1 Introduction

As a foundational cryptographic primitive, the key encapsulation mechanism (KEM) is efficient and versatile. It can be used to construct, in a black-box manner, PKE (the KEM-DEM paradigm [1]), key exchange and authenticated key exchange [2, 3]. Compared with designing a full PKE scheme, the KEM construction is usually somewhat easier or more efficient. In December 2016, the National Institute of Standards and Technology (NIST) announced a competition with the goal of standardizing post-quantum cryptographic (PQC) algorithms, including digital signature, public-key encryption (PKE), and KEM (or key exchange) schemes with security against quantum adversaries [4]. Among the 69 Round-1 algorithm submissions, posted in December 2017 by NIST for the public to discuss and evaluate [4], there are 39 proposals for KEM constructions.

Indistinguishability against chosen-ciphertext attacks (IND-CCA) [5] is widely accepted as a standard security notion for many cryptographic applications. However, IND-CCA security is usually much more difficult to prove than IND-CPA (and OW-CPA) security, i.e., indistinguishability (and one-wayness) against chosen-plaintext attacks. In most cases, generic transformations [6, 7] are used to create an IND-CCA-secure KEM from some weakly secure (OW-CPA or IND-CPA) PKE.

Recently, considering the drawbacks of previous analyses of the Fujisaki-Okamoto (FO) transformation [8, 9], such as a non-tight security reduction and the need for a perfectly correct scheme, Hofheinz, Hövelmanns and Kiltz [7] revisited the KEM version of the FO transformation [6] and provided a fine-grained and modular toolkit of transformations , \(\mathrm {U}^{\perp }\), , \(\mathrm {U}_m^{\perp }\), and \(\mathrm {QU}_m^{\perp }\) (in what follows, these transformations are categorized as modular FO transformations for brevity), where the subscript m (its absence) means \(K=H(m)\) (\(K=H(m,c)\)), (\(\perp \)) means implicit (explicit) rejection and \(\mathrm {Q}\) means adding an additional hash to the ciphertext. Combining these modular transformations, they obtained several variants of the FO transformation: , \(\mathrm {FO}^{\perp }\), , \(\mathrm {FO}_m^\perp \), and \(\mathrm {QFO}_m^{\perp }\) (these transformations are categorized as FO transformations in the following).

All the (modular) FO transformations are proved secure in the random oracle model (ROM) [10]. When the KEM scheme is instantiated, the random oracle is replaced by a hash function, which a quantum adversary may evaluate on a quantum superposition of inputs. As a result, to fully assess post-quantum security, we should analyze security in the quantum random oracle model (QROM), as introduced in [11]. However, proving security in the QROM is quite challenging, as many classical ROM proof techniques become invalid there [11].

In [7], Hofheinz et al. presented QROM security reductions for , \(\mathrm {QU}_m^{\perp }\), and \(\mathrm {QFO}_m^{\perp }\). For these transformations, there is an additional hash in the ciphertext, which plays an important role in their reductions. The security reductions for , \(\mathrm {U}^{\perp }\), , \(\mathrm {U}_m^{\perp }\), , \(\mathrm {FO}^{\perp }\), and \(\mathrm {FO}_m^\perp \) are presented only in the ROM.

Among the 39 KEM submissions, 35 schemes take IND-CCA as the security goal. In particular, 25 IND-CCA-secure KEM schemes are constructed by applying the above transformations (see Table 1) to different PKE schemes, with different security notions (e.g., IND-CPA vs OW-CPA) and different underlying hardness assumptions over lattices, codes and isogenies. In the submissions of LAC, Odd Manhattan, LEDAkem and SIKE, QROM security is not considered. In the 16 submissions including FrodoKEM etc., , \(\mathrm {QFO}^{\perp }\), and \(\mathrm {QFO}_m^{\perp }\) are used, where an additional hash is appended to the ciphertext. In the other 5 submissions, CRYSTALS-Kyber, LIMA, SABER, ThreeBears and Classic McEliece, the additional hash is removed according to recent works [12, 13].

For the (modular) FO transformations, the underlying PKE schemes differ in the following aspects: additional hash, correctness, determinacy, and security.

  • Additional hash. The additional hash here is a length-preserving hash function (one whose domain and range have the same size) appended to the ciphertext, which was first introduced by Targhi and Unruh [14] to prove the QROM security of variants of the FO transformation [8, 9] and the OAEP transformation [15, 16]. Following Targhi and Unruh’s trick, Hofheinz et al. gave the transformations , \(\mathrm {QU}_m^{\perp }\), and \(\mathrm {QFO}_m^{\perp }\) by adding an additional hash to the corresponding ROM constructions, and presented QROM security reductions for them.

    Among the NIST Round-1 submissions of IND-CCA-secure KEMs, 16 proposals use this trick to achieve QROM security. Intuitively, for 128-bit post-quantum security, this additional hash merely increases the ciphertext size by 256 bits [17]. However, we note that the QROM security proofs in [7, 14] require the additional hash to be length-preserving. Thus, for schemes where the message space is strictly larger than the output space of the hash function, the increase in ciphertext size is significant. Hülsing et al. [18] tried several ways to circumvent this issue, but all straightforward approaches failed. For their specific NTRU-based KEM, an additional 1128 bits are needed, which accounts for \(11\%\) of the final encapsulation size.

    In the ROM, this additional hash is clearly redundant for the construction of an IND-CCA-secure KEM [6, 7]. Some proposals, e.g., ThreeBears [19], believe that this additional hash adds no security. It was deliberately introduced to accomplish the QROM security proof, at the cost of a larger ciphertext and a more complicated implementation. Thus, a natural question is: can we improve the QROM security proofs for these constructions without suffering any ciphertext overhead?

  • Correctness error. Many practical post-quantum PKE schemes, e.g., DXL [20], Peikert [21], BCNS [22], NewHope [23], Frodo [24], Lizard [25], Kyber [26], NTRUEncrypt [27], NTRU Prime [28], and QC-MDPC [29], have a small correctness error \(\delta \), i.e., a non-zero probability of decryption failure in a legitimate execution of the scheme. In particular, among the KEM submissions in Table 1, 18 proposals have a correctness error.

    From a security point of view, it turns out that correctness errors not only influence the validity of a security proof, but also leak information on the private key [30]. In particular, chosen-ciphertext attacks exploiting gathered correctness errors [30, 31] were demonstrated against the CCA versions of NTRUEncrypt and QC-MDPC obtained via generic transformations, whose security was proved assuming the underlying PKEs to be perfectly correct. More recently, Bernstein et al. [32] showed that the HILA5 KEM [33] does not provide IND-CCA security by demonstrating a key-recovery attack in the standard IND-CCA attack model that uses the information obtained from correctness errors.

    To date, it is not clear how much these correctness errors can affect the CCA security of these KEM schemes, or how large a correctness error can be tolerated for a fixed security strength. To the best of our knowledge, all previous security analyses of (modular) FO transformations except [7] assume perfect correctness, i.e., \(\delta =0\). Therefore, QROM security analyses of the above (modular) FO transformations that take correctness errors into consideration are preferred.

  • Determinacy. According to [7], an IND-CCA-secure KEM in the ROM can be easily constructed by applying the transformation \(\mathrm {U}_m^{\perp }\) (or ) to a deterministic PKE (DPKE). Saito et al. [12] showed that a DPKE can be constructed based on the GPV trapdoor function for LWE [34], NTRU [27], the McEliece PKE [35], and the Niederreiter PKE [36]. However, the popular LWE cryptosystem and its variants [37,38,39,40] are probabilistic encryption schemes, and they are used by CRYSTALS-Kyber, EMBLEM and R.EMBLEM, FrodoKEM, KINDI, LAC, Lepton, LIMA, Lizard, NewHope, Round2, SABER and ThreeBears [4]. In particular, among the underlying PKEs of the KEM proposals in Table 1, DPKEs account for only 28%.

  • Security notion. IND-CPA security and OW-CPA security are widely accepted as standard security notions for PKE. In the KEM submissions in Table 1, all the underlying PKE schemes satisfy OW-CPA security. IND-CPA security is taken as a security goal of a PKE/KEM scheme in NIST’s PQC standardization, and is satisfied by most lattice-based and isogeny-based PKE schemes. FO transformations are widely used as they require only that the PKE scheme have standard CPA security.

    There are also some non-standard security notions, e.g., one-wayness against plaintext checking attacks (OW-PCA), against validity checking attacks (OW-VA), and against plaintext and validity checking attacks (OW-PVCA) for PKE [6, 7], and disjoint simulatability (DS) for DPKE [12]. According to [7, 12], if the underlying PKE satisfies one of these non-standard security notions, modular FO transformations can be used to construct an IND-CCA-secure KEM with a tighter security reduction. In particular, Saito et al. [12] presented a tight security proof for under stronger assumptions on the underlying DPKE scheme, namely DS security and perfect correctness, which are satisfied by Classic McEliece in Table 1.

To accurately evaluate the CCA security of the KEM proposals in Table 1 in the QROM, taking correctness errors into account, we revisit the QROM security of the above (modular) FO transformations without the additional hash and under different assumptions on the underlying PKE scheme in terms of determinacy and security.

Table 1. List of KEM submissions based on (modular) FO transformations.
Table 2. FO transformations from standard security assumptions.
Table 3. Modular FO transformations from non-standard security assumptions.

1.1 Our Contributions

  1.

    For any correctness error \(\delta \) (\(0\le \delta < 1\)), we prove the QROM security of two generic transformations, and from [7], by reducing the standard OW-CPA security of the underlying PKE to the IND-CCA security of the KEM, see Table 2.

    The obtained security bounds are both \(\epsilon ' \approx q\sqrt{\delta } + q\sqrt{\epsilon } \), where \(\epsilon '\) is the success probability of an adversary against the IND-CCA security of the resulting KEM, \(\epsilon \) is the success probability of another adversary against the OW-CPA security of the underlying PKE, and q is the total number of ’s queries to the various oracles. Our security bounds are much better than \(\epsilon ' \approx q\sqrt{q^2\delta + q\sqrt{\epsilon }}\), obtained in [7]. Meanwhile, the additional hash is not required, as it is redundant for our security proofs. In [12], Saito et al. also obtained the same tight security bound \(\epsilon ' \approx { q\sqrt{\epsilon }}\) for a variant of , by assuming the underlying PKE scheme to be IND-CPA-secure and perfectly correct (i.e., \(\delta =0\)).

    With our tighter QROM security proofs, the 16 KEM constructions including FrodoKEM etc., where , \(\mathrm {QFO}^{\perp }\), and \(\mathrm {QFO}_m^{\perp }\) are used, can be simplified by cutting off the additional hash, which improves performance with respect to both speed and sizes. Additionally, although LAC and SIKE are constructed using without the additional hash, QROM security is not considered in their proposals. Thus, our proofs also provide a solid post-quantum security guarantee for these two KEM schemes without any additional ciphertext overhead.

  2.

    For the modular FO transformations , \(\mathrm {U}^{\perp }\), , and \(\mathrm {U}_m^{\perp }\) in [7], we provide QROM security reductions without the additional hash for any correctness error \(\delta \) (\(0\le \delta < 1\)), see Table 3.

    Specifically, we first define quantum versions of OW-PCA and OW-PVCA, namely one-wayness against quantum plaintext checking attacks (OW-qPCA) and one-wayness against quantum plaintext and (classical) validity checking attacks (OW-qPVCA), where quantum plaintext checking attacks mean that the adversary can make quantum queries to the plaintext checking oracle. For any correctness error \(\delta \) (\(0\le \delta < 1\)), we provide QROM security reductions for  from OW-qPCA, \(\mathrm {U}^{\perp }\) from OW-qPVCA,  from OW-CPA (and DS), and \(\mathrm {U}_m^{\perp }\) from OW-VA, to IND-CCA without the additional hash.

    OW-qPCA (OW-qPVCA) security is merely a proof artefact for simulating H. Compared with the DS security notion introduced in [12], OW-qPCA security is less restrictive and weaker. We note that the DS security notion is defined for DPKE schemes that satisfy (1) statistical disjointness and (2) ciphertext-indistinguishability. Actually, all DPKE schemes satisfy OW-qPCA security, as the plaintext checking oracle can be simulated by re-encryption on a quantum computer. Therefore, all the instantiations of DS-secure DPKE in [12] are also OW-qPCA-secure. Moreover, OW-qPCA security is not restricted to DPKE schemes. Many post-quantum PKE schemes satisfy OW-qPCA security, e.g., NTRU [27], McEliece [35], and Niederreiter [36]. Additionally, we show that the PKE scheme obtained by applying the transformation \(\mathrm {T}\) to an OW-CPA-secure PKE [7] is also OW-qPCA-secure.

    Our security reductions preserve the tightness of those in [7, 12] without the additional hash, for any correctness error \(\delta \) (\(0\le \delta < 1\)), see Table 3. Our QROM security analyses not only provide post-quantum security guarantees for the KEM schemes constructed using these modular FO transformations, e.g., Odd Manhattan, Classic McEliece and LEDAkem, but also help to obtain a variety of combined transformations with different requirements and properties.

1.2 Techniques

Remove the additional hash. As explained by Targhi and Unruh [14], their proof technique relies heavily on the additional hash. In their paper, they discussed the QROM security of a variant of the FO transformation from an OW-CPA-secure PKE to an IND-CCA-secure PKE. To implement the security reduction, one needs to simulate the decryption oracle without possessing the secret key. In classical proofs, an RO-query list is used to simulate such an oracle. In the QROM, the simulator has no way to learn the actual content of adversarial RO queries, so such an RO-query list does not exist. Targhi and Unruh circumvented this issue by adding an additional length-preserving hash (modeled as an RO) to the ciphertext. In the security reduction, this additional RO is simulated by a k-wise independent function. For every output of this RO, the simulator can recover the corresponding input by inverting this function. Thereby, the simulator can answer decryption queries without the secret key.

When considering generic transformations from a weakly secure PKE to an IND-CCA-secure KEM, one needs to simulate the decapsulation oracle \(\textsc {Decaps}\) without the secret key. Obviously, we can modify the transformations by adding an additional length-preserving hash to the ciphertext so that the simulator can carry out the decryption. Then, using the key-derivation function (KDF, modeled as a random oracle H), it can easily simulate the \(\textsc {Decaps}\) oracle.

In [11, Theorem 6], Boneh et al. proved the QROM security of a generic hybrid encryption scheme [10], built from an injective trapdoor function and a symmetric-key encryption scheme. Inspired by their proof idea, we present a novel approach to simulating the \(\textsc {Decaps}\) oracle.

The high-level idea is that we associate the random oracle H (the KDF in the KEM) with a secret random function \(H'\) by setting \(H=H' \circ g \) such that \(H'(\cdot )=\textsc {Decaps}(sk,\cdot )\). We require that the function g be indistinguishable from an injective function for any efficient quantum adversary. Thus, in the view of the adversary against the IND-CCA security of the KEM, H is indeed a random oracle. Meanwhile, we can simulate the \(\textsc {Decaps}\) oracle just by using \(H'\). Note that our simulation of the \(\textsc {Decaps}\) oracle circumvents the decryption computation. Thereby, there is no need to read the content of adversarial RO queries, which makes it unnecessary to add an additional length-preserving hash to the ciphertext.

Tighten the security bound. When proving the IND-CCA security of the KEM from the OW-CPA security of the underlying PKE for and , reprogramming the random oracles G and H is a natural approach. In the quantum setting, the one-way to hiding (OW2H) lemma [42, Lemma 6.2] is a practical tool for arguing the indistinguishability of games in which the random oracles are reprogrammed. However, the OW2H lemma inherently incurs a quadratic security loss.

To tighten the security bounds, we have to reduce the number of times the OW2H lemma is used. [7] analyzed the QROM security of (and \(\mathrm {QFO}_m^{{\perp }}\)) in two steps. First, they presented a QROM security reduction from the OW-CPA security of the underlying PKE to the OW-PCA security of an intermediate scheme PKE\('\). In this step, the random oracle G was reprogrammed, so by using the OW2H lemma they obtained \(\epsilon '' \le q^2\delta +q\sqrt{\epsilon }\), where \(\epsilon ''\) is the success probability of an adversary against the OW-PCA security of PKE\('\). In the second step, they reduced the OW-PCA security of PKE\('\) to the IND-CCA security of the KEM, where the random oracles H and \(H''\) (the additional hash) were reprogrammed. Again, by using the OW2H lemma, they obtained \(\epsilon '\le q \sqrt{\epsilon ''}\). Finally, combining the above two bounds, they obtained the security bound of the KEM, \(\epsilon '\le q \sqrt{q^2\delta +q \sqrt{\epsilon }}\). Directly combining the modular analyses uses the OW2H lemma twice, which makes the security bound highly non-tight.

When considering the QROM security of and , instead of a modular analysis, we choose to reduce the OW-CPA security of the underlying PKE to the IND-CCA security of the KEM directly, without introducing an intermediate scheme PKE\('\). In this way, G and H are reprogrammed simultaneously, so the OW2H lemma is used only once in our reductions.

We also find that the order of the games can greatly affect the tightness of the security bound. If we reprogram G and H before simulating the \(\textsc {Decaps}\) oracle with the secret random function \(H'\), the obtained security bound is \(q \sqrt{\epsilon +q\sqrt{\delta }} \), where the \(\epsilon \) term has a quadratic loss and the \(\delta \) term has a quartic loss. Therefore, we choose to simulate the \(\textsc {Decaps}\) oracle with \(H'\) before reprogramming G and H. But in this way, when using the OW2H lemma to argue the indistinguishability of the games in which G and H are reprogrammed, one has to guarantee the consistency of H and \(H'\). We solve this by generalizing the OW2H lemma to the case where the reprogrammed oracle and another, redundant oracle are sampled simultaneously according to some joint distribution (for a complete description of the generalized OW2H lemma, see Lemma 3).

Finally, our derived security bound is \(q\sqrt{\delta } + q\sqrt{\epsilon }\), which is much tighter than the bound \(q\sqrt{q^2\delta + q\sqrt{\epsilon }}\) obtained in [7].

1.3 Discussion

Tightness. Having a tight security reduction is a desirable property for practical cryptography, especially in large-scale scenarios. In the ROM, if we assume that the underlying PKE scheme in and is IND-CPA-secure, we can obtain a tight reduction from the IND-CPA security of the underlying PKE to the IND-CCA security of the resulting KEM [7]. Specifically, if the PKE scheme in is instantiated with a Ring-LWE-based PKE scheme [39], the security of the underlying Ring-LWE problem can be reduced to the IND-CCA security of the KEM [43]. In [12], Saito et al. presented a tight security reduction for by assuming a stronger underlying DPKE, which is only satisfied by Classic McEliece in Table 1. For the widely used and , a quadratic security loss still exists even assuming the IND-CPA security of the underlying PKE scheme, see Table 2. For the tight ROM security reductions in [7, 43], the simulators need to make an elaborate analysis of the RO-query inputs and determine which one of the query inputs can be used to break the IND-CPA security of the underlying PKE scheme [7] or solve a decision Ring-LWE problem [43]. However, in the QROM, such a proof technique is invalid because there is no way for the simulators to learn the RO-query inputs [44, 45]. Thus, in the QROM, it remains an important open problem whether one can develop a novel proof technique to obtain a tight reduction for and assuming standard IND-CPA security of the underlying PKE.

Implicit rejection. Most previous generic transformations from an OW-CPA-secure (or IND-CPA-secure) PKE to an IND-CCA-secure KEM adopt explicit rejection. In [7], Hofheinz et al. presented several transformations with implicit rejection. The two versions (explicit rejection and implicit rejection) have their own merits. A transformation with implicit rejection [7] does not require the underlying PKE scheme to be \(\gamma \)-spread [8, 9] (meaning that the ciphertexts generated by the probabilistic encryption algorithm have sufficiently large entropy), which may allow choosing better system parameters for the same security level. The ones with explicit rejection, on the other hand, have a relatively simple decapsulation algorithm.

In this paper, we only give QROM security reductions for the transformations with implicit rejection. It is not obvious how to extend our QROM security proofs to the transformations with explicit rejection, since the simulator has no way to tell whether a submitted ciphertext is valid. In the classical ROM, we usually assume the underlying PKE is \(\gamma \)-spread. Then, we can recognize invalid ciphertexts just by testing whether they are in the RO-query list, as the probability that the adversary queries the decapsulation oracle with a valid ciphertext that is not in the RO-query list is negligible [7,8,9, 43]. Unfortunately, in the QROM the adversary makes quantum queries to the RO, so the above RO-query list does not exist. Thus, the ROM proof technique for recognizing invalid ciphertexts is invalid in the QROM. Here, we leave proving the QROM security of the transformations and with explicit rejection as an open problem.

2 Preliminaries

Symbol description. Let \(\mathcal {K}\), \(\mathcal {M}\), \(\mathcal {C}\) and \(\mathcal {R}\) denote the key space, message space, ciphertext space and randomness space, respectively. For a finite set X, we denote the sampling of a uniformly random element x by \(x \overset{\$}{\leftarrow } X\), and sampling according to some distribution D by \(x {\leftarrow } D\). By \(x=?y\) we denote the integer that is 1 if \(x=y\) and 0 otherwise. \(\Pr [P : G]\) is the probability that the predicate P holds true when the free variables in P are assigned according to the program G. We denote the deterministic (probabilistic) computation of an algorithm A on input x by \(y:=A(x)\) (\(y \leftarrow A(x)\)). \(A^{H}\) means that the algorithm A has access to the oracle H.

2.1 Quantum Random Oracle Model

In the ROM [10], we assume the existence of a random function H, and give all parties oracle access to this function. The algorithms comprising any cryptographic protocol can use H, as can the adversary. Thus we modify the security games for all cryptographic systems to allow the adversary to make random oracle queries.

When a random oracle scheme is implemented, some suitable hash function H is included in the specification. Any algorithm (including the adversary) replaces oracle queries with evaluations of this hash function. In the quantum setting, because a quantum algorithm can evaluate H on an arbitrary superposition of inputs, we must allow the quantum adversary to make quantum queries to the random oracle. We call this the quantum random oracle model [11]. Unless otherwise specified, queries to random oracles are quantum in this paper.

Tools. Next we state four lemmas that we use throughout the paper. The first two have been proved in other works, and the complete proofs of the last two are given in the full version [13]. We refer the reader to [46] for the basics of quantum computation. Here, we just recall two facts about quantum computation.

  • Fact 1. Any classical computation can be implemented on a quantum computer.

  • Fact 2. Any function that has an efficient classical algorithm computing it can be implemented efficiently as a quantum-accessible oracle.

Lemma 1

(Simulating the random oracle [47, Theorem 6.1]). Let H be an oracle drawn uniformly at random from the set of 2q-wise independent functions. Then the advantage of any quantum algorithm making at most q queries to H in distinguishing H from a truly random function is identically 0.

Lemma 2

(Generic search problem [48, 49]). Let \(\gamma \in [0,1]\) and let Z be a finite set. Let \(N_1:Z\rightarrow \{0,1\}\) be the following function: for each z, \(N_1(z)=1\) with probability \(p_z\) (\(p_z \le \gamma \)), and \(N_1(z)=0\) otherwise. Let \(N_2\) be the function with \(\forall z : N_2(z)=0\). If an oracle algorithm A makes at most q quantum queries to \(N_1\) (or \(N_2\)), then

In particular, the probability of A finding a z such that \(N_1(z)=1\) is at most \(2q\sqrt{\gamma } \), i.e., \(\Pr [N_1(z)=1:z \leftarrow A^{N_1}] \le 2q\sqrt{\gamma }\).

Note. [48, Lemma 37] and [49, Theorem 1] only consider the specific case where all \(p_z\) are equal to \(\gamma \). But in our security proof, we need to consider the case where \(p_z \le \gamma \) and the \(p_z\) are in general different from each other. Fortunately, it is not difficult to verify that the proof of [48, Lemma 37] extends to this general case.

The one-way to hiding (OW2H) lemma [42, Lemma 6.2] is a useful tool for reducing a hiding (i.e., indistinguishability) property to a guessing (i.e., one-wayness) property in a security proof. Roughly speaking, the lemma states that if there exists an oracle algorithm A that, issuing at most \(q_1\) queries to the random oracle \(\mathcal {O}_1\), can distinguish \((x,\mathcal {O}_1(x))\) from (x, y), where y is chosen uniformly at random, then we can construct another oracle algorithm B that finds x by running A and measuring one of A’s queries. However, in our security proof, the oracle \(\mathcal {O}_1\) is not a perfect random function and A can have access to another oracle \(\mathcal {O}_2\) associated with \(\mathcal {O}_1\). Therefore, we generalize the OW2H lemma.

Lemma 3

(One-way to hiding, with redundant oracle). Let oracles \(\mathcal {O}_1\), \(\mathcal {O}_2\), input parameter inp and x be sampled from some joint distribution D, where \(x \in \{0,1\}^n\) (the domain of \(\mathcal {O}_1\)) and \(\mathcal {O}_1(x)\) is uniformly distributed on \( \{0,1\}^m\) (the codomain of \(\mathcal {O}_1\)) conditioned on any fixed \(\mathcal {O}_1(x')\) for all \(x'\ne x\), \(\mathcal {O}_2\), inp and x, and independent from \(\mathcal {O}_2\).

Consider an oracle algorithm \(A^{\mathcal {O}_1, \mathcal {O}_2}\) that makes at most \(q_1\) queries to \(\mathcal {O}_1\) and \(q_2\) queries to \(\mathcal {O}_2\). Denote by \(E_1\) the event that \(A^{\mathcal {O}_1, \mathcal {O}_2}\) on input \((inp,x,\mathcal {O}_1(x))\) outputs 1. Reprogram \(\mathcal {O}_1\) at x by replacing \(\mathcal {O}_1(x)\) with a uniformly random y from \(\{0,1\}^m\), and denote the reprogrammed oracle by \(\mathcal {O}'_1\). Denote by \(E_2\) the event that \(A^{\mathcal {O}'_1, \mathcal {O}_2}\) on input (inp, x, y) outputs 1. Let \(B^{\mathcal {O}_1, \mathcal {O}_2}\) be an oracle algorithm that on input (inp, x) does the following: pick \(i \overset{\$}{\leftarrow } \{1,\ldots ,q_1\} \) and \(y \overset{\$}{\leftarrow } \{0,1\}^m\), run \(A^{\mathcal {O}'_1,\mathcal {O}_2}(inp,x,y)\) until the i-th query to \(\mathcal {O}'_1\), measure the argument of the query in the computational basis, and output the measurement outcome. (When A makes fewer than i queries, B outputs \(\bot \notin \{0,1\}^n\).) Let

$$\begin{array}{c} \Pr [E_1]= \Pr [b' = 1: (\mathcal {O}_1, \mathcal {O}_2,inp, x) {\leftarrow } D, b' \leftarrow A^{\mathcal {O}_1, \mathcal {O}_2}(inp, x,\mathcal {O}_1(x))]\\ \Pr [E_2]= \Pr [b' = 1: (\mathcal {O}_1, \mathcal {O}_2,inp,x ) {\leftarrow } D, y \overset{\$}{\leftarrow } \{0,1\}^m, b' \leftarrow A^{\mathcal {O}'_1, \mathcal {O}_2}(inp,x,y)]\\ P_B:= \Pr [x'=x: (\mathcal {O}_1, \mathcal {O}_2, inp,x ) {\leftarrow } D, x' \leftarrow B^{\mathcal {O}_1, \mathcal {O}_2}(inp,x)]. \end{array}$$

Then

Note that \(\mathcal {O}_2\) is unchanged during the reprogramming of \(\mathcal {O}_1\) at x. Thus, intuitively, \(\mathcal {O}_2\) is redundant and does not help A distinguish \((x,\mathcal {O}_1(x))\) from (x, y). The complete proof of Lemma 3 is similar to the proof of the OW2H lemma [42, Lemma 6.2] and we present it in the full version [13].

Lemma 4

Let \(\varOmega _{H}\) (\(\varOmega _{H'}\)) be the set of all functions \(H:\{0,1\}^{n_1} \times \{0,1\}^{n_2} \rightarrow \{0,1\}^m\) (\(H': \{0,1\}^{n_2} \rightarrow \{0,1\}^m\)). Let \(H \overset{\$}{\leftarrow } \varOmega _{H}\), \(H' \overset{\$}{\leftarrow } \varOmega _{H'}\), \(x \overset{\$}{\leftarrow } \{0,1\}^{n_1}\). Let \(F_0=H(x,\cdot )\) and \(F_1=H'(\cdot )\). Consider an oracle algorithm \(A^{H,F_i}\) that makes at most q queries to H and \(F_i\) (\(i \in \{0,1\}\)). If x is independent of \(A^{H,F_i}\)’s view,

We now sketch the proof of Lemma 4. For the complete proof, please refer to the full version [13].

Proof sketch. In the classical setting, it is obvious that  can be bounded by the probability that A performs an H-query with input \((x,*)\). As x is independent of \(A^{H,F_i}\)’s view, . In the quantum setting, it is not well defined whether A queries \((x,*)\) to H, since H can be queried in superposition. To circumvent this problem, we follow Unruh’s proof technique in [42, Lemma 6.2] and define a new adversary B that runs A but, at some random query, stops and measures the query input. Let \(P_B\) be the probability that B measures x. Similarly to [42, Lemma 6.2], we can bound  by \(2q\sqrt{P_B}\). Since x is independent of \(A^{H,F_i}\)’s view, \(P_B=\frac{1}{2^{n_1}}\). Thus,

2.2 Cryptographic Primitives

Definition 1

(Public-key encryption). A public-key encryption scheme \(\mathrm {PKE}=(Gen, Enc, Dec)\) consists of a triple of polynomial-time (in the security parameter \(\lambda \)) algorithms and a finite message space \(\mathcal {M}\). Gen, the key generation algorithm, is a probabilistic algorithm which on input \(1^{\lambda }\) outputs a public/secret key pair (pk, sk). The encryption algorithm Enc, on input pk and a message \(m \in \mathcal {M}\), outputs a ciphertext \(c\leftarrow Enc(pk,m)\). If necessary, we make the randomness used by encryption explicit by writing \(c:=Enc(pk,m;r)\), where \(r \overset{\$}{\leftarrow } \mathcal {R}\) (\(\mathcal {R}\) is the randomness space). Dec, the decryption algorithm, is a deterministic algorithm which on input sk and a ciphertext c outputs a message \(m:=Dec({sk},c)\) or a special symbol \(\perp \notin \mathcal {M}\) to indicate that c is not a valid ciphertext.

Definition 2

(Correctness [7]). A \(\mathrm {PKE}\) is \(\delta \)-correct if

$$\begin{aligned} E[\mathop {\mathrm {max}}\limits _{m\in \mathcal {M}}\Pr [Dec(sk,c)\ne m : c \leftarrow Enc(pk,m)]]\le \delta , \end{aligned}$$

where the expectation is taken over \((pk,sk) \leftarrow Gen\).

We now define four security notions for public-key encryption: one-way against chosen plaintext attacks (OW-CPA), one-way against validity checking attacks (OW-VA), one-way against quantum plaintext checking attacks (OW-qPCA) and one-way against quantum plaintext and (classical) validity checking attacks (OW-qPVCA).

Definition 3

(OW-ATK-secure PKE). Let \(\mathrm {PKE}=(Gen, Enc, Dec)\) be a public-key encryption scheme with message space \(\mathcal {M}\). For \(\mathrm {ATK} \in \{\mathrm {CPA,VA,qPCA,}\) \(\mathrm {qPVCA}\}\), we define \(\text {OW-ATK}\) games as in Fig. 1, where

Define the OW-ATK advantage function of an adversary against PKE as .

Fig. 1. Games OW-ATK (ATK \(\in \) {CPA, VA, qPCA, qPVCA}) for PKE, where \(O_{\mathrm {ATK}}\) is defined in Definition 3. In games qPCA and qPVCA, the adversary can query the \(\textsc {Pco}\) oracle with a quantum state.

Remark

We note that the security game OW-qPCA (OW-qPVCA) is the same as OW-PCA (OW-PVCA) except for the adversary ’s queries to the Pco oracle. In the OW-qPCA (OW-qPVCA) game, can make quantum queries to the Pco oracle, while in the OW-PCA (OW-PVCA) game only classical queries are allowed. These two new security notions will be used in the security analysis of the modular FO transformations in Sect. 4.

Definition 4

(DS-secure DPKE [12]). Let \(D_\mathcal {M}\) denote an efficiently sampleable distribution on \(\mathcal {M}\). A DPKE scheme (Gen,Enc,Dec) with plaintext and ciphertext spaces \(\mathcal {M}\) and \(\mathcal {C}\) is \(D_\mathcal {M}\)-disjoint simulatable if there exists a PPT algorithm S that satisfies (1) Statistical disjointness: \({\textsc {Disj}}_{\mathrm {PKE},S}:=\mathop {\mathrm {max}}\limits _{pk} \Pr [c\in Enc(pk,\mathcal {M}): c \leftarrow S(pk)] \) is negligible. (2) Ciphertext-indistinguishability: For any PPT adversary , is negligible.

Definition 5

(Key encapsulation). A key encapsulation mechanism KEM consists of three algorithms Gen, Encaps and Decaps. The key generation algorithm Gen outputs a key pair (pk, sk). The encapsulation algorithm Encaps, on input pk, outputs a tuple (K, c), where c is said to be an encapsulation of the key K, which is contained in the key space \(\mathcal {K}\). The deterministic decapsulation algorithm Decaps, on input sk and an encapsulation c, outputs either a key \(K := Decaps(sk, c) \in \mathcal {K}\) or a special symbol \(\perp \notin \mathcal {K}\) to indicate that c is not a valid encapsulation.

Fig. 2. IND-CCA game for KEM.

We now define a security notion for KEM: indistinguishability against chosen ciphertext attacks (IND-CCA).

Definition 6

(IND-CCA-secure KEM). We define the IND-CCA game as in Fig. 2 and the IND-CCA advantage function of an adversary against \(\mathrm {KEM}\) as .

We also define OW-ATK security of PKE, DS security of DPKE and IND-CCA security of KEM in the QROM, where adversary can make quantum queries to random oracles. Following the work [7], we also make the convention that the number \(q_H\) of adversarial queries to a random oracle H counts the total number of times H is executed in the experiment. That is, the number of ’s explicit queries to H plus the number of implicit queries to H made by the experiment.

3 Security Proofs for Two Generic KEM Constructions in the QROM

In this section, we revisit two generic transformations, and , see Figs. 3 and 4. These two transformations are widely used in post-quantum IND-CCA-secure KEM constructions, see Table 1, but there are no QROM security proofs for them. To achieve QROM security, some proposals, e.g., FrodoKEM, followed Hofheinz et al.’s work [7] and modified and by adding an additional length-preserving hash function to the ciphertext. Here, we present QROM security proofs for and , respectively, without any ciphertext overhead.

Fig. 3. IND-CCA-secure KEM-I=[PKE,G,H]

Fig. 4. IND-CCA-secure KEM-II=[PKE,G,H,f]

To a public-key encryption scheme PKE = (Gen, Enc, Dec) with message space \(\mathcal {M}\) and randomness space \(\mathcal {R}\), hash functions \(G:\mathcal {M} \rightarrow \mathcal {R}\), \(H :\{0,1\}^{*} \rightarrow \{0,1\}^{n}\) and a pseudorandom function (PRF) f with key space \(\mathcal {K}^{prf}\), we associate KEM-I=[PKE,G,H] and KEM-II=[PKE,G,H,f] (Footnote 5), shown in Figs. 3 and 4, respectively. The following two theorems establish that the IND-CCA security of KEM-I and of KEM-II both reduce to the OW-CPA security of PKE in the QROM.

Theorem 1

(PKE OW-CPA \(\overset{{QROM}}{\Rightarrow }\) KEM-I IND-CCA). If \(\mathrm {PKE}\) is \(\delta \)-correct, for any IND-CCA against \(\text {KEM-I}\), issuing at most \(q_D\) queries to the decapsulation oracle Decaps, at most \(q_G\) queries to the random oracle G and at most \(q_H\) queries to the random oracle H, there exists an OW-CPA adversary against \(\mathrm {PKE}\) such that and the running time of is about that of .

Proof

Let be an adversary against the IND-CCA security of KEM-I, issuing at most \(q_D\) queries to Decaps, at most \(q_G\) queries to G and at most \(q_H\) queries to H. Let \(\varOmega _G\), \(\varOmega _H\) and \(\varOmega _{H'}\) denote the sets of all functions \(G:\mathcal {M} \rightarrow \mathcal {R}\), \(H:\mathcal {M} \times \mathcal {C} \rightarrow \mathcal {K}\) and \({H'}:\mathcal {C} \rightarrow \mathcal {K}\), respectively. Consider the games in Figs. 5 and 9.

Game \(G_0\). Since game \(G_0\) is exactly the IND-CCA game,

Game \(G_1\). In game \(G_1\), we change the \(\textsc {Decaps}\) oracle so that \(H_2(c)\) is returned instead of H(s, c) for an invalid encapsulation c. Define an oracle algorithm \(A^{H,F_i}\) (\(i\in \{0,1\}\)), see Fig. 6. Let \(H=H_3\), \(F_0(\cdot )=H_3(s,\cdot )\) (\(s \overset{\$}{\leftarrow } \mathcal {M} \)) and \(F_1=H_2\), where \(H_2\) and \(H_3\) are chosen in the same way as in \(G_0\) and \(G_1\). Then, . Since the uniform secret s is chosen independently of \(A^{H,F_i}\)’s view, we can use Lemma 4 to obtain

Fig. 5. Games \(G_0\)-\(G_4\) for the proof of Theorem 1

Game \(G_2\). Note that in game \(G_1\), \(H(m,c)=H_3(m,c)\). In game \(G_2\), if H-query input (m, c) satisfies \(g(m)= c\), the response is replaced by \(H_1^g(m)=H_1\circ g(m)=H_1(g(m))=H_1(c)\), where

$$\begin{aligned} g(\cdot )=Enc(pk,\cdot ;G(\cdot )). \end{aligned}$$

Fig. 6. \(A^{H,F_i}\) for the proof of Theorem 1.

Fig. 7. \(A^N\) for the proof of Theorem 1

Given (pk, sk) and \(m \in \mathcal {M}\), let

$$\begin{aligned} \mathcal {R}_{\mathrm {bad}}(pk,sk,m):=\{{r \in \mathcal {R}}: Dec(sk,Enc(pk,m;r))\ne m\} \end{aligned}$$

denote the set of “bad” randomness. Define

as the fraction of bad randomness and \(\delta (pk,sk)=\max _{m\in {\mathcal {M}}}\delta (pk,sk,m)\). With this notation \(\delta =\mathbf {E}[\delta (pk,sk)]\), where the expectation is taken over \((pk,sk) {\leftarrow }Gen\).

Let \(G'\) be a random function such that \(G'(m)\) is sampled from the uniform distribution in \(\mathcal {R}\setminus \mathcal {R}_{\mathrm {bad}}(pk,sk,m)\). Let

$$\begin{aligned} g'(\cdot )=Enc(pk,\cdot ;G'(\cdot )). \end{aligned}$$

Clearly, \(g'\) is an injective function, and \(H_1\circ g'\) has the same output distribution as H in \(G_1\). Thus, distinguishing \(G_2\) from \(G_1\) is equivalent to distinguishing g from \(g'\), which is essentially the problem of distinguishing G from \(G'\).

Let \(N_1\) be the function such that \(N_1(m)\) is sampled from the Bernoulli distribution \(B_{\delta (pk,sk,m)}\), i.e., \(\Pr [N_1(m)=1]={\delta (pk,sk,m)}\) and \(\Pr [N_1(m)=0]={1-\delta (pk,sk,m)}\). Let \(N_2\) be a constant function that always outputs 0 for any input. Next, we will show that any algorithm that distinguishes G from \(G'\) can be converted into an algorithm that distinguishes \(N_1\) from \(N_2\).

For any efficient quantum adversary \(B^{\widetilde{G}}(pk,sk)\), we can construct an adversary \(A^N(pk,sk)\) as in Fig. 7. \({Sample}(\mathcal {Y})\) is a probabilistic algorithm that returns a uniformly distributed \(y\overset{\$}{\leftarrow } \mathcal {Y}\). \({Sample}(\mathcal {Y};f(m))\) denotes the deterministic execution of \({Sample}(\mathcal {Y})\) using explicitly given randomness f(m).

Note that \(\widetilde{G}=G\) if \(N=N_1\) and \(\widetilde{G}=G'\) if \(N=N_2\). Thus, for any fixed (pk, sk) generated by Gen, \(\Pr [1 \leftarrow A^{N_1}:(pk,sk)] = \Pr [1 \leftarrow B^{G}:(pk,sk)]\) and \(\Pr [1 \leftarrow A^{N_2}:(pk,sk)] = \Pr [1 \leftarrow B^{G'}:(pk,sk)]\). Conditioned on a fixed (pk, sk), we obtain by Lemma 2

Note that can be bounded by the maximum distinguishing probability between G and \(G'\) for \(B^{\widetilde{G}}(pk,sk)\). Thus,

By averaging over \((pk,sk) {\leftarrow } Gen \) we finally obtain

Game \(G_3\). In game \(G_3\), the \(\textsc {Decaps}\) oracle is changed so that it no longer uses the secret key \(sk'\). When queries the \(\textsc {Decaps}\) oracle on c (\(c \ne c^*\)), \(K:=H_1(c)\) is returned as the response. Let \(m':=Dec(sk,c)\) and consider the following two cases.

  • Case 1: \(Enc(pk,m';G(m'))= c\). In this case, \(H(m',c)=H_1(c)\). Thus, both Decaps oracles in \(G_2\) and \(G_3\) return the same value.

  • Case 2: \(Enc(pk,m';G(m')) \ne c\). Random values \(H_2(c)\) and \(H_1(c)\) are returned in \(G_2\) and \(G_3\), respectively. In \(G_2\), \(H_2\) is a random function independent of the oracles G and H, so \(H_2(c)\) is uniformly random in ’s view. In \(G_3\), ’s queries to H can only give him access to \(H_1\) at \(\hat{c}\) such that \(g(\hat{m}) = \hat{c}\) for some \(\hat{m}\). Consequently, if cannot find an \(m''\) such that \(g(m'') = c\), then \(H_1(c)\) is also a fresh random key in his view, just like \(H_2(c)\). Since \(m'' \ne m'\), finding such an \(m''\) is exactly the event E that finds a plaintext \(m''\) such that \(Dec(sk,g(m''))\ne m''\). That is, in this case, if E does not happen, the output distributions of the \(\textsc {Decaps}\) oracles in \(G_2\) and \(G_3\) are the same in ’s view.

As a result, \(G_2\) and \(G_3\) only differ when E happens. By [7, Lemma 4.3], we know that if can find a plaintext \(m''\) such that \(Dec(sk,g(m'')) \ne m''\) with at most \(q_G\) quantum queries to g, we can easily construct another adversary who can find a plaintext \(m''\) such that \(N_1(m'')=1\) with at most \(q_G\) quantum queries to \(N_1\). Considering that the PKE scheme is \(\delta \)-correct, we can derive the upper bound of \(\Pr [E]\) by utilizing Lemma 2, . Therefore,

Game \(G_4\). In game \(G_4\), \(r^*\) and \(k_0^{*}\) are chosen uniformly at random from \(\mathcal {R}\) and \(\mathcal {K}\), respectively. In this game, the bit b is independent of ’s view. Hence,

Note that in this game we reprogram the oracles G and H on inputs \(m^{*}\) and \((m^{*},c^{*})\), respectively. In the classical setting, this goes unnoticed unless the event Query, that queries G on \(m^{*}\) or H on \((m^{*},c^{*})\), happens, so we can argue that \(G_3\) and \(G_4\) are indistinguishable until Query happens. In the quantum setting, due to the quantum queries to G and H, the situation is more complicated, and we will use Lemma 3 to bound . Note that \((m^{*},c^{*})\) is a valid plaintext-ciphertext pair, i.e., \(g(m^{*})=c^{*}\). Therefore, \(H(m^{*},c^{*})=H_1(c^{*})=H_1^g(m^{*})\). In effect, we only reprogram G and \(H_1^g\) at \(m^{*}\).

Let \((G \times H_1^g)(x):=(G(x), H_1^g(x))\) (Footnote 6). \(H_1^g\) and \(H_3\) are internal random oracles that can access only by querying the oracle H. Thus, the total number of queries to \(G\times H_1^g\) is at most \(q_G+q_H\). Let \(H'_1\) be the function such that \(H'_1(g(m^*))=\perp \) and \(H'_1=H_1\) everywhere else. \(H'_1\) is exactly the Decaps oracle in \(G_3\) and \(G_4\), and it is unchanged during the reprogramming of \(G \times H_1^g\).

Let \(A^{G \times H_1^g, H'_1}\) be an oracle algorithm that has quantum access to \(G \times H_1^g\) and \(H'_1\), see Fig. 8. Sample G, \(H_1\), \(H_1^g\) and pk in the same way as \(G_3\) and \(G_4\), i.e., \((pk,sk') \leftarrow Gen', G \overset{\$}{\leftarrow } \varOmega _G, H_1 \overset{\$}{\leftarrow } \varOmega _{H'}, H_1^g:=H_1 \circ g.\) Let \(m^*\overset{\$}{\leftarrow } \mathcal {M}\).

Then, if \(r^*:=G(m^*) \) and \(k_0^*:=H_1^g(m^{*})\), \(A^{G \times H_1^g,H'_1}\) on input \((pk, m^{*}, (r^{*}, k_0^{*}) )\) perfectly simulates \(G_3\). And, if \(r^*\overset{\$}{\leftarrow } \mathcal {R}\) and \(k_0^*\overset{\$}{\leftarrow } \mathcal {K}\), \(A^{G \times H_1^g,H'_1}\) on input \((pk, m^{*}, (r^{*}, k_0^{*}) )\) perfectly simulates \(G_4\). Let \(B^{G\times H_1^g,H'_1}\) be an oracle algorithm that on input \((pk,m^*)\) does the following: pick \(i \overset{\$}{\leftarrow } \{1,\ldots ,q_G+q_H\}\), \(r^*\overset{\$}{\leftarrow } \mathcal {R}\) and \(k_0^*\overset{\$}{\leftarrow } \mathcal {K}\), run \(A^{G\times H_1^g,H'_1 }(pk, m^{*}, (r^{*}, k_0^{*}) )\) until the i-th query to \(G\times H_1^g\), measure the argument of the query in the computational basis, output the measurement outcome (when \(A^{G\times H_1^g,H'_1 }\) makes less than i queries, output \(\bot \)). Define game \(G_5\) as in Fig. 9. Then, .

Applying Lemma 3 with \(\mathcal {O}_1=G \times H_1^g\), \(\mathcal {O}_2=H'_1\), \(inp=pk\), \(x=m^*\) and \(y=(r^*,k_0^*)\), we have

Fig. 8. \(A^{G\times H_1^g,H'_1}\) for the proof of Theorem 1.

Fig. 9. Game \(G_5\) for the proof of Theorem 1

Next, we construct an adversary against the OW-CPA security of the PKE scheme. The adversary, on input (\(1^\lambda \), pk, c), does the following:

  1. Run the adversary in Game \(G_5\).

  2. Use a \(2q_G\)-wise independent function and two different \(2q_H\)-wise independent functions to simulate the random oracles G, \(H_1\) and \(H_3\), respectively. The random oracle H is simulated in the same way as the one in game \(G_5\).

  3. Answer the decapsulation queries by using the Decaps oracle in Fig. 9.

  4. Select \(k^*\overset{\$}{\leftarrow } \mathcal {K}\) and respond to ’s challenge query with (c, \(k^{*}\)).

  5. Select \( i \overset{\$}{\leftarrow } \{1,\ldots ,q_G+q_H\}\), measure the argument \(\hat{m}\) of the i-th query to \(G\times H_1^g\) and output \(\hat{m}\).

According to Lemma 1, the success probability of this adversary is bounded as stated. Finally, combining this with the bounds derived above, we can conclude that

   \(\square \)

Theorem 2

(PKE OW-CPA \(\overset{{QROM}}{\Rightarrow }\) KEM-II IND-CCA). If \(\mathrm {PKE}\) is \(\delta \)-correct, for any IND-CCA against \(\text {KEM-II}\), issuing at most \(q_D\) classical queries to the decapsulation oracle Decaps and at most \(q_G\) (\(q_H\)) queries to random oracle G (H), there exist a quantum OW-CPA adversary against \(\mathrm {PKE}\) and an adversary against the security of \(\mathrm {PRF}\) with at most \(q_D\) classical queries such that and the running time of is about that of .

The only difference between \(\text {KEM-I}\) and \(\text {KEM-II}\) is the key derivation function. In \(\text {KEM-I}\), \(K=H(m,c)\), while \(K=H(m)\) in \(\text {KEM-II}\). Note that, given pk and the random oracle G, c is determined by m. The proof of Theorem 2 is similar to that of Theorem 1, and we present it in the full version [13].

4 Modular Analysis of FO Transformation in the QROM

In [7], Hofheinz et al. introduced seven modular transformations \(\mathrm {T}\), , \(\mathrm {U}^{\perp }\), , \(\mathrm {U}_m^{\perp }\), and \(\mathrm {QU}_m^{\perp }\). However, they only presented QROM security reductions for the transformations \(\mathrm {T}\), and \(\mathrm {QU}_m^{\perp }\). Unlike the transformations , \(\mathrm {U}^{\perp }\), and \(\mathrm {U}_m^{\perp }\), the transformations and \(\mathrm {QU}_m^{\perp }\) have an additional length-preserving hash in the ciphertext, so they could follow the proof technique in [14, 52] to give QROM security reductions for them. As they pointed out [14], their QROM security reductions rely heavily on this additional hash, and QROM security reductions for , \(\mathrm {U}^{\perp }\), and \(\mathrm {U}_m^{\perp }\) are missing in [7]. In [12], Saito et al. presented a tight QROM security reduction for under stronger assumptions on the underlying DPKE scheme, namely DS security and perfect correctness.

In this section, we revisit the transformations , \(\mathrm {U}^{\perp }\), and \(\mathrm {U}_m^{\perp }\), and argue their QROM security without any modification to the constructions and taking the correctness error into consideration. It was shown in [7] that the transformation \(\mathrm {T}\) turns an OW-CPA-secure PKE into an OW-PCA-secure PKE in the QROM. In Sect. 4.1, we first show that the PKE scheme obtained by applying \(\mathrm {T}\) to an OW-CPA-secure PKE is also OW-qPCA-secure. The QROM security reduction for (\(\mathrm {U}^{\perp }\)) from the OW-qPCA (OW-qPVCA) security of PKE to the IND-CCA security of KEM is given in Sect. 4.2 (4.3). In Sect. 4.4, we show that (\(\mathrm {U}_m^{\perp }\)) transforms any OW-CPA-secure or DS-secure (OW-VA-secure) DPKE into an IND-CCA-secure KEM in the QROM.

4.1 \(\mathrm {T}\): from OW-CPA to OW-qPCA in the QROM

To a public-key encryption scheme PKE = (Gen, Enc, Dec) with message space \(\mathcal {M}\) and randomness space \(\mathcal {R}\), and a hash function \(G:\mathcal {M} \rightarrow \mathcal {R}\), we associate \(\mathrm {PKE}'=T[\mathrm {PKE},G]\). The algorithms of PKE\('\) = (Gen, \(Enc'\), \(Dec'\)) are defined in Fig. 10.

Theorem 3

(PKE OW-CPA \(\overset{{QROM}}{\Rightarrow }\) PKE\('\) OW-qPCA). If \(\mathrm {PKE}\) is \(\delta \)-correct, for any OW-qPCA against \(\mathrm {PKE}'\), issuing at most \(q_G\) quantum queries to the random oracle G and at most \(q_P\) quantum queries to the plaintext checking oracle \(\textsc {Pco}\), there exists an OW-CPA adversary against PKE such that and the running time of is about that of .

The proof is essentially the same as that of [7, Theorem 4.4], except for the argument about the difference in ’s success probability between game \(G_0\) and game \(G_1\). Game \(G_0\) is exactly the original OW-qPCA game. In game \(G_1\), the \(\textsc {Pco}\) oracle is replaced by a simulation that, for query input (m, c), returns the result of the check \(Enc(pk,m;G(m))\overset{?}{=}c\). As pk is public and G is a quantum random oracle, such a \(\textsc {Pco}\) simulation can be queried on a quantum superposition of inputs. Note that \(G_0\) and \(G_1\) are indistinguishable unless there exists an adversary that, issuing at most \(q_G\) queries to G, can distinguish \(N_1\) from a constant function \(N_2\) that always outputs 0 for any input, where \(N_1(m)=0\) if \(Dec(sk,Enc(pk,m;G(m)))=m\), and otherwise \(N_1(m)=1\). Thus, using Lemma 2, we obtain that . Then, following the security proof of [7, Theorem 4.4], we can easily prove Theorem 3.

Fig. 10. OW-qPCA-secure \(\mathrm {PKE}'=T[\mathrm {PKE},G]\)

4.2 : from OW-qPCA to IND-CCA in the QROM

To a public-key encryption PKE\('\) = (\(Gen'\), \(Enc'\), \(Dec'\)) and a hash function H, we associate . The algorithms of KEM-III = (Gen, Encaps, Decaps) are defined in Fig. 11.

Fig. 11. IND-CCA-secure

Theorem 4

(PKE\('\) OW-qPCA \(\overset{{QROM}}{\Rightarrow }\) KEM-III IND-CCA). If \(\mathrm {PKE}'\) is \(\delta \)-correct, for any IND-CCA against \(\text {KEM-III}\), issuing at most \(q_D\) (classical) queries to the decapsulation oracle Decaps and at most \(q_H\) queries to the quantum random oracle H, there exists a quantum OW-qPCA adversary against PKE\('\) that makes at most \(q_H\) queries to the Pco oracle such that and the running time of is about that of .

The proof skeleton of Theorem 4 is essentially the same as that of Theorem 1. Here, we briefly state the main differences. The complete proof is presented in the full version [13].

In KEM-I, the randomness used in the encryption algorithm is determined by the random oracle G. Given a plaintext m, we can deterministically evaluate the ciphertext \(c=Enc(pk,m;G(m))\). Thus, we can divide H-query inputs (m, c) into two categories by checking whether (m, c) is a matching plaintext-ciphertext pair (i.e., \(c=Enc(pk,m;G(m))\)) or not. In KEM-III, the encryption algorithm may be probabilistic, so the above method no longer applies. Instead, we can query the Pco oracle to decide whether (m, c) is a matching plaintext-ciphertext pair. If \(\textsc {Pco}(m,c)=1\), the random oracle H returns \(H_1(c)\), otherwise \(H_3(m,c)\). To simulate the random oracle H, we make quantum queries to Pco (this is the reason why we require the scheme PKE\('\) to be OW-qPCA-secure). Note that it is impossible that \(\textsc {Pco}(m_1,c)=\textsc {Pco}(m_2,c)=1\) for \(m_1 \ne m_2\). Thus, H is perfectly simulated without introducing the \(\delta \) term. As ’s queries to H can only give him access to \(H_1\) at c such that \(Dec'(sk,c) =\hat{m}\) for some \(\hat{m}\ne \bot \), the \(\textsc {Decaps}\) oracle can be perfectly simulated by \(H_1\). Therefore, unlike the security bounds obtained in Theorems 1 and 2, the \(\delta \) term is removed, thanks to the OW-qPCA security of the underlying PKE.

Fig. 12. IND-CCA-secure \(\text {KEM-IV}=U^{\perp }[\mathrm {PKE}',H]\)

4.3 \(\mathrm {U}^{\perp }\): from OW-qPVCA to IND-CCA in the QROM

To a public-key encryption PKE\('\) = (\(Gen'\), \(Enc'\), \(Dec'\)) and a hash function H, we associate \(\text {KEM-IV}=U^{\perp }[\mathrm {PKE}',H]\). We remark that \(\mathrm {U}^{\perp }\) is essentially the transformation [6, Table 2], a KEM variant of the REACT/GEM transformations [53, 54]. The algorithms of KEM-IV = (Gen,Encaps,\(Decaps^{\perp }\)) are defined in Fig. 12.

Theorem 5

(PKE\('\) OW-qPVCA \(\overset{{QROM}}{\Rightarrow }\) KEM-IV IND-CCA). If \(\mathrm {PKE}'\) is \(\delta \)-correct, for any IND-CCA against \(\text {KEM-IV}\), issuing at most \(q_D\) (classical) queries to the decapsulation oracle Decaps and at most \(q_H\) queries to the quantum random oracle H, there exists an OW-qPVCA adversary against PKE\('\) that makes at most \(q_H\) queries to the Pco oracle and at most \(q_D\) queries to the Val oracle such that and the running time of is about that of .

The only difference between KEM-III and KEM-IV is the response to an invalid ciphertext in the decapsulation algorithm. When the ciphertext c is invalid, the decapsulation algorithm in KEM-III returns a pseudorandom key related to c. In this way, whether a valid or an invalid ciphertext is submitted, the returned values have the same distribution. As a result, can easily simulate the decapsulation oracle Decaps without recognizing the invalid ciphertexts. The decapsulation algorithm in KEM-IV, by contrast, returns \(\perp \) when the submitted c is invalid. Thus, in order to simulate Decaps, needs to decide whether the ciphertext c is valid. As we assume that the scheme PKE\('\) is OW-qPVCA-secure, can query the Val oracle to make this decision. Then, it is easy to verify that, using the same proof method as in Theorem 4, we obtain the desired security bound.
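As an added example (not code from the paper or from any of the cited schemes), the following Python sketch implements the modular pieces discussed in Sect. 3 (KEM-I) and Sects. 4.1-4.3 over a constructed toy PKE: the T transformation (derandomization via G plus re-encryption in \(Dec'\)), and the two U-style decapsulations, implicit rejection with the pseudorandom key H(s, c) as in KEM-I/KEM-III and explicit rejection with \(\perp \) as in KEM-IV. The toy RSA-based PKE, the hash-based oracles, the ciphertext encoding and the out-of-range invalid ciphertext are all constructed assumptions; the PKE is not secure and only supplies the (Gen, Enc, Dec) interface.

```python
import hashlib
import secrets

# Constructed toy RSA parameters (p = 61, q = 53): far too small to be secure,
# they only give the toy PKE the (Gen, Enc, Dec) shape the transformations need.
N, E, D = 3233, 17, 2753
MLEN = 32  # message space M = {0,1}^256, encoded as 32 bytes

def _oracle(tag: bytes, *parts: bytes) -> bytes:
    """Domain-separated, length-prefixed SHA-256 standing in for a random oracle."""
    h = hashlib.sha256(tag)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()

def _encode(c) -> bytes:
    """Canonical byte encoding of a ciphertext (c1, c2) for hashing."""
    return c[0].to_bytes(2, "big") + c[1]

# ---- toy PKE = (Gen, Enc, Dec) with randomness space R = Z_N ----------------
def pke_gen():
    return (N, E), (N, D)

def pke_enc(pk, m: bytes, r: int):
    """Enc(pk, m; r): RSA-encrypt r and mask m with a hash of r (toy only)."""
    n, e = pk
    mask = _oracle(b"mask", r.to_bytes(2, "big"))
    return pow(r, e, n), bytes(a ^ b for a, b in zip(m, mask))

def pke_dec(sk, c) -> bytes:
    n, d = sk
    r = pow(c[0], d, n)
    mask = _oracle(b"mask", r.to_bytes(2, "big"))
    return bytes(a ^ b for a, b in zip(c[1], mask))

# ---- T: derandomize with G, re-encrypt in Dec' ------------------------------
def G(m: bytes) -> int:
    """Random oracle G: M -> R."""
    return int.from_bytes(_oracle(b"G", m), "big") % N

def enc_T(pk, m: bytes):
    return pke_enc(pk, m, G(m))

def dec_T(sk_T, c):
    """Dec'((sk, pk), c): decrypt, re-encrypt, and return ⊥ (None) on mismatch."""
    sk, pk = sk_T
    m = pke_dec(sk, c)
    return m if pke_enc(pk, m, G(m)) == c else None

# ---- U: K = H(m, c), with implicit or explicit rejection --------------------
def H(*parts: bytes) -> bytes:
    return _oracle(b"H", *parts)

def kem_gen(s: bytes = None):
    """The KEM secret key keeps pk for re-encryption and a seed s for rejection."""
    pk, sk = pke_gen()
    return pk, (sk, pk, s if s is not None else secrets.token_bytes(MLEN))

def encaps(pk, m: bytes = None):
    m = m if m is not None else secrets.token_bytes(MLEN)
    c = enc_T(pk, m)
    return H(m, _encode(c)), c

def decaps_implicit(sk_kem, c) -> bytes:
    """KEM-I / KEM-III style: an invalid c yields the pseudorandom key H(s, c)."""
    sk, pk, s = sk_kem
    m = dec_T((sk, pk), c)
    return H(s, _encode(c)) if m is None else H(m, _encode(c))

def decaps_explicit(sk_kem, c):
    """KEM-IV (U^⊥) style: an invalid c yields ⊥ (None)."""
    sk, pk, _ = sk_kem
    m = dec_T((sk, pk), c)
    return None if m is None else H(m, _encode(c))

def demo():
    """Constructed run with fixed s and m; the invalid ciphertext has c1 >= N,
    which re-encryption (always < N) can never reproduce, so it is rejected."""
    pk, sk_kem = kem_gen(s=b"\x01" * MLEN)
    K, c = encaps(pk, m=b"\x02" * MLEN)
    honest = decaps_implicit(sk_kem, c) == K == decaps_explicit(sk_kem, c)
    bad = (c[0] + N, c[1])
    k1, k2 = decaps_implicit(sk_kem, bad), decaps_implicit(sk_kem, bad)
    return honest, decaps_explicit(sk_kem, bad) is None, k1 == k2 and k1 != K
```

Running demo() shows that the honest encapsulation decapsulates to K under both variants, that the malformed ciphertext is answered with \(\perp \) by the explicit variant, and that the implicit variant answers it with a key that is consistent across repeated queries but unrelated to K.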

4.4 : from OW-CPA/OW-VA to IND-CCA for Deterministic Encryption in the QROM

The transformation (\(\mathrm {U}_m^{{\perp }}\)) is a variant of (\(\mathrm {U}^{{\perp }}\)) that derives the KEM key as \(K=H(m)\), instead of \(K=H(m,c)\). To a deterministic public-key encryption scheme PKE\('\) = (\(Gen'\), \(Enc'\), \(Dec'\)) with message space \(\mathcal {M}\), a hash function \(H:\mathcal {M} \rightarrow \mathcal {K}\), and a pseudorandom function f with key space \(\mathcal {K}^{prf}\), we associate KEM-V = [PKE\('\), H, f] and KEM-VI = \(\mathrm {U}_m^{{\perp }}\)[PKE\('\), H] shown in Figs. 13 and 14, respectively.

Fig. 13. IND-CCA-secure KEM-V = [PKE\('\), H, f]

Fig. 14. IND-CCA-secure KEM-VI = \(\mathrm {U}_m^{\perp }\)[PKE\('\), H]

We note that for a deterministic PKE scheme, OW-PCA security is equivalent to OW-CPA security, as we can simulate the Pco oracle via re-encryption during the proof. Thus, combining the proofs of Theorem 2, Theorem 4, Theorem 5 and [12, Theorem 4.1], we can easily obtain the following two theorems.

Theorem 6

(PKE\('\) OW-CPA \(\overset{{QROM}}{\Rightarrow }\) KEM-V IND-CCA). If \(\mathrm {PKE}'\) is \(\delta \)-correct and deterministic, for any IND-CCA against \(\text {KEM-V}\), issuing at most \(q_E\) quantum queries to the encryption oracle (Footnote 7), at most \(q_D\) (classical) queries to the decapsulation oracle Decaps and at most \(q_H\) quantum queries to the random oracle H, there exist a quantum OW-CPA adversary against \(\mathrm {PKE}'\), an adversary against the security of \(\mathrm {PRF}\) with at most \(q_D\) classical queries and an adversary against the \(U_\mathcal {M}\)-DS security with a simulator S of \(\mathrm {PKE}'\) (\(U_\mathcal {M}\) is the uniform distribution in \(\mathcal {M}\)) such that and , and the running time of () is about that of .

Theorem 7

(PKE\('\) OW-VA \(\overset{{QROM}}{\Rightarrow }\) KEM-VI IND-CCA). If \(\mathrm {PKE}'\) is \(\delta \)-correct and deterministic, for any IND-CCA against \(\text {KEM-VI}\), issuing at most \(q_E\) quantum queries to the encryption oracle, at most \(q_D\) (classical) queries to the decapsulation oracle Decaps and at most \(q_H\) quantum queries to the random oracle H, there exists a quantum OW-VA adversary against \(\mathrm {PKE}'\) who makes at most \(q_D\) queries to the Val oracle such that and the running time of is about that of .