SO-CCA Secure PKE in the Quantum Random Oracle Model or the Quantum Ideal Cipher Model

Abstract

Selective opening (SO) security is one of the most important securities of public key encryption (PKE) in a multi-user setting. Even though messages and random coins used in some ciphertexts are leaked, SO security guarantees the confidentiality of the other ciphertexts. Actually, it is shown that there exist PKE schemes which meet the standard security such as indistinguishability against chosen ciphertext attacks (IND-CCA security) but do not meet SO security against chosen ciphertext attacks. Hence, it is important to consider SO security in the multi-user setting. On the other hand, many researchers have studied cryptosystems in the security model where adversaries can submit quantum superposition queries (i.e., quantum queries) to oracles. In particular, IND-CCA secure PKE and KEM schemes in the quantum random oracle model have been intensively studied so far.

In this paper, we show that two kinds of constructions of hybrid encryption schemes meet simulation-based SO security against chosen ciphertext attacks (SIM-SO-CCA security) in the quantum random oracle model or the quantum ideal cipher model. The first scheme is constructed from any IND-CCA secure KEM and any simulatable data encapsulation mechanism (DEM). The second one is constructed from any IND-CCA secure KEM based on Fujisaki-Okamoto transformation and any strongly unforgetable message authentication code (MAC). We can apply any IND-CCA secure KEM scheme to the first one if the underlying DEM scheme meets simulatability, whereas we can apply any DEM scheme meeting integrity to the second one if the underlying KEM is based on Fujisaki-Okamoto transformation.

Appendix A: Proof of Lemma 1

We prove Lemma 1. We use the same notations defined in the proof of Theorem 2. For \(i \in \{ 0,1,\ldots ,4 \}\), we consider games \(\mathsf {Hybrid}_i\), and let \(H_i\) be the event that \(\mathsf {A}\) outputs out such that \(R(\mathcal {M}_{\mathrm {D}},m_1,\ldots ,m_n,I,out) = 1\) in \(\mathsf {Hybrid}_i\), \(\mathsf {Find}_i\) be the event that a semi-classical oracle \(O_{S}^{SC}\) returns \(\sum _{x \in S,y \in \mathcal {Y}} \psi _{x,y}^\prime | x,y \rangle | 1 \rangle \) for a quantum query \(\sum _{x \in \mathcal {M}^{asy},y \in \mathcal {Y}} \psi _{x,y} | x,y \rangle \) to the random oracle \(\mathsf {G}\) (resp. \(\mathsf {H}\)), where \(S = \{ r_i \}_{i \in [n] \backslash I}\) and \(\mathcal {Y}= \mathcal {R}^{asy}\) (resp. \(\mathcal {Y}= \mathcal {C}^{asy} \times \mathcal {K}^{sym} \times \mathcal {K}^{mac}\)).

Furthermore, in the same way as the proof in Theorem 2, random oracles \(\ddot{\mathsf {G}}\) and \(\ddot{\mathsf {H}}\) are defined. Namely, \(\ddot{\mathsf {G}}\) (resp. \(\ddot{\mathsf {H}}\)) is a random oracle such that \(\ddot{\mathsf {G}}(r)\) (resp. \(\ddot{\mathsf {H}}(r,e)\)) is sampled from \(\mathcal {R}^{asy}\) (resp. \(\mathcal {K}^{sym} \times \mathcal {K}^{mac}\)) uniformly at random if \(r \in \{ r_i \}_{i \in [n]\backslash I}\), and \(\ddot{\mathsf {G}}(r) = \mathsf {G}(r)\) (resp. \(\ddot{\mathsf {H}}(r,e) = \mathsf {H}(r,e)\)) holds otherwise.

\(\mathsf {Hybrid}_{0}\): This game is the same as \(\mathsf {Game}_5\) in Theorem 2. Then, we have \(\Pr [H_0] = \Pr [W_5]\).    \(\blacksquare \)

\(\mathsf {Hybrid}_{1}\): This game is the same as \(\mathsf {Hybrid}_0\) except that we replace \(\mathsf {G}\) and \(\mathsf {H}\) by \(\ddot{\mathsf {G}} \backslash S\) and \(\ddot{\mathsf {H}} \backslash S\), respectively, where \(S = \{ r_i \}_{i \in [n] \backslash I}\). From Proposition 1, we have \(\left| \Pr [H_0] - \Pr [H_1] \right| \le 2\sqrt{(q_g + q_h)\Pr [\mathsf {Find}_1]}\). Notice that we also have \(\Pr [H_1] = \Pr [W_6]\).    \(\blacksquare \)

\(\mathsf {Hybrid}_{2}\): This game is the same as \(\mathsf {Hybrid}_1\) except that for all \(i \in [n]\), we replace and instead of \(\hat{r}_i \leftarrow \mathsf {G}(r_i)\) and \((\mathsf {k}_i^{sym},\mathsf {k}_i^{mac}) \leftarrow \mathsf {H}(r_i,e_i)\), respectively. We have \(\Pr [\mathsf {Find}_2] = \Pr [\mathsf {Find}_1]\) because we do not focus on the output of \(\mathsf {A}\).    \(\blacksquare \)

\(\mathsf {Hybrid}_{3}\): This game is the same as \(\mathsf {Hybrid}_2\) except that we replace \(\ddot{\mathsf {G}}\) and \(\ddot{\mathsf {H}}\) by \(\mathsf {G}\) and \(\mathsf {H}\), respectively. Because there is no difference between the view of \(\mathsf {A}\) in the two games by this change, \(\Pr [\mathsf {Find}_3] =\Pr [\mathsf {Find}_2]\) holds.    \(\blacksquare \)

\(\mathsf {Hybrid}_{4}\): This game is the same as \(\mathsf {Hybrid}_3\) except that we replace \(r_i\) by \(r_i^\prime \) for all \(i \in [n]\). Notice that we do not replace the set \(S = \{ r_i \}_{i \in [n] \backslash I}\) by \(\{ r_i^\prime \}_{i \in [n] \backslash I}\).

From Proposition 2, we get \(\Pr [\mathsf {Find}_4] \le 4n(q_g + q_h)/|\mathcal {M}^{asy}|\). In addition, We show \(\left| \Pr [\mathsf {Find}_3] - \Pr [\mathsf {Find}_4] \right| \le n \cdot \mathsf {Adv}_{\mathsf {PKE},\mathsf {D}}^{ind-cpa }(\lambda )\) by constructing the following PPT algorithm \(\mathsf {D}\) breaking \(\mathsf {IND}- \mathsf {CPA}\) security of \(\mathsf {PKE}^{asy}\): Given a public key \(\mathsf {pk}^{asy}\), \(\mathsf {D}\) chooses \(i^* \in [n]\), \(r_{i^*},r_{i^*}^\prime \in \mathcal {M}^{asy}\), and \(\mathsf {k}_{i^*} \in \mathcal {K}\) uniformly at random. It submits \((r_i,r_i^\prime )\) to the challenger in \(\mathsf {IND}- \mathsf {CPA}\) game and receives \(e_{i^*}\). And then, it computes \(e_i \leftarrow \mathsf {Enc}^{asy}(\mathsf {pk},r_i,\mathsf {G}(r_i))\) and \(\mathsf {k}_i \leftarrow \mathsf {H}_q(e_i)\) for \(i \in [n] \backslash \{ i^* \}\). In order to simulate a random oracle \(\mathsf {G}\) (resp. \(\mathsf {H}_q\)), \(\mathsf {D}\) chooses a \(2q_g\)-wise independent hash function (resp. a \(2q_h\)-wise independent hash function) at random. It sets \(I \leftarrow \emptyset \) and sends \(\mathsf {pk}:= \mathsf {pk}^{asy}\) to \(\mathsf {A}\).

When \(\mathsf {A}\) submits \(\mathcal {M}_{\mathrm {D}}\), \(\mathsf {D}\) chooses and computes \(d_i \leftarrow \mathsf {k}_i^{sym} \oplus m_i\) and \(\tau _i \leftarrow \mathsf {Tag}(\mathsf {k}_i^{mac},d_i)\) for \(i \in [n]\). Then, it returns \(((e_i,d_i,\tau _i))_{i \in [n]}\).

\(\mathsf {D}\) simulates oracles in the following way: When \(\mathsf {A}\) issues a quantum query \(\sum _{r \in \mathcal {M}^{asy},y \in \mathcal {Y}} \psi _{r,y} | r,y \rangle \) to the random oracle \(\mathsf {G}\) (resp. \(\mathsf {H}\)) for \(\mathcal {Y}= \mathcal {R}^{asy}\) (resp. \(\mathcal {Y}= \mathcal {C}^{asy} \times \mathcal {K}^{sym} \times \mathcal {K}^{mac}\)), \(\mathsf {D}\) submits \(\sum _{r \in \mathcal {M}^{asy},y \in \mathcal {Y}} \psi _{r,y} | r,y \rangle | 0 \rangle \) to a semi-classical oracle \(O_S^{SC}\). It halts and outputs 1 if \(O_S^{SC}\) returns the quantum superposition state \(\sum _{r \in \mathcal {M}^{asy},y \in \mathcal {Y}} \psi _{r,y}^\prime | r,y \rangle | 1 \rangle \). It returns a quantum state by accessing \(\mathsf {G}\) (resp. \(\mathsf {H}\)) otherwise.

• \(\mathsf {DEC}(\mathsf {c})\): Take \(\mathsf {c}= (e,d,\tau )\) as input and do the following.

  1. 1.

     \((\mathsf {k}^{sym},\mathsf {k}^{mac}) \leftarrow \mathsf {H}_q(e)\).

  2. 2.

     Return \(m\leftarrow \mathsf {k}^{sym} \oplus d\) if \(\mathsf {Vrfy}(\mathsf {k}^{mac},d,\tau ) = 1\). Return \(\bot \) otherwise.

• \(\mathsf {OPEN}(i)\): Set \(I \leftarrow I \cup \{ i \}\). Abort if \(i = i^*\). Return \((m_i,r_i)\) otherwise.

When \(\mathsf {A}\) outputs a value out and halts, \(\mathsf {D}\) outputs 0. \(\mathsf {D}\) simulates the view of \(\mathsf {A}\) in \(\mathsf {Game}_3\) (resp. \(\mathsf {Game}_4\)) if the challenger chooses \(r_i\) (resp. \(r_i^\prime \)). Then, the success probability of \(\mathsf {D}\) is at least \(\epsilon /n\), and we have the inequality.

Therefore, we obtain

$$\begin{aligned} \left| \Pr [\mathsf {Find}_3] - \Pr [\mathsf {Find}_4] \right| + \Pr [\mathsf {Find}_4] \le n \cdot \mathsf {Adv}_{\mathsf {PKE},\mathsf {D}}^{ind-cpa }(\lambda ) + \frac{4n(q_g + q_h)}{|\mathcal {M}^{asy}|}. \end{aligned}$$

   \(\blacksquare \)

From the discussion above, we obtain the following inequality

$$\begin{aligned} \left| \Pr [W_5] - \Pr [W_6] \right| \le \,&2\sqrt{(q_g + q_h) \Pr [\mathsf {Find}_1] } \\ \le \,&2\sqrt{ n(q_g + q_h) \mathsf {Adv}_{\mathsf {PKE},\mathsf {D}}^{ind-cpa }(\lambda )+ 4n\frac{(q_g + q_h)^2}{|\mathcal {M}^{asy}|}} \\ \le \,&2\sqrt{ n(q_g + q_h) \mathsf {Adv}_{\mathsf {PKE},\mathsf {D}}^{ind-cpa }(\lambda )} + 4(q_g + q_h)\sqrt{\frac{n}{|\mathcal {M}^{asy}|}}. \end{aligned}$$

Therefore, we complete the proof.    \(\square \)