Generic Authenticated Key Exchange in the Quantum Random Oracle Model

Hövelmanns, Kathrin; Kiltz, Eike; Schäge, Sven; Unruh, Dominique

doi:10.1007/978-3-030-45388-6_14

Kathrin Hövelmanns¹²,
Eike Kiltz¹²,
Sven Schäge¹² &
…
Dominique Unruh¹³

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 12111))

Included in the following conference series:

IACR International Conference on Public-Key Cryptography

1540 Accesses
32 Citations

Abstract

We propose $\mathsf {FO_\mathsf {AKE}}$, a generic construction of two-message authenticated key exchange (AKE) from any passively secure public key encryption (PKE) in the quantum random oracle model (QROM). Whereas previous AKE constructions relied on a Diffie-Hellman key exchange or required the underlying PKE scheme to be perfectly correct, our transformation allows arbitrary PKE schemes with non-perfect correctness. Dealing with imperfect schemes is one of the major difficulties in a setting involving active attacks. Our direct construction, when applied to schemes such as the submissions to the recent NIST post-quantum competition, is more natural than previous AKE transformations. Furthermore, we avoid the use of (quantum-secure) digital signature schemes which are considerably less efficient than their PKE counterparts. As a consequence, we can instantiate our AKE transformation with any of the submissions to the recent NIST competition, e.g., ones based on codes and lattices.

$\mathsf {FO_\mathsf {AKE}}$ can be seen as a generalisation of the well known Fujisaki-Okamoto transformation (for building actively secure PKE from passively secure PKE) to the AKE setting. As a helper result, we also provide a security proof for the Fujisaki-Okamoto transformation in the QROM for PKE with non-perfect correctness which is tighter and tolerates a larger correctness error than previous proofs.

You have full access to this open access chapter, Download conference paper PDF

Post-Quantum Security Models for Authenticated Encryption

Tighter Security for Generic Authenticated Key Exchange in the QROM

Password-Based Authenticated Key Exchange from Standard Isogeny Assumptions

Keywords

1 Introduction

Authenticated Key Exchange. Besides public key encryption (PKE) and digital signatures, authenticated key exchange (AKE) is arguably one of the most important cryptographic building blocks in modern security systems. In the last two decades, research on AKE protocols has made tremendous progress in developing more solid theoretical foundations [10, 19, 31, 38] as well as increasingly efficient designs of AKE protocols [37, 44, 47]. Most AKE protocols rely on constructions based on an ad-hoc Diffie-Hellman key exchange that is authenticated either via digital signatures, non-interactive key exchange (usually a Diffie-Hellman key exchange performed on long-term Diffie-Hellman keys), or public key encryption. While in the literature one can find many protocols that use one of the two former building blocks, results for PKE-based authentication are rather rare [8, 17]. Even rarer are constructions that only rely on PKE, discarding Diffie-Hellman key exchanges entirely. Notable recent exceptions are [23, 24] and the protocol in [2], the latter of which has been criticised for having a flawed security proof and a weak security model [39, 46].

The NIST Post-Quantum Competition. Recently, some of the above mentioned designs have gathered renewed interest in the quest of finding AKE protocols that are secure against quantum adversaries, i.e., adversaries equipped with a quantum computer. In particular, the National Institute of Standards and Technology (NIST) announced a competition with the goal to standardise new PKE and signature algorithms [41] with security against quantum adversaries. With the understanding that an AKE protocol can be constructed from low level primitives such as quantum-secure PKE and signature schemes, the NIST did not require the submissions to describe a concrete AKE protocol. Many PKE and signature candidates base their security on the hardness of certain problems over lattices and codes, which are generally believed to resist quantum adversaries.

The quantum ROM. Quantum computers may execute all “offline primitives” such as hash functions on arbitrary superpositions, which motivated the introduction of the quantum (accessible) random oracle model (QROM) [14]. While the adversary’s capability to issue quantum queries to the random oracle renders many proof strategies significantly more complicated, it is nowadays generally believed that only proofs in the QROM imply provable security guarantees against quantum adversaries.

AKE and Quantum-Secure Signatures. Digital signatures are useful for the “authentication” part in AKE, but unfortunately all known quantum-secure constructions would add a considerable overhead to the AKE protocol. Therefore, if at all possible, we prefer to build AKE protocols only from PKE schemes, without using signatures.^{Footnote 1} Our ultimate goal is to build a system that remains secure in the presence of quantum computers, meaning that even currently employed (very fast) signatures schemes based on elliptic curves are not an option.

Central Research Question for Quantum-Secure AKE. In summary, motivated by post-quantum secure cryptography and the NIST competition, we are interested in the following question:

How to build an actively secure AKE protocol from any passively secure PKE in the quantum random oracle model, without using signatures?

(The terms “actively secure AKE” and “passively secure PKE” will be made more precise later.) Surprisingly, one of the main technical difficulties is that the underlying PKE scheme might come with a small probability of decryption failure, i.e., first encrypting and then decrypting does not yield the original message. This property is called non-perfect correctness, and it is common for quantum-secure schemes from lattices and codes, rendering them useless for all previous constructions that relied on perfect correctness.^{Footnote 2}

Previous Constructions of AKE from public-key primitives. The generic AKE protocol of Fujioka et al. [23] (itself based on [17]) transforms a passively secure PKE scheme $\mathsf {PKE}$ and an actively (i.e., $\mathsf {IND}\text {-}\mathsf {CCA}$) secure PKE scheme $\mathsf {PKE}_\mathrm {cca}$ into an AKE protocol. We will refer to this transformation as $\mathsf {FSXY}[\mathsf {PKE}, \mathsf {PKE}_\mathrm {cca}]$. Since the $\mathsf {FSXY}$ transformation is in the standard model, it is likely to be secure with the same proof in the post-quantum setting and thus also in the QROM. The standard way to obtain actively secure encryption from passively secure ones is the Fujisaki-Okamoto transformation $\mathsf {PKE}_\mathrm {cca}= \mathsf {FO}[\mathsf {PKE},\mathsf {G},\mathsf {H}]$ [25, 26]. In its “implicit rejection” variant [28], it comes with a recently discovered security proof [43] that models the hash functions $\mathsf {G}$ and $\mathsf {H}$ as quantum random oracles. Indeed, the combined AKE transformation $\mathsf {FSXY}[\mathsf {PKE},\mathsf {FO}[\mathsf {PKE},\mathsf {G},\mathsf {H}]]$ transforms passively secure encryption into AKE that is very likely to be secure in the QROM, without using digital signatures, hence giving a first answer to our above question. It has, however, two main drawbacks.

Perfect correctness requirement. Transformation $\mathsf {FSXY}$ is not known to have a security proof if the underlying scheme does not satisfy perfect correctness. Likewise, the relatively tight QROM proof for $\mathsf {FO}$ that was given in [43] requires the underlying scheme to be perfectly correct, and a generalisation of the proof for schemes with non-perfect correctness is not straightforward. Hence, it is unclear whether $\mathsf {FSXY}[\mathsf {PKE},\mathsf {FO}[\mathsf {PKE},\mathsf {G},\mathsf {H}]]$ can be instantiated with lattice- or code-based encryption schemes.
Lack of simplicity. The Fujisaki-Okamoto transformation already involves hashing the key using hash function $\mathsf {H}$, and $\mathsf {FSXY}$ involves even more (potentially redundant) hashing of the (already hashed) session key. Overall, the combined transformation seems overly complicated and hence impractical.

In [24], a transformation was given that started from oneway-secure KEMs, but its security proof was given in the ROM, and its generalisation to the QROM was explicitly left as an open problem. Furthermore, it involves more hashing, similar to transformation $\mathsf {FSXY}$.

Hence, it seems desirable to provide a simplified transformation that gets rid of unnecessary hashing steps, and that can be proven secure in the QROM even if the underlying scheme does not satisfy perfect correctness. As a motivating example, note that the Kyber AKE protocol [16] can be seen as a result of applying such a simplified transformation to the Kyber PKE scheme, although coming without a formal security proof.

1.1 Our Contributions

Our main contribution is a transformation, $\mathsf {FO_\mathsf {AKE}}[\mathsf {PKE},\mathsf {G},\mathsf {H}]$ (“Fujisaki-Okamoto for AKE”) that converts any passively secure encryption scheme into an actively secure AKE protocol, with provable security in the quantum random oracle model. It can deal with non-perfect correctness and does not use digital signatures. Our transformation $\mathsf {FO_\mathsf {AKE}}$ can be viewed as a modification of the transformation given in [24]. Furthermore, we provide a precise game-based security definition for two-message AKE protocols. As a side result, we also give a security proof for the Fujisaki-Okamoto transformation in the QROM in Sect. 3 that deals with correctness errors. It can be seen as the $\mathsf {KEM}$ analogue of our main result, the $\mathsf {AKE}$ proof. Our proof strategy differs from and improves on the bounds of a previously published proof of the Fujisaki-Okamoto transformation for $\mathsf {KEM}$s in the QROM [32].

To simplify the presentation of $\mathsf {FO_\mathsf {AKE}}$, we first give some background on the Fujisaki-Okamoto transformation for $\mathsf {KEM}$s. In its original form [25, 26], FO yields an encryption scheme that is $\mathsf {IND}\text {-}\mathsf {CCA}$ secure in the random oracle model [9] from combining any One-Way secure asymmetric encryption scheme with any one-time secure symmetric encryption scheme. In “A Designer’s Guide to KEMs”, Dent [21] provided FO-like $\mathsf {IND}\text {-}\mathsf {CCA}$ secure KEMs. (Recall that any $\mathsf {IND}\text {-}\mathsf {CCA}$ secure Key Encapsulation Mechanism can be combined with any (one-time) chosen-ciphertext secure symmetric encryption scheme to obtain a $\mathsf {IND}\text {-}\mathsf {CCA}$ secure PKE scheme [20].) Since all of the transformations mentioned above required the underlying PKE scheme to be perfectly correct, and due to the increased popularity of lattice-based schemes with non-perfect correctness, [28] gave several modularisations of FO-like transformations and proved them robust against correctness errors. The key observation was that FO-like transformations essentially consists of two separate steps and can be dissected into two transformations, as sketched in the introduction of [28]:

Transformation $\mathsf {T}$: “Derandomise” and “re-encrypt”. Starting from an encryption scheme $\mathsf {PKE}$ and a hash function $\mathsf {G}$, encryption of $\mathsf {PKE}'=\mathsf {T}[\mathsf {PKE},\mathsf {G}]$ is defined by
$$\begin{aligned} \mathsf {Enc}'( pk ,m):=\mathsf {Enc}( pk ,m; \mathsf {G}(m)), \end{aligned}$$
where $\mathsf {G}(m)$ is used as the random coins for $\mathsf {Enc}$, rendering $\mathsf {Enc}'$ deterministic. $\mathsf {Dec}'( sk ,c)$ first decrypts c into $m'$ and rejects if $\mathsf {Enc}( pk ,m';\mathsf {G}(m')) \ne c$ (“re-encryption”).
Transformation $\mathsf {U}^{\not \bot }_ m $: “Hashing”. Starting from an encryption scheme $\mathsf {PKE}'$ and a hash function $\mathsf {H}$, key encapsulation mechanism $\mathsf {KEM}_m^{\not \bot }=\mathsf {U}^{\not \bot }_ m [\mathsf {PKE}',\mathsf {H}]$ with “implicit rejection” is defined by
$$\begin{aligned} \mathsf {Encaps}( pk ):= (c \leftarrow \mathsf {Enc}'( pk ,m), K:= \mathsf {H}(m)), \end{aligned}$$
(1)
where m is picked at random from the message space, and
$$\begin{aligned} \mathsf {Decaps}( sk ,c)= {\left\{ \begin{array}{ll} \mathsf {H}(m) &{} m \ne \bot \\ \mathsf {H}(s,c) &{} m=\bot \end{array}\right. }\;, \end{aligned}$$
where $m := \mathsf {Dec}( sk ,c)$ and s is a random seed which is contained in $ sk $. In the context of the FO transformation, implicit rejection was first introduced by Persichetti [42, Sec. 5.3].

Transformation $\mathsf {T}$ was proven secure both in the (classical) ROM and the QROM, and $\mathsf {U}^{\not \bot }_ m $ was proven secure in the ROM. To achieve QROM security, [28] gave a modification of $\mathsf {U}^{\not \bot }_ m $, called $\mathsf {QU}^{\not \bot }_ m $, but its security proof in the QROM suffered from a quartic^{Footnote 3} loss in tightness, and furthermore, most real-world proposals are designed such that they fit the framework of $\mathsf {FO^{\not \bot }_ m }= \mathsf {U}^{\not \bot }_ m \circ \mathsf {T}$, not $\mathsf {QU}^{\not \bot }_ m \circ \mathsf {T}$.

A slightly different modularisation was introduced in [43]: they gave transformations $\mathsf {TPunc}$ (“Puncturing and Encrypt-with-Hash”) and $\mathsf {SXY}$ (“Hashing with implicit reject and reencryption”). $\mathsf {SXY}$ differs from $\mathsf {U}^{\not \bot }_ m $ in that it reencrypts during decryption. Hence, it can only be applied to deterministic schemes. Even in the QROM, its $\mathsf {CCA}$ security tightly reduces to an intermediate notion called Disjoint Simulatability ($\mathsf {DS}$) of ciphertexts. Intuitively, disjoint simulatability means that we can efficiently sample “fake ciphertexts” that are computationally indistinguishable from real $\mathsf {PKE}$ ciphertexts (“simulatability”), while the set of possible fake ciphertexts is required to be (almost) disjoint from the set of real ciphertexts. $\mathsf {DS}$ is naturally satisfied by many code/lattice-based encryption schemes. Additionally, it can be achieved using transformation $\mathsf {Punc}$, i.e., by puncturing the underlying schemes’ message space at one point and using this message to sample fake encryptions. Deterministic $\mathsf {DS}$ can be achieved by using transformation $\mathsf {TPunc}$, albeit non-tightly: the reduction suffers from quadratic loss in security and an additional factor of q, the number of the adversary’s hash queries.

However, the reduction that is given in [43] requires the underlying encryption scheme to be perfectly correct. Later, [32] gave non-modular security proofs for the transformations $\mathsf {FO^{\not \bot }_ m }$ and $\mathsf {FO}^{\not \bot }$ as well as a security proof for $\mathsf {SXY}$^{Footnote 4} for schemes with correctness errors, which still suffered from quadratic loss in security and an additional factor of q, the latter of which this work improves to $\sqrt{q}$.

Our transformation $\mathsf {FO^{\not \bot }_ m }$ can be applied to any $\mathsf {PKE}$ scheme that is both $\mathsf {IND}\text {-}\mathsf {CPA}$ and $\mathsf {DS}$ secure. The reduction is tighter than the one that results from combining those of $\mathsf {TPunc}$ and $\mathsf {SXY}$ in [43], and also than the reduction given in [33]. This is due to our use of the improved Oneway-to-Hiding lemma [3, Thm. 1: “Semi-classical O2H”]. Furthermore, we achieve a better correctness bound (the square of the bound given in [33]) due to a better bound for the generic distinguishing problem. In cases where $\mathsf {PKE}$ is not already $\mathsf {DS}$, this requirement can be waived with negligible loss of efficiency: To rely on $\mathsf {IND}\text {-}\mathsf {CPA}$ alone, all that has to be done is to plug in transformation $\mathsf {Punc}$. A visualisation is given in Fig. 1.

Security Model for Two-Message Authenticated Key Exchange. We introduce a simple game-based security model for (non-parallel) two-message AKE protocols, i.e., protocols where the responder sends his message only after having received the initiator’s message. Technically, in our model, and similar to previous literature, we define several oracles that the attacker has access to. However, in contrast to most other security models, the inner workings of these oracles and their management via the challenger are precisely defined with pseudo-code.

Details on our Models. We define two security notions for two-message AKEs: key indistinguishability against active attacks ($\mathsf {IND}\text {-}\mathsf {AA}$) and the weaker notion of indistinguishability against active attacks without state reveal in the test session ($\mathsf {IND}\text {-}\mathsf {St}\mathsf {AA}$). $\mathsf {IND}\text {-}\mathsf {AA}$ captures the classical notion of key indistinguishability (as introduced by Bellare and Rogaway [10]) as well as security against reflection attacks, key compromise impersonation (KCI) attacks, and weak forward secrecy (wFS) [37]. It is based on the Canetti-Krawczyk (CK) model and allows the attacker to reveal (all) secret state information as compared to only ephemeral keys. As already pointed out by [17], this makes our model incomparable to the eCK model [38] but strictly stronger than the CK model. Essentially, the $\mathsf {IND}\text {-}\mathsf {AA}$ model states that the session key remains indistinguishable from a random one even if

1.
the attacker knows either the long-term secret key or the secret state information (but not both) of both parties involved in the test session, as long as it did not modify the message received by the test session,
2.
and also if the attacker modified the message received by the test session, as long as it did not obtain the long-term secret key of the test session’s peer.

We also consider the slightly weaker model $\mathsf {IND}\text {-}\mathsf {St}\mathsf {AA}$ (in which we will prove the security of our AKE protocols), where 2. is substituted by

2’.
and also if the attacker modified the message received by the test session, as long as it did neither obtain the long-term secret key of the test session’s peer nor the test session’s state. The latter strategy, we will call a state attack.

We remark that $\mathsf {IND}\text {-}\mathsf {St}\mathsf {AA}$ security is essentially the same notion that was achieved by the $\mathsf {FSXY}$ transformation [23].^{Footnote 5} In the full version we provide a more general perspective on how our model compares to existing ones.

Our Authenticated Key-Exchange Protocol. Our transformation $\mathsf {FO_\mathsf {AKE}}$ transforms any passively secure $\mathsf {PKE}$ (with potential non-perfect correctness) into an $\mathsf {IND}\text {-}\mathsf {St}\mathsf {AA}$ secure $\mathsf {AKE}$. $\mathsf {FO_\mathsf {AKE}}$ is a simplification of the transformation $\mathsf {FSXY}[\mathsf {PKE},\mathsf {FO}[\mathsf {PKE},\mathsf {G},\mathsf {H}]]$ mentioned above, where the derivation of the session key K uses only one single hash function $\mathsf {H}$. $\mathsf {FO_\mathsf {AKE}}$ can be regarded as the AKE analogue of the Fujisaki-Okamoto transformation.

Transformation $\mathsf {FO_\mathsf {AKE}}[\mathsf {PKE},\mathsf {G},\mathsf {H}]$ is described in Fig. 2 and uses transform $\mathsf {PKE}'= \mathsf {T}[\mathsf {PKE},\mathsf {G}]$ as a building block. (The full construction is given in Fig. 15, see Sect. 5.) Our main security result (Theorem 3) states that $\mathsf {FO_\mathsf {AKE}}[\mathsf {PKE},\mathsf {G},\mathsf {H}]$ is an $\mathsf {IND}\text {-}\mathsf {St}\mathsf {AA}$-secure AKE if the underlying probabilistic $\mathsf {PKE}$ is $\mathsf {DS}$ as well as $\mathsf {IND}\text {-}\mathsf {CPA}$ secure and has negligible correctness error, and furthermore $\mathsf {G}$ and $\mathsf {H}$ are modeled as quantum random oracles.

The proof essentially is the AKE analogue to the security proof of $\mathsf {FO^{\not \bot }_ m }$ we give in Sect. 3.2: By definition of our security model, it always holds that at least one of the messages $m_i$, $m_j$ and $\tilde{m}$ is hidden from the adversary (unless it loses trivially) since it may not reveal a party’s secret key and its session state at the same time. Adapting the simulation technique in [43], we can simulate the session keys even if we do not know the corresponding secret key $sk_i$ ($sk_j$, $\tilde{ sk }$). Assuming that $\mathsf {PKE}$ is $\mathsf {DS}$, we can replace the corresponding ciphertext $c_i$ ($c_j$, $\tilde{c}$) of the test session with a fake ciphertext, rendering the test session’s key completely random from the adversary’s view due to $\mathsf {PKE}$’s disjointness.

Let us add two remarks. Firstly, we cannot prove the security of $\mathsf {FO_\mathsf {AKE}}[\mathsf {PKE},\mathsf {G},\mathsf {H}]$ in the stronger sense of $\mathsf {IND}\text {-}\mathsf {AA}$ and actually, it is not secure against state attacks. Secondly, note that our security statement involves the probabilistic scheme $\mathsf {PKE}$ rather than $\mathsf {PKE}'$. Unfortunately, we were not able to provide a modular proof of $\mathsf {AKE}$ solely based on reasonable security properties of $\mathsf {PKE}'=\mathsf {T}[\mathsf {PKE},\mathsf {G}]$. The reason for this is indeed the non-perfect correctness of $\mathsf {PKE}$. This difficulty corresponds to the difficulty to generalise [43]’s result for deterministic encryption schemes with correctness errors discussed above.

Concrete Applications. Our transformation can be applied to any scheme that is $\mathsf {IND}\text {-}\mathsf {CPA}$ secure with post-quantum security, e.g., Frodo [40], Kyber [16], and Lizard [5]. Recall that the additional requirement of $\mathsf {DS}$ can be achieved with negligible loss of efficiency. However, in many applications even this negligible loss is inexistent since most of the aforementioned schemes can already be proven $\mathsf {DS}$ under the same assumption that their $\mathsf {IND}\text {-}\mathsf {CPA}$ security is based upon.

Subsequent Work. Since this paper was published on eprint, there has been more work on $\mathsf {CCA}$ security of FO in the QROM ([13, 35]), essentially achieving the same level of tightness as this work. [13] achieves more modularity, and covers a class of schemes that is both less and more restrictive at the same time: They only require schemes to be oneway-secure (instead of $\mathsf {CPA}$, as required in this work), but the schemes have to meet an additional injectivity requirement (specified below).

Tightness for FO. Reductions from $\mathsf {CCA}$ security to $\mathsf {CPA}$ security in the QROM usually suffer from tightness loss in two separate ways: The best known bounds for probabilistic schemes to this date are essentially of the form $\sqrt{q} \sqrt{\epsilon }$, where q is the number of the adversary’s hash queries, and $\epsilon $ is the reduction’s $\mathsf {CPA}$ advantage. Hence, the loss consists of both a loss regarding q (q-nontightness), and worse, a quadratic loss regarding the level of $\mathsf {CPA}$ security (root-nontightness). For the general setting where one starts from a probabilistic scheme, there have not been tightness improvements since this work:

Essentially, [35] is an update of [32] that makes use of the improved Oneway-to-Hiding bounds given in [3], thereby improving [32]’s bound $q \sqrt{\epsilon }$ to $\sqrt{q} \sqrt{\epsilon }$, with the security requirement switching from onewayness to $\mathsf {IND}\text {-}\mathsf {CPA}$. The result seems to differ from this work solely in its (nonmodular) proof structure.

In [13], a new modular proof for FO was given by starting from probabilistic onewayness and choosing deterministic oneway-security as their intermediate^{Footnote 6} notion, opposed to our (strictly stronger) intermediate notion of deterministic $\mathsf {DS}$. This approach matches the observation that if one can start from a scheme that already is deterministically oneway-secure (like [12]), derandomisation step $\mathsf {T}$ is superfluous. In this case, only transformation $\mathsf {U}$ has to be applied, which is proven secure q-tightly. The weaker intermediate notion, however, shifts the root-nontightness to second transformation $\mathsf {U}$. Therefore, the result still is heavily non-tight, even if derandomising via $\mathsf {T}$ is skipped. Furthermore, no tightness improvements whatsoever are achieved if the underlying scheme is not already deterministic, and thus has to be derandomised using $\mathsf {T}$ first.

Modularity. The modular proof of [13] is achieved by introducing an additional notion for the intermediate scheme that deals with correctness errors. Unfortunately, the possibility of correctness errors complicate modular attempts on analysing FO: For underlying probabilistic schemes, [13] requires more than this work since its approach only is applicable if the “intermediate” scheme is injective with overwhelming probability. It is very likely that the modular approach of [13] could be generalised to an AKE proof that similarly is modular and hence, conceptually nicer. But this gain in modularity would come at a cost: The approach only is applicable if the derandomised scheme is essentially injective. We would, therefore, add an unnecessary restriction on the class of schemes that AKE can be based upon.

Open Problems. In the literature, one can find several Diffie-Hellman based protocols that achieve $\mathsf {IND}\text {-}\mathsf {AA}$ security, for example HMQV [37]. However, none of them provides security against quantum computers. We leave as an interesting open problem to design a generic and efficient two-message AKE protocol in our stronger $\mathsf {IND}\text {-}\mathsf {AA}$ model, preferably with a security proof in the QROM to guarantee its security even in the presence of quantum adversaries.

While [13] gave a proof of $\mathsf {CCA}$ security that is conceptually cleaner, it still is heavily non-tight due to its root-nontightness, with the root-nontightness stemming from its usage of a standard Oneway-to-Hiding strategy. Recent work [34] proved that for reductions using this standard approach, suffering from quadratic security loss is inevitable. We would like to point out, however, that we do not view this result as an impossibility result^{Footnote 7}. It rather proves impossibility of root-tightness for a certain type of reduction, and thereby informs us how to adapt possible future proof strategies: A root-tight proof of $\mathsf {CCA}$ security still might be achievable, but the respective reduction would have to be more sophisticated than extracting oneway solutions for the underlying scheme by simply applying Oneway-to-Hiding.

2 Preliminaries

For $n \in \mathbb {N}$, let $[n] := \lbrace 1, \dots , n \rbrace .$ For a set S, |S| denotes the cardinality of S. For a finite set S, we denote the sampling of a uniform random element x by $x \leftarrow _\$S$, while we denote the sampling according to some distribution $\mathfrak {D}$ by $x \leftarrow \mathfrak {D}$. By $\llbracket B\rrbracket $ we denote the bit that is 1 if the boolean Statement B is true, and otherwise 0.

Algorithms. We denote deterministic computation of an algorithm A on input x by $y := A(x).$ We denote algorithms with access to an oracle $\textsc {O}$ by $\mathsf {A}^{\textsc {O}}$. Unless stated otherwise, we assume all our algorithms to be probabilistic and denote the computation by $y\leftarrow A(x)$.

Games. Following [11, 45], we use code-based games. We implicitly assume boolean flags to be initialised to false, numerical types to 0, sets to $\varnothing $, and strings to the empty string $\epsilon $. We make the convention that a procedure terminates once it has returned an output.

2.1 Public-Key Encryption

Syntax. A public-key encryption scheme $\mathsf {PKE}= (\mathsf {KG}, \mathsf {Enc}, \mathsf {Dec})$ consists of three algorithms, and a finite message space $\mathcal {M}$ which we assume to be efficiently recognisable. The key generation algorithm $\mathsf {KG}$ outputs a key pair $( pk , sk )$, where $ pk $ also defines a finite randomness space $\mathcal {R}=\mathcal {R}( pk )$ as well as a ciphertext space $\mathcal {C}$. The encryption algorithm $\mathsf {Enc}$, on input $ pk $ and a message $m \in \mathcal {M}$, outputs an encryption $c \leftarrow \mathsf {Enc}( pk ,m)$ of m under the public key $ pk $. If necessary, we make the used randomness of encryption explicit by writing $c := \mathsf {Enc}( pk ,m; r)$, where $r \leftarrow _\$\mathcal {R}$. The decryption algorithm $\mathsf {Dec}$, on input $ sk $ and a ciphertext c, outputs either a message $m = \mathsf {Dec}( sk ,c) \in \mathcal {M}$ or a special symbol $ \bot \notin \mathcal {M}$ to indicate that c is not a valid ciphertext.

Definition 1

(Collision probability of key generation). We define

$$\begin{aligned} \mu (\mathsf {KG}):= \Pr [( pk , sk ) \leftarrow \mathsf {KG}, ( pk ', sk ') \leftarrow \mathsf {KG}: pk = pk']. \end{aligned}$$

Definition 2

(Collision probability of ciphertexts). We define

$$\begin{aligned} \mu (\mathsf {Enc}):= \Pr [( pk , sk ) \leftarrow \mathsf {KG}, m, m' \leftarrow _\$\mathcal {M}, c \leftarrow \mathsf {Enc}( pk ,m), c' \leftarrow \mathsf {Enc}( pk ,m'): c = c']. \end{aligned}$$

Definition 3

($\gamma $-Spreadness). [25] We say that $\mathsf {PKE}$ is $\gamma $-spread iff for all key pairs $( pk , sk ) \in \mathrm {supp}(\mathsf {KG})$ and all messages $m \in \mathcal {M}$ it holds that

$$\begin{aligned} \max _{c \in \mathcal {C}} \Pr [r \leftarrow _\$\mathcal {R}: \mathsf {Enc}( pk , m; r)= c] \le 2^{- \gamma }. \end{aligned}$$

Definition 4

(Correctness). [28] We define $\delta := \mathbf {E}[\max _{m \in \mathcal {M}} \Pr [c \leftarrow \mathsf {Enc}( pk , m): \mathsf {Dec}( sk , c) \ne m]]$, where the expectation is taken over $( pk , sk ) \leftarrow \mathsf {KG}$.

Security. We now define the notion of Indistinguishability under Chosen Plaintext Attacks ($\mathsf {IND}\text {-}\mathsf {CPA}$) for public-key encryption.

Definition 5

($\mathsf {IND}\text {-}\mathsf {CPA}$). Let $\mathsf {PKE}=(\mathsf {KG},\mathsf {Enc},\mathsf {Dec})$ be a public-key encryption scheme. We define game $\mathsf {IND}\text {-}\mathsf {CPA}$ game as in Fig. 3, and the $\mathsf {IND}\text {-}\mathsf {CPA}$ advantage function of a quantum adversary $\mathsf {A} = (\mathsf {A}_1, \mathsf {A}_2)$ against $\mathsf {PKE}$ (such that $\mathsf {A}_2$ has binary output) as

$$\begin{aligned} \mathrm {Adv}^{\mathsf {IND}\text {-}\mathsf {CPA}}_{\mathsf {PKE}}(\mathsf {A}) := |\Pr [ \mathsf {IND}\text {-}\mathsf {CPA}_1^{\mathsf {A}} \Rightarrow 1 ] - \Pr [ \mathsf {IND}\text {-}\mathsf {CPA}_0^{\mathsf {A}} \Rightarrow 1 ]|. \end{aligned}$$

We also define $\mathsf {IND}\text {-}\mathsf {CPA}$ security in the random oracle model model, where $\mathsf {PKE}$ and adversary $\mathsf {A}$ are given access to a random oracle.

Disjoint simulatability. Following [43], we consider PKE where it is possible to efficiently sample fake ciphertexts that are indistinguishable from proper encryptions, while the probability that the sampling algorithm hits a proper encryption is small.

Definition 6

($\mathsf {DS}$) Let $\mathsf {PKE}= (\mathsf {KG}, \mathsf {Enc}, \mathsf {Dec})$ be a PKE scheme with message space $\mathcal {M}$ and ciphertext space $\mathcal {C}$, coming with an additional PPT algorithm $\overline{\mathsf {Enc}}$. For quantum adversaries $\mathsf {A}$, we define the advantage against $\mathsf {PKE}$’s disjoint simulatability as

$$\begin{aligned} \mathrm {Adv}^{\mathsf {DS}}_{\mathsf {PKE}, \overline{\mathsf {Enc}}}(\mathsf {A}) :=&|\Pr [ pk \leftarrow \mathsf {KG}, m \leftarrow _\$\mathcal {M}, c \leftarrow \mathsf {Enc}( pk , m): 1 \leftarrow \mathsf {A}( pk , c)] \\&- \Pr [ pk \leftarrow \mathsf {KG}, c \leftarrow \overline{\mathsf {Enc}}( pk ): 1 \leftarrow \mathsf {A}( pk , c)]|. \end{aligned}$$

When there is no chance of confusion, we will drop $\overline{\mathsf {Enc}}$ from the advantage’s subscript for convenience.

We call $\mathsf {PKE}$ $\epsilon _{\text {dis}}$-disjoint if for all $ pk \in \mathrm {supp}(\mathsf {KG})$, $ \Pr [c \leftarrow \overline{\mathsf {Enc}}( pk ) : c \in \mathsf {Enc}( pk , \mathcal {M}; \mathcal {R}) ] \le \epsilon _{\text {dis}}.$

2.2 Key Encapsulation

Syntax. A key encapsulation mechanism $\mathsf {KEM}= (\mathsf {KG}, \mathsf {Encaps}, \mathsf {Decaps})$ consists of three algorithms. The key generation algorithm $\mathsf {KG}$ outputs a key pair $( pk , sk )$, where $ pk $ also defines a finite key space $\mathcal {K}$. The encapsulation algorithm $\mathsf {Encaps}$, on input $ pk $, outputs a tuple (K, c) where c is said to be an encapsulation of the key K which is contained in key space $\mathcal {K}$. The deterministic decapsulation algorithm $\mathsf {Decaps}$, on input $ sk $ and an encapsulation c, outputs either a key $K := \mathsf {Decaps}( sk , c) \in \mathcal {K}$ or a special symbol $ \bot \notin \mathcal {K}$ to indicate that c is not a valid encapsulation.

We call $\mathsf {KEM}$ $\delta $-correct if

$$\begin{aligned} \Pr \left[ \mathsf {Decaps}( sk ,c) \ne K \mid ( pk , sk ) \leftarrow \mathsf {KG}; (K,c) \leftarrow \mathsf {Encaps}( pk ) \right] \le \delta . \end{aligned}$$

Note that the above definition also makes sense in the random oracle model since KEM ciphertexts do not depend on messages.

Security. We now define a security notion for key encapsulation: Indistinguishbility under Chosen Ciphertext Attacks ($\mathsf {IND}\text {-}\mathsf {CCA}$).

Definition 7

($\mathsf {IND}\text {-}\mathsf {CCA}$). We define the $\mathsf {IND}\text {-}\mathsf {CCA}$ game as in Fig. 3 and the $\mathsf {IND}\text {-}\mathsf {CCA}$ advantage function of an adversary $\mathsf {A}$ (with binary output) against $\mathsf {KEM}$ as

2.3 Quantum Computation

Qubits. For simplicity, we will treat a qubit as a vector $|{\varphi } \rangle \in \mathbb {C}^2$, i.e., a linear combination $|{\varphi } \rangle = \alpha \cdot |{0} \rangle + \beta \cdot |{1} \rangle $ of the two basis states (vectors) $|{0} \rangle $ and $|{1} \rangle $ with the additional requirement to the probability amplitudes $\alpha , \beta \in \mathbb {C}$ that $|\alpha |^2 + |\beta |^2 = 1.$ The basis $\lbrace |{0} \rangle , |{1} \rangle \rbrace $ is called standard orthonormal computational basis. The qubit $|{\varphi } \rangle $ is said to be in superposition. Classical bits can be interpreted as quantum bits via the mapping $(b \mapsto 1 \cdot |{b} \rangle + 0 \cdot |{1-b} \rangle )$.

Quantum Registers. We will treat a quantum register as a collection of multiple qubits, i.e. a linear combination $|{\varphi } \rangle := \sum _{x \in \mathbb {F}_2^n} \alpha _{x} \cdot |{x} \rangle $, where $\alpha _{x} \in \mathbb {C},$ with the additional restriction that $\sum _{x \in \mathbb {F}_2^n}^{} |\alpha _{x}|^2 = 1.$ As in the one-dimensional case, we call the basis $\lbrace |{x} \rangle \rbrace _{x \in \mathbb {F}_2^n}$ the standard orthonormal computational basis. We say that $|{\varphi } \rangle = \sum _{x \in \mathbb {F}_2^n} \alpha _x \cdot |{x} \rangle $ contains the classical query x if $\alpha _{x} \ne 0$.

Measurements. Qubits can be measured with respect to a basis. In this paper, we will only consider measurements in the standard orthonormal computational basis, and denote this measurement by $\textsc {Measure}(\cdot )$, where the outcome of $\textsc {Measure}(|{\varphi } \rangle )$ for a single qubit $|{\varphi } \rangle = \alpha \cdot |{0} \rangle + \beta \cdot |{1} \rangle $ will be 0 with probability $|\alpha |^2$ and 1 with probability $|\beta |^2$, and the outcome of measuring a qubit register $|{\varphi } \rangle = \sum _{x \in \mathbb {F}_2^n}^{} \alpha _{x} \cdot |{x} \rangle $ will be x with probability $|\alpha _{x}|^2$. Note that the amplitudes collapse during a measurement, this means that by measuring $\alpha \cdot |{0} \rangle + \beta \cdot |{1} \rangle $, $\alpha $ and $\beta $ are switched to one of the combinations in $\lbrace \pm (1,0),\ \pm (0,1)\rbrace .$ Likewise, in the n-dimensional case, all amplitudes are switched to 0 except for the one that belongs to the measurement outcome and which will be switched to 1.

Quantum oracles and quantum Adversaries. Following [6, 14], we view a quantum oracle $|{\mathsf {O}} \rangle $ as a mapping

$$\begin{aligned} |{x} \rangle |{y} \rangle \mapsto |{x} \rangle |{y \oplus \mathsf {O}(x)} \rangle , \end{aligned}$$

where $\mathsf {O}: \mathbb {F}_2^n \rightarrow \mathbb {F}_2^{m}$, and model quantum adversaries $\mathsf {A}$ with access to $\mathsf {O}$ by a sequence $U_1$, $|{\mathsf {O}} \rangle $, $U_2$, $\cdots $, $|{\mathsf {O}} \rangle $, $U_N$ of unitary transformations. We write $\mathsf {A}^{|{\mathsf {O}} \rangle }$ to indicate that the oracles are quantum-accessible (contrary to oracles which can only process classical bits).

Quantum random oracle model. We consider security games in the quantum random oracle model (QROM) as their counterparts in the classical random oracle model, with the difference that we consider quantum adversaries that are given quantum access to the (offline) random oracles involved, and classical access to all other (online) oracles. For example, in the $\mathsf {IND\text {-}CPA}$ game, the adversary only obtains a classical encryption, like in [18], and unlike in [15]. In the $\mathsf {IND\text {-}CCA}$ game, the adversary only has access to a classical decryption oracle, unlike in [27] and [1].

Zhandry [48] proved that no quantum algorithm $\mathsf {A}^{|{\mathsf {O}} \rangle }$, issuing at most q quantum queries to $|{\mathsf {O}} \rangle $, can distinguish between a random function $\mathsf {O}: \mathbb {F}_2^m \rightarrow \mathbb {F}_2^n$ and a 2q-wise independent function $f_{2q}$. For concreteness, we view $f_{2q}: \mathbb {F}_2^m \rightarrow \mathbb {F}_2^n$ as a random polynomial of degree 2q over the finite field $\mathbb {F}_{2^n}$. The running time to evaluate $f_{2q}$ is linear in q. In this article, we will use this observation in the context of security reductions, where quantum adversary $\mathsf {B}$ simulates quantum adversary $\mathsf {A}^{|{\mathsf {O}} \rangle }$ issuing at most q queries to $|{\mathsf {O}} \rangle $. Hence, the running time of $\mathsf {B}$ is $\text {Time}(\mathsf {B}) = \text {Time}(\mathsf {A}) + q \cdot \text {Time}(\mathsf {O})$, where $\text {Time}(\mathsf {O})$ denotes the time it takes to simulate $|{\mathsf {O}} \rangle $. Using the observation above, $\mathsf {B}$ can use a 2q-wise independent function in order to (information-theoretically) simulate $|{\mathsf {O}} \rangle $, and we obtain that the running time of $\mathsf {B}$ is $\text {Time}(\mathsf {B}) = \text {Time}(\mathsf {A}) + q \cdot \text {Time}(f_{2q})$, and the time $\text {Time}(f_{2q})$ to evaluate $f_{2q}$ is linear in q. Following [43] and [36], we make use of the fact that the second term of this running time (quadratic in q) can be further reduced to linear in q in the quantum random-oracle model where $\mathsf {B}$ can simply use another random oracle to simulate $|{\mathsf {O}} \rangle $. Assuming evaluating the random oracle takes one time unit, we write $\text {Time}(\mathsf {B}) = \text {Time}(\mathsf {A}) + q$, which is approximately $\text {Time}(\mathsf {A})$.

Oneway to Hiding with semi-classical oracles. In [3], Ambainis et al. defined semi-classical oracles that return a state that was measured with respect to one of the input registers. In particular, to any subset $S \subset X$, they associated the following semi-classical oracle $\mathsf {O^{SC}_S}$: Algorithm $\mathsf {O^{SC}_S}$, when queried on $|{\psi , 0} \rangle $, measures with respect to the projectors $M_1$ and $M_0$, where $M_1 := \sum _{x \in S} |{x} \rangle \langle x |$ and $M_0 := \sum _{x \notin S} |{x} \rangle \langle x |$. The oracle then initialises the second register to $|{b} \rangle $ for the measured bit b. This means that $|{\psi , 0} \rangle $ collapses to either a state $|{\psi ', 0} \rangle $ such that $|{\psi '} \rangle $ only contains elements of $X \setminus S$ or to a state $|{\psi ', 1} \rangle $ such that $|{\psi '} \rangle $ only contains elements of S. Let $\textsc {FIND}$ denote the event that the latter ever is the case, i.e., that $\mathsf {O^{SC}_S}$ ever answers with $|{\psi ',1} \rangle $ for some $\psi '$. To a quantum-accessible oracle $\mathsf {G}$ and a subset $S \subset X$, Ambainis et al. associate the following punctured oracle $\mathsf {G \setminus S}$ that removes S from the domain of $\mathsf {G}$ unless $\textsc {FIND}$ occurs (Fig. 4).

The following theorem is a simplification of statement (2) given in [3, Thm. 1: “Semi-classical O2H”], and of [3, Cor. 1]. It differs in the following way: While [3] consider adversaries that might execute parallel oracle invocations and therefore differentiate between query depth d and number of queries q, we use the upper bound $q \ge d$ for simplicity.

Theorem 1

Let $S \subset X$ be random. Let $G, H \in Y^X$ be random functions such that $G_{|X \setminus S}= H_{|X \setminus S}$, and let z be a random bitstring. (S, G, H, and z may have an arbitrary joint distribution.) Then, for all quantum algorithms $\mathsf {A}$ issuing at most q queries that, on input z, output either 0 or 1,

$$\begin{aligned} | \Pr [1 \leftarrow \mathsf {A}^{|{\mathsf {G}} \rangle }(z) ] - \Pr [1 \leftarrow \mathsf {A}^{|{\mathsf {H}} \rangle }(z) ] | \le 2 \cdot \sqrt{q \Pr [b \leftarrow \mathsf {A}^{|{\mathsf {G\setminus S}} \rangle }(z) : \textsc {FIND}] }. \end{aligned}$$

If furthermore $S := \lbrace x \rbrace $ for $x \leftarrow _\$X$, and x and z are independent,

$$\begin{aligned} \Pr [b \leftarrow \mathsf {A}^{|{\mathsf {G\setminus S}} \rangle }(z) : \textsc {FIND}] \le \frac{4 q}{|X|}. \end{aligned}$$

Generic quantum Distinguishing Problem with bounded probabilities. For $\lambda \in [0,1]$, let $B_\lambda $ be the Bernoulli distribution, i.e., $\Pr [b = 1] = \lambda $ for the bit $b \leftarrow B_\lambda $. Let X be some finite set. The generic quantum distinguishing problem ([4, Lemma 37], [30, Lem. 3]) is to distinguish quantum access to an oracle $F : X \rightarrow \mathbb {F}_2$, such that for each $x \in X$, F(x) is distributed according to $B_\lambda $, from quantum access to the zero function. We will need the following slight variation. The Gequantum Distinguishing Problem with Bounded probabilities $\mathsf {GDPB}$ is like the quantum distinguishing problem with the difference that the Bernoulli parameter $\lambda _x$ may depend on x, but still is upper bounded by a global $\lambda $. The upper bound we give is the same as in [30, Lem. 3]. It is proven in the full version.

Lemma 1

(Generic Distinguishing Problem with Bounded Probabilities). [Generic Distinguishing Problem with Bounded Probabilities] Let X be a finite set, and let $\lambda \in [0,1]$. Then, for any (unbounded, quantum) algorithm $\mathsf {A}$ issuing at most q quantum queries,

$$\begin{aligned} |\Pr [\mathsf {GDPB}^{\mathsf {A}}_{\lambda ,0} \Rightarrow 1] - \Pr [\mathsf {GDPB}^{\mathsf {A}}_{\lambda ,1} \Rightarrow 1]| \le 8 (q+1)^2 \cdot \lambda , \end{aligned}$$

where games $\mathsf {GDPB}^{\mathsf {A}}_{\lambda ,b}$ (for bit $b \in \mathbb {F}_2$) are defined as follows:

3 The FO Transformation: QROM Security with Correctness Errors

In Sect. 3.1, we modularise transformation $\mathsf {TPunc}$ that was given in [43] and that turns any public key encryption scheme that is $\mathsf {IND}\text {-}\mathsf {CPA}$ secure into a deterministic one that is $\mathsf {DS}$. Transformation $\mathsf {TPunc}$ essentially consists of first puncturing the message space at one point (transformation $\mathsf {Punc}$, to achieve probabilistic $\mathsf {DS}$), and then applying transformation $\mathsf {T}$. Next, in Sect. 3.2, we show that transformation $\mathsf {U}^{\not \bot }_ m $, when applied to $\mathsf {T}$, transforms any encryption scheme that is $\mathsf {DS}$ as well as $\mathsf {IND}\text {-}\mathsf {CPA}$ into a KEM that is $\mathsf {IND}\text {-}\mathsf {CCA}$ secure. We believe that many lattice-based schemes fulfill $\mathsf {DS}$ in a natural way,^{Footnote 8} but for the sake of completeness, we will show in the full version how transformation $\mathsf {Punc}$ can be used to waive the requirement of $\mathsf {DS}$ with negligible loss of efficiency.

3.1 Modularisation of $\mathsf {TPunc}$

We modularise transformation $\mathsf {TPunc}$ (“Puncturing and Encrypt-with-Hash”) that was given in [43], and that turns any $\mathsf {IND}\text {-}\mathsf {CPA}$ secure PKE scheme into a deterministic one that is $\mathsf {DS}$. Note that apart from reencryption, $\mathsf {TPunc}[\mathsf {PKE}_0, \mathsf {G}]$ given in [43] and our modularisation $\mathsf {T}[\mathsf {Punc}[\mathsf {PKE}_0], \mathsf {G}]$ are equal. We first give transformation $\mathsf {Punc}$ that turns any $\mathsf {IND}\text {-}\mathsf {CPA}$ secure scheme into a scheme that is both $\mathsf {DS}$ and $\mathsf {IND}\text {-}\mathsf {CPA}$. We show that transformation $\mathsf {T}$ turns any scheme that is $\mathsf {DS}$ as well as $\mathsf {IND}\text {-}\mathsf {CPA}$ secure into a deterministic scheme that is $\mathsf {DS}$.

Transformation $\mathsf {Punc}$ turns any $\mathsf {IND}\text {-}\mathsf {CPA}$ secure public-key encryption scheme into a $\mathsf {DS}$ secure one by puncturing the message space at one message and sampling encryptions of this message as fake encryptions.

The Construction. To a public-key encryption scheme $\mathsf {PKE}_0 = (\mathsf {KG}_0, \mathsf {Enc}_0, \mathsf {Dec}_0)$ with message space $\mathcal {M}_0$, we associate $\mathsf {PKE}:= \mathsf {Punc}[\mathsf {PKE}_0, \hat{m}]:= (\mathsf {KG}:= \mathsf {KG}_0,\mathsf {Enc}, \mathsf {Dec}:= \mathsf {Dec}_0)$ with message space $\mathcal {M}:= \mathcal {M}_0 \setminus \lbrace \hat{m} \rbrace $ for some message $\hat{m} \in \mathcal {M}$. Encryption and fake encryption sampling of $\mathsf {PKE}$ are defined in Fig. 5. Note that transformation $\mathsf {Punc}$ will only be used as a helper transformation to achieve $\mathsf {DS}$, generically. We prove that $\mathsf {Punc}$ achieves $\mathsf {DS}$ from $\mathsf {IND}\text {-}\mathsf {CPA}$ security in the full version.

Transformation $\mathsf {T}$ [7] turns any probabilistic public-key encryption scheme into a deterministic one. The transformed scheme is $\mathsf {DS}$, given that $\mathsf {PKE}$ is $\mathsf {DS}$ as well as $\mathsf {IND}\text {-}\mathsf {CPA}$ secure. Our security proof is tighter than the proof given for $\mathsf {TPunc}$ (see [43, Theorem 3.3]) due to our use of the semi-classical O2H theorem.

The Construction. Take an encryption scheme $\mathsf {PKE}= (\mathsf {KG}, \mathsf {Enc}, \mathsf {Dec})$ with message space $\mathcal {M}$ and randomness space $\mathcal {R}$. Assume $\mathsf {PKE}$ to be additionally endowed with a sampling algorithm $\overline{\mathsf {Enc}}$ (see Definition 6). To $\mathsf {PKE}$ and random oracle $\mathsf {G} : \mathcal {M}\rightarrow \mathcal {R}$, we associate $\mathsf {PKE}'= \mathsf {T}[\mathsf {PKE},\mathsf {G}] $, where the algorithms of $\mathsf {PKE}'=(\mathsf {KG}' := \mathsf {KG}, \mathsf {Enc}', \mathsf {Dec}', \overline{\mathsf {Enc}}' := \overline{\mathsf {Enc}})$ are defined in Fig. 6. Note that $\mathsf {Enc}'$ deterministically computes the ciphertext as $c := \mathsf {Enc}( pk ,m; \mathsf {G}(m))$.

The following lemma states that combined $\mathsf {IND}\text {-}\mathsf {CPA}$ and $\mathsf {DS}$ security of $\mathsf {PKE}$ imply the $\mathsf {DS}$ security of $\mathsf {PKE}'$.

Lemma 2

($\mathsf {DS}$ security of $\mathsf {PKE}'$). If $\mathsf {PKE}$ is $\epsilon $-disjoint, so is $\mathsf {PKE}'$. For all adversaries $\mathsf {A}$ issuing at most $q_{\mathsf {G}}$ (quantum) queries to $\mathsf {G}$, there exist an adversary $\mathsf {B_\mathsf {IND}}$ and an adversary $\mathsf {B_\mathsf {DS}}$ such that

$$\begin{aligned} \mathrm {Adv}^{\mathsf {DS}}_{\mathsf {PKE}'}(\mathsf {A}) \le&\; \mathrm {Adv}^{\mathsf {DS}}_{\mathsf {PKE}}(\mathsf {B}_\mathsf {DS}) + 2 \cdot \sqrt{q_{\mathsf {G}} \cdot \mathrm {Adv}^{\mathsf {IND}\text {-}\mathsf {CPA}}_{\mathsf {PKE}}(\mathsf {B_\mathsf {IND}}) + \frac{4 q_{\mathsf {G}}^2}{|\mathcal {M}|} } \\ \le&\; \mathrm {Adv}^{\mathsf {DS}}_{\mathsf {PKE}}(\mathsf {B}_\mathsf {DS}) + 2 \cdot \sqrt{q_{\mathsf {G}} \cdot \mathrm {Adv}^{\mathsf {IND}\text {-}\mathsf {CPA}}_{\mathsf {PKE}}(\mathsf {B_\mathsf {IND}})} + \frac{4 q_{\mathsf {G}}}{\sqrt{|\mathcal {M}|}}, \end{aligned}$$

and the running time of each adversary is about that of $\mathsf {B}$.

Proof

It is straightforward to prove disjointness since $\mathsf {Enc}'( pk , \mathcal {M})$ is subset of $\mathsf {Enc}( pk , \mathcal {M}; \mathcal {R})$. Let $\mathsf {A}$ be a $\mathsf {DS}$ adversary against $\mathsf {PKE}'$. Consider the sequence of games given in Fig. 7. Per definition,

$$\begin{aligned} \mathrm {Adv}^{\mathsf {DS}}_{\mathsf {PKE}'}(\mathsf {A})&= |\Pr [G_{0}^{\mathsf {A}} \Rightarrow 1] - \Pr [G_{1}^{\mathsf {A}} \Rightarrow 1]| \\&\le |\Pr [G_{0}^{\mathsf {A}} \Rightarrow 1] - \Pr [G_{3}^{\mathsf {A}} \Rightarrow 1]| + |\Pr [G_{1}^{\mathsf {A}} \Rightarrow 1] - \Pr [G_{3}^{\mathsf {A}} \Rightarrow 1]|. \end{aligned}$$

To upper bound $|\Pr [G_{0}^{\mathsf {A}} \Rightarrow 1] - \Pr [G_{3}^{\mathsf {A}} \Rightarrow 1]|$, consider adversary $\mathsf {B_\mathsf {DS}}$ against the disjoint simulatability of the underlying scheme $\mathsf {PKE}$, given in Fig. 8. $\mathsf {B_\mathsf {DS}}$ runs in the time that is required to run $\mathsf {A}$ and to simulate $\mathsf {G}$ for $q_{\mathsf {G}}$ queries. Since $\mathsf {B_\mathsf {DS}}$ perfectly simulates game $G_{0}$ if run with a fake ciphertext as input, and game $G_{3}$ if run with a random encryption $c \leftarrow \mathsf {Enc}( pk , m^*)$,

$$\begin{aligned} |\Pr [G_{0}^{\mathsf {A}} \Rightarrow 1] - \Pr [G_{3}^{\mathsf {A}} \Rightarrow 1]| = \mathrm {Adv}^{\mathsf {DS}}_{\mathsf {PKE}}(\mathsf {B_\mathsf {DS}}). \end{aligned}$$

It remains to upper bound $|\Pr [G_{1}^{\mathsf {A}} \Rightarrow 1] - \Pr [G_{3}^{\mathsf {A}} \Rightarrow 1]|$. We claim that there exists an adversary $\mathsf {B_\mathsf {IND}}$ such that

$$\begin{aligned} |\Pr [G_{1}^{\mathsf {A}} \Rightarrow 1] - \Pr [G_{3}^{\mathsf {A}} \Rightarrow 1]| \le 2 \sqrt{q_{\mathsf {G}} \cdot \mathrm {Adv}^{\mathsf {IND}\text {-}\mathsf {CPA}}_{\mathsf {PKE}}(\mathsf {B_\mathsf {IND}}) + \frac{4 q_{\mathsf {G}}^2}{|\mathcal {M}|}}. \end{aligned}$$

Game $G_2$. In game $G_2$, we replace oracle access to $\mathsf {G}$ with oracle acces to $\mathsf {H}$ in line 08, where $\mathsf {H}$ is defined as follows: we pick a uniformly random $r^*$ in line 08 and let $\mathsf {H}(m) := \mathsf {G}(m)$ for all $m \ne m^*$, and $\mathsf {H}(m^*) := r^*$. Note that this change also affects the challenge ciphertext $c^*$ since it is now defined relative to this new $r^*$, i.e., we now have $c^* = \mathsf {Enc}( pk , m^*; \mathsf {H}(m^*))$. Since $r^*$ is uniformly random and $\mathsf {G}$ is a random oracle, so is $\mathsf {H}$, and since we kept $c^*$ consistent, this change is purely conceptual and

$$\begin{aligned} \Pr [G_{1}^{\mathsf {A}} \Rightarrow 1] = \Pr [G_{2}^{\mathsf {A}} \Rightarrow 1]. \end{aligned}$$

Game $G_3$. In game $G_3$, we switch back to oracle access to $\mathsf {G}$, but keep $c^*$ unaffected by this change. We now are ready to use Oneway to Hiding with semi-classical oracles. Intuitively, the first part of O2H states that if oracles $\mathsf {G}$ and $\mathsf {H}$ only differ on point $m^*$, the probability of an adversary being able to tell $\mathsf {G}$ and $\mathsf {H}$ apart is directly related to $m^*$ being detectable in its random oracle queries. Detecting $m^*$ is formalised by game $G_{4}$, in which each of the random oracle queries of $\mathsf {A}$ is measured with respect to projector $|{m^*} \rangle \langle m^* |$, thereby collapsing the query to either $m^*$ (and switching flag $\textsc {FIND}$ to $\mathbf{true} $) or a superposition that does not contain $m^*$ at all. Following the notation of [3], we denote this process by a call to oracle $\mathsf {O^{SC}_{\lbrace m^* \rbrace }}$, see line 08. Applying the first statement of Theorem 1 for $S:= \lbrace m^*\rbrace $, and $z := ( pk , c^* := \mathsf {Enc}( pk , m^*; r^*))$, we obtain

$$\begin{aligned} |\Pr [G_{2}^{\mathsf {A}} \Rightarrow 1] - \Pr [G_{3}^{\mathsf {A}} \Rightarrow 1]| \le 2 \cdot \sqrt{q_{\mathsf {G}} \cdot \Pr [G_{4}^{\mathsf {A}} \Rightarrow 1] }. \end{aligned}$$

Game $G_5$. In game $G_5$, $c^* \leftarrow \mathsf {Enc}( pk , m^*)$ is replaced with an encryption of 0. Since in game $G_5$, $( pk , c^*)$ is independent of $m^*$, we can apply the second statement of O2H that upper bounds the probability of finding an independent point $m^*$, relative to the number of queries and the size of the search space $\mathcal {M}$. We obtain

$$\begin{aligned} \Pr [G_{5}^{\mathsf {A}} \Rightarrow 1] \le \frac{4 q_{\mathsf {G}}}{|\mathcal {M}|}. \end{aligned}$$

To upper bound $|\Pr [G_{4}^{\mathsf {A}} \Rightarrow 1] - \Pr [G_{5}^{\mathsf {A}} \Rightarrow 1]|$, consider adversary $\mathsf {B_{IND}}$ against the $\mathsf {IND}\text {-}\mathsf {CPA}$ security of $\mathsf {PKE}$, also given in Fig. 8. $\mathsf {B_{IND}}$ runs in the time that is required to run $\mathsf {A}$ and to simulate the measured version of oracle $\mathsf {G}$ for $q_{\mathsf {G}}$ queries. $\mathsf {B_{IND}}$ perfectly simulates game $G_{4}$ if run in game $\mathsf {IND}\text {-}\mathsf {CPA}_0$ and game $G_{5}$ if run in game $\mathsf {IND}\text {-}\mathsf {CPA}_1$, therefore,

$$\begin{aligned} |\Pr [G_{4}^{\mathsf {A}} \Rightarrow 1] - \Pr [G_{5}^{\mathsf {A}} \Rightarrow 1]| = \mathrm {Adv}^{\mathsf {IND}\text {-}\mathsf {CPA}}_{\mathsf {PKE}}(\mathsf {B_{IND}}). \end{aligned}$$

Collecting the probabilities yields

$$\begin{aligned} \Pr [G_{4}^{\mathsf {A}} \Rightarrow 1] \le \mathrm {Adv}^{\mathsf {IND}\text {-}\mathsf {CPA}}_{\mathsf {PKE}}(\mathsf {B_\mathsf {IND}}) + \frac{4 q_{\mathsf {G}}}{|\mathcal {M}|}. \end{aligned}$$

$\square $

3.2 Transformation $\mathsf {FO^{\not \bot }_ m }$ and Correctness Errors

Transformation $\mathsf {SXY}$ [43] got rid of the additional hash (sometimes called key confirmation) that was included in [28]’s quantum transformation $\mathsf {QU}^{\not \bot }_ m $. $\mathsf {SXY}$ is essentially the (classical) transformation $\mathsf {U}^{\not \bot }_ m $ that was also given in [28], and apart from doing without the additional hash, it comes with a tight security reduction in the QROM. $\mathsf {SXY}$ differs from the (classical) transformation $\mathsf {U}^{\not \bot }_ m $ only in the regard that it reencrypts during decapsulation. (In [28], reencryption is done during decryption of $\mathsf {T}$.)

The security proof given in [43] requires the underlying encryption scheme to be perfectly correct, and it turned out that their analysis cannot be trivially adapted to take possible decryption failures into account in a generic setting. A discussion of this matter is given in the full version. What we show instead is that the combined transformation $\mathsf {FO^{\not \bot }_ m }= \mathsf {U}^{\not \bot }_ m [\mathsf {T}[-, \mathsf {G}], \mathsf {H}]$ turns any encryption scheme that is $\mathsf {DS}$ as well as $\mathsf {IND}\text {-}\mathsf {CPA}$ into a KEM that is $\mathsf {IND}\text {-}\mathsf {CCA}$ secure in the QROM, even if the underlying encryption scheme comes with a small probability of decryption failure. Our reduction is tighter as the (combined) reduction in [43] due to our tighter security proof for $\mathsf {T}$.

The Construction. To $\mathsf {PKE}= (\mathsf {KG}, \mathsf {Enc}, \mathsf {Dec})$ with message space $\mathcal {M}$ and randomness space $\mathcal {R}$, and random oracles $\mathsf {H}: \mathcal {M}\rightarrow \mathcal {K}$, $\mathsf {G}: \mathcal {M}\rightarrow \mathcal {R}$, and an additional internal random oracle $\mathsf {H_r}: \mathcal {C}\rightarrow \mathcal {K}$ that can not be directly accessed, we associate $\mathsf {KEM}= \mathsf {FO^{\not \bot }_ m }[\mathsf {PKE},\mathsf {G},\mathsf {H}] := \mathsf {U}^{\not \bot }_ m [\mathsf {T}[\mathsf {PKE}, \mathsf {G}], \mathsf {H}]$, where the algorithms of $\mathsf {KEM}= (\mathsf {KG}, \mathsf {Encaps}, \mathsf {Decaps})$ are given in Fig. 9.

Security of $\mathsf {KEM}$. The following theorem (whose proof is essentially the same as in [43] except for the consideration of possible decryption failure) establishes that $\mathsf {IND}\text {-}\mathsf {CCA}$ security of $\mathsf {KEM}$ reduces to $\mathsf {DS}$ and $\mathsf {IND}\text {-}\mathsf {CPA}$ security of $\mathsf {PKE}$, in the quantum random oracle model.

Theorem 2

. Assume $\mathsf {PKE}$ to be $\delta $-correct, and to come with a fake sampling algorithm $\overline{\mathsf {Enc}}$ such that $\mathsf {PKE}$ is $\epsilon _{\text {dis}}$-disjoint. Then, for any (quantum) $\mathsf {IND}\text {-}\mathsf {CCA}$ adversary $\mathsf {A}$ issuing at most $q_D$ (classical) queries to the decapsulation oracle $\textsc {Decaps}$, at most $q_{\mathsf {H}}$ quantum queries to $\mathsf {H}$, and at most $q_{\mathsf {G}}$ quantum queries to $\mathsf {G}$, there exist (quantum) adversaries $\mathsf {B_\mathsf {DS}}$ and $\mathsf {B_\mathsf {IND}}$ such that

$$\begin{aligned} \mathrm {Adv}^{\mathsf {IND}\text {-}\mathsf {CCA}}_{\mathsf {KEM}}(\mathsf {A}) \le \;&8 \cdot ( 2\cdot q_{\mathsf {G}} + q_{\mathsf {H}} + q_D + 4)^2 \cdot \delta + \mathrm {Adv}^{\mathsf {DS}}_{\mathsf {PKE}}(\mathsf {B_\mathsf {DS}})\\&+\,2 \cdot \sqrt{ (q_{\mathsf {G}} + q_{\mathsf {H}}) \cdot \mathrm {Adv}^{\mathsf {IND}\text {-}\mathsf {CPA}}_{\mathsf {PKE}}(\mathsf {B_\mathsf {IND}}) + \frac{4 (q_{\mathsf {G}} + q_{\mathsf {H}})^2}{|\mathcal {M}|} } + \epsilon _{\text {dis}}, \end{aligned}$$

and the running time of $\mathsf {B_\mathsf {DS}}$ and $\mathsf {B_\mathsf {IND}}$ is about that of $\mathsf {A}$.

Proof

Let $\mathsf {A}$ be an adversary against the $ \mathsf {IND}\text {-}\mathsf {CCA}$ security of $\mathsf {KEM}$, issuing at most $q_D$ queries to $\textsc {Decaps}$, at most $q_{\mathsf {H}}$ queries to the quantum random oracle $\mathsf {H}$, and at most $q_{\mathsf {G}}$ queries to the quantum random oracle $\mathsf {G}$. Consider the sequence of games given in Fig. 10.

Game $G_0$. Since game $G_0$ is the original $\mathsf {IND}\text {-}\mathsf {CCA}$ game,

Game $G_{1}$. In game $G_{1}$, we enforce that no decryption failure will occur: For fixed $( pk , sk )$ and message $m \in \mathcal {M}$, let

$$\begin{aligned} \mathcal {R}_{\mathrm {bad}}( pk , sk , m) := \lbrace r \in \mathcal {R}\mid \mathsf {Dec}( sk ,\mathsf {Enc}( pk ,m;r))\ne m \rbrace \end{aligned}$$

denote the set of “bad” randomness. We replace random oracle $\mathsf {G}$ in line 05 with $\mathsf {G_{ pk , sk }}$ that only samples from good randomness. Further, define

(2)

as the fraction of bad randomness, and $\delta ( pk , sk ):= \max _{m \in \mathcal {M}} \delta ( pk , sk ,m)$. With this notation, $\delta = \mathbf{E}[\max _{m \in \mathcal {M}} \delta ( pk , sk ,m)]$, where the expectation is taken over $( pk , sk ) \leftarrow \mathsf {KG}$.

To upper bound $|\Pr [G_{{0}}^{\mathsf {A}}=1] - \Pr [G_{1}^{\mathsf {A}}=1]|$, we construct an (unbounded, quantum) adversary $\mathsf {B}$ against the generic distinguishing problem with bounded probabilities $\mathsf {GDPB}$ (see Lemma 1) in Fig. 11, issuing $q_{\mathsf {G}} + q_D + 1$ queries to $\mathsf {F}$. $\mathsf {B}$ draws a key pair $( pk , sk ) \leftarrow \mathsf {KG}$ and computes the parameters $\lambda (m)$ of the generic distinguishing problem as $\lambda (m) := \delta ( pk , sk , m)$, which are bounded by $\lambda := \delta ( pk , sk )$. To analyze $\mathsf {B}$, we first fix $( pk , sk )$. For each $m \in \mathcal {M}$, by the definition of game $\mathsf {GDPB}_{\lambda ,1}$, the random variable $\mathsf {F}(m)$ is bernoulli-distributed according to $B_{\lambda (m)} = B_{\delta ( pk , sk ,m)}$. By construction, the random variable $\mathsf {G}(m)$ defined in line 28 if $\mathsf {F}(m)= 0$ and in line 30 if $\mathsf {F}(m)= 1$ is uniformly distributed in $\mathcal {R}$. Therefore, $\mathsf {G}$ is a (quantum-accessible) random oracle, and $\mathsf {B}^{|{\mathsf {F}} \rangle }$ perfectly simulates game $G_{0}$ if executed in game $\mathsf {GDPB}_{\lambda ,1}$. Since $\mathsf {B}^{|{\mathsf {F}} \rangle }$ also perfectly simulates game $G_{1}$ if executed in game $\mathsf {GDPB}_{\lambda ,0}$,

$$\begin{aligned} |\Pr [G_{{0}}^{\mathsf {A}}=1] - \Pr [G_{1}^{\mathsf {A}}=1]| = |\Pr [\mathsf {GDPB}_{\lambda ,1}^{\mathsf {B}} = 1] - \Pr [\mathsf {GDPB}_{\lambda ,0}^{\mathsf {B}} = 1]|, \end{aligned}$$

and according to Lemma 1,

$$\begin{aligned} |\Pr [\mathsf {GDPB}_{\lambda ,1}^{\mathsf {B}} = 1] - \Pr [\mathsf {GDPB}_{\lambda ,0}^{\mathsf {B}} = 1]| \le 8 \cdot (q_{\mathsf {G}} + q_D + 2)^2 \cdot \delta . \end{aligned}$$

Game $G_{2}$. In game $G_{2}$, we prepare getting rid of the secret key by plugging in encryption into random oracle $\mathsf {H}$: Instead of drawing $\mathsf {H} \leftarrow _\$\mathcal {K}^{\mathcal {M}}$, we draw $\mathsf {H_q} \leftarrow _\$\mathcal {K}^{\mathcal {C}}$ in line 07 and define $\mathsf {H} := \mathsf {H_q(\mathsf {Enc}( pk , - ; \mathsf {G}(-)))}$ in line 08. For consistency, we also change key $K_0^*$ in line 14 from letting $K_0^* := \mathsf {H}(m^*)$ to letting $K_0^* := \mathsf {H_q}(c^*)$, which is a purely conceptual change since $c^* = \mathsf {Enc}( pk , m^*; \mathsf {G}(m^*))$. Additionally, we make the change of $\mathsf {H}$ explicit in oracle $\textsc {Decaps}$, i.e., we change oracle $\textsc {Decaps}$ in line 14 such that it returns $K := \mathsf {H_q}(c)$ whenever $\mathsf {Enc}( pk , m';$ $\mathsf {G}(m')) = c$. Since $\mathsf {G}$ only samples from good randomness, encryption is rendered perfectly correct and hence, injective. Since encryption is injective, $\mathsf {H}$ still is uniformly random. Furthermore, since we only change $\textsc {Decaps}$ for ciphertexts c where $c = \mathsf {Enc}( pk , m'; \mathsf {G}(m'))$, we maintain consistency of $\mathsf {H}$ and $\textsc {Decaps}$. In conclusion, $\mathsf {A}$’s view is identical in both games and

$$\begin{aligned} \Pr [G_{{1}}^{\mathsf {A}}=1] = \Pr [G_{2}^{\mathsf {A}}=1]. \end{aligned}$$

Game $G_{3}$. In game $G_{3}$, we change oracle $\textsc {Decaps}$ such that it always returns $K := \mathsf {H_q}(c)$, as opposed to returning $K := \mathsf {H_r}(c)$ as in game $G_{2}$ whenever decryption or reencryption fails (see line 21). We argue that this change does not affect $\mathsf {A}$’s view: If there exists no message m such that $c = \mathsf {Enc}( pk , m; \mathsf {G}(m))$, oracle $\textsc {Decaps}(c)$ returns a random value (that can not possibly correlate to any random oracle query to $\mathsf {H}$) in both games, therefore $\textsc {Decaps}(c)$ is a random value independent of all other input to $\mathsf {A}$ in both games. And if there exists some message m such that $c = \mathsf {Enc}( pk , m; \mathsf {G}(m))$, $\textsc {Decaps}(c)$ would have returned $\mathsf {H_q}(c)$ in both games, anyway: Since $\mathsf {G}(m) \in \mathcal {R}{\setminus }\mathcal {R}_{\mathrm {bad}}( pk , sk , m)$ for all messages m, it holds that $m' := \mathsf {Dec}( sk , c) = m \ne \bot $ and that $\mathsf {Enc}( pk , m'; \mathsf {G}(m')) = c$. Hence, $\mathsf {A}$’s view is identical in both games and

$$\begin{aligned} \Pr [G_{2}^{\mathsf {A}}=1] = \Pr [G_{3}^{\mathsf {A}}=1]. \end{aligned}$$

Game $G_{4}$. In game $G_{4}$, we switch back to using $\mathsf {G} \leftarrow _\$\mathcal {R}^\mathcal {M}$ instead of $\mathsf {G_{ pk , sk }}$. With the same reasoning as for the gamehop from game $G_{0}$ to $G_{1}$,

$$\begin{aligned} |\Pr [G_{3}^{\mathsf {A}}=1] - \Pr [G_{4}^{\mathsf {A}}=1]|&= |\Pr [\mathsf {GDPB}_{\lambda ,1}^{\mathsf {B'}} = 1] - \Pr [\mathsf {GDPB}_{\lambda ,0}^{\mathsf {B'}} = 1]| \\&\le 8 \cdot (q_{\mathsf {G}} + q_{\mathsf {H}} + 2)^2 \cdot \delta , \end{aligned}$$

where adversary $\mathsf {B'}$ (that issues at most issuing $q_{\mathsf {G}} + q_{\mathsf {H}} + 1$ queries to $\mathsf {F}$) is also given in Fig. 11.

So far, we established

The rest of the proof proceeds similar to the proof in [43], aside from the fact that we consider the particular scheme $\mathsf {T}[\mathsf {PKE}, \mathsf {G}]$ instead of a generic encryption scheme that is deterministically $\mathsf {DS}$.

Game $G_{5}$. In game $G_{5}$, the challenge ciphertext $c^*$ gets decoupled from message $m^*$ by sampling $c^* \leftarrow \overline{\mathsf {Enc}}( pk )$ in line 12 instead of letting $c^* := \mathsf {Enc}( pk , m^*; \mathsf {G}(m^*))$. Consider the adversary $\mathsf {C_\mathsf {DS}}$ against the disjoint simulatability of $\mathsf {T}[\mathsf {PKE}, \mathsf {G}]$ given in Fig. 12. Since $\mathsf {C_\mathsf {DS}}$ perfectly simulates game $G_{4}$ if run with deterministic encryption $c^* := \mathsf {Enc}( pk , m^*; \mathsf {G}(m^*))$ of a random message $m^*$, and game $G_{5}$ if run with a fake ciphertext,

$$\begin{aligned} |\Pr [G_{4}^{\mathsf {A}}=1] - \Pr [G_{5}^{\mathsf {A}}=1]| = \mathrm {Adv}^{\mathsf {DS}}_{\mathsf {T}[\mathsf {PKE}, \mathsf {G}]} (\mathsf {C_\mathsf {DS}}), \end{aligned}$$

and according to Lemma 2, there exist an adversary $\mathsf {B_\mathsf {DS}}$ and an adversary $\mathsf {B_\mathsf {IND}}$ with roughly the same running time such that

$$\begin{aligned} \mathrm {Adv}^{\mathsf {DS}}_{\mathsf {T}[\mathsf {PKE}, \mathsf {G}]}(\mathsf {C_\mathsf {DS}}) \le&\mathrm {Adv}^{\mathsf {DS}}_{\mathsf {PKE}}(\mathsf {B_\mathsf {DS}}) + 2 \cdot \sqrt{ (q_{\mathsf {G}} + q_{\mathsf {H}}) \cdot \mathrm {Adv}^{\mathsf {IND}\text {-}\mathsf {CPA}}_{\mathsf {PKE}}(\mathsf {B_\mathsf {IND}}) + \frac{4 (q_{\mathsf {G}} + q_{\mathsf {H}})^2}{|\mathcal {M}|} }. \end{aligned}$$

Game $G_{6}$. In game $G_{6}$, the game is changed in line 15 such that it always uses a randomly picked challenge key. Since both $K_0^*$ and $K_1^*$ are independent of all other input to $\mathsf {A}$ in game $G_{6}$,

It remains to upper bound $|\Pr [G_{5}^{\mathsf {A}}=1] - \Pr [G_{6}^{\mathsf {A}}=1]|$. To this end, it is sufficient to upper bound the probability that any of the queries to $\mathsf {H_q}$ could possibly contain $c^*$. Each query to $\mathsf {H_q}$ is either a classical query, triggered by $\mathsf {A}$ querying $\textsc {Decaps}$ on some ciphertext c, or a query in superposition, triggered by $\mathsf {A}$ querying $\mathsf {H}$. Since queries to $\textsc {Decaps}$ on $c^*$ are explicitly forbidden, the only possibility would be one of $\mathsf {A}$’s queries to $\mathsf {H}$. $\mathsf {A}$’s queries to $\mathsf {H}$ trigger queries to $\mathsf {H_q}$ that are of the form $\sum _m \alpha _m |{\mathsf {Enc}( pk , m; \mathsf {G}(m))} \rangle $. They cannot contain $c^*$ unless there exists some message m such that $\mathsf {Enc}( pk , m; \mathsf {G}(m)) = c^*$. Since we assume $\mathsf {PKE}$ to be $\epsilon _{\text {dis}}$-disjoint,

$$\begin{aligned} |\Pr [G_{5}^{\mathsf {A}}=1] - \Pr [G_{6}^{\mathsf {A}}=1]| \le \epsilon _{\text {dis}}. \end{aligned}$$

3.3 $\mathsf {CCA}$ Security Without Disjoint Simulatability

In the full version we show that transformation $\mathsf {Punc}$ can be used to waive the requirement of $\mathsf {DS}$: Plugging in transformation $\mathsf {Punc}$ (before using $\mathsf {FO^{\not \bot }_ m }$) achieves $\mathsf {IND}\text {-}\mathsf {CCA}$ security from $\mathsf {IND}\text {-}\mathsf {CPA}$ security alone, as long as $\mathsf {PKE}$ is $\gamma $-spread (see Definition 3).

4 Two-Message Authenticated Key Exchange

A two-message key exchange protocol $\mathsf {AKE}= (\mathsf {KG}, \mathsf {Init}, \mathsf {Der_{init}}, \mathsf {Der_{resp}})$ consists of four algorithms. Given the security parameter, the key generation algorithm $\mathsf {KG}$ outputs a key pair $( pk , sk )$. The initialisation algorithm $\mathsf {Init}$, on input $ sk $ and $ pk '$, outputs a message M and a state $\text {st}$. The responder’s derivation algorithm $\mathsf {Der_{resp}}$, on input $ sk '$, $ pk $ and M, outputs a key K, and also a message $M'$. The initiator’s derivation algorithm $\mathsf {Der_{init}}$, on input $ sk $, $ pk '$, $M'$ and $\text {st}$, outputs a key K.

Running a Key Exchange Protocol between two Parties. To run a two-message key exchange protocol, the algorithms $\mathsf {KG}, \mathsf {Init}$, $\mathsf {Der_{init}}$, and $\mathsf {Der_{resp}}$ are executed in an interactive manner between two parties $\mathsf {P}_i$ and $\mathsf {P}_j$ with key pairs $( sk _i, pk _i), ( sk _j, pk _j) \leftarrow \mathsf {KG}$. To execute the protocol, the parties call the algorithms in the following way:

1.
$\mathsf {P}_i$ computes $(M, \text {st}) \leftarrow \mathsf {Init}( sk _i , pk _j)$ and sends M to $P_j$.
2.
$\mathsf {P}_j$ computes $(M', K') \leftarrow \mathsf {Der_{resp}}( sk _j , pk _i , M)$ and sends $M'$ to $P_i$.
3.
$\mathsf {P}_i$ computes $K := \mathsf {Der_{init}}(sk_i , pk_j , M', \text {st})$.

Note that in contrast to the holder $\mathsf {P}_i$, the peer $\mathsf {P}_j$ will not be required to save any (secret) state information besides the key $K'$.

Our Security Model. We consider N parties $\mathsf {P}_1, \dots , \mathsf {P}_N$, each holding a key pair $( sk _i, pk _i)$, and possibly having several sessions at once. The sessions run the protocol with access to the party’s long-term key material, while also having their own set of (session-specific) local variables. The local variables of each session, identified by the integer $\text {sID}$, are the following:

1.
An integer $\mathbf {holder} \in [N]$ that points to the party running the session.
2.
An integer $\mathbf {peer} \in [N]$ that points to the party the session is communicating with.
3.
A string $\mathbf {sent}$ that holds the message sent by the session.
4.
A string $\mathbf {received}$ that holds the message received by the session.
5.
A string $\mathbf {st}$ that holds (secret) internal state values and intermediary results required by the session.
6.
A string $\mathbf {role}$ that holds the information whether the session’s key was derived by $\mathsf {Der_{init}}$ or $\mathsf {Der_{resp}}$.
7.
The session key K.

In our security model, the adversary A is given black-box access to the set of processes $\mathsf {Init}$, $\mathsf {Der_{resp}}$ and $\mathsf {Der_{init}}$ that execute the AKE algorithms. To model the attacker’s control of the network, we allow $\mathsf {A}$ to establish new sessions via $\textsc {EST}$, to call either $\textsc {INIT}$ and $\textsc {DER}_{\text {init}}$ or $\textsc {DER}_{\text {resp}}$, each at most once per session (see Fig. 13, page 23). Since both derivation processes can be called on arbitrary input, $\mathsf {A}$ may relay their input faithfully as well as modify the data on transit. Moreover, the attacker is additionally granted queries to reveal both secret process data, namely using oracles $\textsc {REVEAL}$, $\textsc {REV}\text {-}\textsc {STATE}$ and $\textsc {CORRUPT}$ (see Fig. 14, page 24). Oracles $\textsc {REVEAL}$ and $\textsc {REV}\text {-}\textsc {STATE}$ both can be queried on an arbitrary session ID, with oracle $\textsc {REVEAL}$ revealing the respective session’s key (if already defined), and oracle $\textsc {REV}\text {-}\textsc {STATE}$ revealing the respective session’s internal state. Oracle $\textsc {CORRUPT}$ can be queried on an arbitrary number $i \in [N]$ to reveal the respective party’s long-term key material. Usage of this oracle allows the attacker to corrupt the test session’s holder, the oracle therefore models the possibility of KCI attacks. Combined usage of oracles $\textsc {REV}\text {-}\textsc {STATE}$ and $\textsc {CORRUPT}$ allows the attacker to obtain the state as well as the long-term secret key on both sides of the session, the oracles therefore model the possibility of MEX attacks. After choosing a test session, either the session’s key or a uniformly random key is returned. The attacker’s task is to distinguish these two cases, to this end it outputs a bit.

Definition 8

(Key Indistinguishability of AKE). We define games $\mathsf {IND}\text {-}\mathsf {AA}_b$ and $\mathsf {IND}\text {-}\mathsf {St}\mathsf {AA}_b$ for $b \in \mathbb {F}_2$ as in Figs. 13 and 14.

We define the $\mathsf {IND}\text {-}\mathsf {AA}$ advantage function of an adversary $\mathsf {A}$ against $\mathsf {AKE}$ as

$$\begin{aligned} \mathrm {Adv}^{\mathsf {IND}\text {-}\mathsf {AA}}_{\mathsf {AKE}}(\mathsf {A}) := |\Pr [\mathsf {IND}\text {-}\mathsf {AA}_1^{\mathsf {A}} \Rightarrow 1 ] - \Pr [\mathsf {IND}\text {-}\mathsf {AA}_0^{\mathsf {A}} \Rightarrow 1 ]|, \end{aligned}$$

and the $\mathsf {IND}\text {-}\mathsf {St}\mathsf {AA}$ advantage function of an adversary $\mathsf {A}$ against $\mathsf {AKE}$ excluding test-state-attacks as

$$\begin{aligned} \mathrm {Adv}^{\mathsf {IND}\text {-}\mathsf {St}\mathsf {AA}}_{\mathsf {AKE}}(\mathsf {A}) := |\Pr [\mathsf {IND}\text {-}\mathsf {St}\mathsf {AA}_1^{\mathsf {A}} \Rightarrow 1 ] - \Pr [\mathsf {IND}\text {-}\mathsf {St}\mathsf {AA}_0^{\mathsf {A}} \Rightarrow 1 ]|. \end{aligned}$$

We call a session completed iff $\text {sKey}[\text {sID}] \ne \bot $, which implies that either $\textsc {DER}_{\text {resp}}(\text {sID}, m)$ or $\textsc {DER}_{\text {init}}(\text {sID}, m)$ was queried for some message m. We say that a completed session $\text {sID}$ was recreated iff there exists a session $\text {sID}' \ne \text {sID}$ such that $(\text {holder}[\text {sID}], \text {peer}[\text {sID}]) = (\text {holder}[\text {sID}'], \text {peer}[\text {sID}'])$, $\text {role}[\text {sID}] = \text {role}[\text {sID}']$, $\text {sent}[\text {sID}] = \text {sent}[\text {sID}']$, $\text {received}[\text {sID}] = \text {received}[\text {sID}']$ and $\text {state}[\text {sID}]= \text {state}[\text {sID}']$. We say that two completed sessions $\text {sID}_1$ and $\text {sID}_2$ match iff $(\text {holder}[\text {sID}_1],\text {peer}[\text {sID}_1]) = (\text {peer}[\text {sID}_2],$ $\text {holder}[\text {sID}_2])$, $(\text {sent}[\text {sID}_1],\text {received}[\text {sID}_1]) = (\text {received}[\text {sID}_2], \text {sent}[\text {sID}_2])$, and $\text {role}[\text {sID}_1]$ $\ne \text {role}[\text {sID}_2]$. We say that $\mathsf {A}$ tampered with the test session $\text {sID}^*$ if at the end of the security game, there exists no matching session for $\text {sID}^*$ Nonexistence of a matching session implies that $\mathsf {A}$ must have called the derivation process on a message of its own choosing.

Helper procedure $\mathsf {Trivial}$ (Fig. 14 ) is used in all games to exclude the possibility of trivial attacks, and helper procedure $\textsc {ATTACK}$ (also Fig. 14) is defined in games $\mathsf {IND}\text {-}\mathsf {St}\mathsf {AA}_b$ to exclude the possibility of trivial attacks as well as one nontrivial attack that we will discuss below. During execution of $\mathsf {Trivial}$, the game creates list $\mathfrak {M}(\text {sID}^*)$ of all matching sessions that were executed throughout the game (see line 55), and $\mathsf {A}$’s output bit $b'$ counts in games $\mathsf {IND}\text {-}\mathsf {AA}_b$ only if $\mathsf {Trivial}$ returns false, i.e., if test session $\text {sID}^*$ was completed and all of the following conditions hold:

1.
$\mathsf {A}$ did not obtain the key of $\text {sID}^*$ by querying $\textsc {REVEAL}$ on $\text {sID}^*$ or any matching session, see lines 49 and 56.
2.
$\mathsf {A}$ did not obtain both the holder i’s secret key $ sk _i$ and the test session’s internal state, see line 51. We enforce that $\lnot \text {corrupted}[i]$ or $\lnot \text {revState}[\text {sID}^*]$ since otherwise, $\mathsf {A}$ is allowed to obtain all information required to trivially compute $\mathsf {Der}( sk _i, pk _j, \text {received}[\text {sID}^*], \text {state}[\text {sID}^*])$.
3.
$\mathsf {A}$ did not obtain both the peer’s secret key $ sk _j$ and the internal state of any matching session, see line 58. We enforce that $\lnot \text {corrupted}[j]$ or $\lnot \text {revState}[\text {sID}]$ for all $\text {sID}$ s. th. $\text {sID}\in \mathfrak {M}(\text {sID}^*)$ for the same reason as discussed in 2: $\mathsf {A}$ could trivially compute $\mathsf {Der}( sk _j, pk _i, \text {received}[\text {sID}], \text {state}[\text {sID}])$ for some matching session $\text {sID}$.
4.
$\mathsf {A}$ did not both tamper with the test session and obtain the peer j’s secret key $ sk _j$, see line 61. We enforce that $\mathfrak {M}(\text {sID}^*)\ne \varnothing $ or $\lnot \text {corrupted}[j]$ to exclude the following trivial attack: $\mathsf {A}$ could learn the peer’s secret key $ sk _j$ via query $\textsc {CORRUPT}[j]$ and either
- receive a message M by querying $\textsc {INIT}$ on $\text {sID}^*$, compute $(M',K') \leftarrow \mathsf {Der_{resp}}( sk _j, pk _i, M)$ without having to call $\textsc {DER}_{\text {resp}}$, and then call $\textsc {DER}_{\text {init}}(\text {sID}^*, M')$, thereby ensuring that $\text {sKey}[\text {sID}^*]$ $= K'$,
- or compute $(M, \text {st}) \leftarrow \mathsf {Init}( sk _j, pk _i)$ without having to call $\textsc {INIT}$, receive a message $M'$ by querying $\textsc {DER}_{\text {resp}}(\text {sID}^*, M)$, and trivially compute $\mathsf {Der_{init}}( sk _j, pk _i, M', \text {st})$.

$\mathsf {A}$’s output bit $b'$ only counts in games $\mathsf {IND}\text {-}\mathsf {St}\mathsf {AA}_b$ if $\textsc {ATTACK}$ returns false, i.e., if both of the following conditions hold:

1.
$\mathsf {Trivial}$ returns $\mathbf{false} $
2.
$\mathsf {A}$ did not both tamper with the test session and obtain its internal state, see line 64. We enforce that $\mathfrak {M}(\text {sID}^*)\ne \varnothing $ or $\lnot \text {revState}[\text {sID}^*]$ in game $\mathsf {IND}\text {-}\mathsf {St}\mathsf {AA}$ for the following reason: In an active attack, given that the test session’s internal state got leaked, it is possible for some protocols to choose a message $M'$ such that the result of algorithm $\mathsf {Der_{init}}( sk _i, pk _j, M', \text {st})$ can be computed without knowledge of any of the long-term keys $ sk _i$ or $ sk _j$. In this setting, an adversary might query $\textsc {INIT}$ on $\text {sID}^*$, learn the internal state $\text {st}$ by querying $\textsc {REV}\text {-}\textsc {STATE}$ on $\text {sID}^*$, choose its own message $M'$ without a call to $\textsc {DER}_{\text {resp}}$ and finally call $\textsc {DER}_{\text {init}}(\text {sID}^*, M')$, thereby being enabled to anticipate the resulting key.

5 Transformation from PKE to AKE

Transformation $\mathsf {FO_\mathsf {AKE}}$ constructs a $\mathsf {IND}\text {-}\mathsf {St}\mathsf {AA}$-secure $\mathsf {AKE}$ protocol from a PKE scheme that is both $\mathsf {DS}$ and $\mathsf {IND}\text {-}\mathsf {CPA}$ secure. If we plug in transformation $\mathsf {Punc}$ before applying $\mathsf {FO_\mathsf {AKE}}$, we achieve $\mathsf {IND}\text {-}\mathsf {St}\mathsf {AA}$-security from $\mathsf {CPA}$ security alone.

The Construction. To a PKE scheme $\mathsf {PKE}= (\mathsf {KG}, \mathsf {Enc}, \mathsf {Dec})$ with message space $\mathcal {M}$, and random oracles $\mathsf {G}$ and $\mathsf {H}$, we associate

$$\begin{aligned} \mathsf {AKE}= \mathsf {FO_\mathsf {AKE}}[\mathsf {PKE}, \mathsf {G}, \mathsf {H}] = (\mathsf {KG}, \mathsf {Init}, \mathsf {Der_{resp}}, \mathsf {Der_{init}}). \end{aligned}$$

The algorithms of $\mathsf {AKE}$ are defined in Fig. 15.

$\mathsf {IND}\text {-}\mathsf {St}\mathsf {AA}$ Security of $\mathsf {FO_\mathsf {AKE}}$. The following theorem establishes that $\mathsf {IND}\text {-}\mathsf {St}\mathsf {AA}$ security of $\mathsf {AKE}$ reduces to $\mathsf {DS}$ and $\mathsf {IND}\text {-}\mathsf {CPA}$ security of $\mathsf {PKE}$ (see Definition 6).

Theorem 3

($\mathsf {PKE}\ \mathsf {DS}+ \mathsf {IND}\text {-}\mathsf {CPA}\Rightarrow \mathsf {AKE}\ \mathsf {IND}\text {-}\mathsf {St}\mathsf {AA}$). Assume $\mathsf {PKE}$ to be $\delta $-correct, and to come with a sampling algorithm $\overline{\mathsf {Enc}}$ such that it is $\epsilon $-disjoint. Then, for any $\mathsf {IND}\text {-}\mathsf {St}\mathsf {AA}$ adversary $\mathsf {B}$ that establishes S sessions and issues at most $q_{\mathsf {R}}$ (classical) queries to $\textsc {REVEAL}$, at most $q_{\mathsf {G}}$ (quantum) queries to random oracle $\mathsf {G}$ and at most $q_{\mathsf {H}}$ (quantum) queries to random oracle $\mathsf {H}$, there exists an adversary $\mathsf {A_\mathsf {DS}}$ against the disjoint simulatability of $\mathsf {T}[\mathsf {PKE},\mathsf {G}]$ issuing at most $q_\mathsf {G} + 2 q_\mathsf {H} + 3S$ queries to $\mathsf {G}$ such that

$$\begin{aligned} \mathrm {Adv}^{\mathsf {IND}\text {-}\mathsf {St}\mathsf {AA}}_{\mathsf {AKE}}(\mathsf {B}) \le&\ 2 \cdot S \cdot (S + 3 \cdot N) \cdot \mathrm {Adv}^{\mathsf {DS}}_{\mathsf {T}[\mathsf {PKE},\mathsf {G}]}(\mathsf {A_\mathsf {DS}}) + 32 \cdot (S + 3 \cdot N) \cdot (q_\mathsf {G} + 2 q_\mathsf {H} + 4S)^2 \cdot \delta \\ {}&\quad +\,4 \cdot S \cdot (S+N) \cdot \epsilon _{\text {dis}}+ S^2 \cdot (N + 1) \cdot \mu (\mathsf {KG})\cdot \mu (\mathsf {Enc})+ 2 \cdot S^2 \cdot \mu (\mathsf {KG}), \end{aligned}$$

and the running time of $\mathsf {A_\mathsf {DS}}$ is about that of $\mathsf {B}$. Due to Lemma 2, there exist adversaries $\mathsf {C_\mathsf {DS}}$ and $\mathsf {C_\mathsf {IND}}$ against $\mathsf {PKE}$ such that

$$\begin{aligned} \mathrm {Adv}^{\mathsf {IND}\text {-}\mathsf {St}\mathsf {AA}}_{\mathsf {AKE}}(\mathsf {B}) \le&\ 2 \cdot S \cdot (S + 3 \cdot N) \cdot \mathrm {Adv}^{\mathsf {DS}}_{\mathsf {PKE}}(\mathsf {C}_\mathsf {DS}) \\&+ 4 \cdot S \cdot (S + 3 \cdot N) \cdot \sqrt{ (q_\mathsf {G} + 2 q_\mathsf {H} + 3S) \cdot \mathrm {Adv}^{\mathsf {IND}\text {-}\mathsf {CPA}}_{\mathsf {PKE}}(\mathsf {C_\mathsf {IND}}) +\,\frac{4 {(q_\mathsf {G} + 2 q_\mathsf {H} + 3S)}^2}{|\mathcal {M}|}} \\ {}&+\,32 \cdot (S + 3 \cdot N) \cdot (q_\mathsf {G} + 2 q_\mathsf {H} + 3S)^2 \cdot \delta +\,4 \cdot S \cdot (S+N) \cdot \epsilon _{\text {dis}}\\&+\,S^2 \cdot (N + 1) \cdot \mu (\mathsf {KG})\cdot \mu (\mathsf {Enc})+ 2 \cdot S^2 \cdot \mu (\mathsf {KG}), \end{aligned}$$

and the running times of $\mathsf {C_\mathsf {DS}}$ and $\mathsf {C_\mathsf {IND}}$ is about that of $\mathsf {B}$.

Proof Sketch. To prove $\mathsf {IND}\text {-}\mathsf {St}\mathsf {AA}$ security of $\mathsf {FO_\mathsf {AKE}}[\mathsf {PKE},\mathsf {G},\mathsf {H}]$, we consider an adversary $\mathsf {B}$ with black-box access to the protocols’ algorithms and to oracles that reveal keys of completed sessions, internal states, and long-term secret keys of participating parties as specified in game $\mathsf {IND}\text {-}\mathsf {St}\mathsf {AA}$ (see Fig. 13). Intuitively, $\mathsf {B}$ will always be able to obtain all-but-one of the three secret messages $m_i$, $m_j$ and $\tilde{m}$ that are picked during execution of the test session between $\mathsf {P}_i$ and $\mathsf {P}_j$:

1.
We first consider the case that $\mathsf {B}$ executed the test session honestly. Note that on the right-hand side of the protocol there exists no state. We assume that $\mathsf {B}$ has learned the secret key of party $\mathsf {P}_j$ and hence knows $m_j$. Additionally, $\mathsf {B}$ could either learn the secret key of party $\mathsf {P}_i$ and thereby, compute $m_i$, or the state on the left-hand side of the protocol including $\tilde{ sk }$, and thereby, compute $\tilde{m}$, but not both.
2.
In the case that $\mathsf {B}$ did not execute the test session honestly, $\mathsf {B}$ is not only forbidden to obtain the long-term secret key of the test session’s peer, but also to obtain the test session’s state due to our restriction in game $\mathsf {IND}\text {-}\mathsf {St}\mathsf {AA}$. Given that $\mathsf {B}$ modified the exchanged messages, the test session’s side is decoupled from the other side. If the test session is on the right-hand side, messages $m_j$ and $\tilde{m}$ can be obtained, but message $m_i$ can not because we forbid to learn peer i’s secret key. If the test session is on the left-hand side, messages $m_i$ and $\tilde{m}$ can be obtained, but message $m_j$ can not because we forbid both to learn the test session’s state and to learn peer j’s secret key.

In every possible scenario of game $\mathsf {IND}\text {-}\mathsf {St}\mathsf {AA}$, at least one message can not be obtained trivially and is still protected by $\mathsf {PKE}$’s $\mathsf {IND}\text {-}\mathsf {CPA}$ security, and the respective ciphertext can be replaced with fake encryptions due to $\mathsf {PKE}$’s disjoint simulatability. Consequently, the session key K is pseudorandom. A detailed, game-based proof is given in the full version.

So far we have ignored the fact that $\mathsf {B}$ has access to an oracle that reveals the keys of completed sessions. This implicitly provides $\mathsf {B}$ a decryption oracle with respect to the secret keys $ sk _i$ and $ sk _j$. In our proof, we want to make use of the technique from [43] to simulate the decryption oracles by patching encryption into the random oracle $\mathsf {H}$. In order to extend their technique to PKE schemes with non-perfect correctness, during the security proof we also need to patch random oracle $\mathsf {G}$ in a way that $(\mathsf {Enc}',\mathsf {Dec}')$ (relative to the patched $\mathsf {G}$) provides perfect correctness. This strategy is the $\mathsf {AKE}$ analogue to the technique used in our analysis of the Fujisaki-Okamoto transformation given in Sect. 3, in particular, during our proof of Theorem 2. The latter also explains why our transformation does not work with any deterministic encryption scheme, but only with the ones that are derived by using transformation $\mathsf {T}$. For more details on this issue, we also refer to the full version.

5.1 $\mathsf {IND}\text {-}\mathsf {St}\mathsf {AA}$ Security Without Disjoint Simulatability

In the full version we show that transformation $\mathsf {Punc}$ can be used to waive the requirement of $\mathsf {DS}$: Plugging in transformation $\mathsf {Punc}$ before using $\mathsf {FO_\mathsf {AKE}}$ achieves $\mathsf {IND}\text {-}\mathsf {St}\mathsf {AA}$ security from $\mathsf {IND}\text {-}\mathsf {CPA}$ security alone, as long as $\mathsf {PKE}$ is $\gamma $-spread.

Notes

1.
Clearly, PKE requires a working public-key infrastructure (PKI) which in turn requires signatures to certify the public-key. However, a user only has to verify a given certificate once and for all, which means the overhead of a quantum-secure signature can be neglected.
2.
There exist generic transformations that can immunise against decryption errors (e.g., [22]). Even though they are quite efficient in theory, the induced overhead is still not acceptable for practical purposes. While lattice schemes could be rendered perfectly correct by putting a limit on the noise, and setting the modulus of the LWE instance large enough (see, e.g., [12, 29]), the security level cannot be maintained without increasing the problem’s dimension, accordingly. Since this modification would lead to increased public-key and ciphertext length, many NIST submissions deliberately made the design choice of having imperfect correctness.
3.
Not just quadratic, but indeed quartic.
4.
Note that nomenclature of [33] is a bit misleading: while the respective KEM is called $\mathsf {U}^{\not \bot }_ m $, it is actually transformation $\mathsf {SXY}$ (it reencrypts during decryption, which $\mathsf {U}^{\not \bot }_ m $ does not).
5.
The difference is that the model from [23] furthermore allows a “partial reveal” of the test session’s state. For simplicity and due to their little practical relevance, we decided not to include such partial session reveal queries in our model. We remark that, however, our protocol could be proven secure in this slightly stronger model.
6.
By “intermediate”, we mean the deterministic scheme that is to be plugged into one of the $\mathsf {U}$-transforms. In most cases, it is derived by starting from a probabilistic scheme and first applying derandomisation transformation $\mathsf {T}$.
7.
A strict impossibility result would have to consist of a concrete scheme as well as a concrete attack, with the latter matching the given upper bound.
8.
Fake encryptions could be sampled uniformly random. $\mathsf {DS}$ would follow from the LWE assumption, and since LWE samples are relatively sparse, uniform sampling should be disjoint.

References

Alagic, G., Jeffery, S., Ozols, M., Poremba, A.: On non-adaptive quantum chosen-ciphertext attacks and learning with errors. CoRR abs/1808.09655 (2018)
Google Scholar
Alawatugoda, J., Boyd, C., Stebila, D.: Continuous after-the-fact leakage-resilient key exchange. In: Susilo, W., Mu, Y. (eds.) ACISP 2014. LNCS, vol. 8544, pp. 258–273. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-08344-5_17
Chapter Google Scholar
Ambainis, A., Hamburg, M., Unruh, D.: Quantum security proofs using semi-classical oracles. Cryptology ePrint Archive, Report 2018/904 (2018). http://eprint.iacr.org/2018/904
Ambainis, A., Rosmanis, A., Unruh, D.: Quantum attacks on classical proof systems: the hardness of quantum rewinding. In: 55th Annual Symposium on Foundations of Computer Science, 18–21 October 2014, pp. 474–483. IEEE Computer Society Press, Philadelphia (2014)
Google Scholar
Banik, S., Isobe, T.: Some cryptanalytic results on lizard. Cryptology ePrint Archive, Report 2017/346 (2017). http://eprint.iacr.org/2017/346
Beals, R., Buhrman, H., Cleve, R., Mosca, M., Wolf, R.: Quantum lower bounds by polynomials. In: 39th Annual Symposium on Foundations of Computer Science, 8–11 November 1998, pp. 352–361. IEEE Computer Society Press, Palo Alto (1998)
Google Scholar
Bellare, M., Boldyreva, A., O’Neill, A.: Deterministic and efficiently searchable encryption. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 535–552. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74143-5_30
Chapter Google Scholar
Bellare, M., Canetti, R., Krawczyk, H.: A modular approach to the design and analysis of authentication and key exchange protocols (extended abstract). In: 30th Annual ACM Symposium on Theory of Computing, 23–26 May 1998, pp. 419–428. ACM Press, Dallas (1998)
Google Scholar
Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Denning, D.E., Pyle, R., Ganesan, R., Sandhu, R.S., Ashby, V. (eds.) ACM CCS 93: 1st Conference on Computer and Communications Security, 3–5 November 1993, pp. 62–73. ACM Press, Fairfax (1993)
Google Scholar
Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48329-2_21
Chapter Google Scholar
Bellare, M., Rogaway, P.: The security of triple encryption and a framework for code-based game-playing proofs. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 409–426. Springer, Heidelberg (2006). https://doi.org/10.1007/11761679_25
Chapter Google Scholar
Bernstein, D.J., Chuengsatiansup, C., Lange, T., van Vredendaal, C.: NTRU prime. Cryptology ePrint Archive, Report 2016/461 (2016). http://eprint.iacr.org/2016/461
Bindel, N., Hamburg, M., Hövelmanns, K., Hülsing, A., Persichetti, E.: Tighter proofs of CCA security in the quantum random oracle model. Cryptology ePrint Archive, Report 2019/590 (2019). https://eprint.iacr.org/2019/590
Boneh, D., Dagdelen, Ö., Fischlin, M., Lehmann, A., Schaffner, C., Zhandry, M.: Random oracles in a quantum world. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 41–69. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_3
Chapter MATH Google Scholar
Boneh, D., Zhandry, M.: Secure signatures and chosen ciphertext security in a quantum computing world. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8043, pp. 361–379. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_21
Chapter MATH Google Scholar
Bos, J., et al.: CRYSTALS - Kyber: a CCA-secure module-lattice-based KEM. Cryptology ePrint Archive, Report 2017/634 (2017). http://eprint.iacr.org/2017/634
Boyd, C., Cliff, Y., Gonzalez Nieto, J., Paterson, K.G.: Efficient one-round key exchange in the standard model. In: Mu, Y., Susilo, W., Seberry, J. (eds.) ACISP 2008. LNCS, vol. 5107, pp. 69–83. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-70500-0_6
Chapter Google Scholar
Broadbent, A., Jeffery, S.: Quantum homomorphic encryption for circuits of low T-gate complexity. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 609–629. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48000-7_30
Chapter Google Scholar
Canetti, R., Krawczyk, H.: Analysis of key-exchange protocols and their use for building secure channels. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 453–474. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44987-6_28
Chapter Google Scholar
Cramer, R., Shoup, V.: Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM J. Comput. 33(1), 167–226 (2003)
Article MathSciNet Google Scholar
Dent, A.W.: A designer’s guide to KEMs. In: Paterson, K.G. (ed.) Cryptography and Coding 2003. LNCS, vol. 2898, pp. 133–151. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-40974-8_12
Chapter Google Scholar
Dwork, C., Naor, M., Reingold, O.: Immunizing encryption schemes from decryption errors. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 342–360. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_21
Chapter Google Scholar
Fujioka, A., Suzuki, K., Xagawa, K., Yoneyama, K.: Strongly secure authenticated key exchange from factoring, codes, and lattices. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 467–484. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-30057-8_28
Chapter MATH Google Scholar
Fujioka, A., Suzuki, K., Xagawa, K., Yoneyama, K.: Practical and post-quantum authenticated key exchange from one-way secure key encapsulation mechanism. In: Chen, K., Xie, Q., Qiu, W., Li, N., Tzeng, W.G. (eds.) ASIACCS 13: 8th ACM Symposium on Information, Computer and Communications Security, 8–10 May 2013, pp. 83–94. ACM Press, Hangzhou (2013)
Google Scholar
Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 537–554. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_34
Chapter Google Scholar
Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. J. Cryptol. 26(1), 80–101 (2013)
Article MathSciNet Google Scholar
Gagliardoni, T., Hülsing, A., Schaffner, C.: Semantic security and indistinguishability in the quantum world. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9816, pp. 60–89. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53015-3_3
Chapter MATH Google Scholar
Hofheinz, D., Hövelmanns, K., Kiltz, E.: A modular analysis of the Fujisaki-Okamoto transformation. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017. LNCS, vol. 10677, pp. 341–371. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70500-2_12
Chapter MATH Google Scholar
Howgrave-Graham, N., Silverman, J.H., Whyte, W.: Choosing parameter sets for NTRUEncrypt with NAEP and SVES-3. In: Menezes, A. (ed.) CT-RSA 2005. LNCS, vol. 3376, pp. 118–135. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30574-3_10
Chapter Google Scholar
Hülsing, A., Rijneveld, J., Song, F.: Mitigating multi-target attacks in hash-based signatures. In: Cheng, C.-M., Chung, K.-M., Persiano, G., Yang, B.-Y. (eds.) PKC 2016. LNCS, vol. 9614, pp. 387–416. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49384-7_15
Chapter Google Scholar
Jager, T., Kohlar, F., Schäge, S., Schwenk, J.: On the security of TLS-DHE in the standard model. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 273–293. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_17
Chapter MATH Google Scholar
Jiang, H., Zhang, Z., Chen, L., Wang, H., Ma, Z.: IND-CCA-secure key encapsulation mechanism in the quantum random oracle model, revisited. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10993, pp. 96–125. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96878-0_4
Chapter Google Scholar
Jiang, H., Zhang, Z., Chen, L., Wang, H., Ma, Z.: IND-CCA-secure key encapsulation mechanism in the quantum random oracle model, revisited. Cryptology ePrint Archive, Report 2017/1096, July 2018. https://eprint.iacr.org/2017/1096/
Jiang, H., Zhang, Z., Ma, Z.: On the non-tightness of measurement-based reductions for key encapsulation mechanism in the quantum random oracle model. Cryptology ePrint Archive, Report 2019/494 (2019). https://eprint.iacr.org/2019/494
Jiang, H., Zhang, Z., Ma, Z.: Tighter security proofs for generic key encapsulation mechanism in the quantum random oracle model. Cryptology ePrint Archive, Report 2019/134 (2019). https://eprint.iacr.org/2019/134
Kiltz, E., Lyubashevsky, V., Schaffner, C.: A concrete treatment of Fiat-Shamir signatures in the quantum random-oracle model. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10822, pp. 552–586. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78372-7_18
Chapter MATH Google Scholar
Krawczyk, H.: HMQV: a high-performance secure Diffie-Hellman protocol. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 546–566. Springer, Heidelberg (2005). https://doi.org/10.1007/11535218_33
Chapter Google Scholar
LaMacchia, B., Lauter, K., Mityagin, A.: Stronger security of authenticated key exchange. In: Susilo, W., Liu, J.K., Mu, Y. (eds.) ProvSec 2007. LNCS, vol. 4784, pp. 1–16. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-75670-5_1
Chapter MATH Google Scholar
Li, Y., Schäge, S.: No-match attacks and robust partnering definitions: defining trivial attacks for security protocols is not trivial. In: Thuraisingham, B.M., Evans, D., Malkin, T., Xu, D. (eds.) ACM CCS 2017: 24th Conference on Computer and Communications Security, 31 October–2 November 2017, pp. 1343–1360. ACM Press, Dallas (2017)
Google Scholar
Naehrig, M., et al.: FrodoKEM. Technical report, National Institute of Standards and Technology (2017). https://csrc.nist.gov/projects/post-quantum-cryptography/round-1-submissions
NIST: National institute for standards and technology. Postquantum crypto project (2017). http://csrc.nist.gov/groups/ST/post-quantum-crypto/
Persichetti, E.: Improving the efficiency of code-based cryptography. Ph.D. thesis (2012). http://persichetti.webs.com/Thesis%20Final.pdf
Saito, T., Xagawa, K., Yamakawa, T.: Tightly-secure key-encapsulation mechanism in the quantum random oracle model. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10822, pp. 520–551. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78372-7_17
Chapter MATH Google Scholar
Schäge, S.: TOPAS: 2-pass key exchange with full perfect forward secrecy and optimal communication complexity. In: Ray, I., Li, N., Kruegel, C. (eds.) ACM CCS 2015: 22nd Conference on Computer and Communications Security, 12–16 October 2015, pp. 1224–1235. ACM Press, Denver (2015)
Google Scholar
Shoup, V.: Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332 (2004). http://eprint.iacr.org/2004/332
Toorani, M.: On continuous after-the-fact leakage-resilient key exchange. In: Proceedings of the Second Workshop on Cryptography and Security in Computing Systems. CS2 2015, pp. 31:31–31:34. ACM, New York (2015). http://doi.acm.org/10.1145/2694805.2694811
Yao, A.C.C., Zhao, Y.: OAKE: a new family of implicitly authenticated Diffie-Hellman protocols. In: Sadeghi, A.R., Gligor, V.D., Yung, M. (eds.) ACM CCS 2013: 20th Conference on Computer and Communications Security, 4–8 November 2013, pp. 1113–1128. ACM Press, Berlin (2013)
Google Scholar
Zhandry, M.: Secure identity-based encryption in the quantum random oracle model. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 758–775. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_44
Chapter MATH Google Scholar

Download references

Acknowledgments

We would like to thank the anonymous reviewers of Eurocrypt 2018, Crypto 2019 and Asiacrypt 2019 for their helpful comments and suggestions. This work was supported by the European Union PROMETHEUS project (Horizon 2020 Research and Innovation Program, grant 780701), the Deutsche Forschungsgemeinschaft (DFG, German Research Foundation) under Germany’s Excellence Strategy (EXC 2092 CASA, 390781972), ERC Project ERCC (FP7/615074), the German Federal Ministry of Education and Research (BMBF) Project DigiSeal (16KIS0695), the United States Air Force Office of Scientific Research (AFOSR) via AOARD Grant “Verification of Quantum Cryptography” (FA2386-17-1-4022), the project “Research and preparation of an ERC grant application on Certified Quantum Security” (MOBERC12), the ERC Consolidator grant “Certified Quantum Security” (819317), the Estonian Centre of Excellence in IT (EXCITE) funded by the ERDF, and by the institutional research funding IUT2-1 of the Estonian Ministry of Education and Research.

Author information

Authors and Affiliations

Ruhr-Universität Bochum, Bochum, Germany
Kathrin Hövelmanns, Eike Kiltz & Sven Schäge
University of Tartu, Tartu, Estonia
Dominique Unruh

Authors

Kathrin Hövelmanns
View author publications
You can also search for this author in PubMed Google Scholar
Eike Kiltz
View author publications
You can also search for this author in PubMed Google Scholar
Sven Schäge
View author publications
You can also search for this author in PubMed Google Scholar
Dominique Unruh
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Kathrin Hövelmanns .

Editor information

Editors and Affiliations

University of Edinburgh, Edinburgh, UK
Aggelos Kiayias
University of Edinburgh, Edinburgh, UK
Markulf Kohlweiss
University of Edinburgh, Edinburgh, UK
Petros Wallden
University of Edinburgh, Edinburgh, UK
Vassilis Zikas

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Hövelmanns, K., Kiltz, E., Schäge, S., Unruh, D. (2020). Generic Authenticated Key Exchange in the Quantum Random Oracle Model. In: Kiayias, A., Kohlweiss, M., Wallden, P., Zikas, V. (eds) Public-Key Cryptography – PKC 2020. PKC 2020. Lecture Notes in Computer Science(), vol 12111. Springer, Cham. https://doi.org/10.1007/978-3-030-45388-6_14

Download citation

DOI: https://doi.org/10.1007/978-3-030-45388-6_14
Published: 29 April 2020
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-45387-9
Online ISBN: 978-3-030-45388-6
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

International Association for Cryptologic Research (opens in a new tab)

Generic Authenticated Key Exchange in the Quantum Random Oracle Model

Abstract

Similar content being viewed by others

Post-Quantum Security Models for Authenticated Encryption

Tighter Security for Generic Authenticated Key Exchange in the QROM

Password-Based Authenticated Key Exchange from Standard Isogeny Assumptions

Keywords

1 Introduction

1.1 Our Contributions

2 Preliminaries

2.1 Public-Key Encryption

Definition 1

Definition 2

Definition 3

Definition 4

Definition 5

Definition 6

2.2 Key Encapsulation

Definition 7

2.3 Quantum Computation

Theorem 1

Lemma 1

3 The FO Transformation: QROM Security with Correctness Errors

3.1 Modularisation of \(\mathsf {TPunc}\)

Lemma 2

Proof

3.2 Transformation \(\mathsf {FO^{\not \bot }_ m }\) and Correctness Errors

Theorem 2

Proof

3.3 \(\mathsf {CCA}\) Security Without Disjoint Simulatability

4 Two-Message Authenticated Key Exchange

Definition 8

5 Transformation from PKE to AKE

Theorem 3

5.1 \(\mathsf {IND}\text {-}\mathsf {St}\mathsf {AA}\) Security Without Disjoint Simulatability

Notes

References

Acknowledgments

Author information

Authors and Affiliations

Corresponding author

Editor information

Editors and Affiliations

Rights and permissions

Copyright information

About this paper

Cite this paper

Download citation

Share this paper

Publish with us

Societies and partnerships

Search

Navigation