CCA-Secure (Puncturable) KEMs from Encryption with Non-Negligible Decryption Errors

Cini, Valerio; Ramacher, Sebastian; Slamanig, Daniel; Striecks, Christoph

doi:10.1007/978-3-030-64837-4_6

Valerio Cini¹⁰,
Sebastian Ramacher¹⁰,
Daniel Slamanig¹⁰ &
…
Christoph Striecks¹⁰

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 12491))

Included in the following conference series:

International Conference on the Theory and Application of Cryptology and Information Security

2272 Accesses

Abstract

Public-key encryption (PKE) schemes or key-encapsulation mechanisms (KEMs) are fundamental cryptographic building blocks to realize secure communication protocols. There are several known transformations that generically turn weakly secure schemes into strongly (i.e., IND-CCA) secure ones. While most of these transformations require the weakly secure scheme to provide perfect correctness, Hofheinz, Hövelmanns, and Kiltz (HHK) (TCC 2017) have recently shown that variants of the Fujisaki-Okamoto (FO) transform can work with schemes that have negligible correctness error in the (quantum) random oracle model (QROM). Many recent schemes in the NIST post-quantum competition (PQC) use variants of these transformations. Some of their CPA-secure versions even have a non-negligible correctness error and so the techniques of HHK cannot be applied.

In this work, we study the setting of generically transforming PKE schemes with potentially large, i.e., non-negligible, correctness error to ones having negligible correctness error. While there have been previous treatments in an asymptotic setting by Dwork et al. (EUROCRYPT 2004), our goal is to come up with practically efficient compilers in a concrete setting and apply them in two different contexts: firstly, we show how to generically transform weakly secure deterministic or randomized PKEs into CCA-secure KEMs in the (Q)ROM using variants of HHK. This applies to essentially all candidates to the NIST PQC based on lattices and codes with non-negligible error, for which we provide an extensive analysis. We thereby show that it improves some of the code-based candidates. Secondly, we study puncturable KEMs in terms of the Bloom Filter KEM (BFKEM) proposed by Derler et al. (EUROCRYPT 2018) which inherently have a non-negligible correctness error. BFKEMs are a building block to construct fully forward-secret zero round-trip time (0-RTT) key-exchange protocols. In particular, we show how to achieve the first post-quantum secure BFKEM generically from lattices and codes by applying our techniques to identity-based encryption (IBE) schemes with (non-)negligible correctness error.

You have full access to this open access chapter, Download conference paper PDF

On the Security of NTS-KEM in the Quantum Random Oracle Model

IND-CCA-Secure Key Encapsulation Mechanism in the Quantum Random Oracle Model, Revisited

Tightly-Secure Key-Encapsulation Mechanism in the Quantum Random Oracle Model

Keywords

1 Introduction

Public-key encryption (PKE) schemes or key-encapsulation mechanisms (KEM) are fundamental cryptographic building blocks to realize secure communication protocols. The security property considered standard nowadays is security against chosen-ciphertext attacks ($\mathsf {IND}\text {-}\mathsf {CCA} $ security). This is important to avoid pitfalls and attacks in the practical deployments of such schemes, e.g., padding oracle attacks as demonstrated by Bleichenbacher [12] and still showing up very frequently [5, 14, 46, 57]. Also, for key exchange protocols that achieve the desirable forward secrecy property, formal analysis shows that security against active attacks is required (cf. [22, 45, 50, 56]). This equally holds for recent proposals for fully forward-secret zero round-trip time (0-RTT) key-exchange protocols from puncturable KEMs [20, 21, 34] and even for ephemeral KEM keys for a post-quantum secure TLS handshake without signatures [61].

In the literature, various different ways of obtaining CCA security generically from weaker encryption schemes providing only chosen-plaintext ($\mathsf {IND}\text {-}\mathsf {CPA} $) or one-way ($\mathsf {OW}\text {-}\mathsf {CPA} $) security are known. These can be in the standard model using the double-encryption paradigm due to Naor and Yung [54], the compiler from selectively secure identity-based encryption (IBE) due to Canetti, Halevi and Katz [18], or the more recent works due to Koppula and Waters [49] based on so called hinting pseudo-random generators and Hohenberger, Koppula, and Waters [42] from injective trapdoor functions. In the random oracle model (ROM), CCA security can be generically obtained via the well-known and widely-used Fujisaki-Okamoto (FO) transform [27, 28] yielding particularly practical efficiency.

Perfect Correctness and (Non-)Negligible Correctness Error. A property common to many compilers is the requirement for the underlying encryption schemes to provide perfect correctness, i.e., there are no valid ciphertexts where the decryption algorithm fails when used with honestly generated keys. Recently, Hofheinz, Hövelmanns and Kiltz (HHK) [40] investigated different variants of the FO transform also in a setting where the underlying encryption scheme has non-perfect correctness and in particular decryption errors may occur with a negligible probability in the security parameter. This is interesting since many PKE or KEM schemes based on conjectured quantum safe assumptions and in particular assumptions on lattices and codes do not provide perfect correctness. Even worse, some of the candidates submitted to the NIST post-quantum competition (PQC) suffer from a non-negligible correctness error and so the FO transforms of HHK cannot be applied. Ad-hoc approaches to overcome this problem that are usually chosen by existing constructions in practice—if the problem is considered at all—is to increase the parameters to obtain a suitably small decryption error, applying an error correcting code on top or implementing more complex decoders. In practice, these ad-hoc methods come with drawbacks. Notably, LAC which is a Learning With Errors (LWE) based $\mathsf {IND}\text {-}\mathsf {CCA}$ secure KEM in the 2^nd round of the NIST PQC that applies an error correcting code is susceptible to a key recovery attack recently proposed by Guo et al. [37]. Also, code-based schemes have a history of attacks [26, 36, 59] due to decoding errors. Recently, Bindel and Schanck [10] proposed a failure boosting attack for lattice-based schemes with a non-zero correctness error. For some code-based schemes, the analysis of the decoding error is a non-trivial task as it specifically depends on the decoder. For instance, the analysis of BIKE’s decoder, another 2^nd round NIST PQC candidate, has recently been updated [62].

Consequently, it would be interesting to have rigorous and simple approaches to remove decryption errors (to a certain degree) from PKE and KEM schemes.

Immunizing Encryption Schemes. The study of “immunizing” encryption schemes from decryption errors is not new. Goldreich, Goldwasser, and Halevi [32] studied the reduction or removal of decryption errors in the Ajtai-Dwork encryption scheme as well as Howgrave-Graham et al. [44] in context of NTRU. The first comprehensive and formal treatment has been given by Dwork, Naor, and Reingold [25] who study different amplification techniques in the standard and random oracle model to achieve non-malleable ($\mathsf {IND}\text {-}\mathsf {CCA} $ secure) schemes. One very intuitive compiler is the direct product compiler $\mathsf {Enc}^{\otimes \ell }$ which encrypts a message M under a PKE $\varPi =(\mathsf {KGen},\mathsf {Enc},\mathsf {Dec})$ with a certain decryption error $\delta $ under $\ell $ independent public-keys from $\mathsf {KGen}$, i.e., ${\mathsf {pk}}':=({\mathsf {pk}}_1,\ldots ,{\mathsf {pk}}_\ell )$ as $\mathsf {Enc}'({\mathsf {pk}}',M):=(\mathsf {Enc}({\mathsf {pk}}_1,M),\ldots ,\mathsf {Enc}({\mathsf {pk}}_\ell ,M))$. $\mathsf {Dec}'$, given $C'=(C_1,\ldots ,C_\ell )$ tries to decrypt $C_i$, $1\le i\le \ell $, and returns the result of a majority vote among all decrypted messages, yielding an encryption scheme with some error $\delta '\le \delta $. Their asymptotic analysis, however, and limitation to PKEs with a binary message space does not make it immediate what this would mean in a concrete setting and in particular how to choose $\ell $ for practically interesting values of $\delta $ and $\delta '$. For turning a so-obtained amplified scheme with negligible correctness error into a CCA-secure one in the ROM, they provide a transform using similar ideas, but more involved than the FO transform. Bitansky and Vaikuntanathan [11] go a step further and turn encryption schemes with a correctness error into perfectly correct ones, whereas they even consider getting completely rid of bad keys (if they exist) and, thus, completely immunize encryption schemes. They build upon the direct product compiler of Dwork et al. and then apply reverse randomization [53] and Nisan-Wigderson style derandomization [55]. Thereby, they partition the randomness space into good and bad randomness, and ensure that only good randomness is used for encryption and key generation.

Our Goals. In this work, we are specifically interested in transformations that lift weaker schemes with non-negligible correctness error into CCA-secure ones with negligible error. Thereby, our focus is on modular ways of achieving this and can be seen as a concrete treatment of ideas that have also be discussed by Dwork et al. [25], who, however, treat their approaches in an asymptotic setting only. We show that the direct product compiler can be used with variants of the standard FO transform considered by HHK [40] (in the ROM) as well as Bindel et al. [9] and Jiang et al. [48] (in the quantum ROM (QROM) [15]). They are used by many candidates of the NIST PQC, when starting from PKE schemes having non-negligible correctness error generically. As we are particularly interested in practical compilers in a concrete setting to obtain CCA security for KEMs in the (Q)ROM, we analyze the concrete overhead of this compiler and its use with widely used variants of the transforms from HHK. Moreover, we provide a rigorous treatment of non-black-box applications of these ideas and show that they yield better concrete results than the direct application of the direct product compiler. Importantly, it gives a generic way to deal with the error from weaker schemes (e.g., $\mathsf {IND}\text {-}\mathsf {CPA} $ secure ones with non-negligible error) which are easier to design. An interesting question that we will study is how does increasing from one to $\ell $ ciphertexts compare to increasing the parameters at comparable resulting decryption errors for existing round-two submissions in the NIST PQC. As it turns out, our approach performs well in context of code-based schemes but gives less advantage for lattice-based schemes.

We also study our approach beyond conventional PKEs and KEMs. In particular, a class of KEMs that have recently found interest especially in context of full forward-secrecy for zero round-trip time (0-RTT) key-exchange (KE) protocols are so-called puncturable KEMs [21, 33, 34, 63] and, in particular, Bloom Filter KEMs (BFKEMs) [20, 21]. BFKEMs schemes are CCA-secure KEMs that inherently have non-negligible correctness error. Interestingly, however, the non-negligible correctness error comes from the Bloom filter layer and the underlying IBE scheme (specifically, the Boneh-Franklin [16] instantiation in [21]) is required to provide perfect correctness. Thus, as all post-quantum IBEs have at least negligible correctness error, there are no known post-quantum BFKEMs.

1.1 Contribution

Our contributions on a more technical level can be summarized as follows:

Generic Transform. We revisit the ideas of the direct product compiler of Dwork et al. [25] (dubbed $\mathsf {C_{p,r}}$ and $\mathsf {C_{p,d}}$ for randomized and deterministic PKEs respectively) in the context of the modular framework of HHK [40]. In particular, we present a generic transform dubbed ${\mathsf T}^{\star }$ that, given any randomized PKE scheme with non-negligible correctness error, produces a derandomized PKE scheme with negligible correctness error. We analyze the transform both in the ROM and QROM and give a tight reduction in the ROM and compare it to a generic application of the direct product compiler. The transform naturally fits into the modular framework of HHK [40], and, thus, by applying the ${\mathsf U}^{\not \bot }$ transform, gives rise to an $\mathsf {IND}\text {-}\mathsf {CCA}$-secure KEM. For the analysis in the QROM, we follow the work of Bindel et al. [9]. We show that the ${\mathsf T}^{\star }$ transform also fits into their framework. Hence, given the additional injectivity assumption, we also obtain a tight proof for ${\mathsf U}^{\not \bot }$. But even if this assumption does not hold, the non-tight proofs of Jiang et al. [48] and Hövelmanns et al. [43] still apply. Compared to the analysis of the ${\mathsf T}$ transform that is used in the modular frameworks, our reductions lose a factor of $\ell $, i.e., the number of parallel ciphertexts required to reach a negligible correctness error, in the ROM and a factor of $\ell ^2$ in the QROM. For concrete schemes this number is small (e.g., $\le 5$) and thus does not impose a significant loss. An overview of the transformations and how our transform fits into the modular frameworks is given in Fig. 1 (ROM) and Fig. 2 (QROM). Furthermore, using ideas similar to ${\mathsf T}^{\star }$, we discuss a modified version of the deterministic direct product compiler $\mathsf {C_{p,d}}$ which we denote by $\mathsf {C_{p,d}^\star }$, that compared to the original one allows to reduce the number of parallel repetitions needed to achieve negligible correctness error.

Evaluation. We evaluate ${\mathsf T}^{\star }$ based on its application to code- and lattice-based second-round candidates in the NIST PQC. In particular, we focus on schemes that offer $\mathsf {IND}\text {-}\mathsf {CPA}$ secure versions with non-negligible correctness error such as ROLLO [4], BIKE [3] and Round5 [30]. We compare their $\mathsf {IND}\text {-}\mathsf {CCA}$ variants with our transform applied to the $\mathsf {IND}\text {-}\mathsf {CPA}$ schemes. In particular, for the code-based schemes such as ROLLO we can observe improvements in the combined size of public keys and ciphertexts, a metric important when used in protocols such as TLS, as well as its runtime efficiency. We also argue the ease of implementing our so-obtained schemes which can rely on simpler decoders. For lattice-based constructions, we find that the use of the transform results in an increase in the sum of ciphertext and public-key size of 30% even in the best case scenario, i.e., for an $\mathsf {IND}\text {-}\mathsf {CPA}$ version of KEM Round5 [30]. Nevertheless, it offers easier constant-time implementations and the opportunity of decreasing the correctness error without changing the underlying parameter set and, thus, the possibility to focus on analyzing and implementing one parameter set for both, $\mathsf {IND}\text {-}\mathsf {CPA}$ and $\mathsf {IND}\text {-}\mathsf {CCA}$ security.

Bloom Filter KEMs. Finally, we revisit puncturable KEMs from Bloom filter KEMs (BFKEMs) [20, 21], a recent primitive to realize 0-RTT key exchange protocols with full forward-secrecy [34]. Currently, it is unclear how to instantiate BFKEMs generically from IBE and, in particular, from conjectured post-quantum assumptions due to the correctness error of the respective IBE schemes. We show that one can construct BFKEMs generically from any IBE and even base it upon IBEs with a (non-)negligible correctness error. Consequently, our results allow BFKEMs to be instantiated from lattice- and code-based IBEs and, thereby, we obtain the first post-quantum CCA-secure BFKEM.

2 Preliminaries

Notation. For $n\in \mathbb {N} $, let $[n]:=\{1,\ldots ,n\}$, and let $\lambda \in \mathbb {N} $ be the security parameter. For a finite set $\mathcal {S} $, we denote by $s\leftarrow _{\$}\mathcal {S} $ the process of sampling s uniformly from $\mathcal {S} $. For an algorithm A, let $y\leftarrow A(\lambda ,x)$ be the process of running A on input $(\lambda ,x)$ with access to uniformly random coins and assigning the result to y (we may assume that all algorithms take $\lambda $ as input). To make the random coins r explicit, we write A(x; r). We say an algorithm A is probabilistic polynomial time (PPT) if the running time of A is polynomial in $\lambda $. A function f is negligible if its absolute value is smaller than the inverse of any polynomial, i.e., if $\forall c\;\exists k_0\text { s.t. } \forall \lambda \ge k_0:|f(\lambda )|<1/ \lambda ^c$.

2.1 Public-Key Encryption and Key-Encapsulation Mechanisms

Public-key Encryption. A public-key encryption (PKE) scheme $\varPi $ with message space $\mathcal {M}$ consists of the three PPT algorithms $(\mathsf {KGen},\mathsf {Enc},\mathsf {Dec})$: $\mathsf {KGen}(\lambda )$, on input security parameter $\lambda $, outputs public and secret keys $({\mathsf {pk}},\mathsf {sk})$. $\mathsf {Enc}({\mathsf {pk}},M)$, on input ${\mathsf {pk}}$ and message $M \in \mathcal {M} $, outputs a ciphertext $C $. $\mathsf {Dec}(\mathsf {sk},C)$, on input $\mathsf {sk}$ and $C $, outputs $M \in \mathcal {M} \cup \{\bot \}$. We may assume that ${\mathsf {pk}}$ is implicitly available in $\mathsf {Dec}$.

Correctness. We recall the definition of $\delta $-correctness of [40]. A PKE $\varPi $ is $\delta $-correct if

$$ E\left[ \max _{M \in \mathcal {M}} \mathsf {Pr}\left[ {c \leftarrow \mathsf {Enc}({\mathsf {pk}}, M): \mathsf {Dec}(\mathsf {sk}, C) \ne M}\right] \right] \le \delta \text {,} $$

where the expected value is taken over all $({\mathsf {pk}}, \mathsf {sk}) \leftarrow \mathsf {KGen}(\lambda )$.

PKE-IND-CPA, PKE-OW-CPA, and PKE-OW-PCA Security. We say a PKE $\varPi $ is PKE-IND-CPA-secure if and only if any PPT adversary $A$ has only negligible advantage in the following security experiment. First, $A$ gets an honestly generated public key ${\mathsf {pk}}$. $A$ outputs equal-length messages $(M _0,M _1)$ and, in return, gets $C ^*_b\leftarrow \mathsf {Enc}({\mathsf {pk}},M _b)$, for $b\leftarrow _{\$}\{0,1\}$. Eventually, $A$ outputs a guess $b'$. If $b=b'$, then the experiment outputs 1. For PKE-OW-CPA security, $A$ does not receive a ciphertext for $A$-chosen messages, but only a ciphertext $C ^*\leftarrow \mathsf {Enc}({\mathsf {pk}},M)$ for $M \leftarrow _{\$}\mathcal {M} $ and outputs $M '$; if $M =M '$, then the experiment outputs 1. For PKE-OW-PCA security, $A$ additionally has access to a plaintext checking oracle $\textsc {Pco}(M,C)$ returning 1 if $M=\mathsf {Dec}(\mathsf {sk},C)$ and 0 otherwise.

Definition 1

For any PPT adversary $A$ the advantage function

$$ \mathsf {Adv}^{\mathsf {pke\text {-}ind\text {-}cpa}}_{\varPi ,A}(\lambda ):= \left| \mathsf {Pr}\left[ {\mathsf {Exp}^{\mathsf {pke\text {-}ind\text {-}cpa}}_{\varPi ,A}(\lambda )=1}\right] -\frac{1}{2}\right| , $$

is negligible in $\lambda $, where the experiment $\mathsf {Exp}^{\mathsf {pke\text {-}ind\text {-}cpa}}_{\varPi ,A}(\lambda )$ is given in Fig. 3 and $\varPi $ is a PKE as above.

Definition 2

For any PPT adversary $A$, and ${\mathsf y}\in \{CPA,PCA\}$ the advantage function

$$ \mathsf {Exp}^{\mathsf {pke\text {-}OW\text {-}y}}_{\varPi ,A}(\lambda ):= \mathsf {Pr}\left[ {\mathsf {Exp}^{\mathsf {pke\text {-}OW\text {-}y}}_{\varPi ,A}(\lambda )=1}\right] , $$

is negligible in $\lambda $, where the experiments $\mathsf {Exp}^{\mathsf {pke\text {-}ow\text {-}cpa}}_{\varPi ,A}(\lambda )$ and $\mathsf {Exp}^{\mathsf {pke\text {-}ow\text {-}pca}}_{\varPi ,A}(\lambda )$ are given in Fig. 3 and $\varPi $ is a PKE as above.

We recall a well known lemma below:

Lemma 1

For any adversary B there exists an adversary A with the same running time as that of B such that

$$\begin{aligned} \mathsf {Adv}^{\mathsf {pke\text {-}ow\text {-}cpa}}_{\varPi ,B}(\lambda ) \le \mathsf {Adv}^{\mathsf {pke\text {-}ind\text {-}cpa}}_{\varPi ,A}(\lambda ) + \frac{1}{|{{{\mathcal {M}}}}|}. \end{aligned}$$

We note that Lemma 1 equivalently holds for the $\ell \text {-}\mathsf {IND\text {-}CPA}$ notion below.

Multi-challenge Setting. We recall some basic observations from [8] regarding the multi-challenge security of PKE schemes. In particular, for our construction we need the relation between $\mathsf {OW}\text {-}\mathsf {CPA} $/$\mathsf {IND}\text {-}\mathsf {CPA} $ security in the conventional single-challenge and single-user setting and $n\text {-}\mathsf {OW}\text {-}\mathsf {CPA}/n\text {-}\mathsf {IND\text {-}CPA}$ respectively, which represents the multi-challenge and multi-user setting. In particular, latter means that the adversary is allowed to obtain multiple challenges under multiple different public keys.

Theorem 1

(Th. 4.1 [8]). Let $\varPi =(\mathsf {KGen},\mathsf {Enc},\mathsf {Dec})$ be a PKE scheme that provides $\mathsf x$-$\mathsf CPA$ security with $\mathsf {x\in \{OW,IND\}}$. Then, it holds that:

$$\begin{aligned} \mathsf {Adv}^{\mathsf {pke\text {-}x\text {-}cpa}}_{\varPi ,A}(\lambda ) \ge \frac{1}{q\cdot n}\cdot \mathsf {Adv}^{\mathsf {n\text {-}pke\text {-}x\text {-}cpa}}_{\varPi ,A}(\lambda ), \end{aligned}$$

where n is the number of public keys and $A $ makes at most q queries to any of its n challenge oracles.

Although the loss imposed by the reduction in Theorem 1 can be significant when used in a general multi-challenge and multi-user setting, in our application we only have cases where $n=1$ and small q ($q = 5$ at most), or vice versa (i.e., $q=1$ and $n=5$ at most) thus tightness in a concrete setting is preserved.

Finding Failing Ciphertexts and Injectivity. For the QROM security proof we will need the following two definitions from [9].

Definition 3

($\varepsilon $-injectivity). A PKE $\varPi $ is called $\varepsilon $-injective if

$\varPi $ is deterministic and
$$ \mathsf {Pr}\left[ {({\mathsf {pk}},\mathsf {sk})\leftarrow \mathsf {KGen}(\lambda ): M \mapsto \mathsf {Enc}({\mathsf {pk}}, M) \text { is not injective}}\right] \le \varepsilon \text {.} $$
$\varPi $ is non-deterministic with randomness space ${\mathcal {R}}$ and
$$ \mathsf {Pr}\left[ {\begin{aligned}&({\mathsf {pk}},\mathsf {sk})\leftarrow \mathsf {KGen}(\lambda ),\\ {}&M, M ' \leftarrow _{\$} \mathcal {M}, r, r' \leftarrow _{\$} {\mathcal {R}} \end{aligned}: \mathsf {Enc}({\mathsf {pk}},M;r) = \mathsf {Enc}({\mathsf {pk}}, M '; r')}\right] \le \varepsilon \text {.} $$

Definition 4 (Finding failing ciphertexts)

For a deterministic $\mathsf {PKE}$, the $\mathsf {FFC}$-advantage of an adversary $A$ is defined as

$$ \mathsf {Adv}^{\mathsf {pke\text {-}ffc}}_{\varPi ,A}(\lambda ):=\mathsf {Pr}\left[ {\mathsf {Exp}^{\mathsf {pke\text {-}ffc}}_{\varPi ,A}(\lambda )=1}\right] \text {,} $$

where the experiment $\mathsf {Exp}^{\mathsf {pke\text {-}ffc}}_{\varPi ,A}$ is given in Fig. 4.

Key-Encapsulation Mechanism. A key-encapsulation mechanism (KEM) scheme $\mathsf {KEM}$ with key space $\mathcal {K}$ consists of the three PPT algorithms $(\mathsf {KGen},\mathsf {Encaps},\mathsf {Decaps})$: $\mathsf {KGen}(\lambda )$, on input security parameter $\lambda $, outputs public and secret keys $({\mathsf {pk}},\mathsf {sk})$. $\mathsf {Encaps} ({\mathsf {pk}})$, on input ${\mathsf {pk}}$, outputs a ciphertext $C $ and key k. $\mathsf {Decaps} (\mathsf {sk},C)$, on input $\mathsf {sk}$ and $C $, outputs $\textsf {k}$ or $\{\bot \}$.

Correctness of $\mathsf {KEM} $. We call a $\mathsf {KEM} $ $\delta $-correct if for all $\lambda \in \mathbb {N} $, for all $({\mathsf {pk}},\mathsf {sk})\leftarrow \mathsf {KGen}(\lambda )$, for all $(C,\textsf {k})\leftarrow \mathsf {Enc}({\mathsf {pk}})$, we have that

$$ \mathsf {Pr}\left[ {\mathsf {Dec}(\mathsf {sk},C)\ne \textsf {k}}\right] \le \delta \text {.} $$

KEM-IND-CCA Security. We say a KEM $\mathsf {KEM}$ is KEM-IND-CCA-secure if and only if any PPT adversary $A$ has only negligible advantage in the following security experiment. First, $A$ gets an honestly generated public key ${\mathsf {pk}}$ as well as a ciphertext-key pair $(C ^*,\textsf {k}_b)$, for $(C ^*,\textsf {k}_0)\leftarrow \mathsf {Encaps} ({\mathsf {pk}})$, for $\textsf {k}_1\leftarrow _{\$}\mathcal {K} $, and for $b\leftarrow _{\$}\{0,1\}$. $A$ has access to a decapsulation oracle $\mathsf {Dec}(\mathsf {sk},\cdot )$ and we require that $A$ never queries $\mathsf {Decaps} (\mathsf {sk},C ^*)$. Eventually, $A$ outputs a guess $b'$. Finally, if $b=b'$, then the experiment outputs 1.

Definition 5

For any PPT adversary $A$, the advantage functions

$$\begin{aligned} \mathsf {Adv}^{\mathsf {kem\text {-}ind\text {-}cca}}_{\mathsf {KEM},A}(\lambda ):=\left| \mathsf {Pr}\left[ {\mathsf {Exp}^{\mathsf {kem\text {-}ind\text {-}cca}}_{\mathsf {KEM},A}(\lambda )=1}\right] -\frac{1}{2}\right| , \end{aligned}$$

is negligible in $\lambda $, where the experiment $\mathsf {Exp}^{\mathsf {kem\text {-}ind\text {-}cca}}_{\mathsf {KEM},A}(\lambda )$ is given in Fig. 5 and $\mathsf {KEM}$ is a KEM as above.

2.2 Identity-Based Encryption

An identity-based encryption (IBE) scheme $\mathsf {IBE}$ with identity space $\mathcal {ID} $ and message space $\mathcal {M}$ consists of the five PPT algorithms $(\mathsf {KGen},\mathsf {Ext},\mathsf {Enc},\mathsf {Dec})$: $\mathsf {KGen}(\lambda )$ on input security parameter $\lambda $, outputs master public and secret keys . $\mathsf {Ext} (msk, id )$ on input identity $ id \in \mathcal {ID} $, outputs a user secret key $ usk _{ id } $. on input , and message $M \in \mathcal {M} $, outputs a ciphertext $C $. ${\mathsf {Dec}( usk _{ id },C)}$ on input $ usk _{ id }$ and $C$, outputs $M \in \mathcal {M} \cup \{\bot \}$.

Correctness of $\mathsf {IBE}$. Analogous to [40] we define $\delta $-correctness of an IBE $\mathsf {IBE} $ for any $ id \in \mathcal {ID} $ as

$$ E\left[ \max _{M \in \mathcal {M}} \mathsf {Pr}\left[ {C \leftarrow \mathsf {Enc}(mpk, id ,M): \mathsf {Dec}( usk _{ id },C) \ne M}\right] \right] \le \delta (\lambda )\text {,} $$

where the expected value is taken over all $(mpk, msk) \leftarrow \mathsf {KGen}(\lambda )$ and $ usk _{ id } \leftarrow \mathsf {Ext} (msk, id )$.

We recall the formal definitions of IBE-sIND-CPA security in the full version.

3 CCA Security from Non-Negligible Correctness Errors

In this section, we present our approaches to generically achieve CCA secure KEMs in the (Q)ROM with negligible correctness error when starting from an $\mathsf {OW}\text {-}\mathsf {CPA} $ or $\mathsf {IND}\text {-}\mathsf {CPA} $ secure PKE with non-negligible correctness error. We start by discussing the definitions of correctness errors of PKE and KEMs. Then, we present a generic transform based on the direct product compiler of Dwork et al. [25] and revisit certain FO transformation variants from [40] (in particular the $\mathsf T$ and $\mathsf U$ transformations), their considerations in the QROM [9] and their application with the direct product compiler. As a better alternative, we analyze the non-black-box use of the previous technique yielding transformation $\mathsf T^\star $, that combines the direct product compiler with the $\mathsf T$ transformation. Finally, we provide a comprehensive comparison of the two approaches.

3.1 On the Correctness Error

In this work, we use the $\delta $-correctness for PKEs given by HHK in [40]. With this definition, particularly bad keys in terms of correctness error only contribute a fraction to the overall correctness error as it averages the error probability over all key pairs: if there are negligible many keys with a higher correctness error, then those keys do not really contribute to the overall correctness error. At the same time this definition is tailored, via maxing over all possible messages, to the security proofs of the FO-transforms where an adversary could actively search for the worst possible message, in order to trigger decryption failure. As also done by Dwork et al. [25], we explicitly write the correctness error as a function in the security parameter:

Definition 6

A $\mathsf {PKE}$ $\varPi $ is $\delta (\cdot )$-correct if

$$ E\left[ \max _{M \in \mathcal {M}} \mathsf {Pr}\left[ {C \leftarrow \mathsf {Enc}({\mathsf {pk}}, M): \mathsf {Dec}(\mathsf {sk}, C) \ne M}\right] \right] \le \delta (\lambda )\text {,} $$

where the expected value is taken over all $({\mathsf {pk}}, \mathsf {sk}) \leftarrow \mathsf {KGen}(\lambda )$.

It will be important for our transform to make explicit that the correctness error depends on the security level, as this allows us to chose a function $\ell (\cdot )$ such that $\delta (\lambda )^{\ell (\lambda )} \le 2^{-\lambda }$. We will often just write $\delta = \delta (\lambda )$ and $\ell = \ell (\lambda )$ for simplicity.

An alternative but equivalent definition, as used in [40], can be given in the following form: a PKE $\varPi $ is called $\delta (\cdot )$-correct if we have for all (possibly unbounded) adversaries $A $ that

$$ \mathsf {Adv}^{\mathsf {cor}}_{\varPi ,A}(\lambda ) = \mathsf {Pr}\left[ {\mathsf {Exp}^{\mathsf {cor}}_{\varPi ,A}(\lambda ) = 1}\right] \le \delta (\lambda ) \text {,} $$

where the experiment is given in Fig. 6. If $\varPi $ is defined relative to a random oracle $\mathsf {H}$, then the adversary is given access to the random oracle and $\delta $ is additionally a function in the number of queries $q_{\mathsf {H}}$, i.e., the bound is given by $\le \delta (\lambda , q_{\mathsf {H}})$. We note that in [10] an alternative definition of correctness was proposed, where the adversary does not get access to $\mathsf {sk}$ and the adversary’s runtime is bounded. With this change, it can be run as part of the $\mathsf {IND}\text {-}\mathsf {CCA}$ experiment which does not change the power of the $\mathsf {IND}\text {-}\mathsf {CCA}$ adversary and additionaly removes a factor $q_{\mathsf {H}}$ from the correctness error and advantage analysis. In particular, one can obtain an upper bound for $\mathsf {IND}\text {-}\mathsf {CCA}$ security of a scheme via the correctness error.

We recall, for completeness, the definition of correctness error, here denoted as DNR-$\delta $-correctness (from Dwork-Naor-Reingold), used by Dwork et al.:

Definition 7

(Def. 2, Def. 3 [25]). A $\mathsf {PKE}$ $\varPi $ is

DNR-$\delta (\cdot )$-correct if we have that
$$ \mathsf {Pr}\left[ {\mathsf {Dec}(\mathsf {sk},\mathsf {Enc}({\mathsf {pk}}, M)) \ne M}\right] \le \delta (\lambda ) \text {,} $$
where the probability is taken over the choice of key pairs $({\mathsf {pk}},\mathsf {sk})\leftarrow \mathsf {KGen}(\lambda )$, $M \in \mathcal {M} $ and over the random coins of $\mathsf {Enc}$ and $\mathsf {Dec}$.
DNR-(almost-)all-keys $\delta (\cdot )$-correct if for all (but negligible many) keys $({\mathsf {pk}},\mathsf {sk})\leftarrow \mathsf {KGen}(\lambda )$, we have that
$$ \mathsf {Pr}\left[ {\mathsf {Dec}(\mathsf {sk},\mathsf {Enc}({\mathsf {pk}}, M)) \ne M}\right] \le \delta (\lambda ) \text {,} $$
where the probability is taken over the choice of $M \in \mathcal {M} $ and over the random coins of $\mathsf {Enc}$ and $\mathsf {Dec}$.

Correctness error in this sense still allows bad key pairs that potentially have an even worse error but it is not suited for our security proofs as the probability is also taken over $M \leftarrow _{\$}\mathcal {M} $. Recently Drucker et al. [23] introduced the notion of message agnostic PKE and showed that all the versions of BIKE, a 2nd round candidate in the NIST PQC, are message-agnostic: in such a PKE, the probability that, given $(\mathsf {sk}, {\mathsf {pk}})$, the encryption of a message $M\in \mathcal {M} $ correctly decrypts is independent of the message $M \in \mathcal {M} $ itself. For such PKEs the definitions of $\delta $-correctness and DNR-$\delta $-correctness coincide (Cor. 1 [23]).

3.2 Compiler for Immunizing Decryption Errors

Now we present two variants of a compiler $\mathsf {C_{p}}$ denoted $\mathsf {C_{{p,d}}}$ (for deterministic schemes) and $\mathsf { C_{{p,r}}}$ (for randomized schemes) which is based on the direct product compiler by Dwork et al. [25]. We recall that the idea is to take a PKE scheme $\varPi =(\mathsf {KGen},\mathsf {Enc},\mathsf {Dec})$ with non-negligible correctness error $\delta $ (and randomness space ${{\mathcal {R}}}$ in case of randomized schemes) and output a PKE scheme $\varPi '=(\mathsf {KGen}',\mathsf {Enc}',\mathsf {Dec}')$ with negligible correctness error $\delta '$ (and randomness space ${{{\mathcal {R}}}}':={{{\mathcal {R}}}}^\ell $, for some $\ell \in {\mathbb {N}}$, in case of a randomized schemes). We present a precise description of the compilers in Fig. 7. Note that in $\mathsf {Dec}'$, the message that is returned most often by $\mathsf {Dec}$ is returned. If two or more messages are tied, one of them is returned arbitrarily and we denote this operation as $\mathsf {maj}(M')$.

Analyzing Correctness. Dwork et al. in [25] explicitly discuss the amplification of the correctness for encryption schemes with a binary message space $\mathcal {M} = \{ 0, 1 \}$ and obtain that to achieve DNR-$\delta '$-correctness $\ell > {c}/{(1-\delta )^2} \cdot \log {1}/{\delta '}$ when starting from a scheme with DNR-$\delta $-correctness. As c is some constant that is never made explicit, the formula is more of theoretical interest and for concrete instances it is hard to estimate the number of required ciphertexts. We can however analyze the probabilities that the majority vote in $\mathsf {Dec}'$ returns the correct result. As far as the correctness notion used in this work is concerned, in order to prove an acceptable good lower bound for the $\delta $-correctness of the direct product compiler, it suffices to find an event, in which the decryption procedure fails, that happens with a large enough probability. The following reasoning applies to both its deterministic and randomized versions, $\mathsf {C_{p,d}}$ and $\mathsf {C_{p,r}}$ respectively. One such case is the following: only 1 ciphertext correctly decrypts and all other $\ell -1$ ciphertexts decrypt to $\ell -1$ distinct wrong messages. During the $\mathsf {maj}$ operation, one of the “wrong” messages is then returned. The probability of this event is

$$ \frac{\ell - 1}{\ell }{\ell \atopwithdelims ()\ell -1}\delta ^{\ell -1}(1-\delta )\frac{M-1}{M-1}\frac{M-2}{M-1}\cdots \frac{M-(\ell -1)}{M-1} \text {.} $$

Looking ahead to our compiler $\mathsf T^*$ presented in Sect. 3.4, if the message space is sufficiently large, this probability is bigger than $\delta ^{\ell -1}(1-\delta )$, which gives that at least one more ciphertext is needed to achieve the same decryption error as with our compiler $\mathsf T^*$. The results are shown in Table 1. One can compute the exact probability of decryption error by listing all cases in which the decryption fails and summing up all these probabilities to obtain the overall decryption failure of the direct product compiler. This computation is not going to give a significantly different result from the lower bound that we have just computed.

We note that using 2 parallel ciphertexts does not improve the correctness error, so the direct product compiler only becomes interesting for $\ell \ge 3$: indeed for $\ell =2$, we have 3 possible outcomes in which the decryption algorithm can fail: 1) the first ciphertext decrypts and the second does not, 2) vice versa, 3) both fail to decrypt. In 1), 2), half the time the wrong plaintext is returned. Summing these probabilities gives exactly $\delta $.

Table 1. Estimation of the correctness error for the direct product compilers. $\delta '(\ell )$ denotes the correctness error for $\ell $ ciphertexts.

Full size table

Remark 1

As far as the deterministic direct product compiler $\mathsf {C_{{p,d}}}$ is concerned, the correctness error can be improved by modifying the decryption: instead of relying on the $\mathsf {maj}$ operation, we can re-encrypt the plaintexts obtained during decryption with the respective keys and compare them to the original ciphertexts. Only if this check passes, the plaintext is returned. If this is done, then decryption fails iff no ciphertext decrypts correctly, i.e., with probability $\delta ^\ell $, and thereby the number of parallel repetition necessary to achieve negligible correctness-error is reduced at the cost of a computational overhead in the decryption. We denote this version of the deterministic direct product compiler by $\mathsf {C_{{{p,d}}}^\star }$.

Their security follows by applying Theorem 1 with $q=1$ and $n=\ell $ in the deterministic case, for both $\mathsf {C_{{{p,d}}}}$ and $\mathsf {C_{{{p,d}}}^\star }$, or vice versa with $q=\ell $ and $n=1$ in the randomized case:

Corollary 1

For any $\mathsf x$-$\mathsf {CPA}$ adversary B against $\varPi '$ obtained via applying $\mathsf {C}_{\mathsf p,y}$ to $\varPi $, there exists an $\mathsf x$-$\mathsf {CPA}$ adversary A such that:

$$\begin{aligned} \mathsf {Adv}^{\mathsf {pke\text {-}x\text {-}cpa}}_{\varPi ',B}(\lambda ) \le \ell \cdot \mathsf {Adv}^{\mathsf {pke\text {-}x\text {-}cpa}}_{\varPi ,A}(\lambda ), \end{aligned}$$

where $\mathsf {y=d}$ if $\mathsf {x=OW}$ and $\mathsf {y=r}$ if $\mathsf {x=IND}$.

As the analysis above suggests, $\ell $ will be a small constant, so the loss in $\ell $ does not pose a problem regarding tightness.

3.3 Transformations $\mathsf T$ and $\mathsf U^{\not \bot }$

Subsequently, we discuss basic transformations from [41] to first transform an $\mathsf {IND\text {-}CPA}$ secure PKE into an $\mathsf {OW\text {-}PCA}$ secure PKE (transformation $\mathsf T$ in [41]) and then to convert an $\mathsf {OW\text {-}PCA}$ secure PKE into an $\mathsf {IND\text {-}CCA}$ secure KEM with implicit rejection (transformation $\mathsf U^{\not \bot }$ in [41]) and we discuss alternative transformations later. We stress that these transformations either work for perfectly correct schemes or schemes with a negligible correctness error.

The transform ${\mathsf T}$ is a simple de-randomization of a PKE by deriving the randomness r used by the algorithm $\mathsf {Enc}$ via evaluating a random oracle (RO) on the message to be encrypted. More precisely, let $\varPi =(\mathsf {KGen},\mathsf {Enc},\mathsf {Dec})$ be a PKE with message space ${{\mathcal {M}}}$ and randomness space ${{\mathcal {R}}}$ and ${\mathsf G}:{{{\mathcal {M}}}}\rightarrow {{{\mathcal {R}}}}$ be a RO. We denote the PKE $\varPi '$ obtained by applying transformation $\mathsf T$ depicted in Fig. 8 as $\varPi '={\mathsf T}[\varPi ,{\mathsf G}]$, where $\varPi '.\mathsf {KGen}= \varPi .\mathsf {KGen}$ and is thus omitted.

For the ROM, we recall the following theorem:

Theorem 2

(Thm. 3.2 [41] ($\varPi ~\mathsf {IND}\text {-}\mathsf {CPA} \implies \varPi '~{\mathsf {O}}{\mathsf {W}}\text {-}\mathsf {PCA}$)). Assume $\varPi $ to be $\delta $-correct. Then, $\varPi '$ is $\delta _1(q_{\mathsf G})=q_{\mathsf G}\cdot \delta $ correct and for any $\mathsf {OW\text {-}PCA}$ adversary B that issues at most $q_{\mathsf G}$ queries to the RO $\mathsf G$ and $q_P$ queries to a plaintext checking oracle Pco, there exists an $\mathsf {IND\text {-}CPA}$ adversary A running in about the same time as $B $ such that

$$ \mathsf {Adv}^{\mathsf {pke\text {-}ow\text {-}pca}}_{\varPi ',B}(\lambda ) \le q_{\mathsf G}\cdot \delta + \frac{2q_{\mathsf G}+1}{|{{{\mathcal {M}}}}|} + 3\cdot \mathsf {Adv}^{\mathsf {pke\text {-}ind\text {-}cpa}}_{\varPi ,A}(\lambda ). $$

And for the QROM, we recall the following theorem:

Theorem 3

(Thm. 1 [9] ($\varPi ~\mathsf {IND}\text {-}\mathsf {CPA} \implies \varPi '~{\mathsf {O}}{\mathsf {W}}\text {-}\mathsf {CPA}$)). If $A $ is an $\mathsf {OW}\text {-}\mathsf {CPA}$-adversary against $\varPi ' = {\mathsf T}[\varPi , \mathsf {G}]$ issuing at most $q_{\mathsf {G}}$ queries to the quantum-accessible RO $\mathsf {G}$ of at most depth d, then there exists an $\mathsf {IND}\text {-}\mathsf {CPA}$ adversary $B$ against $\varPi $ running in about the same time as $A $ such that

$$ \mathsf {Adv}^{\mathsf {pke\text {-}ow\text {-}cpa}}_{\varPi ',A}(\lambda ) \le (d + 1) \left( \mathsf {Adv}^{\mathsf {pke\text {-}ind\text {-}cpa}}_{\varPi ,B}(\lambda ) + \frac{8(q_{\mathsf {G}}+1)}{|\mathcal {M} |}\right) \text {.} $$

The transformation $\mathsf U^{\not \bot }$ transforms any $\mathsf {OW\text {-}PCA}$ secure PKE $\varPi '$ into an $\mathsf {IND\text {-}CCA}$ secure KEM in the (Q)ROM. The basic idea is that one encrypts a random message $M $ from the message space ${{\mathcal {M}}}$ of $\varPi '$ and the encapsulated key is the RO evaluated on the message $M $ and the corresponding ciphertext $C $ under $\varPi '$. This transformation uses implicit rejection and on decryption failure does not return $\bot $, but an evaluation of the RO on the ciphertext and a random message $s\in {{\mathcal {M}}}$, being part of $\mathsf {sk}$ of the resulting KEM, as a “wrong” encapsulation key. It is depicted in Fig. 9.

In the ROM, we have the following result:

Theorem 4

(Thm. 3.4 [41] ($\varPi '~\mathsf {OW\text {-}PCA}\implies \mathsf {KEM} ~\mathsf {IND\text {-}CCA}$)). If $\varPi '$ is $\delta _1$-correct, then $\mathsf {KEM} $ is $\delta _1$-correct in the random oracle model. For any $\mathsf {IND\text {-}CCA}$ adversary B against $\mathsf {KEM} $, issuing at most $q_{\mathsf H}$ queries to the random oracle $\mathsf H$, there exists an $\mathsf {OW\text {-}PCA}$ adversary A against $\varPi '$ running in about the same time as B that makes at most $q_{\mathsf H}$ queries to the Pco oracle such that

$$\begin{aligned} \mathsf {Adv}^{\mathsf {kem\text {-}ind\text {-}cca}}_{\mathsf {KEM},B}(\lambda ) \le \frac{q_{\mathsf H}}{|{{{\mathcal {M}}}}|}+ \mathsf {Adv}^{\mathsf {pke\text {-}ow\text {-}pca}}_{\varPi ',A}(\lambda ). \end{aligned}$$

For the QROM, we have the following non-tight result:

Theorem 5

(Thm. 6 [48] ($\varPi '~{\mathsf {O}}{\mathsf {W}}\text {-}\mathsf {PCA} \implies \mathsf {KEM}~\mathsf {IND}\text {-}\mathsf {CCA}$)). Let $\varPi '$ be a deterministic PKE scheme which is independent of $\mathsf {H}$. Let $B $ be an $\mathsf {IND}\text {-}\mathsf {CCA}$ adversary against the KEM ${\mathsf U^{\not \bot }}[\varPi ', \mathsf {H}]$, and suppose that $A $ makes at most $q_d$ (classical) decryption queries and $q_\mathsf {H}$ queries to quantum-accessible random oracle $\mathsf {H}$ of depth at most d, then there exists and adversary $B $ against $\varPi '$ such that

$$ \mathsf {Adv}^{\mathsf {kem\text {-}ind\text {-}cca}}_{{\mathsf U^{\not \bot }}[\varPi ', \mathsf {H}], A} (\lambda ) \le \frac{2 \cdot q_{\mathsf {H}}}{\sqrt{|\mathcal {M} |}} + 2 \cdot \sqrt{(q_{\mathsf {H}} + 1)(2 \cdot \delta + \mathsf {Adv}^{\mathsf {pke\text {-}ow\text {-}cpa}}_{\varPi ',B}(\lambda ))}\text {.} $$

If we assume $\varepsilon $-injectivity and $\mathsf {FFC}$, respectively, we have tighter bounds:

Theorem 6

(Thm. 4.6 [51] ($\varPi '~{\mathsf {O}}{\mathsf {W}}\text {-}\mathsf {CPA} + \mathsf {FFC} \implies \mathsf {KEM}~\mathsf {IND}\text {-}\mathsf {CCA}$)). Let $\varPi '$ be an $\varepsilon $-injective deterministic PKE scheme which is independent of $\mathsf {H}$. Suppose that $A $ is an $\mathsf {IND}\text {-}\mathsf {CCA}$ adversary against the KEM ${\mathsf U^{\not \bot }}[\varPi ', \mathsf {H}]$, and suppose that $A $ makes at most $q_d$ (classical) decryption queries and $q_{\mathsf {H}}$ queries to quantum-accessible random oracle $\mathsf {H}$ of depth at most d, then there exist two adversaries running in about the same time as $A $:

an $\mathsf {OW}\text {-}\mathsf {CPA}$-adversary $B _1$ against $\varPi '$ and
a $\mathsf {FFC}$-adversary $B _2$ against $\varPi '$ returning a list of at most $q_d$ ciphertexts,

such that

$$ \mathsf {Adv}^{\mathsf {kem\text {-}ind\text {-}cca}}_{{\mathsf U^{\not \bot }}[\varPi ', \mathsf {H}], A} (\lambda ) \le 4d \cdot \mathsf {Adv}^{\mathsf {pke\text {-}ow\text {-}cpa}}_{\varPi ',B _1}(\lambda ) + 6 \mathsf {Adv}^{\mathsf {pke\text {-}ffc}}_{\varPi ',B _2}(\lambda ) + (4d + 6) \cdot \varepsilon \text {.} $$

By combining transformation $\mathsf T$ with $\mathsf U^{\not \bot }$ one consequently obtains an $\mathsf {IND\text {-}CCA}$ secure KEM $\mathsf {KEM} $ from an $\mathsf {IND\text {-}CPA}$ secure PKE $\varPi $. Note that the security reduction of the ${\mathsf FO}^{\not \bot }:= {\mathsf U}^{\not \bot } \circ {\mathsf T}$ variant of the FO is tight in the random oracle model and works even if $\varPi $ has negligible correctness error instead of perfect correctness.

Hofheinz et al. in [41] also provide variants of the FO transform that are secure in the QROM, but they are (highly) non-tight. Bindel et al. [9] presented a tighter proof for ${\mathsf U}^{\not \bot }$ under an additional assumption of $\varepsilon $-injectivity. This result was recently improved by Kuchta et al. [51]. Additionally, Jiang et al. [48] provided tighter proofs for the general case.

Besides the transform with implicit rejection, ${\mathsf U}^{\not \bot }$, one can also consider explicit rejection, ${\mathsf U}^{\bot }$ and versions of both where the derived session key depends on the ciphertext, ${\mathsf U}^{\not \bot }_m$ and ${\mathsf U}^{\bot }_m$, respectively. Bindel et al. [9] show that security of implicit rejection implies security with explicit rejection. The opposite direction also holds if the scheme with explicit rejection also employs key confirmation. Moreover, they show that the security is independent of including the ciphertext in the session key derivation.

A different approach was proposed by Saito et al. [58], where they start from a deterministic disjoint simulatable PKE and apply ${\mathsf U}^{\not \bot }_m$ with an additional re-encryption step in the decryption algorithm. While the original construction relied on a perfectly correct PKE, Jiang et al. gave non-tight reductions for schemes with negligible correctness error in [47]. Hövelmanns et al. [43] improve over this approach by giving a different modularization of Saito et al.’s $\mathsf {TPunc}$.

Black-Box Use of the Compiler . Using , or from Sect. 3.2, we can transform any deterministic or randomized PKE with non-negligible correctness error into one with negligible correctness error. Consequently, Theorem 1 as a result yields a scheme that is compatible with all the results on the $\mathsf T$ and variants of the $\mathsf U$ transformations in this section. Note that in particular this gives us a general way to apply these variants of the FO transform to PKE schemes with non-negligible correctness error.

3.4 Non Black-Box Use: The Transformation $\mathsf T^\star $

Since the direct product compiler is rather complicated to analyze, we alternatively investigate to start from an $\mathsf {IND}$-$\mathsf {CPA}$ secure PKE $\varPi $ with non-negligible correctness error $\delta $ and introduce a variant of the transform $\mathsf T$ to de-randomize a PKE, denoted $\mathsf T^\star $. The idea is that we compute $\ell $ independent encryptions of the same message $M $ under the same public key ${\mathsf {pk}}$ using randomness ${\mathsf G}(M,i)$, $i\in [\ell ]$, where $\mathsf G$ is a RO (see Fig. 10 for a compact description). The resulting de-randomized PKE $\varPi '$ has then correctness error $\delta ':=\delta ^\ell $, where $\ell $ is chosen in a way that $\delta ^\ell $ is negligible. To the resulting PKE $\varPi '$ we can then directly apply the transformation $\mathsf U^{\not \bot }$ to obtain an $\mathsf {IND}$-$\mathsf {CCA}$ secure KEM $\mathsf {KEM} $ with negligible correctness error in the (Q)ROM.

Note that as we directly integrate the product compiler into the $\mathsf T$ transform, the correctness of the message can be checked via the de-randomization. Hence, we can get rid of the majority vote in the direct product compiler. With this change the analysis of the concrete choice of $\ell $ becomes simpler and, more importantly, allows us to choose smaller $\ell $ than in the black-box use of the compiler.

Remark 2

Note that in Fig. 10 we explicitly consider the case where $\mathsf {Dec}$ of the PKE scheme $\varPi $ may return something arbitrary on failed decryption. For the simpler case where we have a PKE scheme $\varPi $ which always returns $\bot $ on failed decryption, we can easily adapt the approach in Fig. 10. Namely, we would decrypt all $\ell $ ciphertexts $C _i$, $i\in [\ell ]$. Let $h\in [\ell ]$ be the minimum index such that $\texttt {res}[h]\ne \bot $. Then for every element $j\in [\ell ]$ run $C _j':=\varPi .\mathsf {Enc}({\mathsf {pk}}, \texttt {res}[h]; {\mathsf G}(\texttt {res}[h],j)$. If for all $j\in [\ell ]$ we have $C _j'=C _j$ we return ${\texttt {res}}[h]$. If this is not the case we return $\bot $. Note that all $\ell $ $C '_j$ have to be re-encrypted and checked against $C _j$, as otherwise $\mathsf {IND}\text {-}\mathsf {CCA} $-security is not achieved. The difference is, that only $\ell $ encryptions instead of $\ell ^2$ are required.

We now show the following theorem.

Theorem 7

($\varPi ~\mathsf {IND}\text {-}\mathsf {CPA} \implies \varPi '~{\mathsf {O}}{\mathsf {W}}\text {-}\mathsf {PCA}$ ). Assume $\varPi $ to be $\delta $-correct. Then, $\varPi '$ is $\delta _1(q_{\mathsf G},\ell )\le \dfrac{q_{\mathsf G}}{\ell }\cdot \delta ^\ell $ correct and for any $\mathsf {OW\text {-}PCA}$ adversary B that issues at most $q_{\mathsf G}$ queries to the random oracle $\mathsf G$ and $q_P$ queries to a plaintext checking oracle Pco, there exists an $\mathsf {IND\text {-}CPA}$ adversary A running in about the same time as $B $ such that

$$\begin{aligned} \mathsf {Adv}^{\mathsf {pke\text {-}ow\text {-}pca}}_{\varPi ',B}(\lambda ) \le \dfrac{q_{\mathsf G}}{\ell }\cdot \delta ^\ell + \frac{2q_{\mathsf G}+1}{|{{{\mathcal {M}}}}|} + 3\ell \cdot \mathsf {Adv}^{\mathsf {pke\text {-}ind\text {-}cpa}}_{\varPi ,A}(\lambda ). \end{aligned}$$

We provide the proof which closely follows the proof of [41, Thm 3.2] in the full version. Note that we lose an additional factor of $\ell $. Additionally, when using the bounded $\delta $-correctness notion from Bindel. et al. [10], the factor of $q_{\mathsf G}$ disappears.

We now have an $\mathsf OW$-$\mathsf PCA$ secure PKE $\varPi '$ with negligible correctness error and can thus directly use $\mathsf U^{\not \bot }$ and by invoking Theorem 4 obtain an $\mathsf {IND}\text {-}\mathsf {CCA}$ secure KEM $\mathsf {KEM} $. Note that all steps in the reduction are tight. For the security in the QROM, we can directly conclude from Theorem 1 that the generic framework of Bindel et al. [9] can be applied to and with the additional constraint of $\varepsilon $-injectivity and $\mathsf {FFC} $, respectively. Without these additional constraints, the results of Jiang et al. [48] or Hövelmanns et al. [43]^{Footnote 1} apply without the tighter reductions that the Bindel et al.’s and Kuchta et al.’s results offer.

The security of the ${\mathsf T^\star }$ transform in the QROM follows in a similar vein. To highlight how $\ell $ influences the advantages, we follow the proof strategy of Bindel et al. [9]. Therefore, we first show that a randomized $\mathsf {IND}\text {-}\mathsf {CPA}$-secure PKE scheme with a non-negligible correctness error is transformed to $\mathsf {OW}\text {-}\mathsf {CPA}$-secure deterministic PKE scheme with negligible correctness error. Second, we prove that if the ${\mathsf T^\star }$-transformed version is also $\varepsilon $-injective, then it provides $\mathsf {FFC}$. With these two results in place, we can apply Theorem 6 to obtain an $\mathsf {IND}\text {-}\mathsf {CCA}$-secure KEM.

In the following theorem, we prove $\mathsf {OW}\text {-}\mathsf {CPA}$ security of the ${\mathsf T^\star }$ transform in the QROM (see the full version). We follow the strategy of the proof of [9, Thm. 1] and adapt it to our transform. Compared to the ${\mathsf T}$ transform, we lose a factor of $\ell ^2$. Once the loss is incurred by Theorem 1 and once by the semi-classical one-way to hiding Theorem [2].

Theorem 8

($\varPi ~\mathsf {IND}-\mathsf {CPA} \implies \varPi ' {\mathsf {O}}{\mathsf {W}}-\mathsf {CPA}$). Let $\varPi $ be a non-deterministic PKE with randomness space ${\mathcal {R}}$ and decryption error $\delta $. Let $\ell \in \mathbb {N} $ such that $\delta ^\ell $ is negligible in the security parameter $\lambda $. Let $\mathsf {G}:\mathcal {M} \times [\ell ] \rightarrow {\mathcal {R}}$ be a quantum-accessible random oracle and let $q_{\mathsf {G}}$ the number queries with depth at most d. If $A $ is an $\mathsf {OW}\text {-}\mathsf {CPA}$-adversary against ${\mathsf T^\star }[\varPi , \mathsf {G}, \ell ]$, then there exists an $\mathsf {IND}\text {-}\mathsf {CPA}$ adversary $B$ against $\varPi $, running in about same time as $A $, such that

$$ \mathsf {Adv}^{\mathsf {pke\text {-}ow\text {-}cpa}}_{{\mathsf T^\star }[\varPi , \mathsf {G}, \ell ],A}(\lambda ) \le (d + \ell + 1) \left( \ell \cdot \mathsf {Adv}^{\mathsf {pke\text {-}ind\text {-}cpa}}_{\varPi ,B}(\lambda ) + \frac{8(q_{\mathsf {G}}+1)}{|\mathcal {M} |}\right) \text {.} $$

We refer to the full version for the proof. Next, we show that the transform provides the $\mathsf {FFC}$ property (cf. [9, Lemma 6]).

Lemma 2

If $\varPi $ is a $\delta $-correct non-deterministic PKE with randomness space ${\mathcal {R}}$, $\ell \in \mathbb {N} $ such that $\delta ^\ell $ is negligible in the security parameter $\lambda $, $\mathsf {G}:\mathcal {M} \times [\ell ] \rightarrow {\mathcal {R}}$ is a random oracle so that $\varPi ' = {\mathsf T^\star }[\varPi ,\mathsf {G},\ell ]$ is $\varepsilon $-injective, then the advantage for any $\mathsf {FFC}$-adversary $A$ against $\varPi '$ which makes at most $q_{\mathsf {G}}$ queries at depth d to $\mathsf {G}$ and which returns a list of at most $q_L$ ciphertexts is bounded by

$$ \mathsf {Adv}^{\mathsf {pke\text {-}ffc}}_{\varPi ',A}(\lambda ) \le \left( (4d+1) \delta ^\ell + \sqrt{3 \varepsilon }\right) (q_{\mathsf {G}} + q_L) + \varepsilon \text {.} $$

For the proof we refer to the full version.

3.5 Comparison of the Two Approaches

The major difference between the generic approach using the direct product compiler $\mathsf {C_{{p,y}}}$, , and $\mathsf T^\star $ (or the modified deterministic direct product compiler $\mathsf {C_{{p,d}}}^\star $) is the number of ciphertexts required to reach a negligible correctness error. As observed in Sect. 3.2, the analysis of the overall decryption error is rather complicated and $\mathsf {C_{{p,y}}}$ requires at least $\ell \ge 3$. With $\mathsf T^\star /\mathsf {C_{{p,d}}}^\star $ however, the situation is simpler. As soon as one ciphertext decrypts correctly, the overall correctness of the decryption can be guaranteed. Also, for the cases analysed in Table 1, $\mathsf {C_{{p,y}}}$ requires at least one ciphertext more than $\mathsf T^\star $ and $\mathsf {C_{{p,d}}}^\star $. For the correctness error, we have a loss in the number of random oracle queries in both cases. For the comparison of the runtime and bandwidth overheads, we refer to Table 2. Note that if the $\mathsf {Dec}$ of the underlying PKE $\varPi $ reports decryption failures with $\bot $, then the overhead of $\mathsf T^\star $ for $\mathsf {Dec}$ is only a factor $\ell $ (cf. Remark 2).

Table 2. Comparison of the runtime and bandwidth overheads of $\mathsf {C_{p,y}}$, $\mathsf {{y}\in \{r,d\}}$, with $\ell $ ciphertexts and $\mathsf {T}^\star $ and $\mathsf {C_{p,d}^\star }$ with $\ell '$ ciphertexts such that $\ell \ge \ell ' + 1$.

Full size table

4 Our Transform in Practice

The most obvious use-case for $\mathsf {IND}\text {-}\mathsf {CCA}$ secure KEMs in practice is when considering static long-term keys. Systems supporting such a setting are for example RSA-based key exchange for SSH [39] or similarly in TLS up to version 1.2. But since the use of long-term keys precludes forward-secrecy guarantees, using static keys is not desirable. For ephemeral keys such as used in the ephemeral Diffie-Hellman key exchange, an $\mathsf {IND}\text {-}\mathsf {CPA}$ secure KEM might seem sufficient. Yet, in the post-quantum setting accidental re-use of an ephemeral key leads to a wide range of attacks [7]. But also from a theoretical viewpoint it is unclear whether CPA security actually would be enough. Security analysis of the TLS handshake protocol suggests that in the case of version 1.2 an only passively secure version is insufficient [45, 50] (cf. also [56]). Also, security analysis of the version 1.3 handshake requires $\mathsf {IND}\text {-}\mathsf {CCA}$ security [22]. Thus, even in the case of ephemeral key exchanges, using a $\mathsf {IND}\text {-}\mathsf {CCA}$ secure KEM is actually desirable and often even necessary as highlighted by Schwabe et al. [61].

For comparing KEMs in this context, the interesting metric is hence not the ciphertext size alone, but the combined public key and ciphertext size. Both parts influence the communication cost of the protocols. Additionally, the combined runtime of the key generation, encapsulation and decapsulation is also an interesting metric. All three operations are performed in a typical ephemeral key exchange and hence give a lower bound for the overall runtime of the protocol.

In the following comparison, we assume that the underlying PKE never returns $\bot $ on failure, but an incorrect message instead. Thereby we obtain an upper bound for the runtime of the $\mathsf {Decaps} $ algorithm. For specific cases where $\mathsf {Decaps} $ explicitly returns $\bot $ on failure, the runtime figures would get better since the overhead to check the ciphertexts is reduced to a factor of $\ell $ (cf. Remark 2).

4.1 Code-Based KEMs

KEMs based on error correcting codes can be parametrized such that the decoding failure rate (DFR) is non-negligible, negligible, or 0. Interestingly, the DFR rate is also influenced by the actual decoder. Even for the same choice of code and the exact same instance of the code, a decoder might have a non-negligible DFR, whereas another (usually more complex) decoder obtains a negligible DFR. For the submissions in the NIST PQC we can observe all three choices. The candidates providing $\mathsf {IND}\text {-}\mathsf {CPA}$-secure variants with non-negligible DFR include: BIKE [3], ROLLO [4], and LEDAcrypt [6]. We discuss the application of our transform to those schemes below. For the comparison in Table 3, we consider the DFR as upper bound for correctness error.

Table 3. Sizes (in bytes) and runtimes (in ms and millions of cycles for BIKE), where $\mathsf {O}$ denotes the transformed scheme. The LEDAcrypt instances with postfix NN refer to those with non-negligible DFR. Runtimes are taken from the respective submission documents and are only intra-scheme comparable.

Full size table

In Table 3, we present an overview of the comparison (see the full version for the full comparison). First we consider ROLLO, and in particular ROLLO-I, where we obtain the best results: public key and ciphertext size combined is always smaller than for ROLLO-II and the parallel implementation is faster even in case of a $\ell ^2$ overhead. For both BIKE (using $\mathsf {T}^\star $) and LEDAcrypt (using $\mathsf {C_{p,d}^\star }$ since it starts from a deterministic $\mathsf {PKE}$), we observe a trade-off between bandwidth and runtime.

4.2 Lattice-Based KEMs

For lattice-based primitives the decryption error depends both on the modulus q and the error distribution used. As discussed in [60], an important decision that designers have to make is whether to allow decryption failures or choose parameters that not only have a negligible, but a zero chance of failure. Having a perfectly correct encryption makes transforms to obtain $\mathsf {IND}\text {-}\mathsf {CCA}$ security and security proofs easier, but with the disadvantage that this means either decreasing security against attacks targeting the underlying lattice problem or decreasing performance. The only NIST PQC submissions based on lattices which provide parameter sets achieving both negligible and non-negligible decryption failure are ThreeBears [38] and Round5 [30]. The $\mathsf {IND}\text {-}\mathsf {CCA}$-secure version of ThreeBears is obtained by tweaking the error distribution, hence, our approach does not yield any improvements. For Round5 we achieve a trade-off between bandwidth and runtime. We also considered FrodoKEM [52], comparing its version [17] precedent to the NIST PQC, which only achieved non-negligible failure probability, to the ones in the second round of the above competition, but we do not observe any improvements for this scheme. For the full comparison we refer to the full version. It would be interesting to understand the reasons why the compiler does not perform well on lattice-based scheme compared to the code-based ones and whether this is due to the particular schemes analysed or due to some intrinsic difference between code- and lattice-based constructions.

4.3 Implementation Aspects

One of the strengths of ${\mathsf T}^\star $ compared to the black-box use of ${\mathsf {C_{{p,y}}}}$, (and ${\mathsf {C_{{{p,d}}}}}^\star $), is that besides the initial generation of the encapsulated key, all the random oracle calls can be evaluated independently. Therefore, the encryptions of the underlying PKE do not depend on each other. Thus, the encapsulation algorithms are easily parallelizable – both in software and hardware. The same applies to the decapsulation algorithm. While in this case only one successful run of the algorithm is required, doing all of them in parallel helps to obtain a constant-time implementation. Then, after all ciphertexts have been processed, the first valid one can be used to re-compute the ciphertexts, which can be done again in parallel. For software implementations on multi-core CPUs as seen on today’s desktops, servers, and smartphones with 4 or more cores, the overhead compared to the $\mathsf {IND}\text {-}\mathsf {CPA}$ secure version is thus insignificant as long as the error is below $2^{-32}$. If not implemented in a parallel fashion, providing a constant-time implementation of the decapsulation algorithms is more costly. In that case, all of the ciphertexts have to be dealt with to not leak the index of invalid ciphertexts. Note that a constant-time implementation of the transform is important to avoid key-recovery attacks [35].

The ${\mathsf T}^\star $ transform also avoids new attack vectors such as [37] that are introduced via different techniques to decrease the correctness error, e.g., by applying an error-correcting code on top. Furthermore, since the same parameter sets are used for the $\mathsf {IND}\text {-}\mathsf {CPA}$ and $\mathsf {IND}\text {-}\mathsf {CCA}$ secure version when applying our transforms, the implementations of proposals with different parameter sets can be simplified. Thus, more focus can be put on analysing one of the parameter sets and also on optimizing the implementation of one of them.

5 Application to Bloom Filter KEMs

A Bloom Filter Key Encapsulation Mechanism (BFKEM) [20, 21] is a specific type of a puncturable encryption scheme [21, 33, 34, 63] where one associates a Bloom Filter (BF) [13] to its public-secret key pair. The initial (i.e., non-punctured) secret key is associated to an empty BF where all bits are set to 0. Encapsulation, depending on an element s in the universe of the BF, takes the public key and returns a ciphertext and an encapsulation key $\textsf {k}$ corresponding to the evaluation of BF(s), i.e., k hash evaluations on s yielding indexes in the size m of the BF. Puncturing, on input a ciphertext $C $ (associated to s) and a secret key $\mathsf {sk}'$, punctures $\mathsf {sk}'$ on $C $ and returns the resulting secret key. Decapsulation, on input a ciphertext $C $ (with an associated tag s) and secret key $\mathsf {sk}'$ is able to decapsulate the ciphertext to $\textsf {k}$ if $\mathsf {sk}'$ was not punctured on $C $. We want to mention, as in [20], we solely focus on KEMs since a Bloom Filter Encryption (BFE) scheme (which encrypts a message from some message space) can be generically derived from a BFKEM (cf. [27]).

The basic instantiation of a BFKEM in [20, 21] is non-black box and based on the pairing-based Boneh-Franklin IBE (BF-IBE) scheme [16], where $\mathsf {sk}$ contains an IBE secret key for every identity $i\in [m]$ of the BF bits and puncturing amounts to inserting s in the BF and deleting the IBE secret keys for the corresponding bits. Although the BFKEM is defined with respect to a non-negligible correctness error, the underlying BF-IBE has perfect correctness. So the non-negligible error in the BFKEM is only introduced on an abstraction (at the level of the BF) above the FO transform applied to the k BF-IBE ciphertexts (so the application of the FO can be done as usual for perfectly correct encryption schemes).

However, if one targets instantiations of BFE where the underlying IBE does not have perfect correctness (e.g., lattice- or code-based IBEs), it is not obvious whether the security proof using the BF-IBE as presented in [20, 21] can easily be adapted to this setting.^{Footnote 2}

We first recall necessary definitions and then show a generic construction of BFKEM from any IBE scheme with (non-)negligible correctness error.

Due to space constraints, we present the definition of Bloom filters with its formal properties in the full version.

Bloom Filter Key Encapsulation Mechanism. We recap the Bloom Filter Key Encapsulation Mechanism (BFKEM) and its formal properties from [20] that tolerates a non-negligible correctness error and the key generation takes parameters m and k as input which specify this correctness error. A BFKEM $\mathsf {BFKEM}$ with key space $\mathcal {K} $ consists of the PPT algorithms $(\mathsf {KGen},\mathsf {Encaps},\mathsf {Punc},\mathsf {Decaps})$.

$\mathsf {KGen}(\lambda ,m,k):$:: Key generation, on input security parameter $\lambda $ and BF parameters m, k, outputs public and secret keys $({\mathsf {pk}},\mathsf {sk}_0)$.
$\mathsf {Encaps} ({\mathsf {pk}}):$:: Encapsulation, on input ${\mathsf {pk}}$, outputs a ciphertext $C $ and key k.
$\mathsf {Punc} (\mathsf {sk},C):$:: Secret-key puncturing, on input $\mathsf {sk}$ and $C $, outputs an updated secret key $\mathsf {sk}'$.
$\mathsf {Decaps} (\mathsf {sk},C):$:: Decapsulation, on input $\mathsf {sk}$ and $C $, outputs $\textsf {k}$ or $\{\bot \}$.

Definition 8 (Correctness)

For all $\lambda ,m,k,n\in {\mathbb {N}}$ and any $({\mathsf {pk}},\mathsf {sk}_0)\leftarrow \mathsf {KGen}(\lambda ,m,k)$, we require the following. For any (arbitrary interleaved) sequence of invocations of $ \mathsf {sk}_{j+1}\leftarrow \mathsf {Punc} (\mathsf {sk}_{j},C _{j}), $ where $j\in \{0,\ldots ,n\}$, and $(C _{j},\mathsf {k}_j)\leftarrow \mathsf {Encaps} ({\mathsf {pk}})$, it holds that

$$ \mathsf {Pr}\left[ \mathsf {Decaps} (\mathsf {sk}_{n+1},C ^*)\ne \mathsf {k}^* \right] \le \left( 1-e^{- \frac{(n+1/2)k}{m-1}}\right) ^k + \varepsilon (\lambda ), $$

where $(C ^*,\mathsf {k}^*)\leftarrow \mathsf {Encaps} ({\mathsf {pk}})$ and $\varepsilon (\cdot )$ is a negligible function in $\lambda $.

Definition 9 (Extended Correctness)

For all $\lambda ,m,k,n\in \mathbb {N}$ and $(\mathsf {pk},\mathsf {sk_0})\leftarrow \mathsf {KGen}(\lambda , m, k)$, we require that for any (arbitrary interleaved) sequence of invocations of $\mathsf {sk}_i\leftarrow \mathsf {Punc}(\mathsf {sk}_{i-1},C_{i-1})$, where $i\in [n]$ and $(C_{i-1},\mathsf {k}_{i-1})\leftarrow \mathsf {Encaps}(\mathsf {pk})$, it holds that:

(a)
Impossibility of false-negatives: $\mathsf {Decaps}(\mathsf {sk}_{n},C_{j-1})=\bot $, for all $j\in [n]$.
(b)
Correctness of the initial secret key: $\mathsf {Pr}\left[ \mathsf {Decaps}(\mathsf {sk}_0,C)\ne \mathsf {k}\right] \le \varepsilon (\lambda )$, for all $(C,\mathsf {k})\leftarrow \mathsf {Encaps}(\mathsf {pk})$ and $\varepsilon $ is a negligible function in $\lambda $.
(c)
Semi-correctness of punctured secret keys: if $\mathsf {Decaps}(\mathsf {sk}_{j},C)\ne \bot $ then
$$\mathsf {Pr}\left[ \mathsf {Decaps}(\mathsf {sk}_{j},C)\ne \mathsf {Decaps}(\mathsf {sk}_0,C)\right] \le \varepsilon (\lambda ),$$
for all $j\in [n]$, any C, and $\varepsilon $ is a negligible function in $\lambda $.

All probabilities are taken over the random coins of $\mathsf {KGen},\mathsf {Punc},$ and $\mathsf {Encaps}$.

All probabilities are taken over the random coins of $\mathsf {KGen}$, $\mathsf {Punc} $, and $\mathsf {Encaps} $. We recall additional properties (i.e., separable randomness, publicly-checkable puncturing, and $\gamma $-spreadness) and formal definitions of BFKEM-IND-CPA and BFKEM-IND-CCA security in the full version.

5.1 IBE with Negligible from Non-Negligible Correctness Error

We follow the approach for randomized PKE schemes in Sect. 3.2 adapted for the IBE case (cf. Fig. 11).^{Footnote 3} Let $\mathsf {IBE} =(\mathsf {KGen},\mathsf {Ext},\mathsf {Enc},\mathsf {Dec})$ be an IBE scheme with identity, message spaces, and randomness spaces $\mathcal {ID} $, $\mathcal {M} $, and ${{{\mathcal {R}}}}$, respectively, with non-negligible correctness error $\delta (\lambda )$, we construct an IBE scheme $\mathsf {IBE} '=(\mathsf {KGen}',\mathsf {Ext} ',\mathsf {Enc}',\mathsf {Dec}')$ with identity and message spaces $\mathcal {ID} ':=\mathcal {ID} $ and $\mathcal {M} ':=\mathcal {M} $, respectively, with negligible correctness error $\delta '(\lambda )$. The construction is as follows. Set $\mathsf {KGen}':=\mathsf {KGen}$ and $\mathsf {Ext} ':=\mathsf {Ext} $ while $\mathsf {Enc}'$ and $\mathsf {Dec}'$ are given in Fig. 11. See that $\ell =\ell (\lambda )$ can be chosen appropriately to accommodate a negligible correctness error $\delta '(\lambda )$.

As for randomized PKE schemes, by an analogue of Theorem 1 for IBEs with $q=\ell $ and $n=1$, the security claim follows.

Corollary 2

For any IBE-sIND-CPA adversary B against $\mathsf {IBE} '$ obtained via applying the above transformation to $\mathsf {IBE} $, there exists an IBE-sIND-CPA adversary A such that:

$$\begin{aligned} \mathsf {Adv}^{\mathsf {ibe\text {-}sind\text {-}cpa}}_{\mathsf {IBE} ',B}(\lambda ) \le \ell \cdot \mathsf {Adv}^{\mathsf {ibe\text {-}sind\text {-}cpa}}_{\mathsf {IBE},A}(\lambda ). \end{aligned}$$

The correctness error analysis is again equivalent to the one in the PKE scenario. We refer to Sect. 3.2 for a more in depth discussion.

5.2 BFKEM from IBE with Negligible Correctness Error

The intuition for our generic construction from any IBE with negligible correctness error is as follows. We associate “user-secret keys” of $\mathsf {IBE}$ with the indexes $i\in [m]$ of the Bloom filter $\mathsf {BF}$ and annotate $\mathsf {sk}'_0$ as a special key for “fixed identity” 0. We consider the encapsulation key as $\textsf {k}_0\oplus \textsf {k}_1$ where one share is encrypted under “identity” 0 (yielding $C _0$) while the other share is encrypted under the “identities” $(i_j)_{j}$ of indexes of the BF that are determined by $C _0$. Put differently, $C _0$ acts as a tag of the overall ciphertext while the other $\mathsf {IBE}$-ciphertexts $(C _{i_j})_{j}$ are utilized for correct decryption. The secret key is punctured on “tag” $C _0$. Note that the secret key $\mathsf {sk}'_0$ is not affected by the puncturing mechanism and one can always at least decrypt $C _0$. However, one additionally needs the encapsulation-key share from the other ciphertexts $(C _{i_j})_{j}$; those ciphertexts can only be decrypted if at least one secret key $\mathsf {sk}'_{i^*}$ is available which can be checked with $\mathsf {BFCheck}$.

Let $\mathsf {IBE} =(\mathsf {IBE}.\mathsf {KGen},\mathsf {IBE}.\mathsf {Ext},\mathsf {IBE}.\mathsf {Enc},\mathsf {IBE}.\mathsf {Dec})$ be an IBE-sIND-CPA-secure IBE scheme with identity and message spaces $\mathcal {ID} =[m]\cup \{0\}$ and $\mathcal {M} =\{0,1\}^\lambda $, respectively, with negligible correctness error $\delta =\delta (\lambda )$, and $\mathsf {BF} =(\mathsf {BFGen},\mathsf {BFUpdate},\mathsf {BFCheck})$ a BF with universe ${\mathcal {U}}$, we construct a BFKEM-IND-CPA-secure BFKEM scheme $\mathsf {BFKEM} =(\mathsf {KGen},\mathsf {Encaps},\mathsf {Punc},\mathsf {Decaps})$ with key space $\mathcal {K}:=\mathcal {M} =\{0,1\}^\lambda $ as a stepping stone towards a BFKEM-IND-CCA-secure BFKEM as follows.

$\mathsf {KGen}(\lambda ,m,k)$::

on input security parameter $\lambda $ and BF parameters m, k, compute $(mpk,msk)\leftarrow \mathsf {IBE}.\mathsf {KGen}(\lambda )$, $\mathsf {sk}'_ id \leftarrow \mathsf {IBE}.\mathsf {Ext} (msk, id )$, for all $ id \in [m]\cup \{0\}$, and $(H,T_0) \leftarrow \mathsf {BFGen}(m,k)$. Return ${\mathsf {pk}}:=(mpk,H)$ and $\mathsf {sk}:=(T_0,(\mathsf {sk}'_ id )_{ id })$ (we assume that ${\mathsf {pk}}$ is available to $\mathsf {Punc} $ and $\mathsf {Decaps}$ implicitly).

$\mathsf {Encaps} ({\mathsf {pk}})$::

on input $(mpk,H):={\mathsf {pk}}$, sample $\textsf {k}_0,\textsf {k}_1\leftarrow _{\$}\mathcal {K} $ and compute $C _0\leftarrow \mathsf {Enc}(mpk,0,\textsf {k}_0)$. For $ id _j:=H_j(C _0)$ with $(H_j)_j:=H$ and all $j\in [k]$, compute $C _{ id _j}\leftarrow \mathsf {Enc}(mpk, id _j,\textsf {k}_1)$ and output

$$ ((C _0,(C _{ id _j})_{j}),\textsf {k}_0\oplus \textsf {k}_1). $$

$\mathsf {Punc} (\mathsf {sk},C)$::

on input $(T,\mathsf {sk}'_0,(\mathsf {sk}'_ id )_{ id \in [m]}):=\mathsf {sk}$ and $(C _0,\ldots ):=C $, compute $T':=\mathsf {BFUpdate}(H,T,C _0)$ and set

$$\begin{aligned} \mathsf {sk}''_ id := {\left\{ \begin{array}{ll} \mathsf {sk}'_ id &{}\text {if } T'[ id ]=0,\\ \bot &{}\text {if } T'[ id ]=1, \end{array}\right. } \end{aligned}$$

for $T'[ id ]$ the $ id $-th bit of $T'$. Return $(T',\mathsf {sk}'_0,(\mathsf {sk}''_ id )_{ id \in [m]})$.

$\mathsf {Decaps} (\mathsf {sk},C)$::

on input $(T,(\mathsf {sk}'_ id )_{ id \in [m]\cup \{0\}}):=\mathsf {sk}$ and $(C _0,(C _{ id _j})_{j\in [k]}):=C $, output $\bot $ if $\mathsf {BFCheck}(H,T,C _0)=1$. Otherwise, there exists a smallest $ id ^*\in [m]$ such that $\mathsf {sk}'_{ id ^*}\ne \bot $, compute $\textsf {k}_0:=\mathsf {Dec}(\mathsf {sk}'_0,C _0)$ and $\textsf {k}_1:=\mathsf {Dec}(\mathsf {sk}'_{ id ^*},C _{ id ^*})$, and output $\textsf {k}_0\oplus \textsf {k}_1$.

We prove the correctness (Definition 8), extended correctness (Definition 9), separable randomness, publicly-checkable puncturing, and $\gamma $-spreadness properties of $\mathsf {BFKEM}$ in the full version.

BFKEM-IND-CPA Security of $\mathsf {BFKEM} $ . We start by showing the BFKEM-IND-CPA security of $\mathsf {BFKEM} =(\mathsf {KGen},\mathsf {Encaps},\mathsf {Punc},\mathsf {Decaps})$.

Theorem 9

If $\mathsf {IBE}$ is IBE-sIND-CPA-secure, then $\mathsf {BFKEM} $ is BFKEM-IND-CPA-secure. Concretely, for any PPT adversary $A$ there is a distinguisher $D $ for the IBE-sIND-CPA security experiment such that

$$\begin{aligned} \mathsf {Adv}^{\mathsf {bfkem\text {-}ind\text {-}cpa}}_{\mathsf {BFKEM},A}(\lambda ,m,k)\le k\cdot m\cdot \mathsf {Adv}^{\mathsf {ibe\text {-}sind\text {-}cpa}}_{\mathsf {IBE},D}(\lambda ). \end{aligned}$$

(1)

Proof

We show the BFKEM-IND-CPA-security of $\mathsf {BFKEM} $ for any valid PPT adversary $A$ in series of games where:

Game 0.:: Game 0 is the BFKEM-IND-CPA-experiment.
Game i.:: Game i is defined as Game $i-1$ except that the i-th challenge-ciphertext element $C _{ id _i}$ in $C ^*$ is independent of the challenge bit, for $i\in [k]$.
Game $k+1$.:: Game $k+1$ is defined as Game k except that the encapsulation key in the challenge ciphertext is independent of $b'$.

We denote the event of the adversary winning Game i as $S_i$. In Game $k+1$, $A$ has no advantage (i.e., success probability of $\mathsf {Pr}[S_{k+1}]=1/2$) in the sense of BFKEM-IND-CPA. We argue in hybrids that the Games $i\in [k+1]$ are computationally indistinguishable from Game 0.

Hybrids Between Games 0 and $k+1$. Each hybrid between Games $i-1$ and i, $i\in [k]$, is constructed as follows: on input m and k, $D$ samples $(H,T_0)\leftarrow \mathsf {BFGen}(m,k)$, for $H=:(H_j)_{j\in [k]}$ and sets $T_0=0^m$. Next, $D$ samples $ id ^*\leftarrow _{\$}[m]$ and sends $ id ^*$ to its IBE-sIND-CPA-challenger. $D$ retrieves $mpk $ in return and sets ${\mathsf {pk}}:=(mpk,H)$.

Furthermore, for all $ id \in ([m]\cup \{0\})\setminus \{ id ^*\}$, $D$ retrieves $\mathsf {sk}_0:=( usk _ id )_{ id }$ from its $\mathsf {Ext}$-oracle. (Note that $D$ does not have a secret key for $ id ^*$ and $A $ has to query the challenge ciphertext to the $\mathsf {Punc} '$-oracle in order to receive secret keys via the $\mathsf {Cor} $-oracle, which results in “deleting” the secret key for $ id ^*$ if there were any. Particularly, all $\mathsf {Cor}$-queries can be answered correctly.)

Furthermore, $D$ sends $\textsf {k}^{(0)}_1,\textsf {k}^{(1)}_1\leftarrow _{\$}\mathcal {M} =\{0,1\}^\lambda $ to its IBE-sIND-CPA-challenger and retrieves $C ^*_{ id ^*}\leftarrow \mathsf {Enc}(mpk, id ^*,\textsf {k}^{(b)})$, for some $b\leftarrow _{\$}\{0,1\}$.

$D$ samples $b'\leftarrow _{\$}\{0,1\}$, computes $C _0\leftarrow \mathsf {Enc}(mpk,0,\textsf {k}_{0})$, for $\textsf {k}_{0}\leftarrow \mathcal {M} $, and sets $( id _j)_j:=(H_j(C _0))_{j\in [k]}$. If $ id _i\ne id ^*$, abort. (See that this happens with probability $(m-1)/m$.) Otherwise, $D$ computes $C _{ id _j}\leftarrow \mathsf {Enc}(mpk, id _j,\textsf {k}^{(b')}_1)$, for all $( id _j)_{j\in [k]\setminus [i]}$, and $C _{ id _j}\leftarrow \mathsf {Enc}(mpk, id _j,\textsf {k}'_1)$, for all $( id _j)_{j\in [i-1]}$, for $\textsf {k}'_1\leftarrow _{\$}\mathcal {M} $.

$D$ sets $C _{ id _i}:=C ^*_{ id ^*}$ and sends $({\mathsf {pk}},C ^*:=(C _0,(C _{ id _j})_{j}),\textsf {k}^{(b')})$ to $A$, for $\textsf {k}^{(b')}:=\textsf {k}^{(b')}_1\oplus \textsf {k}_0$.

$A$ has access to a $\mathsf {Punc} '(C)$-oracle which runs $\mathsf {sk}_{i+1}\leftarrow \mathsf {Punc} (\mathsf {sk}_i,C)$ for each invocation $i=0,1,\dots ,q$ and sets ${\mathcal {L}}:={\mathcal {L}}\cup \{C \}$ for initially empty set ${\mathcal {L}}$. The $\mathsf {Cor}$-oracle returns $\mathsf {sk}_{i+1}$ iff $C ^*\in {\mathcal {L}}$. Eventually, $A$ outputs a guess $b^*$ which $D$ forwards as $b^*\oplus b'$ to its IBE-sIND-CPA-challenger.

In the hybrid between Games k and $k+1$: proceed as in Game k, but send $({\mathsf {pk}},C ^*:=(C _0,(C _{ id _j})_{j}),\textsf {k}')$, for uniform $\textsf {k}'\leftarrow \mathcal {M} $ to $A$.

Analysis. In the hybrids between the Games $j-1$ and j, for $j\in [k]$, we have that if $b'=b=0$ or $b'=b=1$, then the distribution of the challenge ciphertext is correct and a successful $A $ should output $b^*=0$ where $D$ forwards $b^*\oplus b'=b$ as guess to its challenger which yields a successful IBE-sIND-CPA distinguisher $D$. If $b'\ne b$, then $A $ is used to distinguish the j-th challenge-ciphertext component, i.e., a successful $A$ should output $b^*=1$ where $D$ forwards $b^*\oplus b'=b$ as guess to its challenger which, again, yields a successful IBE-sIND-CPA distinguisher $D$. In the hybrid between the Games k and $k+1$, the change is information-theoretic, i.e., the challenge ciphertext encapsulates uniformly random key-elements (independent of $b'$) and the encapsulation key is sampled uniformly at random which yields $\mathsf {Pr}[S_{k+1}]=1/2$. In each hybrid, we have that $\mathsf {Pr}[ id _i= id ^*]=1/m$. Putting things together, for $k+1$ hybrids, Eq. (1) holds. $\square $

BFKEM-IND-CCA Security of $\mathsf {BFKEM} '$ . We construct a slight variant of our $\mathsf {BFKEM}$ scheme above, dubbed $\mathsf {BFKEM} '$, via the FO transform [27] along the lines of [21]. We want to mention that the FO transform does not work generically for any BFKEM and no generic framework as in the case of KEMs exists. Hence, we consider the direct product compiler in Sect. 5.1 and, in the vein of [21], to prove BFKEM-IND-CCA security of our BFKEM, we introduce further properties (i.e., separable randomness, publicly-checkable puncturing, and $\gamma $-spreadness) . Furthermore, [21] requires perfect correctness for unpunctured keys which our BFKEM definition cannot guarantee. Hence, we have to reprove the BFKEM-IND-CCA-security for $\mathsf {BFKEM} '$, although the proof techniques are almost the same as presented in [21]. We construct a BFKEM-IND-CCA-secure BFKEM as follows. Let $\mathsf {BFKEM} =(\mathsf {KGen},\mathsf {Encaps},\mathsf {Punc},\mathsf {Decaps})$ be a randomness-separable BFKEM-IND-CPA-secure BFKEM scheme with key space $\mathcal {K} =\{0,1\}^\lambda $ and correctness error $\delta =\delta (\lambda )$, we construct a BFKEM-IND-CCA-secure BFKEM scheme $\mathsf {BFKEM} '=(\mathsf {KGen}',\mathsf {Encaps} ',\mathsf {Punc} ',\mathsf {Decaps} ')$ with key space $\mathcal {K} '=\mathcal {K} $ using a variant of the FO transform as follows. Let ${\mathsf G}:\mathcal {K} '\rightarrow \{0,1\}^{\rho +\lambda }$ be a hash function modeled as random oracle (RO) in the security proof.

$\mathsf {KGen}'(\lambda ,m,k)$::: same as $\mathsf {KGen}(\lambda ,m,k)$.
$\mathsf {Encaps} '({\mathsf {pk}})$::: on input ${\mathsf {pk}}$, sample $\textsf {k}'\leftarrow _{\$}\mathcal {K} '$, compute $(r,\textsf {k}):={\mathsf G}(\textsf {k}')\in \{0,1\}^{\rho +\lambda }$ and $(C,\textsf {k}')\leftarrow \mathsf {Encaps} ({\mathsf {pk}};(r,\textsf {k}'))$, and return $(C,\textsf {k})$. $\mathsf {Punc} '(\mathsf {sk},C)$: same as $\mathsf {Punc} (\mathsf {sk},C)$.
$\mathsf {Decaps} '(\mathsf {sk},C)$::: on input secret key $\mathsf {sk}$ and ciphertext $C $, compute $\textsf {k}'\leftarrow \mathsf {Decaps} (\mathsf {sk},C)$ and return $\bot $ if $\textsf {k}'=\bot $. Otherwise, compute $(r,\textsf {k}):={\mathsf G}(\textsf {k}')$ and return $\textsf {k}$ if $(C,\textsf {k}')=\mathsf {Encaps} ({\mathsf {pk}};(r,\textsf {k}'))$, else output $\bot $.

We prove the correctness (Definition 8), extended correctness (Definition 9), separable randomness, publicly-checkable puncturing, and $\gamma $-spreadness properties of $\mathsf {BFKEM} '$ in the full version.

Theorem 10

If a BFKEM $\mathsf {BFKEM} $ is BFKEM-IND-CPA-secure with the separable randomness, publicly-checkable puncturing, and $\gamma $-spreadness properties, and negligible correctness error probability $\delta =\delta (\lambda )$, then $\mathsf {BFKEM} '$ is BFKEM-IND-CCA-secure. Concretely, for any PPT adversary $A$ making at most $q_{\mathsf G}=q_{\mathsf G}(\lambda )$ queries to the random oracle ${\mathsf G}$ there is a distinguisher $D $ in the BFKEM-IND-CPA-security experiment such that

$$\begin{aligned} \mathsf {Adv}^{\mathsf {bfkem\text {-}ind\text {-}cca}}_{\mathsf {BFKEM} ',A}(\lambda ,m,k)\le \mathsf {Adv}^{\mathsf {bfkem\text {-}ind\text {-}cpa}}_{\mathsf {BFKEM},D}(\lambda ,m,k)+2\delta +\frac{q_{\mathsf G}}{2^\gamma }. \end{aligned}$$

(2)

Due to space constraints, we show the proof in the full version.

5.3 Comparison of BFKEM Instantiations

To instantiate $\mathsf {BFKEM} '$ from post-quantum IBE schemes, we investigating instantiations based on a selectively IND-CPA secure lattice-based or code-based IBEs. As far as lattices are concerned, the first such construction was [31] after which numerous others followed [1, 19, 24, 64]. To compute the dimension of a lattice-based BFKEM, we start from the GVP-IBE instantiation of [24], for which an implementation and concrete dimensions were given for 80 and 192-bit quantum security. We set the parameter of the BFKEM as in [21], i.e., targeting the maximum number of allowed punctures to $n=2^{20}$, which amounts to adding $2^{12}$ elements per day to the BF for a year, and allowing for a false-positive probability of $10^{-3}$, we obtain $m = 1.5 \cdot 10^7$ and $k=10$. A similar procedure can be applied to the code-based IBE of Gaborit et al. (GHPT) [29] achieving 128-bit quantum security. We note though that with recent advances in the cryptanalysis, these instances may provide less security. Table 4 provides an overview including the pairing-based BFKEM from [21]. For the latter, we assume the use of the pairing-friendly BLS12-381 curve with 120-bit classical security.

Table 4. Sizes of BFKEM when instantiated with GVP or GHPT.

Full size table

Notes

1.
Without restating [43, Thm 3.2], note that we can adopt it the same way we highlight in Theorems 7 and 8. So, we start with their $\mathsf {Punc}$ to obtain disjoint simutability and then apply $\mathsf T^\star $ and $\mathsf U^{\not \bot }_m$.
2.
Note that we want the size of the BFKEM public key to be independent of the BF parameters for practical reasons (besides the descriptions of the hash functions). Right now, we only can guarantee this with IBE schemes as such schemes allow for exponentially many secret keys with a short master public key and, hence, we consider IBE schemes as a main building block of our BFKEM constructions.
3.
We explicitly mention that we are only concerned with randomized IBEs. Adopting $\mathsf {C_{p,d}}$ for deterministic IBEs will work as well. Though in the latter case, one can further optimize the compiler depending on whether the IBE has deterministic or randomized key extraction $\mathsf {Ext} $.

References

Agrawal, S., Boneh, D., Boyen, X.: Efficient lattice (H)IBE in the standard model. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 553–572. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_28
Chapter MATH Google Scholar
Ambainis, A., Hamburg, M., Unruh, D.: Quantum security proofs using semi-classical oracles. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11693, pp. 269–295. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26951-7_10
Chapter Google Scholar
Aragon, N., et al.: BIKE. Technical report, National Institute of Standards and Technology (2019)
Google Scholar
Aragon, N., et al.: ROLLO. Technical report, National Institute of Standards and Technology (2019)
Google Scholar
Aviram, N., et al.: DROWN: Breaking TLS using SSLv2. In: USENIX Security (2016)
Google Scholar
Baldi, M., Barenghi, A., Chiaraluce, F., Pelosi, G., Santini, P.: LEDAcrypt. Technical report, National Institute of Standards and Technology (2019)
Google Scholar
Bauer, A., Gilbert, H., Renault, G., Rossi, M.: Assessment of the key-reuse resilience of NewHope. In: Matsui, M. (ed.) CT-RSA 2019. LNCS, vol. 11405, pp. 272–292. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-12612-4_14
Chapter Google Scholar
Bellare, M., Boldyreva, A., Micali, S.: Public-key encryption in a multi-user setting: security proofs and improvements. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 259–274. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-45539-6_18
Chapter MATH Google Scholar
Bindel, N., Hamburg, M., Hövelmanns, K., Hülsing, A., Persichetti, E.: Tighter proofs of CCA security in the quantum random oracle model. In: Hofheinz, D., Rosen, A. (eds.) TCC 2019, Part II. LNCS, vol. 11892, pp. 61–90. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-36033-7_3
Chapter MATH Google Scholar
Bindel, N., Schanck, J.M.: Decryption failure is more likely after success. In: Ding, J., Tillich, J.-P. (eds.) PQCrypto 2020. LNCS, vol. 12100, pp. 206–225. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-44223-1_12
Chapter Google Scholar
Bitansky, N., Vaikuntanathan, V.: A note on perfect correctness by derandomization. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017, Part II. LNCS, vol. 10211, pp. 592–606. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56614-6_20
Chapter Google Scholar
Bleichenbacher, D.: Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS #1. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 1–12. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0055716
Chapter Google Scholar
Bloom, B.H.: Space/time trade-offs in hash coding with allowable errors. Commun. ACM 13, 422–426 (1970)
Article Google Scholar
Böck, H., Somorovsky, J., Young, C.: Return of bleichenbacher’s oracle threat (ROBOT). In: USENIX Security 2018 (2018)
Google Scholar
Boneh, D., Dagdelen, Ö., Fischlin, M., Lehmann, A., Schaffner, C., Zhandry, M.: Random oracles in a quantum world. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 41–69. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_3
Chapter MATH Google Scholar
Boneh, D., Franklin, M.: Identity-based encryption from the Weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_13
Chapter Google Scholar
Bos, J.W., et al.: Frodo: take off the ring! Practical, quantum-secure key exchange from LWE. In: ACM CCS (2016)
Google Scholar
Canetti, R., Halevi, S., Katz, J.: Chosen-ciphertext security from identity-based encryption. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 207–222. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_13
Chapter Google Scholar
Cash, D., Hofheinz, D., Kiltz, E., Peikert, C.: Bonsai trees, or how to delegate a lattice basis. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 523–552. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_27
Chapter Google Scholar
Derler, D., Gellert, K., Jager, T., Slamanig, D., Striecks, C.: Bloom filter encryption and applications to efficient forward-secret 0-RTT key exchange. IACR Cryptol. ePrint Arch. (To appear in Journal of Cryptology)
Google Scholar
Derler, D., Jager, T., Slamanig, D., Striecks, C.: Bloom filter encryption and applications to efficient forward-secret 0-RTT key exchange. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018, Part III. LNCS, vol. 10822, pp. 425–455. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78372-7_14
Chapter Google Scholar
Dowling, B., Fischlin, M., Günther, F., Stebila, D.: A cryptographic analysis of the TLS 1.3 handshake protocol candidates. In: ACM CCS (2015)
Google Scholar
Drucker, N., Gueron, S., Kostic, D., Persichetti, E.: On the applicability of the Fujisaki-Okamoto transformation to the BIKE KEM. IACR ePrint 2020/510 (2020)
Google Scholar
Ducas, L., Lyubashevsky, V., Prest, T.: Efficient identity-based encryption over NTRU lattices. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014, Part II. LNCS, vol. 8874, pp. 22–41. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45608-8_2
Chapter Google Scholar
Dwork, C., Naor, M., Reingold, O.: Immunizing encryption schemes from decryption errors. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 342–360. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_21
Chapter Google Scholar
Fabšič, T., Hromada, V., Stankovski, P., Zajac, P., Guo, Q., Johansson, T.: A reaction attack on the QC-LDPC McEliece cryptosystem. In: Lange, T., Takagi, T. (eds.) PQCrypto 2017. LNCS, vol. 10346, pp. 51–68. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-59879-6_4
Chapter Google Scholar
Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 537–554. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_34
Chapter Google Scholar
Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. J. Cryptol. 26(1), 80–101 (2013). https://doi.org/10.1007/s00145-011-9114-1
Article MathSciNet MATH Google Scholar
Gaborit, P., Hauteville, A., Phan, D.H., Tillich, J.-P.: Identity-based encryption from codes with rank metric. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017, Part III. LNCS, vol. 10403, pp. 194–224. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63697-9_7
Chapter Google Scholar
Garcia-Morchon, O., et al.: Round5. Technical report, National Institute of Standards and Technology (2019)
Google Scholar
Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: 40th ACM STOC (2008)
Google Scholar
Goldreich, O., Goldwasser, S., Halevi, S.: Eliminating decryption errors in the Ajtai-Dwork cryptosystem. In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 105–111. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052230
Chapter MATH Google Scholar
Green, M.D., Miers, I.: Forward secure asynchronous messaging from puncturable encryption. In: 2015 IEEE Symposium on Security and Privacy (2015)
Google Scholar
Günther, F., Hale, B., Jager, T., Lauer, S.: 0-RTT key exchange with full forward secrecy. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017, Part III. LNCS, vol. 10212, pp. 519–548. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56617-7_18
Chapter Google Scholar
Guo, Q., Johansson, T., Nilsson, A.: A key-recovery timing attack on post-quantum primitives using the fujisaki-okamoto transformation and its application on FrodoKEM. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020, Part II. LNCS, vol. 12171, pp. 359–386. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56880-1_13
Chapter Google Scholar
Guo, Q., Johansson, T., Stankovski, P.: A key recovery attack on MDPC with CCA security using decoding errors. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016, Part I. LNCS, vol. 10031, pp. 789–815. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_29
Chapter Google Scholar
Guo, Q., Johansson, T., Yang, J.: A novel CCA attack using decryption errors against LAC. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019, Part I. LNCS, vol. 11921, pp. 82–111. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34578-5_4
Chapter Google Scholar
Hamburg, M.: Three bears. Technical report, National Institute of Standards and Technology (2019)
Google Scholar
Harris, B.: RSA key exchange for the secure shell (SSH) transport layer protocol. RFC (2006)
Google Scholar
Hofheinz, D., Hövelmanns, K., Kiltz, E.: A modular analysis of the Fujisaki-Okamoto transformation. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017. LNCS, vol. 10677, pp. 341–371. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70500-2_12
Chapter MATH Google Scholar
Hofheinz, D., Hövelmanns, K., Kiltz, E.: A modular analysis of the Fujisaki-Okamoto transformation. Cryptology ePrint Archive, Report 2017/604
Google Scholar
Hohenberger, S., Koppula, V., Waters, B.: Chosen ciphertext security from injective trapdoor functions. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12170, pp. 836–866. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56784-2_28
Chapter Google Scholar
Hövelmanns, K., Kiltz, E., Schäge, S., Unruh, D.: Generic authenticated key exchange in the quantum random oracle model. In: Kiayias, A., Kohlweiss, M., Wallden, P., Zikas, V. (eds.) PKC 2020. LNCS, vol. 12111, pp. 389–422. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45388-6_14
Chapter Google Scholar
Howgrave-Graham, N., et al.: The impact of decryption failures on the security of NTRU encryption. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 226–246. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_14
Chapter Google Scholar
Jager, T., Kohlar, F., Schäge, S., Schwenk, J.: On the security of TLS-DHE in the standard model. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 273–293. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_17
Chapter MATH Google Scholar
Jager, T., Schinzel, S., Somorovsky, J.: Bleichenbacher’s attack strikes again: breaking PKCS#1 v1.5 in XML encryption. In: Foresti, S., Yung, M., Martinelli, F. (eds.) ESORICS 2012. LNCS, vol. 7459, pp. 752–769. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-33167-1_43
Chapter Google Scholar
Jiang, H., Zhang, Z., Chen, L., Wang, H., Ma, Z.: IND-CCA-secure key encapsulation mechanism in the quantum random oracle model, revisited. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10993, pp. 96–125. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96878-0_4
Chapter Google Scholar
Jiang, H., Zhang, Z., Ma, Z.: Tighter security proofs for generic key encapsulation mechanism in the quantum random oracle model. In: Ding, J., Steinwandt, R. (eds.) PQCrypto 2019. LNCS, vol. 11505, pp. 227–248. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-25510-7_13
Chapter Google Scholar
Koppula, V., Waters, B.: Realizing chosen ciphertext security generically in attribute-based encryption and predicate encryption. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11693, pp. 671–700. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26951-7_23
Chapter MATH Google Scholar
Krawczyk, H., Paterson, K.G., Wee, H.: On the security of the TLS protocol: a systematic analysis. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 429–448. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_24
Chapter Google Scholar
Kuchta, V., Sakzad, A., Stehlé, D., Steinfeld, R., Sun, S.-F.: Measure-rewind-measure: tighter quantum random oracle model proofs for one-way to hiding and CCA security. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12107, pp. 703–728. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45727-3_24
Chapter Google Scholar
Naehrig, M., et al.: FrodoKEM. Technical report, National Institute of Standards and Technology (2019)
Google Scholar
Naor, M.: Bit commitment using pseudo-randomness. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 128–136. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_13
Chapter Google Scholar
Naor, M., Yung, M.: Public-key cryptosystems provably secure against chosen ciphertext attacks. In: 22nd ACM STOC (1990)
Google Scholar
Nisan, N., Wigderson, A.: Hardness vs randomness. J. Comput. Syst. Sci 49, 149–167 (1994)
Article MathSciNet Google Scholar
Paquin, C., Stebila, D., Tamvada, G.: Benchmarking post-quantum cryptography in TLS. In: Ding, J., Tillich, J.-P. (eds.) PQCrypto 2020. LNCS, vol. 12100, pp. 72–91. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-44223-1_5
Chapter Google Scholar
Ronen, E., Gillham, R., Genkin, D., Shamir, A., Wong, D., Yarom, Y.: The 9 lives of bleichenbacher’s CAT: new cache ATtacks on TLS implementations. In: 2019 IEEE Symposium on Security and Privacy (2019)
Google Scholar
Saito, T., Xagawa, K., Yamakawa, T.: Tightly-secure key-encapsulation mechanism in the quantum random oracle model. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10822, pp. 520–551. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78372-7_17
Chapter MATH Google Scholar
Samardjiska, S., Santini, P., Persichetti, E., Banegas, G.: A reaction attack against cryptosystems based on LRPC codes. In: Schwabe, P., Thériault, N. (eds.) LATINCRYPT 2019. LNCS, vol. 11774, pp. 197–216. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-30530-7_10
Chapter Google Scholar
Schwabe, P., et al.: CRYSTALS-KYBER. Technical report, National Institute of Standards and Technology (2019)
Google Scholar
Schwabe, P., Stebila, D., Wiggers, T.: Post-quantum TLS without handshake signatures. Cryptology ePrint Archive, Report 2020/534
Google Scholar
Sendrier, N., Vasseur, V.: On the decoding failure rate of QC-MDPC bit-flipping decoders. In: Ding, J., Steinwandt, R. (eds.) PQCrypto 2019. LNCS, vol. 11505, pp. 404–416. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-25510-7_22
Chapter Google Scholar
Sun, S.-F., Sakzad, A., Steinfeld, R., Liu, J.K., Gu, D.: Public-key puncturable encryption: modular and compact constructions. In: Kiayias, A., Kohlweiss, M., Wallden, P., Zikas, V. (eds.) PKC 2020. LNCS, vol. 12110, pp. 309–338. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45374-9_11
Chapter Google Scholar
Zhang, J., Chen, Yu., Zhang, Z.: Programmable hash functions from lattices: short signatures and IBEs with small key sizes. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9816, pp. 303–332. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53015-3_11
Chapter Google Scholar

Download references

Acknowledgements

We would like to thank the anonymous reviewers for their helpful comments. This project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement n$^{\circ }$783119 (SECREDAS), n$^{\circ }$826610 (COMP4DRONES), n$^{\circ }$871473 (KRAKEN) and by the Austrian Science Fund (FWF) and netidee SCIENCE grant P31621-N38 (PROFET).

Author information

Authors and Affiliations

AIT Austrian Institute of Technology, Vienna, Austria
Valerio Cini, Sebastian Ramacher, Daniel Slamanig & Christoph Striecks

Authors

Valerio Cini
View author publications
You can also search for this author in PubMed Google Scholar
Sebastian Ramacher
View author publications
You can also search for this author in PubMed Google Scholar
Daniel Slamanig
View author publications
You can also search for this author in PubMed Google Scholar
Christoph Striecks
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Valerio Cini .

Editor information

Editors and Affiliations

Network Security Research Institute (NICT), Tokyo, Japan
Shiho Moriai
Nanyang Technological University, Singapore, Singapore
Huaxiong Wang

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Cini, V., Ramacher, S., Slamanig, D., Striecks, C. (2020). CCA-Secure (Puncturable) KEMs from Encryption with Non-Negligible Decryption Errors. In: Moriai, S., Wang, H. (eds) Advances in Cryptology – ASIACRYPT 2020. ASIACRYPT 2020. Lecture Notes in Computer Science(), vol 12491. Springer, Cham. https://doi.org/10.1007/978-3-030-64837-4_6

Download citation

DOI: https://doi.org/10.1007/978-3-030-64837-4_6
Published: 06 December 2020
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-64836-7
Online ISBN: 978-3-030-64837-4
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

International Association for Cryptologic Research (opens in a new tab)

CCA-Secure (Puncturable) KEMs from Encryption with Non-Negligible Decryption Errors

Abstract

Similar content being viewed by others

On the Security of NTS-KEM in the Quantum Random Oracle Model

IND-CCA-Secure Key Encapsulation Mechanism in the Quantum Random Oracle Model, Revisited

Tightly-Secure Key-Encapsulation Mechanism in the Quantum Random Oracle Model

Keywords

1 Introduction

1.1 Contribution

2 Preliminaries

2.1 Public-Key Encryption and Key-Encapsulation Mechanisms

Definition 1

Definition 2

Lemma 1

Theorem 1

Definition 3

Definition 4 (Finding failing ciphertexts)

Definition 5

2.2 Identity-Based Encryption

3 CCA Security from Non-Negligible Correctness Errors

3.1 On the Correctness Error

Definition 6

Definition 7

3.2 Compiler for Immunizing Decryption Errors

Remark 1

Corollary 1

3.3 Transformations \(\mathsf T\) and \(\mathsf U^{\not \bot }\)

Theorem 2

Theorem 3

Theorem 4

Theorem 5

Theorem 6

3.4 Non Black-Box Use: The Transformation \(\mathsf T^\star \)

Remark 2

Theorem 7

Theorem 8

Lemma 2

3.5 Comparison of the Two Approaches

4 Our Transform in Practice

4.1 Code-Based KEMs

4.2 Lattice-Based KEMs

4.3 Implementation Aspects

5 Application to Bloom Filter KEMs

Definition 8 (Correctness)

Definition 9 (Extended Correctness)

5.1 IBE with Negligible from Non-Negligible Correctness Error

Corollary 2

5.2 BFKEM from IBE with Negligible Correctness Error

Theorem 9

Proof

Theorem 10

5.3 Comparison of BFKEM Instantiations

Notes

References

Acknowledgements

Author information

Authors and Affiliations

Corresponding author

Editor information

Editors and Affiliations

Rights and permissions

Copyright information

About this paper

Cite this paper

Download citation

Share this paper

Publish with us

Societies and partnerships