Abstract
The generic \(\textsf{IND}\)-\(\textsf{CCA}\) secure key encapsulation mechanism (KEM) constructions in the quantum random oracle model (QROM) attract much attention due to the NIST post-quantum competition. Most of the NIST KEM submissions follow the generic Fujisaki-Okamoto transformation with implicit rejection (FO-IR). We propose a framework for the construction of quantum random oracles that supports implicit rejection, and prove that the KEMs satisfying our framework are \(\textsf{IND}\)-\(\textsf{CCA}\) secure in the QROM. Specifically, we use the idea of hash combination to eliminate the requirement for checking the validity of ciphertexts, which is the key point to achieve \(\textsf{IND}\)-\(\textsf{CCA}\) security. We show that the existing FO-IR widely used in the NIST KEM submissions can be explained by our framework. Additionally, we also propose a novel realization which exploits the verifiability of the private key.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
Notes
- 1.
There are some variants of \(\textsf{U}^{\not \bot }\) including \(\textsf{U}_{m}^{\not \bot }\), \(\textsf{U}^{\bot }\) and \(\textsf{U}_{m}^{\bot }\) [12], where \({\bot }\) means explicit rejection, and m (without m) means \(K:=\textsf{H}(m)\) (\(K:=\textsf{H}(m,c)\)).
- 2.
Here, “\(\text {DS}\)” is a domain separator, and it should be a bit string of sufficient length, otherwise it is easy to be guessed by the adversary.
- 3.
For any fixed key pair \(\left( pk,sk \right) \), we say that a ciphertext c is invalid if \(\mathsf {Dec'}\left( sk,c \right) = \bot \), and valid otherwise.
- 4.
Since quantum adversaries may evaluate random oracles on quantum superposition states, the simulator can only \({\textbf {test}}\) whether \(A_{1}=sk\) and cannot extract sk, which means the simulator need to measure the quantum queries.
- 5.
We will explain in Sect. 3.2 why we require the intermediate scheme to be \(\textsf{OW}\)-\(\textsf{qPCA}\) secure.
- 6.
By the definitions of \(\mathsf {Dec'}\) and condition on \(c\leftarrow \mathsf {Enc'}\left( pk,m \right) \), if \(\mathsf {Dec'}\left( sk,c \right) \ne m\), then we must have \(\textsf{Dec}\left( sk,c \right) =m'\ne m\) or \(\textsf{Dec}\left( sk,c \right) =\bot \), i.e., \(\textsf{Dec}\left( sk,c \right) \ne m\).
- 7.
- 8.
In addition, the simulator can also test whether \(A_{1}=sk\) by repeated random encryption and trial decryption.
References
Ambainis, A., Hamburg, M., Unruh, D.: Quantum security proofs using semi-classical oracles. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11693, pp. 269–295. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26951-7_10
Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Proceedings of the 1st ACM Conference on Computer and Communications Security, pp. 62–73 (1993)
Bindel, N., Hamburg, M., Hövelmanns, K., Hülsing, A., Persichetti, E.: Tighter proofs of CCA security in the quantum random oracle model. In: Hofheinz, D., Rosen, A. (eds.) TCC 2019. LNCS, vol. 11892, pp. 61–90. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-36033-7_3
Boneh, D., Dagdelen, Ö., Fischlin, M., Lehmann, A., Schaffner, C., Zhandry, M.: Random oracles in a quantum world. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 41–69. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_3
Dent, A.W.: A designer’s guide to KEMs. In: Paterson, K.G. (ed.) Cryptography and Coding 2003. LNCS, vol. 2898, pp. 133–151. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-40974-8_12
Diffie, W., Hellman, M.E.: New directions in cryptography. IEEE Trans. Inf. Theory 22(6), 644–654 (1976)
Don, J., Fehr, S., Majenz, C., Schaffner, C.: Online-extractability in the quantum random-oracle model. In: Dunkelman, O., Dziembowski, S. (eds) Advances in Cryptology – EUROCRYPT 2022. EUROCRYPT 2022. LNCS, vol. 13277, pp. 677–706. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-07082-2_24
Duman, J., Hövelmanns, K., Kiltz, E., Lyubashevsky, V., Seiler, G.: Faster lattice-based KEMs via a generic Fujisaki-Okamoto transform using prefix hashing. In: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, pp. 2722–2737 (2021)
Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 537–554. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_34
Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. J. Cryptol. 26(1), 80–101 (2011). https://doi.org/10.1007/s00145-011-9114-1
Grover, L.K.: A fast quantum mechanical algorithm for database search. In: Miller, G.L. (ed.) The Twenty-Eighth Annual ACM Symposium on the Theory of Computing, pp. 212–219 (1996)
Hofheinz, D., Hövelmanns, K., Kiltz, E.: A modular analysis of the Fujisaki-Okamoto transformation. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017. LNCS, vol. 10677, pp. 341–371. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70500-2_12
Hövelmanns, K., Hülsing, A., Majenz, C.: Failing gracefully: decryption failures and the Fujisaki-Okamoto transform. arXiv preprint arXiv:2203.10182 (2022)
Hövelmanns, K., Kiltz, E., Schäge, S., Unruh, D.: Generic authenticated key exchange in the quantum random oracle model. In: Kiayias, A., Kohlweiss, M., Wallden, P., Zikas, V. (eds.) PKC 2020. LNCS, vol. 12111, pp. 389–422. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45388-6_14
Jiang, H., Zhang, Z., Chen, L., Wang, H., Ma, Z.: IND-CCA-secure key encapsulation mechanism in the quantum random oracle model, revisited. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10993, pp. 96–125. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96878-0_4
Jiang, H., Zhang, Z., Ma, Z.: Key encapsulation mechanism with explicit rejection in the quantum random oracle model. In: Lin, D., Sako, K. (eds.) PKC 2019. LNCS, vol. 11443, pp. 618–645. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17259-6_21
Jiang, H., Zhang, Z., Ma, Z.: Tighter security proofs for generic key encapsulation mechanism in the quantum random oracle model. In: Ding, J., Steinwandt, R. (eds.) PQCrypto 2019. LNCS, vol. 11505, pp. 227–248. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-25510-7_13
Kuchta, V., Sakzad, A., Stehlé, D., Steinfeld, R., Sun, S.-F.: Measure-rewind-measure: tighter quantum random oracle model proofs for one-way to hiding and CCA security. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12107, pp. 703–728. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45727-3_24
NIST: National institute for standards and technology. In: Post Quantum Crypto Project (2021). https://csrc.nist.gov/Projects/post-quantum-cryptography/round-3-submissions
Rackoff, C., Simon, D.R.: Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 433–444. Springer, Heidelberg (1992). https://doi.org/10.1007/3-540-46766-1_35
Saito, T., Xagawa, K., Yamakawa, T.: Tightly-secure key-encapsulation mechanism in the quantum random oracle model. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10822, pp. 520–551. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78372-7_17
Shor, P.W.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput. 26(5), 1484–1509
Targhi, E.E., Unruh, D.: Post-quantum security of the Fujisaki-Okamoto and OAEP transforms. In: Hirt, M., Smith, A. (eds.) TCC 2016. LNCS, vol. 9986, pp. 192–216. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53644-5_8
Unruh, D.: Revocable quantum timed-release encryption. In: Advances in Cryptology - EUROCRYPT 2014, pp. 129–146 (2014)
Zhandry, M.: How to record quantum queries, and applications to quantum indifferentiability. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11693, pp. 239–268. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26951-7_9
Zhandry, M.: Redeeming reset indifferentiability and applications to post-quantum security. In: Tibouchi, M., Wang, H. (eds.) ASIACRYPT 2021. LNCS, vol. 13090, pp. 518–548. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-92062-3_18
Zhandry, M.: Secure identity-based encryption in the quantum random oracle model. In: CRYPTO 2012, pp. 758–775 (2012)
Zhandry, M., Zhang, C.: Indifferentiability for public key cryptosystems. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12170, pp. 63–93. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56784-2_3
Acknowledgments
We thank the anonymous ISC2022 reviewers for their helpful comments. This work was supported by the National Natural Science Foundation of China (Grant Nos. 61972391).
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Chen, Z., Lu, X., Jia, D., Li, B. (2022). Implicit Rejection in Fujisaki-Okamoto: Framework and a Novel Realization. In: Susilo, W., Chen, X., Guo, F., Zhang, Y., Intan, R. (eds) Information Security. ISC 2022. Lecture Notes in Computer Science, vol 13640. Springer, Cham. https://doi.org/10.1007/978-3-031-22390-7_8
Download citation
DOI: https://doi.org/10.1007/978-3-031-22390-7_8
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-22389-1
Online ISBN: 978-3-031-22390-7
eBook Packages: Computer ScienceComputer Science (R0)