
Robustly Reusable Fuzzy Extractors in a Post-quantum World

  • Conference paper
Applied Cryptography and Network Security (ACNS 2023)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13906)


Abstract

We revisit the problem of robustly reusable fuzzy extractors (RRFEs) with post-quantum security. Our main focus is constructions secure in the quantum random oracle model (QROM) that can be built by modifying existing classical ROM constructions. To date, security in the QROM has not been considered in the context of RRFEs. More specifically, we achieve three core contributions. The first is to produce a simple QROM construction of a (non-reusable) robust fuzzy extractor with security bounds that do not depend explicitly on the number of correctable errors t. As Becker (ePrint/2017/493) showed, previous ROM proofs depend heavily on t, preventing their use in certain applications (e.g. to PUFs). Our second contribution is to produce the first RRFE with a security proof in the QROM. The security bounds here also do not depend explicitly on t. Importantly, the construction does not utilise random number generation which can be difficult to achieve on constrained devices in a PUF application. Finally, we suggest optimisations of the only existing post-quantum standard model RRFE capable of correcting a linear number of errors, showing that it is far less efficient than our QROM construction.


Notes

  1. Well-formed roughly means that for any w and sketch value s, \( \textsf{SS}\text {.}\textsf {Rec}(w,s) \) is within Hamming distance t of w, where t is the maximal number of correctable errors.

  2. The well-formed property can be dropped for the sake of weaker properties (see Remark 1), but we choose to use properties already defined in the literature.

  3. Available in the penultimate presentation slide of https://csrc.nist.gov/CSRC/media/Presentations/Lepton/images-media/Lepton-April2018.pdf.

References

  1. Alamélou, Q., et al.: Pseudoentropic isometries: a new framework for fuzzy extractor reusability. In: AsiaCCS (2018)

  2. Alkim, E., Ducas, L., Pöppelmann, T., Schwabe, P.: Post-quantum key exchange - a new hope. In: USENIX (2016)

  3. Ambainis, A., Hamburg, M., Unruh, D.: Quantum security proofs using semi-classical oracles. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11693, pp. 269–295. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26951-7_10

  4. Apon, D., Cho, C., Eldefrawy, K., Katz, J.: Efficient, reusable fuzzy extractors from LWE. In: Dolev, S., Lodha, S. (eds.) CSCML 2017. LNCS, vol. 10332, pp. 1–18. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-60080-2_1

  5. Becker, G.T.: Robust fuzzy extractors and helper data manipulation attacks revisited: theory vs practice. Cryptology ePrint Archive, Report 2017/493 (2017)

  6. Boneh, D., Dagdelen, Ö., Fischlin, M., Lehmann, A., Schaffner, C., Zhandry, M.: Random oracles in a quantum world. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 41–69. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_3

  7. Boyen, X.: Reusable cryptographic fuzzy extractors. In: CCS (2004)

  8. Boyen, X., Dodis, Y., Katz, J., Ostrovsky, R., Smith, A.: Secure remote authentication using biometric data. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 147–163. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_9

  9. Canetti, R., Fuller, B., Paneth, O., Reyzin, L., Smith, A.: Reusable fuzzy extractors for low-entropy distributions. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 117–146. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49890-3_5

  10. Cheon, J.H., Jeong, J., Kim, D., Lee, J.: A reusable fuzzy extractor with practical storage size: modifying Canetti et al.'s construction. In: Susilo, W., Yang, G. (eds.) ACISP 2018. LNCS, vol. 10946, pp. 28–44. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-93638-3_3

  11. Cramer, R., Dodis, Y., Fehr, S., Padró, C., Wichs, D.: Detection of algebraic manipulation with applications to robust secret sharing and fuzzy extractors. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 471–488. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78967-3_27

  12. Cui, N., Liu, S., Gu, D., Weng, J.: Robustly reusable fuzzy extractors with imperfect randomness. Des. Codes Cryptogr. (2021)

  13. Dodis, Y., Kanukurthi, B., Katz, J., Reyzin, L., Smith, A.: Robust fuzzy extractors and authenticated key agreement from close secrets. Cryptology ePrint Archive, Report 2010/456 (2010)

  14. Dodis, Y., Ostrovsky, R., Reyzin, L., Smith, A.: Fuzzy extractors: how to generate strong keys from biometrics and other noisy data. In: SIAM (2008)

  15. Fuller, B., Meng, X., Reyzin, L.: Computational fuzzy extractors. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013. LNCS, vol. 8269, pp. 174–193. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-42033-7_10

  16. Gilbert, H., Robshaw, M.J.B., Seurin, Y.: How to encrypt with the LPN problem. In: ICALP (2008)

  17. Heyse, S., Kiltz, E., Lyubashevsky, V., Paar, C., Pietrzak, K.: Lapin: an efficient authentication protocol based on ring-LPN. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 346–365. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34047-5_20

  18. Holcomb, D.E., Burleson, W.P., Fu, K.: Power-up SRAM state as an identifying fingerprint and source of true random numbers. IEEE Trans. Comput. 58(9) (2009)

  19. Huth, C., Becker, D., Guajardo, J., Duplys, P., Güneysu, T.: Securing systems with scarce entropy: LWE-based lossless computational fuzzy extractor for the IoT. Cryptology ePrint Archive, Report 2016/982 (2016)

  20. Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 1–23. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_1

  21. Marinissen, E.J., et al.: IoT: source of test challenges. In: IEEE European Test Symposium (ETS) (2016)

  22. Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: STOC (2005)

  23. Unruh, D.: Revocable quantum timed-release encryption. J. ACM (2015)

  24. Wen, Y., Liu, S.: Reusable fuzzy extractor from LWE. In: Susilo, W., Yang, G. (eds.) ACISP 2018. LNCS, vol. 10946, pp. 13–27. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-93638-3_2

  25. Wen, Y., Liu, S.: Reusable fuzzy extractor from the decisional Diffie-Hellman assumption. Des. Codes Cryptogr. (2018)

  26. Wen, Y., Liu, S.: Robustly reusable fuzzy extractor from standard assumptions. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11274, pp. 459–489. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03332-3_17

  27. Wen, Y., Liu, S., Gu, D.: Generic constructions of robustly reusable fuzzy extractor. In: Lin, D., Sako, K. (eds.) PKC 2019. LNCS, vol. 11443, pp. 349–378. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17259-6_12

  28. Zhandry, M.: How to record quantum queries, and applications to quantum indifferentiability. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11693, pp. 239–268. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26951-7_9


Acknowledgements

We thank Prof. Kenneth G. Paterson, Dr. Shahram Mossayebi and our anonymous reviewers for their comments and suggestions on this work.


Corresponding author

Correspondence to Amit Deo.


Appendices

Quantum Computation Preliminaries

Let \( \mathcal {H} \) be a complex Hilbert space of dimension n with orthonormal basis

$$ \left\{ \left| {1} \right\rangle , \dots , \left| {n} \right\rangle \right\} . $$

A (pure) quantum state \( \left| {\psi } \right\rangle \) over this Hilbert space is a (normalized) complex linear combination of the basis states, i.e. \( \left| {\psi } \right\rangle = \sum _{i=1}^n \alpha _i \left| {i} \right\rangle \) where \( \alpha _i \in \mathbb {C} \) and \( \sum _{i}\Vert \alpha _i\Vert ^2=1 \). On making a basis measurement on the state \( \left| {\psi } \right\rangle \), we have \( \Pr [i] = \Vert \alpha _i \Vert ^2 \) where \( \Pr [i] \) is the probability of measuring the state to be in \( \left| {i} \right\rangle \). More generally, the probability of measuring the state \( \left| {\psi } \right\rangle \) and finding it to be in some other state \( \left| {\phi } \right\rangle \) is \( \Vert \left\langle {\psi } \right| \left| {\phi } \right\rangle \Vert ^2 \), which is equal to \( \textrm{Tr}\left( \left| {\phi } \right\rangle \left\langle {\phi } \right| \left| {\psi } \right\rangle \left\langle {\psi } \right| \right) = \textrm{Tr}( \varPi _{\phi } \left| {\psi } \right\rangle \left\langle {\psi } \right| ) \). Next, a projection-valued measurement (PVM) with k possible outcomes is a collection of k projections \( \varPi _1, \dots , \varPi _k \) such that \( \sum _{i=1}^k \varPi _i = I \). Then the probability of the outcome indexed by i is \( \Pr [i] = \left\langle {\psi } \right| \varPi _i \left| {\psi } \right\rangle \). The post-measurement state after measuring i is \( \varPi _i \left| {\psi } \right\rangle / \Vert \varPi _i \left| {\psi } \right\rangle \Vert \).

Quantum algorithms are usually described by applying some quantum computation, i.e. a unitary U, to a starting state \( \left| {\varphi _0} \right\rangle \). The state \( \left| {\varphi _0} \right\rangle \) is said to contain input registers, output registers and ancillary registers to aid its computation. At the end of this computation, a measurement associated with some set of projections \( \{ \varPi _1, \dots , \varPi _k \} \) over the output registers is taken to obtain some usable classical information from the computation. In this context, k will be the number of distinct values the output registers can take. For example, if the output registers consist of \( \kappa \) qubit registers (i.e. registers that can take only binary values when measured), then \( k=2^{\kappa } \). Overall, the probability of the algorithm outputting j is \( \Vert \varPi _j \cdot U \left| {\varphi _0} \right\rangle \Vert ^2 \) where U denotes the unitary applied when running the quantum algorithm. Note that this format of a quantum algorithm is w.l.o.g., as any algorithm with intermediate projections can be written in the stated form (with slightly different unitaries and projections). In other words, we do not need to consider intermediate measurements, by the principle of deferred measurements.

Preliminaries for Standard Model Construction

The following definition uses the notion of statistical distance. The statistical distance of two distributions P and Q is \( \text {SD}(P,Q) := \sum _{x} |\Pr [P=x] - \Pr [Q=x]|/2 \).

Definition 8

A function \( \textsf{Ext}: W \times S \rightarrow R \) is a strong \( (m,\epsilon ) \) randomness extractor if for any distribution \( \mathcal {W} \) over W with \( \widetilde{H}_{\infty }(\mathcal {W}) \ge m \),

$$ \text {SD}\left( (\textsf{Ext}(\mathcal {W},U_S), U_S),\ \ U_{R \times S}\right) \le \epsilon $$

where \( U_S \) and \( U_{R \times S} \) are the uniform distributions over S and \( R \times S \) respectively.

Example 2

Take S to be the set of all binary Toeplitz matrices of the form

$$ {\textbf {A}} = \begin{bmatrix} a_0 & a_{n-1} & \dots & a_1 \\ a_1 & a_0 & \dots & a_2 \\ \vdots & \vdots & \ddots & \vdots \\ a_{k-1} & a_{k-2} & \dots & a_k \end{bmatrix} \in \mathbb {Z}_2^{k \times n} $$

where \( k<n \) and \( W =\mathbb {Z}_2^n\). Then \( \textsf{Ext}({\textbf {w}},{\textbf {A}}) = {\textbf {A}}\cdot {\textbf {w}} \) is a strong \( (m,2^{-(m-k)/2}) \) extractor. Informally, this extractor maps m bits of entropy to within statistical distance \( 2^{-\lambda } \) of the uniform distribution over \( \mathbb {Z}_2^k \) provided that \( m \ge k+2\lambda \).
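The following is an added worked example (not code from the paper) of the Toeplitz extractor of Example 2 together with the statistical distance of the preceding definition. It builds the \( k \times n \) matrix from an n-bit seed via \( {\textbf {A}}_{i,j} = a_{(i-j) \bmod n} \), which is exactly the row pattern displayed above, evaluates \( \textsf{Ext}({\textbf {w}},{\textbf {A}}) = {\textbf {A}}\cdot {\textbf {w}} \), and for a small constructed flat source (n-bit strings whose last \( n-m \) bits are zero, so \( \widetilde{H}_{\infty } = m \)) computes \( \text {SD}((\textsf{Ext}(\mathcal {W},U_S),U_S), U_{R \times S}) \) exactly by enumeration and compares it with the bound \( 2^{-(m-k)/2} \). The source, the parameters and the helper names are choices made for this illustration.

```python
import itertools
import math


def toeplitz_matrix(a, k):
    """k x n binary matrix with A[i][j] = a_{(i-j) mod n}: first column
    a_0..a_{k-1}, first row a_0, a_{n-1}, ..., a_1, as in Example 2."""
    n = len(a)
    return [[a[(i - j) % n] for j in range(n)] for i in range(k)]


def is_toeplitz(matrix):
    """A matrix is Toeplitz when every descending diagonal is constant."""
    return all(matrix[i][j] == matrix[i - 1][j - 1]
               for i in range(1, len(matrix))
               for j in range(1, len(matrix[0])))


def extract(w, a, k):
    """Ext(w, A) = A . w over Z_2, computed without materialising A."""
    n = len(a)
    return [sum(a[(i - j) % n] & w[j] for j in range(n)) % 2 for i in range(k)]


def statistical_distance(p, q):
    """SD(P, Q) = sum_x |Pr[P=x] - Pr[Q=x]| / 2 for distributions as dicts."""
    return sum(abs(p.get(x, 0.0) - q.get(x, 0.0)) for x in set(p) | set(q)) / 2


def flat_source(n, m):
    """Constructed low-entropy input: the 2^m n-bit strings whose last n-m bits
    are zero (a flat source with exactly m bits of min-entropy)."""
    return [bits + (0,) * (n - m) for bits in itertools.product((0, 1), repeat=m)]


def extractor_distance(support, n, k):
    """Exact SD((Ext(W, U_S), U_S), U_{R x S}) for W uniform over `support` and
    the seed uniform over all n-bit seeds; returns (sd, bound) with the
    bound 2^{-(m-k)/2} of Example 2, m = log2(|support|)."""
    seeds = list(itertools.product((0, 1), repeat=n))
    joint = {}
    weight = 1.0 / (len(seeds) * len(support))
    for a in seeds:
        for w in support:
            key = (tuple(extract(list(w), list(a), k)), a)
            joint[key] = joint.get(key, 0.0) + weight
    uniform_weight = 1.0 / (2 ** k * len(seeds))
    uniform = {(r, a): uniform_weight
               for r in itertools.product((0, 1), repeat=k) for a in seeds}
    m = math.log2(len(support))
    return statistical_distance(joint, uniform), 2 ** (-(m - k) / 2)


if __name__ == "__main__":
    sd, bound = extractor_distance(flat_source(6, 4), 6, 2)
    print(f"n=6, k=2, m=4: SD = {sd:.6f}, bound 2^-(m-k)/2 = {bound}")
```

For n = 6, k = 2 and the m = 4 flat source, only the seeds for which the 2 x 4 block acting on the entropic coordinates has rank below 2 contribute to the distance, giving SD = 4.5/64, comfortably inside the bound 1/2; enlarging n while holding m and k fixed shows how the distance is governed by the gap m - k and not by n.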

Definition 9

([12, 26]). A symmetric key encapsulation mechanism (SKEM) with decapsulation uniformity consists of three algorithms

$$ \textsf{SKEM}= (\textsf{SKEM}\text {.}\textsf{Setup}, \textsf{SKEM}\text {.}\textsf{Encaps},\textsf{SKEM}\text {.}\textsf{Decaps}) $$

where:

  • \( \textsf{SKEM}\text {.}\textsf{Setup}(1^{\lambda }) \) takes as input a security parameter and outputs public parameters \( \textsf{pp}\) that include descriptions of spaces \( \mathcal {R}_e, \mathcal {K},\mathcal {K}' \) and \( \mathcal {C} \).

  • \( \textsf{SKEM}\text {.}\textsf{Encaps}(k;r) \) is a probabilistic algorithm taking as input a key \( k \in \mathcal {K}' \) and randomness \( r \in \mathcal {R}_e \) and outputs \( (C, K) \) where \( C \in \mathcal {C} \) is a ciphertext and \( K \in \mathcal {K} \) is an encapsulated key.

  • \( \textsf{SKEM}\text {.}\textsf{Decaps}(C,k) \) takes as input a key \( k \in \mathcal {K}' \) and ciphertext \( C \in \mathcal {C} \) and outputs a decrypted key \( K' \in \mathcal {K} \) or \( \bot \).

A SKEM with decapsulation uniformity must satisfy the following properties:

  1. (Correctness)

    $$ \Pr \left[ K=K' : \begin{array}{c} \textsf{pp}\leftarrow \textsf{SKEM}\text {.}\textsf{Setup}(\lambda ),\ k \leftarrow \mathcal {K}' \\ (C,K) \leftarrow \textsf{SKEM}\text {.}\textsf{Encaps}(k) \\ K' \leftarrow \textsf{SKEM}\text {.}\textsf{Decaps}(C,k) \end{array} \right] = 1 - \textsf{negl}(\lambda ) .$$

  2. (Key-Shift Pseudorandomness) For all PPT \( \mathcal {A}\),

    $$ \Pr \left[ b'=b : \begin{array}{c} \textsf{pp} \leftarrow \textsf{SKEM}\text {.}\textsf{Setup}(\lambda ),\ k \leftarrow \mathcal {K}' \\ b \leftarrow \{0,1\} \\ b' \leftarrow \mathcal {A}^{\mathcal {O}^{\textsf{ksp}}_b}(\lambda ) \end{array} \right] = \textsf{negl}(\lambda ) $$

    where the oracles \( \mathcal {O}^{\textsf{ksp}}_0 \) and \( \mathcal {O}^{\textsf{ksp}}_1 \) are defined below.

  3. (Decapsulation Uniformity) For any \( C \in \mathcal {C} \) and \( K' \in \mathcal {K} \),

    $$ \Pr [\textsf{SKEM}\text {.}\textsf{Decaps}(C,k) = K' : \begin{array}{c} \textsf{pp} \leftarrow \textsf{SKEM}\text {.}\textsf{Setup}(\lambda ) \\ k \leftarrow \mathcal {K}' \end{array}] = \frac{1}{|\mathcal {K}|}. $$

The oracles for the key-shift pseudorandomness property are defined as:

  • \( \mathcal {O}^{\textsf{ksp}}_{0}: \) On input \( \delta \), return uniform \( (C,K) \leftarrow \mathcal {C} \times \mathcal {K} \).

  • \( \mathcal {O}^{\textsf{ksp}}_1: \) On input \( \delta \), return \( (C,K) \leftarrow \textsf{SKEM}\text {.}\textsf{Encaps}(k + \delta ) \).

(Ring-)LPN Preliminaries

We now recall the LWE [22] and ring-LWE [20] problems with modulus 2, also known as LPN and ring-LPN (RLPN) respectively. Below, \(\text {Ber}_\tau \) represents the Bernoulli distribution with probability \(\tau \in [0,1]\).

Definition 10

For dimensions m, n and Bernoulli parameter \( \tau \in (0,1/2) \), the LPN distribution with secret \( {\textbf {S}}\in \mathbb {Z}_2^{n \times m} \), denoted \( A_{m,n,\tau }({\textbf {S}}) \), is sampled as follows: First sample \( {\textbf {a}} \leftarrow \mathbb {Z}_2^n \), \( {\textbf {e}} \leftarrow \text {Ber}^m_\tau \) and output \( ({\textbf {a}}, {\textbf {a}}^{\top } {\textbf {S}} \oplus {\textbf {e}}) \). The \( \textsf{LPN}_{m,n,\tau } \) problem is to distinguish between an unbounded number of samples of \( A_{m,n,\tau }({\textbf {S}}) \) and the uniform distribution over \( \mathbb {Z}_2^n \times \mathbb {Z}_2^m \) where \( {\textbf {S}} \leftarrow \mathbb {Z}_2^{n \times m} \).

Definition 11

([17]). For dimension \( m' \), ring \( R = \mathbb {Z}[X]/(f(X)) \) with f of degree n, and Bernoulli parameter \( \tau \in (0,1/2) \), define \( R_2 := R/2R \). The ring-LPN distribution with secret \( {\textbf {s}} \in R_2^{m'} \), denoted \( A_{m',R,\tau }({\textbf {s}}) \), is sampled as follows: First sample \( a \leftarrow R_2 \), \( {\textbf {e}} \leftarrow \text {Ber}_\tau ^{m'n} \) (interpreted as an element of \(R_2^{m'}\) where each coefficient is sampled from \( \text {Ber}_\tau \)) and then output \( (a,a\cdot {\textbf {s}}+{\textbf {e}}) \in R_2 \times R_2^{m'} \). The \( \textsf{RLPN}_{m',R,\tau } \) problem is to distinguish between an unbounded number of samples of \( A_{m',R,\tau }({\textbf {s}}) \) and the uniform distribution over \( R_2 \times R_2^{m'} \) where \( {\textbf {s}} \leftarrow R_2^{m'} \).

Note that a single-secret (i.e. \( m'=1 \)) RLPN sample is essentially \( (a,a\cdot s + e) \), where \( a \cdot s \) can be expressed as an \( n \times n \) matrix multiplied by an n-dimensional vector. In other words, a single RLPN sample \( (a,a\cdot s +e) \) can be considered as n structured LPN samples (with \( m=1 \)). However, only 2n bits are required to represent an RLPN sample whereas n LPN samples require \( n^2 + n \) bits of storage. Further, ring multiplication can be made extremely fast if the underlying ring splits into many factors by applying fast Fourier transform-like techniques (e.g. [2]). These are two main advantages of RLPN over LPN.
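As an added illustration (not code from the paper) of Definitions 10 and 11 and of the remark above, the following samples \( A_{m,n,\tau }({\textbf {S}}) \) and \( A_{1,R,\tau }(s) \) over a toy ring \( R_2 = \mathbb {Z}_2[X]/(f(X)) \), builds the \( n \times n \) multiplication matrix \( M_a \) with \( M_a \cdot s = a \cdot s \bmod f \), and unpacks one RLPN sample into the n structured \( m=1 \) LPN samples \( (M_a[i], (a \cdot s + e)_i) \). The reduction polynomial, the Bernoulli sampler and the function names are choices made here; the paper fixes none of them.

```python
import random


def poly_mul_mod2(a, b, f):
    """Multiply a, b in Z_2[X] (coefficient lists, index = degree) and reduce
    modulo the monic polynomial f of degree n; returns n coefficients."""
    n = len(f) - 1
    prod = [0] * (2 * n - 1)
    for i, ai in enumerate(a):
        if ai:
            for j, bj in enumerate(b):
                if bj:
                    prod[i + j] ^= 1
    for d in range(len(prod) - 1, n - 1, -1):  # eliminate X^d for d >= n
        if prod[d]:
            for t in range(n + 1):
                prod[d - n + t] ^= f[t]
    return prod[:n]


def mult_matrix(a, f):
    """n x n binary matrix M_a with M_a . s = a*s mod f: column j holds the
    coefficients of a*X^j mod f."""
    n = len(f) - 1
    cols = [poly_mul_mod2(a, [1 if d == j else 0 for d in range(n)], f)
            for j in range(n)]
    return [[cols[j][i] for j in range(n)] for i in range(n)]


def bernoulli(tau, length, rng):
    """Ber_tau^length: each bit is 1 with probability tau."""
    return [1 if rng.random() < tau else 0 for _ in range(length)]


def lpn_sample(S, tau, rng=None):
    """One sample of A_{m,n,tau}(S): (a, a^T S xor e), a <- Z_2^n, e <- Ber_tau^m."""
    rng = rng or random.Random()
    n, m = len(S), len(S[0])
    a = [rng.randrange(2) for _ in range(n)]
    e = bernoulli(tau, m, rng)
    b = [(sum(a[i] & S[i][j] for i in range(n)) + e[j]) % 2 for j in range(m)]
    return a, b


def rlpn_sample(s, f, tau, rng=None):
    """One sample of A_{1,R,tau}(s): (a, a*s + e) in R_2 x R_2, e <- Ber_tau^n."""
    rng = rng or random.Random()
    n = len(f) - 1
    a = [rng.randrange(2) for _ in range(n)]
    e = bernoulli(tau, n, rng)
    b = [x ^ y for x, y in zip(poly_mul_mod2(a, s, f), e)]
    return a, b


def rlpn_as_lpn_samples(a, b, f):
    """The n structured LPN samples hidden in one RLPN sample: row i of M_a
    paired with coefficient i of b, because b = M_a . s + e coordinate-wise."""
    return [(row, b[i]) for i, row in enumerate(mult_matrix(a, f))]


def storage_bits(n):
    """(bits of one RLPN sample, bits of the n LPN samples it stands in for)."""
    return 2 * n, n * n + n


if __name__ == "__main__":
    F = [1, 1, 0, 1]          # f(X) = X^3 + X + 1, so n = 3 (constructed toy ring)
    secret = [1, 0, 1]        # s = 1 + X^2
    a, b = rlpn_sample(secret, F, 0.125, random.Random(1))
    for row, bi in rlpn_as_lpn_samples(a, b, F):
        print(row, bi)
    print(storage_bits(3))
```

With \( \tau = 0 \) every unpacked row satisfies \( \langle M_a[i], s\rangle = b_i \) exactly, which is what makes the n rows genuine LPN samples with \( m=1 \); the rows are not independent uniform vectors, however, since all n of them are determined by the n bits of a, which is precisely the structure RLPN assumes is harmless and the source of the 2n versus \( n^2+n \) storage gap.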

Deferring Measurements for Recorded Classical Oracle Queries

Consider a quantum algorithm \( \mathcal {A}\) that is restricted to making classical queries to some quantum instantiation of an oracle \( \mathcal {O}: X \rightarrow Y \). This is no different from the case where \(\mathcal {A}\) has purely classical access to the oracle. In order to make a classical query to the quantum oracle, \( \mathcal {A}\) can take an intermediate measurement of the query input register before making its query. Note that this is equivalent to a classical query because the query input register collapses to a classical state after the measurement. Our aim here is to show that there is an algorithm \( \bar{\mathcal {A}} \) that keeps some database registers (in addition to the registers of \(\mathcal {A}\)) such that

  • \( \bar{\mathcal {A}} \) does not make any measurements until it is ready to make an output measurement (in particular, there are no intermediate measurements of the query input register).

  • When producing output, \( \bar{\mathcal {A}} \) additionally measures the database registers.

  • The joint distribution of \( \mathcal {A}\)’s output and intermediate measurements is identical to the joint distribution of \( \bar{\mathcal {A}} \)’s output and database measurement.

Given these properties, \( \bar{\mathcal {A}} \) perfectly simulates the behaviour of \( \mathcal {A}\) and its intermediate measurements while deferring measurements to the end of the computation.

Note that we can describe the measurement of the query input register by considering the set of projections \( \{ \varPi _x = \mathbb {I}\otimes \left| {x} \right\rangle \left\langle {x} \right| \otimes \mathbb {I}: x \in X \} \). We explicitly describe the algorithm \( \mathcal {A}\) making q classical queries to \( \mathcal {O} \) as follows:

  • \( \mathcal {A}\) has registers \( \left| {\dots } \right\rangle _{\mathcal {A}} \otimes \left| {x,y} \right\rangle _{\mathcal {O}} \) where for any basis state, applying the oracle treats x as the input register and y as the output, i.e. an oracle application is

    $$ (\mathbb {I}\otimes \mathcal {O}) \left| {\phi } \right\rangle _{\mathcal {A}} \otimes \left| {x,y} \right\rangle _{\mathcal {O}} := \left| {\phi } \right\rangle _{\mathcal {A}} \otimes \left| {x,y\oplus \mathcal {O}(x)} \right\rangle _{\mathcal {O}}. $$
  • \( \mathcal {A}\) begins in the state \( \left| {\phi _0} \right\rangle \).

  • For \( i=1, \dots , q \):

    • \( \mathcal {A}\) performs a unitary \( U_i \) on the entire state to obtain \( \left| {\phi _{i-1}} \right\rangle \).

    • \( \mathcal {A}\) performs a measurement. Denoting the result as \( x_i \), the un-normalized collapsed state is \( (\mathbb {I}\otimes \varPi _{x_i} \otimes \mathbb {I}) \left| {\phi _{i-1}} \right\rangle \).

    • \( \mathcal {A}\) sends its state to the oracle and it applies \( \mathbb {I}\otimes \mathcal {O} \).

  • \( \mathcal {A}\) applies a unitary \( U_{q+1} \) and takes a measurement of its output registers.

Note that if we were to add a register containing the results \( x_i \) after every measurement, the output distribution of \( \mathcal {A}\) is unchanged as the overall state is always a product state between \( \mathcal {A}\)’s state and a classical list of observed measurements.

Here we will show how to defer measurements of \( \mathcal {A}\) to the end while preserving the output distribution of \( \mathcal {A}\) and the intermediate measurements jointly. There will be three sets of registers of the form \( \left| {\dots } \right\rangle _{\mathcal {A}} \), \( \left| {x,y} \right\rangle _{\mathcal {O}} \) and \( \left| {\dots } \right\rangle _{D} \) where the last of these denotes a set of q registers that will store a record of the \( \mathcal {O} \)-queries. The deferred measurement algorithm will be denoted as \( \bar{\mathcal {A}} \) and will have quantum access to \( \mathcal {O} \). The behaviour of \( \bar{\mathcal {A}} \) is as follows:

  • \( \bar{\mathcal {A}} \) has registers \( \left| {\dots } \right\rangle _{\mathcal {A}} \otimes \left| {x,y} \right\rangle _{\mathcal {O}} \otimes \left| {\dots } \right\rangle _{D} \).

  • \( \bar{\mathcal {A}} \) begins in the state \( \left| {\phi _0} \right\rangle \otimes \overbrace{\left| {0,\dots ,0} \right\rangle _D}^{q \text { times}} \) where \( \left| {\phi _0} \right\rangle \) is \( \mathcal {A}\)’s starting state.

  • For \( i=1, \dots , q \):

    • \( \bar{\mathcal {A}} \) performs the unitary \( U_i \otimes \mathbb {I}_D \) (where \( U_i \) is the same unitary as in the description of \( \mathcal {A}\)).

    • \( \bar{\mathcal {A}} \) then adds the contents of the query input register into the i-th slot of the D registers. Denote the unitary that performs this as \( C_i \).

    • \( \bar{\mathcal {A}} \) sends its state to the oracle which applies \( \mathbb {I}\otimes \mathcal {O} \otimes \mathbb {I}_D\) to the state.

  • \( \bar{\mathcal {A}} \) applies the unitary \( U_{q+1} \otimes \mathbb {I}_D \) and then measures the D registers.

  • Finally, \( \bar{\mathcal {A}} \) takes a measurement of the output registers.

Consider now the set of projections \( \{\varPi ^{D,i}_{x} : x \in X, i \in [q]\} \) where \( \varPi ^{D,i}_{x} \) denotes the projection of the i-th slot of the D registers onto the state \( \left| {x} \right\rangle \). Also consider the set \( \{\varPi ^{D}_{{\textbf {x}}} : {\textbf {x}} \in X^q\} \) where \( \varPi ^D_{{\textbf {x}}} \) is the projection of the D registers onto \( \left| {x_1,\dots ,x_q} \right\rangle \) from which it can be seen that

$$ \varPi ^D_{{\textbf {x}}} = \varPi ^{D,q}_{x_q} \cdot \dots \cdot \varPi ^{D,1}_{x_1}. $$

Furthermore, recall that \( \varPi _x \) denotes the projection of the query input register onto \( \left| {x} \right\rangle \). Then we have the following claim:

Claim

Take \(C_i\) to be the unitary from the description of \(\bar{\mathcal {A}}\). For any value of \( {\textbf {x}}=(x_1,\dots , x_q) \in X^q \), any \( \left| {\phi _0} \right\rangle \), any sequence of unitaries \( U_1,\dots ,U_q \) and any oracle \( \mathcal {O} \), the two following (un-normalized) states are equal:

  1. \( U_{q+1} \cdot C_q \cdot \varPi _{x_q}\cdot U_{q} \dots C_2\cdot \varPi _{x_2}\cdot U_2\cdot C_1\cdot \varPi _{x_1}\cdot U_1\left( \left| {\phi _0} \right\rangle \otimes \left| {0,\dots ,0} \right\rangle _D\right) \)

  2. \( \varPi ^D_{{\textbf {x}}}\cdot U_{q+1} \cdot C_q\cdot U_{q} \dots C_2\cdot U_2\cdot C_1\cdot U_1\left( \left| {\phi _0} \right\rangle \otimes \left| {0,\dots ,0} \right\rangle _D\right) \)

Proof

We first show that for any i, applying \( C_i \cdot \varPi _{x_i} \) to a state where the i-th D register is 0 is the same as applying \( \varPi _{x_i}^{D,i} \cdot C_i \) to that same state. Note that both \( C_i \) and \( \varPi _{x_i} \) are the identity on all registers other than the query input register and i-th D register. Therefore, ignoring all registers except for the query input and i-th D register, we have \( C_i \cdot \varPi _{x_i} (\left| {x} \right\rangle \otimes \left| {0} \right\rangle _{D,i}) = \delta _{x,x_i} \left| {x} \right\rangle \otimes \left| {x} \right\rangle = \varPi ^{D,i}_{x_i} \cdot C_i (\left| {x} \right\rangle \otimes \left| {0} \right\rangle _{D,i}) \). Therefore the first state in the claim is equal to

$$ U_{q+1} \varPi ^{D,q}_{x_q} C_q U_{q} \dots \varPi ^{D,2}_{x_2} C_2U_2 \varPi ^{D,1}_{x_1} C_1 U_1(\left| {\phi _0} \right\rangle \otimes \left| {0,\dots ,0} \right\rangle _D). $$

Next, note that the projection \( \varPi ^{D,i}_{x_i} \) is the identity on all registers except for the i-th D register and that all matrices to the left of it are the identity on the i-th D register. Therefore, each \( \varPi ^{D,i}_{x_i} \) commutes with everything to the left of it, so the fact that

$$ \varPi ^D_{{\textbf {x}}} = \varPi ^{D,q}_{x_q} \cdot \dots \cdot \varPi ^{D,1}_{x_1} $$

completes the proof.    \(\square \)

Carefully examining the two states from the above claim, we can see that the first state corresponds to \( \mathcal {A}\)’s pre-output measurement state given intermediate measurement results \( {\textbf {x}} \) (and copying classical information into the D registers along the way) and the second corresponds to \( \bar{\mathcal {A}} \)’s pre-output measurement given that the D registers are measured to contain \( {\textbf {x}} \). Therefore, for any given oracle-input measurement sequence \( {\textbf {x}} \), the resulting state of \( \mathcal {A}\) and \( \bar{\mathcal {A}} \) are identical. What remains is to show that the distribution of oracle-input measurements of \( \mathcal {A}\) and \( \bar{\mathcal {A}} \) is the same.

In the second state from the claim, all matrices applied to \( \left( \left| {\phi } \right\rangle \otimes \left| {0,\dots ,0} \right\rangle \right) \) are unitary apart from the projection. Therefore, before the projection is applied, we have a normalized state, which implies that the probability that \( \bar{\mathcal {A}} \) measures the D registers in the state \( {\textbf {x}} \) is exactly

$$ \left\| \varPi ^D_{{\textbf {x}}}\cdot U_{q+1} \cdot C_q\cdot U_{q} \dots C_2\cdot U_2\cdot C_1\cdot U_1\left( \left| {\phi _0} \right\rangle \otimes \left| {0,\dots ,0} \right\rangle _D\right) \right\| ^2. $$

On the other hand, let us consider the probability when \(q=2 \) i.e. \( \mathcal {A}\) just measures some \( x_1 \) and \( x_2 \). The probability of measuring \( x_1 \) is \( \Vert \varPi _{x_1} \cdot U_1 \left( \left| {\phi _0} \right\rangle \otimes \left| {0,\dots ,0} \right\rangle \right) \Vert ^2 \), and the probability of it measuring \( x_2 \) given that it measured \( x_1 \) is

$$ \left\| \varPi _{x_2}\cdot U_2 \cdot C_1 \cdot \frac{\varPi _{x_1} \cdot U_1 \left( \left| {\phi _0} \right\rangle \otimes \left| {0,\dots ,0} \right\rangle \right) }{\Vert \varPi _{x_1} \cdot U_1 \left( \left| {\phi _0} \right\rangle \otimes \left| {0,\dots ,0} \right\rangle \right) \Vert } \right\| ^2. $$

Therefore, the probability that \( \mathcal {A}\) measures \( (x_1,x_2) \) is

$$ \Vert \varPi _{x_2} \cdot U_2 \cdot C_1 \cdot \varPi _{x_1} \cdot U_1 \left( \left| {\phi _0} \right\rangle \otimes \left| {0,\dots ,0} \right\rangle \right) \Vert ^2. $$

Following this logic through for general q and noting that applying the unitary \( U_{q+1} \cdot C_{q} \) does not affect norms, we have that the probability of \( \mathcal {A}\) measuring the sequence \( {\textbf {x}} \) is

$$\begin{aligned} \Vert U_{q+1} \cdot C_q \cdot \varPi _{x_q}\cdot U_{q} \dots C_2\cdot \varPi _{x_2}\cdot U_2\cdot C_1\cdot \varPi _{x_1}\cdot U_1\left( \left| {\phi _0} \right\rangle \otimes \left| {0,\dots ,0} \right\rangle _D\right) \Vert ^2, \end{aligned}$$

which is precisely the same as \( \bar{\mathcal {A}} \)’s probability by the claim above.

Separate Robustness and Reusability Proofs

Although plain robustness is implied by reusable robustness, we consider the former here to explicitly address the first key question from the introduction. This section also serves as intuition for the more complex robustly reusable proofs. We also stress that reusable robustness (proved in Sect. 4.2) also implies the stronger post-application version of robustness discussed in Sect. 2.

1.1 Robustness in the Classical ROM

Here we will write a relatively simple proof of robustness in the classical ROM. Note that the lack of explicit dependence of the security bound on the number of correctable errors (i.e. t) is achieved by considering linear secure sketches along with the robustness definition from Sect. 2. Once we have this proof, we can aim to translate it into the QROM setting using the O2H lemma and Zhandry’s quantum query recording techniques as is done in the full version. Taking \( k=\lambda \) and query bound \( q=2^{\lambda } \), the below shows that we may use a \( (m,m',t) \) secure sketch where \( m' \approx 2\lambda \) to achieve \( \lambda \) bits of security in the classical ROM.

Theorem 4

Let \( (\textsf{SS}, \textsf{Rec}) \) be a linear \( (m,m',t) \) secure sketch. Then the hash construction \( \textsf{HFE}\) is a robust \( (\mathcal {M},m,\ell ,t,\epsilon =2q\cdot 2^{-m'}) \) fuzzy extractor with robustness \( \delta \le 2^{-k} + 2q \cdot 2^{-m'} \) in the classical ROM against unbounded adversaries making at most q queries to the random oracle.

Proof

Assume that the adversary \( \mathcal {A}\) is unbounded and deterministic, but only accesses the oracle H at most q times. Throughout, we parse H as \( H_1 \) (the function that outputs the first k bits of H) and \( H_2 \) (the function that outputs the final \( \ell \) bits of H). Denote the hint/helper data given to the adversary in the robustness game as \( P:=(s,h = H_1(w,s)) \) where w is the secret value sampled by the challenger. It is assumed that w follows any distribution \( \mathcal {W} \) with min-entropy at least m. We denote by \( \mathcal {E}^{H}_{\mathcal {A}}(w,P) \) the robustness experiment that is played between the challenger and adversary \( \mathcal {A}\) with respect to the values w and P. Concretely, \( \mathcal {E}^H_{\mathcal {A}} \) on input (w, P) is as follows:

  1. Run \( \mathcal {A}^{H}(P) \) and wait for it to output \( (\varDelta ^*, P^*=(s^*,h^*)) \).

  2. Decide on the ultimate output according to the following:

    • If \( \Vert \varDelta ^*\Vert > t \): output 0.

    • If \( s^* = s \): output 0.

    • If \( H_1(w + f(\varDelta ^*,s^*,s),s^*) \ne h^*\) (where f is from the linearity property of the sketch and \( H_1 \) is computed via a random oracle query): output 0. Otherwise output 1.

It can be seen that the probability that \( \mathcal {A}\) wins the robustness experiment is then \( \delta = \Pr _{w,P,H}[1 \leftarrow \mathcal {E}^{H}_\mathcal {A}(w,P)] \) after noting that if \( \Vert \varDelta \Vert \le t \) and \( s^*=s \), it is required that \( P^*=P \) for the hash value to be valid. Now suppose we sample a function G as follows: set \( G(x) = H(x) \) for all \( x \ne (w,s) \) and set G(w, s) uniformly in \( \{0,1\}^k \). The point of introducing this function G is that it is independent of the input P given to the adversary. Consider the event \( \textsf{E} \) that \( \mathcal {A}\) queries its oracle on the point (w, s) at some point during execution of \( \mathcal {E}_{\mathcal {A}} \). Note that G and H are identical apart from on the input (w, s). Therefore, the outputs of \( \mathcal {E}_\mathcal {A}^{G}(P) \) and \( \mathcal {E}_\mathcal {A}^{H}(P) \) are identical unless there is an oracle query on (w, s). Note that \( \mathcal {A}^{G}(P) \) queries its oracle on (w, s) if and only if \( \mathcal {A}^{H}(P) \) does (assuming \( \mathcal {A}\) is deterministic). Also, any potential random oracle query performed when \( \mathcal {E}_\mathcal {A}\) makes its output decision cannot possibly be (w, s) as it is guaranteed that \( s^* \ne s \). Therefore, we can write

$$\begin{aligned} \left| \Pr _{\begin{array}{c} w,P,\\ G,H \end{array}}\left[ 1 \leftarrow \mathcal {E}_{\mathcal {A}}^{H}(w,P)\right] - \Pr _{\begin{array}{c} w,P,\\ G,H \end{array}}\left[ 1 \leftarrow \mathcal {E}_{\mathcal {A}}^{G}(w,P)\right] \right| \le \Pr _{\begin{array}{c} w,P,\\ G,H \end{array}}[\textsf{E} : \mathcal {E}^{G}_{\mathcal {A}}(w,P)]. \end{aligned}$$
(3)

\( \mathcal {A}^{G}(P) \) is given input \( P=(s, H_1(w,s)) \) and access to G where G(w, s) is independent of \( H_1(w,s) \). This means that the uniform value \( H_1(w,s) \) does not leak any information on w at all given access to G. Therefore, if \( \mathcal {A}^{G}(P) \) makes q oracle queries, the probability that it queries (w, s) is at most \( q \cdot 2^{-\gamma _s} \) where \( \gamma _s = \widetilde{H}_{\infty }(\mathcal {W} \mid s) \) for a fixed P. Taking an expectation over P, we find that \( \Pr [\textsf{E} : \mathcal {E}^{G}_{\mathcal {A}}(w,P)] \le q \cdot 2^{-m'}\) by the security of the secure sketch.

Now we analyse \( \Pr \left[ 1 \leftarrow \mathcal {E}_{\mathcal {A}}^{G}(w,P)\right] \). Denote the sequence of queries that \( \mathcal {A}\) submits to the oracle G as \( Q = ((w_1,s_1), \dots , (w_q,s_q)) \) (we parse each query as \( (w_i,s_i) \) and pad Q to make it have length exactly q). Recall that we use f to denote the function from the linearity condition on the secure sketch. If \( (w+f(\varDelta ^*,s^*,s),s^*) \) was not in Q, then the value of \( G(w+f(\varDelta ^*,s^*,s),s^*) \) is uniform from \( \mathcal {A}\)’s perspective, in which case \( h^* \) is correct with probability \( 2^{-k} \). Therefore, if this point is not in Q, then \( \mathcal {E}_\mathcal {A}^{G} \) outputs 1 with probability \( 2^{-k} \). On the other hand, suppose that \( (w+f(\varDelta ^*,s^*,s),s^*) \) does appear in Q and consider the algorithm \( \bar{\mathcal {A}}(s) \) that (i) takes input of the form \( s=\textsf{SS}.\textsf{Gen}(w) \), (ii) samples \( h \leftarrow \{0,1\}^k \) and runs \( \mathcal {A}^{G}((s,h)) \) (simulating G) until it outputs \( (\varDelta ^*,s^*,h^*) \) recording the query list Q, and (iii) for \( i \leftarrow [|Q|] \), takes the i-th element of Q denoted by \( x_i = (w_i,s_i) \) and outputs \( w_i - f(\varDelta ^*,s^*,s) \). Now \( \bar{\mathcal {A}}(s) \) outputs w when both \( (w+f(\varDelta ^*,s^*,s),s^*) \) appears in Q and it chooses a correct value i. This implies that

$$\begin{aligned} \Pr _s[w \leftarrow \bar{\mathcal {A}}(s)] = \frac{1}{q} \cdot \Pr [(w+f(\varDelta ^*,s^*,s),s^*) \in Q] . \end{aligned}$$

Furthermore, the probability of any algorithm (including \( \bar{\mathcal {A}} \)) outputting w on input s is at most \( 2^{-\gamma _s} \) for fixed s. Overall we have

$$\begin{aligned} \Pr _{\begin{array}{c} w,P,\\ G,H \end{array}}\left[ 1 \leftarrow \mathcal {E}_{\mathcal {A}}^{G}(w,P)\right]&\le 2^{-k} + \Pr _{\begin{array}{c} w,P,\\ G,H \end{array}}[(w+f(\varDelta ^*,s^*,s),s^*) \in Q] \\&= 2^{-k} + q \cdot \Pr _{s}[w \leftarrow \bar{\mathcal {A}}(s)] \\&\le 2^{-k} + q \cdot 2^{-m'}. \end{aligned}$$

Combining the above inequality with Eq. (3) completes the proof for the robustness bound. For the bound on \( \epsilon \), we can say that the advantage of \( \mathcal {A}\) in distinguishing \( R = H_2(w) \) from a uniform value U given \( P=(s,h) \) is at most the probability that \( \mathcal {A}\) queries H on (w, s) given that it knows \( P=(s,h) \). To upper bound this probability we can use Eq. (3), but instead of considering the event that \( \mathcal {E}_{\mathcal {A}}^{G} \) or \( \mathcal {E}_{\mathcal {A}}^{H} \) outputs 1, we consider the event that (w, s) is queried to the random oracle by \( \mathcal {A}\) during the execution of \( \mathcal {E}_{\mathcal {A}} \). The RHS of the inequality remains the same, so we may reuse the analysis above to bound it. Also, similarly to the above, if (w, s) appears in the list of queries that \( \mathcal {E}_{\mathcal {A}}^{G}(w,P) \) makes to G, there must be an algorithm similar to \( \bar{\mathcal {A}} \) (with input s) that finds w by picking some query made to G at random.    \(\square \)
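As an added worked example (not code from the paper), the following Python models the hash construction \( \textsf{HFE}\) over a linear, syndrome-based secure sketch built from the Hamming(7,4) code (so t = 1), with SHA-256 standing in for the random oracle H and k = ℓ = 128; it assumes, following the parsing of H in the proof, that H(w, s) is split into h (first k bits) and R (last ℓ bits). The function names (ss_rec, f, hfe_gen, hfe_rep, linearity_holds) are the example's own; f is the map from the linearity property, checked exhaustively against SS.Rec, and hfe_rep is the verification step that rejects a modified helper string \( P^* \).

```python
import hashlib
from itertools import product
# Hamming(7,4) parity-check matrix: corrects any single-bit error, so t = 1.
H_PARITY = [[1, 0, 1, 0, 1, 0, 1],
            [0, 1, 1, 0, 0, 1, 1],
            [0, 0, 0, 1, 1, 1, 1]]
K_BYTES, L_BYTES = 16, 16  # k = l = 128 bits: h = first k bits of H(w,s), R = last l bits

def xor(x, y):
    return tuple(a ^ b for a, b in zip(x, y))

def syndrome(x):  # SS.Gen for a syndrome sketch: s = H*w over GF(2)
    return tuple(sum(r[j] & x[j] for j in range(7)) & 1 for r in H_PARITY)

def decode(syn):
    """Minimum-weight error vector with syndrome syn (column j of H is the binary form of j+1)."""
    j = syn[0] + 2 * syn[1] + 4 * syn[2] - 1
    return tuple(1 if i == j else 0 for i in range(7))

def ss_rec(w_noisy, s):  # SS.Rec: remove the error whose syndrome is syndrome(w') - s
    return xor(w_noisy, decode(xor(syndrome(w_noisy), s)))

def f(delta, s_star, s):
    """Linearity map of the syndrome sketch: Rec(w + delta, s*) = w + f(delta, s*, s)."""
    return xor(delta, decode(xor(xor(s, s_star), syndrome(delta))))

def ro(w, s):  # random oracle H(w, s), modelled by SHA-256 (assumption of this example)
    return hashlib.sha256(bytes(w) + b"|" + bytes(s)).digest()

def hfe_gen(w):
    s = syndrome(w)
    d = ro(w, s)
    return d[-L_BYTES:], (s, d[:K_BYTES])  # (R, P = (s, h))

def hfe_rep(w_noisy, p_star):
    """Robust Rep: recover w from (possibly forged) P*, then check h* before releasing a key."""
    s_star, h_star = p_star
    w_rec = ss_rec(w_noisy, s_star)        # equals w + f(delta, s*, s) when w_noisy = w + delta
    d = ro(w_rec, s_star)
    if d[:K_BYTES] != h_star:              # a forged P* passes only if H_1(w + f(.), s*) = h*
        return None
    return d[-L_BYTES:]

def linearity_holds(w):
    """Exhaustively confirm f against SS.Rec for every delta and every candidate s*."""
    s = syndrome(w)
    return all(ss_rec(xor(w, d), s_star) == xor(w, f(d, s_star, s))
               for d in product((0, 1), repeat=7) for s_star in product((0, 1), repeat=3))
```

With a constructed w, a single flipped bit reproduces R, while a helper string whose sketch has been changed, or a reading with two errors, is rejected rather than yielding a key.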

Security Proof for Ring-LPN SKEM

Lemma 6

\( \textsf{SKEM}_{RLPN} \) is correct as long as \( \tau m \le t \).

Proof

Take any encapsulation key \( {\textbf {k}}_1 \in R_2^{\kappa }, k_2 \in \mathbb {Z}_2^k,\) and encapsulation randomness \( a \in R_2, \tilde{{k}} \in \mathbb {Z}_2^{k}\). Also consider \( {\textbf {e}} \) sampled according to \( \textsf{Ber}_{\tau }^{\kappa \cdot n} \). Then the ciphertext/output key is

$$ (c_1,{\textbf {c}}_2) := (a, a{\textbf {k}}_1+{\textbf {e}}+ \mathcal {E}(\tilde{{k}})), \quad k' = \tilde{{k}} \oplus k_2. $$

Note that for \( {\textbf {e}} \leftarrow \textsf{Ber}_{\tau }^{\kappa \cdot n} \), the probability that \( {\textbf {e}} \) has Hamming weight larger than \( \tau m \) is negligible as in [16]. Therefore, \( \mathcal {D}({\textbf {c}}_2-c_1 {\textbf {k}}) = \mathcal {D}({\textbf {e}}+ \mathcal {E}(\tilde{{k}})) = \tilde{{k}} \) with all but negligible probability.    \(\square \)

Lemma 7

The SKEM described above has key-shift pseudorandomness as long as \( \textsf{RLPN}_{\kappa ,R,\tau } \) is hard.

Proof

We will provide a reduction from an algorithm \( \mathcal {B}\) attempting to solve the \( \textsf{RLPN}_{m',R,\tau } \) problem to the algorithm \( \mathcal {A}\) that plays the key-shift pseudorandomness game. We suppose that \( \mathcal {B}\) has access to an oracle that returns arbitrarily many pairs \( (a,{\textbf {b}}) \) where \( (a,{\textbf {b}}) \) is either from the RLPN distribution or from the uniform distribution. Using \( \mathcal {A}\) as a sub-routine, \( \mathcal {B}\) carries out the following steps:

  1. \( \mathcal {B}\) samples the public parameters \( \textsf{pp} \leftarrow \textsf{SKEM}_{RLPN}.\textsf{Setup}(\lambda ) \) and gives them to \( \mathcal {A}\). \( \mathcal {B}\) also samples \( k_2 \).

  2. Whenever \( \mathcal {A}\) makes a \( \mathcal {O}^{\textsf{ksp}} \)-query on \( \delta = (\delta _1,\delta _2) \in R_2^{\kappa } \times \{0,1\}^{k} \), \( \mathcal {B}\) begins by asking its RLPN challenge oracle for a sample \( (a,{\textbf {b}})\). It then samples \( \tilde{k} \leftarrow R_2^{\kappa } \) and returns

     $$ (c_1,{\textbf {c}}_2) = (a,{\textbf {b}}+a\cdot \delta _1 + \mathcal {E}(\tilde{{k}})), \quad k' = \tilde{{k}} \oplus (k_2\oplus \delta _2) $$

     to \( \mathcal {A}\).

  3. When \( \mathcal {A}\) has finished making its queries, it outputs a bit \( b' \). \( \mathcal {B}\) outputs \( b' \).

First note that if \( \mathcal {B}\) has access to truly uniform samples \( (a,{\textbf {b}}) \), then \( \mathcal {B}\)’s answers to \( \mathcal {A}\)’s oracle queries are truly uniform and independent. In other words, \( \mathcal {B}\) perfectly simulates the key-shift pseudorandomness experiment when \( b=0 \). On the other hand, suppose that \( \mathcal {B}\) has access to samples of the form \( (a,a{\textbf {s}}+e) \) where \( {\textbf {s}} \leftarrow R_2^{\kappa } \) that is fixed across queries. In this case, \( \mathcal {B}\)’s answers take the form

$$ (c_1,{\textbf {c}}_2) = (a,a({\textbf {s}}+\delta _1) + {\textbf {e}} + \mathcal {E}(\tilde{{k}})), \quad k' = \tilde{{k}} \oplus (k_2\oplus \delta _2) $$

which is precisely the required form when \( b=1 \) in the key-shift pseudorandomness experiment. Therefore, if \( \mathcal {B}\) outputs the same as \( \mathcal {A}\), then the advantage of \( \mathcal {B}\) in the \( \textsf{RLPN}_{\kappa ,R,\tau } \) problem is exactly the advantage of \( \mathcal {A}\) in the key-shift pseudorandomness game.    \(\square \)

The decapsulation uniformity proof follows trivially from the discussion in Remark 2.


© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG


Deo, A., Grover, C. (2023). Robustly Reusable Fuzzy Extractors in a Post-quantum World. In: Tibouchi, M., Wang, X. (eds) Applied Cryptography and Network Security. ACNS 2023. Lecture Notes in Computer Science, vol 13906. Springer, Cham. https://doi.org/10.1007/978-3-031-33491-7_16


  • Print ISBN: 978-3-031-33490-0

  • Online ISBN: 978-3-031-33491-7
