Abstract
The recent post-quantum cryptography standardization project launched by NIST has increased interest in generic key encapsulation mechanism (KEM) constructions in the quantum random oracle model (QROM). Based on an OW-CPA-secure public-key encryption scheme (PKE), Hofheinz, Hövelmanns and Kiltz (TCC 2017) first presented two generic constructions of an IND-CCA-secure KEM with quartic security loss in the QROM, one with implicit rejection (a pseudorandom key is returned for an invalid ciphertext) and the other with explicit rejection (an abort symbol is returned for an invalid ciphertext). Both are widely used in the NIST Round-1 KEM submissions, and the ones with explicit rejection account for 40%. Recently, the security reductions have been improved to quadratic loss under a standard assumption, and made tight under a nonstandard assumption, by Jiang et al. (Crypto 2018) and Saito, Xagawa and Yamakawa (Eurocrypt 2018). However, these improvements only apply to the KEM submissions with implicit rejection, and the techniques do not seem to carry over to KEMs with explicit rejection.
In this paper, we provide three generic constructions of an IND-CCA-secure KEM with explicit rejection, under the same assumptions and with the same tightness in the security reductions as the aforementioned KEM constructions with implicit rejection (Crypto 2018, Eurocrypt 2018). Specifically, we develop a novel approach to verifying the validity of a ciphertext in the QROM and use it to extend the proof techniques for KEM constructions with implicit rejection (Crypto 2018, Eurocrypt 2018) to our KEM constructions with explicit rejection. Moreover, using an improved version of the one-way to hiding lemma by Ambainis, Hamburg and Unruh (ePrint 2018/904), we present tighter reductions to the standard IND-CPA assumption for two of our constructions. Our results directly apply to 9 KEM submissions with explicit rejection, and provide tighter reductions than previously known (TCC 2017).
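The two rejection modes contrasted in the abstract, as an added example that is not code from the paper: a toy Python model of a Fujisaki-Okamoto-style KEM whose ciphertext is \((c_1, c_2)\) with \(c_1 = Enc(pk, m; G(m))\) and \(c_2 = H'(m)\), where decapsulation re-encrypts and checks the tag before releasing \(H(m)\), mirroring the validity check \(H'_q(c_1) = c_2\) used in Game \(G_3\) of the appendix. The placeholder PKE (a symmetric cipher with pk = sk, standing in for a OW-CPA-secure scheme), the domain-separated SHA-256 stand-ins for the random oracles G, H and H', the byte lengths, and the implicit-rejection key derived from a secret seed s are assumptions of this example, not the paper's definitions.

```python
import hashlib
import hmac
import secrets

# --- Placeholder "PKE" (assumption: not a real public-key scheme) ---------
# pk and sk are the same 32-byte secret, so this is a symmetric cipher in
# disguise. It only provides the Gen/Enc/Dec interface the transform needs.
R_LEN, M_LEN = 16, 32  # randomness and message lengths in bytes (constructed)


def pke_gen():
    sk = secrets.token_bytes(32)
    return sk, sk  # (pk, sk); identical only because of the placeholder


def pke_enc(pk, m, r):
    """Enc(pk, m; r): r is the explicit encryption randomness."""
    pad = hashlib.sha256(b"pad|" + pk + r).digest()[:M_LEN]
    return r + bytes(a ^ b for a, b in zip(m, pad))


def pke_dec(sk, c1):
    r, body = c1[:R_LEN], c1[R_LEN:]
    pad = hashlib.sha256(b"pad|" + sk + r).digest()[:M_LEN]
    return bytes(a ^ b for a, b in zip(body, pad))


# --- Random oracles G, H, H' modelled by domain-separated SHA-256 ----------
def G(m):   # derives the encryption randomness from m
    return hashlib.sha256(b"G|" + m).digest()[:R_LEN]


def H(m):   # derives the session key from m
    return hashlib.sha256(b"H|" + m).digest()


def Hp(m):  # H': the confirmation tag carried as c2
    return hashlib.sha256(b"H'|" + m).digest()


# --- The KEM transform -----------------------------------------------------
def kem_gen():
    pk, sk = pke_gen()
    s = secrets.token_bytes(32)  # rejection seed, used only by implicit rejection
    return pk, (sk, pk, s)


def encaps(pk):
    m = secrets.token_bytes(M_LEN)       # m uniform in the message space
    c1 = pke_enc(pk, m, G(m))            # derandomised: the randomness is G(m)
    c2 = Hp(m)                           # confirmation tag
    return (c1, c2), H(m)


def _recover(sk_full, c):
    """Decrypt c1 and run the validity check (re-encryption plus tag)."""
    sk, pk, _ = sk_full
    c1, c2 = c
    m2 = pke_dec(sk, c1)
    ok = hmac.compare_digest(pke_enc(pk, m2, G(m2)), c1) and \
        hmac.compare_digest(Hp(m2), c2)
    return m2, ok


def decaps_explicit(sk_full, c):
    """Explicit rejection: the abort symbol (None here) on an invalid ciphertext."""
    m2, ok = _recover(sk_full, c)
    return H(m2) if ok else None


def decaps_implicit(sk_full, c):
    """Implicit rejection: a pseudorandom key derived from the secret seed s."""
    m2, ok = _recover(sk_full, c)
    if ok:
        return H(m2)
    _, _, s = sk_full
    return hashlib.sha256(b"reject|" + s + c[0] + c[1]).digest()


def run_demo():
    """Round trip, then tamper with each ciphertext component."""
    pk, sk = kem_gen()
    c, k = encaps(pk)
    bad_tag = (c[0], bytes(len(c[1])))                    # wrong c2
    bad_body = (bytes([c[0][0] ^ 1]) + c[0][1:], c[1])    # flipped bit in c1
    return {
        "roundtrip_ok": decaps_explicit(sk, c) == k == decaps_implicit(sk, c),
        "explicit_rejects": decaps_explicit(sk, bad_tag) is None
        and decaps_explicit(sk, bad_body) is None,
        "implicit_keys_differ": decaps_implicit(sk, bad_tag) != k
        and decaps_implicit(sk, bad_tag) != decaps_implicit(sk, bad_body),
        "implicit_key_deterministic": decaps_implicit(sk, bad_tag)
        == decaps_implicit(sk, bad_tag),
    }


if __name__ == "__main__":
    print(run_demo())
```

With explicit rejection an invalid ciphertext is visibly refused, which is the behaviour whose QROM proof the paper tightens; with implicit rejection the caller receives a key that is deterministic in the ciphertext but unrelated to the honest key, so a tampered ciphertext is only detected later when the derived keys disagree.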
Notes
1. The message m here is picked at random from the message space of the underlying PKE.
2.
3. The probability of decryption failure in a legitimate execution of the scheme.
4. Perfect correctness, i.e., \(\delta =0\), is required by [13]. Here, we just follow this assumption.
5. This name comes from Bernstein and Persichetti’s paper [17].
6.
7. We assume that G, H, \(H'\) are not used in the algorithms of PKE, including Gen, Enc and Dec.
8. The key generation algorithms Gen in KEM-I, KEM-II and KEM-III are the same as the ones in the corresponding underlying PKEs.
9. There may exist some KEMs with neither explicit nor implicit rejection.
10. \(\bar{H}_q\) in the input of \(A^{G\times H}\) denotes the whole truth table of \(\bar{H}_q\). One might worry that \(A^{G\times H}\)’s memory would then need to be exponentially large, but this is not an issue: in the actual games \(\bar{H}_q\) is only used as an oracle that is queried at most \(q_H\) times, so we can equally take \(\bar{H}_q\) to be an accessible oracle instead of a whole truth table.
References
Rackoff, C., Simon, D.R.: Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 433–444. Springer, Heidelberg (1992). https://doi.org/10.1007/3-540-46766-1_35
Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Denning, D.E., Pyle, R., Ganesan, R., Sandhu, R.S., Ashby, V. (eds.) Proceedings of the 1st ACM Conference on Computer and Communications Security – CCS 1993, pp. 62–73. ACM (1993)
Dent, A.W.: A designer’s guide to KEMs. In: Paterson, K.G. (ed.) Cryptography and Coding 2003. LNCS, vol. 2898, pp. 133–151. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-40974-8_12
Hofheinz, D., Hövelmanns, K., Kiltz, E.: A modular analysis of the Fujisaki-Okamoto transformation. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017. LNCS, vol. 10677, pp. 341–371. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70500-2_12
Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. In: Wiener, M.J. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 537–554. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_34
Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. J. Cryptol. 26(1), 1–22 (2013)
Okamoto, T., Pointcheval, D.: REACT: rapid enhanced-security asymmetric cryptosystem transform. In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 159–174. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-45353-9_13
Jean-Sébastien, C., Handschuh, H., Joye, M., Paillier, P., Pointcheval, D., Tymen, C.: GEM: A \(\underline{\rm G}\)eneric chosen-ciphertext secure \(\underline{\rm E}\)ncryption \(\underline{\rm M}\)ethod. In: Preneel, B. (ed.) CT-RSA 2002. LNCS, vol. 2271, pp. 263–276. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45760-7_18
Targhi, E.E., Unruh, D.: Post-quantum security of the Fujisaki-Okamoto and OAEP transforms. In: Hirt, M., Smith, A. (eds.) TCC 2016. LNCS, vol. 9986, pp. 192–216. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53644-5_8
NIST: National Institute for Standards and Technology. Post quantum crypto project (2017). https://csrc.nist.gov/projects/post-quantum-cryptography/round-1-submissions
Boneh, D., Dagdelen, Ö., Fischlin, M., Lehmann, A., Schaffner, C., Zhandry, M.: Random oracles in a quantum world. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 41–69. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_3
Unruh, D.: Non-interactive zero-knowledge proofs in the quantum random oracle model. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 755–784. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_25
Saito, T., Xagawa, K., Yamakawa, T.: Tightly-secure key-encapsulation mechanism in the quantum random oracle model. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10822, pp. 520–551. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78372-7_17
Jiang, H., Zhang, Z., Chen, L., Wang, H., Ma, Z.: IND-CCA-secure key encapsulation mechanism in the quantum random oracle model, revisited. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10993, pp. 96–125. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96878-0_4
Hamburg, M.: Module-LWE: the three bears. Technical report. https://www.shiftleft.org/papers/threebears/
Hülsing, A., Rijneveld, J., Schanck, J., Schwabe, P.: High-speed key encapsulation from NTRU. In: Fischer, W., Homma, N. (eds.) CHES 2017. LNCS, vol. 10529, pp. 232–252. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66787-4_12
Bernstein, D.J., Persichetti, E.: Towards KEM unification. Cryptology ePrint Archive, Report 2018/526 (2018). https://eprint.iacr.org/2018/526
Unruh, D.: Revocable quantum timed-release encryption. J. ACM 62(6), 49:1–49:76 (2015)
Ambainis, A., Hamburg, M., Unruh, D.: Quantum security proofs using semi-classical oracles. Cryptology ePrint Archive, Report 2018/904 (2018). https://eprint.iacr.org/2018/904
Zhandry, M.: How to record quantum queries, and applications to quantum indifferentiability. Cryptology ePrint Archive, Report 2018/276 (2018). https://eprint.iacr.org/2018/276
Boneh, D., Zhandry, M.: Secure signatures and chosen ciphertext security in a quantum computing world. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8043, pp. 361–379. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_21
Nielsen, M.A., Chuang, I.L.: Quantum Computation and Quantum Information. Cambridge University Press, Cambridge (2000). Number 2
Zhandry, M.: Secure identity-based encryption in the quantum random oracle model. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 758–775. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_44
Ambainis, A., Rosmanis, A., Unruh, D.: Quantum attacks on classical proof systems: the hardness of quantum rewinding. In: 55th IEEE Annual Symposium on Foundations of Computer Science - FOCS 2014, pp. 474–483. IEEE (2014)
Hülsing, A., Rijneveld, J., Song, F.: Mitigating multi-target attacks in hash-based signatures. In: Cheng, C.-M., Chung, K.-M., Persiano, G., Yang, B.-Y. (eds.) PKC 2016. LNCS, vol. 9614, pp. 387–416. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49384-7_15
Acknowledgements
We would like to thank the anonymous reviewers of PKC 2019 for their insightful comments. In particular, we are also grateful to Chris Brzuska for his kind suggestions, which were helpful in improving our paper. This work is supported by the National Key Research and Development Program of China (No. 2017YFB0802000), the National Natural Science Foundation of China (No. U1536205, 61472446, 61701539), and the National Cryptography Development Fund (mmjj20180107, mmjj20180212).
A Proof of Theorem 2
Proof
Let be an adversary against the IND-CCA security of KEM-I, issuing at most \(q_D\) queries to the decapsulation oracle Decaps and at most \(q_G\) (\(q_H\), \(q_{H'}\)) queries to the random oracle \(G\) (H, \(H'\)). We follow the same notation \(\varOmega _G\), \(\varOmega _H\), \(\varOmega _{H'}\), \(\varOmega _{H_q}\), \(\varOmega _{H'_q}\), \(\varOmega _{G'}\) and \(\mathcal {C}_1\) as in the proof of Theorem 1. Consider the games in Figs. 11 and 13.
Game \(G_0\). Since game \(G_0\) is exactly the IND-CCA game,
Game \(G_1\). In game \(G_1\), we replace G by \(G'\), a random function whose outputs are uniformly distributed over the “good” randomness, i.e., \(G' \overset{\$}{\leftarrow } \varOmega _{G'}\).
Game \(G_2\). In this game, replace H and \(H'\) by \(H_q\circ g\) and \(H'_q \circ g\) respectively, where
Game \(G_3\). In game \(G_3\), the \(\textsc {Decaps}\) oracle is changed so that it no longer makes any use of the secret key \(sk\). When the \(\textsc {Decaps}\) oracle is queried on \(c=(c_1,c_2)\) (\(c \ne c^*\)), \(K:=H_q(c_1)\) is returned if \(H'_q(c_1)=c_2\), and \(\perp \) otherwise.
Game \(G_4\). In game \(G_4\), we switch the G that only samples from “good” randomness back to an ideal random oracle G.
Using the same analysis as in the proof of Theorem 1, we have
Let \(\ddot{G}\) (\(\ddot{H}\)) be the function that \(\ddot{G}(m^*)=\dot{r}^*\) (\(\ddot{H}(m^*)=\dot{k}_0^{*}\)), and \(\ddot{G}=G\) (\(\ddot{H}=H\)) everywhere else, where \(\dot{r}^*\) and \(\dot{k}_0^{*}\) are picked uniformly at random from \(\mathcal {R}\) and \(\mathcal {K}\).
Game \(G_5\). In game \(G_5\), replace G and H by \(\ddot{G}\) and \(\ddot{H} \) respectively. In this game, the bit \(b\) is independent of the adversary’s view. Hence,
Let \((G \times H)(\cdot )= (G(\cdot ),H(\cdot ))\) and \((\ddot{G} \times \ddot{H})(\cdot )= (\ddot{G}(\cdot ),\ddot{H}(\cdot ))\). Let \(\bar{H}_q\) be the function that \(\bar{H}_q(c_1^*)=\perp \) and \(\bar{H}_q=H_q\) everywhere else. Define \(A^{G \times H}\) as in Fig. 12. Sample pk, \(m^*\), G, \(H_q\), H and \(c_1^*\) in the same way as \(G_4\) and \(G_5\), i.e., \((pk,sk) \leftarrow Gen\), \(m^*\overset{\$}{\leftarrow } \mathcal {M}\), \( G \overset{\$}{\leftarrow } \varOmega _G\), \( H_q \overset{\$}{\leftarrow } \varOmega _{H_q}\), \(H:=H_q \circ g\) and \(c_1^*=Enc(pk,m^*;G(m^*))\), where \(g(\cdot )=Enc(pk,\cdot ;G(\cdot ))\).
Then, \(A^{G\times H}\) on input \((pk, c_1^*, H(m^*), \bar{H}_q)\) perfectly simulates \(G_4\). If we replace \({G\times H}\) by \(\ddot{G} \times \ddot{H}\), \(A^{\ddot{G} \times \ddot{H}}\) on input \((pk, c_1^*,H(m^*), \bar{H}_q)\) perfectly simulates \(G_5\).
Let \(B^{\ddot{G}\times \ddot{H}}\) be an oracle algorithm that on input \((pk, c_1^*, H(m^*), \bar{H}_q)\) does the following: pick \(i \overset{\$}{\leftarrow } \{1,\ldots ,q_G+q_H\}\), run \(A^{\ddot{G}\times \ddot{H}}(pk, c_1^*, H(m^*), \bar{H}_q)\) until the i-th query, measure the argument of the query in the computational basis, output the measurement outcome. Define game \(G_6\) as in Fig. 13.
Applying Lemma 5 with \(X={\mathcal {M}}\), \(Y=(\mathcal {R},\mathcal {K})\), \(S=\{m^*\}\), \(\mathcal {O}_1=\ddot{G} \times \ddot{H}\), \(\mathcal {O}_2={G\times H}\) and \(z=(pk, c_1^*, H(m^*), \bar{H}_q)\), we have
Rearrange game \(G_6\) into game \(G_7\), see Fig. 13. Clearly, . Then, we construct an adversary against the OW-CPA security of PKE such that The adversary on input (\(1^\lambda \), pk, \(c_1^*\)) does the following:
1. Run the adversary in game \(G_7\).
2. Pick a \(2q_G\) (\(2q_H\), \(2q_{H'}\))-wise independent function uniformly at random and use it to simulate the random oracle G (\(H_q\), \(H'_q\)). The random oracle H (\(H'\)) is simulated by \(H_q \circ g\) (\(H'_q\circ g\)). Use \(G\times H\) to answer the adversary’s queries to both G and H.
3. Let \(c_2^*=H'_q(c_1^*)\) and \(c^*= (c_1^*,c_2^*)\).
4. Answer the decapsulation queries by using the Decaps oracle as in Fig. 13.
5. Select \(k^*\overset{\$}{\leftarrow } \mathcal {K}\) and respond to the adversary’s challenge query with (\(c^*\), \(k^{*}\)).
6. Select \( i \overset{\$}{\leftarrow } \{1,\ldots ,q_G+q_H\}\), measure the argument \(\hat{m}\) of the i-th query to \(G\times H\) and output \(\hat{m}\).
It is obvious that Combining this with the bounds derived above, we can conclude that
\(\square \)
Copyright information
© 2019 International Association for Cryptologic Research
About this paper
Cite this paper
Jiang, H., Zhang, Z., Ma, Z. (2019). Key Encapsulation Mechanism with Explicit Rejection in the Quantum Random Oracle Model. In: Lin, D., Sako, K. (eds) Public-Key Cryptography – PKC 2019. PKC 2019. Lecture Notes in Computer Science(), vol 11443. Springer, Cham. https://doi.org/10.1007/978-3-030-17259-6_21
DOI: https://doi.org/10.1007/978-3-030-17259-6_21
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-17258-9
Online ISBN: 978-3-030-17259-6