Key Encapsulation Mechanism with Explicit Rejection in the Quantum Random Oracle Model

Abstract

The recent post-quantum cryptography standardization project launched by NIST increased the interest in generic key encapsulation mechanism (KEM) constructions in the quantum random oracle (QROM). Based on a OW-CPA-secure public-key encryption (PKE), Hofheinz, Hövelmanns and Kiltz (TCC 2017) first presented two generic constructions of an IND-CCA-secure KEM with quartic security loss in the QROM, one with implicit rejection (a pseudorandom key is return for an invalid ciphertext) and the other with explicit rejection (an abort symbol is returned for an invalid ciphertext). Both are widely used in the NIST Round-1 KEM submissions and the ones with explicit rejection account for 40%. Recently, the security reductions have been improved to quadratic loss under a standard assumption, and be tight under a nonstandard assumption by Jiang et al. (Crypto 2018) and Saito, Xagawa and Yamakawa (Eurocrypt 2018). However, these improvements only apply to the KEM submissions with implicit rejection and the techniques do not seem to carry over to KEMs with explicit rejection.

In this paper, we provide three generic constructions of an IND-CCA-secure KEM with explicit rejection, under the same assumptions and with the same tightness in the security reductions as the aforementioned KEM constructions with implicit rejection (Crypto 2018, Eurocrypt 2018). Specifically, we develop a novel approach to verify the validity of a ciphertext in the QROM and use it to extend the proof techniques for KEM constructions with implicit rejection (Crypto 2018, Eurocrypt 2018) to our KEM constructions with explicit rejection. Moreover, using an improved version of one-way to hiding lemma by Ambainis, Hamburg and Unruh (ePrint 2018/904), for two of our constructions, we present tighter reductions to the standard IND-CPA assumption. Our results directly apply to 9 KEM submissions with explicit rejection, and provide tighter reductions than previously known (TCC 2017).

A Proof of Theorem 2

Proof

Let be an adversary against the IND-CCA security of KEM-I, issuing at most \(q_D\) queries to the decapsulation oracle Decaps, at most \(q_G\) (\(q_H\), \(q_{H'}\)) queries to the random oracle \(G\) (H, \(H'\)). Follow the same notations \(\varOmega _G\), \(\varOmega _H\), \(\varOmega _{H'}\), \(\varOmega _{H_q}\), \(\varOmega _{H'_q}\), \(\varOmega _{G'}\) and \(\mathcal {C}_1\) as in the proof of Theorem 1. Consider the games in Figs. 11 and 13.

Game \(G_0\). Since game \(G_0\) is exactly the IND-CCA game,

Game \(G_1\). In game \(G_1\), we replace G by \(G'\) that uniformly samples from “good” randomness at random, i.e., \(G' \overset{\$}{\leftarrow } \varOmega _{G'}\).

Game \(G_2\). In this game, replace H and \(H'\) by \(H_q\circ g\) and \(H'_q \circ g\) respectively, where

$$\begin{aligned} g(\cdot )=Enc(pk,\cdot ;G(\cdot )). \end{aligned}$$

Game \(G_3\). In game \(G_3\), the \(\textsc {Decaps}\) oracle is changed that it makes no use of the secret key \(sk\) any more. When queries the \(\textsc {Decaps}\) oracle on \(c=(c_1,c_2)\) (\(c \ne c^*\)), \(K:=H_q(c_1)\) is returned if \(H'_q(c_1)=c_2\), otherwise \(\perp \).

Game \(G_4\). In game \(G_4\), we switch the G that only samples from “good” randomness back to an ideal random oracle G.

Using the same analysis as in the proof of Theorem 1, we can have

Let \(\ddot{G}\) (\(\ddot{H}\)) be the function that \(\ddot{G}(m^*)=\dot{r}^*\) (\(\ddot{H}(m^*)=\dot{k}_0^{*}\)), and \(\ddot{G}=G\) (\(\ddot{H}=H\)) everywhere else, where \(\dot{r}^*\) and \(\dot{k}_0^{*}\) are picked uniformly at random from \(\mathcal {R}\) and \(\mathcal {K}\).

Fig. 11.

Games \(G_0\)-\(G_5\) for the proof of Theorem 2

Fig. 12.

\(A^{G \times H}\) for the proof of Theorem 2.

Fig. 13.

Game \(G_6\) and game \(G_7\) for the proof of Theorem 2

Game \(G_5\). In game \(G_5\), replace G and H by \(\ddot{G}\) and \(\ddot{H} \) respectively. In this game, bit \(b\) is independent of ’s view. Hence,

Let \((G \times H)(\cdot )= (G(\cdot ),H(\cdot ))\) and \((\ddot{G} \times \ddot{H})(\cdot )= (\ddot{G}(\cdot ),\ddot{H}(\cdot ))\). Let \(\bar{H}_q\) be the function that \(\bar{H}_q(c_1^*)=\perp \) and \(\bar{H}_q=H_q\) everywhere else. Define \(A^{G \times H}\) as in Fig. 12. Sample pk, \(m^*\), G, \(H_q\), H and \(c_1^*\) in the same way as \(G_4\) and \(G_5\), i.e., \((pk,sk) \leftarrow Gen\), \(m^*\overset{\$}{\leftarrow } \mathcal {M}\), \( G \overset{\$}{\leftarrow } \varOmega _G\), \( H_q \overset{\$}{\leftarrow } \varOmega _{H_q}\), \(H:=H_q \circ g\) and \(c_1^*=Enc(pk,m^*;G(m^*))\), where \(g(\cdot )=Enc(pk,\cdot ;G(\cdot ))\).

Then, \(A^{G\times H}\) on input \((pk, c_1^*, H(m^*), \bar{H}_q)\) perfectly simulates \(G_4\). If we replace \({G\times H}\) by \(\ddot{G} \times \ddot{H}\), \(A^{\ddot{G} \times \ddot{H}}\) on input \((pk, c_1^*,H(m^*), \bar{H}_q)\) perfectly simulates \(G_5\).

Let \(B^{\ddot{G}\times \ddot{H}}\) be an oracle algorithm that on input \((pk, c_1^*, H(m^*), \bar{H}_q)\) does the following: pick \(i \overset{\$}{\leftarrow } \{1,\ldots ,q_G+q_H\}\), run \(A^{\ddot{G}\times \ddot{H}}(pk, c_1^*, H(m^*), \bar{H}_q)\) until the i-th query, measure the argument of the query in the computational basis, output the measurement outcome. Define game \(G_6\) as in Fig. 13.

Applying Lemma 5 with \(X={\mathcal {M}}\), \(Y=(\mathcal {R},\mathcal {K})\), \(S=\{m^*\}\), \(\mathcal {O}_1=\ddot{G} \times \ddot{H}\), \(\mathcal {O}_2={G\times H}\) and \(z=(pk, c_1^*, H(m^*), \bar{H}_q)\), we can have

Rearrange game \(G_6\) into game \(G_7\), see Fig. 13. Clearly, . Then, we construct an adversary against the OW-CPA security of PKE such that The adversary on input (\(1^\lambda \), pk, \(c_1^*\)) does the following:

1. 1.

   Run the adversary in game \(G_7\).

2. 2.

   Pick a \(2q_G\) (\(2q_H\), \(2q_{H'}\))-wise independent function uniformly at random and use it to simulate the random oracle G (\(H_q\), \(H'_q\)). The random oracle H (\(H'\)) is simulated by \(H_q \circ g\) (\(H'_q\circ g\)). Use \(G\times H\) to answer ’s queries to both G and H.

3. 3.

   Let \(c_2^*=H'_q(c_1^*)\) and \(c^*= (c_1^*,c_2^*)\).

4. 4.

   Answer the decapsulation queries by using the Decaps oracle as in Fig. 13.

5. 5.

   Select \(k^*\overset{\$}{\leftarrow } \mathcal {K}\) and respond to ’s challenge query with (\(c^*\), \(k^{*}\)).

6. 6.

   Select \( i \overset{\$}{\leftarrow } \{1,\ldots ,q_G+q_H\}\), measure the argument \(\hat{m}\) of the i-th query to \(G\times H\) and output \(\hat{m}\).

It is obvious that Combing this with the bounds derived above, we can conclude that

   \(\square \)