Skip to main content

Key Encapsulation Mechanism with Explicit Rejection in the Quantum Random Oracle Model

  • Conference paper
  • First Online:
Public-Key Cryptography – PKC 2019 (PKC 2019)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 11443))

Included in the following conference series:

Abstract

The recent post-quantum cryptography standardization project launched by NIST increased the interest in generic key encapsulation mechanism (KEM) constructions in the quantum random oracle (QROM). Based on a OW-CPA-secure public-key encryption (PKE), Hofheinz, Hövelmanns and Kiltz (TCC 2017) first presented two generic constructions of an IND-CCA-secure KEM with quartic security loss in the QROM, one with implicit rejection (a pseudorandom key is return for an invalid ciphertext) and the other with explicit rejection (an abort symbol is returned for an invalid ciphertext). Both are widely used in the NIST Round-1 KEM submissions and the ones with explicit rejection account for 40%. Recently, the security reductions have been improved to quadratic loss under a standard assumption, and be tight under a nonstandard assumption by Jiang et al. (Crypto 2018) and Saito, Xagawa and Yamakawa (Eurocrypt 2018). However, these improvements only apply to the KEM submissions with implicit rejection and the techniques do not seem to carry over to KEMs with explicit rejection.

In this paper, we provide three generic constructions of an IND-CCA-secure KEM with explicit rejection, under the same assumptions and with the same tightness in the security reductions as the aforementioned KEM constructions with implicit rejection (Crypto 2018, Eurocrypt 2018). Specifically, we develop a novel approach to verify the validity of a ciphertext in the QROM and use it to extend the proof techniques for KEM constructions with implicit rejection (Crypto 2018, Eurocrypt 2018) to our KEM constructions with explicit rejection. Moreover, using an improved version of one-way to hiding lemma by Ambainis, Hamburg and Unruh (ePrint 2018/904), for two of our constructions, we present tighter reductions to the standard IND-CPA assumption. Our results directly apply to 9 KEM submissions with explicit rejection, and provide tighter reductions than previously known (TCC 2017).

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Subscribe and save

Springer+ Basic
EUR 32.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 79.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 99.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

Notes

  1. 1.

    The message m here is picked at random from the message space of underlying PKE.

  2. 2.

    Actually, \(\mathrm {QFO}^{\perp }\) was not definitely presented by [4]. But, its construction is the same as \(\mathrm {QFO}_m^{{\perp }}\) except that \(K=H(m,c)\) and its security can be easily derived from the security proof of \(\mathrm {QFO}_m^{{\perp }}\) in [4].

  3. 3.

    The probability of decryption failure in a legitimate execution of the scheme.

  4. 4.

    Perfect correctness, i.e., \(\delta =0\) is required by [13]. Here, we just follow this assumption.

  5. 5.

    This name comes from Bernstein and Persichetti’s paper [17].

  6. 6.

    Such a non-adaptive RO programming technique is also used in [11, 13, 14].

  7. 7.

    We assume that G, H, \(H'\) are not used in the algorithms of PKE, including Gen, Enc and Dec.

  8. 8.

    The key generation algorithms Gen in KEM-I, KEM-II and KEM-III are the same as the ones in corresponding underlying PKEs.

  9. 9.

    There may exist some KEMs with neither explicit nor implicit rejection.

  10. 10.

    \(\bar{H}_q\) here in the input of \(A^{G\times H}\) is the whole truth table of \(\bar{H}_q\). One may wonder that the size of \(A^{G\times H}\)’s memory needs to be exponentially large. Don’t worry about this. \(\bar{H}_q\) is just taken as an oracle to make queries (with at most \(q_H\) times) in actual games. That is, we can also take \(\bar{H}_q\) as an accessible oracle instead of a whole truth table.

References

  1. Rackoff, C., Simon, D.R.: Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 433–444. Springer, Heidelberg (1992). https://doi.org/10.1007/3-540-46766-1_35

    Chapter  Google Scholar 

  2. Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Denning, D.E., Pyle, R., Ganesan, R., Sandhu, R.S., Ashby, V. (eds.) Proceedings of the 1st ACM Conference on Computer and Communications Security – CCS 1993, pp. 62–73. ACM (1993)

    Google Scholar 

  3. Dent, A.W.: A designer’s guide to KEMs. In: Paterson, K.G. (ed.) Cryptography and Coding 2003. LNCS, vol. 2898, pp. 133–151. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-40974-8_12

    Chapter  Google Scholar 

  4. Hofheinz, D., Hövelmanns, K., Kiltz, E.: A modular analysis of the Fujisaki-Okamoto transformation. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017. LNCS, vol. 10677, pp. 341–371. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70500-2_12

    Chapter  MATH  Google Scholar 

  5. Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. In: Wiener, M.J. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 537–554. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_34

    Chapter  Google Scholar 

  6. Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. J. Cryptol. 26(1), 1–22 (2013)

    Article  MathSciNet  Google Scholar 

  7. Okamoto, T., Pointcheval, D.: REACT: rapid enhanced-security asymmetric cryptosystem transform. In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 159–174. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-45353-9_13

    Chapter  Google Scholar 

  8. Jean-Sébastien, C., Handschuh, H., Joye, M., Paillier, P., Pointcheval, D., Tymen, C.: GEM: A \(\underline{\rm G}\)eneric chosen-ciphertext secure \(\underline{\rm E}\)ncryption \(\underline{\rm M}\)ethod. In: Preneel, B. (ed.) CT-RSA 2002. LNCS, vol. 2271, pp. 263–276. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45760-7_18

    Chapter  Google Scholar 

  9. Targhi, E.E., Unruh, D.: Post-quantum security of the Fujisaki-Okamoto and OAEP transforms. In: Hirt, M., Smith, A. (eds.) TCC 2016. LNCS, vol. 9986, pp. 192–216. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53644-5_8

    Chapter  MATH  Google Scholar 

  10. NIST: National Institute for Standards and Technology. Post quantum crypto project (2017). https://csrc.nist.gov/projects/post-quantum-cryptography/round-1-submissions

  11. Boneh, D., Dagdelen, Ö., Fischlin, M., Lehmann, A., Schaffner, C., Zhandry, M.: Random oracles in a quantum world. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 41–69. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_3

    Chapter  MATH  Google Scholar 

  12. Unruh, D.: Non-interactive zero-knowledge proofs in the quantum random oracle model. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 755–784. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_25

    Chapter  MATH  Google Scholar 

  13. Saito, T., Xagawa, K., Yamakawa, T.: Tightly-secure key-encapsulation mechanism in the quantum random oracle model. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10822, pp. 520–551. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78372-7_17

    Chapter  MATH  Google Scholar 

  14. Jiang, H., Zhang, Z., Chen, L., Wang, H., Ma, Z.: IND-CCA-secure key encapsulation mechanism in the quantum random oracle model, revisited. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10993, pp. 96–125. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96878-0_4

    Chapter  Google Scholar 

  15. Hamburg, M.: Module-LWE: the three bears. Technical report. https://www.shiftleft.org/papers/threebears/

  16. Hülsing, A., Rijneveld, J., Schanck, J., Schwabe, P.: High-speed key encapsulation from NTRU. In: Fischer, W., Homma, N. (eds.) CHES 2017. LNCS, vol. 10529, pp. 232–252. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66787-4_12

    Chapter  Google Scholar 

  17. Bernstein, D.J., Persichetti, E.: Towards KEM unification. Cryptology ePrint Archive, Report 2018/526 (2018). https://eprint.iacr.org/2018/526

  18. Unruh, D.: Revocable quantum timed-release encryption. J. ACM 62(6), 49:1–49:76 (2015)

    Article  MathSciNet  Google Scholar 

  19. Ambainis, A., Hamburg, M., Unruh, D.: Quantum security proofs using semi-classical oracles. Cryptology ePrint Archive, Report 2018/904 (2018). https://eprint.iacr.org/2018/904

  20. Zhandry, M.: How to record quantum queries, and applications to quantum indifferentiability. Cryptology ePrint Archive, Report 2018/276 (2018). https://eprint.iacr.org/2018/276

  21. Boneh, D., Zhandry, M.: Secure signatures and chosen ciphertext security in a quantum computing world. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8043, pp. 361–379. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_21

    Chapter  MATH  Google Scholar 

  22. Nielsen, M.A., Chuang, I.L.: Quantum Computation and Quantum Information. Cambridge University Press, Cambridge (2000). Number 2

    MATH  Google Scholar 

  23. Zhandry, M.: Secure identity-based encryption in the quantum random oracle model. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 758–775. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_44

    Chapter  MATH  Google Scholar 

  24. Ambainis, A., Rosmanis, A., Unruh, D.: Quantum attacks on classical proof systems: the hardness of quantum rewinding. In: 55th IEEE Annual Symposium on Foundations of Computer Science - FOCS 2014, pp. 474–483. IEEE (2014)

    Google Scholar 

  25. Hülsing, A., Rijneveld, J., Song, F.: Mitigating multi-target attacks in hash-based signatures. In: Cheng, C.-M., Chung, K.-M., Persiano, G., Yang, B.-Y. (eds.) PKC 2016. LNCS, vol. 9614, pp. 387–416. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49384-7_15

    Chapter  Google Scholar 

Download references

Acknowledgements

We would like to thank anonymous reviews of PKC 2019 for their insightful comments. In particular, we are also grateful to Chris Brzuska for his kind suggestions which are helpful in improving our paper. This work is supported by the National Key Research and Development Program of China (No. 2017YFB0802000), the National Natural Science Foundation of China (No. U1536205, 61472446, 61701539), and the National Cryptography Development Fund (mmjj20180107, mmjj20180212).

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Zhenfeng Zhang .

Editor information

Editors and Affiliations

A Proof of Theorem 2

A Proof of Theorem 2

Proof

Let be an adversary against the IND-CCA security of KEM-I, issuing at most \(q_D\) queries to the decapsulation oracle Decaps, at most \(q_G\) (\(q_H\), \(q_{H'}\)) queries to the random oracle \(G\) (H, \(H'\)). Follow the same notations \(\varOmega _G\), \(\varOmega _H\), \(\varOmega _{H'}\), \(\varOmega _{H_q}\), \(\varOmega _{H'_q}\), \(\varOmega _{G'}\) and \(\mathcal {C}_1\) as in the proof of Theorem 1. Consider the games in Figs. 11 and 13.

Game \(G_0\). Since game \(G_0\) is exactly the IND-CCA game,

figure n

Game \(G_1\). In game \(G_1\), we replace G by \(G'\) that uniformly samples from “good” randomness at random, i.e., \(G' \overset{\$}{\leftarrow } \varOmega _{G'}\).

Game \(G_2\). In this game, replace H and \(H'\) by \(H_q\circ g\) and \(H'_q \circ g\) respectively, where

$$\begin{aligned} g(\cdot )=Enc(pk,\cdot ;G(\cdot )). \end{aligned}$$

Game \(G_3\). In game \(G_3\), the \(\textsc {Decaps}\) oracle is changed that it makes no use of the secret key \(sk\) any more. When queries the \(\textsc {Decaps}\) oracle on \(c=(c_1,c_2)\) (\(c \ne c^*\)), \(K:=H_q(c_1)\) is returned if \(H'_q(c_1)=c_2\), otherwise \(\perp \).

Game \(G_4\). In game \(G_4\), we switch the G that only samples from “good” randomness back to an ideal random oracle G.

Using the same analysis as in the proof of Theorem 1, we can have

Let \(\ddot{G}\) (\(\ddot{H}\)) be the function that \(\ddot{G}(m^*)=\dot{r}^*\) (\(\ddot{H}(m^*)=\dot{k}_0^{*}\)), and \(\ddot{G}=G\) (\(\ddot{H}=H\)) everywhere else, where \(\dot{r}^*\) and \(\dot{k}_0^{*}\) are picked uniformly at random from \(\mathcal {R}\) and \(\mathcal {K}\).

Fig. 11.
figure 11

Games \(G_0\)-\(G_5\) for the proof of Theorem 2

Fig. 12.
figure 12

\(A^{G \times H}\) for the proof of Theorem 2.

Fig. 13.
figure 13

Game \(G_6\) and game \(G_7\) for the proof of Theorem 2

Game \(G_5\). In game \(G_5\), replace G and H by \(\ddot{G}\) and \(\ddot{H} \) respectively. In this game, bit \(b\) is independent of ’s view. Hence,

Let \((G \times H)(\cdot )= (G(\cdot ),H(\cdot ))\) and \((\ddot{G} \times \ddot{H})(\cdot )= (\ddot{G}(\cdot ),\ddot{H}(\cdot ))\). Let \(\bar{H}_q\) be the function that \(\bar{H}_q(c_1^*)=\perp \) and \(\bar{H}_q=H_q\) everywhere else. Define \(A^{G \times H}\) as in Fig. 12. Sample pk, \(m^*\), G, \(H_q\), H and \(c_1^*\) in the same way as \(G_4\) and \(G_5\), i.e., \((pk,sk) \leftarrow Gen\), \(m^*\overset{\$}{\leftarrow } \mathcal {M}\), \( G \overset{\$}{\leftarrow } \varOmega _G\), \( H_q \overset{\$}{\leftarrow } \varOmega _{H_q}\), \(H:=H_q \circ g\) and \(c_1^*=Enc(pk,m^*;G(m^*))\), where \(g(\cdot )=Enc(pk,\cdot ;G(\cdot ))\).

Then, \(A^{G\times H}\) on input \((pk, c_1^*, H(m^*), \bar{H}_q)\) perfectly simulates \(G_4\). If we replace \({G\times H}\) by \(\ddot{G} \times \ddot{H}\), \(A^{\ddot{G} \times \ddot{H}}\) on input \((pk, c_1^*,H(m^*), \bar{H}_q)\) perfectly simulates \(G_5\).

Let \(B^{\ddot{G}\times \ddot{H}}\) be an oracle algorithm that on input \((pk, c_1^*, H(m^*), \bar{H}_q)\) does the following: pick \(i \overset{\$}{\leftarrow } \{1,\ldots ,q_G+q_H\}\), run \(A^{\ddot{G}\times \ddot{H}}(pk, c_1^*, H(m^*), \bar{H}_q)\) until the i-th query, measure the argument of the query in the computational basis, output the measurement outcome. Define game \(G_6\) as in Fig. 13.

Applying Lemma 5 with \(X={\mathcal {M}}\), \(Y=(\mathcal {R},\mathcal {K})\), \(S=\{m^*\}\), \(\mathcal {O}_1=\ddot{G} \times \ddot{H}\), \(\mathcal {O}_2={G\times H}\) and \(z=(pk, c_1^*, H(m^*), \bar{H}_q)\), we can have

Rearrange game \(G_6\) into game \(G_7\), see Fig. 13. Clearly, . Then, we construct an adversary against the OW-CPA security of PKE such that The adversary on input (\(1^\lambda \), pk, \(c_1^*\)) does the following:

  1. 1.

    Run the adversary in game \(G_7\).

  2. 2.

    Pick a \(2q_G\) (\(2q_H\), \(2q_{H'}\))-wise independent function uniformly at random and use it to simulate the random oracle G (\(H_q\), \(H'_q\)). The random oracle H (\(H'\)) is simulated by \(H_q \circ g\) (\(H'_q\circ g\)). Use \(G\times H\) to answer ’s queries to both G and H.

  3. 3.

    Let \(c_2^*=H'_q(c_1^*)\) and \(c^*= (c_1^*,c_2^*)\).

  4. 4.

    Answer the decapsulation queries by using the Decaps oracle as in Fig. 13.

  5. 5.

    Select \(k^*\overset{\$}{\leftarrow } \mathcal {K}\) and respond to ’s challenge query with (\(c^*\), \(k^{*}\)).

  6. 6.

    Select \( i \overset{\$}{\leftarrow } \{1,\ldots ,q_G+q_H\}\), measure the argument \(\hat{m}\) of the i-th query to \(G\times H\) and output \(\hat{m}\).

It is obvious that Combing this with the bounds derived above, we can conclude that

figure q

   \(\square \)

Rights and permissions

Reprints and permissions

Copyright information

© 2019 International Association for Cryptologic Research

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Jiang, H., Zhang, Z., Ma, Z. (2019). Key Encapsulation Mechanism with Explicit Rejection in the Quantum Random Oracle Model. In: Lin, D., Sako, K. (eds) Public-Key Cryptography – PKC 2019. PKC 2019. Lecture Notes in Computer Science(), vol 11443. Springer, Cham. https://doi.org/10.1007/978-3-030-17259-6_21

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-17259-6_21

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-17258-9

  • Online ISBN: 978-3-030-17259-6

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics