Abstract
Selective opening (SO) security is one of the most important security notions for public key encryption (PKE) in a multi-user setting. Even if the messages and random coins used in some ciphertexts are leaked, SO security guarantees the confidentiality of the remaining ciphertexts. Indeed, it has been shown that there exist PKE schemes which meet standard security notions such as indistinguishability against chosen ciphertext attacks (IND-CCA security) but do not meet SO security against chosen ciphertext attacks. Hence, it is important to consider SO security in the multi-user setting. On the other hand, many researchers have studied cryptosystems in security models where adversaries can submit quantum superposition queries (i.e., quantum queries) to oracles. In particular, IND-CCA secure PKE and KEM schemes in the quantum random oracle model have been intensively studied.
In this paper, we show that two kinds of constructions of hybrid encryption schemes meet simulation-based SO security against chosen ciphertext attacks (SIM-SO-CCA security) in the quantum random oracle model or the quantum ideal cipher model. The first scheme is constructed from any IND-CCA secure KEM and any simulatable data encapsulation mechanism (DEM). The second one is constructed from any IND-CCA secure KEM based on the Fujisaki-Okamoto transformation and any strongly unforgeable message authentication code (MAC). Any IND-CCA secure KEM can be used in the first construction provided the underlying DEM is simulatable, whereas any DEM with integrity can be used in the second construction provided the underlying KEM is based on the Fujisaki-Okamoto transformation.
Acknowledgements
The authors would like to thank the anonymous referees for their helpful comments.
Appendix A: Proof of Lemma 1
We prove Lemma 1 using the same notation as in the proof of Theorem 2. For \(i \in \{ 0,1,\ldots ,4 \}\), we consider games \(\mathsf {Hybrid}_i\), and let \(H_i\) be the event that \(\mathsf {A}\) outputs out such that \(R(\mathcal {M}_{\mathrm {D}},m_1,\ldots ,m_n,I,out) = 1\) in \(\mathsf {Hybrid}_i\), and \(\mathsf {Find}_i\) be the event that the semi-classical oracle \(O_{S}^{SC}\) returns \(\sum _{x \in S,y \in \mathcal {Y}} \psi _{x,y}^\prime | x,y \rangle | 1 \rangle \) for a quantum query \(\sum _{x \in \mathcal {M}^{asy},y \in \mathcal {Y}} \psi _{x,y} | x,y \rangle \) to the random oracle \(\mathsf {G}\) (resp. \(\mathsf {H}\)), where \(S = \{ r_i \}_{i \in [n] \backslash I}\) and \(\mathcal {Y}= \mathcal {R}^{asy}\) (resp. \(\mathcal {Y}= \mathcal {C}^{asy} \times \mathcal {K}^{sym} \times \mathcal {K}^{mac}\)).
Furthermore, in the same way as the proof in Theorem 2, random oracles \(\ddot{\mathsf {G}}\) and \(\ddot{\mathsf {H}}\) are defined. Namely, \(\ddot{\mathsf {G}}\) (resp. \(\ddot{\mathsf {H}}\)) is a random oracle such that \(\ddot{\mathsf {G}}(r)\) (resp. \(\ddot{\mathsf {H}}(r,e)\)) is sampled from \(\mathcal {R}^{asy}\) (resp. \(\mathcal {K}^{sym} \times \mathcal {K}^{mac}\)) uniformly at random if \(r \in \{ r_i \}_{i \in [n]\backslash I}\), and \(\ddot{\mathsf {G}}(r) = \mathsf {G}(r)\) (resp. \(\ddot{\mathsf {H}}(r,e) = \mathsf {H}(r,e)\)) holds otherwise.
\(\mathsf {Hybrid}_{0}\): This game is the same as \(\mathsf {Game}_5\) in Theorem 2. Then, we have \(\Pr [H_0] = \Pr [W_5]\). \(\blacksquare \)
\(\mathsf {Hybrid}_{1}\): This game is the same as \(\mathsf {Hybrid}_0\) except that we replace \(\mathsf {G}\) and \(\mathsf {H}\) by \(\ddot{\mathsf {G}} \backslash S\) and \(\ddot{\mathsf {H}} \backslash S\), respectively, where \(S = \{ r_i \}_{i \in [n] \backslash I}\). From Proposition 1, we have \(\left| \Pr [H_0] - \Pr [H_1] \right| \le 2\sqrt{(q_g + q_h)\Pr [\mathsf {Find}_1]}\). Notice that we also have \(\Pr [H_1] = \Pr [W_6]\). \(\blacksquare \)
\(\mathsf {Hybrid}_{2}\): This game is the same as \(\mathsf {Hybrid}_1\) except that for all \(i \in [n]\), we compute \(\hat{r}_i \leftarrow \ddot{\mathsf {G}}(r_i)\) and \((\mathsf {k}_i^{sym},\mathsf {k}_i^{mac}) \leftarrow \ddot{\mathsf {H}}(r_i,e_i)\) instead of \(\hat{r}_i \leftarrow \mathsf {G}(r_i)\) and \((\mathsf {k}_i^{sym},\mathsf {k}_i^{mac}) \leftarrow \mathsf {H}(r_i,e_i)\), respectively. We have \(\Pr [\mathsf {Find}_2] = \Pr [\mathsf {Find}_1]\) because from here on we only consider the event \(\mathsf {Find}\), not the output of \(\mathsf {A}\). \(\blacksquare \)
\(\mathsf {Hybrid}_{3}\): This game is the same as \(\mathsf {Hybrid}_2\) except that we replace \(\ddot{\mathsf {G}}\) and \(\ddot{\mathsf {H}}\) by \(\mathsf {G}\) and \(\mathsf {H}\), respectively. Because this change does not alter the view of \(\mathsf {A}\), \(\Pr [\mathsf {Find}_3] =\Pr [\mathsf {Find}_2]\) holds. \(\blacksquare \)
\(\mathsf {Hybrid}_{4}\): This game is the same as \(\mathsf {Hybrid}_3\) except that we replace \(r_i\) by \(r_i^\prime \) for all \(i \in [n]\). Notice that we do not replace the set \(S = \{ r_i \}_{i \in [n] \backslash I}\) by \(\{ r_i^\prime \}_{i \in [n] \backslash I}\).
From Proposition 2, we get \(\Pr [\mathsf {Find}_4] \le 4n(q_g + q_h)/|\mathcal {M}^{asy}|\). In addition, we show \(\left| \Pr [\mathsf {Find}_3] - \Pr [\mathsf {Find}_4] \right| \le n \cdot \mathsf {Adv}_{\mathsf {PKE},\mathsf {D}}^{ind-cpa }(\lambda )\) by constructing the following PPT algorithm \(\mathsf {D}\) breaking the \(\mathsf {IND}- \mathsf {CPA}\) security of \(\mathsf {PKE}^{asy}\): Given a public key \(\mathsf {pk}^{asy}\), \(\mathsf {D}\) chooses \(i^* \in [n]\), \(r_{i^*},r_{i^*}^\prime \in \mathcal {M}^{asy}\), and \(\mathsf {k}_{i^*} \in \mathcal {K}\) uniformly at random. It submits \((r_{i^*},r_{i^*}^\prime )\) to the challenger in the \(\mathsf {IND}- \mathsf {CPA}\) game and receives \(e_{i^*}\). Then it computes \(e_i \leftarrow \mathsf {Enc}^{asy}(\mathsf {pk},r_i,\mathsf {G}(r_i))\) and \(\mathsf {k}_i \leftarrow \mathsf {H}_q(e_i)\) for \(i \in [n] \backslash \{ i^* \}\). In order to simulate the random oracle \(\mathsf {G}\) (resp. \(\mathsf {H}_q\)), \(\mathsf {D}\) chooses a \(2q_g\)-wise independent hash function (resp. a \(2q_h\)-wise independent hash function) at random. It sets \(I \leftarrow \emptyset \) and sends \(\mathsf {pk}:= \mathsf {pk}^{asy}\) to \(\mathsf {A}\).
When \(\mathsf {A}\) submits \(\mathcal {M}_{\mathrm {D}}\), \(\mathsf {D}\) samples \((m_1,\ldots ,m_n) \leftarrow \mathcal {M}_{\mathrm {D}}\) and computes \(d_i \leftarrow \mathsf {k}_i^{sym} \oplus m_i\) and \(\tau _i \leftarrow \mathsf {Tag}(\mathsf {k}_i^{mac},d_i)\) for \(i \in [n]\). Then, it returns \(((e_i,d_i,\tau _i))_{i \in [n]}\).
\(\mathsf {D}\) simulates oracles in the following way: When \(\mathsf {A}\) issues a quantum query \(\sum _{r \in \mathcal {M}^{asy},y \in \mathcal {Y}} \psi _{r,y} | r,y \rangle \) to the random oracle \(\mathsf {G}\) (resp. \(\mathsf {H}\)) for \(\mathcal {Y}= \mathcal {R}^{asy}\) (resp. \(\mathcal {Y}= \mathcal {C}^{asy} \times \mathcal {K}^{sym} \times \mathcal {K}^{mac}\)), \(\mathsf {D}\) submits \(\sum _{r \in \mathcal {M}^{asy},y \in \mathcal {Y}} \psi _{r,y} | r,y \rangle | 0 \rangle \) to a semi-classical oracle \(O_S^{SC}\). It halts and outputs 1 if \(O_S^{SC}\) returns the quantum superposition state \(\sum _{r \in \mathcal {M}^{asy},y \in \mathcal {Y}} \psi _{r,y}^\prime | r,y \rangle | 1 \rangle \). It returns a quantum state by accessing \(\mathsf {G}\) (resp. \(\mathsf {H}\)) otherwise.
- \(\mathsf {DEC}(\mathsf {c})\): Take \(\mathsf {c}= (e,d,\tau )\) as input and do the following.
  1. \((\mathsf {k}^{sym},\mathsf {k}^{mac}) \leftarrow \mathsf {H}_q(e)\).
  2. Return \(m\leftarrow \mathsf {k}^{sym} \oplus d\) if \(\mathsf {Vrfy}(\mathsf {k}^{mac},d,\tau ) = 1\). Return \(\bot \) otherwise.
- \(\mathsf {OPEN}(i)\): Set \(I \leftarrow I \cup \{ i \}\). Abort if \(i = i^*\). Return \((m_i,r_i)\) otherwise.
When \(\mathsf {A}\) outputs a value out and halts, \(\mathsf {D}\) outputs 0. \(\mathsf {D}\) simulates the view of \(\mathsf {A}\) in \(\mathsf {Game}_3\) (resp. \(\mathsf {Game}_4\)) if the challenger chooses \(r_i\) (resp. \(r_i^\prime \)). Then the success probability of \(\mathsf {D}\) is at least \(\epsilon /n\), and the claimed inequality follows.
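As an added illustration that is not part of the paper, the following Python code instantiates the second construction of the abstract, which is also the scheme whose ciphertexts \((e_i,d_i,\tau _i)\) the reduction \(\mathsf {D}\) above produces: \(e \leftarrow \mathsf {Enc}^{asy}(\mathsf {pk},r,\mathsf {G}(r))\), \((\mathsf {k}^{sym},\mathsf {k}^{mac}) \leftarrow \mathsf {H}(r,e)\), \(d \leftarrow \mathsf {k}^{sym} \oplus m\), \(\tau \leftarrow \mathsf {Tag}(\mathsf {k}^{mac},d)\). Everything concrete here is an assumption made for the example, not a choice of the paper: the underlying IND-CPA scheme \(\mathsf {PKE}^{asy}\) is ElGamal in a deterministically chosen 128-bit safe-prime group (too small for real use), the random oracles \(\mathsf {G}\) and \(\mathsf {H}\) are SHA-2 hashes, and HMAC-SHA256 plays the strongly unforgeable MAC. The names `keygen`, `pke_enc`, `ro_g`, `ro_h`, `hybrid_enc`, `hybrid_dec` and `check_opening` are hypothetical.

```python
from __future__ import annotations
import hashlib, hmac, secrets

def is_probable_prime(n: int) -> bool:  # Miller-Rabin, fixed bases (fine for a demo)
    if n < 2:
        return False
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def find_safe_prime(start: int) -> tuple[int, int]:  # first p = 2q+1 with q >= start, and q
    q = start | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

# Assumption: the paper is generic over any IND-CPA PKE^asy; ElGamal in a 128-bit
# safe-prime group (far too small for real use, fixed for reproducibility) stands in here.
P, Q = find_safe_prime(1 << 127)
GEN = 4        # generates the order-Q subgroup of quadratic residues
ENC_LEN = 32   # bytes used to serialise group elements (all < 2^128)
MSG_LEN = 32   # fixed message length of the one-time-pad DEM

def keygen() -> tuple[int, int]:  # returns (pk^asy, sk^asy)
    sk = secrets.randbelow(Q - 1) + 1
    return pow(GEN, sk, P), sk

def pke_enc(pk: int, r: int, coins: int) -> tuple[int, int]:
    # Enc^asy(pk, r; coins): deterministic once the coins are fixed, as FO requires
    return pow(GEN, coins, P), r * pow(pk, coins, P) % P

def pke_dec(sk: int, e: tuple[int, int]) -> int:
    c1, c2 = e
    return c2 * pow(c1, -sk, P) % P

def ro_g(r: int) -> int:  # random oracle G: M^asy -> R^asy (coins in [1, Q-1]); SHA-256 stand-in
    h = hashlib.sha256(b"G" + r.to_bytes(ENC_LEN, "big")).digest()
    return int.from_bytes(h, "big") % (Q - 1) + 1

def ro_h(r: int, e: tuple[int, int]) -> tuple[bytes, bytes]:  # H: (r, e) -> K^sym x K^mac
    buf = b"H" + b"".join(v.to_bytes(ENC_LEN, "big") for v in (r, *e))
    dig = hashlib.sha512(buf).digest()
    return dig[:32], dig[32:]

def xor(a: bytes, b: bytes) -> bytes:  # one-time-pad DEM
    return bytes(x ^ y for x, y in zip(a, b))

def mac_tag(k_mac: bytes, d: bytes) -> bytes:  # HMAC-SHA256 as the strongly unforgeable MAC
    return hmac.new(k_mac, d, hashlib.sha256).digest()

def mac_vrfy(k_mac: bytes, d: bytes, tau: bytes) -> bool:
    return hmac.compare_digest(mac_tag(k_mac, d), tau)

def sample_r() -> int:  # uniform element of the QR subgroup, the role of r in M^asy
    x = secrets.randbelow(P - 1) + 1
    return x * x % P

def hybrid_enc(pk: int, m: bytes, r: int | None = None):
    """Returns (c, r) with c = (e, d, tau); r is what OPEN(i) hands to the adversary."""
    assert len(m) == MSG_LEN
    r = sample_r() if r is None else r
    e = pke_enc(pk, r, ro_g(r))              # e <- Enc^asy(pk, r, G(r))
    k_sym, k_mac = ro_h(r, e)                # (k^sym, k^mac) <- H(r, e)
    d = xor(k_sym, m)                        # d <- k^sym xor m
    return (e, d, mac_tag(k_mac, d)), r      # tau <- Tag(k^mac, d)

def hybrid_dec(sk: int, pk: int, c):
    """Real decryption: recover r, FO re-encryption check, re-derive keys, verify the tag."""
    e, d, tau = c
    r = pke_dec(sk, e)
    if pke_enc(pk, r, ro_g(r)) != e:         # reject an e not honestly derived from r
        return None
    k_sym, k_mac = ro_h(r, e)
    if not mac_vrfy(k_mac, d, tau):
        return None
    return xor(k_sym, d)

def check_opening(pk: int, c, m: bytes, r: int) -> bool:
    # all randomness in c is derived from r, so an opened pair (m, r) fully explains c
    return hybrid_enc(pk, m, r)[0] == c
```

Two points the code makes concrete. First, `hybrid_dec` is the real decryption algorithm: it recovers \(r\) with the secret key and re-encrypts to check that \(e\) was honestly derived, whereas the \(\mathsf {DEC}\) oracle simulated by \(\mathsf {D}\) above reads the keys straight from \(\mathsf {H}_q(e)\) without any secret key, which is a device of the reduction and not part of the scheme. Second, `check_opening` shows what an \(\mathsf {OPEN}(i)\) query gives away: because the coins of \(\mathsf {Enc}^{asy}\) and both symmetric keys are derived from \(r_i\), the opened pair \((m_i,r_i)\) lets anyone recompute \(c_i\) in full, and SO security is exactly the requirement that this leakage says nothing about the unopened ciphertexts.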
Therefore, we obtain
\(\blacksquare \)
From the discussion above, we obtain the following inequality
Therefore, we complete the proof. \(\square \)
Copyright information
© 2019 Springer Nature Switzerland AG
Cite this paper
Sato, S., Shikata, J. (2019). SO-CCA Secure PKE in the Quantum Random Oracle Model or the Quantum Ideal Cipher Model. In: Albrecht, M. (ed.) Cryptography and Coding. IMACC 2019. Lecture Notes in Computer Science, vol 11929. Springer, Cham. https://doi.org/10.1007/978-3-030-35199-1_16
DOI: https://doi.org/10.1007/978-3-030-35199-1_16
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-35198-4
Online ISBN: 978-3-030-35199-1