Tighter Proofs of CCA Security in the Quantum Random Oracle Model

Abstract

We revisit the construction of IND-CCA secure key encapsulation mechanisms (KEM) from public-key encryption schemes (PKE). We give new, tighter security reductions for several constructions. Our main result is an improved reduction for the security of the \(U^{\not \bot }\)-transform of Hofheinz, Hövelmanns, and Kiltz (TCC’17) which turns OW-CPA secure deterministic PKEs into IND-CCA secure KEMs. This result is enabled by a new one-way to hiding (O2H) lemma which gives a tighter bound than previous O2H lemmas in certain settings and might be of independent interest. We extend this result also to the case of PKEs with non-zero decryption failure probability and non-deterministic PKEs. However, we assume that the derandomized PKE is injective with overwhelming probability.

In addition, we analyze the impact of different variations of the \(U^{\not \bot }\)-transform discussed in the literature on the security of the final scheme. We consider the difference between explicit (\(U^{\bot }\)) and implicit (\(U^{\not \bot }\)) rejection, proving that security of the former implies security of the latter. We show that the opposite direction holds if the scheme with explicit rejection also uses key confirmation. Finally, we prove that (at least from a theoretic point of view) security is independent of whether the session keys are derived from message and ciphertext (\(U^{\not \bot }\)) or just from the message (\(U^{\not \bot }_m\)).

1 Introduction

If a general-purpose quantum computer can be built, it will break most widely-deployed public-key cryptography. The cryptographic community is busily designing new cryptographic systems to prepare for this risk. These systems typically consist of an algebraic structure with cryptographic hardness properties, plus a symmetric cryptography layer which transforms the algebraic structure into a higher level primitive like a public-key encryption (PKE) scheme, a key encapsulation mechanism (KEM), or a signature scheme. The algebraic structures underlying these so-called “post-quantum” systems have new properties, and the quantum threat model requires changes in the way security is analyzed. Therefore the transformations turning the algebraic structures into cryptosystems have to be freshly examined.

In this work we focus on the construction of secure KEMs. In this setting the algebraic structures usually provide a PKE from which a KEM is derived via a generic transform. A new property of the algebraic structures used in many post-quantum PKEs and KEMs gives them malleable ciphertexts, so they are at risk from chosen-ciphertext attacks (CCA) [HNP+03]. The standard defenses against CCA are variants of the Fujisaki-Okamoto (FO) transform [FO99]. Known security proofs for the FO transform use the random oracle model (ROM) [BR93]. This is for two reasons. First, the FO transform has a circular structure–it chooses coins for encryption according to the message being encrypted. This leads to obstacles which we do not know how to overcome when proving security in the standard model. In the ROM, we circumvent this by re-programming. Second, in the ROM a reduction learns all the adversary’s queries to the random oracle. This allows us to formalize the intuition that an adversary must have known a challenge plaintext to extract said plaintext.

Since we are concerned with security against quantum attackers, we need to extend these proofs to the quantum-accessible random oracle model (QROM) [BDF+11]. This comes with two challenges for our setting. On the one hand, in the QROM the adversary can query all inputs in superposition. Hence, it is no longer trivial to break the circular dependency by re-programming, which results in security bounds that do not tightly match known attacks. On the other hand, a reduction cannot learn the adversarial queries by simple observation anymore. The reason is that observation of a quantum state requires a measurement which disturbs the state. Hence, more advanced techniques are required.

1.1 Our Contribution

QROM analysis of KEMs has advanced rapidly over the past several years. The initial solutions were loose by a factor of up to \(q^6\) [TU16, HHK17], where q is the number of times the adversary queries the random oracle. This has improved to \(q^2\) [SXY18, JZC+18] and finally to q [HKSU18, JZM19a, JZM19c]. Some works provide tight proofs under stronger assumptions [SXY18, XY19]. Our work provides a proof of IND-CCA security for KEMs constructed from deterministic PKEs (Theorem 2), which is tight except for a quadratic security loss which might be impossible to avoid [JZM19b]. For KEMs constructed from randomized PKEs our bound is still loose by a factor of up to q (Theorem 1). In this particular case, our bound does not essentially differ from the bound already given in [HKSU18]. In [HKSU18], the proof given is called “semi-modular”: it is first shown that derandomization and puncturing achieve the stronger notion that [SXY18] requires to achieve tight security, and the tight proof of [SXY18] is then applied to the derandomized and punctured scheme. The strategy of [HKSU18] was deliberately chosen to deal with correctness errors: The tight proof of [SXY18] could not trivially be generalized for non-perfect schemes in a way such that the result still would have been meaningful for most lattice-based encryption schemes. Our work deals with correctness errors in a modular way by introducing an additional intermediate notion (called \(\mathsf {FFC} \)).

At the heart of our bound is a new one-way to hiding (O2H) lemma which gives a tighter bound than previous O2H lemmas (Lemma 5). This comes at the cost of limited applicability. O2H lemmas allow to bound the difference in the success probability of an adversary when replacing its oracle function by a similar function. Previous lemmas lost a factor of roughly the number of the adversary’s queries to this oracle or its square-root. Our lemma does not incur any such loss. On the downside, our lemma only applies if the reduction has access to both oracle functions and if the functions only differ in one position. See Table 1 for a comparison.

Some post-quantum schemes feature an inherent probability of decryption failure, say \(\delta >0\). Such failures can be used in attacks, but they also complicate security proofs. As a result, previous bounds typically contain a term \(q\sqrt{\delta }\) which is not known to be tight. However, most of the obstacles that arise in our CCA security proof can be avoided by assuming that encryption with a particular public key is injective (after derandomization). This is generally the case, even for imperfectly-correct systems; see Appendix D for a rough analysis of LWE schemes. In that case, the adversary’s advantage is limited to the probability that it actually finds and submits a valid message that fails to decrypt. This means that our bounds apply to deterministic but failure-prone systems like certain earlier BIKE [ABB+19] variants¹, but our result is limited by the assumption of injectivity.

Until today several variants of the FO-transform were proposed. We consider the four basic transforms \(U^{\bot },U^{\bot }_m,U^{\not \bot },U^{\not \bot }_m\) [HHK17] and, in addition, we study \(U^{\bot }_m\) in the presence of key confirmation. The two most notable differences reside in the use of implicit rejection (\(U^{\not \bot }, U^{\not \bot }_m\)) versus explicit rejection (\(U^{\bot }, U^{\bot }_m\)), and whether the derivation of the session key should depend on the ciphertext (\(U^{\bot }_m, U^{\not \bot }_m\)) or not (\(U^{\bot }, U^{\not \bot }\)). Another important decision is the use of key confirmation which we also partially analyze. We come to the following results. Security with implicit rejection implies security with explicit rejection (Theorem 3). The opposite holds if the scheme with explicit rejection also employs key confirmation (Theorem 4). Moreover, security is independent of the decision if the session key derivation depends on the ciphertext (Theorem 5).

Notation. We will use the following notation throughout the paper.

• For two sets X, Y, we write \(Y^X\) to denote the set of functions from X to Y.

• Let \(H:X \rightarrow Y\) be a (classical or quantum-accessible) random oracle. Then we denote the programming of H at \(x\in X\) to some \(y\in Y\) as \(H[x \rightarrow y]\).

• Let \(\mathcal {A} \) be an algorithm. If \(\mathcal {A} \) has access to a classical (resp., quantum-accessible) oracle H, we write \(\mathcal {A} ^H\) and call \(\mathcal {A} \) an oracle (resp., quantum oracle) algorithm.

2 One-way to Hiding

ROM reductions typically simulate the random oracle in order to learn the adversary’s queries. In the classical ROM, the adversary cannot learn any information about H(x) without the simulator learning both x and H(x). In the QROM things are not so simple, because measuring or otherwise recording the queries might collapse the adversary’s quantum state and change its behavior. However, under certain conditions the simulator can learn the queries using “One-way to Hiding” (O2H) techniques going back to [Unr15]. We will use the O2H techniques from [AHU19], and introduce a novel variant that allows for tighter results.

Consider two quantum-accessible oracles \(G,H:X\rightarrow Y\). The oracles do not need to be random. Suppose that G and H differ only on some small set \(S\subset X\), meaning that \(\forall x\notin S, G(x) = H(x)\). Let \(\mathcal {A} \) be an oracle algorithm that takes an input z and makes at most q queries to G or H. Possibly \(\mathcal {A} \) makes them in parallel. Therefore, suppose that the query depth, i.e., the maximum number of sequential invocations of the oracle [AHU19], is at most \(d\le q\). If \(\mathcal {A} ^G(z)\) behaves differently from \(\mathcal {A} ^H(z)\), then the O2H techniques give a way for the simulator to find some \(x\in S\) with probability dependent on d and q.

We will use the following three O2H lemmas.

• Lemma 1 (original O2H) is the most general: the simulator needs to provide only G or H but it has the least probability of success.

• Lemma 3 (semiclassical O2H) has a greater probability of success, but requires more from the simulator: for each query x, the simulator must be able to recognize whether \(x\in S\), and if not it must return \(G(x)=H(x)\).

• Lemma 5 (our new “double-sided” O2H) gives the best probability of success, but it requires the simulator to evaluate both G and H in superposition. It also can only extract \(x\in S\) if S has a single element. If S has many elements, but the simulator knows a function f such that \(\{f(x):x\in S\}\) has a single element, then it can instead extract that element f(x).

We summarize the three variants of O2H as shown in Table 1. In all cases, there are two oracles H and G that differ in some set S, and the simulator outputs \(x\in S\) with some probability \(\epsilon \). The lemma then shows an upper bound on the difference between \(\mathcal {A} ^{H}\) and \(\mathcal {A} ^{G}\) as a function of \(\epsilon \).

Table 1. Comparison of O2H variants

Arbitrary joint distribution. The O2H lemmas allow (G, H, S, z) to be random with arbitrary joint distribution. This is stronger than (G, H, S, z) being arbitrary fixed objects, because the probabilities in the lemma include the choice of (G, H, S, z) in addition to \(\mathcal {A} \)’s coins and measurements. Also, the lemmas are still true if the adversary consults other oracles which are also drawn from a joint distribution with (G, H, S, z).

2.1 Original O2H

We begin with the original O2H which first appeared in [Unr15]. We use the phrasing from [AHU19] as it is more general and more consistent with our other lemmata.

Lemma 1

(One-way to hiding; [AHU19] Theorem 3). Let \(G,H:X\rightarrow Y\) be random functions, let z be a random value, and let \(S\subset X\) be a random set such that \(\forall x\notin S, G(x)=H(x)\). (G, H, S, z) may have arbitrary joint distribution. Furthermore, let \(\mathcal {A} ^H\) be a quantum oracle algorithm which queries H with depth at most d. Let \(\mathsf {Ev}\) be an arbitrary classical event. Define an oracle algorithm \(\mathcal {B} ^H(z)\) as follows: Pick . Run \(\mathcal {A} ^H(z)\) until just before its ith round of queries to H. Measure all query input registers in the computational basis, and output the set T of measurement outcomes. Let

$$\begin{aligned} P_\mathrm {left}&:= \Pr [\mathsf {Ev}: \mathcal {A} ^H(z)],\ \ P_\mathrm {right} := \Pr [\mathsf {Ev}: \mathcal {A} ^G(z)], \\P_\mathrm {guess}&:= \Pr [S\cap T\ne \varnothing : T\leftarrow \mathcal {B} ^H(z)]. \end{aligned}$$

Then

$$ {\left| {P_\mathrm {left}-P_\mathrm {right}}\right| } \le 2d\sqrt{ P_\mathrm {guess}} \qquad \text {and}\qquad {\left| {\sqrt{P_\mathrm {left}}-\sqrt{P_\mathrm {right}}}\right| } \le 2d\sqrt{ P_\mathrm {guess}}. $$

The same result holds with \(\mathcal {B} ^{G}(z)\) instead of \(B^H(z)\) in the definition of \(P_\mathrm {guess}\).

From this lemma we conclude the following result for pseudo-random functions (PRFs, see Definition 10). It intuitively states that a random oracle makes a good PRF, even if the distinguisher is given full access to the random oracle in addition to the PRF oracle.

Corollary 1 (PRF based on random oracle)

Let \(H:(K\times X)\rightarrow Y\) be a quantum-accessible random oracle. This function may be used as a quantum-accessible PRF \(F_k(x) := H(k,x)\) with a key . Suppose a PRF-adversary \(\mathcal {A} \) makes q queries to H at depth d, and any number of queries to \(F_k\) at any depth. Then

$$\mathrm {Adv}^{\mathrm {\mathsf {PRF}}}_{F_k}(\mathcal {A}) \le 2\sqrt{dq/{\left| {K}\right| }}.$$

Proof

The adversary’s goal is to distinguish \((F_k,H)\) from (F, H), where F is an unrelated uniformly random function. This is the same as distinguishing \((F,H[(k,x)\rightarrow F(x)])\) from (F, H), and the set of differences between these two H-oracles is \(S:=\{k\}\times X\). By Lemma 1, the distinguishing advantage is at most \(2d\sqrt{P_\mathrm {guess}}\), where \(P_\mathrm {guess} = \Pr [\exists (k',x) \in Q: k'=k]\), for a random round Q of parallel queries made by \(\mathcal {A} ^{F,H}\).

Since \(\mathcal {A} ^{F,H}\) has no information about k, and in expectation Q contains q/d parallel queries, we have \(P_\mathrm {guess} \le q/(d\cdot {\left| {K}\right| })\), so

$$\mathrm {Adv}^{\mathrm {\mathsf {PRF}}}_{F_k}(\mathcal {A}) \le 2d\sqrt{q/(d\cdot {\left| {K}\right| })} = 2\sqrt{dq/{\left| {K}\right| }}$$

as claimed.    \(\square \)

Note that Corollary 1 is the same as [SXY18] Lemma 2.2 and [XY19] Lemma 4, except that it takes query depth into account.

2.2 Semi-classical O2H

We now move on to semi-classical O2H. Here \(\mathcal {B} \) is defined in terms of punctured oracles [AHU19], which measure whether the input is in a set S as defined next.

Definition 1

(Punctured oracle). Let \(H:X\rightarrow Y\) be any function, and \(S\subset X\) be a set. The oracle \({H}\backslash {S} \) (“H punctured by S”) takes as input a value x. It first computes whether \(x\in S\) into an auxiliary qubit p, and measures p. Then it runs H(x) and returns the result. Let \(\mathsf {Find} \) be the event that any of the measurements of p returns 1.

The event is called \(\mathsf {Find} \) because if the simulator chooses to, it can immediately terminate the simulation and measure the value \(x\in S\) which caused the event. The oracle is called “punctured” because if \(\mathsf {Find} \) does not occur, \({H}\backslash {S} \) returns a result independent of H’s outputs on S, as shown by the following lemma.

Lemma 2

(Puncturing is effective; [AHU19] Lemma 1). Let \(G,H:X\rightarrow Y\) be random functions, let z be a random value, and let \(S\subset X\) be a random set such that \(\forall x\notin S, G(x)=H(x)\). (G, H, S, z) may have arbitrary joint distribution. Let \(\mathcal {A} ^H\) be a quantum oracle algorithm. Let \(\mathsf {Ev}\) be an arbitrary classical event. Then

$$\Pr [\mathsf {Ev}\wedge \lnot \mathsf {Find}:\mathcal {A} ^{{H}\backslash {S}}(z)] = \Pr [\mathsf {Ev}\wedge \lnot \mathsf {Find}:\mathcal {A} ^{{G}\backslash {S}}(z)].$$

Also, puncturing only disturbs the adversary’s state when it is likely to \(\mathsf {Find}\).

Lemma 3

(Semi-classical O2H; [AHU19] Theorem 1). Let \(G,H:X\rightarrow Y\) be random functions, let z be a random value, and let \(S\subset X\) be a random set such that \(\forall x\notin S, G(x)=H(x)\). (G, H, S, z) may have arbitrary joint distribution.

Let \(\mathcal {A} ^H\) be a quantum oracle algorithm which queries H with depth at most d. Let \(\mathsf {Ev}\) be an arbitrary classical event and let

$$\begin{aligned}&P_\mathrm {left} := \Pr [\mathsf {Ev} : \mathcal {A} ^H(z)], \ P_\mathrm {right} := \Pr [\mathsf {Ev} : \mathcal {A} ^G(z)], \\&P_\mathrm {find} := \Pr [\mathsf {Find}: \mathcal {A} ^{{G}\backslash {S}}(z)] \ \ \,\,{\mathop {=}\limits ^{\text {Lem. 2}}}\ \ \Pr [\mathsf {Find}: \mathcal {A} ^{{H}\backslash {S}}(z)]. \end{aligned}$$

Then

$$ {\left| {P_\mathrm {left}-P_\mathrm {right}}\right| } \le 2\sqrt{d P_\mathrm {find}} \qquad \text {and}\qquad {\left| {\sqrt{P_\mathrm {left}}-\sqrt{P_\mathrm {right}}}\right| } \le 2\sqrt{d P_\mathrm {find}}. $$

The theorem also holds with bound \(\sqrt{(d+1) P_\mathrm {find}}\) for the following alternative definitions of \(P_\mathrm {right}\):

$$\begin{aligned} P_\mathrm {right}&:= \Pr [\mathsf {Ev}: \mathcal {A} ^{{H}\backslash {S}}(z)] \\ P_\mathrm {right}&:= \Pr [\mathsf {Ev} \wedge \lnot \mathsf {Find}: \mathcal {A} ^{{H}\backslash {S}}(z)] \ \ {\mathop {=}\limits ^{\text {Lem. 2}}}\ \ \Pr [\mathsf {Ev} \wedge \lnot \mathsf {Find}: \mathcal {A} ^{{G}\backslash {S}}(z)] \\ P_\mathrm {right}&:= \Pr [\mathsf {Ev} \vee \,\,\,\, \mathsf {Find}: \mathcal {A} ^{{H}\backslash {S}}(z)] \ \ {\mathop {=}\limits ^{\text {Lem. 2}}}\ \ \Pr [\mathsf {Ev} \vee \,\,\,\, \mathsf {Find}: \mathcal {A} ^{{G}\backslash {S}}(z)] \\ \end{aligned}$$

We might expect that if the adversary has no information about S, then \(P_\mathrm {find}\) would be at most \(q{\left| {S}\right| }/{\left| {X}\right| }\). But this is not quite true: the disturbance caused by puncturing gives the adversary information about S. This increases \(\mathcal {A}\)’s chances, but only by a factor of 4, as explained next.

Lemma 4

(Search in semi-classical oracle; [AHU19] Theorem 2). Let \(H: X\rightarrow Y\) be a random function, let z be a random value, and let \(S\subset X\) be a random set. (H, S, z) may have arbitrary joint distribution. Let \(\mathcal {A} ^H\) be a quantum oracle algorithm which queries H at most q times with depth at most d.

Let \(\mathcal {B} ^H(z)\) and \(P_\mathrm {guess}\) be defined as in Lemma 1. Then

$$ \Pr [\mathsf {Find}: \mathcal {A} ^{{H}\backslash {S}}(z) ] \le 4dP_\mathrm {guess}. $$

In particular, if for each \(x\in X\), \(\Pr [x\in S]\le \epsilon \) (conditioned on z, on other oracles \(\mathcal {A}\) has access to, and on other outputs of H) then

$$\Pr [\mathsf {Find}: \mathcal {A} ^{{H}\backslash {S}}(z) ]\le 4q\epsilon .$$

2.3 Double-sided O2H

We augment these lemmas with a new O2H lemma which achieves a tighter bound focusing on a special case. This focus comes at the price of limited applicability. Our lemma applies when the simulator can simulate both G and H. It also requires that S is a single element; alternatively if some function f is known such that f(S) is a single element, it can extract f(S).

Lemma 5

(Double-sided O2H). Let \(G,H:X\rightarrow Y\) be random functions, let z be a random value, and let \(S\subset X\) be a random set such that \(\forall x\notin S, G(x)=H(x)\). (G, H, S, z) may have arbitrary joint distribution. Let \(\mathcal {A} ^H\) be a quantum oracle algorithm. Let \(f:X\rightarrow W\subseteq \{0,1\}^n\) be any function, and let f(S) denote the image of S under f. Let \(\mathsf {Ev}\) be an arbitrary classical event.

We will define another quantum oracle algorithm \(\mathcal {B} ^{G,H}(z)\). This \(\mathcal {B}\) runs in about the same amount of time as \(\mathcal {A}\), but when \(\mathcal {A}\) queries H, \(\mathcal {B}\) queries both G and H, and also runs f twice. Let

$$\begin{aligned}&P_\mathrm {left} := \Pr [\mathsf {Ev} : \mathcal {A} ^H(z)], \ P_\mathrm {right} := \Pr [\mathsf {Ev} : \mathcal {A} ^G(z)],\ P_\mathrm {extract} := \Pr [\mathcal {B} ^{G,H}(z)\in f(S)]. \end{aligned}$$

If \(f(S) = \{w^*\}\) is a single element, then \(\mathcal {B} \) will only return \(\bot \) or \(w^*\), and furthermore

$$ {\left| {P_\mathrm {left}-P_\mathrm {right}}\right| } \le 2\sqrt{P_\mathrm {extract}} \qquad \text {and}\qquad {\left| {\sqrt{P_\mathrm {left}}-\sqrt{P_\mathrm {right}}}\right| } \le 2\sqrt{P_\mathrm {extract}}. $$

Proof

See Appendix B.

Note that if \(S=\{x^*\}\) is already a single element, then we may take f as the identity. In this case \(\mathcal {B} \) will return either \(\bot \) or \(x^*\).

3 KEM and PKE Security Proofs

We are now ready to get to the core of our work. All the relevant security notions are given in Appendix A. The implications are summarized in Fig. 1.

Fig. 1.

Relations of our security notions using transforms T and \(U^{\not \bot }\) (above) and relations between the security of different types of U-constructions (below). The solid lines show implications which are tight with respect to powers of q and/or d, and the dashed line shows a non-tight implication. The hooked arrows indicate theorems with \(\epsilon \)-injectivity constraints.

3.1 Derandomization: \(\mathsf {IND}{\text {-}}\mathsf {CPA}\) \(\mathsf {P}\) \({\mathop {\Rightarrow }\limits ^{\text {QROM}}}\) \(\mathsf {OW}{\text {-}}\mathsf {CPA}\) \(T(\mathsf {P}, G)\)

The T transform [HHK17] converts a rPKE \(\mathsf {P} =(\mathrm {Keygen},\mathrm {Encr},\mathrm {Decr})\) to a dPKE \(T(\mathsf {P},G)=(\mathrm {Keygen},\mathrm {Encr} _1,\mathrm {Decr})\) by using a hash function \(G:\mathcal {M}\rightarrow \mathcal {R}\), modeled as random oracle, to choose encryption coins, where

$$\mathrm {Encr} _1(\mathrm {pk},m) := \mathrm {Encr} (\mathrm {pk},m;\ G(m)).$$

The following theorem shows that if a PKE \(\mathsf {P}\) is \(\mathsf {IND}{\text {-}}\mathsf {CPA}\) secure², then T\((\mathsf {P},G)\) is one-way secure in the quantum-accessible random oracle model.

Theorem 1

Let \(\mathsf {P} \) be an rPKE with messages in \(\mathcal {M}{}\) and random coins in \(\mathcal {R}{}\). Let \(G:\mathcal {M}{}\rightarrow \mathcal {R}{}\) be a quantum-accessible random oracle. Let \(\mathcal {A}\) be an \(\mathsf {OW}{\text {-}}\mathsf {CPA} \) adversary against \(\mathsf {P} ':=T(\mathsf {P},G)\). Suppose that \(\mathcal {A} \) queries G at most q times with depth at most d.

Then we can construct an \(\mathsf {IND}{\text {-}}\mathsf {CPA}\) adversary \(\mathcal {B}\) against \(\mathsf {P} \), running in about the same time and resources as \(\mathcal {A}\), such that

$$\mathrm {Adv}^{\mathrm {\mathsf {OW}{\text {-}}\mathsf {CPA}}}_{\mathsf {P} '}(\mathcal {A}) \le (d+2)\cdot \left( \mathrm {Adv}^{\mathrm {\mathsf {IND}{\text {-}}\mathsf {CPA}}}_{\mathsf {P}}(\mathcal {B}) +\frac{8(q+1)}{{\left| {\mathcal {M}{}}\right| }}\right) . $$

Proof

See Appendix C.

Second preimages. In the traditional definition of one-way functions, the adversary wins by finding any \(\mathrm {m} '\) where \(\mathrm {Encr} (\mathrm {pk},\mathrm {m} ') = c ^*\), whereas in our definition (cf. Definition 7) of \(\mathsf {OW}{\text {-}}\mathsf {CPA}\) the adversary must find \(m^*\) itself. This only matters if there is a second preimage, and thus a decryption failure. If \(\mathsf {P}\) is \(\delta \)-correct and \(\epsilon \)-injective, it is easily shown that a definition allowing second preimages adds at most \(\min (\delta ,\epsilon )\) to the adversary’s \(\mathsf {OW}{\text {-}}\mathsf {CPA}\)-advantage.

Hashing the public key. Many KEMs use a variant of T which sets the coins to \(G(\mathrm {pk},m)\). This is a countermeasure against multi-key attacks. In this paper we only model single-key security, so we omit \(\mathrm {pk} \) from the hashes for brevity. The same also applies to the other transforms later in this paper, such as \(U^{\not \bot }\).

3.2 Deterministic \(\mathsf {P}\): OW-CPA \(\mathsf {P} \) \({\mathop {\Rightarrow }\limits ^{\text {QROM}}}\) IND-CCA \(U^{\not \bot }(\mathsf {P},\mathsf {F},H)\)

Our \(\mathsf {OW}{\text {-}}\mathsf {CPA}\) to \(\mathsf {IND}{\text {-}}\mathsf {CCA}\) conversion is in the style of [JZM19d]. However, that bound is based on the failure probability \(\delta \) of a randomized encryption algorithm, whereas ours is based on the difficulty of finding a failure without access to the private key. This means our theorem applies to deterministic but imperfectly-correct algorithms, such as one of the three BIKE variants, BIKE-2 [ABB+19]. So instead we use injectivity and a game where the adversary tries to find ciphertexts which are valid but do not decrypt correctly.

Definition 2

(Valid ciphertext). Let \(\mathsf {P} =(\mathrm {Keygen}, \mathrm {Encr},\) \(\mathrm {Decr})\) be a dPKE. Call a ciphertext \(c \) “valid” for a public key \(\mathrm {pk} \) of \(\mathsf {P} \) if there exists \(\mathrm {m} \) such that \(c =\mathrm {Encr} (\mathrm {pk},\mathrm {m})\).

We introduce a new failure-finding experiment³, to capture the probability that the adversary can find valid ciphertexts that cause a decryption failure.

Definition 3

(Finding Failing Ciphertext). The find-failing-ciphertexts experiment \((\mathsf {FFC})\) is shown in Fig. 2. The \(\mathsf {FFC}\)-advantage of an adversary \(\mathcal {A}\) is defined by

$$\mathrm {Adv}^{\mathrm {\mathsf {FFC}}}_{\mathsf {P}}(\mathcal {A}) := \Pr [\mathrm {Expt}^{\mathsf {FFC} {}}_{\mathsf {P}}(\mathcal {A})\rightarrow 1].$$

Fig. 2.

\(\mathsf {FFC}\) experiment on a dPKE \(\mathsf {P}\). The instantiation of H generalizes to any number of random oracles, including zero.

The \(U^{\not \bot }\) transform [HHK17] converts a dPKE \(\mathsf {P} =(\mathrm {Keygen} _\mathsf {P},\mathrm {Encr},\mathrm {Decr})\) into a KEM \(\mathsf {K} =(\mathrm {Keygen},\mathrm {Encaps},\mathrm {Decaps})\) using a PRF \(\mathsf {F}:\mathcal {K}_\mathsf {F} \times \mathcal {C}\rightarrow \mathcal {K}\) and a hash function \(H:\mathcal {M}\times \mathcal {C}\rightarrow \mathcal {K}\), modeled as a random oracle. The PRF is used for implicit rejection, returning \(\mathsf {F} (\mathrm {prfk},c)\) in case of an invalid ciphertext using a secret \(\mathrm {prfk}\). The \(U^{\not \bot }\) transform is defined in Fig. 3. We also describe variants \(U^{\not \bot }_m, U^\bot , U^\bot _m\) of this transform from [HHK17], which make the following changes:

• On \(\mathrm {Encaps} \) line 3 resp. \(\mathrm {Decaps} \) line 7, the transformations \(U^{\not \bot }_m\) and \(U^\bot _m\) compute H(m) resp. \(H(m')\) instead of \(H(m,c)\) resp. \(H(m',c)\).

• On \(\mathrm {Decaps} \) lines 4 and 6, the transformations \(U^\bot \) and \(U^\bot _m\) return \(\bot \) instead of \(\mathsf {F} (\mathrm {prfk},c)\). These variants also don’t need \(\mathrm {prfk}\) as part of the private key.

The transforms \(U^\bot \) and \(U^\bot _m\) are said to use explicit rejection because they return an explicit failure symbol \(\bot \). \(U^{\not \bot }\) and \(U^{\not \bot }_m\) are said to use implicit rejection.

Fig. 3.

Transform \(U^{\not \bot }(\mathsf {P}, \mathsf {F}):=(\mathrm {Keygen},\mathrm {Encaps},\mathrm {Decaps})\).

The next theorem states that breaking the \(\mathsf {IND}{\text {-}}\mathsf {CCA}\) security of \(U^{\not \bot }(\mathsf {P},\mathsf {F}, H)\) requires either breaking the \(\mathsf {OW}{\text {-}}\mathsf {CPA}\) security of \(\mathsf {P}\), causing a decapsulation failure, or breaking the PRF used for implicit rejection. In particular, we need \(\mathsf {P}\) to be an \(\epsilon \)-injective dPKE as in Definition 6.

Theorem 2

Let \(H:\mathcal {M}\times \mathcal {C}\rightarrow \mathcal {K}\) be a quantum-accessible random oracle and \(\mathsf {F}:\mathcal {K}_\mathsf {F} \times \mathcal {C}\rightarrow \mathcal {K}\) be a PRF. Let \(\mathsf {P}\) be an \(\epsilon \)-injective dPKE which is independent of H. Let \(\mathcal {A}\) be an \(\mathsf {IND}{\text {-}}\mathsf {CCA}\) adversary against the KEM \(U^{\not \bot }(\mathsf {P},\mathsf {F})\), and suppose that \(\mathcal {A}\) makes at most \(q_\mathrm {dec}\) decryption queries. Then we can construct three adversaries running in about the same time and resources as \(\mathcal {A}\):

• an \(\mathsf {OW}{\text {-}}\mathsf {CPA}\)-adversary \(\mathcal {B} _1\) against \(\mathsf {P}\)

• a \(\mathsf {FFC}\)-adversary \(\mathcal {B} _2\) against \(\mathsf {P}\), returning a list of at most \(q_\mathrm {dec}\) ciphertexts

• a \(\mathsf {PRF}\)-adversary \(\mathcal {B} _3\) against \(\mathsf {F} \)

such that

$$\mathrm {Adv}^{\mathrm {\mathsf {IND}{\text {-}}\mathsf {CCA}}}_{U^{\not \bot }(\mathsf {P})}(\mathcal {A}) \le 2\sqrt{\mathrm {Adv}^{\mathrm {\mathsf {OW}{\text {-}}\mathsf {CPA}}}_{\mathsf {P}}(\mathcal {B} _1)}+ \mathrm {Adv}^{\mathrm {\mathsf {FFC}}}_{\mathsf {P}}(\mathcal {B} _2) + 2\cdot \mathrm {Adv}^{\mathrm {\mathsf {PRF}}}_{\mathsf {F}}(\mathcal {B} _3) + \epsilon . $$

In the common case that \(\mathsf {F} (\mathrm {prfk},c)\) is implemented as \(H(\mathrm {prfk},c)\) it holds that if \(\mathcal {A} \) makes q queries at depth d, then

$$\mathrm {Adv}^{\mathrm {\mathsf {PRF}}}_{\mathsf {F}}(\mathcal {B} _3) {\mathop {\le }\limits ^{\text {cor. 1}}}2\sqrt{dq/{\left| {M}\right| }}.$$

Proof

Our proof is by a series of games. In some later games, we will define an outcome “draw” which is distinct from a win or loss. A draw counts as halfway between a win and a loss, as described by the adversary’s score \(w_i\):

$$\begin{aligned} w_i:= & {} \Pr [\mathcal {A}\ \text {wins: Game}\ i] + \frac{1}{2}\Pr [\text {Draw: Game}\ i]\\= & {} \frac{1}{2} \left( 1 + \Pr [\mathcal {A}\ \text {wins: Game}\ i] - \Pr [\mathcal {A}\ \text {loses: Game}\ i]\right) \end{aligned}$$

Game 0

\(\mathbf{(}{\mathsf {IND}{\text {-}}\mathsf {CCA}}{} \mathbf{).}\) This is the original \(\mathsf {IND}{\text {-}}\mathsf {CCA}\) game against the KEM \(U^{\not \bot }(\mathsf {P},\mathsf {F},H)\), cf. Definition 12.

Game 1

(PRF is random). Game 1 is the same as Game 0, except the simulator replaces \(\mathsf {F} (\mathrm {prfk},\cdot )\) with a random function .

We construct a \(\mathsf {PRF}\)-adversary \(\mathcal {B} _3\) (cf. Definition 10) which replaces its calls to \(\mathsf {F} (\mathrm {prfk},\cdot )\) by calls to its oracle, runs \(\mathcal {A} \), and outputs 1 if \(\mathcal {A} \) wins and 0 otherwise. Now, by construction and . Hence,

$$\begin{aligned} {\left| {w_{1} - w_{0}}\right| } = \mathrm {Adv}^{\mathrm {PRF}}_{F}(\mathcal {A}). \end{aligned}$$

Game 2

(Draw on fail or non-injective \({\mathrm {pk}}{} \mathbf{).}\) Let \(\mathsf {Fail}\) be the event that one or more of \(\mathcal {A} \)’s decapsulation queries \(D(c)\) fails to decrypt, meaning that \(c = \mathrm {Encr} (\mathrm {pk},\mathrm {m})\) for some \(\mathrm {m} \), but \(\mathrm {Decr} (\mathrm {sk},c)\ne \mathrm {m} \). Let \(\mathsf {NonInj}\) be the event that \(\mathrm {Encr} (\mathrm {pk},\cdot )\) is not injective, and let \(\mathsf {Draw} := \mathsf {Fail} \vee \mathsf {NonInj}\). In Game 2 and onward, if \(\mathsf {Draw}\) occurs then the game continues, but at the end it is a draw instead of the adversary winning or losing.

Let \(d_i := \Pr [\mathsf {Draw}:\text {Game}\ i]\). Then \({\left| {w_{2}-w_{1}}\right| }\le \frac{1}{2} d_{2}\). It is important to note that the event \(\mathsf {Draw}\) is a well-defined classical event and does not depend on H, even though the simulator might not be able to determine efficiently whether it occurred.

Game 3

(Reprogram \(H(m,c)\) to \(R(c)\)). Game 3 is the same as Game 2, but the simulator reprograms \(H(m,c)\) where \(c =\mathrm {Encr} (\mathrm {pk},m)\) to return \(R(c)\).

This produces the same win and draw probabilities as Game 2 as explained next. For each m, the value \(H(m,\mathrm {Encr} (\mathrm {pk},m))\) is changed to a uniformly, independently random value, except when the game is already a draw:

• It is uniformly random because R is uniformly random.

• It is independent of \(H(m',c)\) for \(m'\ne m\) because \(\mathrm {Encr} (\mathrm {pk},\cdot )\) is injective or else the game is a draw.

• H calls R(c) only for valid ciphertexts \(c=\mathrm {Encr} (\mathrm {pk},m')\). On the other hand, the decapsulation oracle only calls \(R(c')\) for rejected ciphertexts \(c'\), i.e. ones where \(c'\ne \mathrm {Encr} (\mathrm {pk},\mathrm {Decr} (\mathrm {sk},c'))\). If a valid ciphertext has been rejected and passed to R in this way, then \(\mathsf {Draw}\) has occurred and the return value of R does not affect \(w_i\) or \(d_i\).

Therefore \(w_{3} = w_{2}\) and \(d_{3} = d_{2}\).

Game 4

(Decapsulation oracle returns \(R(c)\)). Game 4 is the same as Game 3, but the simulated decapsulation oracle simply returns \(R(c)\) for all ciphertexts other than the challenge (for which it still returns \(\bot \)).

In fact, the decapsulation oracle was already doing this in Game 3: The original decapsulation returns either \(H(m,c)\) with \(c =\mathrm {Encr} (\mathrm {pk},m)\) or \(\mathsf {F} (\mathrm {prfk},c)\), but both of those have been reprogrammed to return \(R(c)\). Therefore \(w_{4} = w_{3}\) and \(d_{4} = d_{3}\). As of this game, the simulator does not use the private key anymore.

Bound draw. We now want to upper bound the draw probability. Let \(\mathcal {B} _2\) be the algorithm which, given a public key \(\mathrm {pk} \), simulates Game 4 for \(\mathcal {A} \) and outputs a list L of all of \(\mathcal {A} \)’s decapsulation queries. Then \(\mathcal {B} _2\) is a \(\mathsf {FFC}\)-adversary against \(\mathsf {P} \) which runs in about the same time as \(\mathcal {A}\) and succeeds whenever a draw occurred during the game. Consequently,

$$d_{2} = d_{3} = d_{4} \le \mathrm {Adv}^{\mathrm {\mathsf {FFC}}}_{\mathsf {P}}(\mathcal {B} _2) +\epsilon .$$

Game 5

(Change shared secret). In Game 5, the shared secret is changed to a uniformly random value r. If \(b=1\), then for all m such that \(\mathrm {Encr} (\mathrm {pk},m)=c^*\), the oracle H(m) is reprogrammed to return r. If \(b=0\), then H is not reprogrammed.

If \(\mathrm {Encr} (\mathrm {pk},\cdot )\) is injective, then this is the same distribution as Game 4, and otherwise the game is a draw. Therefore \({w_{5} = w_{4}}\).

It remains to bound \(\mathcal {A} \)’s advantage in Game 5. The simulation still runs in about the same time as \(\mathcal {A} \). Suppose at first that \(\mathrm {Encr} (\mathrm {pk},\cdot )\) is injective, so that the oracle H is reprogrammed only at \(m^*\). Then the \(b=0\) and \(b=1\) cases are now distinguished by a single return value from the H oracle. Hence, we can consider two oracles H and \(H' := H[m^*\rightarrow r]\) as required by Lemma 5. Then Lemma 5, states that there is an algorithm \(\mathcal {B} _1\), running in about the same time as \(\mathcal {A} \), such that for all H:

The same inequality holds if \(\mathrm {Encr} (\mathrm {pk},\cdot )\) is not injective, for then the game is always a draw and the left-hand side is zero. (The algorithm \(\mathcal {B} _1\) still runs with the same efficiency in that case; it just might not return \(m^*\).) The inequality also holds in expectation over H by Jensen’s inequality:

so that

$${\left| {\Pr [\text {Win}:b=0] - \Pr [\text {Lose}:b=1]}\right| } \le 2\sqrt{\mathrm {Adv}^{\mathrm {\mathsf {OW}{\text {-}}\mathsf {CPA}}}_{\mathsf {P}}(\mathcal {B} _1)}.$$

Likewise, for the same adversary \(\mathcal {B} _1\),

$${\left| {\Pr [\text {Win}:b=1] - \Pr [\text {Lose}:b=0]}\right| } \le 2\sqrt{\mathrm {Adv}^{\mathrm {\mathsf {OW}{\text {-}}\mathsf {CPA}}}_{\mathsf {P}}(\mathcal {B} _1)}.$$

Since b is either 0 or 1 each with probability \(\frac{1}{2}\), we have by the triangle inequality:

$${\left| {\Pr [\text {Win}]-\Pr [\text {Lose}]}\right| } \le 2\sqrt{\mathrm {Adv}^{\mathrm {\mathsf {OW}{\text {-}}\mathsf {CPA}}}_{\mathsf {P}}(\mathcal {B} _1)}$$

so that \({\left| {w_{5}- \frac{1}{2}}\right| } \le \sqrt{\mathrm {Adv}^{\mathrm {\mathsf {OW}{\text {-}}\mathsf {CPA}}}_{\mathsf {P}}(\mathcal {B} _1)}\).

Summing up the differences in the previous games, we have

$${\left| {w_0- \frac{1}{2}}\right| } \le \sqrt{\mathrm {Adv}^{\mathrm {\mathsf {OW}{\text {-}}\mathsf {CPA}}}_{\mathsf {P}}(\mathcal {B} _1)}+ \frac{1}{2}\mathrm {Adv}^{\mathrm {\mathsf {FFC}}}_{\mathsf {P}}(\mathcal {B} _2) + \frac{\epsilon }{2} + \mathrm {Adv}^{\mathrm {\mathsf {PRF}}}_{\mathsf {F}}(\mathcal {B} _3) $$

and finally

$$\mathrm {Adv}^{\mathrm {\mathsf {IND}{\text {-}}\mathsf {CCA}}}_{U^{\not \bot }(\mathsf {P})}(\mathcal {A}) \le 2\sqrt{\mathrm {Adv}^{\mathrm {\mathsf {OW}{\text {-}}\mathsf {CPA}}}_{\mathsf {P}}(\mathcal {B} _1)} + 2\cdot \mathrm {Adv}^{\mathrm {\mathsf {PRF}}}_{\mathsf {F}}(\mathcal {B} _3) + \mathrm {Adv}^{\mathrm {\mathsf {FFC}}}_{\mathsf {P}}(\mathcal {B} _2) +\epsilon .$$

This completes the proof of Theorem 2.    \(\square \)

Tightness. This bound is essentially tight, since breaking the one-wayness of \(\mathsf {P}\) and finding decryption failures are both known to result in attacks. Breaking the PRF harms security if and only if implicit rejection is more secure than explicit rejection. For a correct \(\mathsf {P}\) the bound boils down to the first two terms of the sum. The square-root loss arises from OW being a weaker security notion than IND [MW18], i.e., harder to break, and recent results [JZM19b] suggest that the square-root loss might be unavoidable in the quantum setting.

3.3 Decryption Failures

When the dPKE is constructed by derandomizing an rPKE, we can also bound the \(\mathsf {FFC}\) advantage.

Lemma 6

Let \(\mathsf {P} =(\mathrm {Keygen},\mathrm {Encr},\mathrm {Decr})\) be a \(\delta \)-correct rPKE with messages in \(\mathcal {M}\) and randomness in \(\mathcal {R}\). Let \(G:\mathcal {M}\rightarrow \mathcal {R}\) be a random oracle, so that \(T(\mathsf {P},G) := (\mathrm {Keygen},\mathrm {Encr} _1,\mathrm {Decr})\) is a derandomized version of \(\mathsf {P} \). Suppose that \(T(\mathsf {P},G)\) is \(\epsilon \)-injective. Let \(\mathcal {A} \) be a \(\mathsf {FFC}\) adversary against \(T(\mathsf {P},G)\) which makes at most q queries at depth d to G and returns a list of at most \(q_\mathrm {dec}\) ciphertexts. Then

$$\mathrm {Adv}^{\mathrm {\mathsf {FFC}}}_{T(\mathsf {P},G)}(\mathcal {A}) \le ((4d+1)\delta +\sqrt{3\epsilon })\cdot (q+q_{\mathrm {dec}})+\epsilon .$$

Proof

See Appendix E.

Note that if \(\epsilon \) is negligible, and if the adversary can recognize which ciphertexts will fail, then this is a Grover bound.

4 Explicit Rejection and Key Confirmation

We now turn to systems with explicit rejection or key confirmation. The next theorem shows that the transform \(U^{\bot }\) (with explicit rejection) never yields KEMs that are more secure than KEMs constructed via \(U^{\not \bot }\) (with implicit rejection).

Theorem 3

(Explicit \(\rightarrow \) implicit). Let \(\mathsf {P}\) be a dPKE. Let \(\mathcal {A} \) be an \(\mathsf {IND}{\text {-}}\mathsf {CCA}\) adversary against \(U^{\not \bot }(\mathsf {P},\mathsf {F},H)\). Then there is an \(\mathsf {IND}{\text {-}}\mathsf {CCA}\) adversary \(\mathcal {B} \) against \(U^{\bot }(\mathsf {P},H)\), running in about the same time and resources as \(\mathcal {B} \), such that

$$\mathrm {Adv}^{\mathrm {\mathsf {IND}{\text {-}}\mathsf {CCA}}}_{U^{\not \bot }(\mathsf {P},\mathsf {F},H)}(\mathcal {A}) = \mathrm {Adv}^{\mathrm {\mathsf {IND}{\text {-}}\mathsf {CCA}}}_{U^{\bot }(\mathsf {P},H)}(\mathcal {B}).$$

Proof

The only difference between \(U^{\bot }(\mathsf {P},H)\) and \(U^{\not \bot }(\mathsf {P},\mathsf {F},H)\) is that where the former would reject a ciphertext c by returning \(\bot \), the latter instead returns \(\mathsf {F} (\mathrm {prfk},c)\). So the adversary \(\mathcal {B} \) can simply choose a random PRF key \(\mathrm {prfk}\), run \(\mathcal {A}\), and output \(\mathcal {A}\)’s result. \(\mathcal {B}\) forwards all of \(\mathcal {A}\)’s queries to its oracles and returns the responses with the only difference that in case the decapsulation oracle returns \(\bot \), \(\mathcal {B}\) returns \(\mathsf {F} (\mathrm {prfk},c)\). The algorithm \(\mathcal {B}\) perfectly simulates the \(\mathsf {IND}{\text {-}}\mathsf {CCA}\) game for \(U^{\not \bot }(\mathsf {P},\mathsf {F},H)\) and hence \(\mathcal {A}\) succeeds with the same success probability as in the original game.    \(\square \)

On the other hand, explicit rejection is secure if key confirmation is used. Key confirmation refers to adding a hash of the message to the cipher text. Let \(\tau \) be the number of bits desired for the key-confirmation tag. For a PKE \(\mathsf {P} =(\mathrm {Keygen},\mathrm {Encr},\mathrm {Decr})\) define the transform \(C(\mathsf {P},H_t,\tau ) := (\mathrm {Keygen},\mathrm {Encr} _1,\mathrm {Decr} _1)\) using a random oracle \(H_t:\mathcal {M}\rightarrow \{0,1\}^\tau \) as in Fig. 4.

Fig. 4.

Transform \(C(\mathsf {P},H_t,\tau ):=(\mathrm {Keygen},\mathrm {Encr} _1,\mathrm {Decr} _1)\).

Theorem 4

(Implicit \(\rightarrow \) explicit with key confirmation). Let \(\mathsf {P}\) be an \(\epsilon \)-injective dPKE. Consider the KEM \(\mathsf {K} _1 := U^{\bot }_m(C(\mathsf {P},H_t,\tau ),H_s)\) obtained from \(\mathsf {P}\) applying the \(C\)-transform with random oracle \(H_t:\mathcal {M}\rightarrow \{0,1\}^\tau \) and the \(U^{\bot }_m\)-transform with independent random oracle \(H_s:\mathcal {M}\rightarrow \{0,1\}^\varsigma \). Let \(\mathsf {K} _2 := U^{\not \bot }_m(\mathsf {P},\mathsf {F}, H)\) be the KEM obtained from \(\mathsf {P}\) applying the \(U^{\not \bot }_m\)-transform with random oracle \(H:\mathcal {M}\rightarrow \{0,1\}^{\varsigma +\tau }\).

If \(\mathcal {A} \) is an \(\mathsf {IND}{\text {-}}\mathsf {CCA}\)-adversary against \(\mathsf {K} _1\) which makes \(q_\mathrm {dec}\) decapsulation queries, then it is also an \(\mathsf {IND}{\text {-}}\mathsf {CCA}\)-adversary against \(\mathsf {K} _2\) and there is a \(\mathsf {PRF}\)-adversary \(\mathcal {B} \) against \(\mathsf {F} \) which uses about the same time and resources as \(\mathcal {A} \), such that:

$$\mathrm {Adv}^{\mathrm {\mathsf {IND}{\text {-}}\mathsf {CCA}}}_{\mathsf {K} _1}(\mathcal {A}) \le 2\cdot \mathrm {Adv}^{\mathrm {\mathsf {IND}{\text {-}}\mathsf {CCA}}}_{\mathsf {K} _2}(\mathcal {A}) + \frac{q_\mathrm {dec}}{2^{\tau -1}} + 2\cdot \mathrm {Adv}^{\mathrm {\mathsf {PRF}}}_{\mathsf {F}}(\mathcal {B}) + 2\epsilon .$$

Proof

Deferred to Appendix F.

Finally, we can show that hashing m is equivalent to hashing \((m,c)\) in the next theorem.

Theorem 5

(\(U_m\leftrightarrow U\)). Let \(\mathsf {P} \) be a dPKE. Let \(\mathsf {K} _1=U^\bot (\mathsf {P},H_1)\) and \(\mathsf {K} _2=U^\bot _m(\mathsf {P},H_2)\). Then \(\mathsf {K} _1\) is \(\mathsf {IND}{\text {-}}\mathsf {CCA}\) secure if and only if \(\mathsf {K} _2\) is \(\mathsf {IND}{\text {-}}\mathsf {CCA}\) secure. In other words, if there is an adversary \(\mathcal {A} \) against one, then there is an adversary \(\mathcal {B} \) against the other, running in about the same time and with the same advantage.

The same is true for \(U^{\not \bot }\) and \(U^{\not \bot }_m\).

Proof

This is a simple indifferentiability argument. In both the encapsulation and decapsulation functions, the \(\mathsf {IND}{\text {-}}\mathsf {CCA}\) experiment against \(\mathsf {K} _1\) only calls \(H_1(m,c)\) when \(c =\mathrm {Encr} (\mathrm {pk},m)\). So to simulate the \(\mathsf {K} _1\)-experiment playing in an \(\mathsf {IND}{\text {-}}\mathsf {CCA}\) experiment against \(\mathsf {K} _2\) (with oracle \(H_2: \mathcal {M}\rightarrow \mathcal {K}\)), sample fresh random oracle and set

$$H_1(m,c) := \left\{ \begin{array}{ll} H_2(m), &{} \text {if}\ c =\mathrm {Encr} (\mathrm {pk},m), \\ H(m,c), &{} \text {otherwise}. \end{array}\right. $$

This exactly simulates the \(\mathsf {IND}{\text {-}}\mathsf {CCA}\) experiment against \(\mathsf {K} _1\). In the other direction, to simulate the \(\mathsf {IND}{\text {-}}\mathsf {CCA}\) experiment against \(\mathsf {K} _2\) it suffices to redirect \(H_2(m)\) to \(H_1(m,\mathrm {Encr} (\mathrm {pk},m))\).

The same technique works for \(U^{\not \bot }\) and \(U^{\not \bot }_m\). It also works for security notions other than \(\mathsf {IND}{\text {-}}\mathsf {CCA}\), such as \(\mathsf {OW}{\text {-}}\mathsf {CCA}\), \(\mathsf {OW}{\text {-}}\mathsf {qPVCA}\), etc. (see for example [JZC+18]).    \(\square \)

Appendices

A Security Notions and Definitions

In this section we recall the definition of KEMs and PKEs. Additionally, we recall the respective security notions that are needed in this paper. We begin with a definition of random oracles following [BDF+11] and summarized in Fig. 5.

Fig. 5.

Definition of the classical and quantum random oracle

Definition 4

(Public-Key Encryption Schemes). A randomized public-key encryption scheme (rPKE) is defined over a finite message space \(\mathcal {M}{}\), a ciphertext space \(\mathcal {C}\), a secret key space \(\mathcal {SK}_{}\) and a public key space \(\mathcal {PK}_{}\). It consists of a triple of algorithms \(\mathsf {P} =(\mathrm {Keygen}, \mathrm {Encr},\) \(\mathrm {Decr})\) defined as follows.

• \(\mathrm {Keygen} () \rightarrow (\mathrm {pk}, \mathrm {sk})\) is a randomized algorithm that returns a secret key \(\mathrm {sk} \in \mathcal {SK}_{}\) and a public key \(\mathrm {pk} \in \mathcal {PK}_{}\).

• \(\mathrm {Encr} (\mathrm {pk},\mathrm {m})\rightarrow c\) is a randomized algorithm that takes as input a public key \(\mathrm {pk} \) and a message \(\mathrm {m} \in \mathcal {M}{}\), and outputs a ciphertext \(c\in \mathcal C\).

• \(\mathrm {Decr} (\mathrm {sk},c)\rightarrow \{\mathrm {m} ',\bot \}\) is a deterministic algorithm that takes as input a secret key \(\mathrm {sk} \in \mathcal {SK}_{}\) and a ciphertext \(c\in \mathcal C\) and returns either a message \(\mathrm {m} '\in \mathcal {M}{}\) or a failure symbol \(\bot \notin \mathcal {M}\).

A deterministic public-key encryption scheme (dPKE) is defined the same way, except that \(\mathrm {Encr} \) is a deterministic algorithm.

Definition 5

(Correctness and failure probability of PKEs). A PKE \(\mathsf {P} =(\mathrm {Keygen}, \mathrm {Encr}, \mathrm {Decr})\) is \(\delta \)-correct if

$$\mathrm {E}\left[ \max _{\mathrm {m} \in \mathcal {M}}\ \Pr [\mathrm {Decr} (\mathrm {sk},\mathrm {Encr} (\mathrm {pk},\mathrm {m}))\ne \mathrm {m} ]:(\mathrm {pk}, \mathrm {sk})\leftarrow \mathrm {Keygen} ()\right] \le \delta .$$

We call \(\delta \) the decryption failure probability of \(\mathsf {P} \). We say \(\mathsf {P}\) is correct if \(\delta =0\).

Note that this definition works for a deterministic or randomized PKE, but for a deterministic PKE the term \(\max _{\mathrm {m} \in \mathcal {M}}\ \Pr [\mathrm {Decr} (\mathrm {sk},\mathrm {Encr} (\mathrm {pk},\mathrm {m}))\) is either 0 or 1 for each keypair.

Definition 6

(Injectivity of PKEs). A dPKE \(\mathsf {P} =(\mathrm {Keygen}, \mathrm {Encr}, \mathrm {Decr})\) is \(\epsilon \)-injective if

We say \(\mathsf {P}\) is injective if \(\epsilon =0\). We say that an rPKE is injective if for all public keys \(\mathrm {pk} \), all \(m\ne m'\) and all coins \(r,r'\), we have \(\mathrm {Encr} (\mathrm {pk},m,r) \ne \mathrm {Encr} (\mathrm {pk},m',r')\).

Definition 7

\(\mathbf{(}{\mathsf {OW}{\text {-}}\mathsf {CPA}}\) Advantage). Let \(\mathsf {P} =(\mathrm {Keygen}, \mathrm {Encr},\) \(\mathrm {Decr})\) be a dPKE or rPKE. The one-way under chosen-plaintext attacks \((\mathsf {OW}{\text {-}}\mathsf {CPA})\) experiment is shown in Fig. 6. The \(\mathsf {OW}{\text {-}}\mathsf {CPA}\)-advantage of an adversary \(\mathcal {A}\) is defined as

$$\mathrm {Adv}^{\mathrm {\mathsf {OW}{\text {-}}\mathsf {CPA}}}_{\mathsf {P}}(\mathcal {A}) := \Pr [\mathrm {Expt}^{\mathsf {OW}{\text {-}}\mathsf {CPA} {}}_{\mathsf {P}}(\mathcal {A})\rightarrow 1].$$

Note that some papers, e.g., [JZM19c], define \(\mathsf {OW}{\text {-}}\mathsf {CPA}\)-advantage this way, and some, e.g., [HHK17], instead use the looser condition that \(\mathrm {Encr} (\mathrm {pk},\mathrm {m} ')=c ^*\), particularly if \(\mathrm {Encr}\) is deterministic. We use the definition in Fig. 6 because it is more convenient for our proofs of Theorems 1 and 2.

Definition 8

\(\mathbf{(}{\mathsf {IND}{\text {-}}\mathsf {CPA}}\) Advantage). Let \(\mathsf {P} =(\mathrm {Keygen}, \mathrm {Encr},\) \(\mathrm {Decr})\) be an rPKE. The indistinguishability under chosen-plaintext attacks \((\mathsf {IND}{\text {-}}\mathsf {CPA})\) experiment is shown in Fig. 6. The \(\mathsf {IND}{\text {-}}\mathsf {CPA}\)-advantage of an adversary \(\mathcal {A} =(\mathcal {A} _1,\mathcal {A} _2)\) is defined as

$$\mathrm {Adv}^{\mathrm {\mathsf {IND}{\text {-}}\mathsf {CPA}}}_{\mathsf {P}}(\mathcal {A}) := 2{\left| {\Pr [\mathrm {Expt}^{\mathsf {IND}{\text {-}}\mathsf {CPA} {}}_{\mathsf {P}}(\mathcal {A})\rightarrow 1]-\frac{1}{2}}\right| }.$$

Note that \(\mathsf {IND}{\text {-}}\mathsf {CPA}\) is unachievable for dPKEs, because \(\mathcal {A} \) can just test which message encrypts to \(c^*\).

A weakening of \(\mathsf {IND}{\text {-}}\mathsf {CPA}\) is \(\mathsf {IND}{\text {-}}\mathsf {KPA}\) where the challenge messages are chosen by the experiment.

Definition 9

\(\mathbf{(}{\mathsf {IND}{\text {-}}\mathsf {KPA}}\) Advantage). Let \(\mathsf {P} =(\mathrm {Keygen}, \mathrm {Encr},\) \(\mathrm {Decr})\) be an rPKE. The indistinguishability under known-plaintext attack \((\mathsf {IND}{\text {-}}\mathsf {KPA})\) experiment is shown in Fig. 6. The \(\mathsf {IND}{\text {-}}\mathsf {KPA}\)-advantage of an adversary \(\mathcal {A} \) is defined as

$$\mathrm {Adv}^{\mathrm {\mathsf {IND}{\text {-}}\mathsf {KPA}}}_{\mathsf {P}}(\mathcal {A}) := 2{\left| {\Pr [\mathrm {Expt}^{\mathsf {IND}{\text {-}}\mathsf {KPA} {}}_{\mathsf {P}}(\mathcal {A})\rightarrow 1]-\frac{1}{2}}\right| }.$$

Clearly \(\mathsf {IND}{\text {-}}\mathsf {CPA} \Rightarrow \mathsf {IND}{\text {-}}\mathsf {KPA} \) as any \(\mathsf {IND}{\text {-}}\mathsf {KPA}\) adversary can be used to break \(\mathsf {IND}{\text {-}}\mathsf {CPA}\) using it as \(\mathcal {A} _2\) and simulating \(\mathcal {A} _1\) by just sampling random messages.

Fig. 6.

\(\mathsf {OW}{\text {-}}\mathsf {CPA}\), \(\mathsf {IND}{\text {-}}\mathsf {CPA}\), and \(\mathsf {IND}{\text {-}}\mathsf {KPA}\) of a PKE \(\mathsf {P}\). The instantiation of H generalizes to any number of random oracles, including zero.

Definition 10

\(\mathbf{(}{\mathsf {PRF}}\) Advantage). Let \(\mathsf {F}:\mathcal {K}_\mathsf {F} \times X \rightarrow Y\) be a pseudorandom function (PRF). We define the \(\mathsf {PRF}\)-advantage of an adversary \(\mathcal {A} \) as

Definition 11

(Key Encapsulation Mechanism). A KEM \(\mathsf {K} \) defined over the message space \(\mathcal {M}{}\), the public key space \(\mathcal {PK}_{}\), the secret key space \(\mathcal {SK}_{}\), and the key space \(\mathcal {K}\), is a triple of algorithms \(\mathsf {K} =(\mathrm {Keygen}, \mathrm {Encaps},\) \(\mathrm {Decaps})\) defined as follows.

• \(\mathrm {Keygen} () \rightarrow (\mathrm {pk}, \mathrm {sk})\) is a randomized algorithm that returns a public key \(\mathrm {pk} \in \mathcal {PK}_{}\) and a secret key \(\mathrm {sk} \in \mathcal {SK}_{}\).

• \(\mathrm {Encaps} (\mathrm {pk})\rightarrow (c,\kappa )\) is a randomized algorithm that takes as input a public key \(\mathrm {pk} \) and outputs a ciphertext c as well as a key \(\kappa \in K\).

• \(\mathrm {Decaps} (\mathrm {sk},c)\rightarrow \kappa \) or \(\bot \) is a deterministic algorithm that takes as input a secret key \(\mathrm {sk} \in \mathcal {SK}_{}\) and a ciphertext c and returns a key \(\kappa \in K\) or a failure symbol \(\bot \notin K\).

As before, we use \(\mathcal {H}_{}\) to denote the space of functions from which the random hash function is randomly sampled if a proof for \(\mathsf {K} \) is being given in the ROM.

Definition 12

\(\mathbf{(}{\mathsf {IND}{\text {-}}\mathsf {CCA}}\) Advantage). Let \(\mathsf {K} \) be a KEM. The security experiment \(\mathrm {Expt}^{\mathsf {IND}{\text {-}}\mathsf {CCA}}_{\mathsf {K}}(\mathcal {A})\) is defined in Fig. 7 for an adversary \(\mathcal {A} \) against \(\mathsf {K} \), given access to a (quantum-accessible) random oracle H and a classical decapsulation oracle D.

We define the advantage of a classical (resp., quantum) adversary \(\mathcal {A} \) against a KEM \(\mathsf {K} \) in the classical (resp., quantum-accessible) random oracle model as

$$ \mathrm {Adv}^{\mathrm {\mathsf {IND}{\text {-}}\mathsf {CCA}}}_{\mathsf {K}}(\mathcal {A}) = \left| \Pr \left[ \mathrm {Expt}^{\mathsf {IND}{\text {-}}\mathsf {CCA}}_{\mathsf {K}}(\mathcal {A}) = 1\right] - \frac{1}{2} \right| . $$

Fig. 7.

IND-CCA security experiment in the (Q)ROM against an adversary \(\mathcal {A} \)

B Proof of Lemma 5

Lemma 5

(Double-sided O2H). Let \(G,H:X\rightarrow Y\) be random functions, let z be a random value, and let \(S\subset X\) be a random set such that \(\forall x\notin S, G(x)=H(x)\). (G, H, S, z) may have arbitrary joint distribution. Let \(\mathcal {A} ^H\) be a quantum oracle algorithm. Let \(f:X\rightarrow W\subseteq \{0,1\}^n\) be any function, and let f(S) denote the image of S under f. Let \(\mathsf {Ev}\) be an arbitrary classical event.

We will define another quantum oracle algorithm \(\mathcal {B} ^{G,H}(z)\). This \(\mathcal {B}\) runs in about the same amount of time as \(\mathcal {A}\), but when \(\mathcal {A}\) queries H, \(\mathcal {B}\) queries both G and H, and also runs f twice. Let

$$\begin{aligned}&P_\mathrm {left} := \Pr [\mathsf {Ev} : \mathcal {A} ^H(z)], \ P_\mathrm {right} := \Pr [\mathsf {Ev} : \mathcal {A} ^G(z)],\ P_\mathrm {extract} := \Pr [\mathcal {B} ^{G,H}(z)\in f(S)]. \end{aligned}$$

If \(f(S) = \{w^*\}\) is a single element, then \(\mathcal {B} \) will only return \(\bot \) or \(w^*\), and furthermore

$$ {\left| {P_\mathrm {left}-P_\mathrm {right}}\right| } \le 2\sqrt{P_\mathrm {extract}} \qquad \text {and}\qquad {\left| {\sqrt{P_\mathrm {left}}-\sqrt{P_\mathrm {right}}}\right| } \le 2\sqrt{P_\mathrm {extract}}. $$

Proof

The outline of our proof is to use the compressed oracle framework from [Zha19] to instantiate a new random oracle \(B:W\rightarrow \{0,1\}\). On query x, the simulator returns H(x) if \(B(f(x))=0\), or G(x) if \(B(f(x))=1\). The only value of B(z) that affects the result is \(b := B(w^*)\), so at the end of the computation the compressed oracle table for B must be either the empty table or \(\{w^*\rightarrow b\}\). Our proof quantizes and simplifies this outline.

To begin, suppose that G and H are fixed and \(\mathcal {A} \) is unitary. Consider an algorithm \(\mathcal {B} _0^{H,G}\) which runs \(\mathcal {A} ^{H}\) and \(\mathcal {A} ^{G}\) in superposition, with an additional bit b signifying which oracle is being used. Then if \(\mathcal {A} ^G\) behaves differently from \(\mathcal {A} ^H\), the state of \(\mathcal {A} \) will become entangled with b. We will use to signify that \(\mathcal {A} \) is using H, and to signify that \(\mathcal {A} \) is using G. That is:

This \(\mathcal {B} _0\) can be implemented as \(\mathcal {A} \) with only the oracle queries changed. To do this, let b start in the state . When \(\mathcal {A} \) queries the oracle, \(\mathcal {B} _0\) implements the following map on \(\left| {x,y,b}\right\rangle \):

This is the same as a conditional evaluation map which queries H if \(b=0\) and G if \(b=1\), with a Hadamard transform before and after.

Let \(\psi _H\) resp. \(\psi _G\) be the final states of \(\mathcal {A} ^H\) resp. \(\mathcal {A} ^G\). The final state of \(\mathcal {B} _0^{H,G}\) is

Suppose we measure b in the computational basis. This commutes with the final measurement of \(\mathcal {A} \)’s state. Then, we will measure 1 with probability \(\epsilon :={\left\Vert \left| {\psi _H}\right\rangle -\left| {\psi _G}\right\rangle \right\Vert }^2/4\), and hence,

$${\left\Vert \left| {\psi _H}\right\rangle -\left| {\psi _G}\right\rangle \right\Vert }= 2\sqrt{\epsilon }.$$

This \(2\sqrt{\epsilon }\) is the claimed probability bound, but we still need a way to extract \(w^*\). The full algorithm \(\mathcal {B} ^{H,G}\) is the same as \(\mathcal {B} _0\), but with a different final measurement and another auxiliary register \(w\in \{0,1\}^n\) (i.e. a register that can represent elements of w). The w register is initialized to 0.

We will ensure that except during queries, (b, w) will always be in the state (0, 0) or \((1,w^*)\). More formally, let \(T_w\) operate on the b and w registers by \(T_w(\left| {b,w}\right\rangle ) := \left| {b,w\oplus (b\cdot w^*)}\right\rangle \). Therefore \(T_w\) swaps (1, 0) with \((1,w^*)\). We will ensure that if at some step in the computation the state of \(\mathcal {B} _0^{H,G}\) is \(\psi \), then during the same step the state of \(\mathcal {B} ^{H,G}\) is \(T_w(\psi \otimes \left| {0}\right\rangle )\).

Since \(\mathcal {B} _0^{H,G}\) replaces the oracle queries with U, \(\mathcal {B} ^{H,G}\) should replace them with \(U_w := T_w\circ U\circ T_w^\dagger \). (This gives the desired result because \(T_w\) commutes with all the steps of \(\mathcal {A} \) except for the oracle queries.) To do this, let

$$T_f(\left| {x,y,b,w}\right\rangle ) := \left| {x,y,b,w\oplus (b\cdot f(x))}\right\rangle .$$

Then \(\mathcal {B} ^{H,G}\) replaces \(\mathcal {A} \)’s oracle queries with

$$U_f := T_f\circ U\circ T_f^\dagger .$$

In fact, \(U_f = U_w\). On the subspace where \(x\in S\), we have \(f(x)=w^*\) by assumption. Therefore \(T_f = T_w\) and \(U_f = U_w\). On the orthogonal subspace where \(x\notin S\), we have \(G(x)=H(x)\), so the operation U does not depend on b or w. Therefore on that subspace, U commutes with \(T_f\) and \(T_w\), so that \(U_f=U=U_w\). In sum, \(U_f=U_w\) is an efficient implementation of the oracle by \(\mathcal {B} ^{H,G}\).

When \(\mathcal {A} \) completes, \(\mathcal {B} ^{H,G}\) measures (b, w) in the computational basis. With probability \(\epsilon \) it measures \((1,w^*)\), in which case it outputs \(w^*\). Otherwise it measures (0, 0), in which case it outputs \(\bot \).

The event \(\mathsf {Ev}\) is classical and well-defined. Therefore whether it occurred is a binary measurement on the final state of \(\mathcal {A} \) as a density operator. By [AHU19] Lemmas 3 and 4,

$$ {\left| {\Pr [\mathsf {Ev}:\mathcal {A} ^{H}]-\Pr [\mathsf {Ev}:\mathcal {A} ^{G}]}\right| } \le {\left\Vert \left| {\psi _0}\right\rangle -\left| {\psi _1}\right\rangle \right\Vert } \le 2\sqrt{\Pr [\mathcal {B} ^{H,G}\rightarrow w^*]} $$

and likewise

$$ {\left| {\sqrt{\Pr [\mathsf {Ev}:\mathcal {A} ^{H}]}-\sqrt{\Pr [\mathsf {Ev}:\mathcal {A} ^{G}]}}\right| } \le {\left\Vert \left| {\psi _0}\right\rangle -\left| {\psi _1}\right\rangle \right\Vert } \le 2\sqrt{\Pr [\mathcal {B} ^{H,G}\rightarrow w^*]}. $$

This completes the proof for unitary adversaries \(\mathcal {A} \) with a fixed H and G.

For non-unitary adversaries and for random distributions of H, G, we instead end in a mixture of states \(\varPsi _0\) resp. \(\varPsi _1\), for which Euclidean distance is not appropriate but the Bures distance [NC00] is. By monotonicity and joint concavity of fidelity (exactly as in [AHU19] Lemma 6 and 9), the same bound holds for the Bures distance:

$$ {\left| {\Pr [\mathsf {Ev}:\mathcal {A} ^{H}]-\Pr [\mathsf {Ev}:\mathcal {A} ^{G}]}\right| } \le B(\varPsi _0,\varPsi _1) \le 2\sqrt{\Pr [\mathcal {B} ^{H,G}\rightarrow w^*]} $$

and likewise

$$ {\left| {\sqrt{\Pr [\mathsf {Ev}:\mathcal {A} ^{H}]}-\sqrt{\Pr [\mathsf {Ev}:\mathcal {A} ^{G}]}}\right| } \le B(\varPsi _0,\varPsi _1) \le 2\sqrt{\Pr [\mathcal {B} ^{H,G}\rightarrow w^*]}. $$

This completes the proof in the general case.    \(\square \)

C Proof of Theorem 1

Theorem 1

Let \(\mathsf {P} \) be an rPKE with messages in \(\mathcal {M}{}\) and random coins in \(\mathcal {R}{}\). Let \(G:\mathcal {M}{}\rightarrow \mathcal {R}{}\) be a quantum-accessible random oracle. Let \(\mathcal {A}\) be an \(\mathsf {OW}{\text {-}}\mathsf {CPA} \) adversary against \(\mathsf {P} ':=T(\mathsf {P},G)\). Suppose that \(\mathcal {A} \) queries G at most q times with depth at most d.

Then we can construct an \(\mathsf {IND}{\text {-}}\mathsf {CPA}\) adversary \(\mathcal {B}\) against \(\mathsf {P} \), running in about the same time and resources as \(\mathcal {A}\), such that

$$\mathrm {Adv}^{\mathrm {\mathsf {OW}{\text {-}}\mathsf {CPA}}}_{\mathsf {P} '}(\mathcal {A}) \le (d+2)\cdot \left( \mathrm {Adv}^{\mathrm {\mathsf {IND}{\text {-}}\mathsf {CPA}}}_{\mathsf {P}}(\mathcal {B}) +\frac{8(q+1)}{{\left| {\mathcal {M}{}}\right| }}\right) . $$

Proof

Let \(\mathcal {A} _1\) be the same as \(\mathcal {A} \), except that at the end after choosing an output m, it computes and discards G(m). Therefore it makes at most \(q+1\) queries at depth at most \(d+1\). This is a formality so that returning the correct m will count as a \(\mathsf {Find}\) (cf. Definition 1) later in the proof. Clearly the two algorithms \(\mathcal {A} \) and \(\mathcal {A} _1\) have the same \(\mathsf {OW}{\text {-}}\mathsf {CPA}\)-advantage against \(\mathsf {P} '\).

We actually show a slightly stronger result, constructing an \(\mathsf {IND}{\text {-}}\mathsf {KPA}\) adversary \(\mathcal {B} \). The \(\mathsf {IND}{\text {-}}\mathsf {KPA}\) adversary \(\mathcal {B} \) (cf. Definition 9) is given the tuple

$$(\mathrm {pk},m_0,m_1,c)\ \ \text {where}\ \ c=\mathrm {Encr} (\mathrm {pk},m_b;r).$$

It wants to determine whether \(b=0\) or \(b=1\). The algorithm \(\mathcal {B} \) creates a fresh random oracle G and runs

$$\mathcal {A} _1^{{G}\backslash {\{m_0,m_1\}}}(\mathrm {pk},c).$$

Suppose \(\mathsf {Find}\) occurs, i.e., a query \(x\in \{m_0,m_1\}\) was asked by \(\mathcal {A} \) to its oracle G. Then \(\mathcal {B} \) measures whether the query x was \(m_0\) or \(m_1\), and returns the corresponding b. If \(\mathsf {Find}\) does not occur, or if \(\mathsf {Find}\) occurs but both \(m_0\) and \(m_1\) were queried, then \(\mathcal {B} \) guesses b at random.

Let \(G'\) be the oracle such that \(G'(m_b) = r\) gives the encryption coins used to encrypt \(m_b\), but \(G'(m)=G(m)\) for all other messages m. \(G'\) is unknown to \(\mathcal {B} \), but we can still analyze \(\mathcal {A} \)’s behavior when run with \(G'\) instead of G.

By construction, \(\mathcal {A} _1^{{G'}\backslash {\{m_0,m_1\}}}\) cannot return \(m_b\) without causing \(\mathsf {Find}\). Hence,

$$\begin{aligned} \sqrt{\mathrm {Adv}^{\mathrm {\mathsf {OW}{\text {-}}\mathsf {CPA}}}_{\mathsf {P} '}(\mathcal {A})}&= \sqrt{\Pr [\mathcal {A} ^{G'}\rightarrow m_b]} \\&= {\left| {\sqrt{\Pr \left[ \mathcal {A} _1^{G'}\rightarrow m_b\right] }}\right| } - \underbrace{\sqrt{\Pr \left[ \mathcal {A} _1^{{G'}\backslash {\{m_0,m_1\}}}\rightarrow m_b\wedge \lnot \mathsf {Find} \right] }}_{=\ 0} \\&\!\!\!\! {\mathop {\le }\limits ^{\text {Lem. 3}}}\sqrt{(d+2)\cdot \Pr \left[ \mathsf {Find}:\mathcal {A} _1^{{G'}\backslash {\{m_0,m_1\}}}\right] }. \end{aligned}$$

Squaring both sides,

$$\begin{aligned} \mathrm {Adv}^{\mathrm {\mathsf {OW}{\text {-}}\mathsf {CPA}}}_{\mathsf {P} '}(\mathcal {A})&\le {(d+2)\cdot \Pr \left[ \mathsf {Find}:\mathcal {A} _1^{{G'}\backslash {\{m_0,m_1\}}}\right] } \\&\!\!\!\! {\mathop {=}\limits ^{\text {Lem. 2}}} {(d+2)\cdot \Pr \left[ \mathsf {Find}:\mathcal {A} _1^{{G}\backslash {\{m_0,m_1\}}}\right] } \\&= {(d+2)\cdot \Pr \left[ \mathsf {Find}:\mathcal {B} \right] }. \end{aligned}$$

Now decompose \(\mathsf {Find} \) as \(\mathsf {Find} _{b}\vee \mathsf {Find} _{\lnot b}\), where the former event means that \(\mathsf {Find} \) occurs and \(m_b\) is measured, and latter means that \(\mathsf {Find} \) occurs and \(m_{\lnot b}\) is measured. They can both occur if \(\mathcal {A} \) makes multiple queries simultaneously, but \(\mathrm {Adv}^{\mathrm {\mathsf {IND}{\text {-}}\mathsf {KPA}}}_{\mathsf {P}}(\mathcal {B}) = {\left| {\Pr [\mathsf {Find} _b]-\Pr [\mathsf {Find} _{\lnot b}]}\right| }\) regardless.

Moreover, since \(\mathcal {B} \) measures m whenever \(\mathsf {Find}\) occurs, we can view \({G}\backslash {\{m_0,m_1\}} \) as \({G''}\backslash {\{m_{\lnot b}\}}:={\left( {G}\backslash {\{m_b\}} \right) }\backslash {\{m_{\lnot b}\}} \). Since \(\mathcal {A} \) has no information about \(m_{\lnot b}\) except from puncturing, it holds for any m that

$$\Pr \left[ m \in \{m_{\lnot b}\}\ : \mathcal {A} ^{G''}\right] = 1/{\left| {\mathcal {M}}\right| } =: \epsilon .$$

By (the second statement in) Lemma 4, we have

$$\Pr [\mathsf {Find} _{\lnot b}:\mathcal {B} ] \le 4 (q+1)\epsilon = \frac{4(q+1)}{{\left| {\mathcal {M}}\right| }}.$$

Hence,

$$\begin{aligned} \mathrm {Adv}^{\mathrm {\mathsf {IND}{\text {-}}\mathsf {KPA}}}_{\mathsf {P} '}(\mathcal {B})= & {} {\left| {\Pr \left[ \mathsf {Find} _{b}:\mathcal {B} \right] -\Pr \left[ \mathsf {Find} _{\lnot b:\mathcal {B}}\right] }\right| } \\ {}\ge & {} \Pr \left[ \mathsf {Find}:\mathcal {B} \right] - 2\,\,\Pr \left[ \mathsf {Find} _{\lnot b}:\mathcal {B} \right] \\ {}\ge & {} \Pr \left[ \mathsf {Find}:\mathcal {B} \right] - 8(q+1)/{\left| {\mathcal {M}}\right| }. \end{aligned}$$

Taking into account that \(\mathrm {Adv}^{\mathrm {\mathsf {IND}{\text {-}}\mathsf {KPA}}}_{\mathsf {P}}(\mathcal {B}) \le \mathrm {Adv}^{\mathrm {\mathsf {IND}{\text {-}}\mathsf {CPA}}}_{\mathsf {P}}(\mathcal {B}) \) and combining these results gives

$$ \mathrm {Adv}^{\mathrm {\mathsf {OW}{\text {-}}\mathsf {CPA}}}_{\mathsf {P} '}(\mathcal {A}) \le (d+2)\cdot \left( \mathrm {Adv}^{\mathrm {\mathsf {IND}{\text {-}}\mathsf {CPA}}}_{\mathsf {P}}(\mathcal {B}) +\frac{8(q+1)}{{\left| {\mathcal {M}}\right| }}\right) $$

as claimed.    \(\square \)

IND vs. OW. Our \(\mathcal {B} \) is a distinguishing adversary, not a one-way adversary. The reason is that \(\mathcal {A} \) can check whether a given m is the challenge message, but if \(\mathsf {P} \) is semantically secure then \(\mathcal {B} \) cannot check this. Instead \(\mathcal {B} \) would have to pick a random query to measure, which still works using Lemma 1, but with an additional factor of q tightness loss. That is, the one-way problem is potentially harder for a randomized encryption scheme than for a deterministic one. The authors discussed using a new “one-way with confirmation oracle” security game to more tightly capture the OW vs. IND tradeoff, but decided that it is simpler to just reduce to \(\mathsf {IND}{\text {-}}\mathsf {CPA}\).

We also note that ordinarily distinguishing adversaries are much harder to amplify than one-way adversaries, but \(\mathcal {B} \) is constructed to either output with relative certainty if \(\mathsf {Find}\), or to fail and guess at random. This means that its advantage will still be high in the Micciancio-Walter notion of cryptographic advantage [MW18]. It is likely that the \(8(q+1)/{\left| {\mathcal {M}}\right| }\) could be reduced to a \(4(q+1)/{\left| {\mathcal {M}}\right| }\) without this requirement.

D Why Encryption Is Usually Injective for LWE

Here we outline why we expect \(\mathrm {Encr} ^G(\mathrm {pk},\cdot )\) to be an injective function for the overwhelming majority of public keys \(\mathrm {pk} \) in a derandomized PKE based on Learning with Errors (LWE). Consider a typical LWE PKE, where the public key has the form \((A,S=sA+e)\) where s and e are small of dimension n, and ciphertexts have the form \((As'+e', \left\lceil Xs'+e'+\mathrm {encode}(m)\right\rfloor )\). Encryption will fail to be injective for some G if there are \((s'_0, e'_0) = G(m_0)\) and \((s'_1, e'_1) = G(m_1)\) such that

$$As_0'+e_0' = As_1'+e_1' \ \ \text {and}\ \ \left\lceil Xs_0'+e_0'+\mathrm {encode}(m_0)\right\rfloor = \left\lceil Xs_1'+e_1'+\mathrm {encode}(m_1)\right\rfloor .$$

For correctness, the rounded component is always larger than the message space, and is generally larger than \({\left| {M}\right| }^2\). The unrounded component has size at least \(q^n\) which is larger still. The function \((s'_0,e'_0)\rightarrow As'_0+e'_0\) is almost a universal hash unless \(s'_0\) has large nullity, which is highly unlikely for any secure PKE. So the probability of collision with fewer than \({\left| {M}\right| }^2\) message pairs is not much bigger than \(q^{-n}\), which is negligible.

E Proof of Lemma 6

To prove Lemma 6, we first show a result about Bernoulli variables.

Lemma 7

Let \(\{e_i:1\le i\le n\}\) be a collection of n independent Bernoulli variables. Let \(\delta := \max \ \Pr [e_i]\), and for each integer j let \(p_j := \Pr \left[ \sum _{i=1}^n e_i = j\right] \).

Then \(p_1 \le \sqrt{3p_0 p_2 + \delta ^2}\le \sqrt{3p_2}+\delta \).

Proof

Let \(\epsilon _i := \Pr [e_i=1]\), and without loss of generality let

$$\delta =\epsilon _1\ge \epsilon _2\ge \ldots \ge \epsilon _n$$

be given in descending order. Then

$$ p_0 = \prod _{i=1}^n(1-\epsilon _i),\ \ p_1 = p_0\cdot \left( \sum _{i=1}^n\frac{\epsilon _i}{1-\epsilon _i}\right) ,\ \ p_2 = p_0\cdot \left( \sum _{i>j}\frac{\epsilon _i\epsilon _j}{(1-\epsilon _i)(1-\epsilon _j)}\right) $$

so that

$$\begin{aligned} p_1^2-3p_0p_2&= p_0^2\cdot \left( \sum _{i,j=1}^n\frac{\epsilon _i\epsilon _j}{(1-\epsilon _i)(1-\epsilon _j)} -3\sum _{i>j}\frac{\epsilon _i\epsilon _j}{(1-\epsilon _i)(1-\epsilon _j)} \right) \\ {}&= p_0^2\cdot \left( \sum _{i=1}^n\frac{\epsilon _i^2}{(1-\epsilon _i)^2}- \sum _{i>j}\frac{\epsilon _i\epsilon _j}{(1-\epsilon _i)(1-\epsilon _j)} \right) \\&\ge p_0^2\cdot \left( \sum _{i=1}^n\frac{\epsilon _i^2}{(1-\epsilon _i)^2}- \sum _{i=j+1}\frac{\epsilon _i\epsilon _j}{(1-\epsilon _i)(1-\epsilon _j)} \right) \\ {}&\ge p_0^2\cdot \left( \sum _{i=1}^n\frac{\epsilon _i^2}{(1-\epsilon _i)^2}- \sum _{i=2}^n\frac{\epsilon _i^2}{(1-\epsilon _i)^2} \right) \\ {}&= p_0^2 \cdot \frac{\epsilon _1^2}{(1-\epsilon _1)^2} \le \delta ^2. \end{aligned}$$

Hence, \(p_1^2-3p_0p_2 \le \delta ^2\) and \(p_1 \le \sqrt{3p_0p_2 + \delta ^2}\) as claimed.    \(\square \)

We are now ready to prove Lemma 6.

Lemma 6

Let \(\mathsf {P} =(\mathrm {Keygen},\mathrm {Encr},\mathrm {Decr})\) be a \(\delta \)-correct rPKE with messages in \(\mathcal {M}\) and randomness in \(\mathcal {R}\). Let \(G:\mathcal {M}\rightarrow \mathcal {R}\) be a random oracle, so that \(T(\mathsf {P},G) := (\mathrm {Keygen},\mathrm {Encr} _1,\mathrm {Decr})\) is a derandomized version of \(\mathsf {P} \). Suppose that \(T(\mathsf {P},G)\) is \(\epsilon \)-injective. Let \(\mathcal {A} \) be a \(\mathsf {FFC}\) adversary against \(T(\mathsf {P},G)\) which makes at most q queries at depth d to G and returns a list of at most \(q_\mathrm {dec}\) ciphertexts. Then

$$\mathrm {Adv}^{\mathrm {\mathsf {FFC}}}_{T(\mathsf {P},G)}(\mathcal {A}) \le ((4d+1)\delta +\sqrt{3\epsilon })\cdot (q+q_{\mathrm {dec}})+\epsilon .$$

Proof

Essentially, the idea is at follows: the adversary gets an advantage of about \(4dq\delta \) from querying G in search of failing ciphertexts, and at most \(q_\mathrm {dec}(\delta +3\sqrt{\epsilon })\) from guessing blindly. The latter term comes from considering ways that some blind guess could be a failing ciphertext: if it is the encryption of one message, then \(\delta \) is large, and if it is possibly the encryption of more than one message (e.g., as a general “encryption failed” output), then \(\epsilon \) is large. We will formalize this in what follows.

Generate a keypair \((\mathrm {pk},\mathrm {sk})\leftarrow \mathrm {Keygen} ()\) and oracle . Let

$$Y_\mathrm {m}:= \{r:\mathrm {Decr} (\mathrm {sk},\mathrm {Encr} (\mathrm {pk},\mathrm {m},r))= \mathrm {m} \}$$

be the set of coins such that decryption of \(\mathrm {m} \) will succeed. Let \(G'(\mathrm {m}) := G(\mathrm {m})\) if \(G(\mathrm {m})\in Y_\mathrm {m} \), if \(Y_\mathrm {m} =\emptyset \), and otherwise. Thus \(G'\) is uniformly random in the space \(\mathcal {G}\) of oracles where decryption succeeds if possible. Moreover, \(G'\) is independent of the behavior of messages and ciphertexts for \(T(\mathsf {P},G)\) which do not decrypt correctly.

Now, fix \((\mathrm {sk},\mathrm {pk})\) and \(G'\) and let

$$\delta ' := \max _{\mathrm {m} \in \mathcal {M}} \Pr [\mathrm {Decr} (\mathrm {sk},\mathrm {Encr} (\mathrm {pk},\mathrm {m}))\ne \mathrm {m} ]$$

be the failure probability for this keypair. Let \(\mathsf {DblFail}\) be the event that some ciphertext c is the encryption of two messages \(\mathrm {m} _1\) and \(\mathrm {m} _2\) such that \(\mathrm {Decr} (\mathrm {sk},c)\notin \{\mathrm {m} _1,\mathrm {m} _2\}\). We define \(\epsilon ' := \Pr [\mathsf {DblFail}]\). Both \(\delta '\) and \(\epsilon '\) are independent of \(G'\). In addition, let \(\mathsf {Fail}\) be the event that \(\mathcal {A}\) wins the \(\mathsf {FFC}\) game (see Definition 3), and \(\mathsf {Ev}:=\mathsf {Fail}\wedge \lnot \mathsf {DblFail}\). By Lemma 1, it holds that

$$\left| \sqrt{\Pr [\mathsf {Ev} : \mathcal {A} ^G(\mathrm {pk})]} - \sqrt{\Pr [\mathsf {Ev} : \mathcal {A} ^{G'}(\mathrm {pk})]}\right| \le 2d\sqrt{P_\mathrm {guess}}.$$

Since, conditioned on \(G'\), \(G(\mathrm {m})\ne G'(\mathrm {m})\) at each \(\mathrm {m} \) with probability at most \(\delta '\) and there are q/d guesses (in expectation), it holds furthermore that

$$ 2d\sqrt{P_\mathrm {guess}} \le \sqrt{4d^2P_\mathrm {guess}} \le \sqrt{4dq\delta '}.$$

Next we define for a ciphertext \(c \),

$$p_1(c):=\Pr [\exists \ \text {unique}\ \mathrm {m} \in \mathcal {M}: c =\mathrm {Encr} (\mathrm {pk},\mathrm {m},G(\mathrm {m}))\wedge \mathrm {Decr} (\mathrm {sk},c)\ne \mathrm {m} ].$$

(It is important to note that if \(\mathrm {m} \) exists but is not unique, then \(\mathsf {DblFail}\) occurs.) Furthermore, let \(p_1 := \max _c (p_1(c))\). Since \(p_1(c)\) and \(p_1\) are independent of \(G'\), we have

$$\Pr [\mathsf {Ev}:\mathcal {A} ^{G'}(\mathrm {pk})]\le q_\mathrm {dec}\cdot p_1.$$

By Lemma 7, \(p_1\le \delta '+\sqrt{3\epsilon '}\). Plugging this in and applying the Cauchy-Schwarz corollary \(\sqrt{ab}+\sqrt{cd}\le \sqrt{(a+c)(b+d)}\) gives

$$\begin{aligned} \sqrt{\Pr [\mathsf {Ev} : \mathcal {A} ^G(\mathrm {pk})]}&\le \sqrt{4dq\delta '} + \sqrt{q_\mathrm {dec}\cdot (\delta '+\sqrt{3\epsilon '})} \\ {}&\le \sqrt{((4d+1)\delta '+\sqrt{3\epsilon '})\cdot (q+q_{\mathrm {dec}})}. \end{aligned}$$

Finally, by definition of correctness and injectivity (see Definitions 5 and 6, respectively), it holds that \(\delta =\mathrm {E}\left[ \delta ':\mathrm {pk},G\right] \) and \(\epsilon \le \mathrm {E}\left[ \epsilon ':\mathrm {pk},G\right] \). By Jensen’s inequality, it holds furthermore that \(\sqrt{\epsilon }\le \mathrm {E}\left[ \sqrt{\epsilon '}:\mathrm {pk},G\right] \). Hence,

as claimed.    \(\square \)

F Proof of Theorem 4

Theorem 4

(Implicit \(\rightarrow \) explicit with key confirmation). Let \(\mathsf {P}\) be an \(\epsilon \)-injective dPKE. Consider the KEM \(\mathsf {K} _1 := U^{\bot }_m(C(\mathsf {P},H_t,\tau ),H_s)\) obtained from \(\mathsf {P}\) applying the \(C\)-transform with random oracle \(H_t:\mathcal {M}\rightarrow \{0,1\}^\tau \) and the \(U^{\bot }_m\)-transform with independent random oracle \(H_s:\mathcal {M}\rightarrow \{0,1\}^\varsigma \). Let \(\mathsf {K} _2 := U^{\not \bot }_m(\mathsf {P},\mathsf {F}, H)\) be the KEM obtained from \(\mathsf {P}\) applying the \(U^{\not \bot }_m\)-transform with random oracle \(H:\mathcal {M}\rightarrow \{0,1\}^{\varsigma +\tau }\).

If \(\mathcal {A} \) is an \(\mathsf {IND}{\text {-}}\mathsf {CCA}\)-adversary against \(\mathsf {K} _1\) which makes \(q_\mathrm {dec}\) decapsulation queries, then it is also an \(\mathsf {IND}{\text {-}}\mathsf {CCA}\)-adversary against \(\mathsf {K} _2\) and there is a \(\mathsf {PRF}\)-adversary \(\mathcal {B} \) against \(\mathsf {F} \) which uses about the same time and resources as \(\mathcal {A} \), such that:

$$\mathrm {Adv}^{\mathrm {\mathsf {IND}{\text {-}}\mathsf {CCA}}}_{\mathsf {K} _1}(\mathcal {A}) \le 2\cdot \mathrm {Adv}^{\mathrm {\mathsf {IND}{\text {-}}\mathsf {CCA}}}_{\mathsf {K} _2}(\mathcal {A}) + \frac{q_\mathrm {dec}}{2^{\tau -1}} + 2\cdot \mathrm {Adv}^{\mathrm {\mathsf {PRF}}}_{\mathsf {F}}(\mathcal {B}) + 2\epsilon .$$

Proof

The proof is by a series of games. Let \(w_i\) be the probability that \(\mathcal {A} \) wins Game i. At some point we will have two IND-CCA games running against \(\mathsf {K} _1\) and \(\mathsf {K} _2\) with different values of the challenge bit b. Call these values \(b_1\) and \(b_2\), respectively.

Game 0

\(\mathbf{(}{\mathsf {IND}{\text {-}}\mathsf {CCA}}{} \mathbf{).}\) This is the \(\mathsf {IND}{\text {-}}\mathsf {CCA}\) game against \(\mathsf {K} _1\), which is the KEM with explicit rejection and key confirmation.

Game 1

(Modify decapsulation with random function). In Game 1, the simulator instantiates a fresh random function R, and modifies the decapsulation oracle D to the oracle \(D'\) shown in Fig. 8.

Fig. 8.

Decapsulation oracles for Game 0 and Game 1.

We analyze the difference between D and \(D'\) as follows.

• If \(c=c^*\), then \(D'\) returns \(\bot \). If \(\mathrm {Encr} (\mathrm {pk},\cdot )\) is injective, then so does D.

• Otherwise, if \(\mathrm {Encr} (\mathrm {pk},m') = c \), then both D and \(D'\) return \(H_s(m')\) if \(H_t(m')=t\), and \(\bot \) otherwise.

• Otherwise, D returns \(\bot \), and so does \(D'\) unless t matches \(t'\). Since R is random and is only used for this purpose, this happens with probability at most \(q_\mathrm {dec}/2^{\tau }\).

The difference in \(\mathcal {A}\)’s view is bound by the probability that \(D'\) acts different than D. So overall \({{\left| {w_{1}-w_{0}}\right| } \le q_\mathrm {dec}/2^{\tau }+\epsilon }\).

Game 2

(Use PRF instead of R). In Game 2, the simulator replaces \(R(c)\) by \(\mathsf {F} (\mathrm {prfk},\cdot )\) with a random prf key \(\mathrm {prfk}\).

The difference in probability of any adversary \(\mathcal {A}\) between winning Game 1 and Game 2 is exactly the \(\mathsf {PRF}\)-advantage of an adversary \(\mathcal {B} \) that works exactly as in the analysis of Game 1 in the proof of Theorem 2. Hence it holds that

$$\begin{aligned} {{\left| {w_{2}-w_{1}}\right| } = \mathrm {Adv}^{\mathrm {\mathsf {PRF}}}_{\mathsf {F}}(\mathcal {B})} \end{aligned}$$

Game 3

(Redirect to \(U^{\not \bot }_m(\mathsf {P},\mathsf {F},H)\)). Game 3 is refactored so that it simulates the \(\mathsf {IND}{\text {-}}\mathsf {CCA}\) experiment for \(\mathsf {K} _2 = U^{\not \bot }_m(\mathsf {P},\mathsf {F},H)\) (which uses implicit rejection and no key confirmation) for the case \(b_2=0\) (correct key), as follows:

• Hash redirection. The oracles \(H_s\) resp. \(H_t \) used for \(C\) resp. \(U^\bot \) are redirected to the first \(\varsigma \) resp. last \(\tau \) bits of the hash function H of \(U^{\not \bot }_m(\mathsf {P},\mathsf {F},H)\).

• The simulator creates a challenge ciphertext \(c \) with shared secret k of length \(\varsigma +\tau \). It parses this as \((k_s,k_t)\), and gives \(\mathcal {A} \) a challenge ciphertext \((c,k_t)\). The challenge shared secret is \(k_s\) if \(b_1=0\), or random if \(b_1=1\).

• The decapsulation oracle \(D'\) from Game 2 is changed to use the \(U^{\not \bot }_m\) decapsulation oracle internally, as shown in Fig. 9. It is called \(D''\).

Fig. 9.

Decapsulation oracle for Game 3.

Note that \(b_2\) is fixed, but the adversary is still trying to determine the bit \(b_1\) of the IND-CCA game against \(\mathsf {K} _1\).

All the above steps do not change \(\mathcal {A}\)’s view compared to Game 2, so \({w_{3}=w_{2}}\).

Game 4

(Redirect to \(U^{\not \bot }_m(\mathsf {P},\mathsf {F},H)\) with random keys). Game 4 is the same as Game 3 except that it now simulates the \(b_2=1\) (random key) case of the \(\mathsf {IND}{\text {-}}\mathsf {CCA}\) experiment against \(\mathsf {K} _2\), i.e., it always sets . This means that for the challenge ciphertext, both \(k_s\) and \(k_t\) will be uniformly random.

Distinguishing Game 3 from Game 4 is exactly the \(\mathsf {IND}{\text {-}}\mathsf {CCA}\) experiment for \(\mathsf {K} _2\). Hence,

$$\begin{aligned} {{\left| {w_{4}-w_{3}}\right| } = \mathrm {Adv}^{\mathrm {\mathsf {IND}{\text {-}}\mathsf {CCA}}}_{\mathsf {K} _2}(\mathcal {A}).} \end{aligned}$$

In this game the shared secret k is always random, and thereby independent of \(b_1\). Hence, the adversary has no information about \(b_1\) and so \(w_{4}=\frac{1}{2}.\)

Summing up the differences in winning probability from all the games we get

$${\left| {w_0-\frac{1}{2}}\right| } \le \mathrm {Adv}^{\mathrm {\mathsf {IND}{\text {-}}\mathsf {CCA}}}_{\mathsf {K} _2}(\mathcal {A}) + \frac{q_\mathrm {dec}}{2^\tau } + \mathrm {Adv}^{\mathrm {\mathsf {PRF}}}_{\mathsf {F}}(\mathcal {B}) $$

and \(\mathrm {Adv}^{\mathrm {\mathsf {IND}{\text {-}}\mathsf {CCA}}}_{\mathsf {K} _1}(\mathcal {A}) \) is at most twice this value. This completes the proof.    \(\square \)