1 Introduction

There are two criteria for a practical encryption scheme: security and efficiency. Many generic transformations have been proposed to lift the security of public-key encryption schemes (PKEs) to indistinguishability under chosen ciphertext attacks (IND-CCA) [2, 8, 11, 23]. As for efficiency, Cramer and Shoup proposed the KEM-DEM hybrid construction, which combines an IND-CCA key encapsulation mechanism (KEM) with a one-time chosen-ciphertext-secure secret-key encryption scheme (SKE) to obtain an IND-CCA PKE [9].

Cryptographic schemes often have efficient constructions in the random oracle model (ROM) [2], in which schemes are proven secure assuming the existence of a publicly accessible random oracle. Many generic transforms are relative to random oracles. For instance, the Fujisaki-Okamoto (FO) transformation turns any PKE that is one-way under chosen plaintext attacks (OW-CPA) into an IND-CCA PKE in the ROM [11], and the REACT transformation turns any PKE that is one-way under plaintext checking attacks (OW-PCA) into an IND-CCA PKE in the ROM [23].

Typically, the random oracle is instantiated with a cryptographic hash function. Thus, in a real-world attack, a quantum attacker can evaluate the hash function in superposition. To capture this, Boneh et al. [4] proposed the quantum random oracle model (QROM), in which the quantum adversary can query the random oracle with superposition states. Further, classical schemes may be implemented on quantum computers, which potentially gives quantum attackers even more power. For this case, Boneh and Zhandry [5] introduced indistinguishability under quantum chosen ciphertext attacks (IND-qCCA) for encryption schemes, where the adversary can make quantum queries to the decryption oracle. Following this, Gagliardoni et al. [13] focused on SKE and proposed new notions of indistinguishability and semantic security in the quantum world, e.g. quantum semantic security under quantum chosen plaintext attacks (qSEM-qCPA). On the other hand, Xagawa and Yamakawa [27] presented IND-qCCA security for KEMs, where the adversary can query the decapsulation oracle in superposition.

Boneh et al. [4] summarized four proof techniques that are commonly used in the ROM but do not carry over straightforwardly to the quantum setting. One of them, “extractability”, means that the simulator, while simulating the random oracle for the adversary, learns the preimages the adversary is interested in.

Extractability is at the core of simulating the answers to decryption queries in the IND-CCA security proofs of both FO and REACT in the ROM. However, in the quantum setting the lack of this technique was an obstacle to their security proofs in the QROM. To circumvent it, Targhi and Unruh [26] and the follow-up work by Ambainis et al. [1] modified the FO transformation by appending an extra hash value to the ciphertext, then applied the One-way to Hiding (O2H) Theorem and its variant to prove the IND-CCA security of the modified FO in the QROM.

Hofheinz et al. [14] divided KEMs into two types: explicit rejection and implicit rejection. The explicit rejection (resp. implicit rejection) type returns the symbol \(\bot \) (resp. a pseudorandom value) if the ciphertext is invalid. For both types, they presented IND-CCA security proofs in the QROM for transformations with an additional hash. Later, transformations with implicit rejection were shown to be IND-CCA and even IND-qCCA secure in the QROM without the additional hash [3, 17, 19,20,21, 24, 27]. Nonetheless, for the explicit rejection type, IND-CCA security proofs in the QROM were only given for transformations either with an additional hash [18] or under non-standard security assumptions [19]. It seemed infeasible to give post-quantum security proofs of the unmodified transformations because extractability was unavailable.

In his seminal paper [29], Zhandry proposed the compressed oracle technique, with which the simulator can “record” quantum queries to the random oracle while simulating it efficiently. This makes the extractability technique available in the quantum setting and thus makes it possible to give security proofs of the unmodified FO and of transformations with explicit rejection in the QROM.

Indeed, in the full version of [29], Zhandry gave a proof that the unmodified FO turns any OW-CPA PKE into an IND-qCCA PKE in the QROM. However, as pointed out by Don et al. [10], in this proof the answers to decryption queries in Hybrids 2 to 4 are simulated by applying (purified) measurements on the internal state of the compressed oracle, yet these measurements are hard to pin down explicitly from their respective descriptions. To date, this is considered the gap that prevents an analysis of the disturbance caused by those measurements.

As for transformations with explicit rejection, Don et al. [10] presented the first IND-CCA security proof of \(\textsf {FO}_m^{\bot }\), a variant of the FO transformation, in the QROM, together with its concrete security bound. Building on their work, Hövelmanns et al. [15] improved the proof in [10], resulting in a tighter bound. However, as far as we know, there are only a few results on the IND-qCCA security of transformations with explicit rejection [27].

1.1 Our Results

In this paper, we improve the IND-qCCA security proof in [29] and avoid the gap pointed out in [10]. In particular, we simplify that proof with our tool and present a tighter proof. We also give the first IND-qCCA security proofs for the transformations REACT and \(\textsf {T}_{\textsf {CH}}\) in the QROM, where \(\textsf {T}_{\textsf {CH}}\) is a KEM variant of REACT with explicit rejection proposed in [16]. The concrete security bounds for these three transformations are shown in Table 1.

Table 1. Concrete security bounds for FO, REACT and \(\textsf {T}_{\textsf {CH}}\) in the QROM. The “Underlying security” column omits the one-time security of the underlying SKE for both FO and REACT. \(\epsilon ^{asy}\) is the advantage of the reduced adversary against the security of the underlying PKE, and \(\epsilon ^{sy}\) is the advantage against the security of the underlying SKE. d is the number of decryption or decapsulation queries, q is the total number of random oracle queries, \(\gamma \) comes from the \(\gamma \)-spreadness of the underlying PKE, and n is the length of the hash value that forms one part of the ciphertext of the resulting PKE or KEM.

Our main tool for proving these results is a unitary \(\text {U}_{\text {Ext}}\), called the plaintext extraction procedure, for a class of PKEs that we call oracle-masked schemes. Informally, an oracle-masked scheme is defined as follows.

Definition 1 (Oracle-Masked Scheme, Informal)

For a random oracle \(\mathcal {O}\) with codomain \(\mathcal {Y}\), we call \(\varPi =(\text {Gen},\text {Enc}^{\mathcal {O}},\text {Dec}^{\mathcal {O}})\) an oracle-masked scheme if \(\text {Enc}^{\mathcal {O}}\) and \(\text {Dec}^{\mathcal {O}}\) are constructed as in Fig. 1. The parameter \(\eta \) of \(\varPi \) is defined to be

$$\begin{aligned} \eta :=\max _{(pk,sk),\,c}{\bigl \vert \{y\in \mathcal {Y}: c=\text {A}_2\left( pk,\text {A}_3(sk,c),y\right) \}\bigr \vert }/|\mathcal {Y}|\,, \end{aligned}$$

where \((pk, sk)\) is generated by \(\text {Gen}\) and \(c\in \mathcal {C}\) is such that \(\text {A}_3(sk,c)\ne \bot \).

Fig. 1. [figure not reproduced] Algorithms \(\text {Enc}^{\mathcal {O}}\) and \(\text {Dec}^{\mathcal {O}}\) of an oracle-masked scheme \(\varPi \); the tuple of algorithms \((\mathrm {A_1},\mathrm {A_2},\mathrm {A_3},\mathrm {A_4})\) is called the decomposition of \(\varPi \).

By the above definition, the class of oracle-masked schemes contains the PKEs obtained by several transformations, including the FO transformation, the REACT transformation and \(\textsf{T}\) from the modular FO toolkit [14]. We then present the plaintext extraction procedure \(\text {U}_{\text {Ext}}\) for an oracle-masked scheme \(\varPi \) as follows.

Definition 2 (Plaintext Extraction Procedure, informal)

Suppose that \(\mathcal {O}\) is simulated by the compressed standard oracle \(\textsf{CStO}\) with database register D. Then the plaintext extraction procedure \(\text {U}_{\text {Ext}}\) of the oracle-masked scheme \(\varPi \), applied on registers C, Z, D, is \(\text {U}_{\text {Ext}}|c,z,D\rangle =|c,z\oplus f(c,D),D\rangle \), where

$$\begin{aligned} f(c,D):=\left\{ \begin{array}{ll} \text {A}_4(x) &{} \text {if}\, c\ne c^*\, \text {and}\, \exists \,x\,\text {s.t.}\,\text {A}_2(pk,x,D(x))=c,\,\text {A}_3(sk,c)=x\\ \bot &{} \text {otherwise}.\\ \end{array} \right. \end{aligned}$$

The plaintext extraction procedure \(\text {U}_{\text {Ext}}\) applies the extractability technique to simulate the quantum-accessible decryption oracle in the IND-qCCA security proof of \(\varPi \). When the random oracle \(\mathcal {O}\) is simulated by \(\textsf{CStO}\), the random oracle queries are recorded on the database register D. Note that the queries are not recorded perfectly, but the simulator can still learn some information from the state on D by quantum measurements or by computing functions defined on the database [7, 10]. Following this fact, \(\text {U}_{\text {Ext}}\) extracts the plaintext \(m(:=\text {A}_4(x))\) for a ciphertext c by computing the classical function f(c, D) defined above. Moreover, \(\text {U}_{\text {Ext}}\) can be performed efficiently if f can be computed efficiently.

With the notions defined above, we then prove the IND-qCCA security of the transformations FO, REACT and \(\textsf {T}_{\textsf {CH}}\). Our proofs can be outlined in the following three steps.

First, we represent the schemes obtained by these transformations as oracle-masked schemes relative to \(\mathcal {O}\) and specify their decompositions \((\text {A}_1,\text {A}_2,\text {A}_3,\text {A}_4)\). In the IND-qCCA security games of these schemes, the random oracle \(\mathcal {O}\) is simulated by \(\textsf{CStO}\) and, accordingly, the quantum decryption oracle \(\text {Dec}^{\mathcal {O}}\) is simulated by a unitary \(\text {U}_{\text {Sim}}\).

Next, we replace the unitary \(\text {U}_{\text {Sim}}\) with the plaintext extraction procedure \(\text {U}_{\text {Ext}}\). We also present a detailed construction of \(\text {U}_{\text {Ext}}\) that does not use the secret key.

Finally, we apply the semi-classical O2H theorem to reprogram the compressed oracle at some points, which results in a new game. We then connect this game to the security game of the underlying schemes.

Here we analyze the security loss introduced by the second and third steps.

For the second step, we need to bound the security loss caused by replacing the simulation of the decryption oracle \(\text {Dec}^{\mathcal {O}}\). Since \(\textsf{CStO}\) perfectly simulates the random oracle, \(\text {U}_{\text {Sim}}\) and \(\text {Dec}^{\mathcal {O}}\) are perfectly indistinguishable for any adversary. We then analyze the loss introduced by performing the unitary \(\text {U}_{\text {Ext}}\) instead. For one type of state \(|\psi \rangle \), we compute the difference between \(\text {U}_{\text {Ext}}|\psi \rangle \) and \(\text {U}_{\text {Sim}}|\psi \rangle \) and obtain the following lemma.

Lemma 1 (Informal)

Let \(|\psi \rangle \) be a quantum state on register C, Z, D that is orthogonal to \(\sum _{c,z,D,x}\alpha _{c,z,D,x}|c,z,D\cup (x,\beta _0)\rangle \). Then \(\Vert (\text {U}_{\text {Sim}}-\text {U}_{\text {Ext}})|\psi \rangle \Vert \le 5\sqrt{\eta }\).

As argued in [10], refining the proof in [29] requires at least two things: rigorously specifying the quantum measurements in Hybrids 3 and 4, respectively, and analyzing the disturbance of the state of \(\textsf{CStO}\) caused by those quantum measurements.

Our proofs meet the first requirement by providing the plaintext extraction procedure \(\text {U}_{\text {Ext}}\) of oracle-masked schemes. Indeed, \(\text {U}_{\text {Ext}}\) and the scan operation in Hybrid 4 act similarly: both learn information from the database. But our \(\text {U}_{\text {Ext}}\) is given in a more specific form and can also be viewed as a formalization of the scan operation. As for the second requirement, we apply Lemma 1 to bound the disturbance caused by performing \(\text {U}_{\text {Ext}}\). If the adversary makes at most q decryption queries, then by a hybrid argument the loss caused by \(\text {U}_{\text {Ext}}\) is upper bounded by \(5q\sqrt{\eta }\).

For the third step, we stress that we cannot reprogram \(\textsf{CStO}\) simply by applying the semi-classical O2H theorem. To see why, suppose that we puncture \(\textsf{CStO}\) on a point x via the semi-classical oracle \(\mathcal {O}_{\{x\}}^{SC}\), which forbids the adversary from querying \(\textsf{CStO}\) on x as long as the event Find does not occur. However, performing \(\text {U}_{\text {Ext}}\) disturbs the database state on register D, and thereby the simulation of the random oracle \(\mathcal {O}\). Thus it cannot be concluded that \(\textsf{CStO}\) on x is uniformly random even if the adversary never queries \(\textsf{CStO}\) on the point x (i.e., Find does not occur).

To fix this, before reprogramming the compressed oracle on x, we change \(\text {U}_{\text {Ext}}\) into \(\textsf {StdDecomp}_x\circ \text {U}_{\text {Ext}}\circ \textsf {StdDecomp}_x\), where \(\textsf {StdDecomp}_x\), the local decompression procedure defined in [29], is an involution on the database register D. Then by the definition of \(\text {U}_{\text {Ext}}\), \(\textsf {StdDecomp}_x\circ \text {U}_{\text {Ext}}\circ \textsf {StdDecomp}_x\) does not disturb any database state of the form \(|D\cup \textsf {StdDecomp}_x(x,y)\rangle \), in contrast to the disturbance caused by \(\text {U}_{\text {Ext}}\). We then apply the following lemma to bound the difference between \(\text {U}_{\text {Ext}}\) and \(\textsf {StdDecomp}_x\circ \text {U}_{\text {Ext}}\circ \textsf {StdDecomp}_x\).

Lemma 2 (Informal)

For any x and state \(|\psi \rangle \) on register C, Z, D,

$$\begin{aligned} \bigl \Vert (\text {U}_{\text {Ext}}\circ \textsf{StdDecomp}_{x}-\textsf{StdDecomp}_{x}\circ \text {U}_{\text {Ext}})|\psi \rangle \bigr \Vert \le 7\sqrt{\eta }\,. \end{aligned}$$

Overall, we propose the notion of oracle-masked schemes and define the plaintext extraction procedure \(\text {U}_{\text {Ext}}\) for these schemes. They can be used to avoid the gap in the FO proof in [29], and our proof outline can also be applied to IND-qCCA security proofs of other transformations in the QROM.

1.2 Related Work

Abstract frameworks have been proposed to simplify the application of the compressed oracle technique in different situations [6, 7, 10]. They formalize properties that hold in the ROM and lift them to the quantum setting.

The proofs in [29] already implicitly used compressed oracles for a form of extractability. Don et al. [10] then considered extractability in a general form. Specifically, they define a simulator \(\mathcal {S}\) that simulates the random oracle and additionally allows extraction queries, which are answered with a guess of the plaintext of the query. They then prove that this simulation of the random oracle is statistically indistinguishable from the real one if certain properties are satisfied. In their security proof, the extraction queries are restricted to be classical. Therefore, their result seems tailored to post-quantum security proofs and is not sufficient to prove IND-qCCA security.

Based on [10], Hövelmanns et al. [15] proposed a variant of the semi-classical O2H theorem as the core tool for proving the post-quantum security of \(\textsf{FO}^{\bot }_{m}\). Roughly speaking, this theorem states that the probabilities of the classical events EXT and FIND bound the loss caused by reprogramming the oracle simulated by \(\mathcal {S}\). Different from their work, our argument allows the adversary to make quantum extraction queries, so the event EXT is no longer well defined.

2 Preliminaries

2.1 Notation

Denote by \(\mathcal {M}\), \(\mathcal {C}\) and \(\mathcal {R}\) the message space, ciphertext space and randomness space, respectively. A function \(f(\lambda )\) is negligible if \(f(\lambda )=\lambda ^{-\omega (1)}\). Algorithms take as input a security parameter \(\lambda \), which we omit for convenience. \(\text {Time}(A)\) denotes the running time of algorithm A.

For a finite set \(\mathcal {X}\), \(|\mathcal {X}|\) denotes the number of elements of \(\mathcal {X}\), and \(x\xleftarrow {\$} \mathcal {X}\) denotes choosing an element x uniformly at random from \(\mathcal {X}\). \([b=b^\prime ]\) is the integer that equals 1 if \(b=b^\prime \) and 0 otherwise. \(\Pr [P:Q]\) is the probability that predicate P holds when all the variables in P are assigned according to the program Q.

2.2 Quantum Random Oracle Model

We refer to [22] for basics of quantum computation and quantum information.

In the ROM, we assume the existence of a random oracle \(\mathcal {O}:\mathcal {X} \rightarrow \mathcal {Y}\) that is publicly accessible to all parties. For concreteness, let \(\mathcal {Y}=\{0,1\}^n\). \(\mathcal {O}\) is initialized by choosing \(H\xleftarrow {\$} \varOmega _H\), where \(\varOmega _H\) is the set of all functions from \(\mathcal {X}\) to \(\mathcal {Y}\). In the QROM, quantum algorithms can query \(\mathcal {O}\) with superposition states, and the oracle applies the unitary mapping \(|x,y\rangle \mapsto |x,y\oplus H(x)\rangle \) to the query state. Oracle \(\mathcal {O}\) also allows classical queries: to query x, set the input and output registers to \(|x,0\rangle \), query \(\mathcal {O}\), and measure the output register to obtain H(x).

Below, we introduce several tools for the QROM that are used in this paper. We begin with two ways to simulate the quantum random oracle.

Theorem 1

([28, Theorem 6.1]). Let H be a function chosen uniformly at random from a set of 2q-wise independent functions. Then for any quantum algorithm A making at most q queries,

$$\Pr [b=1:b\leftarrow A^{H}()]=\Pr [b=1:b\leftarrow A^{\mathcal {O}}()]\,.$$

The Compressed Oracle. Here we briefly introduce the compressed oracle technique; we only consider the Compressed Standard Oracle (\(\textsf {CStO}\)), one variant of the compressed oracle, with at most q queries. We refer to the full version of [29] for more details of the compressed oracle.

The core idea of the compressed oracle technique is the purification of the quantum random oracle; the purified oracle records quantum queries to the random oracle, albeit imperfectly. In the QROM, the random oracle \(\mathcal {O}\) is initialized by uniformly sampling a function H from \( \varOmega _H\). If \(\mathcal {O}\) is queried with a quantum state \(\vert x,y\rangle \), the returned state is a mixed state that can be represented as \(\{p_i,|x,y\oplus H_i(x)\rangle \}\), where \(p_i=1/|\varOmega _H|\), \(i=1,\ldots ,|\varOmega _H|\). This mixed state can be purified to the state \(1/\sqrt{\vert \varOmega _H\vert }\sum _H|x,y\oplus H(x),H\rangle \), where \(|H\rangle \) is the internal state of oracle \(\mathcal {O}\) and the H of \(|H\rangle \) is the truth table of the function H.

Instead of a superposition over H, \(\textsf {CStO}\) keeps a superposition of databases as its internal state and simulates the random oracle \(\mathcal {O}\). We denote this simulated oracle by \(\textsf {CStO}\) directly, and a database by D. Here D is an element of the set \(\textbf{D}_l:=(\mathcal {X}\times \bar{\mathcal {Y}})^l\), where \(\bar{\mathcal {Y}}=\mathcal {Y}\cup \{\bot \}\) and l is the length of D. For any \(x\in \mathcal {X}\), if \((x, y)\) is an entry of D, then \((x,y)\in D\) and \(D(x)=y\); otherwise, \(D(x)=\bot \). Denote by |D| the total number of \(x\in \mathcal {X}\) such that \(D(x)\ne \bot \). Then for any \(y\in \mathcal {Y}\) and any D with \(D(x)=\bot \) and \(|D|<l\), define \(D\cup (x,y)\) to be the database with \(D\cup (x,y)(x')=D(x')\) for any \(x'\ne x\) and \(D\cup (x,y)(x)=y\). Moreover, any D is written in the form \(((x_1,y_1),\ldots ,(x_s,y_s),(0,\bot ),\ldots ,(0,\bot ))\) with \(|D|=s\le l\) and \(x_1<x_2<\cdots <x_s\).

For any \(x\in \mathcal {X}\), define the local decompression procedure \(\textsf {StdDecomp}_x\) applied on the database state \(|D\rangle \in \mathbb {C}[\textbf{D}_l]\) as follows:

  • For D with \(D(x)=\bot \) and \(|D|=l\), \(\textsf {StdDecomp}_x|D\rangle =|D\rangle \).

  • For D with \(D(x)=\bot \) and \(|D|<l\), \(\textsf {StdDecomp}_x|D\cup (x,\beta _r)\rangle =|D\cup (x,\beta _r)\rangle \) for any \(r\ne 0\), \(\textsf {StdDecomp}_x|D\cup (x,\beta _{0})\rangle =|D\rangle \), and \(\textsf {StdDecomp}_x|D\rangle =|D\cup (x,\beta _{0})\rangle \),

    where the state \(|D\cup (x,\beta _r)\rangle =1/\sqrt{2^n}\sum _{y\in \mathcal {Y}}(-1)^{y\cdot r}|D\cup (x,y)\rangle \) for any \(r\in \mathcal {Y}\).

\(\textsf {CStO}\) initializes a database state \(|(0,\bot )^q\rangle \) of length q. For any query \(|x,y\rangle \) to the random oracle \(\mathcal {O}\), \(\textsf {CStO}\) performs three steps: First, apply the unitary \(|x,y,D\rangle \mapsto |x,y\rangle \textsf {StdDecomp}_x|D\rangle \) in superposition. Next, apply the map \(|x,y,D\rangle \mapsto |x,y\oplus D(x),D\rangle \). Finally, repeat the first step.

Theorem 2

([29, Lemma 4]). \(\textsf {CStO} \) and random oracle \(\mathcal {O}\) are indistinguishable for any quantum algorithm A, i.e.,

$$\Pr [b=1:b\leftarrow A^{\textsf {CStO} }()]=\Pr [b=1:b\leftarrow A^{\mathcal {O}}()]\,.$$

It is also observed that, in the simulation by \(\textsf {CStO}\), the state on the database register is always orthogonal to every state of the form \(|D\cup (x,\beta _{0})\rangle \). Therefore, the database state is a superposition of states \(|D\rangle \) and \(|D\cup (x,\beta _{r})\rangle \) with \(r\ne 0\). This fact will be used later.
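To see concretely what “imperfect recording” and the orthogonality to \(|D\cup (x,\beta _0)\rangle \) mean, here is a worked computation, added here and not part of the original text, of a single \(\textsf {CStO}\) query on a computational-basis input \(|x,y\rangle \) with an initially empty database; write \(|\varnothing \rangle \) for \(|(0,\bot )^q\rangle \). Only the definitions above are used.

$$\begin{aligned} |x,y\rangle |\varnothing \rangle \;&\xrightarrow{\ \textsf {StdDecomp}_x\ }\; |x,y\rangle |(x,\beta _0)\rangle =\frac{1}{\sqrt{2^n}}\sum _{u\in \mathcal {Y}}|x,y\rangle |(x,u)\rangle \\ &\xrightarrow{\ y\oplus D(x)\ }\; \frac{1}{\sqrt{2^n}}\sum _{u\in \mathcal {Y}}|x,y\oplus u\rangle |(x,u)\rangle \\ &\xrightarrow{\ \textsf {StdDecomp}_x\ }\; \frac{1}{2^n}\sum _{u\in \mathcal {Y}}|x,y\oplus u\rangle \Bigl (|\varnothing \rangle +\sum _{r\ne 0}(-1)^{u\cdot r}|(x,\beta _r)\rangle \Bigr ), \end{aligned}$$

where the last step uses the inverse of the definition of \(|(x,\beta _r)\rangle \), namely \(|(x,u)\rangle =2^{-n/2}\sum _{r\in \mathcal {Y}}(-1)^{u\cdot r}|(x,\beta _r)\rangle \), together with \(\textsf {StdDecomp}_x|(x,\beta _0)\rangle =|\varnothing \rangle \) and \(\textsf {StdDecomp}_x|(x,\beta _r)\rangle =|(x,\beta _r)\rangle \) for \(r\ne 0\). Two things can be read off. First, the component whose database is still empty, \(2^{-n}\sum _u|x,y\oplus u\rangle |\varnothing \rangle \), has squared norm \(2^{-n}\): with that probability the query leaves no trace in D, which is the sense in which recording is imperfect; every other component carries an entry \((x,\beta _r)\) with \(r\ne 0\), and no component carries \((x,\beta _0)\). Second, writing \(|d_u\rangle :=|\varnothing \rangle +\sum _{r\ne 0}(-1)^{u\cdot r}|(x,\beta _r)\rangle \), one has \(\langle d_{u'}|d_u\rangle =\sum _{r\in \mathcal {Y}}(-1)^{(u\oplus u')\cdot r}=2^n[u=u']\), so tracing out D leaves the query registers in the state \(2^{-n}\sum _{u}|x,y\oplus u\rangle \langle x,y\oplus u|\), i.e. a uniformly random answer, exactly what the random oracle \(\mathcal {O}\) returns (Theorem 2 in this special case).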

Semi-classical Oracle. For sets \(\mathcal {X}\) and \(\mathcal {S}\subseteq \mathcal {X}\), define \(f_{\mathcal {S}}:{\mathcal {X}}\rightarrow \{0,1\}\) to be the indicator function with \(f_{\mathcal {S}}(x)=1\) if \(x\in \mathcal {S}\) and 0 otherwise. Then we define the semi-classical oracle \(\mathcal {O}_{\mathcal {S}}^{SC}:\mathcal {X}\rightarrow \{0,1\}\). For any quantum query, \(\mathcal {O}_{\mathcal {S}}^{SC}\) does the following. First, initialize a qubit T to \(|0\rangle \). Then evaluate the mapping \(|x,0\rangle \mapsto |x,f_{\mathcal {S}}(x)\rangle \) in superposition. Finally, measure T in the computational basis and output the resulting bit \(b\in \{0,1\}\).

Theorem 3

(Semi-classical O2H [1, Theorem 1]). Let \(\mathcal {S}\) be a random subset of \(\mathcal {X}\), \(H: \mathcal {X} \rightarrow \mathcal {Y}\) a random function, and z a random bitstring; H, \(\mathcal {S}\) and z may have an arbitrary joint distribution. Let \({H\setminus \mathcal {S}}\) be the oracle that first queries \(\mathcal {O}_{\mathcal {S}}^{SC}\) and then queries H. Let A be a quantum oracle algorithm with query depth d. In the execution of \(A^{H\setminus \mathcal {S}}(z)\), let Find be the event that \(\mathcal {O}_{\mathcal {S}}^{SC}\) ever outputs 1. Then

$$\begin{aligned} \left| \Pr [b=1: b \leftarrow A^{H}(z)]-\Pr [b=1: b \leftarrow A^{H\setminus \mathcal {S}}(z)]\right| \le \sqrt{(d+1)\cdot \Pr [\text { Find }] }\,. \end{aligned}$$

The following theorem gives an upper bound for the probability that Find occurs.

Theorem 4

([1, Theorem 2]). Let \(\mathcal {S}\subseteq \mathcal {X}\) and \(z\in \{0,1\}^*\); \(\mathcal {S}\) and z may have an arbitrary joint distribution. Let A be a quantum oracle algorithm making at most d queries to \(\mathcal {O}_{\mathcal {S}}^{SC}\) with domain \(\mathcal {X}\). Let B be the algorithm that on input z chooses \( i {\mathop {\leftarrow }\limits ^{\$}}\{1, \ldots , d\} \), runs \( A^{\mathcal {O}_{\varnothing }^{SC}}(z) \) until (just before) the i-th query, and then measures all query input registers in the computational basis. Denote by \(\mathcal {T}\) the set of measurement outcomes. Then

$$\begin{aligned} \Pr \left[ \text {Find }: A^{\mathcal {O}_{\mathcal {S}}^{S C}}(z)\right] \le 4 d \cdot \Pr [\mathcal {S} \cap \mathcal {T} \ne \varnothing : \mathcal {T} \leftarrow B(z)]\,. \end{aligned}$$

3 Plaintext Extraction of the Oracle-Masked Scheme

In this section, we start with the formalization of the class of PKEs \(\varPi \) named oracle-masked schemes. Then we introduce the plaintext extraction game \(\text {Game}_{A,{\varPi }}^{\text {Ext}}\) for an adversary A, and end the section with a theorem that bounds the difference between the output distributions of and \(\text {Game}_{A,\varPi }^{\text {Ext}}\). The definition of the IND-qCCA security game is given in Appendix B.2.

Definition 3 (Oracle-Masked Scheme)

Let \(\varPi =(\text {Gen},\text {Enc}^{\mathcal {O}},\text {Dec}^{\mathcal {O}})\) be a PKE relative to a random oracle \(\mathcal {O}\) with codomain \(\mathcal {Y}\). We say that \(\varPi \) is an oracle-masked scheme if there exist deterministic polynomial-time algorithms \(\text {A}_1\), \(\text {A}_2\), \(\text {A}_3\), \(\text {A}_4\) such that for any \((pk, sk)\) generated by \(\text {Gen}\), \(\text {Enc}^{\mathcal {O}}\) and \(\text {Dec}^{\mathcal {O}}\) can be written as in Fig. 2. The tuple \((\text {A}_1,\text {A}_2,\text {A}_3,\text {A}_4)\) is called the decomposition of \(\varPi \).

Fig. 2. [figure not reproduced] Algorithms \(\text {Enc}^{\mathcal {O}}\) and \(\text {Dec}^{\mathcal {O}}\) of an oracle-masked scheme \(\varPi \).

For an oracle-masked scheme \(\varPi \), the parameter \(\eta \) of \(\varPi \) is defined to be

$$\begin{aligned} \eta :=\max _{(pk,sk),\,c}{\bigl \vert \{y\in \mathcal {Y}: c=\text {A}_2\left( pk,\text {A}_3(sk,c),y\right) \}\bigr \vert }/|\mathcal {Y}|\,, \end{aligned}$$

where \((pk, sk)\) is generated by \(\text {Gen}\) and \(c\in \mathcal {C}\) is such that \(\text {A}_3(sk,c)\ne \bot \).

Let \(\varPi \) be an oracle-masked scheme. A quantum adversary A in the security game in the QROM can query both the random oracle \(\mathcal {O}\) and the decryption oracle \(\text {Dec}^{\mathcal {O}}\) in superposition. Write C and Z for the input and output registers of A's decryption queries, respectively. The decryption oracle \(\text {Dec}^{\mathcal {O}}\) in can be simulated by a unitary operator \(\text {U}_{\text {Dec}}\) on registers C and Z, i.e., for any computational basis state \(|c,z\rangle \), \(\text {U}_{\text {Dec}}\) acts as follows:

$$\begin{aligned} \begin{aligned} \text {U}_{\text {Dec}}|c,z\rangle = {\left\{ \begin{array}{ll} |c,z\oplus \bot \rangle &{} \text {if }c^*\text { is defined and }c=c^*\\ |c,z\oplus \text {Dec}^{\mathcal {O}}(c)\rangle &{} \text {else.} \end{array}\right. } \end{aligned} \end{aligned}$$

where \(c^*\) is the challenge ciphertext in .

We then introduce a new game \(\text {Game}_{A,{\varPi }}^{\text {Sim}}\) that is identical to except that the random oracle \(\mathcal {O}\) is simulated by \(\textsf {CStO}\). In this game, quantum queries to the oracle \(\mathcal {O}\) are recorded (imperfectly) in the database register D. The decryption oracle answers queries by the same procedure as in Fig. 2, and it can be simulated by a unitary operator on registers C, Z, D, which we denote by \(\text {U}_{\text {Sim}}\). By Theorem 2, the two simulations \(\text {U}_{\text {Dec}}\) and \(\text {U}_{\text {Sim}}\) of the decryption oracle are perfectly indistinguishable for any quantum adversary.

Notice that in the decryption algorithm \(\text {Dec}^{\mathcal {O}}\), \(\text {A}_3\) is computed first to obtain x, and then \(\text {A}_2\) is applied to check whether \(c=\text {A}_2(pk,x,\mathcal {O}(x))\). Hence, if the decryption oracle is simulated by \(\text {U}_{\text {Sim}}\), the query x to the oracle \(\mathcal {O}\) is recorded (imperfectly) in the database D. Using this property, we design a new unitary to answer decryption queries, defined as follows.

Definition 4 (Plaintext Extraction Procedure)

Let \(\varPi \) be an oracle-masked scheme and \((\text {A}_1,\text {A}_2,\text {A}_3,\text {A}_4)\) its decomposition. For any \((pk, sk)\) of \(\varPi \), define the unitary operation \(\text {U}_{\text {Ext}}\), called the plaintext extraction procedure of \(\varPi \), on registers C, Z, D as follows.

\(\underline{\text {U}_{\text {Ext}}|c,z,D\rangle }:\)

  1. If the challenge ciphertext \(c^*\) is defined and \(c=c^*\), return \(|c,z\oplus \bot ,D\rangle \).

  2. Else if the database D contains no pair \((x, D(x))\) such that \(\text {A}_2(pk,x,D(x))=c\), return \(|c,z\oplus \bot ,D\rangle \).

  3. Else, for each tuple \((x, D(x))\) with \(\text {A}_2(pk,x,D(x))=c\), check whether \(\text {A}_3(sk,c)=x\) and proceed as follows:

    (a) If a tuple \((x, D(x))\) passes this test (at most one can, since \(\text {A}_3(sk,c)\) is a single value and D holds at most one entry per x), compute \(m:=\text {A}_4(x)\) and return \(|c,z\oplus m,D\rangle \).

    (b) Otherwise, return \(|c,z\oplus \bot ,D\rangle \).

In addition, the detailed construction of \(\text {U}_{\text {Ext}}\) is shown in Appendix A.

Compared with \(\text {U}_{\text {Sim}}\), \(\text {U}_{\text {Ext}}\) does not run the decryption algorithm to produce the plaintext \(m(:=\text {Dec}^{\mathcal {O}}(sk,c))\), but merely searches for \((x, D(x))\) in D to obtain m. This is why we call \(\text {U}_{\text {Ext}}\) the plaintext extraction procedure.

By the definition of \(\text {U}_{\text {Ext}}\), for any computational basis state \(|c,z,D\rangle \), \(\text {U}_{\text {Ext}}\) leaves \(|D\rangle \) unchanged and does not need to query the oracle \(\mathcal {O}\). Such a plaintext extraction procedure \(\text {U}_{\text {Ext}}\) exists for every oracle-masked scheme, and it can be used to answer quantum decryption queries. We now state two properties of \(\text {U}_{\text {Ext}}\) in the following two lemmas. Registers other than C, Z and D (e.g. the remaining registers of adversary A) are abbreviated as W; the detailed proofs of these lemmas are given in the full version [25].
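As an added illustration (not code from the paper), the following Python script plays out the classical analogue of Definition 4: a lazily sampled random oracle whose table stands in for the database register D, the deterministic \(\textsf{T}\) transform \(\text {Enc}(pk,m)=\text {Enc}_0(pk,m;\mathcal {O}(m))\) over a toy ElGamal PKE in the group generated by 3 modulo 65537 (chosen so that \(|\mathcal {Y}|=2^{16}\) equals the group order), an `extract` routine that answers decryption queries from D alone without ever querying \(\mathcal {O}\), and a key-free variant in the spirit of the construction announced in Sect. 1.1. It also counts, for a valid ciphertext, how many \(y\in \mathcal {Y}\) satisfy \(c=\text {A}_2(pk,\text {A}_3(sk,c),y)\), the numerator of \(\eta \) for that c. The toy parameters, the decomposition \((\text {A}_1,\ldots ,\text {A}_4)\) assigned to \(\textsf{T}\), and all function names are assumptions of this example.

```python
"""Classical analogue of the plaintext extraction procedure (Definition 4).

Added example, not code from the paper.  Scheme: the deterministic T transform
Enc(pk, m) = Enc0(pk, m; O(m)) over toy ElGamal in <3> mod 65537.  All
parameter choices and names below are assumptions of this example only.
"""
import secrets

P = 65537           # Fermat prime; 3 is a primitive root, so ord(3) = 2**16
G = 3
N = 16              # hash output length n, i.e. Y = {0,1}^16
Y_SIZE = 1 << N
BOT = None          # the rejection symbol

def keygen():
    sk = 1 + secrets.randbelow(P - 2)        # sk in [1, P-2]
    return pow(G, sk, P), sk                 # (pk, sk)

# ---- underlying toy PKE: the randomness y in Y is the ElGamal exponent ----
def enc0(pk, x, y):
    return (pow(G, y, P), x * pow(pk, y, P) % P)

def dec0(sk, c):
    c1, c2 = c
    if not (1 <= c1 < P and 1 <= c2 < P):
        return BOT
    return c2 * pow(pow(c1, sk, P), -1, P) % P

# ---- decomposition (A1, A2, A3, A4) of T, as assumed for this example ----
def A1(pk, m):    return m                   # x := m
def A2(pk, x, y): return enc0(pk, x, y)      # c := Enc0(pk, x; y)
def A3(sk, c):    return dec0(sk, c)         # x := Dec0(sk, c), or bot
def A4(x):        return x                   # m := x

class LazyRO:
    """Lazily sampled random oracle; the dict `D` is the classical stand-in
    for the compressed oracle's database register."""
    def __init__(self):
        self.D = {}
    def __call__(self, x):
        if x not in self.D:
            self.D[x] = secrets.randbelow(Y_SIZE)
        return self.D[x]

def enc(pk, m, O):
    x = A1(pk, m)
    return A2(pk, x, O(x))

def dec(sk, pk, c, O):
    """Real Dec^O: recompute the check c == A2(pk, x, O(x)).  The check itself
    queries O on x, which is what records x in D."""
    x = A3(sk, c)
    if x is BOT or A2(pk, x, O(x)) != c:
        return BOT
    return A4(x)

def extract(sk, pk, c, D, c_star=None):
    """f(c, D) of Definition 4: decrypt from the database alone, never
    touching O.  At most one entry can pass, since A3(sk, c) is a single
    value and D holds one entry per x."""
    if c_star is not None and c == c_star:
        return BOT
    for x, y in D.items():
        if A2(pk, x, y) == c and A3(sk, c) == x:
            return A4(x)
    return BOT

def extract_no_sk(pk, c, D, c_star=None):
    """Key-free variant: c1 = G**y fixes y (ord(G) = |Y|) and Enc0(pk, ., y)
    is injective, so the database alone identifies the unique preimage."""
    if c_star is not None and c == c_star:
        return BOT
    hits = [x for x, y in D.items() if A2(pk, x, y) == c]
    return A4(hits[0]) if len(hits) == 1 else BOT

def matching_randomness(sk, pk, c):
    """|{y in Y : c == A2(pk, A3(sk, c), y)}|, the numerator of eta for this c.
    Because y -> G**y is a bijection on Y, the count is 1 for every valid c."""
    x = A3(sk, c)
    return sum(1 for y in range(Y_SIZE) if A2(pk, x, y) == c)

def run_demo(m=31337, y_forged=12345):
    """Returns (honest results, extract on a forgery, real dec on the forgery,
    whether the fresh sample O(m) happened to equal y_forged, eta numerator)."""
    pk, sk = keygen()
    O = LazyRO()
    c = enc(pk, m, O)
    honest = (dec(sk, pk, c, O), extract(sk, pk, c, O.D), extract_no_sk(pk, c, O.D))
    # Forgery: the adversary encrypts m under randomness it chose itself, so
    # x = m is absent from D when extraction runs; real decryption accepts
    # only if the fresh sample O(m) equals y_forged (probability 2**-N = eta).
    O2 = LazyRO()
    c_forged = enc0(pk, m, y_forged)
    ext = extract(sk, pk, c_forged, O2.D)
    real = dec(sk, pk, c_forged, O2)
    return honest, ext, real, O2.D[m] == y_forged, matching_randomness(sk, pk, c)

if __name__ == "__main__":
    print(run_demo())
```

On an honestly generated ciphertext, `dec`, `extract` and `extract_no_sk` all return the message, because the encryptor's query to \(\mathcal {O}\) left \((m,\mathcal {O}(m))\) in the table. On a ciphertext forged with self-chosen randomness, `extract` returns \(\bot \) deterministically (nothing about m is in D), while the real decryption accepts only with probability \(2^{-n}=\eta \) and, as a side effect, writes m into D; this is the classical shadow of the disturbance that Lemma 3 bounds.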

Lemma 3

Let \(|\psi \rangle \) be a quantum state on registers W, C, Z and D such that \(|\psi \rangle \) is orthogonal to every state of the form \(\sum _{w,c,z,D,x}\alpha _{w,c,z,D,x}|w,c,z,D\cup (x,\beta _0)\rangle \). Then

$$\begin{aligned} \Vert (\text {U}_{\text {Sim}}-\text {U}_{\text {Ext}})|\psi \rangle \Vert \le 5\sqrt{\eta }\,. \end{aligned}$$

Lemma 4

Given any \(x\in \{0,1\}^*\), the unitary \(\textsf{StdDecomp}_{x}\) acts on register D. For any quantum state \(|\psi \rangle \) on registers W, C, Z and D,

$$\begin{aligned} \bigl \Vert (\text {U}_{\text {Ext}}\circ \textsf{StdDecomp}_{x}-\textsf{StdDecomp}_{x}\circ \text {U}_{\text {Ext}})|\psi \rangle \bigr \Vert \le 7\sqrt{\eta }\,. \end{aligned}$$

Here we define a new game \(\text {Game}_{A,{\varPi }}^{\text {Ext}}\), named the plaintext extraction game, that differs from \(\text {Game}_{A,{\varPi }}^{\text {Sim}}\) only in the way decryption queries are answered: in \(\text {Game}_{A,{\varPi }}^{\text {Ext}}\) the decryption oracle is simulated by the unitary \(\text {U}_{\text {Ext}}\), while in \(\text {Game}_{A,{\varPi }}^{\text {Sim}}\) it is simulated by \(\text {U}_{\text {Sim}}\). With Lemma 3, we obtain the following Theorem 5, which bounds the output difference between and \(\text {Game}_{A,\varPi }^{\text {Ext}}\).

Theorem 5

Let \(\varPi \) be an oracle-masked scheme. For any quantum adversary A against the security of \(\varPi \) in the QROM, if A makes at most q decryption queries, then

figure i

Proof

Given \(\varPi \) and A, recall that \(\text {Game}_{A,\varPi }^{\text {Sim}}\) is identical with except that the random oracle is simulated by \(\textsf {CStO}\). By Theorem 2,

figure k

In the following, we prove that

$$\begin{aligned} \bigl \vert \Pr [\text {Game}_{A,{\varPi }}^{\text {Sim}}\rightarrow 1]-\Pr [\text {Game}_{A,\varPi }^{\text {Ext}}\rightarrow 1]\bigr \vert \le 5q\cdot \sqrt{\eta }\,. \end{aligned}$$

For any fixed (pksk), the decryption oracle in \(\text {Game}_{A,{\varPi }}^{\text {Sim}}\) and that in \(\text {Game}_{A,{\varPi }}^{\text {Ext}}\) are simulated by unitary \(\text {U}_{\text {Sim}}\) and \(\text {U}_{\text {Ext}}\), respectively.

For any \(i=1,\ldots ,q\), define \(\text {G}_i\) to be a game that is the same as \(\text {Game}_{A,\varPi }^{\text {Sim}}\) until just before the i-th decryption query of A, then simulates the decryption oracle with unitary \(\text {U}_{\text {Ext}}\) instead of \(\text {U}_{\text {Sim}}\). Then \(\text {G}_1\) is exactly \(\text {Game}_{A,\varPi }^{\text {Ext}}\). We also denote \(\text {Game}_{A,\varPi }^{\text {Sim}}\) by \(G_{q+1}\).

For \(i=1,\ldots ,q+1\), denote by \(\sigma _i\) the final joint state of the registers of \(G_i\) including the register of A and the database register. By the triangle inequality of the trace distance,

$$\begin{aligned} \text {TD}(\sigma _1,\sigma _{q+1})\le \text {TD}(\sigma _{1},\sigma _{2})+\ldots +\text {TD}(\sigma _{q},\sigma _{q+1})\,, \end{aligned}$$

where \(\text {TD}(\rho ,\tau )\) is the trace distance of state \(\rho \) and \(\tau \).

Fix \(1\le i\le q\). Since games \(G_i\) and \(G_{i+1}\) differ only in the i-th decryption query, we denote by \(\rho \) the joint state of A and the database register just before the i-th decryption query. All operations after the i-th decryption query can be represented by a trace-preserving operation, denoted by \(\mathcal {E}\). Then \(\sigma _i\) and \(\sigma _{i+1}\) can be written as \(\sigma _i=\mathcal {E}(\text {U}_{\text {Sim}}\,\rho \text {U}_{\text {Sim}}^{\dagger })\) and \(\sigma _{i+1}=\mathcal {E}(\text {U}_{\text {Ext}}\,\rho \text {U}_{\text {Ext}}^{\dagger })\), respectively. Since \(\mathcal {E}\) is trace-preserving, we have

$$\begin{aligned} \text {TD}(\sigma _{i},\sigma _{i+1})\le \text {TD}(\text {U}_{\text {Sim}}\,\rho \text {U}_{\text {Sim}}^{\dagger },\text {U}_{\text {Ext}}\,\rho \text {U}_{\text {Ext}}^{\dagger })\,. \end{aligned}$$

Let \(\rho =\sum _jp_j|\psi _j\rangle \langle \psi _j|\) be a spectral decomposition of \(\rho \), where \(\sum _jp_j=1\). Then by the convexity of the trace distance,

$$\begin{aligned}&\text {TD}(\text {U}_{\text {Sim}}\,\rho \text {U}_{\text {Sim}}^{\dagger },\text {U}_{\text {Ext}}\,\rho \text {U}_{\text {Ext}}^{\dagger })\\&=\text {TD}\bigl (\,\sum _jp_j\text {U}_{\text {Sim}}|\psi _j\rangle \langle \psi _j|\text {U}_{\text {Sim}}^{\dagger },\sum _jp_j\text {U}_{\text {Ext}}|\psi _j\rangle \langle \psi _j|\text {U}_{\text {Ext}}^{\dagger }\bigr )\\&\le \sum _jp_j\text {TD}(\text {U}_{\text {Sim}}|\psi _j\rangle \langle \psi _j|\text {U}_{\text {Sim}}^{\dagger },\text {U}_{\text {Ext}}|\psi _j\rangle \langle \psi _j|\text {U}_{\text {Ext}}^{\dagger })\\&\le \sum _jp_j\Vert (\text {U}_{\text {Sim}}-\text {U}_{\text {Ext}})|\psi _j\rangle \Vert \,. \end{aligned}$$

Note that before the i-th decryption query, the decryption procedure is \(\text {U}_{\text {Sim}}\) and A can be considered as being in \(\text {Game}_{A,\varPi }^{\text {Sim}}\). Thus, any state \(|\psi _j\rangle \) in the spectral decomposition of \(\rho \) is in the form of the superposition state in Lemma 3. By Lemma 3, \(\Vert (\text {U}_{\text {Sim}}-\text {U}_{\text {Ext}})|\psi _j\rangle \Vert \le 5\sqrt{\eta }\). Then for every \(1\le i\le q\),

$$\begin{aligned} \text {TD}(\sigma _{i},\sigma _{i+1}) \le \sum _jp_j\cdot \Vert (\text {U}_{\text {Sim}}-\text {U}_{\text {Ext}})|\psi _j\rangle \Vert \le \sum _jp_j\cdot 5\sqrt{\eta }=5\sqrt{\eta }\,. \end{aligned}$$

Thus, \(\text {TD}(\sigma _1,\sigma _{q+1})\le 5q\cdot \sqrt{\eta }\). Further, the output difference of \(\text {Game}_{A,{\varPi }}^{\text {Sim}}\) and \(\text {Game}_{A,{\varPi }}^{\text {Ext}}\) is upper bounded by the trace distance of \(\sigma _1\) and \(\sigma _{q+1}\), the states of these two games. This completes the proof.   \(\square \)

4 Application in the Quantum Security Proof

In this section, we apply Theorem 5 on oracle-masked schemes to give IND-qCCA security proofs for the transformations FO, REACT and \(\textsf{T}_{\textsf{CH}}\) in the QROM.

4.1 FO: From OW-CPA to IND-qCCA in the QROM

Let \({\varPi }^{asy}=(\text {Gen}^{asy},\text {Enc}^{asy},\text {Dec}^{asy})\) be a PKE with message space \(\mathcal {M}^{asy}\), randomness space \(\mathcal {R}^{asy}(=\{0,1\}^n)\) and ciphertext space \(\mathcal {C}^{asy}\). Let \({\varPi }^{sy}=(\text {Enc}^{sy},\text {Dec}^{sy})\) be an SKE with key space \(\mathcal {K}^{sy}\), message space \(\mathcal {M}^{sy}\) and ciphertext space \(\mathcal {C}^{sy}\). Let \(H:\{0,1\}^{*}\rightarrow \mathcal {R}^{asy}\) and \(G:\{0,1\}^{*}\rightarrow \mathcal {K}^{sy}\) be hash functions. We review the FO transformation in the following definition, and then provide its IND-qCCA security proof in the QROM.

Definition 5

\(\textsf{FO}[\varPi ^{asy},\varPi ^{sy},H,G]=(\text {Gen},\text {Enc},\text {Dec})\) obtained from the FO transformation is constructed as shown in Fig. 3.

Fig. 3. PKE \(\textsf{FO}[\varPi ^{asy},\varPi ^{sy},H,G]\) obtained from the FO transformation

Lemma 5

Assume that H is the random oracle and \(\varPi ^{asy}\) is \(\gamma \)-spread, then \(\textsf{FO}[\varPi ^{asy},\varPi ^{sy},H,G]\) is an oracle-masked scheme relative to H, and its parameter \(\eta \) is such that \(\eta \le 1/2^{\gamma }\).

Proof

We define deterministic polynomial-time algorithms \(\text {A}_1\), \(\text {A}_2\), \(\text {A}_3\) and \(\text {A}_4\):

  • \(\text {A}_1\) on input \(\delta \) and m, evaluates \(k:=G(\delta )\) and \(d:=\text {Enc}^{sy}(k,m)\), then outputs \((\delta ,d)\).

  • \(\text {A}_2\) takes pk, \((\delta ,d)\) and \(y\in \mathcal {R}^{asy}\) as input, computes \(c:=\text {Enc}^{asy}(pk,\delta ;y)\), then outputs \((c,d)\).

  • \(\text {A}_3\) takes sk and \((c,d)\) as input, evaluates \(\delta :=\text {Dec}^{asy}(sk,c)\). If \(\delta \ne \bot \), output \((\delta ,d)\). Otherwise, output \(\bot \).

  • \(\text {A}_4\) on input \((\delta ,d)\), computes \(k:=G(\delta )\) and \(m:=\text {Dec}^{sy}(k,d)\), outputs m.

It can be verified that with these four algorithms, the algorithms \(\text {Enc}\) and \(\text {Dec}\) given in Fig. 3 are written as \(\text {Enc}^{\mathcal {O}}\) and \(\text {Dec}^{\mathcal {O}}\) in Definition 3 with \(\mathcal {O}=H\), respectively. Thus, \(\textsf{FO}[\varPi ^{asy},\varPi ^{sy},H,G]\) is an oracle-masked scheme, and its parameter \(\eta \) is

$$\eta =\max _{(pk,sk),\,c}{\bigl \vert \{r\in \mathcal {R}^{asy}: \, c=\text {Enc}^{asy}(pk,\text {Dec}^{asy}(sk,c);r)\}\bigr \vert }/|\mathcal {R}^{asy}|\,,$$

where \((pk,sk)\) and \(c\in \mathcal {C}^{asy}\) are such that \(\text {Dec}^{asy}(sk,c)\in \mathcal {M}^{asy}\).

Since \(\varPi ^{asy}\) is \(\gamma \)-spread, for any \((pk,sk)\) and \(m\in \mathcal {M}^{asy}\),

$$\max _{c\in \mathcal {C}^{asy}}{\bigl \vert \{r\in \mathcal {R}^{asy}: \, c=\text {Enc}^{asy}(pk,m;r)\}\bigr \vert }/|\mathcal {R}^{asy}|\le 1/2^{\gamma }\,.$$

Therefore, \(\eta \le 1/2^{\gamma }\).   \(\square \)

Note that the above evaluation of function G can be replaced by querying an oracle that computes G. Then algorithm \(\text {A}_1\) and \(\text {A}_4\) become oracle algorithms denoted by \(\text {A}_1^G\) and \(\text {A}_4^G\), respectively. In this case, the notions in Definition 3 still work, and Theorem 5 holds. Then we apply Theorem 5 to prove the IND-qCCA security of oracle-masked scheme \(\textsf{FO}[\varPi ^{asy},\varPi ^{sy},H,G]\) in the QROM.
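The decomposition above and the parameter \(\eta \) can be made concrete on a toy scheme. The following is an added example, not code from the paper: it instantiates \(\text {A}_1\) to \(\text {A}_4\) and \(\text {Enc}^{\mathcal {O}}\)/\(\text {Dec}^{\mathcal {O}}\) for a constructed toy \(\varPi ^{asy}\) (textbook ElGamal in \(\mathbb {Z}_{23}^*\), so \(|\mathcal {R}^{asy}|=22\)), a one-time pad as \(\varPi ^{sy}\), SHA-256 standing in for H and G, and the FO re-encryption check inside \(\text {Dec}^{\mathcal {O}}\) (Definition 3 is outside this excerpt, so that check is an assumption here). It then computes \(\eta \) exactly by enumerating \(\mathcal {R}^{asy}\), and goes beyond the text by adding a randomness-wasting variant of the toy PKE to show how poor spreadness inflates the \(5q_D\sqrt{\eta }\) loss of Theorem 5.

```python
"""Toy instantiation of the oracle-masked decomposition (A1..A4) of FO from
the proof of Lemma 5, plus eta from Lemma 5 by exhaustive enumeration.
Added example, not code from the paper; every concrete choice below is a
constructed assumption (toy ElGamal in Z_23^*, one-time pad SKE, SHA-256
in place of H and G, the FO re-encryption check inside Dec^O)."""
import hashlib
import secrets
from fractions import Fraction
from math import log2, sqrt

P, GEN = 23, 5            # toy group Z_23^*; 5 is a primitive root mod 23
R_SIZE = P - 1            # |R^asy| = 22, randomness r in Z_22
MSG_LEN = 4               # bytes per SKE message / key (K^sy = 4-byte keys)
BOT = None                # the symbol "bot"

# ---- toy Pi^asy: ElGamal over Z_23^*, M^asy = {1..22} ----
def gen_asy(sk=None):
    sk = sk if sk is not None else secrets.randbelow(R_SIZE - 1) + 1
    return pow(GEN, sk, P), sk                       # (pk, sk)
def enc_asy(pk, delta, r):
    """Enc^asy(pk, delta; r) with explicit randomness r in Z_22."""
    return (pow(GEN, r, P), (delta * pow(pk, r, P)) % P)
def enc_asy_wasteful(pk, delta, r):
    """Same scheme but ignoring half of r: a less well spread Pi^asy."""
    return enc_asy(pk, delta, r % 11)
def dec_asy(sk, c):
    c1, c2 = c
    if not (1 <= c1 < P and 1 <= c2 < P):
        return BOT
    return (c2 * pow(c1, (P - 1) - sk, P)) % P       # c2 * c1^(-sk)

# ---- H: {0,1}^* -> R^asy, G: {0,1}^* -> K^sy, and a one-time pad Pi^sy ----
def H(delta, d):
    h = hashlib.sha256(b"H" + bytes([delta]) + d).digest()
    return int.from_bytes(h, "big") % R_SIZE
def G(delta):
    return hashlib.sha256(b"G" + bytes([delta])).digest()[:MSG_LEN]
def enc_sy(k, m):
    return bytes(a ^ b for a, b in zip(k, m))
dec_sy = enc_sy                                      # OTP is an involution

# ---- the four deterministic algorithms from the proof of Lemma 5 ----
def A1(delta, m):                                    # (delta, m) -> (delta, d)
    return (delta, enc_sy(G(delta), m))
def A2(pk, s, y):                                    # (pk, (delta, d), y) -> (c, d)
    delta, d = s
    return (enc_asy(pk, delta, y), d)
def A3(sk, ct):                                      # (sk, (c, d)) -> (delta, d) or bot
    c, d = ct
    delta = dec_asy(sk, c)
    return BOT if delta is BOT else (delta, d)
def A4(s):                                           # (delta, d) -> m
    delta, d = s
    return dec_sy(G(delta), d)

# ---- Enc^O and Dec^O with O = H; sk is assumed to carry pk, so we pass both ----
def fo_enc(pk, m, delta=None):
    delta = delta if delta is not None else secrets.randbelow(R_SIZE) + 1
    s = A1(delta, m)
    return A2(pk, s, H(*s))                          # c = Enc^asy(pk, delta; H(delta, d))

def fo_dec(pk, sk, ct):
    s = A3(sk, ct)
    if s is BOT or A2(pk, s, H(*s)) != ct:           # re-encryption check
        return BOT
    return A4(s)

# ---- eta as defined in Lemma 5, maximised over all keys and valid ciphertexts ----
def eta(enc, keypairs):
    """max over (pk,sk), c of |{r : c = enc(pk, Dec^asy(sk, c); r)}| / |R^asy|."""
    worst = Fraction(0)
    for pk, sk in keypairs:
        for c1 in range(1, P):
            for c2 in range(1, P):
                delta = dec_asy(sk, (c1, c2))
                hits = sum(enc(pk, delta, r) == (c1, c2) for r in range(R_SIZE))
                worst = max(worst, Fraction(hits, R_SIZE))
    return worst

ALL_KEYS = [gen_asy(sk) for sk in range(1, R_SIZE)]  # every sk in {1..21}

def demo():
    pk, sk = gen_asy(7)
    m = b"\x01\x02\x03\x04"
    ct = fo_enc(pk, m, delta=9)
    s = A1(9, m)
    malformed = A2(pk, s, (H(*s) + 1) % R_SIZE)      # wrong randomness: must be rejected
    e_good, e_bad = eta(enc_asy, ALL_KEYS), eta(enc_asy_wasteful, ALL_KEYS)
    return {
        "roundtrip": fo_dec(pk, sk, ct) == m,
        "malformed_rejected": fo_dec(pk, sk, malformed) is BOT,
        "eta": e_good,                               # 1/22: ElGamal is log2(22)-spread
        "gamma": -log2(float(e_good)),
        "eta_wasteful": e_bad,                       # 1/11: wasted randomness doubles eta
        "loss_q10": 5 * 10 * sqrt(float(e_good)),    # the 5*q_D*sqrt(eta) term for q_D = 10
    }
```

For the toy group the loss term is far above 1, which is exactly why \(\gamma \) must be large (a real \(\mathcal {R}^{asy}=\{0,1\}^n\) with n in the hundreds) for the bound in Theorem 6 to be meaningful.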

Theorem 6

Let \(\varPi ^{asy}\) be \(\gamma \)-spread. For any adversary A against the security of scheme \(\varPi =\textsf{FO}[\varPi ^{asy},\varPi ^{sy},H,G]\), making at most \(q_D\) queries to the decryption oracle, at most \(q_H\) queries to random oracle H and at most \(q_G\) queries to random oracle G, there exist an adversary \(A_{asy}\) against the security of \(\varPi ^{asy}\) and an adversary \(A_{sy}\) against the \(\text {OT}\) security of \(\varPi ^{sy}\) such that


where \(d=q_D+q_H+2q_G\), \(\text {Time}(A_{sy})\approx \text {Time}(A)+O\big (d^2+q_H\cdot q_D\cdot \text {Time}(\text {Enc}^{asy})\big )\) and \(\text {Time}(A_{asy})\approx \text {Time}(A_{sy})\).

Proof

Define Game 0 to be \(\text {Game}_{A,\varPi }^{\text {IND-qCCA}}\) as in Fig. 4. Then we obtain

$$\begin{aligned} \left| \Pr [{\textbf {Game 0}}\rightarrow 1]-\frac{1}{2}\right| =\text {Adv}_{A,{\varPi }}^{\text {IND-qCCA}}\,. \end{aligned}$$
(1)

In the following, we will introduce a sequence of games to bound \(\text {Adv}_{A,{\varPi }}^{\text {IND-qCCA}}\).

Fig. 4. \(\text {Game}_{A,\varPi }^{\text {IND-qCCA}}\) for the FO transformation in the QROM, where the oracles H, G and \(\text {Dec}_{a}\) are all quantum-accessible.

Starting from Game 1, random oracle H is simulated with \(\textsf {CStO}\) and its database register is denoted as D. This change is undetectable for A by Theorem 2. Moreover, \(\delta ^*\) is sampled uniformly at the beginning of the game, which is also undetectable for any adversary.

Game 1: In this game, the decryption oracle is simulated by the plaintext extraction procedure \(\text {U}_{\text {Ext}}\) of \(\varPi \). We refer to Appendix A for the detailed construction of \(\text {U}_{\text {Ext}}\) of \(\varPi \) without sk.

Omitting the \((c,d)=(c^*,d^*)\) case, \(\text {U}_{\text {Ext}}\) can also be rephrased, based on Lemma 5, as \(\text {U}_{\text {Ext}}=\text {U}_\text {E}^{\dagger }\circ \text {U}_\text {C}\circ \text {U}_\text {E}\). Here unitary \(\text {U}_\text {E}\) extracts the \((\delta ',d)\) corresponding to \((c,d)\) from the database, and unitary \(\text {U}_\text {C}\) computes the plaintext \(m'\) from \((\delta ',d)\). \(\text {U}_\text {E}\) acts as follows.

$$\begin{aligned} \begin{aligned} \text {U}_{\text {E}}|(c,d),z_1,D\rangle = {\left\{ \begin{array}{ll} |(c,d),z_1\oplus (1,(\delta ',d)),D\rangle &{} \text {if } \text {Enc}^{asy}(pk,\delta ';D(\delta ',d))=c\\ |(c,d),z_1\oplus (0,0^n),D\rangle &{} \text {otherwise.} \end{array}\right. } \end{aligned} \end{aligned}$$

It is obvious that \({\textbf {Game 1}}\) is the plaintext extraction game \(\text {Game}_{A,{\varPi }}^{\text {Ext}}\). Then by Theorem 5, we obtain \(\bigl \vert \Pr [{\textbf {Game 0}}\rightarrow 1]-\Pr [{\textbf {Game 1}}\rightarrow 1]\bigr \vert \le 5q_D\cdot \sqrt{\eta }\) for any fixed \(G\in \varOmega _{G}\). Therefore,

$$\begin{aligned}&\bigl \vert \Pr [{\textbf {Game 0}}\rightarrow 1]-\Pr [{\textbf {Game 1}}\rightarrow 1]\bigr \vert \le 5q_D\cdot \sqrt{\eta }\le q_D\cdot \frac{5}{\sqrt{2^{\gamma }}}\,, \end{aligned}$$
(2)

where variable G, both in \({\textbf {Game 0}}\) and \({\textbf {Game 1}}\), is sampled from \(\varOmega _G\) uniformly.

\({\textbf {Game 2}}\): This game is identical with \({\textbf {Game 1}}\) except that the decryption oracle is simulated by the following steps after the challenge query.

  1. Perform unitary \(\textsf {StdDecomp}_{(\delta ^*,d^*)}\) on register D.

  2. Apply \(\text {U}_{\text {Ext}}\) to registers C, Z and D.

  3. Perform \(\textsf {StdDecomp}_{(\delta ^*,d^*)}\) on register D a second time.

We define unitary \(\text {SU}_{\text {Ext}}:=\textsf {StdDecomp}_{(\delta ^*,d^*)}\circ \text {U}_{\text {Ext}}\circ \textsf {StdDecomp}_{(\delta ^*,d^*)}\). If we flip the order of the last two steps of \(\text {SU}_{\text {Ext}}\), then \(\textsf {StdDecomp}_{(\delta ^*,d^*)}\circ \textsf {StdDecomp}_{(\delta ^*,d^*)}\) is an identity operator and in this way, \(\text {SU}_{\text {Ext}}\) performs identically as \(\text {U}_{\text {Ext}}\). Since Lemma 4 states that \(\text {U}_{\text {Ext}}\) commutes with \(\textsf {StdDecomp}_{(\delta ^*,d^*)}\) by a loss, we have

$$\begin{aligned} \text {TD}(\text {U}_{\text {Ext}}\rho \text {U}_{\text {Ext}}^{\dagger },\text {SU}_{\text {Ext}}\rho \,\text {SU}_{\text {Ext}}^{\dagger })\le 7\sqrt{\eta }\le \frac{7}{\sqrt{2^{\gamma }}}\end{aligned}$$

for any joint state \(\rho \) on registers in \({\textbf {Game 2}}\). At most \(q_D\) decryption queries are made after the challenge query, and then by the hybrid argument,

$$\begin{aligned} \vert \Pr [{\textbf {Game 1}}\rightarrow 1]-\Pr [{\textbf {Game 2}}\rightarrow 1]\vert \le q_D\cdot \frac{7}{\sqrt{2^{\gamma }}}\,. \end{aligned}$$
(3)

\({\textbf {Game 3}}\): Differing from \({\textbf {Game 2}}\), we change the way to answer random oracle queries in some cases: when random oracle H or G is queried by A or G is applied in the decryption process, we query E and then query the random oracle, where E is a constant zero function with quantum access.

Since E is a constant zero function, the random oracle query does not change after querying E, and we have

$$\begin{aligned} \Pr [{\textbf {Game 2}}\rightarrow 1]=\Pr [{\textbf {Game 3}}\rightarrow 1]\,. \end{aligned}$$
(4)

\({\textbf {Game 4}}\): The only difference between \({\textbf {Game 3}}\) and \({\textbf {Game 4}}\) is that the semi-classical oracle \(O^{SC}_{\mathcal {S}}\) is applied before each query to E, where \(\mathcal {S}:=\{\delta ^*,\delta ^*\Vert \cdot \}\).

Let \(z:=\delta ^*\), and \(B^{E}(\delta ^*)\) be the algorithm that runs A and simulates \({\textbf {Game 3}}\). Then we have

$$\begin{aligned} \Pr [{\textbf {Game 3}}\rightarrow 1]&=\Pr [b=1:b\leftarrow B^{E}(\delta ^*),\delta ^*\xleftarrow {\$}\mathcal {M}^{asy}]\,,\\ \Pr [{\textbf {Game 4}}\rightarrow 1]&=\Pr [ b=1:b\leftarrow B^{E\backslash \mathcal {S}}(\delta ^*),\delta ^*\xleftarrow {\$}\mathcal {M}^{asy}]\,,\\ \Pr [\text {Find}:{\textbf {Game 4}}]&=\Pr [\text {Find}:B^{E\backslash \mathcal {S}}(\delta ^*),\delta ^*\xleftarrow {\$}\mathcal {M}^{asy}]\,. \end{aligned}$$

It can be verified that B makes at most \(q_H+q_G+2q_D\) queries to E. We let \(d=q_H+q_G+2q_D\) and apply Theorem 3 to obtain

$$\begin{aligned} \vert \Pr [{\textbf {Game 3}}\rightarrow 1]-\Pr [{\textbf {Game 4}}\rightarrow 1]\vert \le \sqrt{(d+1)\Pr [\text {Find}:{\textbf {Game 4}}]}\,. \end{aligned}$$
(5)

Notice that by \(\text {A}_4\) defined in Lemma 5, G is queried in the process of \(\text {U}_\text {C}\) when performing \(\text {U}_{\text {Ext}}\). Then oracle \(\mathcal {O}_{\mathcal {S}}^{SC}\) should be queried in the process of \(\text {U}_\text {C}\) in \({\textbf {Game 4}}\). We denote by \(\text {U}_\text {C}'\) the modified \(\text {U}_\text {C}\). Accordingly, before the challenge query, the decryption oracle in \({\textbf {Game 4}}\) is simulated by \(\text {U}_\text {E}\circ \text {U}_\text {C}'\circ \text {U}_\text {E}^{\dagger }\), denoted by \(\text {U}_{\text {Ext}}'\). After the challenge query, the decryption oracle is simulated by \(\textsf {StdDecomp}_{(\delta ^*,d^*)}\circ \text {U}'_{\text {Ext}}\circ \textsf {StdDecomp}_{(\delta ^*,d^*)}\), denoted by \(\text {SU}'_{\text {Ext}}\).

We assume that Find does not occur in \({\textbf {Game 4}}\). In this case, A never queries H on \((\delta ^*,d^*)\), and the database D satisfies \(D(\delta ^*,d^*)=\bot \) until the challenge query. To produce the challenge ciphertext, \(r^*:=H(\delta ^*,d^*)\) is computed, and the joint state is then a superposition of states \(\textsf {StdDecomp}_{(\delta ^*,d^*)}|w,D\cup ((\delta ^*,d^*),r^*)\rangle \), where w denotes the other registers of this game and \(D(\delta ^*,d^*)=\bot \). Then by the definition of \(\text {U}_{\text {E}}\), we can conclude that for any ciphertext \((c,d)\ne (c^*,d^*)\),

$$\begin{aligned} \text {U}_{\text {E}}|(c,d),z_1,D\cup ((\delta ^*,d^*),r^*)\rangle =|(c,d),z_1\oplus (b,x),D\cup ((\delta ^*,d^*),r^*)\rangle \end{aligned}$$

if and only if \(\text {U}_{\text {E}}|(c,d),z_1,D\rangle =|(c,d),z_1\oplus (b,x),D\rangle \).

Furthermore, observe that \(\textsf {StdDecomp}_{(\delta ^*,d^*)}\) commutes with \(\text {U}_{\text {C}}'\) of \(\text {U}_{\text {Ext}}'\). Then for any ciphertext \((c,d)\ne (c^*,d^*)\),

$$\begin{aligned} \text {SU}'_{\text {Ext}}\circ&\textsf {StdDecomp}_{(\delta ^*,d^*)}|(c,d),z,D\cup ((\delta ^*,d^*),r^*)\rangle \\ =&\textsf {StdDecomp}_{(\delta ^*,d^*)}|c,z\oplus m',D\cup ((\delta ^*,d^*),r^*)\rangle \end{aligned}$$

if and only if \(\text {U}_{\text {Ext}}'|(c,d),z,D\rangle =|(c,d),z\oplus m',D\rangle \). This means that the database state on \((\delta ^*,d^*)\) is not involved in the decryption process of \({\textbf {Game 4}}\). Therefore, if Find does not occur, then the random oracles H and G are never queried by the adversary on \((\delta ^*,d)\) and \(\delta ^*\), respectively. Meanwhile, the adversary A cannot obtain information on \(H(\delta ^*,d^*)\) through decryption queries either. Therefore, producing the challenge ciphertext with uniformly chosen \(k^*\in \mathcal {K}^{sy}\) and \(r^*\in \mathcal {R}^{asy}\) is undetectable for adversary A, which is the difference between \({\textbf {Game 4}}\) and \({\textbf {Game 5}}\).

Game 5: In this game, we pick \(k^*\in \mathcal {K}^{sy}\) and \(r^*\in \mathcal {R}^{asy}\) uniformly and use them to produce the challenge ciphertext \((c^*,d^*)\). And we replace \(\text {SU}'_{\text {Ext}}\) with \(\text {U}'_{\text {Ext}}\).

As analyzed in \({\textbf {Game 4}}\), the view of A in \({\textbf {Game 4}}\) and that in \({\textbf {Game 5}}\) are identical until Find occurs. Therefore,

$$\begin{aligned} \Pr [\text {Find}:{\textbf {Game 4}}]&=\Pr [\text {Find}:{\textbf {Game 5}}]\,,\end{aligned}$$
(6)
$$\begin{aligned} \Pr [\lnot \text {Find}\wedge {\textbf {Game 4}}\rightarrow 1]&=\Pr [\lnot \text {Find}\wedge {\textbf {Game 5}}\rightarrow 1]\,. \end{aligned}$$
(7)

Lemma 6

There exists a quantum adversary \(A_{sy}\) invoking A such that

$$\begin{aligned} \left| \Pr [\mathbf {Game\text { }5 }\rightarrow 1]-\frac{1}{2}\right| =\textrm{Adv}_{A_{sy},{\varPi }^{sy}}^{\text {OT}} \end{aligned}$$
(8)

and \(\text {Time}(A_{sy})\approx \text {Time}(A)+O((q_H+q_G+2q_D)^2+q_H\cdot q_D\cdot \text {Time}\left( \text {Enc}^{asy})\right) \).

Proof

A quantum algorithm \(A_{sy}\) that runs A and breaks the one-time security of \({\varPi }^{sy}\) is constructed as follows.

\(A_{sy}\) generates \((pk,sk)\leftarrow \text {Gen}\), picks \(\delta ^*\xleftarrow {\$}\mathcal {M}^{asy}\) and simulates \({\textbf {Game 5}}\) for A. Random oracle G is simulated by a \(2(q_G+2q_D)\)-wise independent function, and the other oracles used in \({\textbf {Game 5}}\) can be implemented efficiently by \(A_{sy}\). For A's challenge query \((m_0,m_1)\), \(A_{sy}\) forwards it to the challenger in \(\text {Game}_{A_{sy},\varPi ^{sy}}^{\text {OT}}\). After receiving \(d^*\), \(A_{sy}\) picks \(r\in \mathcal {R}^{asy}\) uniformly, computes \(c^*:=\text {Enc}^{asy}(pk,\delta ^*;r)\) and sends \((c^*,d^*)\) back to A. After receiving \(b'\) from A, \(A_{sy}\) outputs \(b'\).

From the construction of \(A_{sy}\), the output of \(A_{sy}\) is correct if and only if A guesses correctly. Moreover, the view of A invoked by \(A_{sy}\) is identical with that in \({\textbf {Game 5}}\). Therefore,

$$\begin{aligned} \left| \Pr [\mathbf {Game\text { }5 }\rightarrow 1]-\frac{1}{2}\right| =\left| \Pr [\text {Game}_{A_{sy},{\varPi }^{sy}}^{\text {OT}}\rightarrow 1]-\frac{1}{2}\right| =\textrm{Adv}_{A_{sy},{\varPi }^{sy}}^{\text {OT}}\,. \end{aligned}$$

Denote by \(\text {T}_{\mathcal {O}}\) the time needed to simulate oracle \(\mathcal {O}\), then the running time of B is given by \(\text {Time}(B)=\text {Time}(A)+\text {T}_G+\text {T}_H+\text {Time}(\text {U}_{\text {Ext}})\), where \(\text {T}_G=O\left( (q_G+2q_D)^2\right) \), \(\text {T}_H=O(q_H^2)\), \(\text {Time}(\text {U}_{\text {Ext}})=O(q_D\cdot q_H\cdot \text {Time}(\text {Enc}^{asy}))\) by Appendix A.1.   \(\square \)

Lemma 7

There is a quantum adversary \(A_{asy}\) invoking A such that

(9)

and \(\text {Time}(A_{asy})\approx \text {Time}(A)+O((q_H+q_G+2q_D)^2+q_H\cdot q_D\cdot \text {Time}\left( \text {Enc}^{asy})\right) \).

Proof

Define \(B^{\mathcal {O}_{\mathcal {S}}^{SC}}\) as a quantum oracle algorithm that, on input pk and \(c^*\), runs A and simulates \({\textbf {Game 5}}\) for it. Then we have \(\Pr [\text {Find}:{\textbf {Game 5}}]=\Pr [\text {Find}:B^{\mathcal {O}_{\mathcal {S}}^{SC}}(pk,c^*)]\), where \(c^*\leftarrow \text {Enc}^{asy}(pk,\delta ^*)\) and \(\delta ^*\) is sampled uniformly from \(\mathcal {M}^{asy}\). As analyzed in \({\textbf {Game 4}}\), B makes at most \(d=q_H+q_G+2q_D\) queries, so by Theorem 4,

$$\begin{aligned} \Pr [\text {Find}:B^{\mathcal {O}_{\mathcal {S}}^{SC}}(pk,c^*)]\le 4d\cdot \Pr [(\delta ,d)\in \mathcal {S}:(\delta ,d)\leftarrow D(pk,c^*)]\,. \end{aligned}$$

Here D is a quantum algorithm invoking B. On input \((pk,c^*)\), D chooses \(i\xleftarrow {\$}\{1,\ldots ,d\}\), runs \(B^{\mathcal {O}_{\varnothing }^{SC}}(pk,c^*)\) until just before the i-th query of B, and then measures the state on the input register of \(\mathcal {O}_{\varnothing }^{SC}\) to obtain \((\delta ,d)\). Note that the running time of D and that of B are almost the same.

Because \(\mathcal {S}=\{\delta ^*,\delta ^*\Vert \cdot \}\), \((\delta ,d)\in \mathcal {S}\) is equivalent to \(\delta =\delta ^*\). Then D can be considered as a quantum algorithm \(A_{asy}\) that breaks the OW-CPA security of \({\varPi }^{asy}\). Therefore,


The running time of B is \(\text {Time}(B)=\text {Time}(A)+\text {T}_G+\text {T}_H+\text {Time}(\text {U}_{\text {Ext}})\), where \(\text {T}_G=O\left( (q_G+2q_D)^2\right) \), \(\text {T}_H=O(q_H^2)\), \(\text {Time}(\text {U}_{\text {Ext}})=O(q_D\cdot q_H\cdot \text {Time}(\text {Enc}^{asy}))\).

   \(\square \)

Summarizing Eq. (1) to (9), we have


   \(\square \)

Furthermore, compared with Zhandry's proof for the FO transformation, we notice that the plaintext extraction procedure in this proof acts the same as the decryption procedure defined in Hybrid 4 of his proof on input \((c,d)\) such that \(c\ne c^*\). With Theorem 5, we can prove that any polynomial-time quantum adversary distinguishes Hybrid 1 from Hybrid 4 with only negligible probability. On the other hand, by Eq. (2), it seems unnecessary to require that the decryption oracle output \(\bot \) directly for queries \((c,d)\) such that \(c=c^*\).

4.2 REACT: From OW-qPCA to IND-qCCA in the QROM

Let \({\varPi }^{asy}=(\text {Gen}^{asy},\text {Enc}^{asy},\text {Dec}^{asy})\) be a PKE with key space \(\mathcal {K}^{asy}\), message space \(\mathcal {M}^{asy}\), randomness space \(\mathcal {R}^{asy}\) and ciphertext space \(\mathcal {C}^{asy}\). Let \({\varPi }^{sy}=(\text {Enc}^{sy},\text {Dec}^{sy})\) be an SKE with message space \(\mathcal {M}^{sy}\), ciphertext space \(\mathcal {C}^{sy}\) and key space \(\mathcal {K}^{sy}\). Let \(H:\{0,1\}^*\rightarrow \{0,1\}^{n}\) and \(G:\{0,1\}^*\rightarrow \mathcal {R}^{sy}\) be hash functions. We recall the REACT transformation in the following definition, and then provide its IND-qCCA security proof.

Definition 6

\(\textsf{REACT}[\varPi ^{asy},\varPi ^{sy},H,G]=(\text {Gen},\text {Enc},\text {Dec})\) obtained from the REACT transformation is constructed as in Fig. 5.

Fig. 5. PKE \(\textsf{REACT}[\varPi ^{asy},\varPi ^{sy},H,G]\) obtained from the REACT transformation

Lemma 8

Let H be the random oracle, then \(\textsf{REACT}[\varPi ^{asy},\varPi ^{sy},H,G]\) is an oracle-masked scheme relative to H, and its parameter \(\eta \) is \(1/2^n\).

Proof

We define deterministic polynomial-time algorithms \(\text {A}_1\), \(\text {A}_2\), \(\text {A}_3\) and \(\text {A}_4\):

  • \(\text {A}_1\) takes pk, \((R,r)\) and m as input, evaluates \(c_1:=\text {Enc}^{asy}(pk,R;r)\), \(k:=G(R)\), \(c_2:=\text {Enc}^{sy}(k,m)\), and then outputs \((R,m,c_1,c_2)\).

  • \(\text {A}_2\) on input \((R,m,c_1,c_2)\) and \(y\in \{0,1\}^n\), lets \(c_3:=y\) and outputs \((c_1,c_2,c_3)\).

  • \(\text {A}_3\) takes sk and \((c_1,c_2,c_3)\) as input, computes \(R:=\text {Dec}^{asy}(sk,c_1)\). If \(R=\bot \), output \(\bot \). Else, compute \(k:=G(R)\) and \(m:=\text {Dec}^{sy}(k,c_2)\). If \(m=\bot \), output \(\bot \). Otherwise, output \((R,m,c_1,c_2)\).

  • \(\text {A}_4\) on input \((R,m,c_1,c_2)\), outputs m directly.

We can verify that with the four algorithms defined above, the algorithms \(\text {Enc}\) and \(\text {Dec}\) given in Fig. 5 are written as \(\text {Enc}^{\mathcal {O}}\) and \(\text {Dec}^{\mathcal {O}}\) in Definition 3 with \(\mathcal {O}=H\). Thus \(\varPi \) is an oracle-masked scheme, and its \(\eta \) is

$$\begin{aligned} \eta&=\max _{(pk,sk),(c_1,c_2,c_3)}{1}/{2^n}\bigl \vert \{y\in \{0,1\}^n: (c_1,c_2,c_3)=\text {A}_2(pk,\text {A}_3(sk,(c_1,c_2,c_3)),y)\}\bigr \vert \\&=\max _{(pk,sk),(c_1,c_2,c_3)}1/{2^n}{\bigl \vert \{y\in \{0,1\}^n: c_3=y\}\bigr \vert }=1/2^n\,, \end{aligned}$$

where \((pk,sk)\) is generated by \(\text {Gen}\), and \((c_1,c_2,c_3)\in \mathcal {C}^{asy}\times \mathcal {C}^{sy}\times \{0,1\}^n\) is such that \(\text {A}_3(sk,(c_1,c_2,c_3))\ne \bot \).    \(\square \)

Theorem 7

For any adversary A against the security of \(\varPi =\textsf{REACT}[\varPi ^{asy},\varPi ^{sy},H,G]\) in the QROM, making at most \(q_D\) queries to the decryption oracle, at most \(q_G\) queries to random oracle G and at most \(q_H\) queries to random oracle H, there exist an adversary \(A_{asy}\) against the security of \(\varPi ^{asy}\) and an adversary \(A_{sy}\) against the \(\text {OT}\) security of \(\varPi ^{sy}\) such that


where \(d=q_H+q_G+2q_H\cdot q_D\), \(\text {Time}(A_{sy})\approx \text {Time}(A_{asy})\approx \text {Time}(A)+O(d^2).\)

The IND-qCCA security proof of REACT transformation essentially follows the proof outline for FO transformation, which is presented in the proof of Theorem 6. Thus, we present the proof of Theorem 7 in the full version [25].

4.3 \(\textsf{T}_{\textsf{CH}}\): From OW-qPCA to IND-qCCA in the QROM

Transformation \(\textsf{T}_{\textsf{CH}}\) turns an OW-PCA secure PKE into a q-IND-CCA secure KEM in the quantum random oracle model [16].

Let \({\varPi }^{asy}=(\text {Gen}^{asy},\text {Enc}^{asy},\text {Dec}^{asy})\) be a PKE with message space \(\mathcal {M}^{asy}\). Let \(H,G:\{0,1\}^*\rightarrow \{0,1\}^{n}\) be hash functions. We then introduce \(\textsf{T}_{\textsf{CH}}\) and a new transformation \(\widetilde{\textsf{T}}\) to prove the IND-qCCA security of \(\textsf{T}_{\textsf{CH}}\).

Definition 7

PKE \(\widetilde{\textsf{T}}[\varPi ^{asy},H]=(\text {Gen},\text {Enc},\text {Dec})\) and KEM \(\textsf{T}_{\textsf{CH}}[\varPi ^{asy},H,G]=(\text {Gen},\text {Encaps},\text {Decaps})\) are shown in Fig. 6. In particular, \(\textsf{T}_{\textsf{CH}}\) is the composition of transformation \(\widetilde{\textsf{T}}\) and the modular \(\text {FO}\) transformation \(\textsf{U}_m^{\bot }\), i.e., \(\textsf{T}_{\textsf{CH}}[\varPi ^{asy},H,G]=\textsf{U}_{m}^{\bot }[\widetilde{\textsf{T}}[\varPi ^{asy},H],G]\).

Fig. 6. PKE \(\widetilde{\textsf{T}}[\varPi ^{asy},H]\) and KEM \(\textsf{T}_{\textsf{CH}}[\varPi ^{asy},H,G]\)

Lemma 9

\(\widetilde{\textsf{T}}[\varPi ^{asy},H]\) is an oracle-masked scheme relative to random oracle H, and its parameter \(\eta \) is \(1/{2^n}\).

Proof

Tuple \((\text {A}_1, \text {A}_2, \text {A}_3, \text {A}_4)\), as the decomposition of scheme \(\widetilde{\textsf{T}}[\varPi ^{asy},H]\), is defined as follows.

  • \(\text {A}_1\) takes pk, m and r as input, computes \(c_1:=\text {Enc}^{asy}(pk,m;r)\), then outputs \((m,c_1)\).

  • \(\text {A}_2\) takes \((m,c_1)\) and \(c_2\in \{0,1\}^n\) as input, then outputs \((c_1,c_2)\).

  • \(\text {A}_3\) takes \((c_1,c_2)\) as input, evaluates \(m:=\text {Dec}^{asy}(sk,c_1)\). If \(m=\bot \), output \(\bot \). Otherwise, output \((m,c_1)\).

  • \(\text {A}_4\) on input \((m,c_1)\), outputs m.

Then its parameter \(\eta \) is calculated by

$$\begin{aligned} \eta&=\max _{(pk,sk),(c_1,c_2)}1/{2^n}\cdot \vert \{y\in \{0,1\}^n:(c_1,c_2)=\text {A}_2(pk,\text {A}_3(sk,(c_1,c_2)),y)\}\vert \\&=\max _{(pk,sk),(c_1,c_2)}1/{2^n}\cdot \vert \{y\in \{0,1\}^n:c_2=y\}\vert ={1}/{2^n}\,, \end{aligned}$$

where \((pk,sk)\) and \((c_1,c_2)\in \mathcal {C}^{asy}\times \{0,1\}^n\) are such that \(\text {A}_3(sk,(c_1,c_2))\ne \bot \).    \(\square \)

Theorem 8

If \(\varPi ^{asy}\) is \(\delta \)-correct, for any adversary A against the security of \(\varPi =\textsf{T}_{\textsf{CH}}[\varPi ^{asy},H,G]\) in the QROM, making at most \(q_D\) queries to decapsulation oracle Decaps, at most \(q_H\) queries to random oracle H and at most \(q_G\) queries to random oracle G, there exists an adversary \(A_{asy}\) against the security of \(\varPi ^{asy}\) such that


where \(d=q_D+q_H+q_G\), \(\text {Time}(A_{asy})\approx \text {Time}(A)+O\left( d^2\right) \).

Proof

Game 0: This game is exactly \(\text {Game}_{A,\varPi }^{\text {IND-qCCA}}\), as given in Fig. 7. Then we have

$$\begin{aligned} \left| \Pr [{\textbf {Game 0}}\rightarrow 1]-\frac{1}{2}\right| =\text {Adv}_{A,{\varPi }}^{\text {IND-qCCA}}\,. \end{aligned}$$

Fig. 7. \(\text {Game}_{A,\varPi }^{\text {IND-qCCA}}\) for the \(\textsf{T}_{\textsf{CH}}\) transformation, where the oracles H, G and \(\text {Decaps}\) are all quantum-accessible

Starting from \({\textbf {Game 1}}\), random oracle H is simulated with \(\textsf {CStO}\) and its database register is denoted by D.

\({\textbf {Game 1}}\): In this game, we replace decapsulation oracle Decaps with oracle \(\text {Decaps}_1\). \(\text {Decaps}_1\) answers a quantum query \(|(c_1,c_2),z\rangle \) in three steps:

  1. Perform the plaintext extraction procedure \(\text {U}_{\text {Ext}}\) of \(\widetilde{\textsf{T}}[\varPi ^{asy},H]\) to obtain m.

  2. If \(m=\bot \), return \(|(c_1,c_2),z\oplus \bot \rangle \). Otherwise, return \(|(c_1,c_2),z\oplus G(m)\rangle \).

  3. Perform \(\text {U}_{\text {Ext}}\) a second time to uncompute m.

Note that the construction of \(\text {U}_{\text {Ext}}\) of \(\widetilde{\textsf{T}}[\varPi ^{asy},H]\) is presented in Appendix A. We can then construct \(\text {Decaps}_1\) by invoking the plaintext checking oracle \(\text {PCO}\) instead of using sk directly.

Answering \(q_D\) decapsulation queries with \(\text {Decaps}_1\) requires performing the plaintext extraction procedure \(2q_D\) times. By applying Theorem 5,

$$\begin{aligned} \left| \Pr [{\textbf {Game 0}}\rightarrow 1]-\Pr [{\textbf {Game 1}}\rightarrow 1]\right| \le 10q_D\cdot \sqrt{\eta }=q_D\cdot \frac{10}{\sqrt{2^n}}\,. \end{aligned}$$

\({\textbf {Game 2}}\): In this game, we replace oracle \(\text {Decaps}_1\) with \(\text {Decaps}_2\). \(\text {Decaps}_2\) differs from \(\text {Decaps}_1\) only after the challenge query: \(\text {Decaps}_2\) performs \(\textsf {StdDecomp}_{(m^*,c_1^*)}\) on register D before and after applying \(\text {Decaps}_1\).

To analyze the commutativity of \(\textsf {StdDecomp}_{(m^*,c_1^*)}\) and \(\text {Decaps}_1\), note that the second step of \(\text {Decaps}_1\) commutes with \(\textsf {StdDecomp}_{(m^*,c_1^*)}\) exactly. By Lemma 4, the first and last steps commute with \(\textsf {StdDecomp}_{(m^*,c_1^*)}\) up to a loss. Therefore,

$$\begin{aligned} \left| \Pr [{\textbf {Game 1}}\rightarrow 1]-\Pr [{\textbf {Game 2}}\rightarrow 1]\right| \le 14q_D\cdot \sqrt{\eta }=q_D\cdot \frac{14}{\sqrt{2^n}}\,. \end{aligned}$$

\({\textbf {Game 3}}\): In this game, we change how random oracle queries are answered: when the random oracles are queried during the execution of A, we first query a constant zero function E and then query these random oracles. Then we have

$$\begin{aligned} \Pr [{\textbf {Game 2}}\rightarrow 1]=\Pr [{\textbf {Game 3}}\rightarrow 1]\,. \end{aligned}$$

\({\textbf {Game 4}}\): In this game, the only change is that the semi-classical oracle \(\mathcal {O}^{SC}_{\mathcal {S}}\) is applied before querying E, where set \(\mathcal {S}=\{m^*,m^*\Vert \cdot \}\).

E is queried at most \(q_D+q_H+q_G\) times. We let \(d=q_D+q_H+q_G\), and apply Theorem 3 to obtain

$$\begin{aligned} \vert \Pr [{\textbf {Game 3}}\rightarrow 1]-\Pr [{\textbf {Game 4}}\rightarrow 1]\vert \le \sqrt{(d+1)\Pr [\text {Find}:{\textbf {Game 4}}]}\,. \end{aligned}$$

Game 5: In this game, we pick \(c_2^*\in \{0,1\}^n\) and \(K_0^*\in \{0,1\}^n\) uniformly to produce \((c_1^*,c_2^*)\) and \(K^*\). And we replace \(\text {Decaps}_2\) with \(\text {Decaps}_1\).

By an analysis similar to that in the proof of Theorem 6, the process of oracle \(\text {Decaps}_2\) in Game 4 does not disturb the database state on \((m^*,c_1^*)\) if Find does not occur. Moreover, Game 4 and Game 5 are indistinguishable for adversary A until Find occurs. Thus,

$$\begin{aligned} \Pr [\text {Find}:{\textbf {Game 4}}]&=\Pr [\text {Find}:{\textbf {Game 5}}]\,,\\ \Pr [\lnot \text {Find}\wedge {\textbf {Game 4}}\rightarrow 1]&=\Pr [\lnot \text {Find}\wedge {\textbf {Game 5}}\rightarrow 1]\,. \end{aligned}$$

Furthermore,


where adversary \(A_{asy}\) invokes A and breaks the security of \(\varPi ^{asy}\). The running time of \(A_{asy}\) is \(\text {Time}(A_{asy})\approx \text {Time}(A)+O\left( d^2\right) \).

Game 6: In this game, \(\mathcal {O}^{SC}_{\mathcal {S}}\) is removed from the process of E.

The output difference of Game 5 and Game 6 is bounded by Theorem 3. And in Game 6, \(K_0^*\) and \(K_1^*\) are both chosen from \(\{0,1\}^n\) uniformly, which means that Game 6 outputs 1 with probability 1/2.

Summarizing the above arguments, we obtain


   \(\square \)