Abstract
The post-quantum security of cryptographic schemes assumes that the quantum adversary only receives the classical result of computations with the secret key. Further, it is unknown whether the post-quantum secure schemes still remain secure if the adversary can obtain a superposition state of the results.
In this paper, we formalize one class of public-key encryption schemes named oracle-masked schemes. Then we define the plaintext extraction procedure for those schemes and this procedure simulates the quantum-accessible decryption oracle with a certain loss.
The construction of the plaintext extraction procedure does not need to take the secret key as input. Based on this property, we prove the IND-qCCA security of the Fujisaki-Okamoto (FO) transformation in the quantum random oracle model (QROM) and our security proof is tighter than the proof given by Zhandry (Crypto 2019). We also give the first IND-qCCA security proof of the REACT transformation in the QROM. Furthermore, our formalization can be applied to prove the IND-qCCA security of key encapsulation mechanisms with explicit rejection. As an example, we present the IND-qCCA security proof of \(\textsf {T}_{\textsf {CH}}\) transformation, proposed by Huguenin-Dumittan and Vaudenay (Eurocrypt 2022), in the QROM.
1 Introduction
There are two criteria for a practical encryption scheme: security and efficiency. Many generic transformations have been proposed to enhance the security of public-key encryption schemes (PKEs) so as to achieve security in the sense of indistinguishability under chosen ciphertext attacks (IND-CCA) [2, 8, 11, 23]. As for efficiency, Cramer and Shoup proposed the KEM-DEM hybrid construction that combines an IND-CCA key encapsulation mechanism (KEM) with a one-time chosen ciphertext secure secret-key encryption scheme (SKE) to obtain an IND-CCA PKE [9].
Cryptographic schemes often have efficient constructions in the random oracle model (ROM) [2], in which schemes are proven to be secure assuming the existence of the publicly accessible random oracle. Many generic transforms are relative to random oracles. For instance, the Fujisaki-Okamoto (FO) transformation turns an arbitrary PKE that is one-way under chosen plaintext attacks (OW-CPA) into an IND-CCA PKE in the ROM [11], and the REACT transformation turns an arbitrary PKE that is one-way under plaintext checking attacks (OW-PCA) into an IND-CCA PKE in the ROM [23].
Typically, the random oracle is instantiated with a cryptographic hash function. Thus in the real world attack, a quantum attacker can evaluate the hash function in superposition. To capture this issue, Boneh et al. [4] proposed the quantum random oracle model (QROM) where the quantum adversary can query the random oracle with superposition states. Further, classical schemes may be implemented on quantum computers, which potentially gives quantum attackers more power. For this case, Boneh and Zhandry [5] introduced the indistinguishability under quantum chosen ciphertext attacks (IND-qCCA) for encryption schemes, where the adversary can make quantum queries to the decryption oracle. Following it, Gagliardoni et al. [13] focused on SKE and proposed new notions of indistinguishability and semantic security in the quantum world, e.g. quantum semantic security under chosen plaintext attacks (qSEM-qCPA). On the other hand, Xagawa and Yamakawa [27] presented the IND-qCCA security of KEMs, where the adversary can query the decapsulation oracle in superposition.
Boneh et al. [4] summarized four proof techniques that are commonly used in the ROM but do not carry over to the quantum setting straightforwardly. One of them, “extractability”, means that the simulator learns the preimages the adversary is interested in while simulating the random oracle for the adversary.
Extractability is the core of simulating answers to decryption queries in the IND-CCA security proofs of both FO and REACT in the ROM. However, in the quantum setting, the lack of this technique had been an obstacle to their security proofs in the QROM. To circumvent it, Targhi and Unruh [26] and the follow-up work by Ambainis et al. [1] modified the FO transformation by appending an extra hash value to the ciphertext, then applied the One-way to Hiding (O2H) Theorem and its variant to prove the IND-CCA security of the modified FO in the QROM.
Hofheinz et al. [14] divided KEMs into two types: explicit rejection and implicit rejection. The explicit rejection (resp. implicit rejection) type returns a symbol \(\bot \) (resp. a pseudorandom value) if the ciphertext is invalid. For both types, they presented the IND-CCA security proof of transformations with an additional hash in the QROM. Later, transformations with implicit rejection were freed from the additional hash and proved to be IND-CCA and even IND-qCCA secure in the QROM [3, 17, 19,20,21, 24, 27]. Nonetheless, for the explicit rejection type, IND-CCA security proofs in the QROM were only given for transformations either with an additional hash [18] or under non-standard security assumptions [19]. It seemed infeasible to give a post-quantum security proof of the unmodified transformations due to the non-existence of extractability.
In his seminal paper [29], Zhandry proposed the compressed oracle technique, with which the simulator can “record” quantum queries to the random oracle while simulating it efficiently. This enables the use of the extractability technique in the quantum setting and thus makes it possible to give security proofs of the unmodified FO and of transformations with explicit rejection in the QROM.
Indeed, in the full version of [29], Zhandry gave a proof that the unmodified FO turns any OW-CPA PKE into an IND-qCCA PKE in the QROM. However, as pointed out by Don et al. [10], in this proof the answers to decryption queries in Hybrids 2 to 4 are simulated by applying (purified) measurements on the internal state of the compressed oracle, yet these measurements are hard to determine explicitly from their respective descriptions. Until now, this has been considered the gap that prevents the analysis of the disturbance caused by those measurements.
As for transformations with explicit rejection, Don et al. [10] presented the first IND-CCA security proof of \(\textsf {FO}_m^{\bot }\), a variant of FO transformation, in the QROM, as well as its concrete security bound. Based on their work, Hövelmanns et al. [15] improved the proof in [10] resulting in a tighter bound. However, as far as we know, there are only a few results on the IND-qCCA security proof of any transformations with explicit rejection [27].
1.1 Our Results
In this paper, we improve the IND-qCCA security proof in [29] and avoid the gap mentioned in [10]. In particular, we simplify that proof with our tool and present a tighter proof. We also give the first IND-qCCA security proofs for the transformations REACT and \(\textsf {T}_{\textsf {CH}}\) in the QROM, where \(\textsf {T}_{\textsf {CH}}\) is a KEM variant of REACT with explicit rejection proposed in [16]. The concrete security bounds for these three transformations are shown in Table 1.
Our main tool to prove our results is a unitary \(\text {U}_{\text {Ext}}\) named the plaintext extraction procedure for a class of PKE called oracle-masked schemes. Informally, the oracle-masked scheme is defined as follows.
Definition 1 (Oracle-Masked Scheme, Informal)
For random oracle \(\mathcal {O}\) with codomain \(\mathcal {Y}\), we call \(\varPi =(\text {Gen},\text {Enc}^{\mathcal {O}},\text {Dec}^{\mathcal {O}})\) an oracle-masked scheme if \(\text {Enc}^{\mathcal {O}}\) and \(\text {Dec}^{\mathcal {O}}\) are constructed as in Fig. 1. Parameter \(\eta \) of \(\varPi \) is defined to be
where (pk, sk) is generated by \(\text {Gen}\) and \(c\in \mathcal {C}\) is such that \(\text {A}_3(sk,c)\ne \bot \).
According to the above definition, oracle-masked schemes contain the PKEs obtained by several transformations, including the FO transformation, the REACT transformation and \(\textsf{T}\) in the modular FO toolkit [14]. We then present the plaintext extraction procedure \(\text {U}_{\text {Ext}}\) for an oracle-masked scheme \(\varPi \) as below.
Definition 2 (Plaintext Extraction Procedure, informal)
Suppose that \(\mathcal {O}\) is simulated by the compressed standard oracle \(\textsf{CStO}\) with database register D. Then the plaintext extraction procedure \(\text {U}_{\text {Ext}}\) of oracle-masked scheme \(\varPi \) applied on register C, Z, D is that \(\text {U}_{\text {Ext}}|c,z,D\rangle =|c,z\oplus f(c,D),D\rangle \), where
The plaintext extraction procedure \(\text {U}_{\text {Ext}}\) applies the extractability technique to simulate the quantum-accessible decryption oracle in the IND-qCCA security proof of \(\varPi \). When random oracle \(\mathcal {O}\) is simulated by \(\textsf{CStO}\), the random oracle queries are recorded on the database register D. Note that the queries are not recorded perfectly, but the simulator can still learn some information from the state on D by quantum measurements or by computing functions defined on the database [7, 10]. Following this fact, \(\text {U}_{\text {Ext}}\) extracts the plaintext \(m(:=\text {A}_4(x))\) for ciphertext c by computing the classical function f(c, D) defined above. Moreover, \(\text {U}_{\text {Ext}}\) can be performed efficiently if f can be computed efficiently.
With the notions defined as above, we then prove the IND-qCCA security of transformation FO, REACT and \(\textsf {T}_{\textsf {CH}}\). Our proofs can be outlined as the following three steps.
Firstly, we represent the schemes obtained by transformations as oracle-masked schemes relative to \(\mathcal {O}\) and specify their decomposition \((\text {A}_1,\text {A}_2,\text {A}_3,\text {A}_4)\). In the IND-qCCA security games of these schemes, random oracle \(\mathcal {O}\) is simulated by \(\textsf{CStO}\) and accordingly, the quantum decryption oracle \(\text {Dec}^{\mathcal {O}}\) is simulated by unitary \(\text {U}_{\text {Sim}}\).
Next, we replace unitary \(\text {U}_{\text {Sim}}\) with the plaintext extraction procedure \(\text {U}_{\text {Ext}}\). We also present the detailed construction of \(\text {U}_{\text {Ext}}\) without the secret key.
Finally, we apply the semi-classical O2H theorem to reprogram the compressed oracle at some points, which results in a new game. We then connect it to the security game of the underlying schemes.
Here we analyze the security loss introduced by the second and third step.
For the second step, we need to bound the security loss caused by the replacement of the simulation of the decryption oracle \(\text {Dec}^{\mathcal {O}}\). Since \(\textsf{CStO}\) perfectly simulates the random oracle, \(\text {U}_{\text {Sim}}\) and \(\text {Dec}^{\mathcal {O}}\) are perfectly indistinguishable for any adversary. Then we analyze the loss introduced by performing unitary \(\text {U}_{\text {Ext}}\). For one type of state \(|\psi \rangle \), we compute the difference between \(\text {U}_{\text {Ext}}|\psi \rangle \) and \(\text {U}_{\text {Sim}}|\psi \rangle \) and obtain the following lemma.
Lemma 1 (Informal)
Let \(|\psi \rangle \) be a quantum state on register C, Z, D that is orthogonal to \(\sum _{c,z,D,x}\alpha _{c,z,D,x}|c,z,D\cup (x,\beta _0)\rangle \). Then \(\Vert (\text {U}_{\text {Sim}}-\text {U}_{\text {Ext}})|\psi \rangle \Vert \le 5\sqrt{\eta }\).
As argued in [10], there are at least two requirements for refining the proof in [29]: to rigorously specify the quantum measurements in Hybrids 3 and 4, respectively, and to analyze the disturbance of the state of \(\textsf{CStO}\) caused by these quantum measurements.
Our proofs meet the first requirement by providing the plaintext extraction procedure \(\text {U}_{\text {Ext}}\) of oracle-masked schemes. Indeed, \(\text {U}_{\text {Ext}}\) and the scan operation in Hybrid 4 act similarly: they both learn information from the database. But our \(\text {U}_{\text {Ext}}\) is represented in a more specific form and can also be viewed as a formalization of the scan operation. As for the second requirement, we apply Lemma 1 to bound the disturbance caused by performing \(\text {U}_{\text {Ext}}\). If the adversary makes at most q decryption queries, then by the hybrid argument, the loss caused by \(\text {U}_{\text {Ext}}\) is upper bounded by \(5q\sqrt{\eta }\).
For the third step, we stress that we cannot reprogram \(\textsf{CStO}\) by applying the semi-classical O2H theorem alone. To explain, suppose that we puncture \(\textsf{CStO}\) on point x via the semi-classical oracle \(\mathcal {O}_{\{x\}}^{SC}\), which forbids the adversary from querying \(\textsf{CStO}\) on x if event Find does not occur. However, performing \(\text {U}_{\text {Ext}}\) disturbs the database state on register D, which in turn disturbs the simulation of random oracle \(\mathcal {O}\). Thus, it cannot be concluded that \(\textsf{CStO}\) on x is uniformly random even if the adversary never queries \(\textsf{CStO}\) on point x (i.e., Find does not occur).
To fix this, before reprogramming the compressed oracle on x, we change \(\text {U}_{\text {Ext}}\) into \(\textsf {StdDecomp}_x\circ \text {U}_{\text {Ext}}\circ \textsf {StdDecomp}_x\), where \(\textsf {StdDecomp}_x\), the local decompression procedure defined in [29], is an involution performed on the database register D. Then by the definition of \(\text {U}_{\text {Ext}}\), \(\textsf {StdDecomp}_x\circ \text {U}_{\text {Ext}}\circ \textsf {StdDecomp}_x\) does not disturb any database state of the form \(|D\cup \textsf {StdDecomp}_x(x,y)\rangle \), which is in contrast to the disturbance made by \(\text {U}_{\text {Ext}}\). We then apply the following lemma to bound the difference between \(\text {U}_{\text {Ext}}\) and \(\textsf {StdDecomp}_x\circ \text {U}_{\text {Ext}}\circ \textsf {StdDecomp}_x\).
Lemma 2 (Informal)
For any x and state \(|\psi \rangle \) on register C, Z, D,
Overall, we propose the notion of oracle-masked schemes and define plaintext extraction procedure \(\text {U}_{\text {Ext}}\) for these schemes. They can be used to avoid the gap in the FO proof in [29]. And our proof outline can also be applied to the IND-qCCA security proofs of other transformations in the QROM.
1.2 Related Work
Abstract frameworks were proposed to simplify the application of the compressed oracle technique in different situations [6, 7, 10]. They formalized properties that are satisfied in the presence of a random oracle, and lifted them to the quantum setting.
The proofs in [29] were already implicitly using compressed oracles for some form of extractability. Don et al. [10] then considered extractability in a general form. Specifically, they define a simulator \(\mathcal {S}\) that simulates the random oracle and also allows extraction queries, which are answered with a guess of the plaintext of the query. They then prove that this simulation of the random oracle is statistically indistinguishable from the real one if some properties are satisfied. In their security proof, extraction queries are restricted to be classical in the simulation. Therefore, their result seems to be tailored to post-quantum security proofs and is not sufficient to prove IND-qCCA security.
Based on [10], Hövelmanns et al. [15] proposed a variant of the semi-classical O2H theorem as the core of the post-quantum security proof of \(\textsf{FO}^{\bot }_{m}\). Roughly speaking, this theorem states that the probabilities of the classical events EXT and FIND bound the loss caused by the reprogramming of the oracle simulated by \(\mathcal {S}\). Differently from their work, our argument allows the adversary to make quantum extraction queries, so that event EXT is no longer meaningful.
2 Preliminaries
2.1 Notation
Denote by \(\mathcal {M}\), \(\mathcal {C}\) and \(\mathcal {R}\) the message space, ciphertext space and randomness space, respectively. A function \(f(\lambda )\) is negligible if \(f(\lambda )=\lambda ^{-\omega (1)}\). Algorithms take as input a security parameter \(\lambda \), and we omit it for convenience. \(\text {Time}(A)\) denotes the running time of algorithm A.
For a finite set \(\mathcal {X}\), denote by \(|\mathcal {X}|\) the number of elements of \(\mathcal {X}\), and by \(x\xleftarrow {\$} \mathcal {X}\) the choice of an element x uniformly at random from \(\mathcal {X}\). \([b=b^\prime ]\) is the integer that is 1 if \(b=b^\prime \) and 0 otherwise. \(\Pr [P:Q]\) is the probability that predicate P holds when all the variables in P are assigned according to the program Q.
2.2 Quantum Random Oracle Model
We refer to [22] for basics of quantum computation and quantum information.
In the ROM, we assume the existence of the random oracle \(\mathcal {O}:\mathcal {X} \rightarrow \mathcal {Y}\), and \(\mathcal {O}\) is publicly accessible to all parties. For concreteness, let \(\mathcal {Y}=\{0,1\}^n\). \(\mathcal {O}\) is initialized by choosing \(H\xleftarrow {\$} \varOmega _H\), where \(\varOmega _H\) is the set of all functions from \(\mathcal {X}\) to \(\mathcal {Y}\). In the QROM, quantum algorithms can query \(\mathcal {O}\) with superposition states, and the oracle performs the unitary mapping \(|x,y\rangle \mapsto |x,y\oplus H(x)\rangle \) on the query state. Oracle \(\mathcal {O}\) also allows making classical queries. To query x, set the input and output state to be \(|x,0\rangle \) and measure it after querying \(\mathcal {O}\) to obtain H(x).
Below, we introduce several tools for the QROM that are used in this paper. We begin with two ways to simulate the quantum random oracle.
Theorem 1
([28, Theorem 6.1]). Let H be a function chosen from the set of 2q-wise independent functions uniformly at random. Then for any quantum algorithm A with at most q queries,
The Compressed Oracle. Here we briefly introduce the compressed oracle technique, and we only consider the Compressed Standard Oracle (\(\textsf {CStO}\)), one version of the compressed oracle, with at most q queries. We refer to the full version of [29] for more details of the compressed oracle.
The core idea of the compressed oracle technique is the purification of the quantum random oracle, and the purified oracle imperfectly records quantum queries to the random oracle. In the QROM, random oracle \(\mathcal {O}\) is initialized by uniformly sampling a function H from \( \varOmega _H\). If \(\mathcal {O}\) is queried with a quantum state \(\vert x,y\rangle \), then the replied state is a mixed state and can be represented as \(\{p_i,|x,y\oplus H_i(x)\rangle \}\), where \(p_i=1/|\varOmega _H|\), \(i=1,\ldots ,|\varOmega _H|\). This mixed state can be purified to the state \(1/\sqrt{\vert \varOmega _H\vert }\sum _H|x,y\oplus H(x),H\rangle \), where \(|H\rangle \) is the internal state of oracle \(\mathcal {O}\) and the H of \(|H\rangle \) is the truth table of function H.
Instead of a superposition of truth tables H, \(\textsf {CStO}\) takes a superposition of databases as its internal state and simulates random oracle \(\mathcal {O}\). We denote this simulated oracle by \(\textsf {CStO}\) directly, and the database by D. Here D is an element of the set \(\textbf{D}_l:=(\mathcal {X}\times \bar{\mathcal {Y}})^l\), where \(\bar{\mathcal {Y}}=\mathcal {Y}\cup \{\bot \}\) and l is the length of D. For any \(x\in \mathcal {X}\), if (x, y) exists as an entry of D, then \((x,y)\in D\) and \(D(x)=y\). Otherwise, \(D(x)=\bot \). Denote by |D| the total number of \(x\in \mathcal {X}\) such that \(D(x)\ne \bot \). Then for any \(y\in \mathcal {Y}\) and any D such that \(D(x)=\bot \) and \(|D|<l\), define \(D\cup (x,y)\) to be the database with \(D\cup (x,y)(x')=D(x')\) for any \(x'\ne x\) and \(D\cup (x,y)(x)=y\). Moreover, any D is written in the form \(((x_1,y_1),\ldots ,(x_s,y_s),(0,\bot ),\ldots ,(0,\bot ))\) such that \(|D|=s\le l\) and \(x_1<x_2<\cdots <x_s\).
For any \(x\in \mathcal {X}\), define the local decompression procedure \(\textsf {StdDecomp}_x\) applied on the database state \(|D\rangle \in \mathbb {C}[\textbf{D}_l]\) as below:
- For D such that \(D(x)=\bot \) and \(|D|=l\), \(\textsf {StdDecomp}_x|D\rangle =|D\rangle \).
- For D such that \(D(x)=\bot \) and \(|D|<l\), \(\textsf {StdDecomp}_x|D\cup (x,\beta _r)\rangle =|D\cup (x,\beta _r)\rangle \) for any \(r\ne 0\), \(\textsf {StdDecomp}_x|D\cup (x,\beta _{0})\rangle =|D\rangle \), \(\textsf {StdDecomp}_x|D\rangle =|D\cup (x,\beta _{0})\rangle \),
where the state \(|D\cup (x,\beta _r)\rangle =1/\sqrt{2^n}\sum _{y\in \mathcal {Y}}(-1)^{y\cdot r}|D\cup (x,y)\rangle \) for any \(r\in \mathcal {Y}\).
\(\textsf {CStO}\) initializes a database state \(|(0,\bot )^q\rangle \) with length q. For any query \(|x,y\rangle \) to random oracle \(\mathcal {O}\), \(\textsf {CStO}\) does three steps: First, perform the unitary \(|x,y,D\rangle \mapsto |x,y\rangle \textsf {StdDecomp}_x|D\rangle \) in superposition. Next, apply the map \(|x,y,D\rangle \mapsto |x,y\oplus D(x),D\rangle \). Finally, repeat the first step.
Theorem 2
([29, Lemma 4]). \(\textsf {CStO} \) and random oracle \(\mathcal {O}\) are indistinguishable for any quantum algorithm A, i.e.,
It is also observed that, in the simulation of \(\textsf {CStO}\), any quantum state on the database register is orthogonal to states of the form \(|D\cup (x,\beta _{0})\rangle \). Therefore, the database state is a superposition of states \(|D\cup (x,\beta _{r})\rangle \) with \(r\ne 0\). This fact will be used later.
Semi-classical Oracle. For sets \(\mathcal {X}\) and \(\mathcal {S}\), define \(f_{\mathcal {S}}:{\mathcal {X}}\rightarrow \{0,1\}\) to be the indicator function such that \(f_{\mathcal {S}}(x)=1\) if \(x\in \mathcal {S}\) and 0 otherwise. Then we define the semi-classical oracle \(\mathcal {O}_{\mathcal {S}}^{SC}:\mathcal {X}\rightarrow \{0,1\}\). For any quantum query, \(\mathcal {O}_{\mathcal {S}}^{SC}\) does the following steps. First, initialize a qubit T to \(|0\rangle \). Then evaluate the mapping \(|x,0\rangle \mapsto |x,f_{\mathcal {S}}(x)\rangle \) in superposition. Finally, measure T in the computational basis and output the resulting bit \(b\in \{0,1\}\).
Theorem 3
(Semi-classical O2H [1, Theorem 1]). Let \(\mathcal {S}\) be a random subset of \(\mathcal {X}\), \(H: \mathcal {X} \rightarrow \mathcal {Y}\) a random function, z a random bitstring. And H,\(\mathcal {S}\),z may have arbitrary joint distribution. Let \({H\setminus \mathcal {S}}\) be an oracle that first queries \(\mathcal {O}_{\mathcal {S}}^{SC}\) and then queries H. Let A be a quantum oracle algorithm with query depth d. In the execution of \(A^{H\setminus \mathcal {S}}(z)\), let Find be the event that \(\mathcal {O}_{\mathcal {S}}^{SC}\) ever outputs 1. Then
The following theorem gives an upper bound for the probability that Find occurs.
Theorem 4
([1, Theorem 2]). Let \(\mathcal {S}\subseteq \mathcal {X}\) and \(z\in \{0,1\}^*\). And \(\mathcal {S},z\) may have arbitrary joint distribution. Let A be a quantum oracle algorithm making at most d queries to \(O_{\mathcal {S}}^{SC}\) with domain \(\mathcal {X}\). Let B be an algorithm that on input z, chooses \( i {\mathop {\leftarrow }\limits ^{\$}}\{1, \ldots , d\} \) , runs \( A^{\mathcal {O}_{\varnothing }^{SC}}(z) \) until (just before) the i-th query, and then measures all query input registers in the computational basis. Denote by \(\mathcal {T}\) the set of measurement outcomes. Then
3 Plaintext Extraction of the Oracle-Masked Scheme
In this section, we start with the formalization of the class of PKE \(\varPi \) named the oracle-masked scheme. Then we introduce the plaintext extraction game \(\text {Game}_{A,{\varPi }}^{\text {Ext}}\) for adversary A, and end this section with a theorem that bounds the difference of the output distributions of and \(\text {Game}_{A,\varPi }^{\text {Ext}}\). The definition of the IND-qCCA security game is given in Appendix B.2.
Definition 3 (Oracle-Masked Scheme)
Let \(\varPi =(\text {Gen},\text {Enc}^{\mathcal {O}},\text {Dec}^{\mathcal {O}})\) be a PKE relative to random oracle \(\mathcal {O}\) with codomain \(\mathcal {Y}\). We say that \(\varPi \) is an oracle-masked scheme if there exist deterministic polynomial-time algorithms \(\text {A}_1\), \(\text {A}_2\), \(\text {A}_3\), \(\text {A}_4\) such that for any (pk, sk) generated by \(\text {Gen}\), \(\text {Enc}^{\mathcal {O}}\) and \(\text {Dec}^{\mathcal {O}}\) can be written as in Fig. 2. The tuple \((\text {A}_1,\text {A}_2,\text {A}_3,\text {A}_4)\) is called the decomposition of \(\varPi \).
For an oracle-masked scheme \(\varPi \), parameter \(\eta \) of \(\varPi \) is defined to be
where (pk, sk) is generated by \(\text {Gen}\) and \(c\in \mathcal {C}\) is such that \(\text {A}_3(sk,c)\ne \bot \).
Let \(\varPi \) be an oracle-masked scheme. For quantum adversary A in the security game in the QROM, it can query random oracle \(\mathcal {O}\) and decryption oracle \(\text {Dec}^{\mathcal {O}}\) both in superposition. Write C and Z to denote the input and output register of the decryption query of A, respectively. The decryption oracle \(\text {Dec}^{\mathcal {O}}\) in can be simulated by a unitary operator \(\text {U}_{\text {Dec}}\) applied on register C and Z, i.e., for any computational basis state \(|c,z\rangle \), \(\text {U}_{\text {Dec}}\) acts as follows:
where \(c^*\) is the challenge ciphertext in .
Then we introduce a new game \(\text {Game}_{A,{\varPi }}^{\text {Sim}}\), that is identical with except that random oracle \(\mathcal {O}\) is simulated by \(\textsf {CStO}\). In this game, quantum queries to oracle \(\mathcal {O}\) are recorded in the database register D imperfectly. The decryption oracle answers queries in the same process as in Fig. 2 and it can be simulated by a unitary operator on register C, Z, D. We denote this operator by \(\text {U}_{\text {Sim}}\). Then by Theorem 2, \(\text {U}_{\text {Dec}}\) and \(\text {U}_{\text {Sim}}\), these two simulations of the decryption oracle are perfectly indistinguishable for any quantum adversary.
Notice that in the decryption algorithm \(\text {Dec}^{\mathcal {O}}\), \(\text {A}_3\) is computed first to obtain x and then \(\text {A}_2\) is applied to check whether \(c=\text {A}_2(pk,x,\mathcal {O}(x))\). Hence the query x to oracle \(\mathcal {O}\) is recorded in the database D imperfectly if the decryption oracle is simulated by \(\text {U}_{\text {Sim}}\). With this property, we design a new unitary to answer decryption queries, defined as follows.
Definition 4 (Plaintext Extraction Procedure)
Let \(\varPi \) be an oracle-masked scheme and \((\text {A}_1,\text {A}_2,\text {A}_3,\text {A}_4)\) be its decomposition. For any (pk, sk) of \(\varPi \), define unitary operation \(\text {U}_{\text {Ext}}\), as the plaintext extraction procedure of \(\varPi \), applied on register C, Z, D as follows.
\(\underline{\text {U}_{\text {Ext}}|c,z,D\rangle }:\)
1. If the challenge ciphertext \(c^*\) is defined and \(c=c^*\), return \(|c,z\oplus \bot ,D\rangle \).
2. Else if database D contains no pair (x, D(x)) such that \(\text {A}_2(pk,x,D(x))=c\), return \(|c,z\oplus \bot ,D\rangle \).
3. Else, for each tuple (x, D(x)) such that \(\text {A}_2(pk,x,D(x))=c\), check if \(\text {A}_3(sk,c)=x\) and do the following:
   (a) If a tuple (x, D(x)) passes this test, compute \(m:=\text {A}_4(x)\) and return \(|c,z\oplus m,D\rangle \).
   (b) Otherwise, return \(|c,z\oplus \bot ,D\rangle \).
In addition, the detailed construction of \(\text {U}_{\text {Ext}}\) is shown in Appendix A.
Compared with \(\text {U}_{\text {Sim}}\), \(\text {U}_{\text {Ext}}\) does not follow the decryption algorithm to produce the plaintext \(m(:=\text {Dec}^{\mathcal {O}}(sk,c))\), but just searches (x, D(x)) on D to obtain m. Therefore, we call \(\text {U}_{\text {Ext}}\) the plaintext extraction procedure.
By the definition of \(\text {U}_{\text {Ext}}\), for any computational basis state \(|c,z,D\rangle \), \(\text {U}_{\text {Ext}}\) has no effect on \(|D\rangle \) and does not need to query oracle \(\mathcal {O}\). Moreover, such a plaintext extraction procedure \(\text {U}_{\text {Ext}}\) exists for any oracle-masked scheme, and it can be used to answer quantum decryption queries. We then introduce two properties of \(\text {U}_{\text {Ext}}\) in the following two lemmas. Apart from registers C, Z and D, we abbreviate all other registers (e.g. the remaining registers of adversary A) as W; the detailed proofs of these lemmas are given in the full version [25].
Lemma 3
Let \(|\psi \rangle \) be a quantum state on register W, C, Z and D such that \(|\psi \rangle \) is orthogonal to any state in the form of \(\sum _{w,c,z,D,x}\alpha _{w,c,z,D,x}|w,c,z,D\cup (x,\beta _0)\rangle \). Then
Lemma 4
Given any \(x\in \{0,1\}^*\), unitary \(\textsf{StdDecomp}_{x}\) is performed on register D. For any quantum state \(|\psi \rangle \) on register W, C, Z and D,
Here we define a new game \(\text {Game}_{A,{\varPi }}^{\text {Ext}}\) named plaintext extraction game that differs from \(\text {Game}_{A,{\varPi }}^{\text {Sim}}\) in the way of answering decryption queries: In \(\text {Game}_{A,{\varPi }}^{\text {Ext}}\), the decryption oracle is simulated by unitary \(\text {U}_{\text {Ext}}\) while that in \(\text {Game}_{A,{\varPi }}^{\text {Sim}}\) is simulated by unitary \(\text {U}_{\text {Sim}}\). With Lemma 3, we obtain Theorem 5 as follows to bound the output difference of and \(\text {Game}_{A,\varPi }^{\text {Ext}}\).
Theorem 5
Let \(\varPi \) be an oracle-masked scheme. For any quantum adversary A against the security of \(\varPi \) in the QROM, if A makes at most q decryption queries, then
Proof
Given \(\varPi \) and A, recall that \(\text {Game}_{A,\varPi }^{\text {Sim}}\) is identical with except that the random oracle is simulated by \(\textsf {CStO}\). By Theorem 2,
In the following, we prove that
For any fixed (pk, sk), the decryption oracle in \(\text {Game}_{A,{\varPi }}^{\text {Sim}}\) and that in \(\text {Game}_{A,{\varPi }}^{\text {Ext}}\) are simulated by unitary \(\text {U}_{\text {Sim}}\) and \(\text {U}_{\text {Ext}}\), respectively.
For any \(i=1,\ldots ,q\), define \(\text {G}_i\) to be a game that is the same as \(\text {Game}_{A,\varPi }^{\text {Sim}}\) until just before the i-th decryption query of A, then simulates the decryption oracle with unitary \(\text {U}_{\text {Ext}}\) instead of \(\text {U}_{\text {Sim}}\). Then \(\text {G}_1\) is exactly \(\text {Game}_{A,\varPi }^{\text {Ext}}\). We also denote \(\text {Game}_{A,\varPi }^{\text {Sim}}\) by \(G_{q+1}\).
For \(i=1,\ldots ,q+1\), denote by \(\sigma _i\) the final joint state of the registers of \(G_i\) including the register of A and the database register. By the triangle inequality of the trace distance,
where \(\text {TD}(\rho ,\tau )\) is the trace distance of state \(\rho \) and \(\tau \).
Fix \(1\le i\le q\). Since game \(G_i\) and \(G_{i+1}\) only differ in the i-th decryption query, we denote by \(\rho \) the joint state of A and the database register just before the i-th decryption query. All the operations after the i-th decryption query can be represented by a trace-preserving operation, that is denoted by \(\mathcal {E}\). Then \(\sigma _i\) and \(\sigma _{i+1}\) can be represented by \(\sigma _i=\mathcal {E}(\text {U}_{\text {Sim}}\,\rho \text {U}_{\text {Sim}}^{\dagger })\) and \(\sigma _{i+1}=\mathcal {E}(\text {U}_{\text {Ext}}\,\rho \text {U}_{\text {Ext}}^{\dagger })\), respectively. And we have
Let \(\rho =\sum _jp_j|\psi _j\rangle \langle \psi _j|\) be a spectral decomposition of \(\rho \), where \(\sum _jp_j=1\). Then by the convexity of the trace distance,
Note that before the i-th decryption query, the decryption procedure is \(\text {U}_{\text {Sim}}\) and A can be considered as being in \(\text {Game}_{A,\varPi }^{\text {Sim}}\). Thus, any state \(|\psi _j\rangle \) in the spectral decomposition of \(\rho \) is in the form of the superposition state in Lemma 3. By Lemma 3, \(\Vert (\text {U}_{\text {Sim}}-\text {U}_{\text {Ext}})|\psi _j\rangle \Vert \le 5\sqrt{\eta }\). Then for every \(1\le i\le q\),
Thus, \(\text {TD}(\sigma _1,\sigma _{q+1})\le 5q\cdot \sqrt{\eta }\). Further, the output difference of \(\text {Game}_{A,{\varPi }}^{\text {Sim}}\) and \(\text {Game}_{A,{\varPi }}^{\text {Ext}}\) is upper bounded by the trace distance of \(\sigma _1\) and \(\sigma _{q+1}\), the states of these two games. This completes the proof. \(\square \)
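As an added worked derivation (not part of the paper's own text), the chain of inequalities behind this bound, carried through with the symbols introduced above for a fixed \(1\le i\le q\):
\[
\begin{aligned}
\text {TD}(\sigma _i,\sigma _{i+1})
&= \text {TD}\bigl (\mathcal {E}(\text {U}_{\text {Sim}}\,\rho \,\text {U}_{\text {Sim}}^{\dagger }),\ \mathcal {E}(\text {U}_{\text {Ext}}\,\rho \,\text {U}_{\text {Ext}}^{\dagger })\bigr ) \\
&\le \text {TD}\bigl (\text {U}_{\text {Sim}}\,\rho \,\text {U}_{\text {Sim}}^{\dagger },\ \text {U}_{\text {Ext}}\,\rho \,\text {U}_{\text {Ext}}^{\dagger }\bigr )
&&\text {(a trace-preserving physical operation }\mathcal {E}\text { cannot increase trace distance)} \\
&\le \sum _j p_j\,\text {TD}\bigl (\text {U}_{\text {Sim}}|\psi _j\rangle \langle \psi _j|\text {U}_{\text {Sim}}^{\dagger },\ \text {U}_{\text {Ext}}|\psi _j\rangle \langle \psi _j|\text {U}_{\text {Ext}}^{\dagger }\bigr )
&&\text {(convexity of the trace distance)} \\
&\le \sum _j p_j\,\bigl \Vert (\text {U}_{\text {Sim}}-\text {U}_{\text {Ext}})|\psi _j\rangle \bigr \Vert
&&\text {(for pure states, trace distance is at most the Euclidean distance of the vectors)} \\
&\le 5\sqrt{\eta }\,\sum _j p_j = 5\sqrt{\eta }
&&\text {(Lemma 3 and }\textstyle \sum _j p_j=1\text {)}
\end{aligned}
\]
Summing over \(i=1,\ldots ,q\) and applying the triangle inequality gives \(\text {TD}(\sigma _1,\sigma _{q+1})\le \sum _{i=1}^{q}\text {TD}(\sigma _i,\sigma _{i+1})\le 5q\sqrt{\eta }\).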
4 Application in the Quantum Security Proof
In this section, we apply Theorem 5 of oracle-masked schemes to provide the IND-qCCA security proof for transformation FO, REACT and \(\textsf{T}_{\textsf{CH}}\) in the QROM.
4.1 FO: From OW-CPA to IND-qCCA in the QROM
Let \({\varPi }^{asy}=(\text {Gen}^{asy},\text {Enc}^{asy},\text {Dec}^{asy})\) be a PKE with message space \(\mathcal {M}^{asy}\), randomness space \(\mathcal {R}^{asy}(=\{0,1\}^n)\) and ciphertext space \(\mathcal {C}^{asy}\). Let \({\varPi }^{sy}=(\text {Enc}^{sy},\text {Dec}^{sy})\) be a SKE with key space \(\mathcal {K}^{sy}\), message space \(\mathcal {M}^{sy}\) and ciphertext space \(\mathcal {C}^{sy}\). Let \(H:\{0,1\}^{*}\rightarrow \mathcal {R}^{asy}\) and \(G:\{0,1\}^{*}\rightarrow \mathcal {K}^{sy}\) be hash functions. We review the FO transformation in the following definition, and then provide its IND-qCCA security proof in the QROM.
Definition 5
\(\textsf{FO}[\varPi ^{asy},\varPi ^{sy},H,G]=(\text {Gen},\text {Enc},\text {Dec})\) obtained from the FO transformation is constructed as shown in Fig. 3.
Lemma 5
Assume that H is the random oracle and \(\varPi ^{asy}\) is \(\gamma \)-spread, then \(\textsf{FO}[\varPi ^{asy},\varPi ^{sy},H,G]\) is an oracle-masked scheme relative to H, and its parameter \(\eta \) is such that \(\eta \le 1/2^{\gamma }\).
Proof
We define deterministic polynomial-time algorithms \(\text {A}_1\), \(\text {A}_2\), \(\text {A}_3\) and \(\text {A}_4\):
- \(\text {A}_1\) on input \(\delta \) and m, evaluates \(k:=G(\delta )\) and \(d:=\text {Enc}^{sy}(k,m)\), then outputs \((\delta ,d)\).
- \(\text {A}_2\) takes pk, \((\delta ,d)\) and \(y\in \mathcal {R}^{asy}\) as input, computes \(c:=\text {Enc}^{asy}(pk,\delta ;y)\), then outputs (c, d).
- \(\text {A}_3\) takes sk and (c, d) as input, evaluates \(\delta :=\text {Dec}^{asy}(sk,c)\). If \(\delta \ne \bot \), output \((\delta ,d)\). Otherwise, output \(\bot \).
- \(\text {A}_4\) on input \((\delta ,d)\), computes \(k:=G(\delta )\) and \(m:=\text {Dec}^{sy}(k,d)\), outputs m.
It can be verified that with these four algorithms, the algorithms \(\text {Enc}\) and \(\text {Dec}\) given in Fig. 3 are written as \(\text {Enc}^{\mathcal {O}}\) and \(\text {Dec}^{\mathcal {O}}\) in Definition 3 with \(\mathcal {O}=H\), respectively. Thus, \(\textsf{FO}[\varPi ^{asy},\varPi ^{sy},H,G]\) is an oracle-masked scheme, and its parameter \(\eta \) is
where (pk, sk) and \(c\in \mathcal {C}^{asy}\) are such that \(\text {Dec}^{asy}(sk,c)\in \mathcal {M}^{asy}\).
Since \(\varPi ^{asy}\) is \(\gamma \)-spread, for any (pk, sk) and \(m\in \mathcal {M}^{asy}\),
Therefore, \(\eta \le 1/2^{\gamma }\). \(\square \)
Note that the above evaluation of function G can be replaced by querying an oracle that computes G. Then algorithm \(\text {A}_1\) and \(\text {A}_4\) become oracle algorithms denoted by \(\text {A}_1^G\) and \(\text {A}_4^G\), respectively. In this case, the notions in Definition 3 still work, and Theorem 5 holds. Then we apply Theorem 5 to prove the IND-qCCA security of oracle-masked scheme \(\textsf{FO}[\varPi ^{asy},\varPi ^{sy},H,G]\) in the QROM.
Theorem 6
Let \(\varPi ^{asy}\) be \(\gamma \)-spread. For any adversary A against the security of scheme \(\varPi =\textsf{FO}[\varPi ^{asy},\varPi ^{sy},H,G]\), making at most \(q_D\) queries to the decryption oracle, at most \(q_H\) queries to random oracle H and at most \(q_G\) queries to random oracle G, there exist an adversary \(A_{asy}\) against the security of \(\varPi ^{asy}\) and an adversary \(A_{sy}\) against the \(\text {OT}\) security of \(\varPi ^{sy}\) such that
where \(d=q_D+q_H+2q_G\), \(\text {Time}(A_{sy})\approx \text {Time}(A)+O\big (d^2+q_H\cdot q_D\cdot \text {Time}(\text {Enc}^{asy})\big )\) and \(\text {Time}(A_{asy})\approx \text {Time}(A_{sy})\).
Proof
Define Game 0 to be \(\text {Game}_{A,\varPi }^{\text {IND-qCCA}}\) as in Fig. 4. Then we obtain
In the following, we will introduce a sequence of games to bound \(\text {Adv}_{A,{\varPi }}^{\text {IND-qCCA}}\).
Starting from Game 1, random oracle H is simulated with \(\textsf {CStO}\) and its database register is denoted as D. This change is undetectable for A by Theorem 2. Moreover, \(\delta ^*\) is sampled uniformly at the beginning of the game, which is also undetectable for any adversary.
Game 1: In this game, the decryption oracle is simulated by the plaintext extraction procedure \(\text {U}_{\text {Ext}}\) of \(\varPi \). We refer to Appendix A for the detailed construction of \(\text {U}_{\text {Ext}}\) of \(\varPi \) without sk.
Omitting the \((c,d)=(c^*,d^*)\) case, \(\text {U}_{\text {Ext}}\) can also be rephrased as \(\text {U}_{\text {Ext}}=\text {U}_\text {E}^{\dagger }\circ \text {U}_\text {C}\circ \text {U}_\text {E}\), based on Lemma 5. Here unitary \(\text {U}_\text {E}\) is used to extract \((\delta ',d)\) corresponding to (c, d) from database and unitary \(\text {U}_\text {C}\) is used to compute plaintext \(m'\) from \((\delta ',d)\). And \(\text {U}_\text {E}\) acts as follows.
It is obvious that \({\textbf {Game 1}}\) is the plaintext extraction game \(\text {Game}_{A,{\varPi }}^{\text {Ext}}\). Then by Theorem 5, we obtain \(\bigl \vert \Pr [{\textbf {Game 0}}\rightarrow 1]-\Pr [{\textbf {Game 1}}\rightarrow 1]\bigr \vert \le 5q_D\cdot \sqrt{\eta }\) for any fixed \(G\in \varOmega _{G}\). Therefore,
where variable G, both in \({\textbf {Game 0}}\) and \({\textbf {Game 1}}\), is sampled from \(\varOmega _G\) uniformly.
\({\textbf {Game 2}}\): This game is identical with \({\textbf {Game 1}}\) except that the decryption oracle is simulated by the following steps after the challenge query.
1. Perform unitary \(\textsf {StdDecomp}_{(\delta ^*,d^*)}\) to register D.
2. Apply \(\text {U}_{\text {Ext}}\) on register C, Z and D.
3. Perform \(\textsf {StdDecomp}_{(\delta ^*,d^*)}\) to register D a second time.
We define unitary \(\text {SU}_{\text {Ext}}:=\textsf {StdDecomp}_{(\delta ^*,d^*)}\circ \text {U}_{\text {Ext}}\circ \textsf {StdDecomp}_{(\delta ^*,d^*)}\). If we flip the order of the last two steps of \(\text {SU}_{\text {Ext}}\), then \(\textsf {StdDecomp}_{(\delta ^*,d^*)}\circ \textsf {StdDecomp}_{(\delta ^*,d^*)}\) is an identity operator and in this way, \(\text {SU}_{\text {Ext}}\) performs identically as \(\text {U}_{\text {Ext}}\). Since Lemma 4 states that \(\text {U}_{\text {Ext}}\) commutes with \(\textsf {StdDecomp}_{(\delta ^*,d^*)}\) by a loss, we have
for any joint state \(\rho \) on registers in \({\textbf {Game 2}}\). At most \(q_D\) decryption queries are made after the challenge query, and then by the hybrid argument,
\({\textbf {Game 3}}\): Differing from \({\textbf {Game 2}}\), we change the way to answer random oracle queries in some cases: when random oracle H or G is queried by A or G is applied in the decryption process, we query E and then query the random oracle, where E is a constant zero function with quantum access.
Since E is a constant zero function, the random oracle query does not change after querying E, and we have
\({\textbf {Game 4}}\): The only difference between \({\textbf {Game 3}}\) and \({\textbf {Game 4}}\) is that the semi-classical oracle \(O^{SC}_{\mathcal {S}}\) is applied before each query to E, and set \(\mathcal {S}:=\{\delta ^*,\delta ^*\Vert \cdot \}\).
Let \(z:=\delta ^*\), and \(B^{E}(\delta ^*)\) be the algorithm that runs A and simulates \({\textbf {Game 3}}\). Then we have
It can be verified that B makes at most \(q_H+q_G+2q_D\) queries to E. We let \(d=q_H+q_G+2q_D\) and apply Theorem 3 to obtain
Notice that by \(\text {A}_4\) defined in Lemma 5, G is queried in the process of \(\text {U}_\text {C}\) when performing \(\text {U}_{\text {Ext}}\). Then oracle \(\mathcal {O}_{\mathcal {S}}^{SC}\) should be queried in the process of \(\text {U}_\text {C}\) in \({\textbf {Game 4}}\). We denote by \(\text {U}_\text {C}'\) the modified \(\text {U}_\text {C}\). Accordingly, before the challenge query, the decryption oracle in \({\textbf {Game 4}}\) is simulated by \(\text {U}_\text {E}\circ \text {U}_\text {C}'\circ \text {U}_\text {E}^{\dagger }\), that is denoted by \(\text {U}_{\text {Ext}}'\). After that, the decryption oracle is simulated by \(\textsf {StdDecomp}_{(\delta ^*,d^*)}\circ \text {U}'_{\text {Ext}}\circ \textsf {StdDecomp}_{(\delta ^*,d^*)}\), that is denoted by \(\text {SU}'_{\text {Ext}}\).
We assume that Find does not occur in \({\textbf {Game 4}}\). In this case, A never queries H by \((\delta ^*,d^*)\), and the database D is such that \(D(\delta ^*,d^*)=\bot \) until the challenge query. To produce the challenge ciphertext, \(r^*:=H(\delta ^*,d^*)\) is computed and then the joint state is in a superposition of \(\textsf {StdDecomp}_{(\delta ^*,d^*)}|w,D\cup ((\delta ^*,d^*),r^*)\rangle \), where w denotes the other registers of this game and \(D(\delta ^*,d^*)=\bot \). Then by the definition of \(\text {U}_{\text {E}}\), we can conclude that for any ciphertext \((c,d)\ne (c^*,d^*)\),
if and only if \(\text {U}_{\text {E}}|(c,d),z_1,D\rangle =|(c,d),z_1\oplus (b,x),D\rangle \).
Furthermore, observe that \(\textsf {StdDecomp}_{(\delta ^*,d^*)}\) commutes with \(\text {U}_{\text {C}}'\) of \(\text {U}_{\text {Ext}}'\). Then for any ciphertext \((c,d)\ne (c^*,d^*)\),
if and only if \(\text {U}_{\text {Ext}}'|(c,d),z,D\rangle =|(c,d),z\oplus m',D\rangle \). This means that the database state on \((\delta ^*,d^*)\) is not involved in the decryption process of \({\textbf {Game 4}}\). Therefore, if Find does not occur, the adversary never queries random oracle H on \((\delta ^*,d)\) or random oracle G on \(\delta ^*\). Meanwhile, A cannot obtain information on \(H(\delta ^*,d^*)\) by making decryption queries either. Therefore, producing the challenge ciphertext with uniformly chosen \(k^*\in \mathcal {K}^{sy}\) and \(r^*\in \mathcal {R}^{asy}\), which is the difference between \({\textbf {Game 4}}\) and \({\textbf {Game 5}}\), is undetectable for adversary A.
Game 5: In this game, we pick \(k^*\in \mathcal {K}^{sy}\) and \(r^*\in \mathcal {R}^{asy}\) uniformly and use them to produce the challenge ciphertext \((c^*,d^*)\). And we replace \(\text {SU}'_{\text {Ext}}\) with \(\text {U}'_{\text {Ext}}\).
As analyzed in \({\textbf {Game 4}}\), the view of A in \({\textbf {Game 4}}\) and that in \({\textbf {Game 5}}\) are identical until Find occurs. Therefore,
Lemma 6
There exists a quantum adversary \(A_{sy}\) invoking A such that
and \(\text {Time}(A_{sy})\approx \text {Time}(A)+O((q_H+q_G+2q_D)^2+q_H\cdot q_D\cdot \text {Time}\left( \text {Enc}^{asy})\right) \).
Proof
A quantum algorithm \(A_{sy}\) that runs A and breaks the one-time security of \({\varPi }^{sy}\) is constructed as follows.
\(A_{sy}\) generates \((pk,sk)\leftarrow \text {Gen}\), picks \(\delta ^*\xleftarrow {\$}\mathcal {M}^{asy}\) and simulates \({\textbf {Game 5}}\) for A. Random oracle G is simulated by a \(2(q_G+2q_D)\)-wise independent function, and the other oracles used in \({\textbf {Game 5}}\) can be implemented efficiently by \(A_{sy}\). For A’s challenge query \((m_0,m_1)\), \(A_{sy}\) sends it to the challenger in \(\text {Game}_{A_{sy},\varPi ^{sy}}^{\text {OT}}\). After receiving \(d^*\), \(A_{sy}\) picks \(r\in \mathcal {R}^{asy}\) uniformly, then computes \(c^*:=\text {Enc}^{asy}(pk,\delta ^*;r)\) and sends \((c^*,d^*)\) back to A. After receiving \(b'\) from A, \(A_{sy}\) outputs \(b'\).
From the construction of \(A_{sy}\), the output of \(A_{sy}\) is correct if and only if A guesses correctly. Moreover, the view of A invoked by \(A_{sy}\) is identical with that in \({\textbf {Game 5}}\). Therefore,
Denote by \(\text {T}_{\mathcal {O}}\) the time needed to simulate oracle \(\mathcal {O}\), then the running time of B is given by \(\text {Time}(B)=\text {Time}(A)+\text {T}_G+\text {T}_H+\text {Time}(\text {U}_{\text {Ext}})\), where \(\text {T}_G=O\left( (q_G+2q_D)^2\right) \), \(\text {T}_H=O(q_H^2)\), \(\text {Time}(\text {U}_{\text {Ext}})=O(q_D\cdot q_H\cdot \text {Time}(\text {Enc}^{asy}))\) by Appendix A.1. \(\square \)
Lemma 7
There is a quantum adversary \(A_{asy}\) invoking A such that
and \(\text {Time}(A_{asy})\approx \text {Time}(A)+O((q_H+q_G+2q_D)^2+q_H\cdot q_D\cdot \text {Time}\left( \text {Enc}^{asy})\right) \).
Proof
Define \(B^{\mathcal {O}_{\mathcal {S}}^{SC}}\) as a quantum oracle algorithm that on input pk, \(c^*\), runs A and simulates \({\textbf {Game 5}}\) for it. Then we have \(\Pr [\text {Find}:{\textbf {Game 5}}]=\Pr [\text {Find}:B^{\mathcal {O}_{\mathcal {S}}^{SC}}(pk,c^*)]\), where \(c^*\leftarrow \text {Enc}^{asy}(pk,\delta ^*)\), \(\delta ^*\) is sampled uniformly from \(\mathcal {M}^{asy}\). As analyzed in \({\textbf {Game 4}}\), B makes at most \(d=q_H+q_G+2q_D\) queries, then by Theorem 4,
Here D is a quantum algorithm invoking B. On input \((pk,c^*)\), D chooses \(i\xleftarrow {\$}\{1,\ldots ,d\}\), runs \(B^{\mathcal {O}_{\varnothing }^{SC}}(pk,c^*)\) until just before the i-th query of B, and then measures the state on the input register of \(\mathcal {O}_{\varnothing }^{SC}\) to obtain \((\delta ,d)\). Note that the running time of D and that of B are almost the same.
Because \(\mathcal {S}=\{\delta ^*,\delta ^*\Vert \cdot \}\), \((\delta ,d)\in \mathcal {S}\) is equivalent to \(\delta =\delta ^*\). Then D can be considered as a quantum algorithm \(A_{asy}\) that breaks the OW-CPA security of \({\varPi }^{asy}\). Therefore,
The running time of B is \(\text {Time}(B)=\text {Time}(A)+\text {T}_G+\text {T}_H+\text {Time}(\text {U}_{\text {Ext}})\), where \(\text {T}_G=O\left( (q_G+2q_D)^2\right) \), \(\text {T}_H=O(q_H^2)\), \(\text {Time}(\text {U}_{\text {Ext}})=O(q_D\cdot q_H\cdot \text {Time}(\text {Enc}^{asy}))\).
\(\square \)
Summarizing Eq. (1) to (9), we have
\(\square \)
Furthermore, compared with Zhandry’s proof for FO transformation, we notice that the plaintext extraction procedure in this proof acts the same as the decryption procedure defined in Hybrid 4 in his proof on input (c, d) such that \(c\ne c^*\). With Theorem 5, we can prove that any polynomial time quantum adversary distinguishes Hybrid 1 from Hybrid 4 with a negligible probability. On the other hand, by Eq. (2), it seems unnecessary to restrict that the decryption oracle outputs \(\bot \) directly for query (c, d) such that \(c=c^*\).
4.2 REACT: From OW-qPCA to IND-qCCA in the QROM
Let \({\varPi }^{asy}=(\text {Gen}^{asy},\text {Enc}^{asy},\text {Dec}^{asy})\) be a PKE with key space \(\mathcal {K}^{asy}\), message space \(\mathcal {M}^{asy}\), randomness space \(\mathcal {R}^{asy}\) and ciphertext space \(\mathcal {C}^{asy}\). Let \({\varPi }^{sy}=(\text {Enc}^{sy},\text {Dec}^{sy})\) be a SKE with message space \(\mathcal {M}^{sy}\), ciphertext space \(\mathcal {C}^{sy}\), key space \(\mathcal {K}^{sy}\). Let \(H:\{0,1\}^*\rightarrow \{0,1\}^{n}\) and \(G:\{0,1\}^*\rightarrow \mathcal {R}^{sy}\) be hash functions. We recall the REACT transformation in the following definition, and then provide its IND-qCCA security proof.
Definition 6
\(\textsf{REACT}[\varPi ^{asy},\varPi ^{sy},H,G]=(\text {Gen},\text {Enc},\text {Dec})\) obtained from the REACT transformation is constructed as in Fig. 5.
Lemma 8
Let H be the random oracle, then \(\textsf{REACT}[\varPi ^{asy},\varPi ^{sy},H,G]\) is an oracle-masked scheme relative to H, and its parameter \(\eta \) is \(1/2^n\).
Proof
We define deterministic polynomial-time algorithms \(\text {A}_1\), \(\text {A}_2\), \(\text {A}_3\) and \(\text {A}_4\):
- \(\text {A}_1\) takes pk, (R, r) and m as input, evaluates \(c_1:=\text {Enc}^{asy}(pk,R;r)\), \(k:=G(R)\), \(c_2:=\text {Enc}^{sy}(k,m)\), and then outputs \((R,m,c_1,c_2)\).
- \(\text {A}_2\) on input \((R,m,c_1,c_2)\) and \(y\in \{0,1\}^n\), lets \(c_3:=y\) and outputs \((c_1,c_2,c_3)\).
- \(\text {A}_3\) takes sk and \((c_1,c_2,c_3)\) as input, computes \(R:=\text {Dec}^{asy}(sk,c_1)\). If \(R=\bot \), output \(\bot \). Else, compute \(k:=G(R)\) and \(m:=\text {Dec}^{sy}(k,c_2)\). If \(m=\bot \), output \(\bot \). Otherwise, output \((R,m,c_1,c_2)\).
- \(\text {A}_4\) on input \((R,m,c_1,c_2)\), outputs m directly.
We can verify that with the four algorithms defined above, the algorithms \(\text {Enc}\) and \(\text {Dec}\) given in Fig. 5 are written as \(\text {Enc}^{\mathcal {O}}\) and \(\text {Dec}^{\mathcal {O}}\) in Definition 3 with \(\mathcal {O}=H\). Thus \(\varPi \) is an oracle-masked scheme, and its \(\eta \) is
where (pk, sk) is generated by \(\text {Gen}\), \((c_1,c_2,c_3)\in \mathcal {C}^{asy}\times \mathcal {C}^{sy}\times \{0,1\}^n\) is such that \(\text {A}_3(sk,(c_1,c_2,c_3))\ne \bot \). \(\square \)
Theorem 7
For any adversary A against the security of \(\varPi =\textsf{REACT}[\varPi ^{asy},\varPi ^{sy},H,G]\) in the QROM, making at most \(q_D\) queries to the decryption oracle, at most \(q_G\) queries to random oracle G and at most \(q_H\) queries to random oracle H, there exist an adversary \(A_{asy}\) against the security of \(\varPi ^{asy}\) and an adversary \(A_{sy}\) against the \(\text {OT}\) security of \(\varPi ^{sy}\) such that
where \(d=q_H+q_G+2q_H\cdot q_D\), \(\text {Time}(A_{sy})\approx \text {Time}(A_{asy})\approx \text {Time}(A)+O(d^2).\)
The IND-qCCA security proof of REACT transformation essentially follows the proof outline for FO transformation, which is presented in the proof of Theorem 6. Thus, we present the proof of Theorem 7 in the full version [25].
4.3 \(\textsf{T}_{\textsf{CH}}\): From OW-qPCA to IND-qCCA in the QROM
Transformation \(\textsf{T}_{\textsf{CH}}\) transforms an OW-PCA secure PKE into a q-IND-CCA (see Note 2) secure KEM in the quantum random oracle model [16].
Let \({\varPi }^{asy}=(\text {Gen}^{asy},\text {Enc}^{asy},\text {Dec}^{asy})\) be a PKE with message space \(\mathcal {M}^{asy}\). Let \(H,G:\{0,1\}^*\rightarrow \{0,1\}^{n}\) be hash functions. We then introduce \(\textsf{T}_{\textsf{CH}}\) and a new transformation \(\widetilde{\textsf{T}}\) to prove the IND-qCCA security of \(\textsf{T}_{\textsf{CH}}\).
Definition 7
PKE \(\widetilde{\textsf{T}}[\varPi ^{asy},H]=(\text {Gen},\text {Enc},\text {Dec})\) and KEM \(\textsf{T}_{\textsf{CH}}[\varPi ^{asy},H,G]=(\text {Gen},\text {Encaps},\text {Decaps})\) are as shown in Fig. 6, respectively. In particular, \(\textsf{T}_{\textsf{CH}}\) is the composition of transformation \(\widetilde{\textsf{T}}\) and the modular \(\text {FO}\) transformation \(\textsf{U}_m^{\bot }\), i.e., \(\textsf{T}_{\textsf{CH}}[\varPi ^{asy},H,G]=\textsf{U}_{m}^{\bot }[\widetilde{\textsf{T}}[\varPi ^{asy},H],G]\).
Lemma 9
\(\widetilde{\textsf{T}}[\varPi ^{asy},H]\) is an oracle-masked scheme relative to random oracle H, and its parameter \(\eta \) is \(1/{2^n}\).
Proof
Tuple \((\text {A}_1, \text {A}_2, \text {A}_3, \text {A}_4)\), as the decomposition of scheme \(\widetilde{\textsf{T}}[\varPi ^{asy},H]\), is defined as follows.
- \(\text {A}_1\) takes pk, m and r as input, computes \(c_1:=\text {Enc}^{asy}(pk,m;r)\), then outputs \((m,c_1)\).
- \(\text {A}_2\) takes \((m,c_1)\) and \(c_2\in \{0,1\}^n\) as input, then outputs \((c_1,c_2)\).
- \(\text {A}_3\) takes \((c_1,c_2)\) as input, evaluates \(m:=\text {Dec}^{asy}(sk,c_1)\). If \(m=\bot \), output \(\bot \). Otherwise, output \((m,c_1)\).
- \(\text {A}_4\) on input \((m,c_1)\), outputs m.
Then its parameter \(\eta \) is calculated by
where (pk, sk) and \((c_1,c_2)\in \mathcal {C}^{asy}\times \{0,1\}^n\) are such that \(\text {A}_3(sk,(c_1,c_2))\ne \bot \). \(\square \)
Theorem 8
If \(\varPi ^{asy}\) is \(\delta \)-correct, for any adversary A against the security of \(\varPi =\textsf{T}_{\textsf{CH}}[\varPi ^{asy},H,G]\) in the QROM, making at most \(q_D\) queries to decapsulation oracle Decaps, at most \(q_H\) queries to random oracle H and at most \(q_G\) queries to random oracle G, there exists an adversary \(A_{asy}\) against the security of \(\varPi ^{asy}\) such that
where \(d=q_D+q_H+q_G\), \(\text {Time}(A_{asy})\approx \text {Time}(A)+O\left( d^2\right) \).
Proof
Game 0: This game is exactly \(\text {Game}_{A,\varPi }^{\text {IND-qCCA}}\), that is given in Fig. 7. Then we have
Starting from \({\textbf {Game 1}}\), random oracle H is simulated with \(\textsf {CStO}\) and its database register is denoted by D.
\({\textbf {Game 1}}\): In this game, we replace decapsulation oracle Decaps with oracle \(\text {Decaps}_1\). \(\text {Decaps}_1\) replies quantum query \(|(c_1,c_2),z\rangle \) in three steps:
1. Perform the plaintext extraction procedure \(\text {U}_{\text {Ext}}\) of \(\widetilde{\textsf{T}}[\varPi ^{asy},H]\) to obtain m.
2. If \(m=\bot \), return \(|(c_1,c_2),z\oplus \bot \rangle \). Otherwise, return \(|(c_1,c_2),z\oplus G(m)\rangle \).
3. Perform \(\text {U}_{\text {Ext}}\) a second time to uncompute m.
Note that the construction of \(\text {U}_{\text {Ext}}\) of \(\widetilde{\textsf{T}}[\varPi ^{asy},H]\) is presented in Appendix A. We can then construct \(\text {Decaps}_1\) by invoking the plaintext checking oracle \(\text {PCO}\) instead of using sk directly.
Answering \(q_D\) decapsulation queries with \(\text {Decaps}_1\) requires performing the plaintext extraction procedure \(2q_D\) times. By applying Theorem 5,
\({\textbf {Game 2}}\): In this game, we replace oracle \(\text {Decaps}_1\) with \(\text {Decaps}_2\). \(\text {Decaps}_2\) differs from \(\text {Decaps}_1\) only after the challenge query: \(\text {Decaps}_2\) performs \(\textsf {StdDecomp}_{(m^*,c_1^*)}\) on register D before and after applying \(\text {Decaps}_1\).
To consider the commutativity of \(\textsf {StdDecomp}_{(m^*,c_1^*)}\) and \(\text {Decaps}_1\), note that the second step of \(\text {Decaps}_1\) commutes with \(\textsf {StdDecomp}_{(m^*,c_1^*)}\). Then by Lemma 4, the first and last step commute with \(\textsf {StdDecomp}_{(m^*,c_1^*)}\) by a loss. Therefore,
\({\textbf {Game 3}}\): In this game, we change the process of answering random oracle queries: when random oracles are queried in the execution of A, we query a constant zero function E and then query these random oracles. Then we have
\({\textbf {Game 4}}\): In this game, the only change is that the semi-classical oracle \(\mathcal {O}^{SC}_{\mathcal {S}}\) is applied before querying E, where set \(\mathcal {S}=\{m^*,m^*\Vert \cdot \}\).
E is queried at most \(q_D+q_H+q_G\) times. We let \(d=q_D+q_H+q_G\), and apply Theorem 3 to obtain
Game 5: In this game, we pick \(c_2^*\in \{0,1\}^n\) and \(K_0^*\in \{0,1\}^n\) uniformly to produce \((c_1^*,c_2^*)\) and \(K^*\). And we replace \(\text {Decaps}_2\) with \(\text {Decaps}_1\).
By an analysis similar to that in the proof of Theorem 6, the process of oracle \(\text {Decaps}_2\) in Game 4 does not disturb the database state on \((m^*,c_1^*)\) if Find does not occur. Moreover, Game 4 and Game 5 are indistinguishable for adversary A until Find occurs. Thus,
Furthermore,
where adversary \(A_{asy}\) invokes A and breaks the security of \(\varPi ^{asy}\). The running time of \(A_{asy}\) is \(\text {Time}(A_{asy})\approx \text {Time}(A)+O\left( d^2\right) \).
Game 6: In this game, \(\mathcal {O}^{SC}_{\mathcal {S}}\) is removed from the process of E.
The output difference of Game 5 and Game 6 is bounded by Theorem 3. And in Game 6, \(K_0^*\) and \(K_1^*\) are both chosen from \(\{0,1\}^n\) uniformly, which means that Game 6 outputs 1 with probability 1/2.
Summarizing the above arguments, we obtain
\(\square \)
Notes
1. Such a tuple is unique, since c and sk determine the value of \(\text {A}_3(sk,c)\).
2. Here q is a constant and indicates q classical decryption queries.
References
Ambainis, A., Hamburg, M., Unruh, D.: Quantum security proofs using semi-classical oracles. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11693, pp. 269–295. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26951-7_10
Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Proceedings of the 1st ACM Conference on Computer and Communications Security, pp. 62–73 (1993). https://doi.org/10.1145/168588.168596
Bindel, N., Hamburg, M., Hövelmanns, K., Hülsing, A., Persichetti, E.: Tighter proofs of CCA security in the quantum random oracle model. In: Hofheinz, D., Rosen, A. (eds.) TCC 2019. LNCS, vol. 11892, pp. 61–90. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-36033-7_3
Boneh, D., Dagdelen, Ö., Fischlin, M., Lehmann, A., Schaffner, C., Zhandry, M.: Random oracles in a quantum world. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 41–69. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_3
Boneh, D., Zhandry, M.: Secure signatures and chosen ciphertext security in a quantum computing world. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8043, pp. 361–379. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_21
Chiesa, A., Manohar, P., Spooner, N.: Succinct arguments in the quantum random oracle model. In: Hofheinz, D., Rosen, A. (eds.) TCC 2019. LNCS, vol. 11892, pp. 1–29. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-36033-7_1
Chung, K.-M., Fehr, S., Huang, Y.-H., Liao, T.-N.: On the compressed-oracle technique, and post-quantum security of proofs of sequential work. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021. LNCS, vol. 12697, pp. 598–629. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77886-6_21
Coron, J.S., Handschuh, H., Joye, M., Paillier, P., Pointcheval, D., Tymen, C.: GEM: a generic chosen-ciphertext secure encryption method. In: Preneel, B. (ed.) CT-RSA 2002. LNCS, vol. 2271, pp. 263–276. Springer, Berlin (2002). https://doi.org/10.1007/3-540-45760-7_18
Cramer, R., Shoup, V.: Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM J. Comput. 33(1), 167–226 (2003). https://doi.org/10.1137/S0097539702403773
Don, J., Fehr, S., Majenz, C., Schaffner, C.: Online-extractability in the quantum random-oracle model. In: Dunkelman, O., Dziembowski, S. (eds.) EUROCRYPT 2022. LNCS, vol. 13277, pp. 677–706. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-07082-2_24
Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 537–554. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_34
Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. J. Cryptol. 26(1), 80–101 (2011). https://doi.org/10.1007/s00145-011-9114-1
Gagliardoni, T., Hülsing, A., Schaffner, C.: Semantic security and indistinguishability in the quantum world. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9816, pp. 60–89. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53015-3_3
Hofheinz, D., Hövelmanns, K., Kiltz, E.: A modular analysis of the Fujisaki-Okamoto transformation. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017. LNCS, vol. 10677, pp. 341–371. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70500-2_12
Hövelmanns, K., Hülsing, A., Majenz, C.: Failing gracefully: decryption failures and the Fujisaki-Okamoto transform. In: Agrawal, S., Lin, D. (eds.) ASIACRYPT 2022. LNCS, vol. 13794, pp. 414–443. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-22972-5_15
Huguenin-Dumittan, L., Vaudenay, S.: On IND-qCCA security in the ROM and its applications: CPA security is sufficient for TLS 1.3. In: Dunkelman, O., Dziembowski, S. (eds.) EUROCRYPT 2022. LNCS, vol. 13277, pp. 613–642. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-07082-2_22
Jiang, H., Zhang, Z., Chen, L., Wang, H., Ma, Z.: IND-CCA-Secure key encapsulation mechanism in the quantum random oracle model, revisited. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10993, pp. 96–125. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96878-0_4
Jiang, H., Zhang, Z., Ma, Z.: Key encapsulation mechanism with explicit rejection in the quantum random oracle model. In: Lin, D., Sako, K. (eds.) PKC 2019. LNCS, vol. 11443, pp. 618–645. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17259-6_21
Jiang, H., Zhang, Z., Ma, Z.: Tighter security proofs for generic key encapsulation mechanism in the quantum random oracle model. In: Ding, J., Steinwandt, R. (eds.) PQCrypto 2019. LNCS, vol. 11505, pp. 227–248. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-25510-7_13
Kuchta, V., Sakzad, A., Stehlé, D., Steinfeld, R., Sun, S.-F.: Measure-rewind-measure: tighter quantum random oracle model proofs for one-way to hiding and CCA security. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12107, pp. 703–728. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45727-3_24
Liu, X., Wang, M.: QCCA-secure generic key encapsulation mechanism with tighter security in the quantum random oracle model. In: Garay, J.A. (ed.) PKC 2021. LNCS, vol. 12710, pp. 3–26. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-75245-3_1
Nielsen, M.A., Chuang, I.: Quantum computation and quantum information (2002)
Okamoto, T., Pointcheval, D.: REACT: rapid enhanced-security asymmetric cryptosystem transform. In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 159–174. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-45353-9_13
Saito, T., Xagawa, K., Yamakawa, T.: Tightly-secure key-encapsulation mechanism in the quantum random oracle model. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10822, pp. 520–551. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78372-7_17
Shan, T., Ge, J., Xue, R.: QCCA-secure generic transformations in the quantum random oracle model. IACR Cryptology ePrint Archive, p. 1235 (2022). https://eprint.iacr.org/2022/1235
Targhi, E.E., Unruh, D.: Post-quantum security of the Fujisaki-Okamoto and OAEP transforms. In: Hirt, M., Smith, A. (eds.) TCC 2016. LNCS, vol. 9986, pp. 192–216. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53644-5_8
Xagawa, K., Yamakawa, T.: (Tightly) QCCA-secure key-encapsulation mechanism in the quantum random oracle model. In: Ding, J., Steinwandt, R. (eds.) PQCrypto 2019. LNCS, vol. 11505, pp. 249–268. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-25510-7_14
Zhandry, M.: Secure identity-based encryption in the quantum random oracle model. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 758–775. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_44
Zhandry, M.: How to record quantum queries, and applications to quantum indifferentiability. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11693, pp. 239–268. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26951-7_9
Acknowledgments
We thank the anonymous reviewers of PKC 2023, and Shujiao Cao for their insightful comments and suggestions. This work is supported by National Natural Science Foundation of China (Grants No. 62172405).
Appendices
A The Construction of \(\text {U}_{\text {Ext}}\)
To implement \(\text {U}_{\text {Ext}}\), we first give some notations, then introduce algorithm \(\textbf{Extract}\), as a primitive of \(\text {U}_{\text {Ext}}\), and finally present the construction of \(\text {U}_{\text {Ext}}\).
As shown in Definition 4, \(\mathcal {O}\) is simulated by \(\textsf {CStO}\), and we introduce two definitions related to database D: For any \(c\in \mathcal {C}\), a completion of c in D is defined to be a pair \((x,y)\in D\) such that \(\text {A}_2(pk,x,y)=c\) and \(\text {A}_3(sk,c)=x\). Define \(D_c\) to be the subset of D such that \(\text {A}_2(pk,x,y)=c\) for any (x, y) in \(D_c\). Then any completion of c in set D is necessarily in set \(D_c\). Note that D contains at most one completion of c, since c determines \(\text {A}_3(sk,c)\).
Define relation \(\mathcal {R}_1(pk,sk)\) and \(\mathcal {R}_2(pk,sk)\) for any (pk, sk) of \(\varPi \) as below.
where \(\mathcal {X}\) is the output space of algorithm \(\text {A}_1\). And we give the definition of the verification oracle \(\textbf{V}(pk,sk,\cdot ,\cdot )\) of \(\varPi \). \(\textbf{V}(pk,sk,\cdot ,\cdot )\) takes input \((x,c)\in \mathcal {X}\times \mathcal {C}\) and outputs a bit \(b\in \{0,1\}\). For any \((x,c)\in \mathcal {R}_1(pk,sk)\), \(\textbf{V}(pk,sk,x,c)=1\) if and only if \((x,c)\in \mathcal {R}_2(pk,sk)\).
Next, we define a classical algorithm \(\textbf{Extract}\). \(\textbf{Extract}\) takes pk, sk, c and D as input and looks for a completion of c in D. If a completion \((x,y)\in D\) is found, \(\textbf{Extract}\) outputs (1, x). Otherwise, it outputs (0, 0).
We then give a construction of \(\textbf{Extract}\) relative to the oracle \(\textbf{V}\). On input c and D, \(\textbf{Extract}\) finds a completion in two steps: For each pair (x, y) in D, it computes \(c'=\text {A}_2(pk,x,y)\) and compares \(c'\) with c for equality to check whether \((x,y)\in D_c\). Then, to extract a completion from \(D_{c}\), it invokes \(\textbf{V}\) and computes \(\textbf{V}(pk,sk,x,c)\) for each pair \((x,y)\in D_{c}\). If a pair \((x,y)\in D_c\) exists such that \(\textbf{V}(pk,sk,x,c)=1\), \(\textbf{Extract}\) outputs (1, x). Otherwise, it outputs (0, 0).
We now construct \(\text {U}_{\text {Ext}}\) from \(\textbf{Extract}\), starting with the case in which the challenge query has not yet happened.
1. Evaluate \((b,x)=\textbf{Extract}(pk,sk,c,D)\) in superposition and xor the output into a newly created register.
2. Apply the following conditional procedures in superposition:
   - Conditioned on \(b=0\), evaluate the map \(|c,z,D,b,x\rangle \mapsto |c,z\oplus \bot ,D,b,x\rangle \).
   - Conditioned on \(b=1\), evaluate the map \(|c,z,D,b,x\rangle \mapsto |c,z\oplus \text {A}_4(x),D,b,x\rangle \).
3. Uncompute (b, x) by evaluating \(\textbf{Extract}(pk,sk,c,D)\) in superposition again. Then discard the new register.
After the challenge query, the challenge ciphertext \(c^*\) is produced and \(\text {U}_{\text {Ext}}\) is implemented below.
1. Apply the following conditional procedures in superposition:
   - Conditioned on \(c=c^*\), evaluate the map \(|c,z,D\rangle \mapsto |c,z\oplus \bot ,D\rangle \).
   - Conditioned on \(c\ne c^*\), apply the procedure for the case in which \(c^*\) is undefined.
In addition, the running time of \(\text {U}_{\text {Ext}}\) is upper bounded as follows. Denote the length of the database by l. For each database D, \(|D|\le l\), and \(\textbf{Extract}\) invokes \(\text {A}_2\) and \(\textbf{V}\) at most l times each during its execution. Thus \(O(l\cdot \text {Time}(\text {A}_2)+l\cdot \text {Time}(\textbf{V}))\) is an upper bound on the running time of \(\text {U}_{\text {Ext}}\).
We now give the respective constructions of \(\text {U}_{\text {Ext}}\) for \(\textsf{FO}[\varPi ^{asy},\varPi ^{sy},H,G]\), \(\textsf{REACT}[\varPi ^{asy},\varPi ^{sy},H,G]\) and \(\widetilde{\textsf{T}}[\varPi ^{asy},H]\). Since an implementation of \(\textbf{V}\) is sufficient to determine the construction of \(\text {U}_{\text {Ext}}\) for an oracle-masked scheme \(\varPi \), we only give constructions of the verification oracle \(\textbf{V}\) for these three schemes.
A.1 The Construction of \(\text {U}_{\text {Ext}}\) for FO
For the scheme \(\varPi =\textsf{FO}[\varPi ^{asy},\varPi ^{sy},H,G]\), we first present the relations \(\mathcal {R}_1(pk,sk)\) and \(\mathcal {R}_2(pk,sk)\) to determine the input form of the verification oracle \(\textbf{V}\), then give an implementation of \(\textbf{V}\).
By Lemma 5, the relations \(\mathcal {R}_1(pk,sk)\) and \(\mathcal {R}_2(pk,sk)\) are subsets of \(\mathcal {M}^{asy}\times \mathcal {C}^{sy}\times \mathcal {C}^{asy}\times \mathcal {C}^{sy}\) for any (pk, sk) of \(\varPi \). A tuple \((\delta ,d_1,c,d_2)\) is in \(\mathcal {R}_1(pk,sk)\) if \(d_1=d_2\) and there exists \(r\in \mathcal {R}^{asy}\) such that \(c:=\text {Enc}^{asy}(pk,\delta ;r)\). A tuple \((\delta ,d_1,c,d_2)\) is in \(\mathcal {R}_2(pk,sk)\) if \(d_1=d_2\) and \(\text {Dec}^{asy}(sk,c)=\delta \).
Further, tuple \((\delta ,d_1,c,d_2)\in \mathcal {R}_1(pk,sk)\) also satisfies \(\text {Dec}^{asy}(sk,c)=\delta \) by the correctness of \(\varPi ^{asy}\), and thus \((\delta ,d_1,c,d_2)\in \mathcal {R}_2(pk,sk)\). Then \(\mathcal {R}_1(pk,sk)\) is a subset of \(\mathcal {R}_2(pk,sk)\). By similar arguments, we also conclude that \((\delta ,d_1,c,d_2)\notin \mathcal {R}_1(pk,sk)\) implies \((\delta ,d_1,c,d_2)\notin \mathcal {R}_2(pk,sk)\) for any (pk, sk). Thus for any (pk, sk) of \(\varPi \), \(\mathcal {R}_1(pk,sk)=\mathcal {R}_2(pk,sk)\) and
By the definition of the verification oracle, \(\textbf{V}\) for \(\varPi \) can be simply simulated by an algorithm that takes as input tuple \((\delta ,d_1,c,d_2)\) and trivially outputs 1. Moreover, notice that sk is not used in the construction of \(\text {U}_{\text {Ext}}\) except for the verification oracle. Therefore, \(\text {U}_{\text {Ext}}\) for \(\varPi \) can be implemented without sk.
Finally, the running time of \(\text {U}_{\text {Ext}}\) is given by \(O(l\cdot \text {Time}(\text {Enc}^{asy}))\).
A.2 The Construction of \(\text {U}_{\text {Ext}}\) for REACT
For the scheme \(\varPi =\textsf{REACT}[\varPi ^{asy},\varPi ^{sy},H,G]\), we only give an implementation of the oracle \(\textbf{V}\) here.
By Lemma 8, \(\mathcal {R}_1(pk,sk)\) and \(\mathcal {R}_2(pk,sk)\) are subsets of \(\mathcal {M}^{asy}\times \mathcal {M}^{sy}\times \mathcal {C}^{asy}\times \mathcal {C}^{sy}\times \mathcal {C}^{asy}\times \mathcal {C}^{sy}\times \{0,1\}^n\) for any (pk, sk). A tuple \((R,m,c_1,c_2,c_1',c_2',c_3')\) is in \(\mathcal {R}_1(pk,sk)\) if \(c_1=c_1'\) and \(c_2=c_2'\). The same tuple is in \(\mathcal {R}_2(pk,sk)\) if \(R=\text {Dec}^{asy}(sk,c_1')\), \(m=\text {Dec}^{sy}(G(R),c_2')\), \(c_1=c_1'\) and \(c_2=c_2'\). Thus, we have \(\mathcal {R}_1(pk,sk)=\{(R,m,c_1,c_2,c_1,c_2,c_3):R\in \mathcal {M}^{asy},m\in \mathcal {M}^{sy},c_1\in \mathcal {C}^{asy},c_2\in \mathcal {C}^{sy},c_3\in \{0,1\}^n\} \) and \(\mathcal {R}_2(pk,sk)=\{(R,m,c_1,c_2,c_1,c_2,c_3):c_1\in \mathcal {C}^{asy},c_2\in \mathcal {C}^{sy},c_3\in \{0,1\}^n,R=\text {Dec}^{asy}(sk,c_1),m=\text {Dec}^{sy}(G(R),c_2)\}\). Then we take the input form of \(\textbf{V}\) to be \((R,m,c_1,c_2,c_1,c_2,c_3)\), according to \(\mathcal {R}_1(pk,sk)\) of \(\varPi \).
We present an algorithm \(\textbf{V}_{\text {Sim}}\) relative to the plaintext checking oracle \(\text {PCO}\). \(\textbf{V}_{\text {Sim}}\) takes as input a tuple \((R,m,c_1,c_2,c_1,c_2,c_3)\). It first invokes \(\text {PCO}\) and obtains \(b:=\text {PCO}(R,c_1)\). If \(b=0\), \(\textbf{V}_{\text {Sim}}\) outputs 0. Otherwise, it computes \(m':=\text {Dec}^{sy}(G(R),c_2)\). If \(m\ne m'\), it outputs 0; else, it outputs 1. Then, by the definition of \(\text {PCO}\) in Appendix B.2, it is easily verified that \(\textbf{V}\) can be simulated by \(\textbf{V}_{\text {Sim}}\). In this way, \(\text {U}_{\text {Ext}}\) for \(\varPi \) is implemented by invoking \(\text {PCO}\) instead of using sk directly. Moreover, the running time of \(\text {U}_{\text {Ext}}\) is O(l).
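To make the two-step search of \(\textbf{Extract}\) and the verification oracles of A.1 and A.2 concrete, here is an added Python example that is not part of the paper. Every primitive in it (h, enc_asy, dec_asy, e_sy/d_sy, G, pco) is a constructed toy stand-in with no security, chosen only so that the search over a recorded-query database D and the oracle calls can actually be run; the key observation it exercises is that extract() receives pk only, and sk is reachable solely through the plaintext-checking oracle.

```python
# Added example, not from the paper: the classical Extract search of Appendix A over
# a recorded-query database D, with the FO verification oracle (A.1, always 1) and the
# REACT V_Sim built from a plaintext-checking oracle (A.2). Every primitive is a
# constructed toy with no security; it only stands in for A_2, Enc^asy, E/D, G and PCO.
import hashlib

def h(*parts):                               # constructed hash, 16 hex chars
    return hashlib.sha256("|".join(parts).encode()).hexdigest()[:16]
def xor_hex(a, b):                           # 64-bit values as 16-hex-char strings
    return format(int(a, 16) ^ int(b, 16), "016x")
SK = "toy-trapdoor"                          # constructed key pair; extract() never sees SK
PK = h("pk", SK)
def enc_asy(pk, delta, r):                   # constructed Enc^asy(pk, delta; r)
    return r + ":" + xor_hex(delta, h("mask", pk, r))
def dec_asy(sk, c):                          # constructed Dec^asy, reachable only via pco
    r, body = c.split(":")
    return xor_hex(body, h("mask", h("pk", sk), r))
def d_sy(k, c):                              # constructed one-time E = D (xor with a tag)
    return xor_hex(c, h("sym", k))
e_sy = d_sy

def pco(R, c1):                              # plaintext-checking oracle of Appendix B.2
    return int(dec_asy(SK, c1) == R)

def G(R):
    return h("G", R)

def a2_fo(pk, x, y):                         # FO: x = (delta, d1), y = r, c = (c_asy, d2)
    delta, d1 = x
    return (enc_asy(pk, delta, y), d1)

def v_fo(pk, x, c):                          # A.1: R_1 = R_2, so V always outputs 1
    return 1

def a2_react(pk, x, y):                      # REACT: x = (R, m, c1, c2), y = c3 = H(x)
    R, m, c1, c2 = x
    return (c1, c2, y)

def v_react(pk, x, c):                       # A.2: V_Sim from PCO, G and Dec^sy
    R, m, c1, c2 = x
    if pco(R, c1) == 0:
        return 0
    return 1 if d_sy(G(R), c2) == m else 0

def extract(pk, c, D, a2, v):
    """Extract relative to V: (1, x) for the completion of c in D, else (0, 0)."""
    D_c = [(x, y) for (x, y) in D if a2(pk, x, y) == c]   # step 1: re-encrypt each pair
    for x, y in D_c:                                         # step 2: query V on D_c
        if v(pk, x, c) == 1:
            return (1, x)
    return (0, 0)
```

A database entry whose re-encryption matches c but whose symmetric part decrypts to a different m lands in D_c and is then rejected by v_react, which is exactly the case the second step of Extract exists for.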
A.3 The Construction of \(\text {U}_{\text {Ext}}\) for \(\widetilde{\textsf{T}}\)
For the scheme \(\widetilde{\textsf{T}}[\varPi ^{asy},H]\), we give a straightforward way to simulate the oracle \(\textbf{V}\) here.
According to Lemma 9, a tuple \(((m,c_1),(c_1',c_2'))\) is in \(\mathcal {R}_1(pk,sk)\) if \(c_1=c_1'\), while a tuple \(((m,c_1),(c_1',c_2'))\) is in \(\mathcal {R}_2(pk,sk)\) if \(c_1=c_1'\) and \(m=\text {Dec}^{asy}(sk,c_1)\). Then we can take the input form of \(\textbf{V}\) to be \((m,c_1,c_1,c_2)\).
We construct an oracle \(\textbf{V}_{\text {Sim}}\) relative to the plaintext-checking oracle \(\text {PCO}\) and use it to simulate \(\textbf{V}\). On input \((m,c_1,c_1,c_2)\), \(\textbf{V}_{\text {Sim}}\) first invokes \(\text {PCO}\) and obtains \(b:=\text {PCO}(m,c_1)\). If \(b=0\), it outputs 0. Otherwise, it outputs 1. Then \(\text {U}_{\text {Ext}}\) can be implemented without sk, and its running time is O(l).
B Cryptographic Primitives
Here we introduce secret-key encryption schemes (SKE), public-key encryption schemes (PKE), key encapsulation mechanisms (KEM) and their security notions.
B.1 Secret-Key Encryption
Definition 8
An SKE \(\varPi ^{sy}\) consists of a pair of polynomial-time algorithms \((\text {E},\text {D})\) as follows.
1. \(\text {E}\), the encryption algorithm, takes as input a message m and a key k, and outputs a ciphertext c.
2. \(\text {D}\), the decryption algorithm, on input a ciphertext c and a key k outputs either a message m or a special symbol \(\perp \) if c is invalid.
Let \(\varPi ^{sy}=(\text {E},\text {D})\) be an SKE; we define one-time (OT) security for it.
Definition 9 (OT)
Define the advantage of an adversary A against the \(\text {OT}\) security of \(\varPi ^{sy}\) as \(\textrm{Adv}_{A,{\varPi ^{sy}}}^{\text {OT}}:=\left| \Pr [\text {Game}_{A,{\varPi ^{sy}}}^{\text {OT}}\rightarrow 1]-1/2\right| \), where \(\Pr [\text {Game}_{A,{\varPi ^{sy}}}^{\text {OT}}\rightarrow 1]\) is written as \(\Pr [b'=b: (m_0,m_1)\leftarrow A, b\xleftarrow {\$}\{0,1\},c^*\leftarrow \text {E}(k,m_b), b'\leftarrow A(c^*)]\). Then \(\varPi ^{sy}\) is \(\text {OT}\) secure if \(\textrm{Adv}_{A,{\varPi ^{sy}}}^{\text {OT}}\) is negligible for any polynomial-time adversary A.
B.2 Public-Key Encryption
Definition 10
A PKE \({\varPi }^{asy}\) consists of a triple of polynomial-time algorithms \((\text {Gen},\text {Enc},\text {Dec})\) as follows.
1. \(\text {Gen}\), the key generation algorithm, on input \(1^\lambda \) outputs a public/secret key pair (pk, sk).
2. \(\text {Enc}\), the encryption algorithm, on input a public key pk and a message m outputs a ciphertext c.
3. \(\text {Dec}\), the decryption algorithm, on input a secret key sk and a ciphertext c outputs either a message m or a special symbol \(\perp \) if c is invalid.
Let \(\varPi ^{asy}=(\text {Gen},\text {Enc},\text {Dec})\) be a PKE with message space \(\mathcal {M}\). We introduce the \(\gamma \)-spread and \(\delta \)-correct properties for it.
Definition 11
(\(\gamma \)-spread [12]). \({\varPi ^{asy}}\) is \(\gamma \)-spread if for any pk produced by \(\text {Gen}(1^{\lambda })\) and any message \(m\in \mathcal {M}\),
And \({\varPi ^{asy}}\) is called well-spread in \(\lambda \) if \(\gamma =\omega (\log (\lambda ))\).
Definition 12
(\(\delta \)-correct [14]). \({\varPi ^{asy}}\) is \(\delta \)-correct if
And \({\varPi ^{asy}}\) is called perfectly correct if \(\delta =0\).
In the following, we define three security notions for \(\varPi ^{asy}\): one-wayness under chosen plaintext attacks (OW-CPA), one-wayness under quantum plaintext checking attacks (OW-qPCA) and indistinguishability under quantum chosen ciphertext attacks (IND-qCCA).
Definition 13 (OW-CPA)
The game for \(\varPi ^{asy}\) is defined in Fig. 8. The advantage of an adversary A against the security of \(\varPi \) is defined to be . Then \(\varPi ^{asy}\) is secure if is negligible for any polynomial-time adversary A.
Definition 14
(OW-qPCA [17]). The game for \(\varPi ^{asy}\) is defined in Fig. 8. The advantage of an adversary A against the security of \(\varPi ^{asy}\) is defined as . \(\varPi ^{asy}\) is secure if is negligible for any polynomial-time adversary A.
Definition 15
(IND-qCCA [5]). The game for \(\varPi ^{asy}\) is defined in Fig. 9. The advantage of an adversary A against the security of \(\varPi ^{asy}\) is defined as . Then \(\varPi ^{asy}\) is secure if is negligible for any polynomial-time adversary A.
B.3 Key Encapsulation
Definition 16
A KEM \({\varPi }^{kem}\) consists of a triple of polynomial-time algorithms \((\text {Gen},\text {Encaps},\text {Decaps})\) as follows.
1. \(\text {Gen}\), the key generation algorithm, on input \(1^\lambda \) outputs a public/secret key pair (pk, sk).
2. \(\text {Encaps}\), the encapsulation algorithm, takes as input a public key pk and outputs a ciphertext c and a key k.
3. \(\text {Decaps}\), the decapsulation algorithm, on input a secret key sk and a ciphertext c outputs either a key k or a special symbol \(\perp \) if c is invalid.
Let \(\varPi ^{kem}=(\text {Gen},\text {Encaps},\text {Decaps})\) be a KEM; we define IND-qCCA security for it.
Definition 17
(IND-qCCA [27]). The game for \(\varPi ^{kem}\) is defined in Fig. 9. The advantage of an adversary A against the security of \(\varPi ^{kem}\) is defined as . Then \(\varPi ^{kem}\) is secure if is negligible for any polynomial-time adversary A.
© 2023 International Association for Cryptologic Research
Shan, T., Ge, J., Xue, R. (2023). QCCA-Secure Generic Transformations in the Quantum Random Oracle Model. In: Boldyreva, A., Kolesnikov, V. (eds) Public-Key Cryptography – PKC 2023. PKC 2023. Lecture Notes in Computer Science, vol 13940. Springer, Cham. https://doi.org/10.1007/978-3-031-31368-4_2
Print ISBN: 978-3-031-31367-7
Online ISBN: 978-3-031-31368-4