QCCA-Secure Generic Transformations in the Quantum Random Oracle Model

  • Conference paper
Public-Key Cryptography – PKC 2023 (PKC 2023)

Abstract

The post-quantum security of cryptographic schemes assumes that the quantum adversary only receives the classical result of computations with the secret key. Further, it is unknown whether the post-quantum secure schemes still remain secure if the adversary can obtain a superposition state of the results.

In this paper, we formalize one class of public-key encryption schemes named oracle-masked schemes. Then we define the plaintext extraction procedure for those schemes and this procedure simulates the quantum-accessible decryption oracle with a certain loss.

The construction of the plaintext extraction procedure does not need to take the secret key as input. Based on this property, we prove the IND-qCCA security of the Fujisaki-Okamoto (FO) transformation in the quantum random oracle model (QROM) and our security proof is tighter than the proof given by Zhandry (Crypto 2019). We also give the first IND-qCCA security proof of the REACT transformation in the QROM. Furthermore, our formalization can be applied to prove the IND-qCCA security of key encapsulation mechanisms with explicit rejection. As an example, we present the IND-qCCA security proof of \(\textsf {T}_{\textsf {CH}}\) transformation, proposed by Huguenin-Dumittan and Vaudenay (Eurocrypt 2022), in the QROM.

Notes

  1. Such a tuple is unique, since c and sk determine the value of \(\text {A}_3(sk,c)\).

  2. Here q is a constant and indicates q classical decryption queries.

References

  1. Ambainis, A., Hamburg, M., Unruh, D.: Quantum security proofs using semi-classical oracles. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11693, pp. 269–295. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26951-7_10

  2. Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Proceedings of the 1st ACM Conference on Computer and Communications Security, pp. 62–73 (1993). https://doi.org/10.1145/168588.168596

  3. Bindel, N., Hamburg, M., Hövelmanns, K., Hülsing, A., Persichetti, E.: Tighter proofs of CCA security in the quantum random oracle model. In: Hofheinz, D., Rosen, A. (eds.) TCC 2019. LNCS, vol. 11892, pp. 61–90. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-36033-7_3

  4. Boneh, D., Dagdelen, Ö., Fischlin, M., Lehmann, A., Schaffner, C., Zhandry, M.: Random oracles in a quantum world. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 41–69. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_3

  5. Boneh, D., Zhandry, M.: Secure signatures and chosen ciphertext security in a quantum computing world. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8043, pp. 361–379. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_21

  6. Chiesa, A., Manohar, P., Spooner, N.: Succinct arguments in the quantum random oracle model. In: Hofheinz, D., Rosen, A. (eds.) TCC 2019. LNCS, vol. 11892, pp. 1–29. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-36033-7_1

  7. Chung, K.-M., Fehr, S., Huang, Y.-H., Liao, T.-N.: On the compressed-oracle technique, and post-quantum security of proofs of sequential work. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021. LNCS, vol. 12697, pp. 598–629. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77886-6_21

  8. Coron, J.S., Handschuh, H., Joye, M., Paillier, P., Pointcheval, D., Tymen, C.: GEM: a generic chosen-ciphertext secure encryption method. In: Preneel, B. (ed.) CT-RSA 2002. LNCS, vol. 2271, pp. 263–276. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45760-7_18

  9. Cramer, R., Shoup, V.: Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM J. Comput. 33(1), 167–226 (2003). https://doi.org/10.1137/S0097539702403773

  10. Don, J., Fehr, S., Majenz, C., Schaffner, C.: Online-extractability in the quantum random-oracle model. In: Dunkelman, O., Dziembowski, S. (eds.) EUROCRYPT 2022. LNCS, vol. 13277, pp. 677–706. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-07082-2_24

  11. Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 537–554. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_34

  12. Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. J. Cryptol. 26(1), 80–101 (2011). https://doi.org/10.1007/s00145-011-9114-1

  13. Gagliardoni, T., Hülsing, A., Schaffner, C.: Semantic security and indistinguishability in the quantum world. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9816, pp. 60–89. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53015-3_3

  14. Hofheinz, D., Hövelmanns, K., Kiltz, E.: A modular analysis of the Fujisaki-Okamoto transformation. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017. LNCS, vol. 10677, pp. 341–371. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70500-2_12

  15. Hövelmanns, K., Hülsing, A., Majenz, C.: Failing gracefully: decryption failures and the Fujisaki-Okamoto transform. In: Agrawal, S., Lin, D. (eds.) ASIACRYPT 2022. LNCS, vol. 13794, pp. 414–443. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-22972-5_15

  16. Huguenin-Dumittan, L., Vaudenay, S.: On IND-qCCA security in the ROM and its applications: CPA security is sufficient for TLS 1.3. In: Dunkelman, O., Dziembowski, S. (eds.) EUROCRYPT 2022. LNCS, vol. 13277, pp. 613–642. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-07082-2_22

  17. Jiang, H., Zhang, Z., Chen, L., Wang, H., Ma, Z.: IND-CCA-Secure key encapsulation mechanism in the quantum random oracle model, revisited. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10993, pp. 96–125. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96878-0_4

  18. Jiang, H., Zhang, Z., Ma, Z.: Key encapsulation mechanism with explicit rejection in the quantum random oracle model. In: Lin, D., Sako, K. (eds.) PKC 2019. LNCS, vol. 11443, pp. 618–645. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17259-6_21

  19. Jiang, H., Zhang, Z., Ma, Z.: Tighter security proofs for generic key encapsulation mechanism in the quantum random oracle model. In: Ding, J., Steinwandt, R. (eds.) PQCrypto 2019. LNCS, vol. 11505, pp. 227–248. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-25510-7_13

  20. Kuchta, V., Sakzad, A., Stehlé, D., Steinfeld, R., Sun, S.-F.: Measure-rewind-measure: tighter quantum random oracle model proofs for one-way to hiding and CCA security. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12107, pp. 703–728. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45727-3_24

  21. Liu, X., Wang, M.: QCCA-secure generic key encapsulation mechanism with tighter security in the quantum random oracle model. In: Garay, J.A. (ed.) PKC 2021. LNCS, vol. 12710, pp. 3–26. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-75245-3_1

  22. Nielsen, M.A., Chuang, I.: Quantum computation and quantum information (2002)

  23. Okamoto, T., Pointcheval, D.: REACT: rapid enhanced-security asymmetric cryptosystem transform. In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 159–174. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45353-9_13

  24. Saito, T., Xagawa, K., Yamakawa, T.: Tightly-secure key-encapsulation mechanism in the quantum random oracle model. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10822, pp. 520–551. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78372-7_17

  25. Shan, T., Ge, J., Xue, R.: QCCA-secure generic transformations in the quantum random oracle model. Cryptology ePrint Archive, Report 2022/1235 (2022). https://eprint.iacr.org/2022/1235

  26. Targhi, E.E., Unruh, D.: Post-quantum security of the Fujisaki-Okamoto and OAEP transforms. In: Hirt, M., Smith, A. (eds.) TCC 2016. LNCS, vol. 9986, pp. 192–216. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53644-5_8

  27. Xagawa, K., Yamakawa, T.: (Tightly) QCCA-secure key-encapsulation mechanism in the quantum random oracle model. In: Ding, J., Steinwandt, R. (eds.) PQCrypto 2019. LNCS, vol. 11505, pp. 249–268. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-25510-7_14

  28. Zhandry, M.: Secure identity-based encryption in the quantum random oracle model. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 758–775. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_44

  29. Zhandry, M.: How to record quantum queries, and applications to quantum indifferentiability. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11693, pp. 239–268. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26951-7_9

Acknowledgments

We thank the anonymous reviewers of PKC 2023, and Shujiao Cao, for their insightful comments and suggestions. This work is supported by the National Natural Science Foundation of China (Grant No. 62172405).

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Tianshu Shan .

Appendices

A The Construction of \(\text {U}_{\text {Ext}}\)

To implement \(\text {U}_{\text {Ext}}\), we first fix some notation, then introduce the classical algorithm \(\textbf{Extract}\) on which \(\text {U}_{\text {Ext}}\) is built, and finally present the construction of \(\text {U}_{\text {Ext}}\).

As shown in Definition 4, \(\mathcal {O}\) is simulated by \(\textsf {CStO}\), and we introduce two notions related to the database D. For any \(c\in \mathcal {C}\), a completion of c in D is a pair \((x,y)\in D\) such that \(\text {A}_2(pk,x,y)=c\) and \(\text {A}_3(sk,c)=x\). Define \(D_c\) to be the subset of D consisting of all pairs (x,y) with \(\text {A}_2(pk,x,y)=c\). Then any completion of c in D necessarily lies in \(D_c\). Note that D contains at most one completion of c: c and sk determine the value \(\text {A}_3(sk,c)\), and D, being a partial function from \(\mathcal {X}\) to \(\mathcal {Y}\), holds at most one pair with any given first component x.

Define relations \(\mathcal {R}_1(pk,sk)\) and \(\mathcal {R}_2(pk,sk)\) for any key pair (pk,sk) of \(\varPi \) as below.

$$\mathcal {R}_1(pk,sk):=\{(x,c)\in \mathcal {X}\times \mathcal {C}:\exists \,y\in \mathcal {Y}\text { s.t. }\text {A}_2(pk,x,y)=c\}\,,$$
$$\mathcal {R}_2(pk,sk):=\{(x,c)\in \mathcal {X}\times \mathcal {C}:\text {A}_3(sk,c)=x\}\,,$$

where \(\mathcal {X}\) is the output space of algorithm \(\text {A}_1\). We then define the verification oracle \(\textbf{V}(pk,sk,\cdot ,\cdot )\) of \(\varPi \). \(\textbf{V}(pk,sk,\cdot ,\cdot )\) takes input \((x,c)\in \mathcal {X}\times \mathcal {C}\) and outputs a bit \(b\in \{0,1\}\). For any \((x,c)\in \mathcal {R}_1(pk,sk)\), \(\textbf{V}(pk,sk,x,c)=1\) if and only if \((x,c)\in \mathcal {R}_2(pk,sk)\); on inputs outside \(\mathcal {R}_1(pk,sk)\) the output of \(\textbf{V}\) is left unspecified.

Next, we define a classical algorithm \(\textbf{Extract}\). \(\textbf{Extract}\) takes pk, sk, c and D as input and searches for a completion of c in D. If a completion \((x,y)\in D\) is found, \(\textbf{Extract}\) outputs (1, x). Otherwise, it outputs (0, 0).

We now give a construction of \(\textbf{Extract}\) relative to oracle \(\textbf{V}\). On input c and D, \(\textbf{Extract}\) finds a completion in two steps. First, for each pair (x,y) in D, it computes \(c'=\text {A}_2(pk,x,y)\) and compares \(c'\) with c for equality to decide whether \((x,y)\in D_c\). Second, to extract a completion from \(D_{c}\), it queries \(\textbf{V}(pk,sk,x,c)\) for each pair \((x,y)\in D_{c}\); such a query is well-defined, since \(\text {A}_2(pk,x,y)=c\) means \((x,c)\in \mathcal {R}_1(pk,sk)\), and \(\textbf{V}\) then answers 1 exactly when \(\text {A}_3(sk,c)=x\). If \((x,y)\in D_c\) exists such that \(\textbf{V}(pk,sk,x,c)=1\), \(\textbf{Extract}\) outputs (1, x). Otherwise, it outputs (0, 0).

Then we construct \(\text {U}_{\text {Ext}}\) from \(\textbf{Extract}\), starting with the case in which the challenge query has not yet happened.

  1. Evaluate \((b,x)=\textbf{Extract}(pk,sk,c,D)\) in superposition and xor the output into a newly created register.

  2. Apply the following conditional procedures in superposition:

     (a) Conditioned on \(b=0\), evaluate the map \(|c,z,D,b,x\rangle \mapsto |c,z\oplus \bot ,D,b,x\rangle \).

     (b) Conditioned on \(b=1\), evaluate the map \(|c,z,D,b,x\rangle \mapsto |c,z\oplus \text {A}_4(x),D,b,x\rangle \).

  3. Uncompute (b,x) by evaluating \(\textbf{Extract}(pk,sk,c,D)\) in superposition again, which xors the same value back into the new register and returns it to zero; then discard the new register.

After the challenge query, the challenge ciphertext \(c^*\) is defined and \(\text {U}_{\text {Ext}}\) is implemented as follows.

  1. Apply the following conditional procedures in superposition:

     (a) Conditioned on \(c=c^*\), evaluate the map \(|c,z,D\rangle \mapsto |c,z\oplus \bot ,D\rangle \).

     (b) Conditioned on \(c\ne c^*\), apply the procedure for the case in which \(c^*\) is undefined.

In addition, the running time of \(\text {U}_{\text {Ext}}\) is upper bounded as follows. Denote the maximum size of the database by l. For each database D we have \(|D|\le l\), and \(\textbf{Extract}\) invokes \(\text {A}_2\) and \(\textbf{V}\) at most l times each during its execution. Thus \(O(l\cdot \text {Time}(\text {A}_2)+l\cdot \text {Time}(\textbf{V}))\) is an upper bound on the running time of \(\text {U}_{\text {Ext}}\).

We now give constructions of \(\text {U}_{\text {Ext}}\) for \(\textsf{FO}[\varPi ^{asy},\varPi ^{sy},H,G]\), \(\textsf{REACT}[\varPi ^{asy},\varPi ^{sy},H,G]\) and \(\widetilde{\textsf{T}}[\varPi ^{asy},H]\). Since an implementation of \(\textbf{V}\) suffices to determine the construction of \(\text {U}_{\text {Ext}}\) for an oracle-masked scheme \(\varPi \), we only give constructions of the verification oracle \(\textbf{V}\) for these three schemes.

1.1 A.1 The Construction of \(\text {U}_{\text {Ext}}\) for FO

For scheme \(\varPi =\textsf{FO}[\varPi ^{asy},\varPi ^{sy},H,G]\), we first present relation \(\mathcal {R}_1(pk,sk)\) and \(\mathcal {R}_2(pk,sk)\) to determine the input form of the verification oracle \(\textbf{V}\), then give an implementation of \(\textbf{V}\).

By Lemma 5, relations \(\mathcal {R}_1(pk,sk)\) and \(\mathcal {R}_2(pk,sk)\) are subsets of \(\mathcal {M}^{asy}\times \mathcal {C}^{sy}\times \mathcal {C}^{asy}\times \mathcal {C}^{sy}\) for any (pk,sk) of \(\varPi \). Tuple \((\delta ,d_1,c,d_2)\in \mathcal {R}_1(pk,sk)\) if \(d_1=d_2\) and there exists \(r\in \mathcal {R}^{asy}\) such that \(c=\text {Enc}^{asy}(pk,\delta ;r)\). Tuple \((\delta ,d_1,c,d_2)\in \mathcal {R}_2(pk,sk)\) if \(d_1=d_2\) and \(\text {Dec}^{asy}(sk,c)=\delta \).

Further, a tuple \((\delta ,d_1,c,d_2)\in \mathcal {R}_1(pk,sk)\) also satisfies \(\text {Dec}^{asy}(sk,c)=\delta \) by the correctness of \(\varPi ^{asy}\), and thus \((\delta ,d_1,c,d_2)\in \mathcal {R}_2(pk,sk)\). Hence \(\mathcal {R}_1(pk,sk)\) is a subset of \(\mathcal {R}_2(pk,sk)\). By similar arguments, we also conclude that \((\delta ,d_1,c,d_2)\notin \mathcal {R}_1(pk,sk)\) implies \((\delta ,d_1,c,d_2)\notin \mathcal {R}_2(pk,sk)\) for any (pk,sk). Thus for any (pk,sk) of \(\varPi \), \(\mathcal {R}_1(pk,sk)=\mathcal {R}_2(pk,sk)\) and

$$\begin{aligned} \mathcal {R}_2(pk,sk)=\{(\delta ,d,c,d):c\in \mathcal {C}^{asy}, \delta =\text {Dec}^{asy}(sk,c), d\in \mathcal {C}^{sy}\}\,. \end{aligned}$$

By the definition of the verification oracle, \(\textbf{V}\) for \(\varPi \) can be simply simulated by an algorithm that takes as input tuple \((\delta ,d_1,c,d_2)\) and trivially outputs 1. Moreover, notice that sk is not used in the construction of \(\text {U}_{\text {Ext}}\) except for the verification oracle. Therefore, \(\text {U}_{\text {Ext}}\) for \(\varPi \) can be implemented without sk.

Finally, the running time of \(\text {U}_{\text {Ext}}\) is given by \(O(l\cdot \text {Time}(\text {Enc}^{asy}))\).
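The following is an added example, not code from the paper: a classical dry run of the generic \(\textbf{Extract}\) / \(\text {U}_{\text {Ext}}\) construction above, instantiated for FO as in A.1, where \(\textbf{V}\) is identically 1 and the extractor therefore needs pk only. Everything concrete is an assumption made to have something to execute: \(\varPi ^{asy}\) is textbook RSA with a random 16-bit pad (insecure, used purely as a randomized PKE that can be re-encrypted with known coins), \(\varPi ^{sy}\) is a one-time pad under G(δ), H and G are SHA-256, and the compressed-oracle database D is modelled by the classical log of H evaluations. Superposition is not modelled; `dec_sim` computes the value that \(\text {U}_{\text {Ext}}\) would xor into the answer register for one basis state.

```python
"""Added example (not from the paper): classical dry run of Extract / U_Ext
for FO (Appendix A.1).  Toy choices, all assumptions: RSA with a 16-bit
random pad as Pi^asy (INSECURE, illustration only), one-time pad as Pi^sy,
SHA-256 as H and G, and the H query log as the CStO database D."""
import hashlib
import secrets

P, Q = 1000000007, 998244353              # two well-known primes, hard-coded
N, E = P * Q, 65537
PK = (N, E)
SK = (N, pow(E, -1, (P - 1) * (Q - 1)))  # private exponent via modular inverse
BITS = 16                                  # |delta| = |r| = 16, so r||delta < N

def enc_asy(pk, delta, r):
    """Enc^asy(pk, delta; r): RSA-encrypt the padded integer r||delta."""
    n, e = pk
    return pow((r << BITS) | delta, e, n)

def dec_asy(sk, c):
    """Dec^asy(sk, c): RSA-decrypt and strip the pad."""
    n, d = sk
    return pow(c, d, n) & ((1 << BITS) - 1)

def H(delta, d):
    """Random oracle H: (delta, d) -> r, 16 bits (SHA-256 stands in)."""
    h = hashlib.sha256(b"H" + delta.to_bytes(2, "big") + d).digest()
    return int.from_bytes(h[:2], "big")

def G(delta):
    """Random oracle G: delta -> one-time-pad key."""
    return hashlib.sha256(b"G" + delta.to_bytes(2, "big")).digest()

def otp(k, m):
    """Pi^sy: E and D are the same XOR with the 32-byte key (|m| <= 32)."""
    return bytes(a ^ b for a, b in zip(k, m))

class RecordingH:
    """H with a query log; the log plays the role of the CStO database D."""
    def __init__(self):
        self.D = []                        # pairs (x, y) = ((delta, d), r)
    def query(self, delta, d):
        r = H(delta, d)
        if ((delta, d), r) not in self.D:
            self.D.append(((delta, d), r))
        return r

def fo_encrypt(pk, m, oracle):
    """FO encryption: d = E(G(delta), m), c = Enc^asy(pk, delta; H(delta, d))."""
    delta = secrets.randbelow(1 << BITS)
    d = otp(G(delta), m)
    return (enc_asy(pk, delta, oracle.query(delta, d)), d)

def fo_decrypt(pk, sk, ct):
    """The real FO decryption, which needs sk and re-encrypts to check c."""
    c, d = ct
    delta = dec_asy(sk, c)
    if enc_asy(pk, delta, H(delta, d)) != c:
        return None                        # bot: re-encryption check failed
    return otp(G(delta), d)

def A2(pk, x, y):
    """A_2 for FO: x = (delta, d), y = r  ->  (Enc^asy(pk, delta; r), d)."""
    delta, d = x
    return (enc_asy(pk, delta, y), d)

def V_fo(pk, x, c):
    """Verification oracle for FO: R_1 = R_2 (A.1), so V is identically 1."""
    return 1

def extract(pk, c, D, V):
    """Extract of Appendix A; sk is reachable only through V."""
    D_c = [(x, y) for (x, y) in D if A2(pk, x, y) == c]   # step 1: build D_c
    for x, _ in D_c:                                       # step 2: verify
        if V(pk, x, c) == 1:
            return (1, x)                                  # the unique completion
    return (0, 0)

def dec_sim(pk, ct, D, V, c_star=None):
    """Classical shadow of U_Ext: the value xored into the answer register z."""
    if c_star is not None and ct == c_star:
        return None                        # bot on the challenge ciphertext
    b, x = extract(pk, ct, D, V)
    if b == 0:
        return None                        # bot: no completion of c in D
    delta, d = x
    return otp(G(delta), d)                # A_4(x) = D(G(delta), d)

def demo(m=b"attack at dawn"):
    """Honest, forged and challenge ciphertexts; returns (real, sim) verdicts."""
    oracle = RecordingH()
    ct = fo_encrypt(PK, m, oracle)
    honest = (fo_decrypt(PK, SK, ct), dec_sim(PK, ct, oracle.D, V_fo))
    (delta, d), r = oracle.D[0]            # the encryptor knows delta and r
    forged = (enc_asy(PK, delta, r ^ 1), d)   # wrong coins: (delta,d)->r^1 never queried
    rejected = (fo_decrypt(PK, SK, forged), dec_sim(PK, forged, oracle.D, V_fo))
    challenge = dec_sim(PK, ct, oracle.D, V_fo, c_star=ct)
    return honest, rejected, challenge

if __name__ == "__main__":
    print(demo())
```

`demo()` exercises the three branches of the construction: for an honestly generated ciphertext the sk-free extractor and the real decryption return the same plaintext; for a ciphertext encrypted under coins that were never obtained from H, both reject (the real decryption because re-encryption fails, the extractor because \(D_c\) is empty); and the challenge ciphertext is answered with \(\bot \) regardless of D. For REACT and \(\widetilde{\textsf{T}}\) (A.2, A.3) only `V_fo` would change, to a verifier that calls the plaintext-checking oracle; `extract` and `dec_sim` stay as they are.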

1.2 A.2 The Construction of \(\text {U}_{\text {Ext}}\) for REACT

For scheme \(\varPi =\textsf{REACT}[\varPi ^{asy},\varPi ^{sy},H,G]\), we only give an implementation of oracle \(\textbf{V}\) here.

By Lemma 8, \(\mathcal {R}_1(pk,sk)\) and \(\mathcal {R}_2(pk,sk)\) are subsets of \(\mathcal {M}^{asy}\times \mathcal {M}^{sy}\times \mathcal {C}^{asy}\times \mathcal {C}^{sy}\times \mathcal {C}^{asy}\times \mathcal {C}^{sy}\times \{0,1\}^n\) for any (pk,sk). A tuple \((R,m,c_1,c_2,c_1',c_2',c_3')\) lies in \(\mathcal {R}_1(pk,sk)\) if \(c_1=c_1'\) and \(c_2=c_2'\), and it lies in \(\mathcal {R}_2(pk,sk)\) if \(c_1=c_1'\), \(c_2=c_2'\), \(R=\text {Dec}^{asy}(sk,c_1')\) and \(m=\text {Dec}^{sy}(G(R),c_2')\). Thus, we have \(\mathcal {R}_1(pk,sk)=\{(R,m,c_1,c_2,c_1,c_2,c_3):R\in \mathcal {M}^{asy},m\in \mathcal {M}^{sy},c_1\in \mathcal {C}^{asy},c_2\in \mathcal {C}^{sy},c_3\in \{0,1\}^n\} \) and \(\mathcal {R}_2(pk,sk)=\{(R,m,c_1,c_2,c_1,c_2,c_3):c_1\in \mathcal {C}^{asy},c_2\in \mathcal {C}^{sy},c_3\in \{0,1\}^n,R=\text {Dec}^{asy}(sk,c_1),m=\text {Dec}^{sy}(G(R),c_2)\}\). We therefore take the input form of \(\textbf{V}\) to be \((R,m,c_1,c_2,c_1,c_2,c_3)\), according to \(\mathcal {R}_1(pk,sk)\) of \(\varPi \).

We present an algorithm \(\textbf{V}_{\text {Sim}}\) relative to the plaintext-checking oracle \(\text {PCO}\). \(\textbf{V}_{\text {Sim}}\) takes as input a tuple \((R,m,c_1,c_2,c_1,c_2,c_3)\). It first invokes \(\text {PCO}\) and obtains \(b:=\text {PCO}(R,c_1)\). If \(b=0\), \(\textbf{V}_{\text {Sim}}\) outputs 0. Otherwise, it computes \(m':=\text {Dec}^{sy}(G(R),c_2)\); if \(m\ne m'\) it outputs 0, and else it outputs 1. By the definition of \(\text {PCO}\) in Appendix B.2, it is easily verified that \(\textbf{V}\) can be simulated by \(\textbf{V}_{\text {Sim}}\). In this way, \(\text {U}_{\text {Ext}}\) for \(\varPi \) is implemented by invoking \(\text {PCO}\) instead of using sk directly. Moreover, the running time of \(\text {U}_{\text {Ext}}\) is given by O(l).

1.3 A.3 The Construction of \(\text {U}_{\text {Ext}}\) for \(\widetilde{\textsf{T}}\)

For scheme \(\widetilde{\textsf{T}}[\varPi ^{asy},H]\), we give a straightforward way to simulate oracle \(\textbf{V}\) here.

According to Lemma 9, tuple \(((m,c_1),(c_1',c_2'))\in \mathcal {R}_1(pk,sk)\) if \(c_1=c_1'\), while tuple \(((m,c_1),(c_1',c_2'))\in \mathcal {R}_2(pk,sk)\) if \(c_1=c_1'\) and \(m=\text {Dec}^{asy}(sk,c_1)\). Then we can assume the input form of \(\textbf{V}\) to be \((m,c_1,c_1,c_2)\).

We construct an oracle \(\textbf{V}_{\text {Sim}}\) relative to the plaintext-checking oracle \(\text {PCO}\) and use it to simulate \(\textbf{V}\). On input \((m,c_1,c_1,c_2)\), \(\textbf{V}_{\text {Sim}}\) first invokes \(\text {PCO}\) and obtains \(b:=\text {PCO}(m,c_1)\). If \(b=0\), it outputs 0. Otherwise, it outputs 1. Then \(\text {U}_{\text {Ext}}\) can be implemented without sk, and its running time is O(l).

B Cryptographic Primitives

Here we introduce secret-key encryption schemes (SKE), public-key encryption schemes (PKE), key encapsulation mechanisms (KEM) and their security notions.

1.1 B.1 Secret-Key Encryption

Definition 8

An SKE \(\varPi ^{sy}\) consists of a pair of polynomial-time algorithms \((\text {E},\text {D})\) as follows.

  1. 1.

    \(\text {E}\), the encryption algorithm, takes as input a message m and a key k, and outputs a ciphertext c.

  2. 2.

    \(\text {D}\), the decryption algorithm, on input a ciphertext c and a key k outputs either a message m or a special symbol \(\perp \) if c is invalid.

Let \(\varPi ^{sy}=(\text {E},\text {D})\) be an SKE. We define one-time (OT) security for it.

Definition 9 (OT)

Define the advantage of adversary A against the \(\text {OT}\) security of \(\varPi ^{sy}\) as \(\textrm{Adv}_{A,{\varPi ^{sy}}}^{\text {OT}}:=\left| \Pr [\text {Game}_{A,{\varPi ^{sy}}}^{\text {OT}}\rightarrow 1]-1/2\right| \), where \(\Pr [\text {Game}_{A,{\varPi ^{sy}}}^{\text {OT}}\rightarrow 1]\) denotes \(\Pr [b'=b: (m_0,m_1)\leftarrow A, b\xleftarrow {\$}\{0,1\},c^*\leftarrow \text {E}(k,m_b), b'\leftarrow A(c^*)]\) for a key k sampled uniformly at random. Then \(\varPi ^{sy}\) is \(\text {OT}\) secure if \(\textrm{Adv}_{A,{\varPi ^{sy}}}^{\text {OT}}\) is negligible for any polynomial-time adversary A.

1.2 B.2 Public-Key Encryption

Definition 10

A PKE \({\varPi }^{asy}\) consists of a triple of polynomial-time algorithms \((\text {Gen},\text {Enc},\text {Dec})\) as follows.

  1. 1.

    \(\text {Gen}\), the key generation algorithm, on input \(1^\lambda \) outputs a public/secret key pair (pk,sk).

  2. 2.

    \(\text {Enc}\), the encryption algorithm, on input a public key pk and a message m outputs a ciphertext c.

  3. 3.

    \(\text {Dec}\), the decryption algorithm, on input a secret key sk and a ciphertext c outputs either a message m or a special symbol \(\perp \) if c is invalid.

Let \(\varPi ^{asy}=(\text {Gen},\text {Enc},\text {Dec})\) be a PKE with message space \(\mathcal {M}\). We introduce the \(\gamma \)-spread and \(\delta \)-correct properties for it.

Definition 11

(\(\gamma \)-spread [12]). \({\varPi ^{asy}}\) is \(\gamma \)-spread if for any pk produced by \(\text {Gen}(1^{\lambda })\) and any message \(m\in \mathcal {M}\),

$$\begin{aligned}\max _{c\in \{0,1\}^*}\Pr [c'=c: c'\leftarrow \text {Enc}(pk,m)]\le 1/{2^{\gamma }}.\end{aligned}$$

And \({\varPi ^{asy}}\) is called well-spread in \(\lambda \) if \(\gamma =\omega (\log (\lambda ))\).

Definition 12

(\(\delta \)-correct [14]). \({\varPi ^{asy}}\) is \(\delta \)-correct if

$$\begin{aligned} \underset{(pk,sk)\leftarrow \text {Gen}}{\text {E}}\left[ \max _{m\in \mathcal {M}}\Pr [\text {Dec}(sk,c)\ne m:c\leftarrow \text {Enc}(pk,m)]\right] \le \delta . \end{aligned}$$

And \({\varPi ^{asy}}\) is called perfectly correct if \(\delta =0\).

In the following, we define three security notions for \(\varPi ^{asy}\): one-wayness under chosen plaintext attacks (OW-CPA), one-wayness under quantum plaintext checking attacks (OW-qPCA) and indistinguishability under quantum chosen ciphertext attacks (IND-qCCA).

Definition 13 (OW-CPA)

The OW-CPA game for \(\varPi ^{asy}\) is defined in Fig. 8. The advantage of an adversary A against the OW-CPA security of \(\varPi ^{asy}\) is defined to be . Then \(\varPi ^{asy}\) is OW-CPA secure if this advantage is negligible for any polynomial-time adversary A.

Definition 14

(OW-qPCA [17]). The OW-qPCA game for \(\varPi ^{asy}\) is defined in Fig. 8. The advantage of an adversary A against the OW-qPCA security of \(\varPi ^{asy}\) is defined as . \(\varPi ^{asy}\) is OW-qPCA secure if this advantage is negligible for any polynomial-time adversary A.

Fig. 8 (figure omitted). Game for \(\varPi ^{asy}\) (\(\text {ATK}\in \{\text {CPA},\text {qPCA}\}\)), where oracle \(\mathcal {O}_{\text {ATK}}\) is quantum-accessible.

Definition 15

(IND-qCCA [5]). The IND-qCCA game for \(\varPi ^{asy}\) is defined in Fig. 9. The advantage of an adversary A against the IND-qCCA security of \(\varPi ^{asy}\) is defined as . Then \(\varPi ^{asy}\) is IND-qCCA secure if this advantage is negligible for any polynomial-time adversary A.

Fig. 9 (figure omitted). Game for \(\varPi ^{asy}\) and \(\varPi ^{kem}\), where oracles \(\text {Dec}_{a}\) and \(\text {Decaps}_{a}\) are both quantum-accessible.

1.3 B.3 Key Encapsulation

Definition 16

A KEM \({\varPi }^{kem}\) consists of a triple of polynomial-time algorithms \((\text {Gen},\text {Encaps},\text {Decaps})\) as follows.

  1. 1.

    \(\text {Gen}\), the key generation algorithm, on input \(1^\lambda \) outputs a public/secret key pair (pk,sk).

  2. 2.

    \(\text {Encaps}\), the encapsulation algorithm, takes as input a public key pk and outputs a ciphertext c and a key k.

  3. 3.

    \(\text {Decaps}\), the decapsulation algorithm, on input a secret key sk and a ciphertext c outputs either a key k or a special symbol \(\perp \) if c is invalid.

Let \(\varPi ^{kem}=(\text {Gen},\text {Encaps},\text {Decaps})\) be a KEM and define IND-qCCA security for it.

Definition 17

(IND-qCCA [27]). The IND-qCCA game for \(\varPi ^{kem}\) is defined in Fig. 9. The advantage of an adversary A against the IND-qCCA security of \(\varPi ^{kem}\) is defined as . Then \(\varPi ^{kem}\) is IND-qCCA secure if this advantage is negligible for any polynomial-time adversary A.

Copyright information

© 2023 International Association for Cryptologic Research

Cite this paper

Shan, T., Ge, J., Xue, R. (2023). QCCA-Secure Generic Transformations in the Quantum Random Oracle Model. In: Boldyreva, A., Kolesnikov, V. (eds) Public-Key Cryptography – PKC 2023. PKC 2023. Lecture Notes in Computer Science, vol 13940. Springer, Cham. https://doi.org/10.1007/978-3-031-31368-4_2

  • DOI: https://doi.org/10.1007/978-3-031-31368-4_2

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-31367-7

  • Online ISBN: 978-3-031-31368-4
