Abstract
The post-quantum security of cryptographic schemes assumes that the quantum adversary only receives the classical result of computations with the secret key. Further, it is unknown whether the post-quantum secure schemes still remain secure if the adversary can obtain a superposition state of the results.
In this paper, we formalize one class of public-key encryption schemes named oracle-masked schemes. Then we define the plaintext extraction procedure for those schemes and this procedure simulates the quantum-accessible decryption oracle with a certain loss.
The construction of the plaintext extraction procedure does not need to take the secret key as input. Based on this property, we prove the IND-qCCA security of the Fujisaki-Okamoto (FO) transformation in the quantum random oracle model (QROM) and our security proof is tighter than the proof given by Zhandry (Crypto 2019). We also give the first IND-qCCA security proof of the REACT transformation in the QROM. Furthermore, our formalization can be applied to prove the IND-qCCA security of key encapsulation mechanisms with explicit rejection. As an example, we present the IND-qCCA security proof of \(\textsf {T}_{\textsf {CH}}\) transformation, proposed by Huguenin-Dumittan and Vaudenay (Eurocrypt 2022), in the QROM.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
Such a tuple is unique, since c and sk determines the value of \(\text {A}_3(sk,c)\).
- 2.
Here q is a constant and indicates q classical decryption queries.
References
Ambainis, A., Hamburg, M., Unruh, D.: Quantum security proofs using semi-classical oracles. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11693, pp. 269–295. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26951-7_10
Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Proceedings of the 1st ACM Conference on Computer and Communications Security, pp. 62–73 (1993). https://doi.org/10.1145/168588.168596
Bindel, N., Hamburg, M., Hövelmanns, K., Hülsing, A., Persichetti, E.: Tighter proofs of CCA security in the quantum random oracle model. In: Hofheinz, D., Rosen, A. (eds.) TCC 2019. LNCS, vol. 11892, pp. 61–90. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-36033-7_3
Boneh, D., Dagdelen, Ö., Fischlin, M., Lehmann, A., Schaffner, C., Zhandry, M.: Random oracles in a quantum world. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 41–69. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_3
Boneh, D., Zhandry, M.: Secure signatures and chosen ciphertext security in a quantum computing world. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8043, pp. 361–379. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_21
Chiesa, A., Manohar, P., Spooner, N.: Succinct arguments in the quantum random oracle model. In: Hofheinz, D., Rosen, A. (eds.) TCC 2019. LNCS, vol. 11892, pp. 1–29. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-36033-7_1
Chung, K.-M., Fehr, S., Huang, Y.-H., Liao, T.-N.: On the compressed-oracle technique, and post-quantum security of proofs of sequential work. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021. LNCS, vol. 12697, pp. 598–629. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77886-6_21
Coron, J.S., Handschuh, H., Joye, M., Paillier, P., Pointcheval, D., Tymen, C.: GEM: a generic chosen-ciphertext secure encryption method. In: Preneel, B. (eds.) Topics in Cryptology–CT-RSA 2002. CT-RSA 2002. Lecture Notes in Computer Science, vol. 2271, pp. 263–276. Springer, Berlin (2002). https://doi.org/10.1007/3-540-45760-7_18
Cramer, R., Shoup, V.: Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM J. Comput. 33(1), 167–226 (2003). https://doi.org/10.1137/S0097539702403773
Don, J., Fehr, S., Majenz, C., Schaffner, C.: Online-extractability in the quantum random-oracle model. In: Dunkelman, O., Dziembowski, S. (eds.) Advances in Cryptology–EUROCRYPT 2022. EUROCRYPT 2022. Lecture Notes in Computer Science, vol. 13277, pp. 677–706. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-07082-2_24
Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 537–554. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_34
Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. J. Cryptol. 26(1), 80–101 (2011). https://doi.org/10.1007/s00145-011-9114-1
Gagliardoni, T., Hülsing, A., Schaffner, C.: Semantic security and indistinguishability in the quantum world. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9816, pp. 60–89. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53015-3_3
Hofheinz, D., Hövelmanns, K., Kiltz, E.: A modular analysis of the fujisaki-okamoto transformation. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017. LNCS, vol. 10677, pp. 341–371. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70500-2_12
Hövelmanns, K., Hülsing, A., Majenz, C.: Failing gracefully: decryption failures and the Fujisaki-Okamoto transform. In: Agrawal, S., Lin, D. (eds.) Advances in Cryptology–ASIACRYPT 2022. ASIACRYPT 2022. Lecture Notes in Computer Science, vol. 13794, pp. 414–443. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-22972-5_15
Huguenin-Dumittan, L., Vaudenay, S.: On ind-qcca security in the ROM and its applications - CPA security is sufficient for TLS 1.3. In: Dunkelman, O., Dziembowski, S. (eds.) Advances in Cryptology– EUROCRYPT 2022. EUROCRYPT 2022. Lecture Notes in Computer Science, vol. 13277, pp. 613–642. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-07082-2_22
Jiang, H., Zhang, Z., Chen, L., Wang, H., Ma, Z.: IND-CCA-Secure key encapsulation mechanism in the quantum random oracle model, revisited. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10993, pp. 96–125. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96878-0_4
Jiang, H., Zhang, Z., Ma, Z.: Key encapsulation mechanism with explicit rejection in the quantum random oracle model. In: Lin, D., Sako, K. (eds.) PKC 2019. LNCS, vol. 11443, pp. 618–645. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17259-6_21
Jiang, H., Zhang, Z., Ma, Z.: Tighter security proofs for generic key encapsulation mechanism in the quantum random oracle model. In: Ding, J., Steinwandt, R. (eds.) PQCrypto 2019. LNCS, vol. 11505, pp. 227–248. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-25510-7_13
Kuchta, V., Sakzad, A., Stehlé, D., Steinfeld, R., Sun, S.-F.: Measure-rewind-measure: tighter quantum random oracle model proofs for one-way to hiding and CCA security. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12107, pp. 703–728. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45727-3_24
Liu, X., Wang, M.: QCCA-secure generic key encapsulation mechanism with tighter security in the quantum random oracle model. In: Garay, J.A. (ed.) PKC 2021. LNCS, vol. 12710, pp. 3–26. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-75245-3_1
Nielsen, M.A., Chuang, I.: Quantum computation and quantum information (2002)
Okamoto, T., Pointcheval, D.: REACT: rapid enhanced-security asymmetric cryptosystem transform. In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 159–174. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-45353-9_13
Saito, T., Xagawa, K., Yamakawa, T.: Tightly-secure key-encapsulation mechanism in the quantum random oracle model. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10822, pp. 520–551. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78372-7_17
Shan, T., Ge, J., Xue, R.: QCCA-secure generic transformations in the quantum random oracle model. IACR Cryptology ePrint Archive, p. 1235 (2022). https://eprint.iacr.org/2022/1235
Targhi, E.E., Unruh, D.: Post-quantum security of the Fujisaki-Okamoto and OAEP transforms. In: Hirt, M., Smith, A. (eds.) TCC 2016. LNCS, vol. 9986, pp. 192–216. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53644-5_8
Xagawa, K., Yamakawa, T.: (Tightly) QCCA-secure key-encapsulation mechanism in the quantum random oracle model. In: Ding, J., Steinwandt, R. (eds.) PQCrypto 2019. LNCS, vol. 11505, pp. 249–268. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-25510-7_14
Zhandry, M.: Secure identity-based encryption in the quantum random oracle model. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 758–775. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_44
Zhandry, M.: How to record quantum queries, and applications to quantum indifferentiability. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11693, pp. 239–268. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26951-7_9
Acknowledgments
We thank the anonymous reviewers of PKC 2023, and Shujiao Cao for their insightful comments and suggestions. This work is supported by National Natural Science Foundation of China (Grants No. 62172405).
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Appendices
A The Construction of \(\text {U}_{\text {Ext}}\)
To implement \(\text {U}_{\text {Ext}}\), we first give some notations, then introduce algorithm \(\textbf{Extract}\), as a primitive of \(\text {U}_{\text {Ext}}\), and finally present the construction of \(\text {U}_{\text {Ext}}\).
As is shown in definition 4, \(\mathcal {O}\) is simulated by \(\textsf {CStO}\) and we introduce two definitions related to database D: For any \(c\in \mathcal {C}\), a completion in D is defined to be a pair \((x,y)\in D\) such that \(\text {A}_2(pk,x,y)=c\) and \(\text {A}_3(sk,c)=x\). Define \(D_c\) to be the subset of D such that \(\text {A}_2(pk,x,y)=c\) for any (x, y) in \(D_c\). Then any completion of c in set D is necessarily in set \(D_c\). Note that D contains at most one completion of c, since c determines \(\text {A}_3(sk,c)\).
Define relation \(\mathcal {R}_1(pk,sk)\) and \(\mathcal {R}_2(pk,sk)\) for any (pk, sk) of \(\varPi \) as below.
where \(\mathcal {X}\) is the output space of algorithm \(\text {A}_1\). And we give the definition of the verification oracle \(\textbf{V}(pk,sk,\cdot ,\cdot )\) of \(\varPi \). \(\textbf{V}(pk,sk,\cdot ,\cdot )\) takes input \((x,c)\in \mathcal {X}\times \mathcal {C}\) and outputs a bit \(b\in \{0,1\}\). For any \((x,c)\in \mathcal {R}_1(pk,sk)\), \(\textbf{V}(pk,sk,x,c)=1\) if and only if \((x,c)\in \mathcal {R}_2(pk,sk)\).
Next, we define a classical algorithm \(\textbf{Extract}\). \(\textbf{Extract}\) takes pk, sk, c and D as input. It looks for a completion of c in D. If a completion \((x,y)\in D\) is found, \(\textbf{Extract}\) outputs (1, x). Otherwise, it outputs (0, 0).
Then we give a construction of \(\textbf{Extract}\) relative to oracle \(\textbf{V}\). \(\textbf{Extract}\) on input c and D, finds a completion in two steps: For each pair (x, y) in D, it computes \(c'=\text {A}_2(pk,x,y)\) and compares \(c'\) with c for equality to check whether \((x,y)\in D_c\). Then to extract a completion from \(D_{c}\), it invokes \(\textbf{V}\) and computes \(\textbf{V}(pk,sk,x,y)\) for each pair \((x,y)\in D_{c}\). If \((x,y)\in D\) exists such that \(\textbf{V}(pk,sk,x,y)=1\), \(\textbf{Extract}\) outputs (1, x). Otherwise, it outputs (0, 0).
Then we construct \(\text {U}_{\text {Ext}}\) with \(\textbf{Extract}\), and we start with the case when the challenge query does not happen.
-
1.
Evaluate \((b,x)=\textbf{Extract}(pk,sk,c,D)\) in superposition and xor the output into a newly created register.
-
2.
Apply the following conditional procedures in superposition:
-
3.
Condition on \(b=0\), evaluate the map \(|c,z,D,b,x\rangle \mapsto |c,z\oplus \bot ,D,b,x\rangle \).
-
4.
Condition on \(b=1\), evaluate the map \(|c,z,D,b,x\rangle \mapsto |c,z\oplus \text {A}_4(x),D,b,x\rangle \).
-
5.
Uncompute (b, x) by evaluating \(\textbf{Extract}(pk,sk,c,D)\) in superposition again. Then discord the new register.
After the challenge query, the challenge ciphertext \(c^*\) is produced and \(\text {U}_{\text {Ext}}\) is implemented below.
-
1.
Apply the following conditional procedures in superposition:
-
2.
Condition on \(c=c^*\), evaluate the map \(|c,z,D\rangle \mapsto |c,z\oplus \bot ,D\rangle \).
-
3.
Condition on \(c\ne c^*\), apply the procedure in the case when \(c^*\) is undefined.
In addition, the running time of \(\text {U}_{\text {Ext}}\) is upper bounded as follows. Denote the length of database by l. For each database D, \(|D|\le l\) and \(\textbf{Extract}\) invokes \(\text {A}_2\) and \(\textbf{V}\) at most l times during the execution. Thus \(O(l\cdot \text {Time}(\text {A}_2)+l\cdot \text {Time}(\textbf{V}))\) is an upper bound of the running time of \(\text {U}_{\text {Ext}}\).
Then we will give respective constructions of \(\text {U}_{\text {Ext}}\) for \(\textsf{FO}[\varPi ^{asy},\varPi ^{sy},H,G]\), \(\textsf{REACT}[\varPi ^{asy},\varPi ^{sy},H,G]\) and \(\widetilde{\textsf{T}}[\varPi ^{asy},H]\). Since the implementation of \(\textbf{V}\) is sufficient to determine the construction of \(\text {U}_{\text {Ext}}\) for an oracle-masked scheme \(\varPi \), we only give constructions of the verification oracle \(\textbf{V}\) for these three schemes.
1.1 A.1 The Construction of \(\text {U}_{\text {Ext}}\) for FO
For scheme \(\varPi =\textsf{FO}[\varPi ^{asy},\varPi ^{sy},H,G]\), we first present relation \(\mathcal {R}_1(pk,sk)\) and \(\mathcal {R}_2(pk,sk)\) to determine the input form of the verification oracle \(\textbf{V}\), then give an implementation of \(\textbf{V}\).
By Lemma 5, relation \(\mathcal {R}_1(pk,sk)\) and \(\mathcal {R}_2(pk,sk)\) are subsets of \(\mathcal {M}^{asy}\times \mathcal {C}^{sy}\times \mathcal {C}^{asy}\times \mathcal {C}^{sy}\) for any (pk, sk) of \(\varPi \). Tuple \((\delta ,d_1,c,d_2)\in \mathcal {R}_1(pk,sk)\) if \(d_1=d_2\) and \(r\in \mathcal {R}^{asy}\) exists such that \(c:=\text {Enc}^{asy}(pk,\delta ;r)\). Tuple \((\delta ,d_1,c,d_2)\in \mathcal {R}_2(pk,sk)\) if \(d_1=d_2\) and \(\text {Dec}^{asy}(sk,c)=\delta \).
Further, tuple \((\delta ,d_1,c,d_2)\in \mathcal {R}_1(pk,sk)\) also satisfies \(\text {Dec}^{asy}(sk,c)=\delta \) by the correctness of \(\varPi ^{asy}\), and thus \((\delta ,d_1,c,d_2)\in \mathcal {R}_2(pk,sk)\). Then \(\mathcal {R}_1(pk,sk)\) is a subset of \(\mathcal {R}_2(pk,sk)\). By similar arguments, we also conclude that \((\delta ,d_1,c,d_2)\notin \mathcal {R}_1(pk,sk)\) implies \((\delta ,d_1,c,d_2)\notin \mathcal {R}_2(pk,sk)\) for any (pk, sk). Thus for any (pk, sk) of \(\varPi \), \(\mathcal {R}_1(pk,sk)=\mathcal {R}_2(pk,sk)\) and
By the definition of the verification oracle, \(\textbf{V}\) for \(\varPi \) can be simply simulated by an algorithm that takes as input tuple \((\delta ,d_1,c,d_2)\) and trivially outputs 1. Moreover, notice that sk is not used in the construction of \(\text {U}_{\text {Ext}}\) except for the verification oracle. Therefore, \(\text {U}_{\text {Ext}}\) for \(\varPi \) can be implemented without sk.
Finally, the running time of \(\text {U}_{\text {Ext}}\) is given by \(O(l\cdot \text {Time}(\text {Enc}^{asy}))\).
1.2 A.2 The Construction of \(\text {U}_{\text {Ext}}\) for REACT
For scheme \(\varPi =\textsf{REACT}[\varPi ^{asy},\varPi ^{sy},H,G]\), we only give an implementation of oracle \(\textbf{V}\) here.
By Lemma 8, \(\mathcal {R}_1(pk,sk)\) and \(\mathcal {R}_2(pk,sk)\) are subsets of \(\mathcal {M}^{asy}\times \mathcal {M}^{sy}\times \mathcal {C}^{asy}\times \mathcal {C}^{sy}\times \mathcal {C}^{asy}\times \mathcal {C}^{sy}\times \{0,1\}^n\) for any (pk, sk). Any tuple \((R,m,c_1,c_2,c_1',c_2',c_3')\in \mathcal {R}_1(pk,sk)\) if \(c_1=c_1'\), \(c_2=c_2'\). And this tuple is an element of \(\mathcal {R}_2(pk,sk)\) if \(R=\text {Dec}^{asy}(sk,c_1')\), \(m=\text {Dec}^{sy}(G(R),c_2')\), \(c_1=c_1'\), \(c_2=c_2'\). Thus, we have \(\mathcal {R}_1(pk,sk)=\{(R,m,c_1,c_2,c_1,c_2,c_3):\mathcal {R}\in \mathcal {M}^{asy},m\in \mathcal {M}^{sy},c_1\in \mathcal {C}^{asy},c_2\in \mathcal {C}^{sy},c_3\in \{0,1\}^n\} \) and \(\mathcal {R}_2(pk,sk)=\{(R,m,c_1,c_2,c_1,c_2,c_3):c_1\in \mathcal {C}^{asy},c_2\in \mathcal {C}^{sy},c_3\in \{0,1\}^n,R=\text {Dec}^{asy}(sk,c_1),m=\text {Dec}^{sy}(G(R),c_2)\}\). Then we assume the input form of \(\textbf{V}\) to be \((R,m,c_1,c_2,c_1,c_2,c_3)\) according to \(\mathcal {R}_1(pk,sk)\) of \(\varPi \).
We present an algorithm \(\textbf{V}_{\text {Sim}}\) relative to plaintext checking oracle \(\text {P{CO}}\). \(\textbf{V}_{\text {Sim}}\) takes as input tuple \((R,m,c_1,c_2,c_1,c_2,c_3)\). It first invokes \(\text {P{CO}}\) and obtain \(b:=\text {P{CO}}(R,c_1)\). If \(b=0\), \(\textbf{V}_{\text {Sim}}\) outputs 0. Else, it computes \(m':=\text {Dec}^{sy}(G(R),c_2)\). If \(m\ne m'\), output 0. Else, output 1. Then by the definition of \(\text {P{CO}}\) in Appendix B.2, it is easily verified that \(\textbf{V}\) can be simulated by \(\textbf{V}_{\text {Sim}}\). In this way, \(\text {U}_{\text {Ext}}\) for \(\varPi \) is implemented by invoking \(\text {P{CO}}\) instead of using sk directly. Moreover, the running time of \(\text {U}_{\text {Ext}}\) is given by O(l).
1.3 A.3 The Construction of \(\text {U}_{\text {Ext}}\) for \(\widetilde{\textsf{T}}\)
For scheme \(\widetilde{\textsf{T}}[\varPi ^{asy},H]\), we give a straightforward way to simulate oracle \(\textbf{V}\) here.
According to Lemma 9, tuple \(((m,c_1),(c_1',c_2'))\in \mathcal {R}_1(pk,sk)\) if \(c_1=c_1'\), while tuple \(((m,c_1),(c_1',c_2'))\in \mathcal {R}_2(pk,sk)\) if \(c_1=c_1'\) and \(m=\text {Dec}^{asy}(sk,c_1)\). Then we can assume the input form of \(\textbf{V}\) to be \((m,c_1,c_1,c_2)\).
We construct an oracle \(\textbf{V}_{\text {Sim}}\) relative to plaintext-checking oracle \(\text {P{CO}}\) and use it to simulate \(\textbf{V}\). On input \((m,c_1,c_1,c_2)\), \(\textbf{V}_{\text {Sim}}\) first invokes \(\text {P{CO}}\) and obtains \(b:=\text {P{CO}}(m,c_1)\). If \(b=0\), it outputs 0. Otherwise, it outputs 1. Then \(\text {U}_{\text {Ext}}\) can be implemented without sk, and its running time is O(l).
B Cryptographic Primitives
Here we introduce secret-key encryption schemes (SKE), public-key encryption schemes (PKE), key encapsulation mechanisms (KEM) and their security notions.
1.1 B.1 Secret-Key Encryption
Definition 8
A SKE \(\varPi ^{sy}\) consists of a pair of polynomial-time algorithms \((\text {E},\text {D})\) as follows.
-
1.
\(\text {E}\), the encryption algorithm, takes as input a message m and a key k, and outputs a ciphertext c.
-
2.
\(\text {D}\), the decryption algorithm, on input a ciphertext c and a key k outputs either a message m or a special symbol \(\perp \) if c is invalid.
Let \(\varPi ^{sy}=(\text {E},\text {D})\) be a SKE and define one-time (OT) security for it.
Definition 9 (OT)
Define the advantage of adversary A against the \(\text {OT}\) security of \(\varPi ^{sy}\) as \(\textrm{Adv}_{A,{\varPi ^{sy}}}^{\text {OT}}:=\left| \Pr [\text {Game}_{A,{\varPi ^{sy}}}^{\text {OT}}\rightarrow 1]-1/2\right| \) and \(\Pr [\text {Game}_{A,{\varPi ^{sy}}}^{\text {OT}}\rightarrow 1]\) is written by \(\Pr [b'=b: (m_0,m_1)\leftarrow A, b\xleftarrow {\$}\{0,1\},c^*\leftarrow \text {E}(k,m_b), b'\leftarrow A(c^*)]\). Then \(\varPi ^{sy}\) is \(\text {OT}\) secure if \(\textrm{Adv}_{A,{\varPi ^{sy}}}^{\text {OT}}\) is negligible for any polynomial-time adversary A.
1.2 B.2 Public-Key Encryption
Definition 10
A PKE \({\varPi }^{asy}\) consists of a triple of polynomial-time algorithms \((\text {Gen},\text {Enc},\text {Dec})\) as follows.
-
1.
\(\text {Gen}\), the key generation algorithm, on input \(1^\lambda \) outputs a public/secret key-pair (pk, sk).
-
2.
\(\text {Enc}\), the encryption algorithm, on input a public key pk and a message m outputs a ciphertext c.
-
3.
\(\text {Dec}\), the decryption algorithm, on input a secret key sk and a ciphertext c outputs either a message m or a special symbol \(\perp \) if c is invalid.
Let \(\varPi ^{asy}=(\text {Gen},\text {Enc},\text {Dec})\) be a PKE with message space \(\mathcal {M}\). Then we introduce \(\gamma \)-spread and \(\delta \)-correct property for it.
Definition 11
(\(\gamma \)-spread [12]). \({\varPi ^{asy}}\) is \(\gamma \)-spread if for any pk produced by \(\text {Gen}(1^{\lambda })\) and any message \(m\in \mathcal {M}\),
And \({\varPi ^{asy}}\) is called well-spread in \(\lambda \) if \(\gamma =\omega (\log (\lambda ))\).
Definition 12
(\(\delta \)-correct [14]). \({\varPi ^{asy}}\) is \(\delta \)-correct if
And \({\varPi ^{asy}}\) is called perfectly correct if \(\delta =0\).
In the following, we define one-wayness under chosen plaintext attacks (OW-CPA), one-wayness under quantum plaintext checking attacks (OW-qPCA) and indistinguishability under quantum chosen ciphertext attacks (IND-qCCA) these three security notions for \(\varPi ^{asy}\).
Definition 13 (OW-CPA)
The game for \(\varPi ^{asy}\) is defined in Fig. 8. The advantage of an adversary A against the security of \(\varPi \) is defined to be . Then \(\varPi ^{asy}\) is secure if is negligible for any polynomial-time adversary A.
Definition 14
(OW-qPCA [17]). The game for \(\varPi ^{asy}\) is defined in Fig. 8. The advantage of an adversary A against the security of \(\varPi ^{asy}\) is defined as . \(\varPi ^{asy}\) is secure if is negligible for any polynomial-time adversary A.
Definition 15
(IND-qCCA [5]). The game for \(\varPi ^{asy}\) is defined in Fig. 9. The advantage of an adversary A against the security of \(\varPi ^{asy}\) is defined as . Then \(\varPi ^{asy}\) is secure if is negligible for any polynomial-time adversary A.
1.3 B.3 Key Encapsulation
Definition 16
A KEM \({\varPi }^{kem}\) consists of a triple of polynomial-time algorithms \((\text {Gen},\text {Encaps},\text {Decaps})\) as follows.
-
1.
\(\text {Gen}\), the key generation algorithm,on input \(1^\lambda \) outputs a public/secret key-pair (pk, sk).
-
2.
\(\text {Encaps}\), the encapsulation algorithm, takes as input a public key pk and outputs a ciphertext c and a key k.
-
3.
\(\text {Decaps}\), the decapsulation algorithm, on input a secret key sk and a ciphertext c outputs either a key k or a special symbol \(\perp \) if c is invalid.
Let \(\varPi ^{kem}=(\text {Gen},\text {Encaps},\text {Decaps})\) be a KEM and define IND-qCCA security for it.
Definition 17
(IND-qCCA [27]). The game for \(\varPi ^{kem}\) is defined in Fig. 9. The advantage of an adversary A against the security of \(\varPi ^{kem}\) is defined as . Then \(\varPi ^{kem}\) is secure if is negligible for any polynomial-time adversary A.
Rights and permissions
Copyright information
© 2023 International Association for Cryptologic Research
About this paper
Cite this paper
Shan, T., Ge, J., Xue, R. (2023). QCCA-Secure Generic Transformations in the Quantum Random Oracle Model. In: Boldyreva, A., Kolesnikov, V. (eds) Public-Key Cryptography – PKC 2023. PKC 2023. Lecture Notes in Computer Science, vol 13940. Springer, Cham. https://doi.org/10.1007/978-3-031-31368-4_2
Download citation
DOI: https://doi.org/10.1007/978-3-031-31368-4_2
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-31367-7
Online ISBN: 978-3-031-31368-4
eBook Packages: Computer ScienceComputer Science (R0)