Post-quantum IND-CCA-secure KEM without Additional Hash

With the gradual progress of NIST’s post-quantum cryptography standardization, several practical post-quantum secure key encapsulation mechanism (KEM) schemes have been proposed. Generally, an IND-CCA-secure KEM is usually achieved by introducing an IND-CPAsecure (or OW-CPA-secure) public-key encryption (PKE) scheme, then applying some generic transformations to it. All these generic transformations are constructed in the random oracle model (ROM). To fully assess the post-quantum security, security analysis in the quantum random oracle model (QROM) is preferred. However, current works either lacked a QROM security proof or just followed Targhi and Unruh’s proof technique (TCC-B 2016) and modified the original transformations by adding an additional hash to the ciphertext to achieve the QROM security. In this paper, by using a novel proof technique, we present QROM security reductions for two widely used generic transformations without suffering any ciphertext overhead. Meanwhile, the security bounds are much tighter than the ones derived by utilizing Targhi and Unruh’s proof technique. Thus, our QROM security proofs not only provide a solid post-quantum security guarantee for previous KEM schemes, but also simplify the constructions and reduce the ciphertext sizes. We also provide QROM security reductions for Hofheinz-Hövelmanns-Kiltz modular transformations (TCC 2017), which can help to obtain a variety of combined transformations with different requirements and properties.

[1]  Henry Yuen,et al.  A quantum lower bound for distinguishing random functions from random permutations , 2013, Quantum Inf. Comput..

[2]  Dominique Unruh,et al.  Non-Interactive Zero-Knowledge Proofs in the Quantum Random Oracle Model , 2015, EUROCRYPT.

[3]  Eike Kiltz,et al.  A Modular Analysis of the Fujisaki-Okamoto Transformation , 2017, TCC.

[4]  Lov K. Grover A fast quantum mechanical algorithm for database search , 1996, STOC '96.

[5]  Kenneth G. Paterson,et al.  Tightly Secure Ring-LWE Based Key Encapsulation with Short Ciphertexts , 2017, ESORICS.

[6]  Mark Zhandry,et al.  A note on the quantum collision and set equality problems , 2013, Quantum Inf. Comput..

[7]  Chris Peikert,et al.  On Ideal Lattices and Learning with Errors over Rings , 2010, JACM.

[8]  Chris Peikert,et al.  Lattice Cryptography for the Internet , 2014, PQCrypto.

[9]  Ronald Cramer,et al.  Design and Analysis of Practical Public-Key Encryption Schemes Secure against Adaptive Chosen Ciphertext Attack , 2003, SIAM J. Comput..

[10]  Dominique Unruh,et al.  Post-Quantum Security of the Fujisaki-Okamoto and OAEP Transforms , 2016, TCC.

[11]  Tatsuaki Okamoto,et al.  Secure Integration of Asymmetric and Symmetric Encryption Schemes , 1999, Journal of Cryptology.

[12]  Seth Lloyd,et al.  Quantum private queries. , 2007, Physical review letters.

[13]  Tanja Lange,et al.  NTRU Prime: Reducing Attack Surface at Low Cost , 2017, SAC.

[14]  Fang Song,et al.  Mitigating Multi-Target Attacks in Hash-based Signatures , 2016, IACR Cryptol. ePrint Arch..

[15]  Peter Schwabe,et al.  McBits: Fast Constant-Time Code-Based Cryptography , 2013, CHES.

[16]  Mark Zhandry,et al.  Secure Signatures and Chosen Ciphertext Security in a Quantum Computing World , 2013, CRYPTO.

[17]  Kenneth G. Paterson,et al.  Efficient One-Round Key Exchange in the Standard Model , 2008, ACISP.

[18]  Damien Stehlé,et al.  CRYSTALS - Kyber: A CCA-Secure Module-Lattice-Based KEM , 2017, 2018 IEEE European Symposium on Security and Privacy (EuroS&P).

[19]  Mark Zhandry,et al.  Random Oracles in a Quantum World , 2010, ASIACRYPT.

[20]  Carl Eklund,et al.  National Institute for Standards and Technology , 2009, Encyclopedia of Biometrics.

[21]  Alexander W. Dent,et al.  A Designer's Guide to KEMs , 2003, IMACC.

[22]  Peter Schwabe,et al.  High-speed key encapsulation from NTRU , 2017, IACR Cryptol. ePrint Arch..

[23]  S. Lloyd,et al.  Experimental quantum private queries with linear optics , 2009 .

[24]  Thierry Paul,et al.  Quantum computation and quantum information , 2007, Mathematical Structures in Computer Science.

[25]  Martijn Stam,et al.  A Key Encapsulation Mechanism for NTRU , 2005, IMACC.

[26]  Dominique Unruh,et al.  Quantum Position Verification in the Random Oracle Model , 2014, CRYPTO.

[27]  David Pointcheval,et al.  REACT: Rapid Enhanced-Security Asymmetric Cryptosystem Transform , 2001, CT-RSA.

[28]  Takashi Yamakawa,et al.  Tightly-Secure Key-Encapsulation Mechanism in the Quantum Random Oracle Model , 2018, IACR Cryptol. ePrint Arch..

[29]  Jung Hee Cheon,et al.  A Practical Post-Quantum Public-Key Cryptosystem Based on spLWE , 2016, IACR Cryptol. ePrint Arch..

[30]  Jean-Sébastien Coron,et al.  GEM: A Generic Chosen-Ciphertext Secure Encryption Method , 2002, CT-RSA.

[31]  Dominique Unruh,et al.  Quantum Collision-Resistance of Non-uniformly Distributed Functions , 2016, PQCrypto.

[32]  Andris Ambainis,et al.  Quantum Attacks on Classical Proof Systems: The Hardness of Quantum Rewinding , 2014, 2014 IEEE 55th Annual Symposium on Foundations of Computer Science.

[33]  Paulo S. L. M. Barreto,et al.  CAKE: Code-Based Algorithm for Key Encapsulation , 2017, IMACC.

[34]  Mark Zhandry,et al.  Secure Identity-Based Encryption in the Quantum Random Oracle Model , 2012, CRYPTO.

[35]  Daniel R. Simon,et al.  Non-Interactive Zero-Knowledge Proof of Knowledge and Chosen Ciphertext Attack , 1991, CRYPTO.

[36]  Atsushi Fujioka,et al.  Strongly Secure Authenticated Key Exchange from Factoring, Codes, and Lattices , 2012, Public Key Cryptography.

[37]  Mihir Bellare,et al.  Random oracles are practical: a paradigm for designing efficient protocols , 1993, CCS '93.

[38]  Dominique Unruh Revocable Quantum Timed-Release Encryption , 2014, EUROCRYPT.