KDM Security for the Fujisaki-Okamoto Transformations in the QROM

Key-dependent message (KDM) security is a security notion that guarantees confidentiality of communication even if secret keys are encrypted. KDM security has found a number of applications in practical situations such as hard-disk encryption systems, anonymous credentials, and bootstrapping of fully homomorphic encryption. Recently, it also found an application in quantum delegation protocols, as shown by Zhang (TCC 2019). In this work, we investigate the KDM security of existing practical public-key encryption (PKE) schemes proposed in the quantum random oracle model (QROM). Concretely, we study a PKE scheme whose key encapsulation mechanism (KEM) is constructed using Fujisaki-Okamoto (FO) transformations in the QROM. FO transformations are applied to IND-CPA secure PKE schemes and yield IND-CCA secure KEMs. We show the following results.

• We can reduce the KDM-CPA security in the QROM of a PKE scheme whose KEM is derived from any of the FO transformations proposed by Hofheinz et al. (TCC 2017) to the IND-CPA security of the underlying PKE scheme, without square-root security loss. For this result, we use a one-time pad (OTP) as the DEM to convert the KEM into a PKE scheme.

• We can reduce the KDM-CCA security in the QROM of a PKE scheme whose KEM is derived from a single variant of the FO transformation proposed by Hofheinz et al. (TCC 2017) to the IND-CPA security of the underlying PKE scheme, without square-root security loss. For this result, we use the OTP-then-MAC construction as the DEM to convert the KEM into a PKE scheme. We also require a mild injectivity assumption on the underlying IND-CPA secure PKE scheme.

In order to avoid square-root security loss, we use the double-sided one-way to hiding (O2H) lemma proposed by Kuchta et al. (EUROCRYPT 2020). In the context of KDM security, there is a technical hurdle to using the double-sided O2H lemma due to the circularity issue. Our main technical contribution is to overcome this hurdle.
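The following is an added illustration, not code from the paper, of the KEM/DEM shape the abstract describes: an FO-style KEM (derandomise the PKE with G, derive the key with H, re-encryption check with implicit rejection) wrapped around an IND-CPA PKE, composed with a one-time-pad DEM and an OTP-then-MAC DEM, and exercised in the key-dependent-message setting by encrypting the secret key itself. Toy ElGamal over a Mersenne prime, SHAKE/SHA-256 for the oracles, and HMAC for the MAC are my assumptions, and the implicit-rejection flavour shown is one FO variant among those of Hofheinz et al., not necessarily the single variant the paper's KDM-CCA result covers.

```python
import hashlib, hmac, secrets

# Constructed toy parameters for illustration only; NOT a secure instantiation.
P, GEN = 2**521 - 1, 3   # Mersenne prime modulus and generator for toy ElGamal
ML, NB = 32, 66          # KEM message length; bytes per serialised group element

def G_hash(m):  # FO oracle G: derives the PKE randomness from the message m
    return int.from_bytes(hashlib.shake_256(b"G" + m).digest(80), "big") % (P - 2) + 1
def H_hash(m, c):  # FO oracle H: K = H(m, c) over the serialised ciphertext
    return hashlib.sha256(b"H" + m + b"".join(v.to_bytes(NB, "big") for v in c)).digest()

def pke_enc(pk, m, r):  # underlying IND-CPA PKE (toy ElGamal); randomness r is supplied
    return pow(GEN, r, P), int.from_bytes(m, "big") * pow(pk, r, P) % P
def pke_dec(x, c):
    v = c[1] * pow(c[0], P - 1 - x, P) % P
    return v.to_bytes(ML, "big") if v < 2 ** (8 * ML) else None  # out of range: invalid

def kem_keygen():
    x = secrets.randbelow(P - 2) + 1
    return pow(GEN, x, P), (x, pow(GEN, x, P), secrets.token_bytes(ML))  # s: rejection seed
def kem_encaps(pk):
    m = secrets.token_bytes(ML)
    c = pke_enc(pk, m, G_hash(m))  # T: derandomise with r = G(m)
    return c, H_hash(m, c)
def kem_decaps(sk, c):
    x, pk, s = sk
    m = pke_dec(x, c)
    if m is None or pke_enc(pk, m, G_hash(m)) != c:  # re-encryption check
        return H_hash(s, c)  # implicit rejection: a pseudorandom key, never an error
    return H_hash(m, c)

def dem_keys(K, n):  # expand K into an n-byte one-time pad and a 32-byte MAC key
    out = hashlib.shake_256(K).digest(n + 32)
    return out[:n], out[n:]
def hybrid_enc(pk, msg, with_mac):  # KEM + DEM: OTP (KDM-CPA) or OTP-then-MAC (KDM-CCA)
    c, K = kem_encaps(pk)
    pad, kmac = dem_keys(K, len(msg))
    ct = bytes(a ^ b for a, b in zip(msg, pad))
    return c, ct, hmac.new(kmac, ct, "sha256").digest() if with_mac else b""
def hybrid_dec(sk, c, ct, tag, with_mac):
    pad, kmac = dem_keys(kem_decaps(sk, c), len(ct))
    if with_mac and not hmac.compare_digest(tag, hmac.new(kmac, ct, "sha256").digest()):
        return None  # the MAC rejects modified ciphertexts; decapsulation alone cannot
    return bytes(a ^ b for a, b in zip(ct, pad))

def kdm_cycle(with_mac):  # KDM setting: the plaintext is the secret key itself
    pk, sk = kem_keygen()
    msg = sk[0].to_bytes(NB, "big")
    c, ct, tag = hybrid_enc(pk, msg, with_mac)
    return (hybrid_dec(sk, c, ct, tag, with_mac) == msg,          # key cycle decrypts
            hybrid_dec(sk, c, bytes([ct[0] ^ 1]) + ct[1:], tag, with_mac) is None)  # tamper caught?
```

With the plain OTP DEM the key cycle still decrypts, but a flipped ciphertext bit silently yields a flipped plaintext bit; only the OTP-then-MAC variant rejects it, which is the gap between the CPA and CCA settings.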

[1] Daniel R. Simon et al. Non-Interactive Zero-Knowledge Proof of Knowledge and Chosen Ciphertext Attack. CRYPTO, 1991.

[2] Mark Zhandry et al. Random Oracles in a Quantum World. ASIACRYPT, 2010.

[3] Michael Hamburg et al. Tighter proofs of CCA security in the quantum random oracle model. IACR Cryptol. ePrint Arch., 2019.

[4] Michael Backes et al. OAEP Is Secure under Key-Dependent Messages. ASIACRYPT, 2008.

[5] Tatsuaki Okamoto et al. Secure Integration of Asymmetric and Symmetric Encryption Schemes. Journal of Cryptology, 1999.

[6] Dominique Unruh et al. Revocable Quantum Timed-Release Encryption. J. ACM, 2014.

[7] Andris Ambainis et al. Quantum security proofs using semi-classical oracles. IACR Cryptol. ePrint Arch., 2019.

[8] Mingqiang Wang et al. QCCA-Secure Generic Key Encapsulation Mechanism with Tighter Security in the Quantum Random Oracle Model. IACR Cryptol. ePrint Arch., 2021.

[9] Mihir Bellare et al. Possibility and Impossibility Results for Encryption and Commitment Secure under Selective Opening. EUROCRYPT, 2009.

[10] Jan Camenisch et al. An Efficient System for Non-transferable Anonymous Credentials with Optional Anonymity Revocation. IACR Cryptol. ePrint Arch., 2001.

[11] Mark Zhandry et al. Secure Identity-Based Encryption in the Quantum Random Oracle Model. CRYPTO, 2012.

[12] Zhenfeng Zhang et al. Key Encapsulation Mechanism with Explicit Rejection in the Quantum Random Oracle Model. IACR Cryptol. ePrint Arch., 2019.

[13] Mihir Bellare et al. Random oracles are practical: a paradigm for designing efficient protocols. CCS '93, 1993.

[14] Moni Naor et al. Nonmalleable Cryptography. SIAM Rev., 2000.

[15] Ron Steinfeld et al. Measure-Rewind-Measure: Tighter Quantum Random Oracle Model Proofs for One-Way to Hiding and CCA Security. EUROCRYPT, 2020.

[16] Goichiro Hanaoka et al. On the Key Dependent Message Security of the Fujisaki-Okamoto Constructions. Public Key Cryptography, 2016.

[17] Takashi Yamakawa et al. Tightly-Secure Key-Encapsulation Mechanism in the Quantum Random Oracle Model. IACR Cryptol. ePrint Arch., 2018.

[18] Silvio Micali et al. Public-Key Encryption in a Multi-user Setting: Security Proofs and Improvements. EUROCRYPT, 2000.

[19] Mihir Bellare et al. Optimal Asymmetric Encryption. EUROCRYPT, 1994.

[20] Jiayu Zhang. Delegating Quantum Computation in the Quantum Random Oracle Model. TCC, 2019.

[21] Hong Wang et al. IND-CCA-Secure Key Encapsulation Mechanism in the Quantum Random Oracle Model, Revisited. CRYPTO, 2018.

[22] Dominique Unruh et al. Post-Quantum Security of the Fujisaki-Okamoto and OAEP Transforms. TCC, 2016.

[23] Vinod Vaikuntanathan et al. Simultaneous Hardcore Bits and Cryptography against Memory Attacks. TCC, 2009.

[24] Eike Kiltz et al. Generic Authenticated Key Exchange in the Quantum Random Oracle Model. IACR Cryptol. ePrint Arch., 2020.

[25] Craig Gentry et al. A fully homomorphic encryption scheme. 2009.

[26] Martín Abadi et al. Reconciling Two Views of Cryptography (The Computational Soundness of Formal Encryption). Journal of Cryptology, 2007.

[27] John Black et al. Encryption-Scheme Security in the Presence of Key-Dependent Messages. Selected Areas in Cryptography, 2002.

[28] Daniel Bleichenbacher et al. Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1. CRYPTO, 1998.

[29] Rafail Ostrovsky et al. Circular-Secure Encryption from Decision Diffie-Hellman. CRYPTO, 2008.

[30] Martijn Stam et al. KDM Security in the Hybrid Framework. CT-RSA, 2014.

[31] Dominique Unruh et al. Quantum Position Verification in the Random Oracle Model. CRYPTO, 2014.

[32] Zhenfeng Zhang et al. Tighter security proofs for generic key encapsulation mechanism in the quantum random oracle model. IACR Cryptol. ePrint Arch., 2019.