Tighter proofs of CCA security in the quantum random oracle model



Introduction
If a general-purpose quantum computer can be built, it will break most widely deployed public-key cryptography. The cryptographic community is busily designing new cryptographic systems to prepare for this risk. These systems typically consist of an algebraic structure with cryptographic hardness properties, plus a symmetric-cryptography layer which transforms the algebraic structure into a higher-level primitive like a public-key encryption (PKE) scheme, a key encapsulation mechanism (KEM), or a signature scheme. The algebraic structures underlying these so-called "post-quantum" systems have new properties, and the quantum threat model requires changes in the way security is analyzed. Therefore the transformations turning the algebraic structures into cryptosystems have to be freshly examined.
In this work we focus on the construction of secure KEMs. In this setting the algebraic structures usually provide a PKE from which a KEM is derived via a generic transform. A new property of the algebraic structures used in many post-quantum PKEs and KEMs gives them malleable ciphertexts, so they are at risk from chosen-ciphertext attacks (CCA) [HNP+03]. The standard defenses against CCA are variants of the Fujisaki-Okamoto (FO) transform [FO99]. Known security proofs for the FO transform use the random oracle model (ROM) [BR93]. This is for two reasons. First, the FO transform has a circular structure: it chooses coins for encryption according to the message being encrypted. This leads to obstacles which we do not know how to overcome when proving security in the standard model. In the ROM, we circumvent this by re-programming. Second, in the ROM a reduction learns all the adversary's queries to the random oracle. This allows us to formalize the intuition that an adversary must have known a challenge plaintext in order to extract said plaintext.
Since we are concerned with security against quantum attackers, we need to extend these proofs to the quantum-accessible random oracle model (QROM) [BDF+11]. This comes with two challenges for our setting. On the one hand, in the QROM the adversary can query all inputs in superposition. Hence, it is no longer trivial to break the circular dependency by re-programming, which results in security bounds that do not tightly match known attacks. On the other hand, a reduction cannot learn the adversarial queries by simple observation anymore. The reason is that observation of a quantum state requires a measurement, which disturbs the state. Hence, more advanced techniques are required.

Our Contribution
QROM analysis of KEMs has advanced rapidly over the past several years. The initial solutions were loose by a factor of up to q^6 [TU16,HHK17], where q is the number of times the adversary queries the random oracle. This has improved to q^2 [SXY18,JZC+18] and finally to q [HKSU18,JZM19a,JZM19c]. Some works provide tight proofs under stronger assumptions [SXY18,XY19]. Our work provides a proof of IND-CCA security for KEMs constructed from deterministic PKEs (Theorem 2), which is tight except for a quadratic security loss which might be impossible to avoid [JZM19b]. For KEMs constructed from randomized PKEs our bound is still loose by a factor of up to q (Theorem 1). In this particular case, our bound does not essentially differ from the bound already given in [HKSU18]. In [HKSU18], the proof given is called "semi-modular": it is first shown that derandomization and puncturing achieve the stronger notion that [SXY18] requires for tight security, and the tight proof of [SXY18] is then applied to the derandomized and punctured scheme. The strategy of [HKSU18] was deliberately chosen to deal with correctness errors: the tight proof of [SXY18] could not trivially be generalized to non-perfect schemes in a way such that the result would still be meaningful for most lattice-based encryption schemes. Our work deals with correctness errors in a modular way by introducing an additional intermediate notion (called FFC).
At the heart of our bound is a new one-way to hiding (O2H) lemma which gives a tighter bound than previous O2H lemmas (Lemma 5). This comes at the cost of limited applicability. O2H lemmas allow us to bound the difference in the success probability of an adversary when replacing its oracle function by a similar function. Previous lemmas lose a factor of roughly the number of the adversary's queries to this oracle, or its square root. Our lemma does not incur any such loss. On the downside, our lemma only applies if the reduction has access to both oracle functions and if the functions differ in only one position. See Table 1 for a comparison.
Some post-quantum schemes feature an inherent probability of decryption failure, say δ > 0. Such failures can be used in attacks, but they also complicate security proofs. As a result, previous bounds typically contain a term q·√δ which is not known to be tight. However, most of the obstacles that arise in our CCA security proof can be avoided by assuming that encryption with a particular public key is injective (after derandomization). This is generally the case, even for imperfectly-correct systems; see Appendix D for a rough analysis of LWE schemes. In that case, the adversary's advantage is limited to the probability that it actually finds and submits a valid message that fails to decrypt. This means that our bounds apply to deterministic but failure-prone systems like certain earlier BIKE [ABB+19] variants, but our result is limited by the assumption of injectivity.
To date, several variants of the FO transform have been proposed. We consider the four basic transforms U^⊥̸, U^⊥̸_m, U^⊥, U^⊥_m [HHK17] and, in addition, we study U^⊥_m in the presence of key confirmation. The two most notable differences reside in the use of implicit rejection (U^⊥̸, U^⊥̸_m) versus explicit rejection (U^⊥, U^⊥_m), and whether the derivation of the session key depends on the ciphertext (U^⊥̸, U^⊥) or not (U^⊥̸_m, U^⊥_m). Another important decision is the use of key confirmation, which we also partially analyze. We come to the following results. Security with explicit rejection implies security with implicit rejection (Theorem 3). The converse holds if the scheme with explicit rejection also employs key confirmation (Theorem 4). Moreover, security is independent of whether the session key derivation depends on the ciphertext (Theorem 5).
Notation. We will use the following notation throughout the paper.
-For two sets X, Y , we write Y X to denote the set of functions from X to Y .
-Let H : X → Y be a (classical or quantum-accessible) random oracle. Then we denote the programming of H at x ∈ X to some y ∈ Y as H[x → y].
-Let A be an algorithm. If A has access to a classical (resp., quantum-accessible) oracle H, we write A^H and call A an oracle (resp., quantum oracle) algorithm.
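As a classical illustration of this notation, a lazily sampled random oracle with support for programming H[x → y] can be sketched as follows. This is illustrative only: a quantum-accessible oracle cannot be simulated by lazy sampling like this, which is precisely the difficulty the QROM introduces.

```python
import os

class RandomOracle:
    """Classical lazy simulation of a random oracle H : X -> {0,1}^256."""
    def __init__(self):
        self.table = {}    # lazily sampled answers
        self.patches = {}  # programmed points H[x -> y]

    def query(self, x):
        if x in self.patches:            # a programmed value takes priority
            return self.patches[x]
        if x not in self.table:          # sample a fresh uniform output
            self.table[x] = os.urandom(32)
        return self.table[x]

    def program(self, x, y):
        """Reprogram H at x to y, written H[x -> y] in the text."""
        self.patches[x] = y

H = RandomOracle()
H.program("m", b"\x00" * 32)
assert H.query("m") == b"\x00" * 32      # programmed point
assert H.query("m2") == H.query("m2")    # consistent everywhere else
```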
One-way to Hiding

ROM reductions typically simulate the random oracle in order to learn the adversary's queries. In the classical ROM, the adversary cannot learn any information about H(x) without the simulator learning both x and H(x). In the QROM things are not so simple, because measuring or otherwise recording the queries might collapse the adversary's quantum state and change its behavior. However, under certain conditions the simulator can learn the queries using "One-way to Hiding" (O2H) techniques going back to [Unr15]. We will use the O2H techniques from [AHU19], and introduce a novel variant that allows for tighter results. Consider two quantum-accessible oracles G, H : X → Y. The oracles do not need to be random. Suppose that G and H differ only on some small set S ⊂ X, meaning that ∀x ∉ S, G(x) = H(x). Let A be an oracle algorithm that takes an input z and makes at most q queries to G or H, possibly in parallel. Suppose that the query depth, i.e., the maximum number of sequential invocations of the oracle [AHU19], is at most d ≤ q. If A^G(z) behaves differently from A^H(z), then the O2H techniques give a way for the simulator to find some x ∈ S with probability dependent on d and q.
We will use the following three O2H lemmas.
-Lemma 1 (original O2H) is the most general: the simulator needs to provide only G or H, but it has the least probability of success.
-Lemma 3 (semi-classical O2H) has a greater probability of success, but requires more from the simulator: for each query x, the simulator must be able to recognize whether x ∈ S, and if not it must return G(x) = H(x).
-Lemma 5 (our new "double-sided" O2H) gives the best probability of success, but it requires the simulator to evaluate both G and H in superposition. It also can only extract x ∈ S if S has a single element. If S has many elements, but the simulator knows a function f such that {f(x) : x ∈ S} has a single element, then it can instead extract that element f(x).
We summarize the three variants of O2H in Table 1. In all cases, there are two oracles H and G that differ in some set S, and the simulator outputs x ∈ S with some probability ε. Each lemma then shows an upper bound on the difference between A^H and A^G as a function of ε.

Arbitrary joint distribution. The O2H lemmas allow (G, H, S, z) to be random with arbitrary joint distribution. This is stronger than (G, H, S, z) being arbitrary fixed objects, because the probabilities in the lemmas include the choice of (G, H, S, z) in addition to A's coins and measurements. Also, the lemmas remain true if the adversary consults other oracles which are also drawn from a joint distribution with (G, H, S, z).

Original O2H
We begin with the original O2H lemma, which first appeared in [Unr15]. We use the phrasing from [AHU19] as it is more general and more consistent with our other lemmata.
Lemma 1 (One-way to hiding; [AHU19] Theorem 3). Let G, H : X → Y be random functions, let z be a random value, and let S ⊂ X be a random set such that ∀x ∉ S, G(x) = H(x). (G, H, S, z) may have arbitrary joint distribution. Furthermore, let A^H be a quantum oracle algorithm which queries H with depth at most d. Let Ev be an arbitrary classical event. Define an oracle algorithm B^H(z) as follows: Pick i ←$ {1, ..., d}. Run A^H(z) until just before its ith round of queries to H. Measure all query input registers in the computational basis, and output the set T of measurement outcomes. Let

P_left := Pr[Ev : A^H(z)], P_right := Pr[Ev : A^G(z)], P_guess := Pr[S ∩ T ≠ ∅ : T ← B^H(z)].

Then

|P_left − P_right| ≤ 2d·√P_guess and |√P_left − √P_right| ≤ 2d·√P_guess.

The same result holds with B^G(z) instead of B^H(z) in the definition of P_guess.
From this lemma we conclude the following result for pseudo-random functions (PRFs, see Definition 10). It intuitively states that a random oracle makes a good PRF, even if the distinguisher is given full access to the random oracle in addition to the PRF oracle.
Corollary 1 (PRF based on random oracle). Let H : (K × X) → Y be a quantum-accessible random oracle. This function may be used as a quantum-accessible PRF F_k(x) := H(k, x) with a key k ←$ K. Suppose a PRF-adversary A makes q queries to H at depth d, and any number of queries to F_k at any depth. Then

Adv^PRF(A) ≤ 2·√(qd/|K|).

Proof. The adversary's goal is to distinguish (F_k, H) from (F, H), where F is an unrelated uniformly random function. This is the same as distinguishing (F, H[(k, x) → F(x)]) from (F, H), and the set of differences between these two H-oracles is S := {k} × X. By Lemma 1, the distinguishing advantage is at most 2d·√P_guess. Since A^{F,H} has no information about k, and in expectation each measured query set contains q/d parallel queries, we have P_guess ≤ q/(d·|K|), and the claimed bound follows. Note that Corollary 1 is the same as [SXY18] Lemma 2.2 and [XY19] Lemma 4, except that it takes query depth into account.
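The construction F_k(x) := H(k, x) can be sketched classically, with SHA-256 standing in (heuristically) for the random oracle H; the domain-separation byte and key length below are illustrative choices, not from the paper:

```python
import hashlib, os

def H(k: bytes, x: bytes) -> bytes:
    # SHA-256 stands in for the random oracle H : K x X -> Y.
    # The length-prefix framing avoids ambiguity between (k, x) splits.
    return hashlib.sha256(len(k).to_bytes(2, "big") + k + x).digest()

def prf_keygen() -> bytes:
    return os.urandom(32)            # k <-$ K with |K| = 2^256

def F(k: bytes, x: bytes) -> bytes:
    return H(k, x)                   # F_k(x) := H(k, x)

k = prf_keygen()
assert F(k, b"a") == F(k, b"a")      # deterministic under a fixed key
assert F(k, b"a") != F(k, b"b")
```

By Corollary 1, distinguishing F_k from random essentially requires guessing k among the oracle queries, hence the 2·√(qd/|K|) bound.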

Semi-classical O2H
We now move on to semi-classical O2H. Here B is defined in terms of punctured oracles [AHU19], which measure whether the input is in a set S, as defined next.
Definition 1 (Punctured oracle). Let H : X → Y be any function, and S ⊂ X be a set. The oracle H\S ("H punctured by S") takes as input a value x. It first computes whether x ∈ S into an auxiliary qubit p, and measures p. Then it runs H(x) and returns the result. Let Find be the event that any of the measurements of p returns 1.
The event is called Find because if the simulator chooses to, it can immediately terminate the simulation and measure the value x ∈ S which caused the event. The oracle is called "punctured" because if Find does not occur, H\S returns a result independent of H's outputs on S, as shown by the following lemma.
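A classical analogue of the punctured oracle and the Find event can be sketched as follows. The quantum subtlety, namely that the membership test is a state-disturbing measurement, has no classical counterpart; here it is just bookkeeping:

```python
import os

class PuncturedOracle:
    """Classical analogue of H \\ S: test x in S before answering and
    record the Find event, remembering a witness the simulator could output."""
    def __init__(self, H, S):
        self.H, self.S = H, set(S)
        self.find = False            # has any "measurement of p" returned 1?
        self.witness = None

    def query(self, x):
        if x in self.S:              # the measurement of the auxiliary qubit p
            self.find = True
            self.witness = x         # simulator may stop and output x in S
        return self.H(x)

table = {}
def H(x):
    # lazily sampled stand-in random oracle
    return table.setdefault(x, os.urandom(16))

O = PuncturedOracle(H, S={"secret"})
O.query("hello")
assert not O.find
O.query("secret")
assert O.find and O.witness == "secret"
```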
Lemma 2 (Puncturing is effective; [AHU19] Lemma 1). Let G, H : X → Y be random functions, let z be a random value, and let S ⊂ X be a random set such that ∀x ∉ S, G(x) = H(x). (G, H, S, z) may have arbitrary joint distribution. Let A^H be a quantum oracle algorithm. Let Ev be an arbitrary classical event. Then

Pr[Ev ∧ ¬Find : A^{G\S}(z)] = Pr[Ev ∧ ¬Find : A^{H\S}(z)].

Also, puncturing only disturbs the adversary's state when it is likely to Find.
Lemma 3 (Semi-classical O2H; [AHU19] Theorem 1). Let G, H : X → Y be random functions, let z be a random value, and let S ⊂ X be a random set such that ∀x ∉ S, G(x) = H(x). (G, H, S, z) may have arbitrary joint distribution. Let A^H be a quantum oracle algorithm which queries H with depth at most d. Let Ev be an arbitrary classical event and let

P_left := Pr[Ev : A^H(z)], P_right := Pr[Ev : A^G(z)], P_find := Pr[Find : A^{H\S}(z)].

Then

|P_left − P_right| ≤ 2·√(d·P_find) and |√P_left − √P_right| ≤ 2·√(d·P_find).

The theorem also holds with bound (d + 1)·P_find for the alternative definitions of P_right given in [AHU19].

We might expect that if the adversary has no information about S, then P_find would be at most q|S|/|X|. But this is not quite true: the disturbance caused by puncturing gives the adversary information about S. This increases A's chances, but only by a factor of 4, as explained next.
Lemma 4 (Search in semi-classical oracle; [AHU19] Theorem 2). Let H : X → Y be a random function, let z be a random value, and let S ⊂ X be a random set. (H, S, z) may have arbitrary joint distribution. Let A^H be a quantum oracle algorithm which queries H at most q times with depth at most d. Let B^H(z) and P_guess be defined as in Lemma 1. Then

Pr[Find : A^{H\S}(z)] ≤ 4d·P_guess.

In particular, if for each x ∈ X, Pr[x ∈ S] ≤ ε (conditioned on z, on other oracles A has access to, and on other outputs of H), then Pr[Find : A^{H\S}(z)] ≤ 4qε.

Double-sided O2H
We augment these lemmas with a new O2H lemma which achieves a tighter bound by focusing on a special case. This focus comes at the price of limited applicability. Our lemma applies when the simulator can simulate both G and H. It also requires that S is a single element; alternatively, if some function f is known such that f(S) is a single element, the simulator can extract f(S).
Lemma 5 (Double-sided O2H). Let G, H : X → Y be random functions, let z be a random value, and let S ⊂ X be a random set such that ∀x ∉ S, G(x) = H(x). (G, H, S, z) may have arbitrary joint distribution. Let A^H be a quantum oracle algorithm. Let f : X → W ⊆ {0, 1}^n be any function, and let f(S) denote the image of S under f. Let Ev be an arbitrary classical event.
We will define another quantum oracle algorithm B^{G,H}(z). This B runs in about the same amount of time as A, but when A queries H, B queries both G and H, and also runs f twice. Let

P_left := Pr[Ev : A^H(z)], P_right := Pr[Ev : A^G(z)], P_extract := Pr[B^{G,H}(z) ∈ f(S)].

Fig. 1. Relations of our security notions using transforms T and U^⊥̸ (above) and relations between the security of different types of U-constructions (below). The solid lines show implications which are tight with respect to powers of q and/or d, and the dashed line shows a non-tight implication. The hooked arrows indicate theorems with ε-injectivity constraints.
If f(S) = {w*} is a single element, then B will only return ⊥ or w*, and furthermore

|P_left − P_right| ≤ 2·√P_extract and |√P_left − √P_right| ≤ 2·√P_extract.

Proof. See Appendix B.
Note that if S = {x*} is already a single element, then we may take f to be the identity. In this case B will return either ⊥ or x*.
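The following classical toy captures the intuition behind the double-sided extractor: a simulator that can evaluate both oracles spots the differing input the moment it is queried. The quantum lemma is subtler, since B must embed both oracles coherently (see Appendix B); all names below are illustrative.

```python
def double_sided_extract(A, G, H, f):
    """Run A with oracle H; whenever a query x has G(x) != H(x), that x must
    lie in S, so record f(x). Returns f(x*) or None if S was never queried."""
    found = []
    def oracle(x):
        if G(x) != H(x):          # x is in S = {x*}
            found.append(f(x))
        return H(x)
    A(oracle)
    return found[0] if found else None

G = lambda x: x % 7
H = lambda x: (x % 7) if x != 3 else 42     # the oracles differ only at S = {3}
A = lambda O: [O(x) for x in range(5)]      # an "adversary" querying 0..4
assert double_sided_extract(A, G, H, f=lambda x: x) == 3
```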

KEM and PKE Security Proofs
We are now ready to get to the core of our work. All the relevant security notions are given in Appendix A. The implications are summarized in Figure 1. The following theorem shows that if a PKE P is IND-CPA secure, then T(P, G) is one-way secure in the quantum-accessible random oracle model.
Theorem 1. Let P be an rPKE with messages in M and random coins in R. Let G : M → R be a quantum-accessible random oracle. Let A be an OW-CPA adversary against P′ := T(P, G). Suppose that A queries G at most q times with depth at most d. Then we can construct an IND-CPA adversary B against P, running in about the same time and resources as A, such that

Adv^{OW-CPA}_{P′}(A) ≤ (d + 2)·(Adv^{IND-CPA}_P(B) + 8(q + 1)/|M|).

Proof. See Appendix C.
Second preimages. In the traditional definition of one-way functions, the adversary wins by finding any m′ where Encr(pk, m′) = c*, whereas in our definition (cf. Definition 7) of OW-CPA the adversary must find m* itself. This only matters if there is a second preimage, and thus a decryption failure. If P is δ-correct and ε-injective, it is easily shown that a definition allowing second preimages adds at most min(δ, ε) to the adversary's OW-CPA advantage.
Hashing the public key. Many KEMs use a variant of T which sets the coins to G(pk, m). This is a countermeasure against multi-key attacks. In this paper we only model single-key security, so we omit pk from the hashes for brevity. The same also applies to the other transforms later in this paper, such as U^⊥̸.

Instead, we use injectivity and a game where the adversary tries to find ciphertexts which are valid but do not decrypt correctly.

Deterministic
Definition 2 (Valid ciphertext). Let P = (Keygen, Encr, Decr) be a dPKE. Call a ciphertext c "valid" for a public key pk of P if there exists m such that c = Encr(pk, m).
We introduce a new failure-finding experiment to capture the probability that the adversary can find valid ciphertexts that cause a decryption failure.
Definition 3 (Finding Failing Ciphertexts). The find-failing-ciphertexts experiment (FFC) is shown in Figure 2. The FFC-advantage of an adversary A is defined by Adv^FFC_P(A) := Pr[Expt^FFC_P(A) ⇒ 1].

The U^⊥̸ transform [HHK17] converts a dPKE P = (Keygen_P, Encr, Decr) into a KEM K = (Keygen, Encaps, Decaps) using a PRF F : K_F × C → K and a hash function H : M × C → K, modeled as a random oracle. The PRF is used for implicit rejection, returning F(prfk, c) in case of an invalid ciphertext, using a secret key prfk. The U^⊥̸ transform is defined in Figure 3. We also describe variants U^⊥̸_m, U^⊥, U^⊥_m of this transform from [HHK17], which make the following changes:

-On Encaps line 3 resp. Decaps line 7, the transformations U^⊥̸_m and U^⊥_m derive the session key as H(m) instead of H(m, c).
-On Decaps lines 4 and 6, the transformations U^⊥ and U^⊥_m return ⊥ instead of F(prfk, c). These variants also do not need prfk as part of the private key.
The transforms U^⊥ and U^⊥_m are said to use explicit rejection because they return an explicit failure symbol ⊥. U^⊥̸ and U^⊥̸_m are said to use implicit rejection.
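To make the control flow concrete, here is a toy sketch of U^⊥̸ with re-encryption checking and implicit rejection. The XOR-with-tag "PKE" is a placeholder, not a real scheme, and SHA-256 stands in for H and F; every name below is illustrative.

```python
import hashlib, os

def H(m, c):    return hashlib.sha256(b"H" + m + c).digest()
def F(prfk, c): return hashlib.sha256(b"F" + prfk + c).digest()

def pke_keygen():
    k = os.urandom(32)
    return k, k                        # toy dPKE: pk = sk_P (NOT secure)

def pke_encr(pk, m):                   # deterministic toy encryption with a tag
    body = bytes(a ^ b for a, b in zip(m, pk))
    return body + hashlib.sha256(b"T" + m).digest()[:4]

def pke_decr(sk_P, c):
    return bytes(a ^ b for a, b in zip(c[:32], sk_P))

def keygen():
    pk, sk_P = pke_keygen()
    prfk = os.urandom(32)              # prfk <-$ K_F
    return pk, (pk, sk_P, prfk)

def encaps(pk):
    m = os.urandom(32)
    c = pke_encr(pk, m)
    return c, H(m, c)                  # session key K := H(m, c)

def decaps(sk, c):
    pk, sk_P, prfk = sk
    m = pke_decr(sk_P, c)
    if pke_encr(pk, m) == c:           # re-encryption check: is c valid?
        return H(m, c)
    return F(prfk, c)                  # implicit rejection: pseudorandom key

pk, sk = keygen()
c, K = encaps(pk)
assert decaps(sk, c) == K
c_bad = c[:-1] + bytes([c[-1] ^ 1])    # corrupt the ciphertext
assert decaps(sk, c_bad) != K          # rejected: unrelated-looking key, no ⊥
```

The explicit-rejection variants U^⊥ and U^⊥_m would return a failure symbol in the last line of decaps instead of F(prfk, c).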

Keygen():
1 (pk, sk_P) ← Keygen_P()
2 prfk ←$ K_F
3 sk ← (sk_P, prfk)
4 return (pk, sk)

The next theorem states that breaking the IND-CCA security of U^⊥̸(P, F, H) requires either breaking the OW-CPA security of P, causing a decapsulation failure, or breaking the PRF used for implicit rejection. In particular, we need P to be an ε-injective dPKE as in Definition 6.
Theorem 2. Let H : M × C → K be a quantum-accessible random oracle and F : K_F × C → K be a PRF. Let P be an ε-injective dPKE which is independent of H. Let A be an IND-CCA adversary against the KEM U^⊥̸(P, F, H), and suppose that A makes at most q_dec decryption queries. Then we can construct three adversaries running in about the same time and resources as A:

-an OW-CPA-adversary B_1 against P,
-a FFC-adversary B_2 against P, returning a list of at most q_dec ciphertexts,
-a PRF-adversary B_3 against F,

such that A's IND-CCA advantage is bounded by the sum of the advantages of B_2 and B_3, the square root of the advantage of B_1, and the injectivity bound ε (up to small constant factors; the exact bound follows from the game hops below). In the common case that F(prfk, c) is implemented as H(prfk, c), the PRF advantage of B_3 can in turn be bounded via Corollary 1 in terms of the q queries that A makes at depth d.

Proof. Our proof is by a series of games. In some later games, we will define an outcome "draw" which is distinct from a win or a loss. A draw counts as halfway between a win and a loss, as described by the adversary's score

w_i := Pr[A wins Game i] + (1/2)·Pr[Game i ends in a draw].

Game 0 (IND-CCA). This is the original IND-CCA game against the KEM U^⊥̸(P, F, H), cf. Definition 12.
Game 1 (PRF is random). Game 1 is the same as Game 0, except the simulator replaces F(prfk, ·) with a random function R : C → K. We construct a PRF-adversary B_3 (cf. Definition 10) which replaces its calls to F(prfk, ·) by calls to its oracle, runs A, and outputs 1 if A wins and 0 otherwise. By construction, |w_1 − w_0| ≤ Adv^PRF_F(B_3).

Game 2 (Draw on fail or non-injective pk). Let Fail be the event that one or more of A's decapsulation queries D(c) fails to decrypt, meaning that c = Encr(pk, m) for some m, but Decr(sk, c) ≠ m. Let NonInj be the event that Encr(pk, ·) is not injective, and let Draw := Fail ∨ NonInj. In Game 2 and onward, if Draw occurs then the game continues, but at the end it is a draw instead of the adversary winning or losing.
It is important to note that the event Draw is a well-defined classical event and does not depend on H, even though the simulator might not be able to determine efficiently whether it occurred.
Game 3 (Reprogram H(m, c) to R(c)). Game 3 is the same as Game 2, but the simulator reprograms H at each point (m, c) with c = Encr(pk, m) to return R(c).

This produces the same win and draw probabilities as Game 2, as explained next. For each m, the value H(m, Encr(pk, m)) is changed to a uniformly, independently random value, except when the game is already a draw.

Game 4 (Decapsulation oracle returns R(c)). Game 4 is the same as Game 3, but the simulated decapsulation oracle simply returns R(c) for all ciphertexts other than the challenge (for which it still returns ⊥).

In fact, the decapsulation oracle was already doing this in Game 3: the original decapsulation returns either H(m, c) with c = Encr(pk, m), or F(prfk, c), but both of those have been reprogrammed to return R(c). Therefore w_4 = w_3 and d_4 = d_3. As of this game, the simulator no longer uses the private key.
Bound draw. We now want to upper-bound the draw probability. Let B_2 be the algorithm which, given a public key pk, simulates Game 4 for A and outputs a list L of all of A's decapsulation queries. Then B_2 is a FFC-adversary against P which runs in about the same time as A and succeeds whenever Fail occurred during the game. Consequently, d_4 ≤ Adv^FFC_P(B_2) + ε, where the ε term accounts for NonInj.

Game 5 (Change shared secret). In Game 5, the shared secret is changed to a uniformly random value r. If b = 1, then for all m such that Encr(pk, m) = c*, the oracle H(m, c*) is reprogrammed to return r. If b = 0, then H is not reprogrammed.
If Encr(pk, ·) is injective, then this is the same distribution as Game 4, and otherwise the game is a draw. Therefore w_5 = w_4. It remains to bound A's advantage in Game 5. The simulation still runs in about the same time as A. Suppose at first that Encr(pk, ·) is injective, so that the oracle H is reprogrammed only at m*. Then the b = 0 and b = 1 cases are distinguished by a single return value of the H oracle. Hence, we can consider the two oracles H and H′ := H[m* → r] as required by Lemma 5. Lemma 5 then states that there is an algorithm B_1, running in about the same time as A, such that for all H the difference in A's success probability between the two cases is at most 2·√(Pr[B_1 returns m*]). The same inequality holds if Encr(pk, ·) is not injective, for then the game is always a draw and the left-hand side is zero. (The algorithm B_1 still runs with the same efficiency in that case; it just might not return m*.) The inequality also holds in expectation over H by Jensen's inequality. Since b is either 0 or 1, each with probability 1/2, the triangle inequality bounds A's advantage in Game 5 by 2·√(Adv^{OW-CPA}_P(B_1)). Summing up the differences in the previous games yields the claimed bound. This completes the proof of Theorem 2.
Tightness. This bound is essentially tight, since breaking the one-wayness of P and finding decryption failures are both known to result in attacks. Breaking the PRF harms security if and only if implicit rejection is more secure than explicit rejection. For a correct P, the bound boils down to the first two terms of the sum. The square-root loss arises from OW being a weaker security notion than IND [MW18], i.e., harder to break, and recent results [JZM19b] suggest that the square-root loss might be unavoidable in the quantum setting.

Decryption failures
When the dPKE is constructed by derandomizing an rPKE, we can also bound the FFC advantage.
Lemma 6. Let P = (Keygen, Encr, Decr) be a δ-correct rPKE with messages in M and randomness in R. Let G : M → R be a random oracle, so that T(P, G) := (Keygen, Encr_1, Decr) is a derandomized version of P. Suppose that T(P, G) is ε-injective. Let A be a FFC adversary against T(P, G) which makes at most q queries at depth d to G and returns a list of at most q_dec ciphertexts. Then

Adv^FFC_{T(P,G)}(A) ≤ q_dec·δ + √((4dδ + 3ε·q_dec)(q + q_dec)) + ε.

Note that if ε is negligible, and if the adversary can recognize which ciphertexts will fail, then this is a Grover bound.
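The derandomization T(P, G), i.e., Encr_1(pk, m) := Encr(pk, m; G(m)), can be sketched as follows. The toy rPKE below is a stand-in (not decryptable), chosen only to show that deriving the coins from the message makes encryption deterministic; all names are illustrative.

```python
import hashlib, os

def G(m):
    return hashlib.sha256(b"G" + m).digest()     # random oracle G : M -> R

def encr(pk, m, coins):
    # toy randomized encryption taking explicit coins (not invertible;
    # only the determinism of the derandomized version matters here)
    return hashlib.sha256(pk + m + coins).digest()

def encr1(pk, m):
    # T(P, G): fix the coins to G(m), so the same m always yields the same c
    return encr(pk, m, G(m))

pk = os.urandom(32)
assert encr1(pk, b"msg") == encr1(pk, b"msg")    # deterministic
assert encr1(pk, b"msg") != encr1(pk, b"other")
```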

Explicit rejection and key confirmation
We now turn to systems with explicit rejection or key confirmation. The next theorem shows that the transform U^⊥ (with explicit rejection) never yields KEMs that are more secure than KEMs constructed via U^⊥̸ (with implicit rejection).
Theorem 3 (Explicit → implicit). Let P be a dPKE. Let A be an IND-CCA adversary against U^⊥̸(P, F, H). Then there is an IND-CCA adversary B against U^⊥(P, H), running in about the same time and with the same resources as A, such that

Adv^{IND-CCA}_{U^⊥̸(P,F,H)}(A) = Adv^{IND-CCA}_{U^⊥(P,H)}(B).

Proof. The only difference between U^⊥(P, H) and U^⊥̸(P, F, H) is that where the former rejects a ciphertext c by returning ⊥, the latter instead returns F(prfk, c). So the adversary B can simply choose a random PRF key prfk, run A, and output A's result. B forwards all of A's queries to its own oracles and returns the responses, with the only difference that whenever the decapsulation oracle returns ⊥, B returns F(prfk, c) to A. The algorithm B perfectly simulates the IND-CCA game for U^⊥̸(P, F, H), and hence A succeeds with the same probability as in the original game.
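The reduction B can be sketched as a wrapper around the explicit-rejection decapsulation oracle. The toy rejection rule and all names below are illustrative; None plays the role of ⊥.

```python
import hashlib, os

def F(prfk, c):
    return hashlib.sha256(prfk + c).digest()   # SHA-256 stands in for the PRF

def make_implicit_decaps(explicit_decaps):
    """B's simulation: turn an explicit-rejection oracle into an
    implicit-rejection oracle by replacing every rejection with F(prfk, c)."""
    prfk = os.urandom(32)                      # B picks its own PRF key
    def implicit_decaps(c):
        k = explicit_decaps(c)
        return F(prfk, c) if k is None else k  # substitute the rejection
    return implicit_decaps

# toy explicit oracle: reject odd-length ciphertexts, for demonstration only
explicit = lambda c: None if len(c) % 2 else hashlib.sha256(c).digest()

D = make_implicit_decaps(explicit)
assert D(b"ab") == hashlib.sha256(b"ab").digest()  # accepted: forwarded as-is
assert D(b"abc") is not None                       # rejected: pseudorandom key
```

Since the substitution is exactly how U^⊥̸ defines rejection, the simulation is perfect and B inherits A's advantage.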
On the other hand, explicit rejection is secure if key confirmation is used. Key confirmation refers to adding a hash of the message to the ciphertext. Let τ be the number of bits desired for the key-confirmation tag. For a PKE P = (Keygen, Encr, Decr), define the transform C(P, H_t, τ) := (Keygen, Encr_1, Decr_1) using a random oracle H_t : M → {0, 1}^τ as in Figure 4.
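A sketch of the key-confirmation transform C(P, H_t, τ): append a τ-bit tag H_t(m) to the ciphertext, and reject at decryption when the tag does not match. The identity placeholder in place of the real PKE and the tag length are illustrative assumptions.

```python
import hashlib

TAU = 64                                          # tag length in bits (example)

def H_t(m):
    return hashlib.sha256(b"t" + m).digest()[:TAU // 8]   # H_t : M -> {0,1}^tau

def encr1(pk, m):
    # Encr_1(pk, m) := (Encr(pk, m), H_t(m)); the toy "Encr" is the identity
    return (m, H_t(m))

def decr1(sk, ct):
    c, tag = ct
    m = c                                         # toy Decr
    return m if H_t(m) == tag else None           # reject on a bad tag

ct = encr1(b"pk", b"hello")
assert decr1(b"sk", ct) == b"hello"
assert decr1(b"sk", (b"hello", b"\x00" * 8)) is None   # tag mismatch rejected
```

The tag lets the explicit-rejection decapsulation recognize invalid ciphertexts, which is what Theorem 4 exploits.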
Theorem 4 (Implicit → explicit with key confirmation). If A is an IND-CCA adversary against K_1 which makes q_dec decapsulation queries, then it is also an IND-CCA adversary against K_2, and there is a PRF-adversary B against F which uses about the same time and resources as A.

Proof. Deferred to Appendix F.
Finally, we can show that hashing m is equivalent to hashing (m, c) in the next theorem.
Theorem 5 (U_m ↔ U). Let P be a dPKE. Let K_1 = U^⊥(P, H_1) and K_2 = U^⊥_m(P, H_2), where H_1 : M × C → K and H_2 : M → K. Then the IND-CCA security of K_1 and K_2 is equivalent: if there is an adversary A against one, then there is an adversary B against the other, running in about the same time and with the same advantage.
The same is true for U^⊥̸ and U^⊥̸_m.

Proof. This is a simple indifferentiability argument. In both the encapsulation and decapsulation functions, the IND-CCA experiment against K_1 only calls H_1(m, c) when c = Encr(pk, m). So to simulate the K_1-experiment while playing in an IND-CCA experiment against K_2 (with oracle H_2 : M → K), sample a fresh random oracle H′ ←$ K^(M×C) and set H_1(m, c) := H_2(m) if c = Encr(pk, m), and H_1(m, c) := H′(m, c) otherwise. This exactly simulates the IND-CCA experiment against K_1. In the other direction, to simulate the IND-CCA experiment against K_2, it suffices to redirect H_2(m) to H_1(m, Encr(pk, m)).
The same technique works for U^⊥̸ and U^⊥̸_m. It also works for security notions other than IND-CCA, such as OW-CCA, OW-qPVCA, etc. (see for example [JZC+18]).
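The redirection used in the proof can be sketched as follows, with a toy H_1 and dPKE; the only point is the consistency H_2(m) = H_1(m, Encr(pk, m)) on valid pairs.

```python
import hashlib

def H1(m, c):
    return hashlib.sha256(m + b"|" + c).digest()   # H_1 : M x C -> K (toy)

def encr(pk, m):
    return hashlib.sha256(pk + m).digest()         # toy deterministic PKE

def make_H2(pk):
    # Simulate H_2 : M -> K from H_1 via H_2(m) := H_1(m, Encr(pk, m)),
    # exactly the redirection in the proof of Theorem 5.
    return lambda m: H1(m, encr(pk, m))

pk = b"pk"
H2 = make_H2(pk)
assert H2(b"msg") == H1(b"msg", encr(pk, b"msg"))  # consistent on valid pairs
```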
-Keygen() → (pk, sk) is a randomized algorithm that returns a public key pk ∈ PK and a secret key sk ∈ SK.
-Encaps(pk) → (c, κ) is a randomized algorithm that takes as input a public key pk and outputs a ciphertext c as well as a key κ ∈ K.
-Decaps(sk, c) → κ or ⊥ is a deterministic algorithm that takes as input a secret key sk ∈ SK and a ciphertext c, and returns a key κ ∈ K or a failure symbol ⊥ ∉ K.
As before, we use H to denote the space of functions from which the random hash function is sampled if a proof for K is being given in the ROM.
Definition 12 (IND-CCA Advantage). Let K be a KEM. The security experiment Expt^{IND-CCA}_K(A) is defined in Figure 7 for an adversary A against K, given access to a (quantum-accessible) random oracle H and a classical decapsulation oracle D.
We define the advantage of a classical (resp., quantum) adversary A against a KEM K in the classical (resp., quantum-accessible) random oracle model via this experiment.

B Proof of Lemma 5

Lemma 5 (Double-sided O2H). Let G, H : X → Y be random functions, let z be a random value, and let S ⊂ X be a random set such that ∀x ∉ S, G(x) = H(x). (G, H, S, z) may have arbitrary joint distribution. Let A^H be a quantum oracle algorithm. Let f : X → W ⊆ {0, 1}^n be any function, and let f(S) denote the image of S under f. Let Ev be an arbitrary classical event.
We will define another quantum oracle algorithm B^{G,H}(z). This B runs in about the same amount of time as A, but when A queries H, B queries both G and H, and also runs f twice. B^{H,G} replaces A's oracle queries with U_f := T_f ∘ U ∘ T_f†, where T_f(|x, y, b, w⟩) := |x, y, b, w ⊕ (b · f(x))⟩, and T_w is defined analogously with the fixed value w* in place of f(x). In fact, U_f = U_w := T_w ∘ U ∘ T_w†. On the subspace where x ∈ S, we have f(x) = w* by assumption; therefore T_f = T_w and U_f = U_w. On the orthogonal subspace where x ∉ S, we have G(x) = H(x), so the operation U does not depend on b or w; therefore on that subspace U commutes with T_f and T_w, so that U_f = U = U_w. In sum, U_f = U_w is an efficient implementation of the oracle by B^{H,G}.
When A completes, B^{H,G} measures (b, w) in the computational basis. With some probability it measures (1, w*), in which case it outputs w*. Otherwise it measures (0, 0), in which case it outputs ⊥.
The event Ev is classical and well-defined. Therefore whether it occurred is a binary measurement on the final state of A as a density operator. The claimed bound then follows by [AHU19] Lemmas 3 and 4. This completes the proof for unitary adversaries A with a fixed H and G.
For non-unitary adversaries and for random distributions of H and G, we instead end in a mixture of states Ψ_0 resp. Ψ_1, for which the Euclidean distance is not appropriate but the Bures distance [NC00] is. By monotonicity and joint concavity of fidelity (exactly as in [AHU19] Lemmas 6 and 9), the same bound holds for the Bures distance. This completes the proof in the general case.

D Why encryption is usually injective for LWE
Here we outline why we expect Encr_G(pk, ·) to be an injective function for the overwhelming majority of public keys pk in a derandomized PKE based on Learning with Errors (LWE). Consider a typical LWE PKE, where the public key has the form (A, X = sA + e) where s and e are small of dimension n, and ciphertexts have the form (As′ + e′, ⌈Xs′ + e″ + encode(m)⌋). Encryption will fail to be injective for some G if there are coins (s_0, e_0) = G(m_0) and (s_1, e_1) = G(m_1) such that As_0 + e_0 = As_1 + e_1 and ⌈Xs_0 + e_0 + encode(m_0)⌋ = ⌈Xs_1 + e_1 + encode(m_1)⌋.
For correctness, the rounded component is always larger than the message space, and is generally larger than |M|^2. The unrounded component has size at least q^n, which is larger still. The function (s_0, e_0) ↦ As_0 + e_0 is almost a universal hash unless s_0 has large nullity, which is highly unlikely for any secure PKE. So the probability of a collision among fewer than |M|^2 message pairs is not much bigger than q^{−n}, which is negligible.
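The universal-hash behavior of (s, e) ↦ As + e can be checked exhaustively for toy parameters. The tiny dimensions and modulus below are illustrative, not cryptographic; the check counts how often a random A makes the map injective over all small coin pairs.

```python
import itertools, random

q, n, bound, trials = 97, 2, 1, 20     # toy modulus, dimension, coin range
random.seed(0)
small = list(itertools.product(range(-bound, bound + 1), repeat=n))

def injective(A):
    """Is (s, e) -> A s + e (mod q) injective over all small (s, e) pairs?"""
    seen = set()
    for s in small:
        for e in small:
            y = tuple((sum(A[i][j] * s[j] for j in range(n)) + e[i]) % q
                      for i in range(n))
            if y in seen:
                return False
            seen.add(y)
    return True

good = sum(injective([[random.randrange(q) for _ in range(n)] for _ in range(n)])
           for _ in range(trials))
frac = good / trials
assert frac > 0.5   # for the vast majority of A, the map has no collisions
```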

E Proof of Lemma 6
To prove Lemma 6, we first show a result about Bernoulli variables.

Lemma 7. Let {e_i : 1 ≤ i ≤ n} be a collection of n independent Bernoulli variables. Let δ := max_i Pr[e_i = 1], and for each integer j let p_j := Pr[exactly j of the e_i equal 1]. Then p_1^2 − 3·p_0·p_2 ≤ δ^2, and hence p_1 ≤ δ + √(3·p_0·p_2).

Proof. Let ε_i := Pr[e_i = 1], and without loss of generality let the ε_i be given in descending order. Expanding p_0, p_1 and p_2 in terms of the ε_i yields p_1^2 − 3·p_0·p_2 ≤ δ^2 and p_1 ≤ δ + √(3·p_0·p_2), as claimed.

We are now ready to prove Lemma 6.

Lemma 6. Let P = (Keygen, Encr, Decr) be a δ-correct rPKE with messages in M and randomness in R. Let G : M → R be a random oracle, so that T(P, G) := (Keygen, Encr_1, Decr) is a derandomized version of P. Suppose that T(P, G) is ε-injective. Let A be a FFC adversary against T(P, G) which makes at most q queries at depth d to G and returns a list of at most q_dec ciphertexts.
Proof. Essentially, the idea is as follows: the adversary gets an advantage of about √(4dqδ) from querying G in search of failing ciphertexts, and at most q_dec·(δ + √(3ε)) from guessing blindly. The latter term comes from considering the ways that some blind guess could be a failing ciphertext: if it is the encryption of exactly one message, then δ is large, and if it is possibly the encryption of more than one message (e.g., as a general "encryption failed" output), then ε is large. We will formalize this in what follows.

Our OW-CPA to IND-CCA conversion is in the style of [JZM19d]. However, that bound is based on the failure probability δ of a randomized encryption algorithm, whereas ours is based on the difficulty of finding a failure without access to the private key. This means our theorem applies to deterministic but imperfectly-correct algorithms, such as one of the three BIKE variants, BIKE-2 [ABB+19].

Fig. 2. FFC experiment on a dPKE P. The instantiation of H generalizes to any number of random oracles, including zero.
for m′ ≠ m, because Encr(pk, ·) is injective or else the game is a draw.
-H calls R(c) only for valid ciphertexts c = Encr(pk, m′). On the other hand, the decapsulation oracle only calls R(c′) for rejected ciphertexts c′, i.e., ones where c′ ≠ Encr(pk, Decr(sk, c′)). If a valid ciphertext has been rejected and passed to R in this way, then Draw has occurred and the return value of R does not affect w_i or d_i.

Therefore w_3 = w_2 and d_3 = d_2.
Fig. 7. IND-CCA security experiment in the (Q)ROM against an adversary A

P_left := Pr[Ev : A^H(z)], P_right := Pr[Ev : A^G(z)], P_extract := Pr[B^{G,H}(z) ∈ f(S)].

We ensure that if at some step in the computation the state of B^{H,G}_0 is ψ, then during the same step the state of B^{H,G} is T_w(ψ ⊗ |0⟩). Since B^{H,G}_0 replaces the oracle queries with U, B^{H,G} should replace them with U_w := T_w ∘ U ∘ T_w†. (This gives the desired result because T_w commutes with all the steps of A except for the oracle queries.) To do this, let T_f(|x, y, b, w⟩) := |x, y, b, w ⊕ (b · f(x))⟩.

Choose G ←$ R^M. Let Y_m := {r : Decr(sk, Encr(pk, m, r)) = m} be the set of coins such that decryption of m will succeed. Let G′(m) := G(m) if G(m) ∈ Y_m, G′(m) ←$ R if Y_m = ∅, and G′(m) ←$ Y_m otherwise. Thus G′ is uniformly random in the space G of oracles where decryption succeeds if possible. Moreover, G′ is independent of the behavior of messages and ciphertexts for T(P, G) which do not decrypt correctly.

Now, fix (sk, pk) and G′, and let δ′ := max_{m ∈ M} Pr[Decr(sk, Encr(pk, m)) ≠ m] be the failure probability for this keypair. Let DblFail be the event that some ciphertext c is the encryption of two messages m_1 and m_2 such that Decr(sk, c) ∉ {m_1, m_2}. We define ε′ := Pr[DblFail]. Both δ′ and ε′ are independent of G′. In addition, let Fail be the event that A wins the FFC game (see Definition 3), and Ev := Fail ∧ ¬DblFail. By Lemma 1, it holds that

Pr[Ev : A^G(pk)] − Pr[Ev : A^{G′}(pk)] ≤ 2d·√P_guess.

Since, conditioned on G′, G(m) ≠ G′(m) at each m with probability at most δ′, and there are q/d guesses in expectation, it holds furthermore that

2d·√P_guess = √(4d²·P_guess) ≤ √(4dqδ′).

Next we define, for a ciphertext c,

p_1(c) := Pr[∃ unique m ∈ M : c = Encr(pk, m, G(m)) ∧ Decr(sk, c) ≠ m].

(It is important to note that if such an m exists but is not unique, then DblFail occurs.) Furthermore, let p_1 := max_c p_1(c). Since p_1(c) and p_1 are independent of G′, we have Pr[Ev : A^{G′}(pk)] ≤ q_dec·p_1. By Lemma 7, p_1 ≤ δ′ + √(3ε′). Plugging this in and applying the Cauchy-Schwarz corollary √(ab) + √(cd) ≤ √((a + c)(b + d)) gives

Pr[Ev : A^G(pk)] ≤ q_dec·δ′ + √(4dqδ′) + q_dec·√(3ε′) ≤ q_dec·δ′ + √((4dδ′ + 3ε′·q_dec)(q + q_dec)).

Finally, by the definitions of correctness and injectivity (see Definitions 5 and 6, respectively), it holds that δ = E[δ′ : pk, G′] and E[ε′ : pk, G′] ≤ ε. By Jensen's inequality, it holds furthermore that E[√ε′ : pk, G′] ≤ √ε. Hence,

Adv^FFC_{T(P,G)}(A) ≤ E[Pr[Ev : A^G(pk)] : (pk, sk) ← Keygen(), G′ ←$ G] + ε ≤ q_dec·δ + √((4dδ + 3ε·q_dec)(q + q_dec)) + ε.

Table 1. Comparison of O2H variants.