Paper 2023/007
Post-Quantum Security of Key Encapsulation Mechanism against CCA Attacks with a Single Decapsulation Query
Abstract
Recently, in post-quantum cryptography migration, it has been shown that an IND-1-CCA-secure key encapsulation mechanism (KEM) is required for replacing an ephemeral Diffie-Hellman (DH) in widely-used protocols, e.g., TLS, Signal, and Noise. IND-1-CCA security is a notion similar to the traditional IND-CCA security except that the adversary is restricted to one single decapsulation query. At EUROCRYPT 2022, based on CPA-secure public-key encryption (PKE), Huguenin-Dumittan and Vaudenay presented two IND-1-CCA KEM constructions called $T_{CH}$ and $T_H$, which are much more efficient than the widely-used IND-CCA-secure Fujisaki-Okamoto (FO) KEMs. The security of $T_{CH}$ was proved in both random oracle model (ROM) and quantum random oracle model (QROM). However, the QROM proof of $T_{CH}$ relies on an additional ciphertext expansion. While, the security of $T_H$ was only proved in the ROM, and the QROM proof is left open. In this paper, we prove the security of $T_H$ and $T_{RH}$ (an implicit variant of $T_H$) in both ROM and QROM with much tighter reductions than Huguenin-Dumittan and Vaudenay's work. In particular, our QROM proof will not lead to ciphertext expansion. Moreover, for $T_{RH}$, $T_H$ and $T_{CH}$, we also show that a $O(1/q)$ ($O(1/q^2)$, resp.) reduction loss is unavoidable in the ROM (QROM, resp.), and thus claim that our ROM proof is optimal in tightness. Finally, we make a comprehensive comparison among the relative strengths of IND-1-CCA and IND-CCA in the ROM and QROM.
Metadata
- Available format(s)
- Category
- Public-key cryptography
- Publication info
- A minor revision of an IACR publication in ASIACRYPT 2023
- Keywords
- quantum random oracle modelkey encapsulation mechanism1CCA securitytightnessKEM-TLS
- Contact author(s)
-
hdjiang13 @ gmail com
mzh2830 @ 163 com
zhenfeng @ iscas ac cn - History
- 2023-09-14: last of 2 revisions
- 2023-01-02: received
- See all versions
- Short URL
- https://ia.cr/2023/007
- License
-
CC BY
BibTeX
@misc{cryptoeprint:2023/007, author = {Haodong Jiang and Zhi Ma and Zhenfeng Zhang}, title = {Post-Quantum Security of Key Encapsulation Mechanism against {CCA} Attacks with a Single Decapsulation Query}, howpublished = {Cryptology {ePrint} Archive, Paper 2023/007}, year = {2023}, url = {https://eprint.iacr.org/2023/007} }