Paper 2023/007

Post-Quantum Security of Key Encapsulation Mechanism against CCA Attacks with a Single Decapsulation Query

Haodong Jiang, Henan Key Laboratory of Network Cryptography Technology
Zhi Ma, Henan Key Laboratory of Network Cryptography Technology
Zhenfeng Zhang, Institute of Software, Chinese Academy of Sciences
Abstract

Recently, in post-quantum cryptography migration, it has been shown that an IND-1-CCA-secure key encapsulation mechanism (KEM) is required for replacing an ephemeral Diffie-Hellman (DH) in widely-used protocols, e.g., TLS, Signal, and Noise. IND-1-CCA security is a notion similar to the traditional IND-CCA security except that the adversary is restricted to one single decapsulation query. At EUROCRYPT 2022, based on CPA-secure public-key encryption (PKE), Huguenin-Dumittan and Vaudenay presented two IND-1-CCA KEM constructions called $T_{CH}$ and $T_H$, which are much more efficient than the widely-used IND-CCA-secure Fujisaki-Okamoto (FO) KEMs. The security of $T_{CH}$ was proved in both random oracle model (ROM) and quantum random oracle model (QROM). However, the QROM proof of $T_{CH}$ relies on an additional ciphertext expansion. While, the security of $T_H$ was only proved in the ROM, and the QROM proof is left open. In this paper, we prove the security of $T_H$ and $T_{RH}$ (an implicit variant of $T_H$) in both ROM and QROM with much tighter reductions than Huguenin-Dumittan and Vaudenay's work. In particular, our QROM proof will not lead to ciphertext expansion. Moreover, for $T_{RH}$, $T_H$ and $T_{CH}$, we also show that a $O(1/q)$ ($O(1/q^2)$, resp.) reduction loss is unavoidable in the ROM (QROM, resp.), and thus claim that our ROM proof is optimal in tightness. Finally, we make a comprehensive comparison among the relative strengths of IND-1-CCA and IND-CCA in the ROM and QROM.

Metadata
Available format(s)
PDF
Category
Public-key cryptography
Publication info
A minor revision of an IACR publication in ASIACRYPT 2023
Keywords
quantum random oracle modelkey encapsulation mechanism1CCA securitytightnessKEM-TLS
Contact author(s)
hdjiang13 @ gmail com
mzh2830 @ 163 com
zhenfeng @ iscas ac cn
History
2023-09-14: last of 2 revisions
2023-01-02: received
See all versions
Short URL
https://ia.cr/2023/007
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2023/007,
      author = {Haodong Jiang and Zhi Ma and Zhenfeng Zhang},
      title = {Post-Quantum Security of Key Encapsulation Mechanism against {CCA} Attacks with a Single Decapsulation Query},
      howpublished = {Cryptology {ePrint} Archive, Paper 2023/007},
      year = {2023},
      url = {https://eprint.iacr.org/2023/007}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.