[Resource Topic] 2023/792: On the Fujisaki-Okamoto transform: from Classical CCA Security to Quantum CCA Security

Resource Public-key cryptography
#1

Welcome to the resource topic for 2023/792

Title:
On the Fujisaki-Okamoto transform: from Classical CCA Security to Quantum CCA Security

Authors: Jiangxia Ge, Tianshu Shan, Rui Xue

Abstract:

The Fujisaki-Okamoto (\textsf{FO}) transformation (CRYPTO 1999 and Journal of Cryptology 2013) and its KEM variants (TCC 2017) are used to construct \textsf{IND-CCA}-secure PKE or KEM schemes in the random oracle model (ROM).

In the post-quantum setting, the ROM is extended to the quantum random oracle model (QROM), and the \textsf{IND-CCA} security of \textsf{FO} transformation and its KEM variants in the QROM has been extensively analyzed. Grubbs et al. (EUROCRYPTO 2021) and Xagawa (EUROCRYPTO 2022) then focused on security properties other than \textsf{IND-CCA} security, such as the anonymity aganist chosen-ciphertext attacks (\textsf{ANO-CCA}) of \textsf{FO} transformation in the QROM.

Beyond the post-quantum setting, Boneh and Zhandry (CRYPTO 2013) considered quantum adversaries that can perform the quantum chosen-ciphertext attacks (\textsf{qCCA}). However, to the best of our knowledge, there are few results on the \textsf{IND-qCCA} or \textsf{ANO-qCCA} security of \textsf{FO} transformation and its KEM variants in the QROM.

In this paper, we define a class of security games called the oracle-hiding game, and provide a lifting theorem for it. This theorem lifts the security reduction of oracle-hiding games in the ROM to that in the QROM.
With this theorem, we prove the \textsf{IND-qCCA} and \textsf{ANO-qCCA} security of transformation \textsf{FO}^{\slashed{\bot}}, \textsf{FO}^{\bot}, \textsf{FO}_m^{\slashed{\bot}} and \textsf{FO}_m^\bot, which are KEM variants of \textsf{FO}, in the QROM.

Moreover, we prove the \textsf{ANO-qCCA} security of the hybrid PKE schemes built via the KEM-DEM paradigm, where the underlying KEM schemes are obtained by \textsf{FO}^{\slashed{\bot}}, \textsf{FO}^{\bot}, \textsf{FO}_m^{\slashed{\bot}} and \textsf{FO}_m^\bot. Notably, for those hybrid PKE schemes, our security reduction
shows that their anonymity is independent of the security of their underlying DEM schemes. Hence, our result simplifies the anonymity analysis of the hybrid PKE schemes that obtained from the \textsf{FO} transformation.

ePrint: https://eprint.iacr.org/2023/792

See all topics related to this paper.

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics .