FO-like Transformation in QROM & Oracle Cloning

references:

1. [RS91] Rackoff C, Simon D R. Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack[C]//Annual international cryptology conference. Berlin, Heidelberg: Springer Berlin Heidelberg, 1991: 433-444.
2. [BR93] Bellare M, Rogaway P. Random oracles are practical: A paradigm for designing efficient protocols[C]//Proceedings of the 1st ACM Conference on Computer and Communications Security. 1993: 62-73.
3. [FO99] Fujisaki, Eiichiro, and Tatsuaki Okamoto. “Secure integration of asymmetric and symmetric encryption schemes.” Annual international cryptology conference. Berlin, Heidelberg: Springer Berlin Heidelberg, 1999.
4. [OP01] Okamoto T, Pointcheval D. REACT: Rapid enhanced-security asymmetric cryptosystem transform[C]//Topics in Cryptology—CT-RSA 2001: The Cryptographers’ Track at RSA Conference 2001 San Francisco, CA, USA, April 8–12, 2001 Proceedings. Springer Berlin Heidelberg, 2001: 159-174.
5. [CS03] Cramer R, Shoup V. Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack[J]. SIAM Journal on Computing, 2003, 33(1): 167-226.
6. [Dent03] Dent A W. A designer’s guide to KEMs[C]//IMA International Conference on Cryptography and Coding. Berlin, Heidelberg: Springer Berlin Heidelberg, 2003: 133-151.
7. [HNP+03] Howgrave-Graham N, Nguyen P Q, Pointcheval D, et al. The impact of decryption failures on the security of NTRU encryption[C]//Annual International Cryptology Conference. Berlin, Heidelberg: Springer Berlin Heidelberg, 2003: 226-246.
8. [BDF+11] Boneh D, Dagdelen Ö, Fischlin M, et al. Random oracles in a quantum world[C]//Advances in Cryptology–ASIACRYPT 2011: 17th International Conference on the Theory and Application of Cryptology and Information Security, Seoul, South Korea, December 4-8, 2011. Proceedings 17. Springer Berlin Heidelberg, 2011: 41-69.
9. [FO13] Fujisaki E, Okamoto T. Secure integration of asymmetric and symmetric encryption schemes[J]. Journal of cryptology, 2013, 26: 80-101.
10. [TU16] Targhi E E, Unruh D. Post-quantum security of the Fujisaki-Okamoto and OAEP transforms[C]//Theory of Cryptography: 14th International Conference, TCC 2016-B, Beijing, China, October 31-November 3, 2016, Proceedings, Part II 14. Springer Berlin Heidelberg, 2016: 192-216.
11. [HHK17] Hofheinz D, Hövelmanns K, Kiltz E. A modular analysis of the Fujisaki-Okamoto transform[C]//Theory of Cryptography Conference. Cham: Springer International Publishing, 2017: 341-371.
12. [AOP+17] Albrecht M R, Orsini E, Paterson K G, et al. Tightly secure ring-LWE based key encapsulation with short ciphertexts[C]//Computer Security–ESORICS 2017: 22nd European Symposium on Research in Computer Security, Oslo, Norway, September 11-15, 2017, Proceedings, Part I 22. Springer International Publishing, 2017: 29-46.
13. [JZC+18] Jiang H, Zhang Z, Chen L, et al. IND-CCA-secure key encapsulation mechanism in the quantum random oracle model, revisited[C]//Advances in Cryptology–CRYPTO 2018: 38th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 19–23, 2018, Proceedings, Part III 38. Springer International Publishing, 2018: 96-125.
14. [BDG20] Bellare M, Davis H, Günther F. Separate your domains: NIST PQC KEMs, oracle cloning and read-only indifferentiability[C]//Advances in Cryptology–EUROCRYPT 2020: 39th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Zagreb, Croatia, May 10–14, 2020, Proceedings, Part II 30. Springer International Publishing, 2020: 3-32.
15. How to improve PKE security: Naor-Yung, Fischlin, Fujisaki-Okamoto
16. Quantum Computing: Basic Concepts

KEM & THEY

[RS91] gives the concept of IND-CCA security, and [BR93] gives the design paradigm of ROM.

[CS03] first proposed a method based on KEM (Asymmetrickey Key Encapsulation Mechanism) and DEM ( Symmetric Data Encapsulation Mechanism) constructs the design idea of ​​hybrid constructions. [CS03] points out that any IND-CCA KEM (weaker than PKE) combination on any One- time CCA DEM (symmetric encryption), their security attributes need to be independent of each other, then we get anIND-CCA PKE

However, IND-CCA KEM is usually difficult to construct (direct reduction to the underlying difficult problem is very troublesome), so people often construct IND-CPA KEM first, and then use some conversion schemes to obtain IND-CCA KEM

Generally, we use General-Purpose PKE directly as KEM, but it may be more efficient to implement KEM directly.

[Dent03] after popularized and proposed some simple and efficient IND-CCA KEM constructs, including KEM versionsFO and < A modernized description of /span>. REACT/GEM

Security

[HHK17] studied FO-like and found that currently the onlyonly way to improve security from CPA to IND-CCA is actually There are only FO transformations (and their variants). Additionally, the reductionof [FO13] is not tight and requires underlying PKE decryptionwithout error< a i=6>, and some otherstronger requirements. [HHK17] gives a more fine-grained conversion scheme from CPA to CCA, taking into account the robustness to decryption errors in the reduction, and combining them with each other can lead to multiple FO variants. Therefore we first give some security descriptions.

Correctness

Defects of the original [FO99] [FO13] and other variants:

1. In the reduction of FO and REACT/GEM, the decryption of the underlying PKE is required to be perfectly correct. However, LWE-based PKE inevitably introduces noise, resulting in decryption failure.
2. Additionally, the reduction of the original FO transformation is not compact; the reduction of the REACT/GEM transformation is compact, but it requires the underlying PKE to be OW-PCA safe. Due to the equivalence of D-LWE and S-LWE, many natural lattice cipher schemes cannot achieve OW-PCA security.

[HHK17] explained that the definition of decryption correctness for existing lattice ciphers is somewhat subtle, so they used a carefully chosen definition that not only satisfies the FO reduction requirements, but also satisfies this definition for possessive ciphers. .

Correctness (Correctness): We say that a PKE is $\delta$-correct，如果它满足
$$\underset{(sk,pk)\leftarrow Gen(1^{\lambda })}{\mathbb{E}}\left[\underset{m\in M}{\max }\underset{r\leftarrow R}{\mathrm{Pr}}[Dec(sk,c)\ne m\mid c\leftarrow Enc(pk,m;r)]\right]\le \delta$$
This expectation is about $(sk,pk)$, and for each determined public-private key pair, for each message $m$, all about random bands $Decryption\; failure\; probability\; of\; r$.

Or more conveniently, it can be defined based ongame:

For any (unbounded) adversary $A$, Usage:
$$\mathrm{Pr}[CO{R}_{PKE}^A\to 1]\le \delta$$
For RO Model, if the adversary has access to the random oracle $G,H,\cdots$ (several), the number of queries is limited to $q_G,q_H,\cdots$，な么用：
$$\mathrm{Pr}[COR\text{-}R{O}_{PKE}^A\to 1]\le \delta (q_G,q_H,\cdots )$$
Standard Model can be considered as a special case of RO Model (without $q_G$ and other inputs), function $\delta (q_G,q_H,\cdots )$ A certain constant $d$

valid ciphertext (valid ciphertext): decryption function $Dec$ Check whether the ciphertext is valid. For invalid ciphertext, output special symbols ⊥ ∉ M \perp \notin M Dec a>$\perp \notin M$ Display refused.

Injectivity (Injectivity): For all$(sk,pk)\leftarrow Gen$，总是有
$$Enc(pk,m;r)=Enc(pk,m^{\prime };r^{\prime })⟹(m,r)=(m^{\prime },r^{\prime }),\forall m,m^{\prime }\in M,r,r^{\prime }\in R$$
In other words, function$Enc(pk,\cdots ):M\times R\to C$ is an injective, and the necessary condition is$|C|\ge |M|\cdot |R|$ is large enough. At this time, each valid ciphertext can only decrypt a unique message and a unique random band.

Rigidity (Rigidity): This is for deterministic PKE, for all $(sk,pk)\leftarrow Gen$，总是有
$$Dec(sk,c)=\perp \text{ or }Enc(pk,Dec(sk,c))=c$$
In other words, except for illegal ciphertext, valid ciphertext can always decrypt the correct message, and there is no decryption error. Pay attention to the distinction: Reject (identify illegal ciphertext and output special symbols) , failed (the decrypted result is inconsistent with the original message ).

$E\; n\; c\; (\; p\; k\; ,\; m\; ;\; r\; )\; Enc(pk,m;r)$$Enc(pk,m;r)$ 的最小熵
$$\gamma (pk,m):=-\log \underset{c\in C}{\max }\underset{r\leftarrow R}{\mathrm{Pr}}[Enc(pk,m;r)=c]$$
Existential constant $\gamma$ ，满足 $\gamma (pk,m)\ge \gamma ,\forall (pk,sk)\leftarrow Gen,\forall m\in M$. This directly leads to
$$\underset{r\leftarrow R}{\mathrm{Pr}}\left[Enc\right(pk,m;r)=c]\le 2^{-\gamma },\forall c\in C$$
That is, for fixed $(sk,pk)$ 和 $m$，随机带 $r$ makes the encryption of this message high-entropy.

OW & IND

One-Way security (OW): This is a stronger attack target than IND, requiring the adversary to rely on the ciphertext$c^{\ast }\leftarrow Enc(pk,m^{\ast };r)$，找出消息 $m^{\prime }\in M$，满足 $m^{\prime }=Dec(sk,c^{\ast })$

Indistinguishability security (IND): only requires that the adversary cannot distinguish$c^{\ast }$ Which message is it $m_0,m_1$encryption. The attack difficulty is lower than OW, which is a stronger security requirement.

PCA & VA & PCVA

Now we consider the means of attack, where the adversary has access to certain oracles

1. Plaintext Checking OraclePlaintext Checking Oracle): Enter ciphertext $c$ 和消息 $m$，检查 NEWS $m$ Right or wrong is secret sentence $What\; is\; encrypted\; by\; c$ is recorded as $Pwhat(m,c)$
2. Ciphertext Validity OracleCiphertext Validity Oracle): Enter ciphertext$c$，检查三文 $c$ Yes or no meeting $\perp$，记为 $Cvo(c)$

Of course, the ability of the oracle needs to be restricted:

• Clear text check oracle can only answer $m\in Those\; requests\; for\; M$, for requests $(m\notin M,c)$ 应当回复 $\perp$ However $0/1$，否则 $Pwhat(\perp ,C\; v\; o\; (\; c\; )\; Cvo(c)$$Cvo\left(c\right)$
• Ciphertext validity oracle for request $c=c^{\ast }$ 应当回复 $\perp$ However $0/1$，No $Cvo(c^{\ast })$ Classification of availability $c^{Is\; \ast }$ randomly generated (if it is an illegal ciphertext) or correctly encrypted (must be a valid ciphertext)

Now we define PKE’s OW-ATK security, where ATK marks which oracles the adversary has access to:

The corresponding games are:

whileIND-CPA PKE and IND-CCA KEM The definition of security is natural, the game is:

QROM

[BDF+11] gives the concept of Quantum ROM. Basic concepts of quantum mechanics: qubits, quantum registers, orthogonal calculation basis, superposition state, measurement, collapse.

Quantum OraclesQuantum Oracles): It is a mapping
$$|x⟩|y⟩\mapsto |x⟩|y\oplus f(x)⟩$$
inside f : { 0 , 1 } n → { 0 , 1 } m f:\{0,1\}^n \to \{0,1\}^m f:{ 0,1}n→{ 0,1}m is the function to be queried, $x\in \{0,1{\}}^n$ is the classical input (superimposed on the register $|x⟩$ 中），$f(x)\in \{0,1{\}}^m$ This is the summary.

Quantum Adversaries (Quantum Adversaries): recorded as$A^{|f⟩}$，它查询 $f$ Time usage order $IN\circ f$，其中的 $U$ Koretori Sanko.

Quantum Random Oracle Model: Random oracles are quantum access, while other oracles are classical access, including Pco, Cvo , Dec are all classics.

Some articles pointed out that does not existquantum adversary$A^{|f⟩}$，仅仅查询 $q$ Sub-quantum Oracle $|f⟩$，Advertisement $2q$-wise independent function distinguish. Therefore, quantum random oracle $|G$ can be regarded as a finite field$GF\left(2^m\right)$ Upper frequency $2q_H$is a random polynomial, treating the query QRO as the evaluation of this random polynomial.

The decryption failure rate under QROM is defined as
$$\mathrm{Pr}[COR\text{-}QR{O}_{PKE}^A\to 1]\le \delta (q_G)$$
The corresponding game is

Fine-Grained FO

[HHK17] providesfine-grained transformation, first constructing IND-CPA or OW-PCA from OW-CPA, and then Continuing to construct IND-CCA, their reduction is tighter than the previous work.

By combining these fine-grained transformations with each other, you can obtaina variety of FO-like transformations:

In the reduction of the original FO, the underlying PKE is required to beerror-free. But for Lattice-based PKE, decryption failure is often inevitable; decryption failure not only affects FO reduction, but even provides weaknesses: [HNP+03] took advantage of decryption failure under the NTRU standard parameter set and gave Private key recovery attack.

In the reduction of [HHK17]Consider the impact of decryption failure rate, and the reduction process under ROM is better than previous work Tighter. However, the reduction under QROM is very loose, and the U-transform does not even give a reduction under QROM. Later [JZC+18] proved that these conversions of [HHK17] are all QROM safe (the security requirements of the underlying PKE are stronger), and gives a tighter QROM reduction.

T transform

adopted de-randomization (Derandomization) and re-encryption (Re-encryption) structure,

1. It converts any OW-CPA PKE to OW-PCA det.PKE
2. The ROM reduction is compact if the underlying PKE additionally satisfies IND-CPA
3. If the underlying PKE additionally satisfies $\gamma$-spraed, then the obtained det.PKE is also OW-VA

Encrypt-with-Hash construction: Given the underlying encryption scheme $PKE$ Japanese haki function $G$, outgoing $PK{E}_1=T[PKE,G]$ is a deterministic encryption scheme.

加密：将 $G(m)$ 作为随机带，
$$En{c}_1(pk,m):=Enc(pk,m;G(m))$$
解密：先计算 $m^{\prime }\leftarrow Dec(sk,c)$, and then use re-encryption to check the validity of the ciphertext,
$$From{c}_1(sk,c):=\{\begin{array}{rlr}{m}^{\prime },& & [En{c}_1(pk,m^{\prime })=c]\\ \perp ,& & \left[En{c}_1\right(pk,m^{\prime })\ne c]\end{array}$$
Under ROM, the reduction from OW-CPA to OW-PCA is not Tight,

Under ROM, the reduction from IND-CPA to OW-PCA is compact of,

UnderQROM, the transformation T is also safe, but the reduction isnot tight< /span>,

U transform

[HHK17] gives four transformations based on implicit/explicit rejection and the calculation method to generate the shared secret key,

• They convert OW-PCA PKE into IND-CCA KEM
• If PKE is additionally deterministic, then it only needs to be OW-CPA

一、采取 $K=H(c,m)$ conversion scheme (the underlying PKE is arbitrary), packaging algorithm: random sampling$m\leftarrow M$，
$$Encaps(pk):=(c\leftarrow Enc(pk,m;r),K:=H(c,m))$$
Depackaging: first calculate$m^{\prime }\leftarrow Dec(sk,c)$，But then I will refuse to refuse，

1. 隐式拒绝（implicit rejection）
   $$Decap{s}^{/\perp }(sk,c):=\{\begin{array}{rlr}H(c,m^{\prime }),& & [m^{\prime }\ne \perp ]\\ H(c,s),& & [m^{\prime }=\perp ]\end{array}$$
   inside s ∈ { 0 , 1 } n s \in \{0,1\}^n s∈{ 0,1}n is a random seed, as $sk$ target part

2. 显式拒绝（explicit rejection）
   $$Decap{s}^{\perp }(sk,c):=\{\begin{array}{rlr}H(c,m^{\prime }),& & [m^{\prime }\ne \perp ]\\ \perp ,& & [m^{\prime }=\perp ]\end{array}$$
   This is actually KEM version of REACT/GEM transformation, see [Dent03]

二、采取 $K=The\; conversion\; scheme\; of\; H\left(m\right)$ (it PKE is required to bedeterministic, such as the result of T transformation), packaging algorithm: random sampling$m\leftarrow M$，
$$Encap{s}_m(pk):=(c\leftarrow det.Enc(pk,m),K:=H(m))$$
解封装：先计算 $m^{\prime }\leftarrow Dec(sk,c)$，But then I will refuse to refuse，

1. 隐式拒绝（implicit rejection）
   $$Decap{s}_m^{/\perp }(sk,c):=\{\begin{array}{rlr}H(m^{\prime }),& & [m^{\prime }\ne \perp ]\\ H(c,s),& & [m^{\prime }=\perp ]\end{array}$$
   inside s ∈ { 0 , 1 } n s \in \{0,1\}^n s∈{ 0,1}n is a random seed, as $sk$ target part

2. 显式拒绝（explicit rejection）
   $$Decap{s}_m^{\perp }(sk,c):=\{\begin{array}{rlr}H\left(m^{\prime }\right),& & [m^{\prime }\ne \perp ]\\ \perp ,& & [m^{\prime }=\perp ]\end{array}$$
   This is actually the KEM version of the original FO transformation, see [Dent03]

Under ROM, change ${IN}^{\perp }$ 的归约是紧的，

Under ROM, transform ${IN}^{/\perp }$ 的归约是紧的，

Under ROM, change ${IN}_m^{\perp }$The reduction of istight, requiring PKE to be det

Under ROM, transform ${IN}_m^{/\perp }$The reduction of istight, requiring PKE to be det

U transform does not work under QROM.

FO-like CHEM

Now, by combining T transformation and U transformation, we can getfour kinds of FO transformations:

Under ROM, the reduction results of T transformation and U transformation are combined to give the final advantage of the IND-CCA opponent, as well as relevant parameter selection suggestions:

QU transform

can prove that T transformation still works under QROM, but the above four U transformations do not. Slightly modified ${IN}_m^{\perp }$, you can obtain a quantum-safe conversion solution.

Packaging algorithm: random sampling $m\leftarrow M$，Mitsubun 中额外Addition $m$ 的摘要 $d$，requirements $H^{\prime },H$ 是独立的 QRO，
$$QEncap{s}_m(pk):=(ct:=(c\leftarrow Enc(pk,m),d:=H^{\prime }(m)),K:=H(m))$$
解封装：< /span>

1. Explicit rejection: calculate first$m^{\prime }\leftarrow Dec(sk,(c,d))$，然后检查是否拒绝，
   $$QDecap{s}_m^{\perp }(sk,c):=\{\begin{array}{rlr}H(m^{\prime }),& & [m^{\prime }\ne \perp ]\wedge [H^{\prime }(m^{\prime })=d]\\ \perp ,& & [m^{\prime }=\perp ]\vee \left[H^{\prime }\right(m^{\prime })\ne d]\end{array}$$

2. Implicit rejection: calculate first$m^{\prime }\leftarrow Dec(sk,(c,d))$，然后检查是否拒绝，
   $$QDecap{s}_m^{/\perp }(sk,c):=\{\begin{array}{rlr}H\left(m^{\prime }\right),& & [m^{\prime }\ne \perp ]\wedge \left[H^{\prime }\right(m^{\prime })=d]\\ H((c,d),s),& & [m^{\prime }=\perp ]\vee \left[H^{\prime }\right(m^{\prime })\ne d]\end{array}$$

Under QROM, transform $Q{U}_m^{\perp }$The reduction of isnot compact. Note that PKE is no longer required to be det,

Under QROM, transform $Q{U}_m^{/\perp }$The reduction of isnot compact. Note that PKE does not need to be det here.

Besides, there is ROM The lower two are capital紧的.

As much as KEM

Now, we combine T transform and QU transform to gettwo QFO transforms:

above的$G,H,H^{The\; inputs\; of\; \prime }$ are all the same $m$, so when instantiating, you can use a output Hash function that is long enough (NTTRU idea), uniformly calculate the random digest, and then divide it into 3 pieces for use respectively.

S transform

Since the T transformation from OW-CPA to IND-CPA is not compact, [HHK17] gives a trade-off between efficiency and tightness., The use of multiple independent PKE ciphertexts makes it easier to embed the OW-CPA challenge during reduction, and the number of guesses becomes smaller, thereby reducing the loss factor.

Encryption: random sampling $x_1,\cdots ,x_l$, and random band $r_1,\cdots ,r_l$，
$$En{c}_l(pk,m):=(m\oplus F(x_1,\cdots ,x_l),Enc(pk,x_1;r_1),\cdots ,Enc(pk,x_l;r_l))$$
解密：计算 $x_i^{\prime }\leftarrow Dec(sk,c_i),\forall i=1,\cdots ,l$，
$$From{c}_l(sk,(c_0,c_1,\cdots ,c_l))=c_0\oplus F(x_1^{\prime },\cdots ,x_l^{\prime })$$
Under ROM, from OW-CPA to IND-CPA is tight at the cost It is the increase in computing efficiency and the increase in decryption failure rate.

It does not work under QROM.

Reduce RLWE to IND-CCA

[AOP+17] Using the unique weakly homomorphic properties of the underlying RLWE-based PKE, RLWE is directly reduced to IND-CCA KEM, there is no intermediate IND-CPA PKE, and a tight reduction is obtained. It is not a universal conversion, only applicable to lattice ciphers, which they call LIMA (LattILattI a>ce MAthematics). The general results of contrasting [Dent03] are not tight.

In addition, LIMA's IND-CCA KEM does not have ciphertext overhead compared to IND-CPA PKE , and the communication overhead of the two is completely the same.

First, construct IND-CPA secure RLWE-based PKE,

It is then simply transformed into an IND-CCA KEM based on the modernized FO-KEM description of [Dent03],

However, if the universalreduction result of [Dent03] is applied directly (from OW a>-CPA to IND-CCA), it is not tight. [HHK17] has shown that the general construction of [Dent03] is compact for IND-CPA . The above-mentioned RLWE-based PKE is tightly reduced to the RLWE problem, so [AOP+17] can be regarded as a special case of [HHK17].

Aiming at the particularity of LWE, [AOP+17] gives anon-universal compact reduction,

That's in it $Ad{v}^{LWE}$ 游戏是：

Remove the Additional Hash

[BDF+11] gives the concept of Quantum ROM, because the simulator under QROM cannot learn the adversary's RO queries information (There is no RO-query List technology and proved that it means security under QROM. history-free reduction), they introduced a

[TU16] proposes to addadditional length-preserving hash to the ciphertext, which is modeled is RO, then during the reduction process, the simulator can use an independent function to simulate this RO, so that the decryption response can be given directly without the need for a private key. However, some articles believe that it seems that this long-lasting hash is just a reduction technique and does not provide security.

For the Modular FO transformations proposed by [HHK17], they only proved that the transformation T works under QROM, and did not give the reduction of the transformation U under QROM. They used the technique of [TU16] to add an additional hash function to the ciphertext and proved that the transformation QU is secure under QROM.

In general, in order to provide $128$ bit quantum security only needs to make the output length of the hash function $256$ bits. However, the reduction technique of [TU16] strongly relies on length-preserving hashes, but the size of the message space is often much larger than $256$ 性特（Compare NTRU 的为 $1128$ bits), resulting in a larger expansion of the ciphertext size. [JZC+18] developed a new reduction technique under QROM that eliminates the need for the simulator to read adversary RO queries, therebyremoving this hash. They gave a reduction of the transformation U under QROM, and by reducing the number of calls to the one-way to hiding (OW2H) lemma, a reduction to a tighter FO than the QFO of [HHK17].

qPCA & qPVCA & DS Security

[JZK+18] proposed two quantum enhanced security: qPCA and qPVCA , that is, the adversary can quantum access plaintext checking oracle (Pco), but the validity checking oracle (Val) is still classic.

In addition, for deterministic PKE (abbreviationDPKE), you can define a non- StandardSafety: Disjoint Simulatability (Disjoint Simulatability, DS),

All DS-secure DPKEs are OW-qPCA secure, and if the underlying DPKE meets this security, then the QROM reduction of transformation U can be made tighter< /span>.

Modular FO in QROM

The results of [JZK+18] are summarized as follows:

First are the QROM reduction results of [HHK17]'stwo FO transformations,

1. 定义 $KEM\text{-}I:=F{O}^{/\perp }[PKE,G,H]$, inside $G$ used to generate the underlying PKErandom strip $G(m)$，$H$ Usage generationShared secret $H(m,c)$，它们都 Buildingmodel为RO
2. 定义 $KEM\text{-}II:=F{O}_m^{/\perp }[PKE,G,H,f]$, inside $G$ Random band used to generate underlying PKE $G\left(m\right)$，$H$ is used to generate the shared secret $H(m)$，另外的 $f$ is a family of PRF, used for implicit Reject $f_s\left(c\right)$, present [HHK17] Middle school application example $H(s,c)$

Their reduction under QROM is tighter than the QFO of [HHK17] :

Next is the QROM reduction result oftransformation T, abbreviated as$PK{E}^{\prime }=T[PKE,G]$, [HHK17] has proven that its conversion result is OW-CPA safe under QROM, while [JZK+18 ] further demonstrated that it is alsoOW-qPCA safe.

Finally are the QROM reduction results offour U transformations,

1. 定义 $KEM\text{-}III:={IN}^{/\perp }[PK{E}^{\prime },H]$，隐 type refusal order $H(s,c)$
2. defined义 $KEM\text{-}IIN:={IN}^{\perp }[PK{E}^{\prime },H]$，显形refuse
3. 定义 $KEM\text{-}V:={IN}_m^{/\perp }[PK{E}^{\prime },H,f]$, implicitly rejected as $f_s\left(c\right)$，这りの $f$ is PRF
4. set义 $KEM\text{-}VI:={IN}_m^{\perp }[PK{E}^{\prime },H]$，显形refuse

[HHK17] failed to give their reduction under QROM, [JZK+18] adopted new reduction technology, Their QROM reductions are given and are sufficiently tight.

对于 $K=H(m,Two\; transformations\; of\; c)$, which require the underlying PKE to be qPCAqPVCA are safe, while in [HHK17] only PCA and PCVA are required (but QROM does not work),

对于 $K=Two\; transformations\; of\; H\left(m\right)$, [JZK+18] requires the same conditions as [HHK17],

Oracle Cloning

Domain Separation

[BR93] clarifiedRandom Oracle paradigm, and provided CCA-PKE, Hash-based Sign, FS-type NIZK application.

ROM paradigm process:

1. Formally define cryptographic protocol $\Pi$ (ideal world), each participant can access a Random Oracle
2. Designing effective cryptographic protocols $P$ (real world, but RO accessible)
3. Proof Agreement $P$ full foot $\Pi$ 目扉义
4. Replace RO with some Hash function

[BR93] pointed out that both difficult problems and cryptographic protocols should be independent of the Hash function, otherwise a scheme can be constructed such that it It can be proven safe under ROM, but it is not safe to instantiate this Hash function!

Although existing Hash functions are not necessarily good, their structure can be broken through some simple transformations:

1. truncatecut（truncate）someonefolding（ fold）
2. IntroductionLimited length, example $|x|\le 256$
3. is called in a non-standardized way, for example$H(x)\to H(xx)$
4. Execute firstblock compression (block compress), for example H ′ : { 0 , 1 } 512 → { 0 , 1 } 128 H':\{0,1\}^{512} \to \{0,1\}^{128} H′:{ 0,1}512→{ 0,1}128， set $H(H^{\prime }(x))$

Oracle Cloning Functor

[BDG20] points out that if a cryptographic protocol uses multiple ROs,different RO instantiations should be independent of each other. Otherwise there are particularly efficient attacks that even break several NIST PQC 1-Round KEM schemes. Three independent ROs need to be used in the FO/QFO of [HHK17]. In addition, the underlying PKE itself also needs to use an RO. A total of four random oracles are required. The question now is how to safely instantiate all oracles in IND-CCA KEM using onlya single Hash function.

[BDG20] formalizes domain separation and defines "Oracle Cloning Technology". They proposed a read-only indiscernibility (Read-Only Indifferentiability, rd-indiff) whose strength is between MRH-indiff and reset-indiff. The security framework can maintain security in multi-stage games, which is sufficient for KEM's needs.

函子 $\text{F}:SS\to ES$, domain is a set of starting functions (Starting-function Space), range is a set of ending functions (Ending-function Space), The indistinguishability of functor refers to, $F[s],s{\leftarrow }_{R}ES$ 可以 MOD拟 $It\; is{\leftarrow }_{R}ES$, so usecomposition theorem (composition theorem) in the cryptographic protocol$e$ 可以被 $F\left(s\right)$ Safe ground alternative.

They proposedtranslatable functors (translating functors) and their inverse(invertibility),

We call a certain functor $\text{F}$ is translatable if QT (query translator) and AT (answer translator), such that$\text{F}={\text{TF}}_{QT,AT}$. We call a certain functor $\text{F}$ Guanyu work area $W$ It is reversible, the result exists QTI Sum ATI，Usage value $\forall e\in ES,\forall W\in \mathcal{W}$ 都有 ${\text{TF}}_{QT,AT}[P[e{]}_{QTI,ATI}](W)=e(W)$. [BDG20] proved that any reversible translatable functor is rd-indiff safe.

They gave three practical functors: let $s$ is a single Hash function, we need to construct $n$ 个 RO Example $e(i,\cdot )$，

• Prefix functor (prefix functor): a publicly determined vector$p=[p_i{]}_{i\in I}$, it is prefix-free, that is, every $p_i$ None $p_j,j\ne i$ 目前缀，NA么结义
  $${\text{F}}_{pf(p)}[s](i,X):=s(p_i\Vert X)$$

• 分裂函子（output-splitting functor）：假设 $The\; output\; length\; of\; s$ satisfies $l_{}=l_1+\cdots +l_n$, inside $l_i$ This is each one $e(i,\cdot )$ Target export length, setting $L_i=l_1+\cdots +l_i$，那么定义
  $${\text{F}}_{spl}\left[s\right](i,X):=s(X)[L_{i-1}+1,\cdots ,L_i]$$

• Identity functor (identity functor): This functor is directly
  $${\text{F}}_{id}\left[s\right](i,X):=s\left(X\right)$$
  but requires additional constraints< /span> e ( i , ⋅ ) e(i,\ cdot) (virtual domain separation), that is, for different Virtual domain separation$e(i,\cdot )$ Their input values ​​are different from each other. For example, force input length differentiation (length differentiation), that is, for different $e(i,\cdot )$ Their input lengths are different.

In addition, [BDG20] also defines the concept of working domain, even if a functor is not full-domain rd-indiff, rd-indiff security can still be achieved on appropriate subdomains. They further proposed the compatible working-domain-conscious composition theorem (working-domain-conscious composition theorem for KEMs), and the reduction is Tight, thus completing the RO instantiation in CCA-IND KEM.