CCA-Secure Hybrid Encryption in Correlated Randomness Model and KEM Combiners

Somnath Panja, Setareh Sharifian, Shaoquan Jiang, and Reihaneh Safavi-Naini Somnath Panja and Reihaneh Safavi-Naini are with the University of Calgary, Canada.Setareh Sharifian is with Intel Corporation.Shaoquan Jiang is with the University of Windsor, Canada.

Abstract

A hybrid encryption (HE) system is an efficient public key encryption system for arbitrarily long messages. An HE system consists of a public key component called key encapsulation mechanism (KEM), and a symmetric key component called data encapsulation mechanism (DEM). The HE encryption algorithm uses a KEM generated key k to encapsulate the message using DEM, and send the ciphertext together with the encapsulaton of k, to the decryptor who decapsulates k and uses it to decapsulate the message using the corresponding KEM and DEM components. The KEM/DEM composition theorem proves that if KEM and DEM satisfy well-defined security notions, then HE will be secure with well defined security.

We introduce HE in correlated randomness model where the encryption and decryption algorithms have samples of correlated random variables that are partially leaked to the adversary. Security of the new KEM/DEM paradigm is defined against computationally unbounded or polynomially bounded adversaries. We define iKEM and cKEM with respective information theoretic computational security, and prove a composition theorem for them and a computationally secure DEM, resulting in secure HEs with proved computational security (CPA and CCA) and without any computational assumption. We construct two iKEMs that provably satisfy the required security notions of the composition theorem. The iKEMs are used to construct two efficient quantum-resistant HEs when used with an AES based DEM. We also define and construct combiners with proved security that combine the new KEM/DEM paradigm of HE with the traditional public key based paradigm of HE.

Index Terms:

Post-quantum cryptography, Hybrid encryption, Correlated randomness model, Key Encapsulation Mechanism.

I Introduction

A hybrid Encryption (HE) system is a public-key encryption system with two components: a public-key key encapsulation mechanism (KEM) that generates a pair $(k,c_{1})$ where $k$ is a secret key and $c_{1}$ is the encapsulation of $k$ under the KEM’s public-key, and an efficient symmetric key component called data encapsulation mechanism (DEM) that will use $k$ to efficiently encrypt an arbitrary long message $m$ , and generate the ciphertext $c_{2}$ . Decryption algorithm has the private key of KEM and takes $(c_{1},c_{2})$ as input. It decapsulates $c_{1}$ to find $k$ and uses it to decrypt $c_{2}$ , and recover $m$ . This is an attractive construction that effectively provides a computationally efficient public key encryption system for arbitrarily long messages, by using the computationally expensive public key KEM once, and encrypt long messages by employing a computationally efficient DEM that can be constructed using efficient and standardised secure symmetric key ciphers such as AES (Advanced Encryption Standard) in one of the known modes of operation such as counter mode. Cramer and Shoup [1] defined KEM/DEM paradigm, formalized security of KEM and DEM, and proved a general composition theorem that shows that if KEM is CCA (chosen ciphertext attack) secure, and DEM is a one-time symmetric key encryption with CCA security, then the resulting hybrid encryption system will be CCA secure (see section III for definitions). This level of security is known as the gold standard of security for modern encryption systems. KEM/DEM paradigm has been widely studied and more refined notions of security for KEM have been proposed and the corresponding composition theorems for HE have been proved [2, 3]. There is a large body of work on the construction of KEM [4, 5, 6, 3, 7] that are all public key based and rely on computational assumptions. KEM has been widely used for securing communication over the Internet including as part of TLS (Transport Layer Security) [8].

Quantum-resistant security of an HE system requires quantum-resistant security of KEM and DEM. Shor’s invention of efficient quantum algorithms for integer factorization and discrete logarithm problems [9] has made KEM constructions that rely on these assumptions, and constitute all existing KEMs in practice, insecure. KEM has been one of the first cryptographic primitives that has been standardized by NIST (National Institute of Standards and Technology) post-quantum cryptography standardization effort [10, 11]. DEM component of an HE system uses symmetric block cipher algorithms such as AES, for which the main known quantum attack is the speed-up for secret key search that is offered by the Grover’s algorithm [12]. This speed-up however can be compensated by doubling the length of the secret key and so the research on quantum-resistant security of KEM/DEM paradigm has primarily focused on the quantum-resistant security of KEM.

Information theoretic key agreement. Our main observation is that KEM is effectively a one-way secret key agreement (OWSKA) algorithm, a widely studied topic in information theoretic cryptography, but with a somewhat different definition of security.

Information theoretic key agreement was first introduced by Maurer [13] and Ahlswede [14] (independently) in what is known as the source model, where Alice and Bob have samples of two correlated random variables $\mathbf{X}$ and $\mathbf{Y}$ that are distributed according to $P_{\mathbf{X}\mathbf{Y}\mathbf{Z}}$ and are partially leaked to Eve through the variable $\mathbf{Z}$ . The probability distribution $P_{\mathbf{X}\mathbf{Y}\mathbf{Z}}$ is public but the concrete samples $\mathbf{x}$ , $\mathbf{y}$ and $\mathbf{z}$ are private to Alice, Bob and Eve, respectively. There is a long line of research on deriving fundamental results on the possibility of secret key agreement, bounds on rate and capacity of information theoretic key agreement in this model and its variations, and providing constructions for optimal (capacity achieving) systems [15, 16, 17, 18], together with the finite length analysis of the constructions [16, 19].

Information theoretic key agreement has also been considered in fuzzy extractor (FE) setting [20] where Alice and Bob, respectively, have samples $w$ and $w^{\prime}$ of the same randomness source, satisfying $dist(w,w^{\prime})\leq t$ where $dist(.,.)$ is a distance function. FE setting can be seen as a special case of the source model where $\mathbf{x}$ and $\mathbf{y}$ are samples of the same source with a guaranteed upper bound on the distance between the two samples, and there is no initial information leakage to the adversary ( $\mathbf{Z}=0$ ). One of the main application areas of FE is key establishment using sources that employ biometric data as the source of randomness. Security model of FE is in part influenced by capturing attacks on biometric systems in practice [21, 22, 23, 24, 25].

A third important direction in the study of information theoretic key agreement is quantum key distribution (QKD) protocols that use quantum theoretic assumptions as the basis of security. Protocols such as BB84 QKD [26], use communication over a quantum channel to generate correlated random variables between two parties, which is later reconciled into a shared secret string that is partially leaked to Eve, and is used to extract a shared (close to) random key between the two parties.

In all above settings, there is an initial correlated randomness between Alice and Bob that is leveraged to establish an information theoretically secure shared secret key. Definitions of security in these settings range from security against a passive eavesdropping adversary [13, 14, 15, 16, 19, 20, 22, 25], to security against an active attacker with different levels of access to the system and communication channels [27, 28, 29, 24]. In all cases, security is against a computationally unbounded adversary and so the protocol remains secure against an adversary with access to a quantum computer.

Extending secure key agreement protocols with information theoretic security, to the establishment of secure message transmission channels using KEM/DEM approach, will allow the wealth of research and development in information theoretic key agreement protocols to be used in quantum-resistant cryptographic systems.

Cryptographic combiners combine cryptographic schemes with the same functionality into a single scheme with the guarantee that the combined scheme is secure if at least one of the component schemes is secure. Combiners mitigate the risk of possible design flaws, attacks and breaks of each of the component cryptographic schemes, and provide robustness for security systems. Combiners for public key KEMs have been introduced, their security properties have been formalized, and secure constructions for KEM combiners have been proposed [30, 31]. Cryptographic combination of public key KEM with KEMs with information theoretic security will seamlessly integrate the new KEMs into the existing applications of KEM and expand the range of KEMs that are available in designing cryptographic systems.

I-A Our Results

We propose KEM/DEM paradigm in correlated randomness model (which in cryptography, is also referred to as preprocessing model¹¹1This is because correlated randomness is generated in an initialization stage and before the actual algorithms start.). We define security and prove a composition theorem that relates security of the HE to the security of the KEM and DEM components.

Notation: To make distinction between traditional public key KEMs and KEMs in the new setting, we use pKEM to denote a KEM scheme in preprocessing model, and reserve iKEM and cKEM to refer to the information theoretic and computationally secure versions of pKEM.

The new paradigm allows KEM and DEM components to be defined with security against a computationally unbounded, or computationally bounded adversary. While one can define pKEM and associated DEM with security against information theoretic and computational adversaries, our focus is on the design of an efficient quantum-resistant encryption system (HE) that can be used in practice, and so we consider composition of iKEMs (KEMs with information theoretic security) and DEMs with computational security. We design two iKEMs with proved security in our proposed security models, one with security against passive adversaries, and one with security against active adversaries that tamper with the communication channel. The two iKEMs will have CEA (Chosen Encapsulation Attack) and CCA (Chosen Ciphertext Attack) security, respectively, and when used with a DEM with appropriate security will result in an HE with CPA (Chosen Plaintext Attack) and CCA security, respectively. We also define and construct cryptographic combiners that combine a public key KEM and an iKEM. More details below.

KEM/DEM in correlated randomness model. A KEM in correlated randomness model is a tuple of algorithms denoted by $p\mathcal{KEM}=(\mathsf{pkem.Gen},\mathsf{pkem.Enc},\mathsf{pkem.Dec})$ , where $\mathsf{pkem.Gen}$ is a correlation generation algorithm that takes a distribution $P_{\mathbf{X}\mathbf{Y}\mathbf{Z}}$ , generates correlated random samples $\mathbf{x}$ , $\mathbf{y}$ and side information $\mathbf{z}$ for Alice, Bob, and Eve, respectively, and privately delivers the samples to the corresponding parties; $\mathsf{pkem.Enc}$ is an encapsulation algorithm that uses the private sample of Alice and generates a pair $(k,c_{1})$ , where $k$ is a random session key for DEM, and $c_{1}$ is an (encapsulation) ciphertext; $\mathsf{pkem.Dec}$ is a decapsulation algorithm that uses $c_{1}$ and the private sample of Bob to recover $k$ .

Security of KEM is defined using key indistinguishability games between a challenger and an adversary (Figure 3). The adversary’s power is modelled by its query access to the encapsulation oracle and decapsulation oracle. An oracle implements its corresponding algorithm and has access to the private information of the party that legitimately uses the algorithm, and so the encapsulation and decapsulation oracles have the private random samples of Alice and Bob, respectively. The oracles correctly answer queries of the adversary as defined by the security game. We define these security games similar to the corresponding ones in public key KEMs [3, 1], with the difference that in public key KEM, the encapsulation algorithm has a public key for encapsulation and so the adversary can freely access the encapsulation algorithm, while in pKEM, the encapsulation algorithm uses the private sample of Alice, and the adversary can query the encapsulation oracle. A (chosen encapsulation attack (CEA) ) query to the encapsulation oracle results in an output $(k,c_{1})$ . Decapsulation queries, also referred to as chosen ciphertext attack (CCA) queries, are the same as in public-key KEMs and allow the adversary to verify validity of a chosen pair $(k^{\prime},c^{\prime})$ against the decapsulation algorithm when using the private sample of Bob, and the response is either a key or $\perp$ . The two security notions of IND-CEA (indistinguishability against CEA) and IND-CCA (indistinguishability against CCA) capture indistinguishability of the final key from a uniform random string of the same length, when the attacker has access to CEA, or both CEA and CCA, queries respectively. Adversary can be computationally unbounded (information theoretic), or its computation be bounded by a polynomial function of the system’s security parameter (computational). The number of allowed queries in the two cases are different: for information theoretic adversary the number of allowed queries is a predefined constant (system parameter), while for computational adversary, it is a polynomial function of the security parameter of the system. We use iKEM to denote information theoretically secure pKEMs where the adversary is computationally unbounded, and use cKEM to refer to computationally secure pKEM, where the adversary is computationally bounded. This latter is to distinguish computationally secure pKEMs from traditional public key KEMs, both providing security against a polynomial time adversary but cKEM using an initial correlated randomness instead of a public key.

We define DEM and its security against a computationally bounded adversary, the same as DEMs in public-key setting [1]. DEM security notions are variations of IND-CPA (indistinguishability against CPA) security and IND-CCA (indistinguishability against CCA) security for encryption systems. DEM security can also be defined against a computationally unbounded adversary. Our definition of computationally secure DEM however is motivated by our goal of constructing quantum-resistant HE schemes that use a short (constant length) key to encrypt arbitrary long messages.

Composition Theorem. The following composition theorem (which is a restatement of Theorem 2) proves (computational) security of an HE system that is obtained by the composition of a pKEM (iKEM or cKEM) and a computationally secure DEM.

Theorem.

Let $c\mathcal{KEM}$ and $i\mathcal{KEM}$ be a cKEM and an iKEM, respectively, and $\mathcal{SE}$ denote a one-time symmetric key encryption scheme that is compatible with the corresponding $c\mathcal{KEM}$ or $i\mathcal{KEM}$ . Then the following composition results hold for the hybrid encryption in preprocessing model, against a computationally bounded adversary with access to the following queries for HE: $q_{e}$ encapsulation and $q_{d}$ decapsulation queries when $i\mathcal{KEM}$ is used, and polynomially bounded number of queries for both types of queries, when $c\mathcal{KEM}$ is used.

	$\displaystyle\mbox{1. IND-CEA }c\mathcal{KEM}+\mbox{IND-OT }\mathcal{SE}\rightarrow\mbox{IND-CPA }\mathsf{HE}_{c\mathcal{KEM},\mathcal{SE}}$
	$\displaystyle\mbox{2. IND-CCA }c\mathcal{KEM}+\mbox{IND-OTCCA }\mathcal{SE}\rightarrow\mbox{IND-CCA }\mathsf{HE}_{c\mathcal{KEM},\mathcal{SE}}$
	$\displaystyle\mbox{3. IND-}q_{e}\mbox{-CEA }i\mathcal{KEM}+\mbox{IND-OT }\mathcal{SE}\rightarrow\mbox{IND-}q_{e}\mbox{-CPA }\mathsf{HE}_{i\mathcal{KEM},\mathcal{SE}}$
	$\displaystyle\mbox{4. IND-}(q_{e};q_{d})\mbox{-CCA }i\mathcal{KEM}+\mbox{IND-OTCCA }\mathcal{SE}\rightarrow\mbox{IND-}(q_{e};q_{d})\mbox{-CCA }\mathsf{HE}_{i\mathcal{KEM},\mathcal{SE}}.$

IND-OT and IND-OTCCA refer to indistinguishability security for one-time secure DEM with CPA and CCA security, respectively (see Definition 3).

In all cases, security of the hybrid encryption system is against a computationally bounded adversary. In (1) and (2), $c\mathcal{KEM}$ is secure against a computationally bounded adversary who has access to polynomially bounded number of encapsulation and decapsulation queries, and the final HE satisfies CPA and CCA definition of security of computationally secure encryption systems (see Definition in section IV-A). In (3) and (4) however, $i\mathcal{KEM}$ is secure against a computationally unbounded adversary with access to a constant number of encapsulation ( $q_{e}$ ) and decapsulation ( $q_{d}$ ) queries, and the final HE is bounded CPA and CCA secure, respectively [1].

Constructions of iKEM. In section V, we consider the case that the correlated randomness is obtained by repeated sampling a public distribution, and $P_{\mathbf{X}\mathbf{Y}\mathbf{Z}}=\prod_{i=1}^{n}P_{X_{i}Y_{i}Z_{i}}$ where $P_{X_{i}Y_{i}Z_{i}}=P_{XYZ}$ for $1\leq i\leq n$ . We have $\mathbf{X}=(X_{1},\cdots,X_{n})$ , $\mathbf{Y}=(Y_{1},\cdots,Y_{n})$ , $\mathbf{Z}=(Z_{1},\cdots,Z_{n})$ respectively, with the corresponding private samples, $\mathbf{x}=(x_{1},\cdots,x_{n})$ , $\mathbf{y}=(y_{1},\cdots,y_{n})$ and $\mathbf{z}=(z_{1},\cdots,z_{n})$ .

We propose two constructions of iKEM for Satellite scenario, Construction 1 and Construction 2, that provide IND-CEA and IND-CCA security, respectively. Both constructions are based on the OWSKA in [19], where Alice sends a single message to Bob over a public authenticated channel. The message includes information that will be used for information reconciliation that enables Bob to recover Alice’s sample with some leakage, and the description of a hash function to be used for key extraction. The OWSKA construction uses two universal hash functions $h$ and $h^{\prime}$ for the two tasks. This construction was first proposed in [32] for an iKEM with IND-CEA security for $q_{e}$ encapsulation queries (and no decapsulation queries), and used two strongly universal hash functions, $h$ and $h^{\prime}$ . Construction 1 has the same security properties but uses universal hash families. The construction slightly modifies the initialization process of iKEM that improves the length of the established key without affecting security. The encapsulation ciphertext in Construction 1 is $c=(h(\mathbf{x},s),s^{\prime})$ , where $s$ and $s^{\prime}$ are random strings that are used in $h$ (reconciliation) and $h^{\prime}$ (extraction) respectively. Our observation is that $s$ , the seed for $h$ that is used for reconciliation, can stay the same in all instances of the protocol and so can be generated and distributed to all parties (including to Eve) during initialization.

We prove security of this construction for any pair $h$ and $h^{\prime}$ of universal hash functions with appropriate parameters.

The second construction is a pKEM with IND-CCA security that removes the need for a public authenticated channel between Alice and Bob, and provides security against an adversary who can tamper with the KEM ciphertext. We define INT-CTXT (ciphertext integrity) for pKEM (Definition 6) that requires any tampering with the cipherext to be detectable by Bob. Theorem 1 proves that in preprocessing model, a KEM that is IND-CEA and INT-CTXT secure, is IND-CCA secure. Our IND-CCA secure Construction 2 requires a specific construction of $h$ (whereas in Construction 1, $h$ can be any universal hash function).

To show IND-CCA security of the Construction 2, we show that it is an IND-CEA and INT-CTXT secure KEM, and so it provides IND-CCA security. The construction is based on the OWSKA construction in [29] that provides security against an active adversary. Our iKEM construction slightly modifies the reconciliation message of the OWSKA, revises and corrects its security analysis, and obtains new parameters for the system. The encapsulation ciphertext in Construction 2 is given by $c=(h(\mathbf{x},(s^{\prime},s)),s^{\prime},s)$ which includes $s^{\prime}$ as part of the input to $h$ also. The hash function $h$ is designed to $(i)$ provide information reconciliation to allow Bob to securely recover Alice’s sample $\mathbf{x}$ and $(ii)$ serves as a MAC (message authentication code) to protect integrity of the encapsulation ciphertext. The decapsulation algorithm checks the validity of a received encapsulation ciphertext by computing the hash function $h$ using the candidate key $\hat{\mathbf{x}}$ that is derived for Alice and the received $(s^{\prime},s)$ , and compares the result with $h(\mathbf{x},(s^{\prime},s))$ . We bound the success probability of the adversary in forging a valid encapsulation ciphertext by bounding the guessing probability of the secret keys that are used in the encapsulation and decapsulation algorithms.

In Theorem 5, we prove integrity of the ciphertext (IND-CTXT) of the iKEM Construction 2 against an active adversary with access to one encapsulation and $q_{d}$ decapsulation queries. The $h$ construction in section V-E can be extended to provide security against $q_{e}>1$ queries. The final extracted key length however will be reduced (almost) linearly with higher $q_{e}$ . We note that security against $q_{e}>1$ encapsulation queries, is only necessary if the same sample $\mathbf{x}$ is used in multiple instances of HE, and not required in applications such as QKD where each message transmission will use its dedicated quantum communication round (and so new values of $\mathbf{x}$ , $\mathbf{y}$ and $\mathbf{z}$ ).

KEM Combiners. We define KEM combiners that securely combine a pKEM (iKEM or cKEM) and a public key KEM. In this combination, if at least one of the component KEMs is an iKEM, the resulting KEM will be an iKEM and secure against a computationally unbounded adversary (for fixed number of encapsulation/decapsulation queries) and so a quantum-resistant KEM. The resulting KEM will also be computationally secure with polynomial (in security parameter) number of encapsulation/decapsulation queries, as long as at least one of the component KEMs is computationally secure (public-key KEM or cKEM).

We give two blackbox constructions of KEM combiners for an iKEM and a public key KEM that satisfy the above security properties (information theoretic security for fixed number of queries and computational security for polynomial number of queries as long as the corresponding component KEM is secure). The constructions are based on the XOR combiner and PRF-then-XOR combiner of [30] that were proposed for public key KEMs. We extend these constructions to our setting where one of the KEMs is an iKEM. The XOR combiner XORs the output keys of the component KEMs. The construction maintains IND-CEA security of the resulting KEM (Theorem 6) but will not result in an IND-CCA KEM when the component KEMs are IND-CCA secure. The PRF-then-XOR combiner uses PRFs (Pseudorandom functions). A PRF is a family of functions indexed by a secret key, that guarantees that for a uniformly chosen key, the function output is indistinguishable from the output of a random function for an adversary who can see the evaluations of the function on an adaptive adversary chosen set of values (see Definition 8). We use two types of PRFs: with statistical indistinguishability for constant number of queries, and computational indistinguishability for polynomial number of queries (see Definition 8).

The PRF-then-XOR combiner XORs the outputs of a set of PRFs, each associated with one of the KEMs, where the $i^{th}$ PRF uses the secret key $k_{i}$ that is the output of the $i^{th}$ KEM, and computes the value of the function on an input that is the concatenation of the ciphertexts of all other KEMs (except the $i^{th}$ one). We require PRF with statistical indistinguishability for iKEMs, and with computational indistinguishability for computational KEMs. Theorems 6 and 7 respectively, prove IND-CEA, and IND-CCA security of the resulting KEMs, and relate their security to the security of the component KEMs and the PRFs.

Discussion. Security of KEM/DEM paradigm in correlated randomness model does not rely on any (unproven) computationally hard problem. Hybrid encryption system in this model is neither a public key, nor a symmetric key encryption system. Rather, it relies on the communicating parties secret inputs (that we refer to as key) that are not identical, but are correlated, and can be partially leaked. The final security of the HE is computational. The paradigm provides flexibility to consider security against computationally unbounded or bounded adversaries for each component (KEM and DEM). Our focus on iKEM and computationally bounded DEM is motivated by real-life application of HE in quantum-resistant systems.

Organization. Related work is in section II. Section III is preliminaries. Section IV is on KEM in preprocessing model. Instantiations of iKEM and their security proofs are in Section V. Section VI is on combiners and their constructions. Section VII provides concluding remarks.

II Related work

KEM/DEM paradigm has been widely used in public key based hybrid encryption for encrypting arbitrary length messages with proved security. The approach was first formalized by Cramer and Shoup [1] who proved that that a CCA secure KEM and one-time secure CCA symmetric key encryption system (DEM) result in a CCA secure hybrid encryption system. The relation between different security notions of KEM and DEM, and the resulting hybrid encryption system is given in [2]. There are numerous generic and specific constructions of public-key KEM including [33, 34, 35]. There are also constructions of KEM that use hardness assumptions for which there is no known quantum algorithm. This includes constructions [36, 37, 10] that use LWE (Learning with Error) and other lattice based assumptions. Quantum-resistant secure KEM has been part of NIST post-quantum competition [38] and CRYSTALS-Kyber is the standardized quantum-resistant KEM [10]. KEM combiners are studied in [30, 39, 31, 40].

All above works are in public-key setting. KEM/DEM in correlated randomness setting was introduced in [32] where authors considered passive adversaries with access to encapsulation queries, only. We extend this work in a number of ways. We consider security against active attackers and prove a general composition theorem for CCA security of HE, and construct a CCA secure iKEM that results in a CCA secure ( quantum-resistant) HE. We also construct combiners for iKEM and public-key KEM, that when used with a computationally secure DEM, result in a provably secure CCA encryption system.

Information theoretic key agreement in source model was first studied by Maurer [13], and Ahlswede and Csiszár [14], and has led to a long line of research on this topic and more specific related topics including information reconciliation [41, 42, 43, 44]. OWSKA uses a single message from Alice to Bob to establish a shared key [15, 17, 18, 19]. Key establishment in correlated randomness model with security against active adversary was studied in [45, 28, 46, 47].

Combining cryptographic primitives was first considered by Shannon who studied security of an encryption system that is obtained by combining multiple encryption systems, and suggested “weighted sum” and “product ciphers” to combine secrecy systems to achieve stronger security [48]. Combiners have been studied for numerous cryptographic primitives including encryption systems [49, 50] and hash functions [51]. Robust combiners for cryptographic systems were studied by Herzberg [52] and later extended [40] to include parallel and cascade constructions, where constructions for various primitives including OWF (One Way Functions), signatures and MACs are given. A robust combiner for a cryptographic primitive $\cal P$ takes multiple candidate schemes that implement $\cal P$ , and combine them into a single scheme such that the resulting scheme remains secure even if some of the schemes become insecure. In a $(k,n)$ -robust combiner [40] security is guaranteed if at least $t$ out of $n$ constructions remains secure.

Combiners for public key KEM was studied in Giacon et al. [30], and with security against quantum adversaries were considered and constructed in Bindel et al. [31].

Correlated randomness model has been used in cryptography to remove impossibility results, including key establishment in presence of computationally unbounded adversaries [13], oblivious transfer [53] and multi-party computation (MPC) protocols [54, 55, 56]. Correlated randomness for key agreement can be realized in settings such as biometric authentication, transmission over noisy (wiretapped) channels, and using communication over quantum channel.

III Preliminaries

We denote random variables (RVs) with upper-case letters, (e.g., $X$ ), and their realizations with lower-case letters (e.g., $x$ ). The probability distribution associated with a random variable $X$ is denoted by $\mathrm{P}_{X}(x)=\mathsf{Pr}(X=x)$ , and the conditional probability distribution associated with $X$ given $Y$ is denoted by $\mathrm{P}_{X|Y}(x|y)=\mathsf{Pr}(X=x|Y=y)$ . Shannon entropy of an RV $X$ is defined by $H(X)=-\sum_{x}\mathrm{P}_{X}(x)\log(\mathrm{P}_{X}(x))$ . The min-entropy $H_{\infty}(X)$ of a random variable $X\in\mathcal{X}$ with probability distribution $\mathrm{P}_{X}$ is $H_{\infty}(X)=-\log(\max_{x}(\mathrm{P}_{X}({x})))$ . The average conditional min-entropy [21] is defined as, $\tilde{H}_{\infty}(X|Y)=-\log\mathbb{E}_{{y}\leftarrow Y}\max_{{x}\in\mathcal{X}}\mathrm{P}_{X|Y}({x}|{y}).$ The statistical distance between two random variables $X$ and $Y$ with the same domain $\mathcal{T}$ is given by ${\rm\Delta}(X,Y)=\frac{1}{2}\sum_{v\in{\cal T}}|\Pr[X=v]-\Pr[Y=v]|$ . For an $n$ -bit variable $\mathbf{x}$ , we use $[x]_{i\cdots j}$ to denote the block of bits from the $i$ th bit to the $j$ th bit in $x.$ For $\ell\in\mathbb{N}$ , $U_{\ell}$ denotes an RV with uniform distribution over $\{0,1\}^{\ell}$ . Vectors are denoted using boldface letters, e.g. $\mathbf{X}=(X_{1},\cdots,X_{n})$ is a vector of $n$ RVs, and its realization is given by $\mathbf{x}=(x_{1},\cdots,x_{n})$ .

To define closeness of two families of distributions that are indexed by $\lambda$ using the notion of indistinguishability (statistical and computational), we use two classes of functions called ${SMALL}$ and ${NEGL}$ as defined in [57]. The class of negligible functions ${NEGL}$ , contains all functions $s:\mathbb{N}\to\mathbb{R}_{\geq 0}$ where for every positive polynomial $f(\cdot)$ , $\exists n_{0}\in\mathbb{N}$ such that $\forall n\geq n_{0},|s(n)|<\frac{1}{f(n)}$ , where $\mathbb{R}_{\geq 0}$ is the set of non-negative real numbers. A set ${SMALL}$ is a class of small functions $\mathbb{N}\to\mathbb{R}_{\geq 0}$ if: $(i)$ it is closed under addition, and $(ii)$ a function $s^{\prime}\in SMALL$ implies that all functions $f^{\prime}:\mathbb{N}\to\mathbb{R}_{\geq 0}$ with $f^{\prime}\leq s^{\prime}$ are also in the set $SMALL$ .

Universal hash functions have been used to generate close to uniform RVs from non-uniform entropy sources with sufficient min-entropy. This is proved in Leftover Hash Lemma [58]. We use a variant of Leftover Hash Lemma, called Generalized Leftover Hash Lemma [21, Lemma 2.4].

Definition 1 (Universal hash family).

A family of hash functions $h:\mathcal{X}\times\mathcal{S}\to\mathcal{Y}$ is called a universal hash family if $\forall x_{1},x_{2}\in\mathcal{X}$ , $x_{1}\neq x_{2}$ , we have $\mathrm{Pr}[h(x_{1},S)=h(x_{2},S)]\leq\frac{1}{|\mathcal{Y}|}$ , where the probability is over the uniform choices of $\mathcal{S}$ .

Lemma 1 (Generalized Leftover Hash Lemma [21]).

Let $h:\mathcal{X}\times\mathcal{S}\rightarrow\{0,1\}^{\ell}$ be a universal hash family. Then for any two variables $A\in\mathcal{X}$ and $B\in\mathcal{Y}$ , applying $h$ on $A$ can extract a uniform random variable whose length $\ell$ satisfies the following $\Delta(h(A,S),S,B;U_{\ell},S,B)\leq\frac{1}{2}\sqrt{2^{-\tilde{H}_{\infty}(A|B)}\cdot 2^{\ell}}$ , where $S$ is chosen uniformly from $\mathcal{S}$ .

For $\lambda\in\mathbb{N}$ , the unary representation of $\lambda$ given by $1^{\lambda}$ , is used to specify the running time of the algorithm as a function of $\lambda$ . For efficient algorithm, the running time is a polynomial in $\lambda$ . We use $\lambda$ as the security parameter of the system.

An algorithm $\mathsf{D}$ that takes inputs $x,y,\cdots$ , and generates the output $u$ , while having access to oracles $\mathsf{O}_{1},\mathsf{O}_{2},\dots$ , by $u\leftarrow\mathsf{D}^{\mathsf{O}_{1},\mathsf{O}_{2},...}(x,y,\cdots)$ .

KEM and DEM. Hybrid encryption and the notion of KEM was first introduced and formalized in [1]. Properties of KEM and DEM were formally defined in [2].

Definition 2 (KEM distinguishing advantage [2]).

Let $\mathsf{D}=(\mathsf{D}_{1},\mathsf{D}_{2})$ be an adversary and $\mathsf{kem}=(\mathsf{kem.Gen},\mathsf{kem.Enc},\mathsf{kem.Dec})$ be a KEM with security parameter $\lambda$ and key space $\{0,1\}^{\mathsf{kem.Len}(\lambda)}$ . For $atk\in\{cpa,,cca1,cca2\}$ , the key indistinguishability (kind) advantage of $\mathsf{kem}$ is defined as

Adv^{kind\text{-}atk}_{\mathsf{kem},\mathsf{D}}(\lambda)\triangleq|\mathrm{Pr}[\mathrm{KIND}_{\mathsf{kem},\mathsf{D}}^{atk\text{-}0}(\lambda)=1]-\mathrm{Pr}[\mathrm{KIND}_{\mathsf{kem},\mathsf{D}}^{atk\text{-}1}(\lambda)=1]|,

(1)

where the distinguishing game $\mathrm{KIND}_{\mathsf{kem},\mathsf{D}}^{atk\text{-}b}$ for $b\in\{0,1\}$ is defined in Figure. 1.

Game $\mathrm{KIND}_{\mathsf{kem},\mathsf{D}}^{atk\text{-}b}(\lambda)$

(pk,sk)\stackrel{{\scriptstyle\$}}{{\leftarrow}}\mathsf{kem.Gen}(1^{\lambda})

st\stackrel{{\scriptstyle\$}}{{\leftarrow}}\mathsf{D}_{1}^{\mathsf{O}_{1}}(pk)

(k^{*},c^{*})\stackrel{{\scriptstyle\$}}{{\leftarrow}}\mathsf{kem.Enc}(pk)

k_{0}\leftarrow k^{*}

k_{1}\stackrel{{\scriptstyle\$}}{{\leftarrow}}\{0,1\}^{\mathsf{kem.Len}(\lambda)}

b^{\prime}\stackrel{{\scriptstyle\$}}{{\leftarrow}}\mathsf{D}_{2}^{\mathsf{O}_{2}}(c^{*},st,k_{b})

7:Return

b^{\prime}

Oracles $\mathsf{O}_{1}$ and $\mathsf{O}_{2}$

$atk$	$\mathsf{O}_{1}(\cdot)$	$\mathsf{O}_{2}(\cdot)$
$cpa$	$\ \varepsilon$	$\varepsilon$
$cca1$	$\mathsf{kem.Dec}(sk,\cdot)$	$\varepsilon$
$cca2$	$\mathsf{kem.Dec}(sk,\cdot)$	$\mathsf{kem.Dec}(sk,\cdot)$

Figure 1: The distinguishing game

\mathrm{KIND}_{\mathsf{kem},\mathsf{D}}^{atk\text{-}b}

, where

b\stackrel{{\scriptstyle\$}}{{\leftarrow}}\{0,1\}

, and

atk\in\{cpa,cca1,cca2\}

. The decapsulation oracle

\mathsf{kem.Dec}(sk,\cdot)

has the private key

sk

. Oracle output

\mathsf{O}_{i}=\varepsilon,i\in\{1,2\}

, means

\mathsf{O}_{i}

returns the empty string

\varepsilon

\mathsf{O}_{2}

cannot be asked to decapsulate

c^{*}

A KEM is IND-CPA (CCA1 or CCA2) secure if for all polynomial-time adversaries $\mathsf{D}$ that corresponds to $atk=cpa$ , $atk=cca1$ or $atk=cca2$ , the advantage function (in equation 1) is negligible in ${\lambda}$ . In this paper, we only consider CCA2 security, and refer to it as CCA-security.

Data Encapsulation Mechanism (DEM) is a symmetric key encryption algorithm. We use the following definition in [2].

Definition 3 (Security of DEM: IND-OT, IND-OTCCA, IND-CPA, IND-CCA1, IND-CCA2 [2]).

Let
$\mathsf{dem}=(\mathsf{dem.Gen},\mathsf{dem.Enc},\mathsf{dem.Dec})$ be a DEM scheme with security parameter $\lambda$ and key space $\{0,1\}^{{\mathsf{dem.Len}}(\lambda)}$ , and let $\mathsf{D}=(\mathsf{D}_{1},\mathsf{D}_{2})$ be an adversary. For $atk\in\{ot,otcca,cpa,cca1,cca2\}$ and $\lambda\in\mathbb{N}$ , the indistinguishability (ind) advantage of $\mathsf{dem}$ is defined as

Adv^{ind\text{-}atk}_{\mathsf{dem},\mathsf{D}}(\lambda)\triangleq|\mathrm{Pr}[\mathrm{IND}_{\mathsf{dem},\mathsf{D}}^{atk\text{-}0}(\lambda)=1]-\mathrm{Pr}[\mathrm{IND}_{\mathsf{dem},\mathsf{D}}^{atk\text{-}1}(\lambda)=1]|,

(2)

where the distinguishing game $\mathrm{IND}_{\mathsf{dem},\mathsf{D}}^{atk\text{-}b}$ for $b\in\{0,1\}$ is defined in Figure. 2.

Game $\mathrm{IND}_{\mathsf{d}em,\mathsf{D}}^{atk\text{-}b}(\lambda)$

k\stackrel{{\scriptstyle\$}}{{\leftarrow}}\mathsf{dem.Gen}(1^{\lambda})

(st,m_{0},m_{1})\stackrel{{\scriptstyle\$}}{{\leftarrow}}\mathsf{D}_{1}^{\mathsf{O}_{1}}()

c^{*}\stackrel{{\scriptstyle\$}}{{\leftarrow}}\mathsf{dem.Enc}(k,m_{b})

b^{\prime}\stackrel{{\scriptstyle\$}}{{\leftarrow}}\mathsf{D}_{2}^{\mathsf{O}_{2}}(c^{*},st)

5:Return

b^{\prime}

Oracles $\mathsf{O}_{1}$ and $\mathsf{O}_{2}$

$atk$	$\mathsf{O}_{1}$	$\mathsf{O}_{2}$
$ot$	$\varepsilon$	$\varepsilon$
$otcca$	$\varepsilon$	${\mathsf{dem.Dec}}(k,\cdot)$
$cpa$	$\mathsf{dem.Enc}(k,\cdot)$	$\varepsilon$
$cca1$	$\{\mathsf{dem.Enc}(k,\cdot),{\mathsf{dem.Dec}}(k,\cdot)\}$	$\varepsilon$
$cca2$	$\{\mathsf{dem.Enc}(k,\cdot),{\mathsf{dem.Dec}}(k,\cdot)\}$	$\{\mathsf{dem.Enc}(k,\cdot),{\mathsf{dem.Dec}}(k,\cdot)\}$

Figure 2: DEM distinguishing game. Here,

\mathsf{dem.Enc}(k,\cdot)

and

\mathsf{dem.Dec}(k,\cdot)

are encryption and decryption oracles with key

k

, respectively, and

\varepsilon

denotes an empty string.

A DEM is $\sigma(\lambda)\text{-}IND\text{-}ATK$ for $ATK\in\{OT,OTCCA,CPA,CCA1,CCA2\}$ if for all polynomial-time adversaries $\mathsf{D}$ , $Adv^{ind\text{-}atk}_{\mathsf{dem},\mathsf{D}}(\lambda)\leq\sigma(\lambda)$ , where $\sigma(\cdot)$ is a non-negative negligible function in $\lambda$ .

The formalization and construction of HE in [1] uses one-time symmetric key encryption schemes with a specific security definition (adversary with access to decryption oracle only). The one-time symmetric key encryption that is defined below, is a DEM with OTCCA security.

A one-time symmetric key encryption $\mathsf{SE}=(\mathsf{SE.Enc},\mathsf{SE.Dec})$ with security parameter $\lambda$ and the key space $\{0,1\}^{\mathsf{SE.Len}(\lambda)}$ consists of two deterministic²²2Thus, for all $k\in\{0,1\}^{\mathsf{SE.Len}(\lambda)}$ and $m\in\{0,1\}^{*}$ , $\mathrm{Pr}[\mathsf{SE.Dec}\big{(}k,\mathsf{SE.Enc}(k,m)\big{)}=m]=1$ . algorithms such that: i) the encryption algorithm $\mathsf{SE.Enc}(k,m)$ encrypts a message $m\in\{0,1\}^{*}$ under a uniformly chosen key $k\in\{0,1\}^{\mathsf{SE.Len}(\lambda)}$ and outputs a ciphertext $c$ , and ii) the decryption algorithm $\mathsf{SE.Enc}(c,k)$ that decrypts the ciphertext $c$ using the key $k$ , and either recovers the message $m$ , or outputs a special rejection symbol $\perp$ .

Security of $\mathsf{SE}$ is tailored for its application in hybrid encryption systems, and matches the OTCCA security in Definition 3.

IV KEM in correlated randomness model

A KEM in correlated randomness model (also called preprocessing model) has two phases. In the initialization phase that is also called offline phase, Alice, Bob and Eve, respectively, privately receive $r_{A}$ , $r_{B}$ and $r_{E}$ , that is obtained by sampling a public joint distribution $P_{\mathbf{X}\mathbf{Y}\mathbf{Z}}$ (e.g. an efficient probabilistic experiment). In the online phase Alice and Bob use their private values in the encapsulation and decapsulation algorithms, respectively, to obtain a shared key. Here $r_{E}$ represents Eve’s initial information about Alice and Bob’s samples.

Definition 4 (KEM in Preprocessing Model (pKEM)).

KEM in preprocessing model (pKEM) with security parameter $\lambda$ , joint distribution $P_{\mathbf{X}\mathbf{Y}\mathbf{Z}}$ , and key space $\mathsf{KeySP_{\mathsf{pkem}}}(\lambda)=\{0,1\}^{\mathsf{pkem.Len}(\lambda)}$ , is a triple of algorithms
$\mathsf{pkem}=(\mathsf{pkem.Gen},\mathsf{pkem.Enc},\mathsf{pkem.Dec})$ , where $\mathsf{pkem.Gen}(1^{\lambda},P_{\mathbf{X}\mathbf{Y}\mathbf{Z}})$ is a randomized generation algorithm that produces private samples $(r_{A},r_{B},r_{E})$ that are privately given to the corresponding parties, $\mathsf{pkem.Enc}(r_{A})$ is the randomized encapsulation algorithm that outputs a pair of ciphertext and key $(c,k)$ for $c\in\mathcal{C}$ and $k\in\{0,1\}^{\mathsf{pkem.Len}(\lambda)}$ , and $\mathsf{pkem.Dec}(r_{B},c)$ is the deterministic decapsulation algorithm that outputs a key $k$ or a symbol $\perp$ (for an invalid ciphertext).

Correctness. A pKEM is $\epsilon(\lambda)$ -correct if for all $\lambda\in\mathbb{N}$ and $(r_{A},r_{B},r_{E})\leftarrow\mathsf{pkem.Gen}(1^{\lambda},P_{\mathbf{X}\mathbf{Y}\mathbf{Z}})$ ,
$\text{Pr}[\mathsf{pkem.Dec}(r_{B},c)\neq\mathsf{pkem.Enc}(r_{A}).{key}]\leq\epsilon(\lambda)$ , where $\epsilon:\mathbb{N}\to[0,1)$ is a small function of $\lambda$ , and $\mathsf{pkem.Enc}(r_{A}).{key}=k$ and the probability is over all random coins of $\mathsf{pkem.Enc}(\cdot)$ and $\mathsf{pkem.Gen}(\cdot)$ .

Security of pKEM. We consider three types of attacks: One-time attack (OT), Chosen Encapsulation Attack (CEA), and Chosen Ciphertext Attack (CCA), specified by access to the encapsulation and decapsulation oracles $\mathsf{pkem.Enc}(r_{A},\cdot)$ and $\mathsf{pkem.Dec}(r_{B},\cdot)$ , respectively. The corresponding security notions are denoted by IND-OT, IND-CEA and IND-CCA, respectively. An encapsulation query to $\mathsf{pkem.Enc}(r_{A},\cdot)$ is a call to generate a key and ciphertext pair $(c,k)$ and does not take any input from the adversary. For a query to $\mathsf{pkem.Dec}(r_{B},\cdot)$ , the attacker chooses a ciphertext $c$ , and receives the corresponding key $k$ , or $\perp$ .

Definition 5 (pKEM distinguishing advantage).

Let $\mathsf{pkem}=(\mathsf{pkem.Gen},\mathsf{pkem.Enc},\mathsf{pkem.Dec})$ be a pKEM and let $\mathsf{D}=(\mathsf{D}_{1},\mathsf{D}_{2})$ be a distinguisher. The preprocessing key indistinguishability advantage (pkind) is denoted by $Adv^{pkind\text{-}atk}_{\mathsf{pkem},\mathsf{D}}(\lambda)$ and defined as follows:

\displaystyle|\mathrm{Pr}[\mathrm{pKIND}_{\mathsf{pkem},\mathsf{D}}^{atk\text{-}0}(\lambda)=1]-\mathrm{Pr}[\mathrm{pKIND}_{\mathsf{pkem},\mathsf{D}}^{atk\text{-}1}(\lambda)=1]|,

(3)

where the distinguishing game $\mathrm{pKIND}_{\mathsf{pkem},\mathsf{D}}^{atk\text{-}b}$ for a random bit $b\stackrel{{\scriptstyle\$}}{{\leftarrow}}\{0,1\}$ , is defined in Figure. 3.

Game $\mathrm{pKIND}_{\mathsf{pkem},\mathsf{D}}^{atk\text{-}b}(\lambda)$ Oracles $\mathsf{O}_{1}$ and $\mathsf{O}_{2}$

(r_{A},r_{B},r_{E})\stackrel{{\scriptstyle\$}}{{\leftarrow}}\mathsf{pkem.Gen}(1^{\lambda},{P_{\mathbf{X}\mathbf{Y}\mathbf{Z}}})

st_{1}\stackrel{{\scriptstyle\$}}{{\leftarrow}}\mathsf{D}_{1}^{\mathsf{O}_{1}}(r_{E})

(k^{*},c^{*})\stackrel{{\scriptstyle\$}}{{\leftarrow}}\mathsf{pkem.Enc}(r_{A})

k_{0}\leftarrow k^{*}

k_{1}\stackrel{{\scriptstyle\$}}{{\leftarrow}}\{0,1\}^{\mathsf{pkem.Len}(\lambda)}

b^{\prime}\stackrel{{\scriptstyle\$}}{{\leftarrow}}\mathsf{D}_{2}^{\mathsf{O}_{2}}(st_{1},c^{*},k_{b})

7:Return

b^{\prime}

$atk$	$\mathsf{O}_{1}(\cdot)$	$\mathsf{O}_{2}(\cdot)$
$ot$	$\varepsilon$	$\varepsilon$
$cea$	$\mathsf{\mathsf{pkem.Enc}}(r_{A},\cdot)$	$\mathsf{\mathsf{pkem.Enc}}(r_{A},\cdot)$
$cca$	$\{\mathsf{\mathsf{pkem.Enc}}(r_{A},\cdot),$ $\mathsf{\mathsf{pkem.Dec}}(r_{B},\cdot)\}$	$\{\mathsf{\mathsf{pkem.Enc}}(r_{A},\cdot),$ $\mathsf{\mathsf{pkem.Dec}}(r_{B},\cdot)\}$

Figure 3: The security game

\mathrm{pKIND}_{\mathsf{pkem},\mathsf{D}}^{atk\text{-}b}

where

b\stackrel{{\scriptstyle\$}}{{\leftarrow}}\in\{0,1\}

and

atk\in\{ot,cea,cca\}

. Here

\mathsf{O}_{1}(\cdot)

and

\mathsf{O}_{2}(\cdot)

are oracles that are accessed before and after the challenge is seen, respectively.

\mathsf{O}_{i}=\varepsilon

, for

i\in\{1,2\}

, means

\mathsf{O}_{i}

returns the empty string

\varepsilon

. The number of queries for computational (resp. unbounded) adversaries will be a polynomial in

\lambda

(resp. constant number

q_{e}

encapsulation and

q_{d}

decapsulation queries). The adversary

\mathsf{D}_{2}

cannot ask

c^{*}

to decryption oracle.

For $\text{ATK}\in\{\text{OT,CEA,CCA}\}$ , a pKEM is $\sigma(\lambda)$ -IND-ATK secure if $Adv^{pkind\text{-}atk}_{\mathsf{pkem},\mathsf{D}}(\lambda)$ is bounded by $\sigma(\lambda)$ for $\text{atk}\in\{\text{ot,cea,cca}\}$ , respectively, where $\sigma:\mathbb{N}\to[0,1)$ is a small function of $\lambda$ . The adversary $\mathsf{D}$ may be computationally $(i)$ bounded, or $(ii)$ unbounded. We call the KEM in the former case a computational KEM (cKEM), and in the latter case an information theoretic KEM (iKEM), both in preprocessing model. For a secure cKEM, $\sigma(\cdot)\in NEGL$ and for a secure iKEM $\sigma(\cdot)\in SMALL$ .

Remark 1 (iKEM with bounded-query security).

The number of queries when the adversary is computationally bounded (Definition 5) is a polynomial in $\lambda$ . We define $q$ -bounded adversaries for iKEM, where the number of queries is bounded by a known predetermined polynomial in $\lambda$ . $q$ -bounded CCA security for public-key encryption has been considered in [59] to overcome impossibility results that hold for general CCA encryption. In iKEM, the bound on the number of queries is because of the adversary’s unlimited computation power. Indistinguishability security against a $q_{e}$ -bounded CEA adversary with access to at most $q_{e}$ encapsulation queries is denoted by IND- $q_{e}$ -CEA security. Similarly, IND- $(q_{e};q_{d})$ -CCA security is defined against an attacker that is $q_{e}$ -bounded for encapsulation queries and $q_{d}$ -bounded for decapsulaton queries, where the queries can be asked according to the distinguishing game of Figure. 3.

IV-1 Ciphertext Integrity (INT-CTXT) in preprocessing model.

Ciphertext integrity (INT-CTXT) requires that the adversary’s tampering of the ciphertext be detected by a high probability. Ciphertext integrity was defined by Bellare et al. [60] for symmetric key encryption systems and it was proved that in symmetric key encryption systems, IND-CPA security together with INT-CTXT security implies IND-CCA security ([60, Theorem 3.2]). In [61], the notion of ciphertext existential unforgeability is proposed and a composition theorem ([61, Theorem 1]) is proved that shows existential unforgeability of the ciphertext together with CPA security of the encryption system, leads to CCA security of the encryption system. In the following we define integrity for KEM in preprocessing model, and prove a composition theorem to obtain CCA security.

Definition 6 (pKEM ciphertext integrity).

A pKEM $\mathsf{pkem}=(\mathsf{pkem.Gen},\mathsf{pkem.Enc},\mathsf{pkem.Dec})$ with security parameter $\lambda$ , initial joint distribution $P_{\mathbf{X}\mathbf{Y}\mathbf{Z}}$ , and the key space $\mathsf{KeySP}(\lambda)=\{0,1\}^{\mathsf{pkem.Len}(\lambda)}$ provides ciphertext integrity (INT-CTXT), if for all initial correlated samples $\big{(}r_{A},r_{B},r_{E}\big{)}$ (generated by $\mathsf{pkem.Gen}(1^{\lambda},P_{\mathbf{X}\mathbf{Y}\mathbf{Z}})$ ), and all adversaries $\mathsf{A}$ with access to the encapsulation and decapsulation queries, the key integrity advantage defined as $Adv^{kint}_{\mathsf{pkem},\mathsf{A}}(\lambda)\triangleq\mathrm{Pr}[\mathrm{KINT}_{\mathsf{pkem},\mathsf{A}}=1]$ is upper bounded by $\delta(\lambda)$ , a small function of $\lambda$ , where the integrity game $\mathrm{KINT}_{\mathsf{pkem},\mathsf{A}}$ is given in Figure. 4.

Game $\mathrm{KINT}_{\mathsf{pkem},\mathsf{A}}(\lambda)$

(r_{A},r_{B},r_{E})\stackrel{{\scriptstyle\$}}{{\leftarrow}}\mathsf{pkem.Gen}(1^{\lambda},{P_{\mathbf{X}\mathbf{Y}\mathbf{Z}}})

\hat{c}\stackrel{{\scriptstyle\$}}{{\leftarrow}}\mathsf{A}^{\mathsf{pkem.Enc}(r_{A},\cdot),\mathsf{pkem.Dec}(r_{B},\cdot)}(r_{E})

3:If

\mathsf{pkem.Dec}(r_{B},\hat{c})\neq\perp

: Return 1

Figure 4: The integrity game of pKEM. Computationally bounded adversaries can make any-poly encapsulation and decapsulation queries. Unbounded adversaries can make fixed-poly

q_{e}

encapsulation and

q_{d}

decapsulation queries.

\hat{c}

cannot be a queries output of

\mathsf{pkem.Enc}(r_{A},\cdot)

We define INT- $(q_{e};q_{d})$ -CTXT for an adversary with $q_{e}\geq 0$ encapsulation and $q_{d}>0$ decapsulation queries, where the number of allowed queries depends on the adversary being computationally bounded or unbounded.

The following theorem shows that a pKEM that is IND-CEA and INT-CTXT secure is IND-CCA secure.

Theorem 1.

Let $\mathsf{pkem}=(\mathsf{pkem.Gen},\mathsf{pkem.Enc},\mathsf{pkem.Dec})$ be a pKEM with security parameter $\lambda$ and the input distribution $P_{\mathbf{X}\mathbf{Y}\mathbf{Z}}$ . For an adversary $\mathsf{D}=(\mathsf{D}_{1},\mathsf{D}_{2})$ in the CCA key distinguishing game $\mathrm{pKIND}_{\mathsf{pkem},\mathsf{D}}^{cca\text{-}b}(\lambda)$ , there are adversaries $\mathsf{A}$ and $\mathsf{B}$ for $\mathrm{KINT}_{\mathsf{pkem},\mathsf{A}}(\lambda)$ and the CEA key distinguishing game $\mathrm{pKIND}_{\mathsf{pkem},\mathsf{B}}^{cea\text{-}b}(\lambda)$ , respectively that satisfy the following:

Adv^{pkind\text{-}cca}_{\mathsf{pkem},\mathsf{D}}(\lambda)\leq 2q_{d}Adv^{kint}_{\mathsf{pkem},\mathsf{A}}(\lambda)+Adv^{pkind\text{-}cea}_{\mathsf{pkem},\mathsf{B}}(\lambda).

If $\mathsf{D}$ makes $q_{e}$ encapsulation and $q_{d}$ decapsulation queries, $\mathsf{A}$ makes $q_{e}-1$ encapsulation and $q_{d}$ decapsulation queries to its decapsulation oracles, and $\mathsf{B}$ makes $q_{e}$ queries to its encapsulation oracle, we have the following.

1.

For computationally bounded adversaries

$\mbox{INT-CTXT cKEM }+\mbox{IND-CEA cKEM}\rightarrow\mbox{IND-CCA cKEM}.$

For computationally unbounded adversaries,

\displaystyle\mbox{INT-$(q^{\prime}_{e};q_{d})$-CTXT iKEM}+\mbox{IND-$q_{e}$-CEA iKEM}\rightarrow\mbox{IND-$(q^{\prime\prime}_{e};q_{d})$-CCA iKEM},

where $q^{\prime\prime}_{e}=min(q_{e};q^{\prime}_{e}-1)$ .

Proof sketch. For the proof of the first part, we use a sequence of two games $\mathrm{G}^{0\text{-}b}_{\mathsf{pkem},\mathsf{D}}$ and $\mathrm{G}^{1\text{-}b}_{\mathsf{pkem},\mathsf{D}}$ played by the distinguisher $\mathsf{D}$ , where $b$ is uniformly chosen from $\{0,1\}$ . The first game $\mathrm{G}^{0\text{-}b}_{\mathsf{pkem},\mathsf{D}}$ is the CCA distinguishing game ( $\mathrm{pKIND}_{\mathsf{pkem},\mathsf{D}}^{cca\text{-}b}(\lambda)$ in Figure 3). The second game, $\mathrm{G}^{1\text{-}b}_{\mathsf{pkem},\mathsf{D}}$ , is the same as $\mathrm{G}^{0\text{-}b}_{\mathsf{pkem},\mathsf{D}}$ except for its decapsulation oracle that always outputs $\perp$ , an empty string. We bound the CCA advantage of the adversary by bounding the advantage of these games. The proof of the second part uses the same sequence of games, but is against a computationally unbounded adversary. See the complete proof in Appendix A. ∎

IV-A Hybrid encryption in Preprocessing Model

We define hybrid encryption (HE) and KEM/DEM paradigm for preprocessing model, where during the offline phase, Alice, Bob and possibly Eve, receive correlated private inputs, and during the online phase, pKEM generates the key that will be used by DEM.

Definition 7 (Hybrid encryption in preprocessing model).

For a security parameter $\lambda$ , let
$\mathsf{pkem}=(\mathsf{pkem.Gen},\mathsf{pkem.Enc};\mathsf{pkem.Dec})$ be a pKEM and $\mathsf{SE}=(\mathsf{SE.Enc},\mathsf{SE.Dec})$ be a DEM with the same key space $\{0,1\}^{\ell(\lambda)}$ , for each $\lambda$ . A hybrid encryption in preprocessing model denoted by $\mathsf{HE}_{\mathsf{pkem},\mathsf{SE}}=(\mathsf{HE.Gen},\mathsf{HE.Enc},\mathsf{HE.Dec})$ is defined as given in Figure 5.

$\mathbf{Alg}\ \mathsf{HE.Gen}(1^{\lambda},P_{\mathbf{X}\mathbf{Y}\mathbf{Z}})$
$(r_{A},r_{B},r_{E})\stackrel{{\scriptstyle\$}}{{\leftarrow}}\mathsf{pkem.Gen}(1^{\lambda},P_{\mathbf{X}\mathbf{Y}\mathbf{Z}})$
Return $(r_{A},r_{B},r_{E})$

$\mathbf{Alg}\ \mathsf{HE.Enc}(r_{A},m)$	$\mathbf{Alg}\ \mathsf{HE.Dec}(r_{B},c_{1},c_{2})$
$(c_{1},k)\stackrel{{\scriptstyle\$}}{{\leftarrow}}\mathsf{pkem.Enc}(r_{A})$	If $\perp\leftarrow\mathsf{pkem.Dec}(r_{B},c_{1})$ :
$c_{2}\leftarrow\mathsf{SE.Enc}(k,m)$	Return $\perp$
Return $(c_{1},c_{2})$	Else: $m\leftarrow\mathsf{SE.Dec}(c_{2},k)$
	Return $m$

Figure 5: Hybrid encryption

\mathsf{HE}_{\mathsf{pkem},\mathsf{SE}}

in preprocessing model

Security of hybrid encryption in preprocessing model. $\mathsf{HE}_{\mathsf{pkem},\mathsf{SE}}$ is a private input encryption system, where Alice and Bob’s private inputs are not the same but are correlated. We use indistinguishability security and consider three security notions depending on the attacker’s access to the encryption and decryption oracles (during the online phase): i) no oracle access (IND-OT), ii) access to encryption queries (IND-CPA), and iii) access to encryption and decryption queries, where access in the latter two cases will be before and after receiving the challenge ciphertext (IND-CCA). The number of queries for computationally bounded adversaries is polynomial in $\lambda$ , and for unbounded adversary is a predetermined polynomial in $\lambda$ . The security notions in the latter case for $q_{e}$ encryption queries, and for $q_{e}$ encryption and $q_{d}$ decryption queries are denoted by IND- $q_{e}$ -CEA and IND- $(q_{e};q_{d})$ -CCA, respectively. The security games are similar to the security games in symmetric key encryption schemes: the adversary (after making queries according to the game type) generates two equal length (in bits) messages $m_{0}$ and $m_{1}$ , and for a random $b\in\{0,1\}$ , receives $c^{*}=\mathsf{HE}_{\mathsf{pkem},\mathsf{SE}}(m_{b})$ . It then (after making enough queries) outputs a bit $\hat{b}\in\{0,1\}$ . The indistinguishability advantage for a computationally bounded adversary $\mathsf{D}$ and $atk\in\{ot,cpa,cca\}$ , and computationally unbounded adversary $\mathsf{D}^{\prime}$ and $atk\in\{ot,q_{e}\text{-}cpa,(q_{e};q_{d})\text{-}cca\}$ , are $Adv^{ind\text{-}atk}_{\mathsf{HE}_{\mathsf{pkem},\mathsf{SE}},x}(\lambda)\triangleq|\mathrm{Pr}[\hat{b}=1|b=0]-\mathrm{Pr}[\hat{b}=1|b=1]|$ , where $x\in\{\mathsf{D},\mathsf{D}^{\prime}\}$ , $\mathsf{pkem}=\mathsf{ckem}$ when $x=\mathsf{D}$ and $\mathsf{pkem}=\mathsf{ikem}$ when $x=\mathsf{D}^{\prime}$ . The advantage is bounded by $\sigma(\lambda)$ , where $\sigma(\cdot)\in NEGL$ for adversary $\mathsf{D}$ and $\sigma(\cdot)\in SMALL$ for adversary $\mathsf{D}^{\prime}$ .

The following theorem is the counterpart for Theorem $7.2$ in [1] in preprocessing model. Theorem 7.2 in [1] considers only public key KEM. We prove the following theorem for both computational and information-theoretic KEMs (cKEM and iKEM, respectively). The theorem is proved for two types of query accesses for the adversary. One can consider similar types of results for other KEMs as defined in [2].

Theorem 2 (Hybrid encryption composition theorem).

For a security parameter $\lambda\in\mathbb{N}$ , let,

– $\mathsf{ckem}=(\mathsf{ckem.Gen},\mathsf{ckem.Enc},\mathsf{ckem.Dec})$ be an $\epsilon(\lambda)$ -correct cKEM in preprocessing model, and

– $\mathsf{ikem}=(\mathsf{ikem.Gen},\mathsf{ikem.Enc},\mathsf{ikem.Dec})$ be an $\epsilon(\lambda)$ -correct iKEM in preprocessing model,

and let $\mathsf{SE}$ denote a one-time symmetric key encryption scheme with security parameter $\lambda$ that is compatible with the corresponding $\mathsf{ckem}$ or $\mathsf{ikem}$ . Then,

	$\displaystyle 1)\quad\sigma(\lambda)\mbox{-IND-CEA}~{}\mathsf{ckem}+\sigma^{\prime}(\lambda)\mbox{-IND-OT}~{}\mathsf{SE}\rightarrow(2\sigma(\lambda)+\sigma^{\prime}(\lambda))\mbox{-IND-CPA}~{}\mathsf{HE}_{\mathsf{ckem},\mathsf{SE}}$
	$\displaystyle 2)\quad\sigma(\lambda)\mbox{-IND-CCA}~{}\mathsf{ckem}+\sigma^{\prime}(\lambda)\mbox{-IND-OT}~{}\mathsf{SE}\rightarrow(2\epsilon(\lambda)+2\sigma(\lambda)+\sigma^{\prime}(\lambda))\mbox{-IND-CCA}~{}\mathsf{HE}_{\mathsf{ckem},\mathsf{SE}}$
	$\displaystyle 3)\quad\sigma(\lambda)\mbox{-IND-}q_{e}\mbox{-CEA }\mathsf{ikem}+\sigma^{\prime}(\lambda)\mbox{-IND-OT }\mathsf{SE}\rightarrow(2\sigma(\lambda)+\sigma^{\prime}(\lambda))\mbox{-IND-}q_{e}\mbox{-CPA }\mathsf{HE}_{\mathsf{ikem},\mathsf{SE}}$
	$\displaystyle 4)\quad\sigma(\lambda)\mbox{-IND-}(q_{e};q_{d})\mbox{-CCA }\mathsf{ikem}+\sigma^{\prime}(\lambda)\mbox{-IND-OTCCA }\mathsf{SE}\rightarrow(2\epsilon(\lambda)+2\sigma(\lambda)+\sigma^{\prime}(\lambda))\mbox{-IND-}(q_{e};q_{d})\mbox{-CCA }\mathsf{HE}_{\mathsf{ikem},\mathsf{SE}}$

Security of the hybrid encryption scheme in all above cases is with respect to a computationally bounded adversary.

Proof Sketch. We prove the theorem for the first two cases; the proofs of the last two cases will be similar. We use a sequence of three games $\mathrm{G}^{0\text{-}b}_{\mathsf{D}}$ , $\mathrm{G}^{1\text{-}b}_{\mathsf{D}}$ , and $\mathrm{G}^{2\text{-}b}_{\mathsf{D}}$ , all played by a computationally bounded adversary (distinguisher) $\mathsf{D}$ . $\mathrm{G}^{0\text{-}b}_{\mathsf{D}}$ is identical to the distinguishing game of the hybrid encryption in preprocessing model. $\mathrm{G}^{1\text{-}b}_{\mathsf{D}}$ differs from $\mathrm{G}^{0\text{-}b}_{\mathsf{D}}$ in its decapsulation oracle response. For the challenge HE ciphertext $c^{*}=(c_{1}^{*},c_{2}^{*})$ , where $c_{1}^{*}$ is the ciphertext output of $\mathsf{ckem.Enc}$ and $c_{2}^{*}$ is generated by $\mathsf{SE.Enc}$ , the response will be as follows. If the decryption query $c=(c_{1},c_{2})\neq(c_{1}^{*},c_{2}^{*})$ and $c_{1}=c_{1}^{*}$ (and $c_{2}\neq c_{2}^{*}$ ), the response will be the key $k_{1}^{*}$ that was generated by the encapsulation oracle (corresponding to $c_{1}^{*}$ ); otherwise the decryption oracle of $\mathrm{G}^{1\text{-}b}_{\mathsf{D}}$ uses $\mathsf{ckem.Dec}$ to decrypt $c$ . Finally, $\mathrm{G}^{2\text{-}b}_{\mathsf{D}}$ differs from $\mathrm{G}^{1\text{-}b}_{\mathsf{D}}$ in using a uniformly sampled key instead of the key generated by the cKEM. The differences between the success probabilities of the first two, and the last two games are bounded by the failure probability of encapsulation, and the indistinguishability advantage of the of the $\mathsf{SE}$ . The complete proof is given in Appendix B. $\ \ \qed$

Note that in cases (3) and (4) of the theorem above, the iKEM is secure against a computationally unbounded adversary. Therefore, as long as the symmetric encryption scheme is quantum safe, the resulting hybrid encryption scheme will be quantum-resistant.

V Instantiating iKEM

In this section, we construct two iKEMs in correlated random model and prove their security properties. In the first construction (Construction 1) the adversary can only query the encapsulation oracle. In the second construction (Construction 2) however, the adversary can query both the encapsulation and decapsulation oracles.

For both constructions we consider the probabilistic experiment that underlies the generation of correlated triplet to be $n$ times independent repetition of a probabilistic experiment, and so $\mathbf{X}=(X_{1},\cdots,X_{n})$ , $\mathbf{Y}=(Y_{1},\cdots,Y_{n})$ and $\mathbf{Z}=(Z_{1},\cdots,Z_{n})$ respectively, where $P_{\mathbf{X}\mathbf{Y}\mathbf{Z}}(\mathbf{x},\mathbf{y},\mathbf{z})=\prod_{i=1}^{n}P_{XYZ}(x_{i},y_{i},z_{i})$ , where $\mathbf{x}=(x_{1},\cdots,x_{n})$ , $\mathbf{y}=(y_{1},\cdots,y_{n})$ and $\mathbf{z}=(z_{1},\cdots,z_{n})$ . Alice, Bob and Eve privately receive realizations of the random variables $\mathbf{X}$ , $\mathbf{Y}$ and $\mathbf{Z}$ , respectively.

This setting is considered in commonly used source model [13, 27].

V-A A CEA secure construction

An IND- $q_{e}$ -CEA secure iKEM allows adversary to query tha encapsulation oracle, and can be used to construct an IND- $q_{e}$ -CPA secure hybrid encryption where the adversary has access to encryption queries. The construction slightly modifies the IND- $q_{e}$ -CEA secure iKEM construction in [32] to increase the length of the extracted key, without compromising its security.

Construction 1 (CEA secure iKEM.).

We define an iKEM $\mathsf{ikem}_{cea}=(\mathsf{ikem.Gen},\mathsf{ikem.Enc},\mathsf{ikem.Dec})$ , as follows:

Let $P_{\mathbf{X}\mathbf{Y}\mathbf{Z}}=\prod_{i=1}^{n}P_{X_{i}Y_{i}Z_{i}}$ be the public joint distribution as defined above, and $P_{X_{i}Y_{i}Z_{i}}=P_{XYZ}$ for all $i\in\{1,\cdots,n\}$ .

Let $h:\mathcal{X}^{n}\times\mathcal{S}\rightarrow\{0,1\}^{t}$ and $h^{\prime}:\mathcal{X}^{n}\times\mathcal{S^{\prime}}\rightarrow\{0,1\}^{\ell}$ be two universal hash families. Let the ciphertext and key space be defined as $\mathcal{C}=\{0,1\}^{t}\times S^{\prime}$ and $\mathcal{K}=\{0,1\}^{\ell}$ , respectively. The iKEM $\mathsf{ikem}_{cea}$ ’s three algorithms $(\mathsf{ikem.Gen},\mathsf{ikem.Enc},\mathsf{ikem.Dec})$ are described in Algorithm 1, Algorithm 2 and Algorithm 3 respectively. The parameters $t$ and $\ell$ depend on the security parameter $\lambda$ and their relationship with other system parameters is given in section V-B.

In $\mathsf{ikem.Dec}$ (Algorithm 3), we use a parameter $\nu$ to define a set $\mathcal{R}$ . This is a decapsulation algorithm parameter that depends on $P_{\mathbf{X}\mathbf{Y}\mathbf{Z}}$ , the correlation between the RVs $\mathbf{X}$ and $\mathbf{Y}$ , and is chosen using the required correctness (and security) of the derived key. Higher correlation between the RVs $\mathbf{X}$ and $\mathbf{Y}$ leads to smaller $\nu$ for the same correctness level. The details of parameter derivation for $\nu$ and $t$ are in [19] and are also repeated in the proof of Theorem 4 which uses the same reconciliation algorithm to obtain $\mathbf{x}$ from $\mathbf{y}$ . Theorem 3 derives that the length of the extracted key gives is upper bounded or $\ell$ , the extracted key length by constructing a protocol, improving the results in [19].

Note that $\mathsf{ikem.Gen}(P_{\mathbf{X}\mathbf{Y}\mathbf{Z}})$ , in addition to the random samples, generates a random seed $s$ of appropriate size that is distributed to the parties over public authenticated channels.

Input : A public distribution

P_{\mathbf{X}\mathbf{Y}\mathbf{Z}}

Output :

(\mathbf{x},\mathbf{y},\mathbf{z})

, the seed

s

(public)

1: Samples

(\mathbf{x},\mathbf{y},\mathbf{z})\xleftarrow{\$}P_{\mathbf{X}\mathbf{Y}\mathbf{Z}}

and

send privately to Alice, Bob and Eve, respectively.

2: Sample and publish

s\xleftarrow{\$}\mathcal{S}

for

h(\cdot)

Algorithm 1

\mathsf{ikem.Gen}(P_{\mathbf{X}\mathbf{Y}\mathbf{Z}})

Input :

\mathbf{x}

and the seed

s

(output of

\mathsf{ikem.Gen}

)

Output : The final key =

k

, ciphertext =

c

1: Sample

s^{\prime}\xleftarrow{\$}\mathcal{S^{\prime}}

for

h^{\prime}(\cdot)

k

h^{\prime}(\mathbf{x},s^{\prime})

c

(h(\mathbf{x},s),s^{\prime})

4: Output =

(k,c)

Algorithm 2

\mathsf{ikem.Enc}(\mathbf{x})

Input :

\mathbf{y}

, ciphertext

c

and the seed

s

(output of

\mathsf{ikem.Gen}

)

Output : The final key

k

\perp

1: Parse

c

(v,s^{\prime})

, where

v

is a

t

-bit string

2: Let

\mathcal{R}=\{\mathbf{x}:-\log(P_{\mathbf{X}|\mathbf{Y}}(\mathbf{x}|\mathbf{y}))\leq\nu\}

3: For each

\hat{\mathbf{x}}\in\mathcal{R}

, Bob checks whether

v=h(\hat{\mathbf{x}},s)

4: if there is a unique $\hat{\mathbf{x}}\in\mathcal{R}$ such that $v=h(\hat{\mathbf{x}},s)$ then

Output

k=h^{\prime}(\hat{\mathbf{x}},s^{\prime})

else

Output

\perp

end if

Algorithm 3

\mathsf{ikem.Dec}(\mathbf{y},c)

V-B Security analysis of iKEM construction 1

Theorem 3 provides the relationship among parameters of construction 1.

The protocol is based on the OWSKA in [19]. The parameters $\nu$ and $t$ are derived in [19, Theorem 2] such that the error probability of the protocol will be upperbounded by the correctness (reliability) parameter $\epsilon$ . The iKEM construction 1 uses the same reconciliation information in all queries. That is, in the encapsulation ciphertext $c=(h(\mathbf{x},s),s^{\prime})$ , the value of $h(\mathbf{x},s)$ that is used by Bob to recover recover $\mathbf{x}$ (reconciliation information) will be the same in all queries. Each query however will include a new value of $s^{\prime}$ and so a new final key. In our construction 1, the randomness $s$ is generated during the initialization and published (or sent to Bob over a public authenticated channel). The CEA secure iKEM protocol construction in [32] however updates both parts of $c$ in each query, which results in higher information leakage from $\mathbf{x}$ and shorter length for the final key. In appendix I we have reproduced the protocol in [32] for ease of reference.

The following lemma for conditional min-entropy is proved in [29, Lemma 2], and will be used in Theorem 3.

Lemma 2.

[29] For any $X_{1}Z_{1},\cdots,X_{n}Z_{n}$ independently and identically distributed according to $P_{XZ}$ , it holds that
$\tilde{H}_{\infty}({\mathbf{X}}|{\mathbf{Z}})=n\tilde{H}_{\infty}(X|Z)$ , where ${\mathbf{X}}=(X_{1},\cdots,X_{n})$ and ${\mathbf{Z}}=(Z_{1},\cdots,Z_{n}).$

Theorem 3 (IND- $q_{e}$ -CEA).

The iKEM $\mathsf{ikem}_{cea}$ described in construction 1 establishes a secret key of length

\ell\leq\frac{n\tilde{H}_{\infty}(X|Z)+2\log(\sigma)+2-t}{q_{e}+1}

that is $2\sigma$ -indistinguishable from random by an adversary with access to $q_{e}$ encapsulation queries, where $q_{e}\geq 0$ (i.e. $2\sigma$ -IND- $q_{e}$ -CEA secure).

Proof sketch. The response to an encapsulation query leaks some information about Alice’s private sample $\mathbf{x}$ and this reduces the length of the final shared key. The response to the $i$ th encapsulation query is a key and ciphertext pair $(K_{i},C_{i})$ , where $C_{i}=(h(\mathbf{x},s),s^{\prime}_{i})$ and $h(\mathbf{x},s)$ is the same in all responses. Here $K_{i}$ and $C_{i}$ are RVs over $\{0,1\}^{\ell}$ and $\{0,1\}^{t}$ , respectively.

After seeing $(K_{i},C_{i})$ , the remaining min-entropy entropy of $\mathbf{x}$ using [21, Lemma 2.2(b)], will be lowerbounded by $\tilde{H}_{\infty}(\mathbf{X}|\mathbf{Z},\mathbf{W}^{cea}_{i})=\tilde{H}_{\infty}(\mathbf{X}|\mathbf{Z},K_{i},C_{i})\geq\tilde{H}_{\infty}(\mathbf{X}|\mathbf{Z})-\ell-t$ . Since $h(\mathbf{x},s)$ is the same in all responses, after $q_{e}$ queries, the min-entropy entropy of $\mathbf{x}$ will be $\tilde{H}_{\infty}(\mathbf{X}|\mathbf{Z})-q_{e}\ell-t$ which will be used to bound the key distinguishing advantage of the adversary. The complete proof of the theorem is in Appendix E. ∎

Comparison. The construction in [32, Theorem 2] provides a key of length

\ell\leq\frac{\tilde{H}_{\infty}(\mathbf{X}|\mathbf{Z})+2\log(\sigma)+2}{q_{e}+1}-t-\log(\frac{q_{e}}{\sigma})

that is $2\sigma$ -indistinguishable from random ( $2\sigma$ -IND- $q_{e}$ -CEA). Our Construction 1 results in a key of length

\ell\leq\frac{n\tilde{H}_{\infty}(X|Z)+2\log(\sigma)+2-t}{q_{e}+1}

that is $2\sigma$ -indistinguishable from random ( $2\sigma$ -IND- $q_{e}$ -CEA), improving the result in [32, Theorem 2].

V-C A CCA secure construction

In this section, we modify the IND- $q_{e}$ -CEA secure iKEM construction 1 in Section V-A to provide stronger security. More specifically, we extend the construction to an IND- $(q_{e};q_{d})$ -CCA secure iKEM which provides security against an adversary with access to $q_{e}$ encapsulation and $q_{d}$ decapsulation oracle queries. Access to decapsulation queries models an adversary who can tamper with the encapsulation ciphertext, and see the result of the decapsulation algorithm on its manufactured fraudulent encapsulation ciphertext.

To provide security against such adversaries we use the notion of ciphertext integrity (INT-CTXT) that requires the iKEM to satisfy definition 6 and guarantee that any tampering with $c$ will be detected by the decapsulation algorithm, with a high probability.

The iKEM construction 2 provides ciphertext integrity. According to Theorem 1, the IND- $q_{e}$ -CEA security and $(q^{\prime}_{e},q_{d})$ -ciphertext integrity (INT- $(q^{\prime}_{e},q_{d})$ -CTXT) of iKEM together lead to IND- $(q^{\prime\prime}_{e};q_{d})$ -CCA security, where $q^{\prime\prime}_{e}=\min\{q_{e},q^{\prime}_{e}-1\}$ , which is the strongest and widely used notion of security for encryption systems. The construction is based on the construction 1 but modifies its ciphertext, and requires the hash function $h$ to be a universal hash function with additional properties.

Construction 2 (CCA secure iKEM.).

We define an iKEM, $\mathsf{ikem}_{cca}=(\mathsf{ikem.Gen},\mathsf{ikem.Enc},\mathsf{ikem.Dec})$ , as follows:

Let the joint distribution of the three random variables $\mathbf{X}$ , $\mathbf{Y}$ and $\mathbf{Z}$ be described by the distribution $P_{\mathbf{X}\mathbf{Y}\mathbf{Z}}=\prod_{i=1}^{n}P_{X_{i}Y_{i}Z_{i}}$ that is obtained as product of $n$ independent copies of the distribution $(X,Y,Z)$ , where $\mathbf{X}=(X_{1},\cdots,X_{n})$ , $\mathbf{Y}=(Y_{1},\cdots,Y_{n})$ , $\mathbf{Z}=(Z_{1},\cdots,Z_{n})$ and $P_{X_{i}Y_{i}Z_{i}}=P_{XYZ}$ for $1\leq i\leq n$ . The joint distribution $P_{\mathbf{X}\mathbf{Y}\mathbf{Z}}$ is used to generate the correlated random samples of $\mathbf{X},\mathbf{Y},\mathbf{Z}\in{\mathcal{X}}^{n}$ .

Let $h^{\prime}:\mathcal{X}^{n}\times\mathcal{S^{\prime}}\rightarrow\{0,1\}^{\ell}$ be a universal hash family, and $h:\mathcal{X}^{n}\times(\mathcal{S^{\prime}}\times\mathcal{S})\rightarrow\{0,1\}^{t}$ denote a second universal hash family with extra properties as constructed in Section V-E.

Let $\mathcal{C}=\{0,1\}^{t}\times\mathcal{S^{\prime}}\times\mathcal{S}$ and $\mathcal{K}=\{0,1\}^{\ell}$ denote the ciphertext and key domains, respectively.

The $\mathsf{ikem}_{cca}$ algorithms $(\mathsf{ikem.Gen},\mathsf{ikem.Enc},\mathsf{ikem.Dec})$ are, Algorithm 4, Algorithm 5 and Algorithm 6, respectively.

The hash function parameters $t$ and $\ell$ are functions of the security parameter $\lambda$ and together with the other iKEM parameters are derived in Theorem 4 and Theorem 5 in section V-D. The parameter $\nu$ is defined and used the same as in Construction 1. Note that the initialization phase is only used to generate and securely distribute the private inputs of participants. The seed $s$ will be generated independently for each instance of the protocol and will be protected against the adversary’s tampering through the additional properties of $h$ .

Input : Distribution

P_{\mathbf{X}\mathbf{Y}\mathbf{Z}}

Output :

(\mathbf{x},\mathbf{y},\mathbf{z})

1: Samples

(\mathbf{x},\mathbf{y},\mathbf{z})\xleftarrow{\$}P_{\mathbf{X}\mathbf{Y}\mathbf{Z}}

; and

send privately to Alice, Bob and Eve, respectively.

Algorithm 4

\mathsf{ikem.Gen}(P_{\mathbf{X}\mathbf{Y}\mathbf{Z}})

Input :

\mathbf{x}

Output : extracted key =

k

, ciphertext =

c

1: Generate seed

s^{\prime}\xleftarrow{\$}\mathcal{S^{\prime}}

for

h^{\prime}(\cdot)

2: Generate seed

s\xleftarrow{\$}\mathcal{S}

for

h(\cdot)

k

h^{\prime}(\mathbf{x},s^{\prime})

c

(h(\mathbf{x},(s^{\prime},s)),s^{\prime},s)

5: Output =

(k,c)

Algorithm 5

\mathsf{ikem.Enc}(\mathbf{x})

Input :

\mathbf{y}

and ciphertext

c

Output : An extracted key

k

\perp

1: Parse

c

(v,s^{\prime},s)

, where

v

is a

t

-bit string

\displaystyle\text{2: }\mathcal{R}=\{\mathbf{x}:-\log(P_{\mathbf{X}|\mathbf{Y}}(\mathbf{x}|\mathbf{y}))\leq\nu\}

(4)

3: For each

\hat{\mathbf{x}}\in\mathcal{R}

, Bob checks whether

v=h(\hat{\mathbf{x}},(s^{\prime},s))

4: if there is a unique $\hat{\mathbf{x}}\in\mathcal{R}$ such that $v=h(\hat{\mathbf{x}},(s^{\prime},s))$ then

Output

k=h^{\prime}(\hat{\mathbf{x}},s^{\prime})

else

Output

\perp

end if

Algorithm 6

\mathsf{ikem.Dec}(\mathbf{y},c)

V-C1 Relation with CEA secure iKEM

To provide CCA security in Construction 2, we modify Construction 1 and use the seeds of both hash functions as input to $h$ , which is randomly selected from a function family that in addition to being a universal hash function family, can be interpreted as an information theoretic MAC with partially leaked secret key $\mathbf{x}$ , that detects tampering with the seeds $s^{\prime}$ and seed $s$ . More specifically, $h(\mathbf{x},(s^{\prime},s))$ is a universal hash function family with seed $(s^{\prime},s)$ that is evaluated on the input $\mathbf{x}$ , and a MAC with key $\mathbf{x}$ that is evaluated on the message $(s^{\prime},s)$ . The construction of $h$ is given in Section V-E, and proof of CCA security of iKEM is given in Section V-E.

V-D Security analysis of iKEM construction 2

We prove security properties of the construction using two main theorems. The proofs also determine parameters that must be used to guarantee the required levels of correctness and security. Theorem 4 proves reliability and IND- $q_{e}$ -CEA security of the iKEM. Theorem 5 proves ciphertext integrity of the construction, and together with Theorem 4 proves IND- $(0,q_{d})$ -CCA security of the construction.

Theorem 4 (reliability and IND- $q_{e}$ -CEA).

Let $\nu$ and $t$ satisfy,

	$\displaystyle\nu$	$\displaystyle=$	$\displaystyle nH(X\|Y)+\sqrt{n}\log(\|\mathcal{X}\|+3)\sqrt{\log(\frac{\sqrt{n}}{(\sqrt{n}-1)\epsilon})},$
	$\displaystyle t$	$\displaystyle\geq$	$\displaystyle nH(X\|Y)+\sqrt{n}\log(\|\mathcal{X}\|+3)\sqrt{\log(\frac{\sqrt{n}}{(\sqrt{n}-1)\epsilon})}+\log(\frac{\sqrt{n}}{\epsilon}).$

Then the iKEM $\mathsf{ikem}_{cca}$ in construction 2 establishes a secret key of length $\ell\leq\frac{n\tilde{H}_{\infty}(X|Z)+2\log(\sigma)+2}{q_{e}+1}-t$ that is $\epsilon$ -correct and $2\sigma$ -indistinguishable from random by an adversary with access to $q_{e}$ encapsulation queries, where $q_{e}\geq 0$ (i.e. $2\sigma$ -IND- $q_{e}$ -CEA secure).

Proof sketch.

Correctness (reliability). We first determine the values of $\nu$ and $t$ that guarantee correctness (reliability) for the given $\epsilon$ , and then prove security. Decapsulation algorithm $\mathsf{ikem.Dec}(\cdot)$ searches the set $\mathcal{R}$ that is defined by $P_{\mathbf{X}|\mathbf{Y}}$ and $\nu$ , to find a unique value $\hat{\mathbf{x}}$ that satisfies $h(\hat{\mathbf{x}},(s^{\prime},s))=v$ were $v$ is the received hash value. The algorithm fails if at least one of the following events occurs:

	$\displaystyle\mathcal{E}_{1}=\{\mathbf{x}:\mathbf{x}\notin\mathcal{R}\}=\{\mathbf{x}:-\log(P_{\mathbf{X}\|\mathbf{Y}}(\mathbf{x}\|\mathbf{y}))>\nu\}\text{ and }$
	$\displaystyle\mathcal{E}_{2}=\{\mathbf{x}\in\mathcal{R}:\exists\text{ }\hat{\mathbf{x}}\in\mathcal{R}\text{ s.t. }h(\mathbf{x},(s^{\prime},s))=h(\hat{\mathbf{x}},(s^{\prime},s)\}.$

We use [62, Theorem 2] and the property of universal hash function $h$ to bound these two probabilities and prove that with appropriate choice of parameters, the sum of these two probabilities is bounded by $\epsilon$ .

Security: Key indistinguishability. The response to and encapsulation query, $(K_{i},C_{i})$ , leaks information about the secret key $\mathbf{x}$ . We use [21, Lemma 2.2(b)] to estimate the remaining min-entropy entropy of $\mathbf{x}$ as,

\tilde{H}_{\infty}(\mathbf{X}|\mathbf{Z},\mathbf{W}^{cea}_{i})=\tilde{H}_{\infty}(\mathbf{X}|\mathbf{Z},K_{i},C_{i})\geq\tilde{H}_{\infty}(\mathbf{X}|\mathbf{Z})-\ell-t,

where $K_{i}$ and $C_{i}$ are RVs over $\{0,1\}^{\ell}$ and $\{0,1\}^{t}$ respectively. By bounding the total leakage of $q_{e}$ queries, we bound the key distinguishing advantage of the adversary.

The complete proof of the theorem is in Appendix F. ∎

V-E Ciphertext integrity of construction 2

To achieve ciphertext integrity, we use the construction of a universal hash function $h:\mathcal{X}^{n}\times(\mathcal{S^{\prime}}\times\mathcal{S})\to\{0,1\}^{t}$ described below.

Construction of $h$ . For a vector of $n$ components denoted by $\mathbf{x}$ , let $\mathbf{x}_{1}=[\mathbf{x}]_{1\cdots t}$ and $\mathbf{x}_{2}=[\mathbf{x}]_{t+1\cdots n}$ , where $\mathbf{x}=\mathbf{x}_{2}\parallel\mathbf{x}_{1}$ and $t\leq n/2$ .

We define a universal hash family with seed space $(\mathcal{S^{\prime}}\times\mathcal{S})$ and input space ${\mathcal{X}}^{n}$ , where $\mathcal{S}=GF(2^{n-t})\times GF(2^{t})$ , $\mathcal{S^{\prime}}=GF(2^{w})$ , for some suitable $w\in\mathbb{N}$ , and $\mathcal{X}^{n}=GF(2^{n})$ . Let $s^{\prime}\in\mathcal{S^{\prime}}$ . We write $s^{\prime}$ as a vector of elements $(s^{\prime}_{1},\cdots,s^{\prime}_{r})$ where each element is from $GF(2^{n-t})$ , where $r$ is an even number satisfying:
$(r-2)(n-t)<w\leq r(n-t)$ . (We use padding with 1’s for $s^{\prime}_{r}$ and $s^{\prime}_{r-1}$ , when needed.). Let $s=(s_{2},s_{1})\in\mathcal{S}$ with $s_{2}\in GF(2^{n-t})$ and $s_{1}\in GF(2^{t})$ .

The hash function $h\big{(}\mathbf{x},(s^{\prime},s)\big{)}$ with seed $(s^{\prime},s)$ and input $\mathbf{x}\in{\mathcal{X}}^{n}$ is given by,

	$\displaystyle h\big{(}\mathbf{x},(s^{\prime},s)\big{)}=h\big{(}\mathbf{x},(s^{\prime},s_{2},s_{1})\big{)}$		(5)
	$\displaystyle\qquad\qquad\quad\hskip 3.00003pt=\big{[}(\mathbf{x}_{2})^{r+3}+{\sum}_{i=1}^{r}s^{\prime}_{i}(\mathbf{x}_{2})^{i+1}+s_{2}\mathbf{x}_{2}\big{]}_{1\cdots t}+(\mathbf{x}_{1})^{3}+s_{1}\mathbf{x}_{1}.$

Lemma 3.

$h$ is a universal hash family.

Proof is in Appendix G.

Proving ciphertext integrity. In Theorem 5, we prove that the construction 2 is an iKEM that satisfies ciphertext integrity as given in Definition 6, for $q_{e}=1$ and $q_{d}$ . The proof of the theorem relies on Lemmas 4, 5, and 6.

Lemma 4.

Consider a joint distribution $P_{\mathbf{X}\mathbf{Y}}$ , and let $A$ denote a random variable over a set of size at most $2^{\alpha}$ . Then,

	$\displaystyle\underset{a\leftarrow A}{\mathbb{E}}\max_{\mathbf{x}}\sum_{\mathbf{y}:P_{\mathbf{X}\|\mathbf{Y}}(\mathbf{x}\|\mathbf{y}))\geq 2^{-\nu}}\mathrm{Pr}[\mathbf{Y}=\mathbf{y}\|A=a]$
	$\displaystyle\leq 2^{\alpha}\max_{\mathbf{x}}\sum_{\mathbf{y}:P_{\mathbf{X}\|\mathbf{Y}}(\mathbf{x}\|\mathbf{y}))\geq 2^{-\nu}}\mathrm{Pr}[\mathbf{Y}=\mathbf{y}].$

Proof.

	$\displaystyle\underset{a\leftarrow A}{\mathbb{E}}\max_{\mathbf{x}}\sum_{\mathbf{y}:P_{\mathbf{X}\|\mathbf{Y}}(\mathbf{x}\|\mathbf{y}))\geq 2^{-\nu}}\mathrm{Pr}[\mathbf{Y}=\mathbf{y}\|A=a]$
	$\displaystyle=\sum_{a}\mathrm{Pr}[A=a]\max_{\mathbf{x}}\sum_{\mathbf{y}:P_{\mathbf{X}\|\mathbf{Y}}(\mathbf{x}\|\mathbf{y}))\geq 2^{-\nu}}\mathrm{Pr}[\mathbf{Y}=\mathbf{y}\|A=a]$
	$\displaystyle=\sum_{a}\max_{\mathbf{x}}\sum_{\mathbf{y}:P_{\mathbf{X}\|\mathbf{Y}}(\mathbf{x}\|\mathbf{y}))\geq 2^{-\nu}}\mathrm{Pr}[\mathbf{Y}=\mathbf{y}\|A=a]\mathrm{Pr}[A=a]$
	$\displaystyle=\sum_{a}\max_{\mathbf{x}}\sum_{\mathbf{y}:P_{\mathbf{X}\|\mathbf{Y}}(\mathbf{x}\|\mathbf{y}))\geq 2^{-\nu}}\mathrm{Pr}[\mathbf{Y}=\mathbf{y},A=a]$
	$\displaystyle\leq\sum_{a}\max_{\mathbf{x}}\sum_{\mathbf{y}:P_{\mathbf{X}\|\mathbf{Y}}(\mathbf{x}\|\mathbf{y}))\geq 2^{-\nu}}\mathrm{Pr}[\mathbf{Y}=\mathbf{y}]$
	$\displaystyle\leq 2^{\alpha}\max_{\mathbf{x}}\sum_{\mathbf{y}:P_{\mathbf{X}\|\mathbf{Y}}(\mathbf{x}\|\mathbf{y}))\geq 2^{-\nu}}\mathrm{Pr}[\mathbf{Y}=\mathbf{y}]$

∎

Let $P_{S}$ denote the best success probability of the adversary in guessing a key $\mathbf{x}_{f}$ for the encapsulation algorithm 5, such that it is considered valid by the decapsulation algorithm 6. That is, $\Pr(\mathbf{x}_{f}|\mathbf{y})\geq 2^{-\nu}$ for (the unknown) decapsulation key $\mathbf{y}$ .

Lemma 5.

The success probability of constructing a ciphertext $c_{f}$ that is accepted by the decapsulation algorithm is bounded as follows.

\displaystyle\mbox{$P_{S}$}\geq\max\{\max_{\mathbf{x}}\sum_{\mathbf{y}^{\prime}:\Pr(\mathbf{x}|\mathbf{y}^{\prime})\geq 2^{-\nu}}\Pr(\mathbf{x},\mathbf{y}^{\prime}|\mathbf{z}),\max_{\mathbf{y}}\sum_{\mathbf{x}^{\prime}:\Pr(\mathbf{x}^{\prime}|\mathbf{y})\geq 2^{-\nu}}\Pr(\mathbf{x}^{\prime},\mathbf{y}|\mathbf{z})\}.

(6)

2. Assuming equality in the above bound,

\displaystyle\mbox{$P_{S}$}\leq\max\{\max_{\mathbf{x}}\sum_{\mathbf{y}^{\prime}:\Pr(\mathbf{x}|\mathbf{y}^{\prime})\geq 2^{-\nu}}P_{\mathbf{Y}}(\mathbf{y}^{\prime}|\mathbf{z}),\max_{\mathbf{y}}\sum_{\mathbf{x}^{\prime}:\Pr(\mathbf{x}^{\prime}|\mathbf{y})\geq 2^{-\nu}}P_{\mathbf{X}}(\mathbf{x}^{\prime}|\mathbf{z})\}

Proof.

1. The encapsulation algorithm uses the key $\mathbf{x}$ , and the decapsulation algorithm uses the key $\mathbf{y}$ , both unknown to the adversary. To be accepted by the decapsulation algorithm, a guessed value $\mathbf{x}^{\prime}$ must belong to the set $\cal R$ defined by the decapsulation algorithm 6. That is $\Pr(\mathbf{x}^{\prime}|\mathbf{y})\geq 2^{-\nu}$ for the unknown $\mathbf{y}$ . The adversary may use two types of guessing strategies to find a candidate $\mathbf{x}_{f}$ : guess Alice’s key from ${\cal X}^{n}$ such that it belongs to $\cal R$ for the unknown $\mathbf{y}$ , or guess a Bob’s key $\mathbf{y}$ , and choose one of the $\mathbf{x}^{\prime}$ that satisfy $\cal R$ defined with respect to $\mathbf{y}$ . The best success probabilities of these two types of guessing strategies are denoted by $P^{(\mathbf{X})}_{S}$ and $P^{(\mathbf{Y})}_{S}$ , respectively.

We have

	$\displaystyle P_{S}$	$\displaystyle\geq$	$\displaystyle\max\{\Pr(\mbox{Guess $\mathbf{x}$ from ${\cal X}^{n}$},\Pr(\mbox{Guess $\mathbf{y}$ from ${\cal Y}^{n}$})\}$		(7)
		$\displaystyle\geq$	$\displaystyle\max\{P^{(\mathbf{X})}_{S},P^{(\mathbf{Y})}_{S}\}$		(7)

The encapsulation and decapsulation algorithms are deterministic and probabilities are over the probability space $\Pr(\mathbf{x},\mathbf{y},\mathbf{z})$ .

$(i)$ To bound $P^{(\mathbf{X})}_{S}=\Pr(\mbox{Guess}\mathbf{x}\mbox{from }{\cal X}^{n})$ , we note that each $\mathbf{x}$ will be accepted by all $\mathbf{y}$ that satisfy $\Pr(\mathbf{x}|\mathbf{y})\geq 2^{-\nu}$ .

This means that the adversary’s success probability that a ciphertext $c=(v,s^{\prime},s)$ that is constructed using a guessed key $\mathbf{X}=\mathbf{x}$ be accepted by decapsulation algorithm that uses the unknown key $\mathbf{y}$ , corresponds to the probability of the set of sample points $(\mathbf{X}=\mathbf{x},\mathbf{Y}=\mathbf{y}^{\prime})$ (key pairs) where

\sum_{\mathbf{y}^{\prime}:\Pr(\mathbf{x}|\mathbf{y}^{\prime})\geq 2^{-\nu}}\Pr(\mathbf{x},\mathbf{y}^{\prime}|\mathbf{z})

which can be computed by the adversary (conditional distribution $\Pr(\mathbf{X},\mathbf{Y}|\mathbf{Z})$ ). Therefore, to each $\mathbf{x}\in{\cal X}^{n}$ we associate a weight $\sum_{\mathbf{y}^{\prime}:\Pr(\mathbf{x}|\mathbf{y}^{\prime})\geq 2^{-\nu}}\Pr(\mathbf{x},\mathbf{y}^{\prime}|\mathbf{z})$ that is the acceptance probability of the ciphertext by some $\mathbf{y}\in{\cal Y}^{n}$ . The best guess for $\mathbf{x}$ will be by finding the element of ${\cal X}^{n}$ with the highest acceptance probability,

P^{(\mathbf{X})}_{S}=\max_{\mathbf{x}}\sum_{\mathbf{y}^{\prime}:\Pr(\mathbf{x}|\mathbf{y}^{\prime})\geq 2{-\nu}}\Pr(\mathbf{x},\mathbf{y}^{\prime}|\mathbf{z}).

(This also determines the value ${\mathbf{x}}^{*}$ (i.e. $\mathbf{x}_{f}$ ) that can be used to construct $c_{f}$ .) (We note that the acceptance probabilities attached to elements of ${\cal X}^{n}$ do not form a probability distribution on $\cal X$ .)

$(ii)$ To find $P^{(\mathbf{Y})}_{S}$ using ${\cal Y}^{n}$ , we note that each $\mathbf{y}$ will accept all Alice’s key values $\mathbf{x}^{\prime}$ s that satisfy $\Pr(\mathbf{x}^{\prime}|\mathbf{y})\geq 2^{-\nu}$ .

This attaches an acceptance probability to each $\mathbf{y}\in{\cal Y}^{n}$ that is the total probability of ciphertexts $c=(v,s^{\prime},s)$ being accepted by a $\mathbf{y}$ when Alice’s key is not known, and is obtained by summing probabilities of the set $(\mathbf{x}^{\prime},\mathbf{y})$ of sample points (key instances) as follows

\sum_{\mathbf{x}^{\prime}:\Pr(\mathbf{x}^{\prime}|\mathbf{y})\geq 2^{-\nu}}\Pr(\mathbf{x}^{\prime},\mathbf{y}|\mathbf{z}).

Thus, the best guess for Bob’s key $\mathbf{y}$ for accepting a ciphertext when Alice’s key is unknown, is given by

\displaystyle P^{(\mathbf{Y})}_{S}=\max_{\mathbf{y}}\sum_{\mathbf{x}^{\prime}:\Pr(\mathbf{x}^{\prime}|\mathbf{y})\geq 2^{-\nu}}\Pr(\mathbf{x}^{\prime},\mathbf{y}|\mathbf{z}).

(8)

Therefore,

	$\displaystyle P_{S}\geq\max\{P^{(\mathbf{X})}_{S},P^{(\mathbf{Y})}_{S}\}$
	$\displaystyle\quad\geq\max\{\max_{\mathbf{x}}\sum_{\mathbf{y}^{\prime}:\Pr(\mathbf{x}\|\mathbf{y}^{\prime})\geq 2^{-\nu}}\Pr(\mathbf{x},\mathbf{y}^{\prime}\|\mathbf{z}),\max_{\mathbf{y}}\sum_{\mathbf{x}^{\prime}:\Pr(\mathbf{x}^{\prime}\|\mathbf{y})\geq 2^{-\nu}}\Pr(\mathbf{x}^{\prime},\mathbf{y}\|\mathbf{z})\}$		(9)

2. Simplifying the bound: Consider the case that the expression 6 holds with equality. That is the $\mathbf{x}$ value that results in the highest success probability for successful ciphertext forgery can be obtained by using one of the two key guessing strategies outlined above to guess a key $\mathbf{x}_{f}$ and compute $h(\mathbf{x},(s^{\prime},s))$ . This is true because any ciphertext that is accepted by the decapsulation algorithm must be well formed, and correspond to the evaluation of a polynomial defined by $(s^{\prime},s)$ using a key that satisfies $P(\mathbf{x}|\mathbf{y})\geq 2^{-\nu}$ . A computationally unbounded adversary can always find the roots of such a polynomial, and so any forged ciphertext can be generated by choosing a key $\mathbf{x}_{f}$ that satisfies the required condition, and using the encapsulation algorithm. This is somewhat similar to the notion of plaintext awareness in computational security [63, 64], where it is assumed that the adversary can create ciphertexts for which it is able to “extract” the corresponding plaintext.

Thus we have,

P_{S}=\max\{P^{(\mathbf{X})}_{S},P^{(\mathbf{Y})}_{S}\}.

We then use the following approximation in terms of marginal distributions of $\Pr_{\mathbf{X}}(\mathbf{x})$ and $\Pr_{\mathbf{Y}}(\mathbf{y})$ .

Let $\mathbf{x}^{*}$ and $\mathbf{y}^{*}$ be the $\mathbf{x}$ and $\mathbf{y}$ values that maximize the expressions, $\max_{\mathbf{x}}\sum_{\mathbf{y}^{\prime}:\Pr(\mathbf{x}|\mathbf{y}^{\prime})\geq 2^{-\nu}}\Pr(\mathbf{x},\mathbf{y}^{\prime}|\mathbf{z})$ and
$\max_{\mathbf{y}}\sum_{\mathbf{x}^{\prime}:\Pr(\mathbf{x}^{\prime}|\mathbf{y})\geq 2^{-\nu}}\Pr(\mathbf{x}^{\prime},\mathbf{y}|\mathbf{z})$ , respectively, and $\Pr_{\mathbf{X}}(\mathbf{x})$ and $\Pr_{\mathbf{Y}}(\mathbf{y})$ denote marginal distributions of $\mathbf{X}$ and $\mathbf{Y}$ .

Since $\Pr_{\mathbf{X},\mathbf{Y}}(\mathbf{x},\mathbf{y}|\mathbf{z})\leq\Pr_{\mathbf{X}}(\mathbf{x}|\mathbf{z})$ , we have

\displaystyle P_{S}

\displaystyle\leq\max\{\sum_{\mathbf{y}^{\prime}:\Pr_{\mathbf{X}|\mathbf{Y}}(\mathbf{x}^{*}|\mathbf{y}^{\prime})\geq 2^{-\nu}}\Pr_{\mathbf{Y}}(\mathbf{y}^{\prime}|\mathbf{z}),\sum_{\mathbf{x}^{\prime}:\Pr_{\mathbf{X}|\mathbf{Y}}(\mathbf{x}^{\prime}|\mathbf{y}^{*})\geq 2^{-\nu}}\Pr_{\mathbf{X}}(\mathbf{x}^{\prime}|\mathbf{z})\}

Note that

	$\displaystyle\sum_{\mathbf{y}^{\prime}:\Pr(\mathbf{x}^{*}\|\mathbf{y}^{\prime})\geq 2^{-\nu}}\Pr_{\mathbf{Y}}(\mathbf{y}^{\prime}\|\mathbf{z})\leq\max_{\mathbf{x}}\sum_{\mathbf{y}^{\prime}:\Pr(\mathbf{x}\|\mathbf{y}^{\prime})\geq 2^{-\nu}}\Pr_{\mathbf{Y}}(\mathbf{y}^{\prime}\|\mathbf{z})$		(10)
	$\displaystyle\sum_{\mathbf{x}^{\prime}:\Pr(\mathbf{x}^{\prime}\|\mathbf{y}^{*})\geq 2^{-\nu}}\Pr_{\mathbf{X}}(\mathbf{x}^{\prime}\|\mathbf{z})\leq\max_{\mathbf{y}}\sum_{\mathbf{x}^{\prime}:\Pr(\mathbf{x}^{\prime}\|\mathbf{y})\geq 2^{-\nu}}\Pr_{\mathbf{X}}(\mathbf{x}^{\prime}\|\mathbf{z})$		(11)

This is true because the RHSs of 10 and 11 are maximizing over all $\mathbf{x}$ values of $\mathbf{x}$ and $\mathbf{y}$ , respectively.

Therefore,

\displaystyle P_{S}

\displaystyle\leq\max\{\max_{\mathbf{x}}\sum_{\mathbf{y}^{\prime}:\Pr(\mathbf{x}|\mathbf{y}^{\prime})\geq 2^{-\nu}}\Pr_{\mathbf{Y}}(\mathbf{y}^{\prime}|\mathbf{z}),\max_{\mathbf{y}}\sum_{\mathbf{x}^{\prime}:\Pr(\mathbf{x}^{\prime}|\mathbf{y})\geq 2^{-\nu}}\Pr_{\mathbf{X}}(\mathbf{x}^{\prime}|\mathbf{z})\}.

(12)

∎

Note. We will use the above calculation for conditional distributions that takes into account all the adversary’s information about $\mathbf{x}$ , in particular after one query, that is $(k,c)$ ,

\displaystyle P_{S}

\displaystyle\leq\max\{\max_{\mathbf{x}}\sum_{\mathbf{y}^{\prime}:\Pr(\mathbf{x}|\mathbf{y}^{\prime})\geq 2^{-\nu}}P_{\mathbf{Y}}(\mathbf{y}^{\prime}|(k,c),\mathbf{z}),\max_{\mathbf{y}}\sum_{\mathbf{x}^{\prime}:\Pr(\mathbf{x}^{\prime}|\mathbf{y})\geq 2^{-\nu}}P_{\mathbf{X}}(\mathbf{x}^{\prime}|(k,c),\mathbf{z})\}.

(13)

In the following we will use $h(\mathbf{x},(s^{\prime},s))$ and recall the following notations: $(i)$ $\mathbf{x}\in{\cal X}^{n}$ is written as $\mathbf{x}=(\mathbf{x}_{2}\parallel\mathbf{x}_{1})$ and $\mathbf{x}_{2}=(x_{n},x_{n-1},\cdots x_{t+1})$ , and $\mathbf{x}_{1}=(x_{t},x_{t-1},\cdots x_{1})$ where $``\parallel"$ denotes concatenation of two vectors; and $(ii)$ $s^{\prime}$ , suitably padded, is written as a sequence $(s^{\prime}_{1},\cdots,s^{\prime}_{r})$ where $s^{\prime}_{i}\in GF(2^{n-t})$ , $\forall i\in\{1,\cdots,r\}$ , and $s=(s_{2},s_{1})$ where $s_{2}\in GF(2^{n-t})$ and $s_{1}\in GF(2^{t})$ .

Lemma 6.

The lemma has two parts.

(i)

The number of $\mathbf{x}=(\mathbf{x}_{2}\parallel\mathbf{x}_{1})$ that satisfies the following two equations (in $GF(2^{t})$ ) for two values of $v$ and $v_{f}$ :

	$\displaystyle v$	$\displaystyle=$	$\displaystyle h(\mathbf{x},(s^{\prime},s))=\big{[}(\mathbf{x}_{2})^{r+3}+{\sum}_{i=1}^{r}s^{\prime}_{i}(\mathbf{x}_{2})^{i+1}+s_{2}\mathbf{x}_{2}\big{]}_{1\cdots t}+(\mathbf{x}_{1})^{3}+s_{1}\mathbf{x}_{1}$		(14)
	$\displaystyle v_{f}$	$\displaystyle=$	$\displaystyle h(\mathbf{x},s_{f}^{\prime},s_{f})=\big{[}(\mathbf{x}_{2})^{r+3}+{\sum}_{i=1}^{r}s^{\prime}_{f,i}(\mathbf{x}_{2})^{i+1}+s_{f,2}\mathbf{x}_{2}\big{]}_{1\cdots t}+(\mathbf{x}_{1})^{3}+s_{f,1}\mathbf{x}_{1},$		(15)

is at most $3(r+1)2^{n-2t}$ .

In these equations, $\mathbf{x}_{2},s_{2},s_{f,2},s_{f,1}^{\prime},..~{},s_{f,r}^{\prime},s^{\prime}_{1},..~{},s^{\prime}_{r}\in GF(2^{n-t})$ , $v,v_{f},\mathbf{x}_{1},s_{1},s_{f,1}\in GF(2^{t})$ , and
$((s^{\prime}_{f,1},\cdots,s^{\prime}_{f,r}),(s_{f,2},s_{f,1}))\neq((s^{\prime}_{1},\cdots,s^{\prime}_{r}),(s_{2},s_{1}))$ .

(ii)

Let $\mathbf{x}=(\mathbf{x}_{2}\parallel\mathbf{x}_{1})$ and $\mathbf{x}^{\prime}=(\mathbf{x}^{\prime}_{2}\parallel\mathbf{x}^{\prime}_{1})$ satisfy $v=h(\mathbf{x},(s^{\prime},s))$ and $v_{f}=h(\mathbf{x}^{\prime},s^{\prime}_{f},s_{f})$ , respectively, where $s^{\prime}_{f}$ and $s_{f}$ are defined as in $(i)$ . Assume $\mathbf{x}=\mathbf{x}^{\prime}+\mathbf{e}$ for some $\mathbf{e}=(\mathbf{e}_{2}\parallel\mathbf{e}_{1})\in GF(2^{n})$ , $\mathbf{e}_{2}\in GF(2^{n-t}),\mathbf{e}_{1}\in GF(2^{t})$ and $\mathbf{e}\neq{\bf 0}$ . Then the number of $\mathbf{x}^{\prime}=(\mathbf{x}^{\prime}_{2}\parallel\mathbf{x}^{\prime}_{1})$ that satisfies the following equations:

	$\displaystyle v$	$\displaystyle=$	$\displaystyle\big{[}(\mathbf{x}^{\prime}_{2}+\mathbf{e}_{2})^{r+3}+{\sum}_{i=1}^{r}s^{\prime}_{i}(\mathbf{x}^{\prime}_{2}+\mathbf{e}_{2})^{i+1}+s_{2}(\mathbf{x}^{\prime}_{2}+\mathbf{e}_{2})\big{]}_{1\cdots t}+(\mathbf{x}^{\prime}_{1}+\mathbf{e}_{1})^{3}+s_{1}(\mathbf{x}^{\prime}_{1}+\mathbf{e}_{1})$		(16)
	$\displaystyle v_{f}$	$\displaystyle=$	$\displaystyle\big{[}(\mathbf{x}^{\prime}_{2})^{r+3}+{\sum}_{i=1}^{r}s^{\prime}_{f,i}(\mathbf{x}^{\prime}_{2})^{i+1}+s_{f,2}\mathbf{x}^{\prime}_{2}\big{]}_{1\cdots t}+(\mathbf{x}^{\prime}_{1})^{3}+s_{f,1}\mathbf{x}^{\prime}_{1},$		(17)

is at most $(r+3)(r+2)2^{n-2t}$ where, $(\mathbf{e}_{2}\parallel\mathbf{e}_{1})$ is a non-zero vector and
$(v_{f},(s^{\prime}_{f,1},\cdots,s^{\prime}_{f,r}),(s_{f,2},s_{f,1}))\neq(v,(s^{\prime}_{1},\cdots,s^{\prime}_{r}),(s_{2},s_{1}))$ .

Proof.

$(i)$ From equation 14 and equation 15, we have

\displaystyle v-v_{f}=

\displaystyle\big{[}{\sum}_{i=1}^{r}(s^{\prime}_{i}-s^{\prime}_{f,i})(\mathbf{x}_{2})^{i+1}+(s_{2}-s_{f,2})\mathbf{x}_{2}\big{]}_{1\cdots t}+(s_{1}-s_{f,1})\mathbf{x}_{1}

(18)

where arithmetic operations are in the corresponding binary extension finite fields. If $(s_{1}=s_{f,1})$ , then
$((s^{\prime}_{1},\cdots,s^{\prime}_{r}),s_{2})\neq((s^{\prime}_{f,1},\cdots,s^{\prime}_{f,r}),s_{f,2})$ as $(s^{\prime}_{f},s_{f})\neq(s^{\prime},s)$ . Therefore, the degree of the equation 18 in $\mathbf{x}_{2}$ is at most $(r+1)$ . The term $\big{[}{\sum}_{i=1}^{r}(s^{\prime}_{i}-s^{\prime}_{f,i})(\mathbf{x}_{2})^{i+1}+(s_{2}-s_{f,2})\mathbf{x}_{2}\big{]}$ takes on each element of the field $GF(2^{n-t})$ at most $(r+1)$ times as $\mathbf{x}_{2}$ varies. This is because the degree of the polynomial is $(r+1)$ and so there are at most $(r+1)(2^{n-t}/2^{t})=(r+1)2^{n-2t}$ values of $\mathbf{x}_{2}$ that satisfy equation 18.

Equation 14, for fixed $v_{f}$ and $\mathbf{x}_{2}$ , is a polynomial of degree three, and hence for each value of $\mathbf{x}_{2}$ , will be satisfied by at most three values of $\mathbf{x}_{1}$ , and so there are at most $3(r+1)2^{n-2t}$ values of $(\mathbf{x}_{2}\parallel\mathbf{x}_{1})$ that satisfy both equations 14 and 18.

If $(s_{1}\neq s_{f,1})$ , we use equation 18 to express $\mathbf{x}_{1}$ as a polynomial in $\mathbf{x}_{2}$ , and by substituting it in equation 14, obtain
$v=[-(s_{1}-s_{f,1})^{-3}(s_{r}-s_{f,r})^{3}(\mathbf{x}_{2})^{3(r+1)}]_{{}_{1\cdots t}}+g(\mathbf{x}_{2})$ for some polynomial $g(\mathbf{x}_{2})$ of degree at most $3r+2$ . Therefore, there are at most $3(r+1)2^{n-2t}$ values of $\mathbf{x}_{2}$ that satisfy this equation. From equation 18, for each value of $\mathbf{x}_{2}$ , there is a unique $\mathbf{x}_{1}$ that satisfies the equation.

Therefore, in both cases, there are at most $3(r+1)2^{n-2t}$ values of $(\mathbf{x}_{2}||\mathbf{x}_{1})$ that satisfy both the equation 14 and equation 18.

$(ii)$ From equation 16 and equation 17, we have

	$\displaystyle v-v_{f}=$	$\displaystyle\Big{[}\big{[}(\mathbf{x}_{2}+\mathbf{e}_{2})^{r+3}+{\sum}_{i=1}^{r}s^{\prime}_{i}(\mathbf{x}_{2}+\mathbf{e}_{2})^{i+1}+s_{2}(\mathbf{x}_{2}+\mathbf{e}_{2})\big{]}_{1\cdots t}+(\mathbf{x}_{1}+\mathbf{e}_{1})^{3}+s_{1}(\mathbf{x}_{1}+\mathbf{e}_{1})\Big{]}$
		$\displaystyle-\Big{[}\big{[}(\mathbf{x}_{2})^{r+3}+{\sum}_{i=1}^{r}s^{\prime}_{f,i}(\mathbf{x}_{2})^{i+1}+s_{f,2}\mathbf{x}_{2}\big{]}_{1\cdots t}+(\mathbf{x}_{1})^{3}+s_{f,1}\mathbf{x}_{1}\Big{]}.$		(19)

This is an equation in two indeterminates $\mathbf{x}_{2}$ and $\mathbf{x}_{1}$ of degree at most $(r+2)$ . The equation 17 is also an equation in two indeterminants $\mathbf{x}_{2}$ and $\mathbf{x}_{1}$ of degree at most $(r+3)$ . Since $(v_{f},(s^{\prime}_{f,1},\cdots,s^{\prime}_{f,r}),(s_{f,2},s_{f,1}))\neq(v,(s^{\prime}_{1},\cdots,s^{\prime}_{r}),(s_{2},s_{1}))$ , by Bézout’s theorem [65, 66], recalled in Section H, we have that there are at most $(r+3)(r+2)2^{n-t}/2^{t}=(r+3)(r+2)2^{n-2t}$ values of $(\mathbf{x}^{\prime}_{2}\parallel\mathbf{x}^{\prime}_{1})$ (i.e. $\mathbf{x}^{\prime}$ ) that satisfy both equation 19 and equation 17.

∎

Theorem 5 (Ciphertext integrity (INT- $(1;q_{d})$ -CTXT)).

For an adversary that makes at most one encapsulation query and $q_{d}$ decapsulation queries, the ciphertext integrity defined in Definition 6 is broken with probability at most

\displaystyle q_{d}(r+3)(r+2)2^{n+\ell-t}\max\{\mathbb{E}_{\mathbf{z}\leftarrow\mathbf{Z}}\Big{[}\max_{\mathbf{x}}\sum_{\mathbf{y}^{\prime}:\Pr(\mathbf{x}|\mathbf{y}^{\prime})\geq 2^{-\nu}}P(\mathbf{y}^{\prime}|\mathbf{Z}=\mathbf{z})\Big{]},\mathbb{E}_{\mathbf{z}\leftarrow\mathbf{Z}}\Big{[}\max_{\mathbf{y}}\sum_{\mathbf{x}^{\prime}:\Pr(\mathbf{x}^{\prime}|\mathbf{y})\geq 2^{-\nu}}P(\mathbf{x}^{\prime}|\mathbf{Z}=\mathbf{z})\Big{]}\}

For the above number of queries the iKEM $\mathsf{ikem}_{cca}$ construction 2 establishes a secret key of length

	$\displaystyle\ell$	$\displaystyle\leq$	$\displaystyle t+\min\{-\log(\mathbb{E}_{\mathbf{z}\leftarrow\mathbf{Z}}\Big{[}\max_{\mathbf{x}}\sum_{\mathbf{y}^{\prime}:\Pr(\mathbf{x}\|\mathbf{y}^{\prime})\geq 2^{-\nu}}P(\mathbf{y}^{\prime}\|\mathbf{Z}=\mathbf{z})\Big{]}),-\log(\mathbb{E}_{\mathbf{z}\leftarrow\mathbf{Z}}\Big{[}\max_{\mathbf{y}}\sum_{\mathbf{x}^{\prime}:\Pr(\mathbf{x}^{\prime}\|\mathbf{y})\geq 2^{-\nu}}P(\mathbf{x}^{\prime}\|\mathbf{Z}=\mathbf{z})\Big{]})\}$
			$\displaystyle-n-\log\big{(}\frac{q_{d}(r+3)(r+2)}{\delta}\big{)},$

that is $\delta$ -INT- $(1;q_{d})$ -CTXT secure.

Proof.

The proof uses Lemma 4, 5 and 6. We first provide an outline of the main proof steps, and then expand each step.

Let $P_{Succ}(k,c)$ denote the maximum success probability of the adversary that has access to $(k,c)$ (i.e. response to an encapsulation query) and constructs a forged ciphertext $c_{f}=(v_{f},s^{\prime}_{f},s_{f})$ where $c_{f}\neq c$ . That is, $P_{Succ}(k,c)$ is the highest success probability of constructing $c_{f}$ that is accepted by the decapsulation algorithm Algorithm 6. Let $P_{Succ}$ denote the expected value of $P_{Succ}(k,c)$ over all query responses $(k,c)$ , and $P_{Succ}^{q_{d}}$ denote the expected final success probability with one encapsulation, and $q_{d}$ decapsulation query.

The upper bound on $P_{Succ}^{q_{d}}$ will be obtained in three steps: (1) bounding $P_{Succ}(k,c)$ , (2) bounding $P_{Succ}$ by finding the expectation over the random variables corresponding to the adversary’s information, that is the received response $(k,c)$ , and finally (3) bounding $P_{Succ}^{q_{d}}$ that takes into account the decapsulation queries.

Step 1. Bounding $P_{Succ}(k,c)$ .

The adversary has the key and the ciphertext pair $(k,c)=(k,(v,s^{\prime},s))$ , where $v$ is computed using Alice’s secret key $\mathbf{x}$ and $h(\mathbf{x},(s^{\prime},s))$ given by the equation 5 (section V-E). The ciphertext will be accepted by the decapsulation algorithm ikem.Dec() (Algorithm 6) using Bob’s key $\mathbf{y}$ with probability at least $1-\epsilon$ .

A forged ciphertext $c_{f}=(v_{f},s^{\prime}_{f},s_{f})$ that is accepted by the decapsulation algorithm must pass the test $v\stackrel{{\scriptstyle?}}{{=}}h(\mathbf{x}^{\prime},(s^{\prime},s))$ for a unique $\mathbf{x}^{\prime}\in{\cal R}$ that is found by the decapsulation algorithm using Bob’s key $\mathbf{y}$ . Thus a ciphertext that is accepted by the decapsulation algorithm must be generatable by the generation Algorithm 5 using some (guessed) key. We call ciphertexts that satisfy $v=h(\mathbf{x}^{\prime},s^{\prime},s)$ as well-formed.

We assume the adversary can only make a well-formed $c_{f}$ by using the encapsulation algorithm (Algorithm 5) for a guessed key. That is there is no shortcut algorithm can be used by the adversary to generate a new well-formed ciphertext from other available information. This assumption holds if the encapsulation algorithm is modelled as a random function (random oracle) for the generation of $c$ .

The encapsulation algorithm is deterministic, and so $P_{Succ}(k,c)$ can be obtained by,

1.

Finding $P_{S}$ , the best guessing probability of a key $\mathbf{x}_{f}$ that satisfies $\mathbf{x}_{f}\in{\cal R}$ for Bob’s (unknown) $\mathbf{y}$ . We use Lemma 5, part $(ii)$ , that assumes the best guessing probability is by using one of the two direct guessing strategies outlined in the lemma.
2.

Take into account the number of $\mathbf{x}^{\prime}\neq\mathbf{x}_{f}$ that results in the same $c_{f}=(v_{f},s^{\prime}_{f},s_{f})$ that is constructed using the key $\mathbf{x}_{f}$ . An upper bound on this number, denoted by $L$ , is obtained in Lemma 6.

Step 2. $P_{Succ}$ : Expectation over the adversary’s view. For fixed $(s^{\prime},s)$ , let $K$ , $C$ , $\mathbf{X}$ , $\mathbf{X}_{1}$ , $\mathbf{X}_{2}$ , $V$ be random variables corresponding to $k$ , $c$ , $\mathbf{x}$ , $\mathbf{x}_{1}$ , $\mathbf{x}_{2}$ and $v$ respectively, where the randomness is over $P_{\mathbf{X}\mathbf{Y}\mathbf{Z}}$ . The adversary has $(k,c)$ derived from $\mathbf{x}$ , guesses $\mathbf{x}_{f}$ , and generates the ciphertext $c_{f}=(v_{f},s^{\prime}_{f},s_{f})$ where $v_{f}=h(\mathbf{x}_{f},s^{\prime}_{f},s_{f})$ .

We consider two cases: $(i)$ the adversary’s guess $\mathbf{x}_{f}=\mathbf{x}$ where $\mathbf{x}$ is Alice’s key, and $(ii)$ the adversary’s guessed key $\mathbf{x}_{f}=\mathbf{x}^{\prime}\neq\mathbf{x}$ where $\mathbf{x}^{\prime}\in\mathcal{R}$ for the unknown $\mathbf{y}$ . Let the success probabilities of the adversary in generating a ciphertext $c_{f}$ corresponding to the above two cases be $\delta_{\mathbf{x}}$ and $\delta_{\mathbf{x}^{\prime}}$ respectively. The decapsulation algorithm $\mathsf{ikem.Dec}(\cdot)$ searches for a unique element in $\mathcal{R}$ and so only one of the above two cases will occur, and the success probability of the adversary in generating a $c_{f}$ will be

\displaystyle\mbox{$P_{Succ}$}=\max\{\delta_{\mathbf{x}},\delta_{\mathbf{x}^{\prime}}\}

(20)

where probability is over $P_{\mathbf{X}\mathbf{Y}\mathbf{Z}}$ .

Computing $\delta_{\mathbf{x}}$ . The success probability of forging a ciphertext, given a key and ciphertext pair $(k,c)$ , is:

\displaystyle\mathbb{E}_{(k,c,\mathbf{z})\leftarrow(K,C,\mathbf{Z})}\Big{[}\mathsf{Pr}\big{[}v_{f}=\big{[}(\mathbf{x}_{2})^{r+3}+{\sum}_{i=1}^{r}s^{\prime}_{f,i}(\mathbf{x}_{2})^{i+1}+s_{f,2}\mathbf{x}_{2}\big{]}_{1\cdots t}+(\mathbf{x}_{1})^{3}+s_{f,1}\mathbf{x}_{1}\text{ $|$ }K=k,C=c,\mathbf{Z}=\mathbf{z}\big{]}\Big{]}.

The known ciphertext $c=(v,s^{\prime},s)$ and the forged ciphertext $(v_{f},s^{\prime}_{f},s_{f})$ must satisfy equation 14 and equation 15, respectively, with $(v_{f},s^{\prime}_{f},s_{f})\neq(v,s^{\prime},s)$ . Note that if $(s^{\prime}_{f},s_{f})=(s^{\prime},s)$ , then it must be that $v_{f}\neq v$ and because $h(\mathbf{x},(s^{\prime},s))$ is a single value, $v_{f}\neq h(\mathbf{x},s_{f},s)$ and $\mathsf{ikem.Dec}(\cdot)$ will reject, which is a contradiction. Therefore, we only need to consider the case that $(s^{\prime}_{f},s_{f})\neq(s^{\prime},s)$ .

From Lemma 6 part $(i)$ , the number of $\mathbf{x}=(\mathbf{x}_{2}\parallel\mathbf{x}_{1})$ that satisfy both equation 14 and equation 15 is at most
$3(r+1)2^{n-2t}$ .

Since the adversary is given a key and ciphertext pair $\big{(}k,(v,s^{\prime},s)\big{)}$ , from Lemma 5 part (2) and equation 13, we have that the adversary can guess $(\mathbf{x}_{2}\parallel\mathbf{x}_{1})$ with probability at most

\displaystyle\max\{

\displaystyle\max_{\mathbf{x}}\sum_{\mathbf{y}^{\prime}:\Pr(\mathbf{x}|\mathbf{y}^{\prime})\geq 2^{-\nu}}P(\mathbf{y}^{\prime}|\mathbf{z},v,k),\max_{\mathbf{y}}\sum_{\mathbf{x}^{\prime}:\Pr(\mathbf{x}^{\prime}|\mathbf{y})\geq 2^{-\nu}}P(\mathbf{x}^{\prime}|\mathbf{z},v,k)\},

(21)

where $\mathbf{Z}$ is the attacker’s initial side information. Since $|k|=\ell$ and $|v|=t$ , from Lemma 4, we have

		$\displaystyle\mathbb{E}_{(k,c,\mathbf{z})\leftarrow(K,C,\mathbf{Z})}\Big{[}\max\{\max_{\mathbf{x}}\sum_{\mathbf{y}^{\prime}:\Pr(\mathbf{x}\|\mathbf{y}^{\prime})\geq 2^{-\nu}}P(\mathbf{y}^{\prime}\|\mathbf{Z}=\mathbf{z},V=v,K=k),\max_{\mathbf{y}}\sum_{\mathbf{x}^{\prime}:\Pr(\mathbf{x}^{\prime}\|\mathbf{y})\geq 2^{-\nu}}P(\mathbf{x}^{\prime}\|\mathbf{Z}=\mathbf{z},V=v,K=k)\}\Big{]}$
		$\displaystyle\leq 2^{t+\ell}\mathbb{E}_{\mathbf{z}\leftarrow\mathbf{Z}}\Big{[}\max\{\max_{\mathbf{x}}\sum_{\mathbf{y}^{\prime}:\Pr(\mathbf{x}\|\mathbf{y}^{\prime})\geq 2^{-\nu}}P(\mathbf{y}^{\prime}\|\mathbf{Z}=\mathbf{z}),\max_{\mathbf{y}}\sum_{\mathbf{x}^{\prime}:\Pr(\mathbf{x}^{\prime}\|\mathbf{y})\geq 2^{-\nu}}P(\mathbf{x}^{\prime}\|\mathbf{Z}=\mathbf{z})\}\Big{]}.$		(22)

Therefore,

$\displaystyle\delta_{\mathbf{x}}$	$\displaystyle=\text{ Success probability of the adversary with }(v_{f},s^{\prime}_{f},s_{f}),\text{ when verified with $\mathbf{x}$, given the pair $(k,(v,s^{\prime},s))$ }$
	$\displaystyle=\mathbb{E}_{(k,c,\mathbf{z})\leftarrow(K,C,\mathbf{Z})}\Big{[}\mathsf{Pr}\big{[}v_{f}=\big{[}(\mathbf{x}_{2})^{r+3}+{\sum}_{i=1}^{r}s^{\prime}_{f,i}(\mathbf{x}_{2})^{i+1}+s_{f,2}\mathbf{x}_{2}\big{]}_{1\cdots t}+(\mathbf{x}_{1})^{3}+s_{f,1}\mathbf{x}_{1}\text{ $\|$ }K=k,C=c,\mathbf{Z}=\mathbf{z}\big{]}\Big{]}$
	$\displaystyle=\mathbb{E}_{(k,c,\mathbf{z})\leftarrow(K,C,\mathbf{Z})}\Big{[}\mathsf{Pr}\big{[}v_{f}=\big{[}(\mathbf{x}_{2})^{r+3}+{\sum}_{i=1}^{r}s^{\prime}_{f,i}(\mathbf{x}_{2})^{i+1}+s_{f,2}\mathbf{x}_{2}\big{]}_{1\cdots t}+(\mathbf{x}_{1})^{3}+s_{f,1}\mathbf{x}_{1}$
	$\displaystyle\qquad\qquad\qquad\qquad\qquad\wedge v=\big{[}(\mathbf{x}_{2})^{r+3}+{\sum}_{i=1}^{r}s^{\prime}_{i}(\mathbf{x}_{2})^{i+1}+s_{2}\mathbf{x}_{2}\big{]}_{1\cdots t}+(\mathbf{x}_{1})^{3}+s_{1}\mathbf{x}_{1}\text{ $\|$ }K=k,C=c,\mathbf{Z}=\mathbf{z}\big{]}\Big{]}$	(23)
	$\displaystyle=\mathbb{E}_{(k,c,\mathbf{z})\leftarrow(K,C,\mathbf{Z})}\Big{[}\mathsf{Pr}\Big{[}v-v_{f}=\big{[}{\sum}_{i=1}^{r}(s^{\prime}_{i}-s^{\prime}_{f,i})(\mathbf{x}_{2})^{i+1}+(s_{2}-s_{f,2})\mathbf{x}_{2}\big{]}_{1\cdots t}+(s_{1}-s_{f,1})\mathbf{x}_{1}$
	$\displaystyle\qquad\qquad\qquad\qquad\qquad\wedge v=\big{[}(\mathbf{x}_{2})^{r+3}+{\sum}_{i=1}^{r}s^{\prime}_{i}(\mathbf{x}_{2})^{i+1}+s_{2}\mathbf{x}_{2}\big{]}_{1\cdots t}+(\mathbf{x}_{1})^{3}+s_{1}\mathbf{x}_{1}\text{ $\|$ }K=k,C=c,\mathbf{Z}=\mathbf{z}\Big{]}\Big{]}$	(24)
	$\displaystyle\leq\mathbb{E}_{(k,c,\mathbf{z})\leftarrow(K,C,\mathbf{Z})}\big{[}3(r+1)2^{n-2t}\cdot\max\{\max_{\mathbf{x}}\sum_{\mathbf{y}^{\prime}:\Pr(\mathbf{x}\|\mathbf{y}^{\prime})\geq 2^{-\nu}}P(\mathbf{y}^{\prime}\|\mathbf{Z}=\mathbf{z},v,k),\max_{\mathbf{y}}\sum_{\mathbf{x}^{\prime}:\Pr(\mathbf{x}^{\prime}\|\mathbf{y})\geq 2^{-\nu}}P(\mathbf{x}^{\prime}\|\mathbf{Z}=\mathbf{z},v,k)\}\big{]}$	(25)
	$\displaystyle\leq 3(r+1)2^{n-2t}2^{t+\ell}\mathbb{E}_{\mathbf{z}\leftarrow\mathbf{Z}}\Big{[}\max\{\max_{\mathbf{x}}\sum_{\mathbf{y}^{\prime}:\Pr(\mathbf{x}\|\mathbf{y}^{\prime})\geq 2^{-\nu}}P(\mathbf{y}^{\prime}\|\mathbf{Z}=\mathbf{z}),\max_{\mathbf{y}}\sum_{\mathbf{x}^{\prime}:\Pr(\mathbf{x}^{\prime}\|\mathbf{y})\geq 2^{-\nu}}P(\mathbf{x}^{\prime}\|\mathbf{Z}=\mathbf{z})\}\Big{]}$	(26)
	$\displaystyle=3(r+1)2^{n+\ell-t}\mathbb{E}_{\mathbf{z}\leftarrow\mathbf{Z}}\Big{[}\max\{\max_{\mathbf{x}}\sum_{\mathbf{y}^{\prime}:\Pr(\mathbf{x}\|\mathbf{y}^{\prime})\geq 2^{-\nu}}P(\mathbf{y}^{\prime}\|\mathbf{Z}=\mathbf{z}),\max_{\mathbf{y}}\sum_{\mathbf{x}^{\prime}:\Pr(\mathbf{x}^{\prime}\|\mathbf{y})\geq 2^{-\nu}}P(\mathbf{x}^{\prime}\|\mathbf{Z}=\mathbf{z})\}\Big{]}$	(27)

where equation 24 is obtained from subtracting the two equations within the probability expression in equation 23; equation 25 follows from equation 21; equation 26 follows from equation 22. The expectation is taken over the distribution of $P_{\mathbf{X}|K=k,C=c,\mathbf{Z}=\mathbf{z}}$ .

Computing $\delta_{\mathbf{x}^{\prime}}$ .

Let $\mathbf{x}_{f}=\mathbf{x}^{\prime}\neq\mathbf{x}$ . The forged ciphertext $(v_{f},s^{\prime}_{f},s_{f})$ will be,

	$\displaystyle v_{f}$	$\displaystyle=$	$\displaystyle h\big{(}\mathbf{x}^{\prime},(s^{\prime}_{f},s_{f})\big{)}$		(28)
		$\displaystyle=$	$\displaystyle\big{[}(\mathbf{x}^{\prime}_{2})^{r+3}+{\sum}_{i=1}^{r}s^{\prime}_{f,i}(\mathbf{x}^{\prime}_{2})^{i+1}+s_{f,2}\mathbf{x}^{\prime}_{2}\big{]}_{1\cdots t}+(\mathbf{x}^{\prime}_{1})^{3}+s_{f,1}\mathbf{x}^{\prime}_{1}$		(28)

, where $(v_{f},s^{\prime}_{f},s_{f})\neq(v,s^{\prime},s)$ , and all other variables are defined as in Lemma 6 and equation 5.

Let $(k,c)=(k,(v,s^{\prime},s)$ is constructed using $\mathbf{x}$ . We can write $\mathbf{x}=\mathbf{x}^{\prime}+\mathbf{e}$ for some (unknown) vector $\mathbf{e}=(\mathbf{e}_{2}\parallel\mathbf{e}_{1})\in GF(2^{n})$ and $(\mathbf{x}_{2}\parallel\mathbf{x}_{1})=((\mathbf{x}^{\prime}_{2}+\mathbf{e}_{2})\parallel(\mathbf{x}^{\prime}_{1}+\mathbf{e}_{1}))$ . Replacing $\mathbf{x}_{2}$ and $\mathbf{x}_{1}$ with $(\mathbf{x}^{\prime}_{2}+\mathbf{e}_{2})$ and $(\mathbf{x}^{\prime}_{1}+\mathbf{e}_{1})$ , respectively in equation 5, we obtain

\displaystyle v

\displaystyle=\big{[}(\mathbf{x}^{\prime}_{2}+\mathbf{e}_{2})^{r+3}+{\sum}_{i=1}^{r}s^{\prime}_{i}(\mathbf{x}^{\prime}_{2}+\mathbf{e}_{2})^{i+1}+s_{2}(\mathbf{x}^{\prime}_{2}+\mathbf{e}_{2})\big{]}_{1\cdots t}+(\mathbf{x}^{\prime}_{1}+\mathbf{e}_{1})^{3}+s_{1}(\mathbf{x}^{\prime}_{1}+\mathbf{e}_{1})

(29)

From Lemma 6 part $(ii)$ , the number of $(\mathbf{x}^{\prime}_{2}\parallel\mathbf{x}^{\prime}_{1})$ (i.e. $\mathbf{x}^{\prime}$ ) that satisfy both the equation 29 and equation 28 is at most $(r+3)(r+2)2^{n-2t}$ .

Let $\mathbf{X}^{\prime}_{1}$ , $\mathbf{X}^{\prime}_{2}$ and $\mathbf{X}^{\prime}$ denote the random variables corresponding to $\mathbf{x}^{\prime}_{1}$ , $\mathbf{x}^{\prime}_{2}$ and $\mathbf{x}^{\prime}$ respectively.

Define $h_{1}(\mathbf{x}_{2},s^{\prime},s)=(\mathbf{x}_{2})^{r+3}+{\sum}_{i=1}^{r}s^{\prime}_{i}(\mathbf{x}_{2})^{i+1}+s_{2}\mathbf{x}_{2}$ .

$\displaystyle\delta_{\mathbf{x}^{\prime}}$	$\displaystyle=$	$\displaystyle\text{ $P_{Succ}(k,c)$~{} with }(v_{f},s^{\prime}_{f},s_{f})\text{ corresponding to }\mathbf{x}^{\prime}$	(30)
	$\displaystyle=$	$\displaystyle\mathbb{E}_{(k,c,\mathbf{z})\leftarrow(K,C,\mathbf{Z})}\Big{[}\Pr\big{[}v_{f}=\big{[}(\mathbf{x}^{\prime}_{2})^{r+3}+{\sum}_{i=1}^{r}s^{\prime}_{f,i}(\mathbf{x}^{\prime}_{2})^{i+1}+s_{f,2}\mathbf{x}^{\prime}_{2}\big{]}_{1\cdots t}+(\mathbf{x}^{\prime}_{1})^{3}+s_{f,1}\mathbf{x}^{\prime}_{1}\|K=k,C=c,\mathbf{Z}=\mathbf{z}\big{]}\Big{]}$
	$\displaystyle=$	$\displaystyle\mathbb{E}_{(k,c,\mathbf{z})\leftarrow(K,C,\mathbf{Z})}\Big{[}\mathsf{Pr}\big{[}v_{f}=\big{[}h_{1}(\mathbf{x}^{\prime}_{2},s^{\prime}_{f},s_{f})\big{]}_{1\cdots t}+(\mathbf{x}^{\prime}_{1})^{3}+s_{f,1}\mathbf{x}^{\prime}_{1}\wedge$
		$\displaystyle\qquad\qquad\qquad\qquad\quad v=\big{[}h_{1}(\mathbf{x}_{2},s^{\prime},s)\big{]}_{1\cdots t}+(\mathbf{x}_{1})^{3}+s_{1}\mathbf{x}_{1}\|K=k,C=c,\mathbf{Z}=\mathbf{z}\big{]}\Big{]}$
	$\displaystyle\leq$	$\displaystyle\mathbb{E}_{(k,c,\mathbf{z})\leftarrow(K,C,\mathbf{Z})}\big{[}(r+3)(r+2)2^{n-2t}\max\{\max_{\mathbf{x}}\sum_{\mathbf{y}^{\prime}:\Pr(\mathbf{x}\|\mathbf{y}^{\prime})\geq 2^{-\nu}}P(\mathbf{y}^{\prime}\|\mathbf{Z}=\mathbf{z},V=v,K=k),$
		$\displaystyle\qquad\qquad\qquad\qquad\quad\qquad\qquad\qquad\qquad\quad\max_{\mathbf{y}}\sum_{\mathbf{x}^{\prime}:\Pr(\mathbf{x}^{\prime}\|\mathbf{y})\geq 2^{-\nu}}P(\mathbf{x}^{\prime}\|\mathbf{Z}=\mathbf{z},V=v,K=k)\}\big{]}$
	$\displaystyle\leq$	$\displaystyle(r+3)(r+2)2^{n-2t}2^{t+\ell}\mathbb{E}_{\mathbf{z}\leftarrow\mathbf{Z}}\Big{[}\max\{\max_{\mathbf{x}}\sum_{\mathbf{y}^{\prime}:\Pr(\mathbf{x}\|\mathbf{y}^{\prime})\geq 2^{-\nu}}P(\mathbf{y}^{\prime}\|\mathbf{Z}=\mathbf{z}),\max_{\mathbf{y}}\sum_{\mathbf{x}^{\prime}:\Pr(\mathbf{x}^{\prime}\|\mathbf{y})\geq 2^{-\nu}}P(\mathbf{x}^{\prime}\|\mathbf{Z}=\mathbf{z})\}\Big{]}$	(31)
	$\displaystyle=$	$\displaystyle(r+3)(r+2)2^{n+\ell-t}\mathbb{E}_{\mathbf{z}\leftarrow\mathbf{Z}}\Big{[}\max\{\max_{\mathbf{x}}\sum_{\mathbf{y}^{\prime}:\Pr(\mathbf{x}\|\mathbf{y}^{\prime})\geq 2^{-\nu}}P(\mathbf{y}^{\prime}\|\mathbf{Z}=\mathbf{z}),\max_{\mathbf{y}}\sum_{\mathbf{x}^{\prime}:\Pr(\mathbf{x}^{\prime}\|\mathbf{y})\geq 2^{-\nu}}P(\mathbf{x}^{\prime}\|\mathbf{Z}=\mathbf{z})\}\Big{]}$	(32)

where equation 30 follows from Lemma 5 part (2) and equation 13 since the adversary is given a key and ciphertext pair $\big{(}k,(v,s^{\prime},s)\big{)}$ ; equation 31 follows from Lemma 4.

Therefore, from equations 20, 27 and 32, we have that after one encapsulation query, the probability that an adversary will be able to forge a ciphertext is at most

\displaystyle(r+3)(r+2)2^{n+\ell-t}\mathbb{E}_{\mathbf{z}\leftarrow\mathbf{Z}}\Big{[}\max\{\max_{\mathbf{x}}\sum_{\mathbf{y}^{\prime}:\Pr(\mathbf{x}|\mathbf{y}^{\prime})\geq 2^{-\nu}}P(\mathbf{y}^{\prime}|\mathbf{Z}=\mathbf{z}),\max_{\mathbf{y}}\sum_{\mathbf{x}^{\prime}:\Pr(\mathbf{x}^{\prime}|\mathbf{y})\geq 2^{-\nu}}P(\mathbf{x}^{\prime}|\mathbf{Z}=\mathbf{z})\}\Big{]}.

Step 3: $P_{Succ}^{q_{d}}$ : Including decapsulation queries. For each decapsulation query, the adversary receives either a key, if the forged ciphertext is accepted by the decapsulation algorithm, and or $\perp$ , otherwise. The adversary succeeds with the first query that is successful. After $q_{d}$ unsuccessful decapsulation queries, the size of the set of possible guesses will reduce by $\log(q_{d})$ . Thus, after one encapsulation query and $q_{d}$ decapsulation queries, $P_{Succ}$ is bounded by

$P_{Succ}$	$\displaystyle\leq$	$\displaystyle 2^{\log(q_{d})}(r+3)(r+2)2^{n+\ell-t}\mathbb{E}_{\mathbf{z}\leftarrow\mathbf{Z}}\Big{[}\max\{\max_{\mathbf{x}}\sum_{\mathbf{y}^{\prime}:\Pr(\mathbf{x}\|\mathbf{y}^{\prime})\geq 2^{-\nu}}P(\mathbf{y}^{\prime}\|\mathbf{Z}=\mathbf{z}),\max_{\mathbf{y}}\sum_{\mathbf{x}^{\prime}:\Pr(\mathbf{x}^{\prime}\|\mathbf{y})\geq 2^{-\nu}}P(\mathbf{x}^{\prime}\|\mathbf{Z}=\mathbf{z})\}\Big{]}$
	$\displaystyle=$	$\displaystyle q_{d}(r+3)(r+2)2^{n+\ell-t}\max\{\mathbb{E}_{\mathbf{z}\leftarrow\mathbf{Z}}\Big{[}\max_{\mathbf{x}}\sum_{\mathbf{y}^{\prime}:\Pr(\mathbf{x}\|\mathbf{y}^{\prime})\geq 2^{-\nu}}P(\mathbf{y}^{\prime}\|\mathbf{Z}=\mathbf{z})\Big{]},$
		$\displaystyle\qquad\qquad\qquad\qquad\qquad\qquad\quad\mathbb{E}_{\mathbf{z}\leftarrow\mathbf{Z}}\Big{[}\max_{\mathbf{y}}\sum_{\mathbf{x}^{\prime}:\Pr(\mathbf{x}^{\prime}\|\mathbf{y})\geq 2^{-\nu}}P(\mathbf{x}^{\prime}\|\mathbf{Z}=\mathbf{z})\Big{]}\}\leq\delta.$

Therefore, if

	$\displaystyle\ell\leq t+\min\{-\log(\mathbb{E}_{\mathbf{z}\leftarrow\mathbf{Z}}\Big{[}\max_{\mathbf{x}}\sum_{\mathbf{y}^{\prime}:\Pr(\mathbf{x}\|\mathbf{y}^{\prime})\geq 2^{-\nu}}P(\mathbf{y}^{\prime}\|\mathbf{Z}=\mathbf{z})\Big{]}),-\log(\mathbb{E}_{\mathbf{z}\leftarrow\mathbf{Z}}\Big{[}\max_{\mathbf{y}}\sum_{\mathbf{x}^{\prime}:\Pr(\mathbf{x}^{\prime}\|\mathbf{y})\geq 2^{-\nu}}P(\mathbf{x}^{\prime}\|\mathbf{Z}=\mathbf{z})\Big{]})\}$
	$\displaystyle\quad-n-\log\big{(}\frac{q_{d}(r+3)(r+2)}{\delta}\big{)},$

the iKEM $\mathsf{ikem}_{cca}$ given in construction 2 is $\delta$ -INT- $(1;q_{d})$ -CTXT secure. ∎

Corollary 1 (CCA security).

The iKEM construction 2 is an IND- $(0;q_{d})$ -CCA secure iKEM.

Proof.

According to Theorems 4 and 5 the iKEM construction 2 is both IND- $q_{e}$ -CEA secure with $q_{e}$ encapsulation queries, and INT- $(1;q_{d})$ -CTXT secure with one encapsulation and $q_{d}$ decapsulation queries. Then according to Theorems 1, the iKEM is also IND- $(0;q_{d})$ -CCA secure with $q_{d}$ decapsulation queries and zero encapsulation query. Therefore, if the parameters $\ell$ , $t$ and $\nu$ are chosen to satisfy both Theorems 4 and 5, then the iKEM construction 2 is also IND- $(0;q_{d})$ -CCA secure. ∎

VI KEM combiners for iKEM

Cryptographic combiners provide robustness for cryptographic schemes against possible flaws or security breaks of the component schemes. Combiners for KEM were introduced by Giacon et al. [30] who defined a framework for combining two or more public-key KEMs. Our goal in this section is to extend their framework to allow pKEMs to be combined with public key KEMs. This is well-motivated because iKEMs are post-quantum secure and so a much wider set of KEMs with post-quantum security becomes available to the system designers.

In this section, we first define combiners for combining pKEMs (i.e. in correlated randomness model) with a public-key KEM, and then give constructions and prove their security. We focus on combiners for iKEM and public key KEMs because of subtleties of combining security of two tyoes of schemes: security against computationally unbounded and computationally bounded adversaries.

Combiners. Using the framework of Giacon et al. [30], for security parameter $\lambda$ , we define a core function for combining an iKEM $\mathsf{ikem}=(\mathsf{ikem.Gen},\mathsf{ikem.Enc},\mathsf{ikem.Dec})$ with correlation generating distribution $P_{\mathbf{X}\mathbf{Y}\mathbf{Z}}$ , output key space $\mathsf{KeySP}_{\mathsf{ikem}}(\lambda)=\mathcal{K}_{1}$ , and ciphertext space ${\cal C}_{1}$ , with a public-key KEM $\mathsf{kem}=(\mathsf{kem}.\mathsf{Gen},\mathsf{kem}.\mathsf{Enc},\mathsf{kem}.\mathsf{Dec})$ with public-key space ${\cal PK}$ , output key space $\mathsf{KeySP}_{\mathsf{kem}}(\lambda)=\mathcal{K}_{2}$ , and ciphertext space $\mathcal{C}_{2}$ . The combiner
$\mathsf{Comb}_{\mathsf{ikem},\mathsf{kem}}=(\mathsf{Comb.Gen},\mathsf{Comb.Enc},\mathsf{Comb.Dec})$ is a KEM with three algorithms $\mathsf{Comb.Gen}$ ; $\mathsf{Comb.Enc}$ ; and $\mathsf{Comb.Dec}$ for key generation, encapsulation and decapsulation, respectively, that uses a core function, $\mathsf{W}:\mathcal{K}_{1}\times\mathcal{K}_{2}\times\mathcal{C}_{1}\times\mathcal{C}_{2}\to\mathcal{K}^{*}$ , to generate a session key in the key space $\mathcal{K}^{*}$ , using the algorithms defined in Figure. 6.

$\mathbf{Algo}\ \mathsf{Comb.Gen}({1^{\lambda}},P_{\mathbf{X}\mathbf{Y}\mathbf{Z}})$	$\mathbf{Algo}\ \mathsf{Comb.Enc}(r_{A},pk)$
$(r_{A},r_{B},r_{E})\stackrel{{\scriptstyle\$}}{{\leftarrow}}\mathsf{ikem.Gen}(1^{\lambda},{P_{\mathbf{X}\mathbf{Y}\mathbf{Z}}})$	$(c_{1},k_{1})\stackrel{{\scriptstyle\$}}{{\leftarrow}}\mathsf{ikem.Enc}(r_{A})$
$(pk,sk)\stackrel{{\scriptstyle\$}}{{\leftarrow}}\mathsf{kem.Gen}(1^{\lambda})$	$(c_{2},k_{2})\stackrel{{\scriptstyle\$}}{{\leftarrow}}\mathsf{kem.Enc}({pk})$
Return $(r_{A},r_{B},r_{E},{pk},{sk})$	${k}\leftarrow\mathsf{W}(k_{1},k_{2},c_{1},c_{2})$
	Return $(k,c_{1},c_{2})$

$\mathbf{Algo}\ \mathsf{Comb.Dec}(r_{B},sk,c_{1},c_{2})$
$k_{1}\leftarrow\mathsf{ikem.Dec}(r_{B},c_{1})$
$k_{2}\leftarrow\mathsf{kem.Dec}({sk},c_{2})$
$\quad\text{If }k_{1}=\perp\vee\ k_{2}=\perp:{\text{Return}\perp}$
${k}\leftarrow\mathsf{W}(k_{1},k_{2},c_{1},c_{2})$
Return $k$

Figure 6: Combining an iKEM with a public-key KEM

One can also define combiners for other combinations of component KEMs, i.e. two iKEMs , two cKEMs, an iKEM and a cKEM, and a cKEM and public key KEM, with private samples $(r_{A},r_{B},r_{E}$ ) that generates a pair $(c_{1},k_{1})$ where key $k_{1}\in\{0,1\}^{\mathsf{ikem.Len}(\lambda)}$ and ciphertext $c_{1}\in\mathcal{C}_{1}$ , and let KEM $\mathsf{K}$ be a public-key with public and private key pair $(pk,sk)$ that generates

Construction 3 (XOR combiner.).

Let $\mathsf{ikem}$ be an iKEM with with private samples $(r_{A},r_{B},r_{E})$ , and $\mathsf{kem}$ be a public-key KEM with public and private key pair $(pk,sk)$ that generate keys $k_{1}\in\{0,1\}^{\mathsf{ikem.Len}(\lambda)}$ and $k_{2}\in\{0,1\}^{\mathsf{kem.Len}(\lambda)}$ , respectively, and let $\{0,1\}^{\mathsf{ikem.Len}(\lambda)}=\{0,1\}^{\mathsf{kem.Len}(\lambda)}=\{0,1\}^{\ell(\lambda)}$ . The combiner $\mathsf{Comb}_{\mathsf{ikem},\mathsf{kem}}^{\oplus}$ with an XOR core function $\mathsf{W}$ , outputs $k=\mathsf{W}(k_{1},k_{2})=k_{1}\oplus k_{2}$ when none of $k_{i}$ ’s for $i\in\{1,2\},$ is $\perp$ , and outputs $\perp$ otherwise.

The following theorem shows that for a given $q_{e}\geq 0$ , the XOR combiner retains the IND- $q_{e}$ -CEA security of the component iKEM. The proof is given in Appendix C.

Theorem 6.

For security parameter $\lambda$ , let $\mathsf{ikem}=(\mathsf{ikem.Gen},\mathsf{ikem.Enc},\mathsf{ikem.Dec})$ be an IND- $q_{e}$ -CEA secure iKEM that generates $k_{1}\in\{0,1\}^{\ell(\lambda)}$ , and $\mathsf{kem}=(\mathsf{kem.Gen},\mathsf{kem.Enc},\mathsf{kem.Dec})$ be a public-key KEM with the same security parameter that generates $k_{2}\in\{0,1\}^{\ell(\lambda)}$ of the same length. Consider a combiner KEM $\mathsf{Comb}^{\oplus}_{\mathsf{ikem},\mathsf{kem}}$ using the XOR core function that combines $\mathsf{ikem}$ and $\mathsf{kem}$ , and generates the key $k=k_{1}\oplus k_{2}$ . For a computationally unbounded adversary $\mathsf{D}$ , there exists a computationally unbounded adversary $\mathsf{D}^{\prime}$ , such that

Adv^{pkind\text{-}q_{e}\text{-}cea}_{\mathsf{Comb}_{\mathsf{ikem},\mathsf{kem}}^{\oplus},\mathsf{D}}(\lambda)\leq Adv^{pkind\text{-}q_{e}\text{-}cea}_{\mathsf{ikem},\mathsf{D}^{\prime}}(\lambda).

In the above theorem, computational security of $\mathsf{Comb}^{\oplus}_{\mathsf{ikem},\mathsf{kem}}$ follows [30, Lemma 1] as an iKEM can be seen as an insecure KEM for polynomial number of queries.

CCA security. The XOR combiner cannot retain the IND- $(q_{e};q_{d})$ -CCA security of the component iKEM (with similar reasoning as [30, Lemma 2]).

We show the PRF-then-XOR core function in [30] can be used to combine an iKEM with a public-key KEM such that, in addition to resulting in a secure public-key KEM, if the PRF output is indistinguishable from uniform by a computationally unbounded and query-bounded adversary, the resulting KEM will be an IND- $(q_{e};q_{d})$ -CCA secure iKEM.

Definition 8 (PRF and its security).

Let $\lambda$ be a security parameter. We use $\lambda$ as an argument for values to make dependence on $\lambda$ as a parameter, explicit. A family of functions $\mathsf{F}:\mathcal{K}\times\mathcal{X}\to\mathcal{Y}$ , where $\mathcal{K}$ , $\mathcal{X}$ and $\mathcal{Y}$ , respectively, are finite sets corresponding to key, input and outputs, is a secure PRF, if the advantage of an adversary in the distinguishing game of PRF, defined in Figure. 7, satisfies the following:

(i)

Computationally secure PRF: For any computationally bounded adversary $\mathsf{B}$ with access to $q(\lambda)$ queries, where $q$ is a polynomial, the advantage of the adversary defined as, $Adv^{PRF}_{\mathsf{F},\mathsf{B}}(\lambda)\triangleq|\Pr[\mathrm{PRI}^{0}_{\mathsf{F},\mathsf{B}}(\lambda)=1]-\Pr[\mathrm{PRI}^{1}_{\mathsf{F},\mathsf{B}}(\lambda)=1]|$ , is a negligible function of $\lambda$ .
(ii)

Information theoretic PRF: For any computationally unbounded adversary $\mathsf{U}$ with access to $q(\lambda)$ queries, where $q$ is a pre-defined polynomial in $\lambda$ , the advantage of the adversary defined as,
$Adv^{q\text{-}PRF}_{\mathsf{F},\mathsf{U}}(\lambda)\triangleq|\Pr[\mathrm{PRI}^{q\text{-}IND\text{-}0}_{\mathsf{F},\mathsf{U}}(\lambda)=1]-\Pr[\mathrm{PRI}^{q\text{-}IND\text{-}1}_{\mathsf{F},\mathsf{U}}(\lambda)=1]|$ , is a small function $\sigma(\cdot)$ of $\lambda$ i.e. $\sigma(\cdot)\in SMALL$ .

The games $\mathrm{PRI}_{\mathsf{F},\mathsf{B}}^{b}$ (or the games $\mathrm{PRI}^{q\text{-}IND\text{-}b}_{\mathsf{F},\mathsf{U}}$ ) are chosen using a uniformly random bit $b\in\{0,1\}$ .

PRF distinguishing game. The PRF distinguishing game for a function family $\mathsf{F}:\mathcal{K}\times\mathcal{X}\to\mathcal{Y}$ where $\mathcal{K}$ , $\mathcal{X}$ and $\mathcal{Y}$ , respectively, are finite sets corresponding to key, input and output, is defined in Figure 7.

Game $\mathrm{PRI}^{b}_{\mathsf{F},\mathsf{D}}(\lambda)$ Oracle $\mathsf{Eval}(x)$

\mathcal{X}\leftarrow\emptyset

k\stackrel{{\scriptstyle\$}}{{\leftarrow}}\mathcal{K}

b^{\prime}\stackrel{{\scriptstyle\$}}{{\leftarrow}}\mathsf{D}_{2}^{\mathsf{Eval}}

4:Return

b^{\prime}

1:If

x\in\mathcal{X}

: Abort

\mathcal{X}=\mathcal{X}\cup\{x\}

y\leftarrow\mathsf{F}(k,x)

y_{0}\leftarrow y;y_{1}\stackrel{{\scriptstyle\$}}{{\leftarrow}}\mathcal{Y}

5:Return

y_{b}

Figure 7: PRF distinguishing game

Construction 4 (PRF-then-XOR combiner.).

Let $\lambda$ be the security parameter. Consider an iKEM $\mathsf{ikem}$ with private samples $(r_{A},r_{B},r_{E})$ that generates a pair $(c_{1},k_{1})$ where key $k_{1}\in\{0,1\}^{\mathsf{ikem.Len}(\lambda)}$ and ciphertext $c_{1}\in\mathcal{C}_{1}$ , and let KEM $\mathsf{K}$ be a public-key with public and private key pair $(pk,sk)$ that generates a pair $(c_{2},k_{2})$ where key $k_{2}\in\{0,1\}^{\mathsf{kem.Len}(\lambda)}$ and ciphertext $c_{2}\in\mathcal{C}_{2}$ . Further, let $\mathsf{F}_{1}:\mathcal{\{}0,1\}^{\mathsf{ikem.Len}(\lambda)}\times\mathcal{C}_{2}\to\mathcal{K}$ and $\mathsf{F}_{2}:\{0,1\}^{\mathsf{kem.Len}(\lambda)}\times\mathcal{C}_{1}\to\mathcal{K}$ be two PRFs with information theoretic and computational security, respectively.

The combiner $\mathsf{Comb}_{\mathsf{ikem},\mathsf{kem}}^{\mathrm{PtX}}$ with the core function PRF-then-XOR outputs $\mathsf{W}(k_{1},k_{2},c_{1},c_{2})=\mathsf{F}_{1}(k_{1},c_{2})\oplus\mathsf{F}_{2}(k_{2},c_{1})$ when neither $k_{1}$ nor $k_{2}$ is $\perp$ , and outputs $\perp$ otherwise.

Theorem 7.

In Construction 4, let $\mathsf{ikem}$ and $\mathsf{kem}$ be an IND- $(q_{e};q_{d})$ -CCA secure iKEM and an IND-CCA secure KEM, respectively, and let $\mathsf{F}_{1}(\cdot)$ and $\mathsf{F}_{2}(\cdot)$ be two PRFs, with security against a computationally unbounded adversary with $(q_{d}+1)$ queries, and a computationally bounded adversary with polynomial number of queries, respectively. Then for any

(a) computationally bounded distinguisher $\mathsf{B}$ , there exists computationally bounded adversaries $\mathsf{B}_{1}$ and $\mathsf{B}_{2}$ for games $\mathrm{pKIND}^{cca}_{\mathsf{kem}}$ and $\mathrm{PRI}^{b}_{\mathsf{F}_{2}}$ , respectively, such that,

Adv^{kind\text{-}cca}_{\mathsf{Comb}^{\mathrm{PtX}}_{\mathsf{ikem},\mathsf{kem}},\mathsf{D}}(\lambda)\leq 2\Big{(}Adv^{kind\text{-}cca}_{\mathsf{kem},\mathsf{B}_{1}}(\lambda)+Adv^{PRF}_{\mathsf{F}_{2},\mathsf{B}_{2}}(\lambda)\Big{)},

(33)

(b) computationally unbounded distinguisher $\mathsf{D}^{\prime}$ , there exists a computationally unbounded adversaries $\mathsf{U}_{1}$ and $\mathsf{U}_{2}$ for games $\mathrm{pKIND}^{(q_{e};q_{d})\text{-}cca}_{\mathsf{ikem}}$ and $\mathrm{PRI}^{(q_{d}+1)\text{-}IND\text{-}b}_{\mathsf{F}_{1}}$ , respectively, such that

\displaystyle Adv^{pkind\text{-}(q_{e};q_{d})\text{-}cca}_{\mathsf{Comb}^{\mathrm{PtX}}_{\mathsf{ikem},\mathsf{kem}},\mathsf{D}^{\prime}}(\lambda)\leq 2\Big{(}Adv^{pkind\text{-}(q_{e};q_{d})\text{-}cca}_{\mathsf{ikem},\mathsf{U}_{1}}(\lambda)+Adv^{(q_{d}+1)\text{-}PRF}_{\mathsf{F}_{1},\mathsf{U}_{2}}(\lambda)\Big{)}.

Proof sketch. The proof for a computationally bounded adversary will follow the approach of Theorem 3 in [30], noting that the iKEM will loose its security when the number of queries exceed the design parameter of iKEM after repeated queries. The proof for a computationally unbounded adversary is given in Appendix D. ∎

Instantiating PRF for construction 4. To construct a PRF with security against a computationally unbounded adversary with access to $(q_{d}+1)$ -queries, we can use a $(q_{d}+2)$ -independent hash function. An example construction using polynomials over finite fields is given in [67, Section 4.1].

The drawback of this PRF however is its large key size. We leave more efficient constructions of information-theoretic PRF $\mathsf{F}_{1}(\cdot)$ for the required number of queries for future work.

Note that security of PRF $\mathsf{F}_{1}(\cdot)$ in the combiner construction 4 against computationally unbounded adversaries, does not depend on the number of encapsulation queries to the combiner. Intuitively, this is because in each encapsulation query to combiner, the component iKEM generates a fresh uniform and independent key which is used as the secret key in PRF $\mathsf{F}_{1}(\cdot)$ , and so the output of PRF $\mathsf{F}_{1}(\cdot)$ is independent of previous encapsulation and decapsulation queries.

VI-A Composing a “combined” KEM with a DEM

Security requirements of DEM in Theorem 2 is identical to Cramer et. al’s [1, Theorem 7.2] and so the same DEM can be used for secure hybrid encryption for information theoretically secure KEM and public key KEM. The KEM combiner’s output will be used with a secure DEM (example construction is given in [1]), and depending on the security of the component KEM, will result in a secure hybrid encryption with one of the following security properties:

(i)

If the component KEM is a secure iKEM with IND- $q_{e}$ -CEA (IND- $(q_{e};q_{d})$ -CCA) security, the combiner’s output key will be secure against computationally unbounded attackers, and the resulting hybrid encryption provides security according to Theorem 2, cases (3) and (4).
(ii)

If an IND-CEA (IND-CCA) cKEM is used as a component in the preprocessing model, the combiner’s output will be secure against computationally bounded adversary, and the resulting hybrid encryption will be secure according to Theorem 2, cases (1) and (2).
(iii)

If the public-key KEM is secure, the resulting hybrid encryption provides security according to [1, Theorem 7.2].

VII Concluding remarks.

KEM/DEM in the preprocessing model is a natural and useful extension of KEM/DEM paradigm that does not require public keys and so computational assumptions. The paradigm is defined for information theoretic and computational security. That is each of the two components KEM and DEM, and the final HE, may be defined against a computationally unbounded or bounded adversaries. We prove a general composition theorem for KEM and DEM when security of KEM is against a computationally unbounded or bounded adversary, and security of DEM is against a computationally bounded adversary. We focused on these combinations of adversaries to obtain a key efficient HE. Defining DEM with information theoretic security will lead to HE constructions with high secret key requirement (i.e. essentially similar to one-time-pad).

We also defined and constructed combiners with provable security that combine KEMs in preprocessing model with public-key KEMs. Efficient and secure construction of core functions for combining iKEM and public key KEMs that retain CCA security of component KEMs is an interesting direction for future work.

An HE in preprocessing model is a private key encryption where the private keys are correlated random strings (not symmetric), and so security notions are defined similar to symmetric key encryption systems. Combiners for iKEM and public-key KEM widens the range of possible KEMs, and allow fuzzy data to be used for communication with provable security.

Construction of KEMs with computational security in preprocessing model for specific $P_{\mathbf{X}\mathbf{Y}\mathbf{Z}}$ is an interesting direction for future work.

References

[1] R. Cramer and V. Shoup, “Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack,” SIAM J. Comput., vol. 33, no. 1, pp. 167–226, 2003. [Online]. Available: https://doi.org/10.1137/S0097539702403773
[2] J. Herranz, D. Hofheinz, and E. Kiltz, “Some (in)sufficient conditions for secure hybrid encryption,” Inf. and Computat., vol. 208, no. 11, pp. 1243–1257, 2010. [Online]. Available: https://www.sciencedirect.com/science/article/pii/S089054011000132X
[3] E. Kiltz, “Chosen-Ciphertext Security from Tag-Based Encryption,” in Theory of Cryptogr. Conf. Springer, 2006, pp. 581–600. [Online]. Available: http://link.springer.com/10.1007/11681878{_}30
[4] K. Kurosawa and Y. Desmedt, “A new paradigm of hybrid encryption scheme,” in Annu. Int. Cryptol. Conf. Springer, 2004, pp. 426–442.
[5] J. Herranz, D. Hofheinz, and E. Kiltz, “The kurosawa-desmedt key encapsulation is not chosen-ciphertext secure.” IACR Cryptol. ePrint Arch., vol. 2006, p. 207, 2006.
[6] M. Abe, R. Gennaro, K. Kurosawa, and V. Shoup, “Tag-kem/dem: A new framework for hybrid encryption and a new analysis of kurosawa-desmedt kem,” in Advances in Cryptology – EUROCRYPT 2005. Springer Berlin Heidelberg, 2005, pp. 128–146.
[7] H. Shacham, “A cramer-shoup encryption scheme from the linear assumption and from progressively weaker linear variants,” Cryptology ePrint Archive, Paper 2007/074, 2007, https://eprint.iacr.org/2007/074. [Online]. Available: https://eprint.iacr.org/2007/074
[8] P. Schwabe, D. Stebila, and T. Wiggers, “Post-quantum tls without handshake signatures,” in Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security, ser. CCS ’20. New York, NY, USA: Association for Computing Machinery, 2020, p. 1461–1480. [Online]. Available: https://doi.org/10.1145/3372297.3423350
[9] P. Shor, “Algorithms for quantum computation: discrete logarithms and factoring,” in Proceedings 35th Annual Symposium on Foundations of Computer Science, 1994, pp. 124–134.
[10] J. Bos, L. Ducas, E. Kiltz, T. Lepoint, V. Lyubashevsky, J. M. Schanck, P. Schwabe, G. Seiler, and D. Stehle, “CRYSTALS - Kyber: A CCA-Secure Module-Lattice-Based KEM,” in 2018 IEEE Eur. Symp. Secur. Priv. (EuroS&P), IEEE. IEEE, apr 2018, pp. 353–367. [Online]. Available: https://ieeexplore.ieee.org/document/8406610/
[11] N. I. of Standards and T. group, “Post-quantum cryptography standardization,” https://csrc.nist.gov/Projects/post-quantum-cryptography/post-quantum-cryptography-standardization/round-3-submissions, 2022, national Institute of Standards and Technology.
[12] L. K. Grover, “A fast quantum mechanical algorithm for database search,” in Proceedings of the Twenty-Eighth Annual ACM Symposium on Theory of Computing, ser. STOC ’96. New York, NY, USA: Association for Computing Machinery, 1996, p. 212–219. [Online]. Available: https://doi.org/10.1145/237814.237866
[13] U. Maurer, “Secret Key Agreement by Public Discussion from Common Information,” IEEE Trans. Inf. Theory, vol. 39, no. 3, pp. 733–742, may 1993. [Online]. Available: https://ieeexplore.ieee.org/document/256484/
[14] R. Ahlswede and I. Csiszar, “Common Randomness in Information Theory and Cryptography. I. Secret Sharing,” IEEE Trans. Inf. Theory, vol. 39, no. 4, pp. 1121–1132, 1993. [Online]. Available: http://ieeexplore.ieee.org/document/243431/
[15] T. Holenstein and R. Renner, “One-way secret-key agreement and applications to circuit polarization and immunization of public-key encryption,” in Annu. Int. Cryptol. Conf. Springer, 2005, pp. 478–493.
[16] T. Holenstein, “Strengthening Key Agreement using Hard-core Sets,” Ph.D. dissertation, ETH Zurich, 2006.
[17] J. M. Renes, R. Renner, and D. Sutter, “Efficient One-Way Secret-Key Agreement and Private Channel Coding via Polarization,” in Int. Conf. Theory Appl. Cryptol. Inf. Secur., ser. LNCS, K. Sako and P. Sarkar, Eds. Springer, 2013, vol. 8269, pp. 194–213. [Online]. Available: http://link.springer.com/10.1007/978-3-642-42033-7{_}11
[18] R. A. Chou, M. R. Bloch, and E. Abbe, “Polar Coding for Secret-Key Generation,” IEEE Trans. Inf. Theory, vol. 61, no. 11, pp. 6213–6237, nov 2015. [Online]. Available: http://ieeexplore.ieee.org/document/7217814/
[19] S. Sharifian, A. Poostindouz, and R. Safavi-Naini, “A capacity-achieving one-way key agreement with improved finite blocklength analysis,” in Int. Symp. on Inf. Theory and Its Appl., ISITA 2020. IEEE, 2020, pp. 407–411. [Online]. Available: https://ieeexplore.ieee.org/document/9366148
[20] Y. Dodis, L. Reyzin, and A. D. Smith, “Fuzzy extractors: How to generate strong keys from biometrics and other noisy data,” in Advances in Cryptol. - EUROCRYPT 2004,, ser. LNCS, C. Cachin and J. Camenisch, Eds., vol. 3027. Springer, 2004, pp. 523–540. [Online]. Available: https://doi.org/10.1007/978-3-540-24676-3_31
[21] Y. Dodis, R. Ostrovsky, L. Reyzin, and A. D. Smith, “Fuzzy extractors: How to generate strong keys from biometrics and other noisy data,” SIAM J. Comput., vol. 38, no. 1, pp. 97–139, 2008. [Online]. Available: https://doi.org/10.1137/060651380
[22] X. Boyen, “Reusable cryptographic fuzzy extractors,” in Proceedings of the 11th ACM Conf. on Computer and communications security, 2004, pp. 82–91.
[23] X. Boyen, Y. Dodis, J. Katz, R. Ostrovsky, and A. Smith, “Secure remote authentication using biometric data,” in Annual Int. Conf. Theory Appl. Cryptographic Techniques. Springer, 2005, pp. 147–163.
[24] Y. Dodis, B. Kanukurthi, J. Katz, L. Reyzin, and A. D. Smith, “Robust fuzzy extractors and authenticated key agreement from close secrets,” IEEE Trans. Inf. Theory, vol. 58, no. 9, pp. 6207–6222, 2012. [Online]. Available: https://doi.org/10.1109/TIT.2012.2200290
[25] R. Canetti, B. Fuller, O. Paneth, L. Reyzin, and A. Smith, “Reusable fuzzy extractors for low-entropy distributions,” in Annual Int. Conf. Theory Appl. Cryptographic Techniques. Springer, 2016, pp. 117–146.
[26] C. H. Bennett and G. Brassard, “Quantum cryptography: Public key distribution and coin tossing,” in Proceedings of IEEE International Conference on Computers, Systems and Signal Processing, 1984, pp. 175–179.
[27] U. Maurer, “Information-theoretically secure secret-key agreement by not authenticated public discussion,” in EUROCRYPT ’97, 1997, pp. 209–225.
[28] U. Maurer and S. Wolf, “Secret-Key Agreement over Unauthenticated Public Channels-Part II: The Simulatability Condition,” IEEE Trans. Inf. Theory, vol. 49, no. 4, pp. 832–838, apr 2003. [Online]. Available: http://ieeexplore.ieee.org/document/1193794/
[29] S. Panja, S. Jiang, and R. Safavi-Naini, “A one-way secret key agreement with security against active adversaries,” in 2023 IEEE International Symposium on Information Theory (ISIT), 2023, pp. 2314–2319.
[30] F. Giacon, F. Heuer, and B. Poettering, “KEM Combiners,” in IACR Int. Work. Public Key Cryptogr. Springer, 2018, pp. 190–218. [Online]. Available: http://link.springer.com/10.1007/978-3-319-76578-5{_}7
[31] N. Bindel, J. Brendel, M. Fischlin, B. Goncalves, and D. Stebila, “Hybrid key encapsulation mechanisms and authenticated key exchange,” in Int. Conf. Post-Quantum Cryptogr. Springer, 2019, pp. 206–226.
[32] S. Sharifian and R. Safavi-Naini, “Information-theoretic key encapsulation and its application to secure communication,” in 2021 IEEE Int. Symp. on Inf. Theory (ISIT). IEEE, 2021, pp. 2393–2398.
[33] A. W. Dent, “A Designer’s Guide to KEMs,” in IMA Int. Conf. on Cryptogr. and Coding. Springer, 2003, pp. 133–151. [Online]. Available: http://link.springer.com/10.1007/978-3-540-40974-8{_}12
[34] K. Bentahar, P. Farshim, J. Malone-Lee, and N. P. Smart, “Generic Constructions of Identity-Based and Certificateless KEMs,” J. Cryptol., vol. 21, no. 2, pp. 178–199, apr 2008. [Online]. Available: http://link.springer.com/10.1007/s00145-007-9000-z
[35] K. Haralambiev, T. Jager, E. Kiltz, and V. Shoup, “Simple and Efficient Public-Key Encryption from Computational Diffie-Hellman in the Standard Model,” in IACR Int. Work. Public Key Cryptogr. Springer, 2010, pp. 1–18. [Online]. Available: http://link.springer.com/10.1007/978-3-642-13013-7{_}1
[36] J. Ding, X. Xie, and X. Lin, “A Simple Provably Secure Key Exchange Scheme Based on the Learning with Errors Problem.” IACR Cryptol. ePrint Archive, vol. 2012, p. 688, 2012.
[37] C. Peikert, “Lattice Cryptography for the Internet,” in Int. Work. Post-Quantum Cryptogr. Springer, 2014, pp. 197–219. [Online]. Available: http://link.springer.com/10.1007/978-3-319-11659-4{_}12
[38] M. Albrecht, C. Cid, K. Paterson, C. Tjhai, and M. Tomlinson, “Nts-kem — round 2 submission,” https://csrc.nist.gov/CSRC/media/Presentations/nts-kem-round-2-presentation/images-media/nts-kem.pdf, 2019, national Institute of Standards and Technology.
[39] T. Matsuda and J. C. N. Schuldt, “A New Key Encapsulation Combiner,” in 2018 Int. Symp. Inf. Theory Its Appl. (ISITA). IEEE, 2018, pp. 698–702.
[40] D. Harnik, J. Kilian, M. Naor, O. Reingold, and A. Rosen, “On Robust Combiners for Oblivious Transfer and Other Primitives,” in Annu. Int. Conf. Theory Appl. Cryptographic Techniques. Springer, 2005, pp. 96–113. [Online]. Available: http://link.springer.com/10.1007/11426639{_}6
[41] C. H. Bennett, G. Brassard, and J.-M. Robert, “Privacy Amplification by Public Discussion,” SIAM J. Comput., vol. 17, no. 2, pp. 210–229, apr 1988. [Online]. Available: http://epubs.siam.org/doi/10.1137/0217014
[42] R. Renner and S. Wolf, “Smooth Renyi Entropy and Applications,” in 2004 IEEE Int. Symp. Inf. Theory (ISIT)., IEEE. IEEE, 2004, pp. 232–232. [Online]. Available: http://ieeexplore.ieee.org/document/1365269/
[43] T. Holenstein and R. Renner, “On the Randomness of Independent Experiments,” IEEE Trans. Inf. Theory, vol. 57, no. 4, pp. 1865–1871, apr 2011. [Online]. Available: http://ieeexplore.ieee.org/document/5730579/
[44] M. Tomamichel, J. Martinez-Mateo, C. Pacher, and D. Elkouss, “Fundamental finite key limits for information reconciliation in quantum key distribution,” in 2014 IEEE Int. Symp. on Inf. Theory, 2014, pp. 1469–1473.
[45] U. Maurer and S. Wolf, “Secret-Key Agreement over Unauthenticated Public Channels-Part I: Definitions and a Completeness Result,” IEEE Trans. Inf. Theory, vol. 49, no. 4, pp. 822–831, apr 2003. [Online]. Available: http://ieeexplore.ieee.org/document/1193793/
[46] R. Renner and S. Wolf, “The exact price for unconditionally secure asymmetric cryptography,” in Adv. Cryptol. - EUROCRYPT 2004, C. Cachin and J. L. Camenisch, Eds. Berlin, Heidelberg: Springer Berlin Heidelberg, 2004, pp. 109–125.
[47] B. Kanukurthi and L. Reyzin, “Key Agreement from Close Secrets over Unsecured Channels,” in Annu. Int. Conf. Theory Appl. Cryptographic Techniques. Springer, 2009, pp. 206–223. [Online]. Available: http://link.springer.com/10.1007/978-3-642-01001-9{_}12
[48] C. E. Shannon, “Communication Theory of Secrecy Systems*,” Bell System Technical Journal, vol. 28, no. 4, pp. 656–715, oct 1949. [Online]. Available: http://ieeexplore.ieee.org/lpdocs/epic03/wrapper.htm?arnumber=6769090
[49] S. Even and O. Goldreich, “On the power of cascade ciphers,” in Adv. Cryptol. Boston, MA: Springer US, 1985, vol. 3, pp. 43–50. [Online]. Available: http://link.springer.com/10.1007/978-1-4684-4730-9{_}4
[50] U. M. Maurer and J. L. Massey, “Cascade Ciphers: The Importance of Being First,” J. Cryptol., vol. 6, no. 1, pp. 55–61, mar 1993. [Online]. Available: http://link.springer.com/10.1007/BF02620231
[51] M. Fischlin and A. Lehmann, “Security-amplifying combiners for collision-resistant hash functions,” in Advances in Cryptology - CRYPTO 2007, A. Menezes, Ed. Berlin, Heidelberg: Springer Berlin Heidelberg, 2007, pp. 224–243.
[52] A. Herzberg, “Folklore, practice and theory of robust combiners,” Cryptology ePrint Archive, Paper 2002/135, 2002, https://eprint.iacr.org/2002/135. [Online]. Available: https://eprint.iacr.org/2002/135
[53] D. Beaver, “Precomputing oblivious transfer,” in Annu. Int. Cryptol. Conf. Springer, 1995, pp. 97–109.
[54] R. Bendlin, I. Damgård, C. Orlandi, and S. Zakarias, “Semi-homomorphic Encryption and Multiparty Computation,” in Annu. Int. Conf. Theory Appl. Cryptographic Techniques. Springer, 2011, pp. 169–188. [Online]. Available: http://link.springer.com/10.1007/978-3-642-20465-4{_}11
[55] Y. Ishai, E. Kushilevitz, S. Meldgaard, C. Orlandi, and A. Paskin-Cherniavsky, “On the power of correlated randomness in secure computation,” in Theory of Cryptogr. Conf. Springer, 2013, pp. 600–620.
[56] S. Garg, Y. Ishai, and A. Srinivasan, “Two-round mpc: information-theoretic and black-box,” in Theory of Cryptogr. Conf. Springer, 2018, pp. 123–151.
[57] B. Pfitzmann and M. Waidner, “A model for asynchronous reactive systems and its application to secure message transmission,” in Proc. 2001 IEEE Symp. Secur. Privacy. S&P 2001. IEEE, 2000, pp. 184–200.
[58] R. Impagliazzo, L. A. Levin, and M. Luby, “Pseudo-Random Generation from One-Way Functions,” in Proc. 21st Annu. ACM Symp. Theory Comput. -STOC ’89. New York, New York, USA: ACM Press, 1989, pp. 12–24. [Online]. Available: http://portal.acm.org/citation.cfm?doid=73007.73009
[59] R. Cramer, G. Hanaoka, D. Hofheinz, H. Imai, E. Kiltz, R. Pass, A. Shelat, and V. Vaikuntanathan, “Bounded CCA2-Secure Encryption,” in Int. Conf. Theory Appl. Cryptol. Inf. Secur. Springer, 2007, pp. 502–518. [Online]. Available: http://link.springer.com/10.1007/978-3-540-76900-2{_}31
[60] M. Bellare and C. Namprempre, “Authenticated encryption: Relations among notions and analysis of the generic composition paradigm,” in Int. Conf. Theory Appl. Cryptol. Inf. Secur. Springer, 2000, pp. 531–545.
[61] J. Katz and M. Yung, “Characterization of security notions for probabilistic private-key encryption,” J. Cryptol., vol. 19, no. 1, pp. 67–95, 2006.
[62] T. Holenstein and R. Renner, “On the randomness of independent experiments,” IEEE Trans. Inf. Theor., vol. 57, no. 4, pp. 1865–1871, 2011.
[63] M. Bellare and P. Rogaway, “Optimal asymmetric encryption,” in Advances in Cryptology — EUROCRYPT’94, A. De Santis, Ed. Berlin, Heidelberg: Springer Berlin Heidelberg, 1995, pp. 92–111.
[64] M. Bellare and A. Palacio, “Towards plaintext-aware public-key encryption without random oracles,” in Advances in Cryptology - ASIACRYPT 2004, P. J. Lee, Ed. Berlin, Heidelberg: Springer Berlin Heidelberg, 2004, pp. 48–62.
[65] J. L. Coolidge, “A treatise on algebraic plane curves,” New York: Dover, 1959, p. 10.
[66] E. W. Weisstein, “Bézout’s theorem,” From MathWorld–A Wolfram Web Resource, https://mathworld.wolfram.com/BezoutsTheorem.html. [Online]. Available: https://mathworld.wolfram.com/BezoutsTheorem.html
[67] B. Barak, R. Shaltiel, and E. Tromer, “True Random Number Generators Secure in a Changing Environment,” in Int. Workshop on Cryptographic Hardware and Embedded Systems. Springer, 2003, pp. 166–180. [Online]. Available: http://link.springer.com/10.1007/978-3-540-45238-6{_}14
[68] M. Bellare and P. Rogaway, “Introduction to modern cryptography,” 2005, https://web.cs.ucdavis.edu/~rogaway/classes/227/spring05/book/main.pdf. [Online]. Available: https://web.cs.ucdavis.edu/~rogaway/classes/227/spring05/book/main.pdf

Appendix A Proof of Theorem 1

$1.$ To prove the first part of the theorem, we define two consecutive games: the first game $\mathrm{G}^{0\text{-}b}_{\mathsf{pkem},\mathsf{D}}$ is the CCA distinguishing game $\mathrm{pKIND}_{\mathsf{pkem},\mathsf{D}}^{cca\text{-}b}(\lambda)$ in Fig 3 and $\mathrm{G}^{1\text{-}b}_{\mathsf{pkem},\mathsf{D}}$ is the same game except for its decapsulation oracle that always outputs $\perp$ . We have:

$\displaystyle Adv^{pkind\text{-}cca}_{\mathsf{pkem},\mathsf{D}}(\lambda)$	$\displaystyle=\|\mathrm{Pr}[\mathrm{pKIND}_{\mathsf{pkem},\mathsf{D}}^{cca\text{-}0}(\lambda)=1]-\mathrm{Pr}[\mathrm{pKIND}_{\mathsf{pkem},\mathsf{D}}^{cca\text{-}1}(\lambda)=1]\|$
	$\displaystyle=\|\mathrm{Pr}[\mathrm{G}^{0\textbf{-}0}_{\mathsf{pkem},\mathsf{D}}=1]-\mathrm{Pr}[\mathrm{G}^{0\textbf{-}1}_{\mathsf{pkem},\mathsf{D}}=1]\|$	(35)
	$\displaystyle=\|\mathrm{Pr}[\mathrm{G}^{0\textbf{-}0}_{\mathsf{pkem},\mathsf{D}}=1]-\mathrm{Pr}[\mathrm{G}^{1\textbf{-}0}_{\mathsf{pkem},\mathsf{D}}=1]+\mathrm{Pr}[\mathrm{G}^{1\textbf{-}0}_{\mathsf{pkem},\mathsf{D}}=1]$
	$\displaystyle\quad-\mathrm{Pr}[\mathrm{G}^{1\textbf{-}1}_{\mathsf{pkem},\mathsf{D}}=1]+\mathrm{Pr}[\mathrm{G}^{1\textbf{-}1}_{\mathsf{pkem},\mathsf{D}}=1]-\mathrm{Pr}[\mathrm{G}^{0\textbf{-}1}_{\mathsf{pkem},\mathsf{D}}=1]\|$
	$\displaystyle\leq\|\mathrm{Pr}[\mathrm{G}^{0\textbf{-}0}_{\mathsf{pkem},\mathsf{D}}=1]-\mathrm{Pr}[\mathrm{G}^{1\textbf{-}0}_{\mathsf{pkem},\mathsf{D}}=1]\|+\|\mathrm{Pr}[\mathrm{G}^{1\textbf{-}0}_{\mathsf{pkem},\mathsf{D}}=1]-\mathrm{Pr}[\mathrm{G}^{1\textbf{-}1}_{\mathsf{pkem},\mathsf{D}}=1]\|$
	$\displaystyle\quad+\|\mathrm{Pr}[\mathrm{G}^{1\textbf{-}1}_{\mathsf{pkem},\mathsf{D}}=1]-\mathrm{Pr}[\mathrm{G}^{0\textbf{-}1}_{\mathsf{pkem},\mathsf{D}}=1]\|$

where equation 35 is simply using $\mathrm{G}^{0\textbf{-}0}_{\mathsf{pkem},\mathsf{D}}$ and $\mathrm{G}^{0\textbf{-}1}_{\mathsf{pkem},\mathsf{D}}$ in lieu of $\mathrm{pKIND}_{\mathsf{pkem},\mathsf{D}}^{cca\text{-}0}$ and $\mathrm{pKIND}_{\mathsf{pkem},\mathsf{D}}^{cca\text{-}1}$ respectively, and inequality 35 is by triangle inequality.

To bound the first and the last terms of inequality 35, let $U_{1}$ be the event that $\mathsf{D}$ outputs 1 in game $\mathrm{G}^{0\text{-}b}_{\mathsf{pkem},\mathsf{D}}$ and $U_{2}$ be the event that $\mathsf{D}$ outputs 1 in game $\mathrm{G}^{1\text{-}b}_{\mathsf{pkem},D}$ for $b\in\{0,1\}$ . These two games are identical except when the decapsulation oracle output is not $\perp$ in $\mathrm{G}^{0\text{-}b}_{\mathsf{pkem},D}$ , lets call this event F. The event F is the union of $q_{d}$ events $\cup^{q_{d}}_{i=1}F_{i}$ , where $F_{i}$ is the event that the output of the decapsulation oracle in the $i$ -th call is not $\perp$ . Let A be the adversary in game $\mathrm{KINT}_{\mathsf{pkem},A}$ that makes $q_{d}$ queries to the decapsulation oracle. We have $\mathrm{Pr}[F_{i}]\leq Adv^{kint}_{\mathsf{pkem},A}(\lambda)$ and therefore, from the union bound $\mathrm{Pr}[F]\leq\sum^{q_{d}}_{i=1}\mathrm{Pr}[F_{i}]\leq q_{d}\mathrm{Pr}[\mathrm{KINT}_{\mathsf{pkem},A}=1]=q_{d}Adv^{kint}_{\mathsf{pkem},A}(\lambda)$ , and from Lemma $6.2$ of [1]:

\displaystyle|\mathrm{Pr}[\mathrm{G}^{0\text{-}b}_{\mathsf{pkem},D}=1]-\mathrm{Pr}[\mathrm{G}^{1\text{-}b}_{\mathsf{pkem},D}=1]|=|\mathrm{Pr}[U_{1}]-\mathrm{Pr}[U_{2}]|\leq\mathrm{Pr}[F]\leq q_{d}Adv^{kint}_{\mathsf{pkem},A}(\lambda)

(36)

To bound the second term in inequality 35, we note that in $\mathrm{G}^{1\text{-}b}_{\mathsf{pkem},D}$ for $b\in\{0,1\}$ , the decapsulation oracle always output $\perp$ and simulates the IND-CEA game $\mathrm{pKIND}^{cea\text{-}b}_{\mathsf{pkem},B}(\lambda)$ . Therefore,

|\mathrm{Pr}[\mathrm{G}^{1\text{-}0}_{\mathsf{pkem},D}=1]-\mathrm{Pr}[\mathrm{G}^{1\text{-}1}_{\mathsf{pkem},D}=1]|\leq Adv^{pkind\text{-}cea}_{\mathsf{pkem},B}(\lambda)

(37)

Finally, from inequalities 36 and 37 we have

Adv^{pkind\text{-}cca}_{\mathsf{pkem},D}(\lambda)\leq 2q_{d}Adv^{kint}_{\mathsf{pkem},A}(\lambda)+Adv^{pkind\text{-}cea}_{\mathsf{pkem},B}(\lambda)

$2.$ The proof of the second part of the theorem uses the same sequence of games, but against a computationally unbounded adversary. We can similarly bound the CCA advantage of the adversary by bounding the advantage of these games. ∎

Appendix B Proof of Theorem 2

We first show the claim of the theorem for the second case that is, an IND-CCA secure KEM in preprocessing model and an IND-OTCCA secure DEM construct an IND-CCA secure hybrid encryption scheme in preprocessing model. The proof of the first case will follow from the proof of the second case. The proof of the third and forth cases are identical to the proof of first and second cases respectively and noting that the adversary for the iKEM is query-bounded and computationally unbounded.

We define a sequence of three games $\mathrm{G}^{0\text{-}b}$ , $\mathrm{G}^{1\text{-}b}$ , and $\mathrm{G}^{2\text{-}b}$ that simulate adversary’s actual or modified interaction with the encryption system during the attack procedure. Each game operates on the same underlying probability space. In particular, private inputs of parties, randomness of the adversary’s algorithm, and the hidden bit b take on identical values across all games. At the end of each game, the adversary outputs a bit $\hat{b}$ . For a game $\mathrm{G}^{i\text{-}b}$ , where $i\in\{0,1,2\}$ with output $\hat{b}$ , $T_{i}$ denotes the event that $\hat{b}=b$ . All games are played by a computationally bounded distinguisher D. $\mathrm{G}^{0\text{-}b}_{D}$ is identical to the distinguishing game of hybrid encryption in preprocessing model explained above. $\mathrm{G}^{1\text{-}b}_{D}$ only differs from $\mathrm{G}^{0\text{-}b}_{D}$ in its decapsulation oracle. Suppose the challenge HE ciphertext $c^{*}=(c_{1}^{*},c_{2}^{*})$ , where $c_{1}^{*}$ is generated by $\mathsf{ckem.Enc}$ and $c_{2}^{*}$ is generated by SE.Enc. Then for any decryption query $c=(c_{1},c_{2})\neq(c_{1}^{*},c_{2}^{*})$ , the decryption oracle of $\mathrm{G}^{1\text{-}b}_{D}$ uses $\mathsf{ckem.Dec}$ to decrypt the ciphertext unless $c_{1}=c_{1}^{*}$ (and $c_{2}\neq c_{2}^{*})$ . In this case, the key $k_{1}$ corresponding to $c_{1}^{*}$ that is generated by $\mathsf{ckem.Enc}$ will be used for the decryption of $c_{2}^{*}$ . Finally, $\mathrm{G}^{2\text{-}b}_{D}$ only differs from $\mathrm{G}^{1\text{-}b}_{D}$ in using a uniformly sampled key instead of the key generated by cKEM for encryption and answering encryption and decryption queries. We bound $Adv^{ind\text{-}cca}_{\mathsf{HE}_{\mathsf{ckem},\mathsf{SE}},D}(\lambda)$ using the defined games: For a given sample sam = $(r_{A},r_{B},r_{E})$ generated by $\mathsf{ckem.Gen}$ , we define $BK_{sam}$ , a set of bad keys k, generated by $\mathsf{ckem.Enc}$ , as $BK_{sam}=\{k:\mathsf{ckem.Dec}(r_{B},c)\neq k\}$ . According to the correctness of $\mathsf{ckem}$ , for $k\leftarrow^{\$}\{0,1\}^{l(\lambda)}$ we have $\mathrm{Pr}[k\in BK_{sam}]\leq\epsilon$ . The two events $T_{0}$ and $T_{1}$ are only different when the event $[\mathsf{ckem.Dec}(r_{B},c_{1}^{*})\in BK_{sam}]$ happens. Using Lemma $6.2$ of [1], we have

|\mathrm{Pr}[T_{0}]-\mathrm{Pr}[T_{1}]|\leq\mathrm{Pr}[k\in BK_{sam}]\leq\epsilon

(38)

We now consider the game $\mathrm{G}^{2\text{-}b}_{D}$ and $\mathrm{G}^{1\text{-}b}_{D}$ . The game $\mathrm{G}^{2\text{-}b}_{D}$ is same as $\mathrm{G}^{1\text{-}b}_{D}$ except that $\mathrm{G}^{2\text{-}b}_{D}$ uses a uniformly sampled key instead of the key generated by cKEM for encryption and decryption queries. Since the KEM’s key is $\sigma$ -IND-CCA secure, there exists an adversary $D^{\prime}$ such that

|\mathrm{Pr}[T_{1}]-\mathrm{Pr}[T_{2}]|=Adv^{kind\text{-}cca}_{\mathsf{ckem},D^{\prime}}(\lambda)\leq\sigma

(39)

In the above case, the adversary $D^{\prime}$ just runs the adversary $D$ . Specifically, $D^{\prime}$ is playing an attack game against KEM in which $k_{b}$ is equal to $k^{*}$ in game $\mathrm{G}^{1\text{-}b}_{D}$ , whereas $k_{b}$ is a uniformly sampled random value in the game $\mathrm{G}^{2\text{-}b}_{D}$ .

Lastly, note that in game $\mathrm{G}^{2\text{-}b}_{D}$ , a new random key is sampled for each encryption/decryption query. Thus in this game, the adversary $D$ is just executing a chosen ciphertext attack against SE. Therefore, there exists an adversary $D^{\prime\prime}$ such that

|\mathrm{Pr}[T_{2}]-1/2|=\frac{1}{2}Adv^{ind\text{-}otcca}_{SE,D^{\prime\prime}}(\lambda)\leq\frac{\sigma^{\prime}}{2}

(40)

Since $Adv^{ind\text{-}cca}_{\mathsf{HE}_{\mathsf{ckem},\mathsf{SE}},D}(\lambda)=2|\mathrm{Pr}[T_{0}]-1/2|$ , using inequalities 38, 39, 40 we have

	$\displaystyle Adv^{ind\text{-}cca}_{\mathsf{HE}_{\mathsf{ckem},\mathsf{SE}},D}(\lambda)$	$\displaystyle=2\|\mathrm{Pr}[T_{0}]-1/2\|$
		$\displaystyle=2\|\mathrm{Pr}[T_{0}]-\mathrm{Pr}[T_{1}]+\mathrm{Pr}[T_{1}]-\mathrm{Pr}[T_{2}]+\mathrm{Pr}[T_{2}]-1/2\|$
		$\displaystyle\leq 2\|\mathrm{Pr}[T_{0}]-\mathrm{Pr}[T_{1}]\|+2\|\mathrm{Pr}[T_{1}]-\mathrm{Pr}[T_{2}]\|+2\|\mathrm{Pr}[T_{2}]-1/2\|$
		$\displaystyle\leq 2\epsilon+2\sigma+\sigma^{\prime}.$

For the proof of the first part, we note that $\mathrm{G}^{0\text{-}b}_{D}$ and $\mathrm{G}^{1\text{-}b}_{D}$ are identical because no decryption query is issued. Therefore, $|\mathrm{Pr}[T_{1}]-\mathrm{Pr}[T_{0}]|=0$ . Also since there is no decryption query and the KEM is $\sigma$ -IND-CEA secure we have,

|\mathrm{Pr}[T_{1}]-\mathrm{Pr}[T_{2}]|\leq Adv^{kind\text{-}q_{e}\text{-}cea}_{\mathsf{ckem},D}(\lambda)\leq\sigma;

and since the DEM is $\sigma^{\prime}$ -IND-OT secure, we have,

|\mathrm{Pr}[T_{2}]-1/2|=(Adv^{ind\text{-}ot}_{SE,D}(\lambda))/2\leq\sigma^{\prime}/2

and finally,

Adv^{ind\text{-}cea}_{\mathsf{HE}_{\mathsf{ckem},\mathsf{SE}},D}(\lambda)=2|\mathrm{Pr}[T_{0}]-1/2|\leq 2\sigma+\sigma^{\prime}.

∎

Appendix C Proof of Theorem 6

In the $q_{e}$ -CEA distinguishing game of $\mathsf{ikem}$ , the distinguisher $\mathsf{D}^{\prime}$ receives $r_{E}$ , $\mathbf{v}^{q_{e}\text{-}cea}=({v_{1}}^{cea},\cdots,{v_{q_{e}}}^{cea})$ , where ${v_{i}}^{cea}$ is the encapsulation oracle’s output to the $i$ th encapsulation query, and the pair of challenge ciphertext and key $(c_{1}^{*},k^{*}_{1_{b}})$ , and is supposed to distinguish if $k^{*}_{1_{b}}$ is generated by $\mathsf{ikem}$ or is sampled uniformly. ${\mathsf{D}}^{\prime}$ uses the KEM $\mathsf{kem}$ to generate $(pk,sk)$ and produces $({c^{\prime}}_{2}^{*},{k^{\prime}}_{2}^{*})\stackrel{{\scriptstyle\$}}{{\leftarrow}}\mathsf{kem.Enc}(pk)$ . Then sends $\mathbf{c}^{*}$ and $k^{*}$ to $\mathsf{D}$ , where $\mathbf{c}^{*}=(c_{1}^{*},{c^{\prime}}_{2}^{*})$ and ${k}^{*}=k_{1_{b}}^{*}\oplus{k^{\prime}}_{2}^{*}$ to $\mathsf{D}$ . Finally, $\mathsf{D}^{\prime}$ outputs $b^{\prime}$ equal to $\mathsf{D}$ ’s output. The advantages of $\mathsf{D}$ and is upper bounded by $\mathsf{D}^{\prime}$ because $k^{*}$ is a sample from the uniform distribution only if $k_{1_{b}}$ is a sample from the uniform distribution. Since we assumed that $\mathsf{D}$ breaks the IND- $q_{e}$ -CEA security of the combined key, then $\mathsf{D}^{\prime}$ can break the IND- $q_{e}$ -CEA security of the iKEM which is a contradiction. $\ \qed$

Appendix D Proof of Theorem 7

The proof for a computationally bounded adversary will be based on the proof of Theorem 3 in [30], and noting that the iKEM will loose its security after a fixed number of repeated queries. We shall prove part $(b)$ of the theorem 7.

To prove the part $(b)$ of the Theorem 7, let $D^{\prime}=(D_{1},D_{2})$ denote a computationally unbounded adversary attacking the CCA security of the combiner $Comb^{PtX}_{\mathsf{ikem},\mathsf{kem}}$ by making at most $q_{e}$ encapsulation and $q_{d}$ ciphertext (decapsulation) queries in the CCA distinguishing game $\mathrm{pKIND}^{(q_{e};q_{d})\text{-}cca\text{-}b}_{Comb,D^{\prime}}$ , and $b$ be uniform over {0,1}.

$\mathrm{pKIND}^{(q_{e};q_{d})\text{-}cca\text{-}b}_{Comb,D^{\prime}}:=\mathrm{G}^{0\text{-}b}_{Comb,D^{\prime}}$ 1: $Ret[.]\leftarrow\perp$

2: $(r_{A},r_{B},r_{E})\xleftarrow{\$}\mathsf{ikem.Gen}(1^{\lambda},P_{\mathbf{X}\mathbf{Y}\mathbf{Z}})$

3: $(s_{k},p_{k})\xleftarrow{\$}\mathsf{kem.Gen}(1^{\lambda})$

4: $st_{1}\xleftarrow{\$}D^{O_{1}}_{1}(r_{E},p_{k})$

5: $(k^{*}_{1},c^{*}_{1})\xleftarrow{\$}\mathsf{ikem.Enc}(r_{A})$

% $\mathrm{G}^{1\text{-}b}_{D^{\prime}}-\mathrm{G}^{3\text{-}b}_{D^{\prime}}:$ $k^{*}_{1}\xleftarrow{\$}\{0,1\}^{\mathsf{ikem.Len}(\lambda)}$

6: $(k^{*}_{2},c^{*}_{2})\xleftarrow{\$}\mathsf{kem.Enc}(p_{k})$

7: $c^{*}\leftarrow(c^{*}_{1},c^{*}_{2})$

8: $y^{*}_{1}\leftarrow F_{1}(k^{*}_{1},c^{*}_{2})$

% $\mathrm{G}^{2\text{-}b}_{D^{\prime}}-\mathrm{G}^{4\text{-}b}_{D^{\prime}}$ : $y^{*}_{1}\xleftarrow{\$}\mathcal{K}$

9: $k^{*}\leftarrow y^{*}_{1}\oplus F_{2}(k^{*}_{2},c^{*}_{1})$

10: $k^{\prime}_{0}\leftarrow k^{*};k^{\prime}_{1}\xleftarrow{\$}\mathcal{K}$

11: $b^{\prime}\xleftarrow{\$}D^{O_{2}}_{2}(st_{1},c^{*},k^{\prime}_{b})$

12: Return $b^{\prime}$

Oracle $\mathsf{Comb.Enc}(r_{A},pk)$ 1: $(k_{11},c_{11})\xleftarrow{\$}\mathsf{ikem.Enc}(r_{A})$

2: $(k_{21},c_{21})\xleftarrow{\$}\mathsf{kem.Enc}(p_{k})$

3: $k\leftarrow F_{1}(k_{11},c_{21})\oplus F_{2}(k_{21},c_{11})$

4: Return $(k,c_{11},c_{21})$

Oracle $\mathsf{Comb.Dec}(r_{B},sk,c)$ 1: If $c=c^{*}$ : Abort

2: If $Ret[c]\neq\perp:$ Return $Ret[c]$

3: $c_{1},c_{2}\leftarrow c$

4: If $c_{1}=c^{*}_{1}$ :

5: $k_{1}\leftarrow k^{*}_{1}$

6: $y_{1}\leftarrow F_{1}(k_{1},c_{2})$

% $\mathrm{G}^{2\text{-}b}_{D^{\prime}}:$ $y_{1}\xleftarrow{\$}\mathcal{K}$

% $\mathrm{G}^{3\text{-}b}_{D^{\prime}}:$ $y_{1}\xleftarrow{\$}F_{1}(k_{1},c_{2})$

7: else

8: $k_{1}\xleftarrow{\$}\mathsf{ikem.Dec}(r_{B},c_{1})$

9: If $k_{1}=\perp$ : Return $\epsilon$

10: $y_{1}\leftarrow F_{1}(k_{1},c_{2})$

11: $k_{2}\leftarrow\mathsf{kem.Dec}(s_{k},c_{2})$

12: If $k_{2}=\perp$ : Return $\epsilon$

13: $Ret[c]\leftarrow y_{1}\oplus F_{2}(k_{2},c_{1})$

14: Return $Ret[c]$

Figure 8: Games

\mathrm{G}^{0\text{-}b}_{Comb,D^{\prime}}

\mathrm{G}^{4\text{-}b}_{Comb,D^{\prime}}

to prove security of the PRF-then-XOR combiner

The proof uses a sequence of five games. We define five games $\mathrm{G}^{0\text{-}b}_{Comb,D^{\prime}}$ to $\mathrm{G}^{4\text{-}b}_{Comb,D^{\prime}}$ for a uniform $b$ over {0,1}, played by the adversary $D^{\prime}=(D_{1},D_{2})$ . Figure 8 depicts these games. In each game, $D^{\prime}$ outputs $b^{\prime}\in\{0,1\}$ . Note that, if the adversary has already queried the oracle for the same input, the oracle returns the same output.

Adversary $D^{\prime}=(D_{1},D_{2})$ can call two oracles, $\mathsf{Comb.Enc}(r_{A},pk)$ and $\mathsf{Comb.Dec}(r_{B},sk,\cdot)$ that correspond to the encapsulation and decapsulation algorithms of the combiner, and have access to the associated keys of the component KEMs. We use $O_{1}$ and $O_{2}$ to refer to oracle calls of $D^{\prime}$ before and after seeing the challenge ciphertext.

$\mathrm{G}^{0\text{-}b}_{Comb,D^{\prime}}$ is the CCA distinguishing game of the combiner $Comb^{PtX}_{\mathsf{ikem},\mathsf{kem}}$ with the distinguisher $D^{\prime}$ making at most $q_{e}$ encapsulation and $q_{d}$ decapsulation queries. That is, $\mathrm{pKIND}^{(q_{e};q_{d})\text{-}cca\text{-}b}_{Comb,D^{\prime}}=\mathrm{G}^{0\text{-}b}_{Comb,D^{\prime}}$ . Note that according to the PRF-then-XOR construction of the combiner (figure 8), the decapsulation oracle outputs “ $\perp$ ” when the ciphertext of at least one of the components decapsulates to “ $\perp$ ”.

\mathrm{Pr}[\mathrm{pKIND}^{(q_{e};q_{d})\text{-}cca\text{-}0}_{Comb,D^{\prime}}(\lambda)=1]=\mathrm{Pr}[\mathrm{G}^{0\text{-}0}_{Comb,D^{\prime}}(\lambda)=1]

(41)

In $\mathrm{G}^{1\text{-}b}_{Comb,D^{\prime}}$ , the iKEM key $k^{*}_{1}$ is replaced by a uniform random key (this replacement is also reflected in the decapsulation oracle Line 5 using $k_{1}\leftarrow k^{*}_{1}$ ).

Claim 1.

There exists a computationally unbounded adversary $U_{1}$ whose advantage in the CCA distinguishing game of iKEM $\mathsf{ikem}$ with at most $q_{e}$ encapsulation and $q_{d}$ decapsulation queries is $Adv^{pkind\text{-}(q_{e};q_{d})\text{-}cca}_{\mathsf{ikem},U_{1}}$ such that

\displaystyle|\mathrm{Pr}[\mathrm{G}^{0\text{-}0}_{Comb,D^{\prime}}(\lambda)=1]-\mathrm{Pr}[\mathrm{G}^{1\text{-}0}_{Comb,D^{\prime}}(\lambda)=1]|\leq Adv^{pkind\text{-}(q_{e};q_{d})\text{-}cca}_{\mathsf{ikem},U_{1}}

(42)

Proof.

(claim 1) We construct the adversary $U_{1}=(U_{11},U_{12})$ for the CCA distinguishing game of iKEM as given in figure 9.

Adversary $U_{11}$ takes $r_{E}$ as input. The adversary $U_{12}$ runs on the challenge $(c^{*}_{1},k^{*}_{1})$ . At the end, $U_{12}$ relays whatever $D_{2}$ outputs.

Adversary $U^{O_{1}}_{11}(r_{E})$ 1: $(s_{k},p_{k})\xleftarrow{\$}\mathsf{kem.Gen}()$

2: $st_{1}\xleftarrow{\$}D^{O_{1}}_{1}(r_{E},p_{k})$

3: Return $st_{1}$

Adversary $U^{O_{2}}_{12}(st_{1},c^{*}_{1},k^{*}_{1})$ 1. $(k^{*}_{2},c^{*}_{2})\xleftarrow{\$}\mathsf{kem.Enc}(p_{k})$

2: $c^{*}\leftarrow(c^{*}_{1},c^{*}_{2})$

3. $y^{*}_{1}\leftarrow F_{1}(k^{*}_{1},c^{*}_{2})$

4: $k^{*}\leftarrow y^{*}_{1}\oplus F_{2}(k^{*}_{2},c^{*}_{1})$

5: $b^{\prime}\xleftarrow{\$}D^{O_{2}}_{2}(st_{1},c^{*},k^{*})$

6: Return $b^{\prime}$

Oracle $\mathsf{Comb.Enc}(r_{A},pk)$ 1: $(k_{11},c_{11})\xleftarrow{\$}\mathsf{ikem.Enc}(r_{A})$

2: $(k_{21},c_{21})\xleftarrow{\$}\mathsf{kem.Enc}(p_{k})$

3: $k\leftarrow F_{1}(k_{11},c_{21})\oplus F_{2}(k_{21},c_{11})$

4: Return $(k,c_{11},c_{21})$

Oracle $\mathsf{Comb.Dec}(r_{B},sk,c)$ 1: If $c=c^{*}$ : Abort

2: $c_{1},c_{2}\leftarrow c$

3: If $c_{1}=c^{*}_{1}$ :

4: $k_{1}\leftarrow k^{*}_{1}$

5: else

6: $k_{1}\xleftarrow{\$}\mathsf{ikem.Dec}(r_{B},c_{1})$

7: If $k_{1}=\perp$ : Return $\epsilon$

8: $y_{1}\leftarrow F_{1}(k_{1},c_{2})$

9: $k_{2}\leftarrow\mathsf{kem.Dec}(s_{k},c_{2})$

10: If $k_{2}=\perp$ : Return $\epsilon$

11: $k\leftarrow y_{1}\oplus F_{2}(k_{2},c_{1})$

12: Return $k$

Figure 9: Adversary

U_{1}=(U_{11},U_{12})

is in CCA key indistinguishing game of iKEM

\mathsf{ikem}

, and

D^{\prime}=(D_{1},D_{2})

is the adversary in CCA key indistinguishing game of the combiner

In this construction, $U_{1}$ issues at most as many queries as $D^{\prime}$ . Now if $U_{1}$ is run by the game $\mathrm{pKIND}^{(q_{e};q_{d})\text{-}cca\text{-}0}_{\mathsf{ikem},U_{1}}$ , and thus, $k^{*}_{1}$ is the actual key output of $\mathsf{ikem.Enc}()$ , then $U_{1}$ simulates the game $\mathrm{G}^{0\text{-}0}_{Comb,D^{\prime}}$ . On the other hand, if $U_{1}$ is run by the game $\mathrm{pKIND}^{(q_{e};q_{d})\text{-}cca\text{-}1}_{\mathsf{ikem},U_{1}}$ , that is, $k^{*}_{1}$ is uniformly sampled, then $U_{1}$ perfectly simulates the game $\mathrm{G}^{1\text{-}0}_{Comb,D^{\prime}}$ . Therefore, $\mathrm{Pr}[\mathrm{G}^{0\text{-}0}_{Comb,D^{\prime}}(\lambda)=1]=\mathrm{Pr}[\mathrm{pKIND}^{(q_{e};q_{d})\text{-}cca\text{-}0}_{\mathsf{ikem},U_{1}}(\lambda)=1]$ and $\mathrm{Pr}[\mathrm{G}^{1\text{-}0}_{Comb,D^{\prime}}(\lambda)=1]=\mathrm{Pr}[\mathrm{pKIND}^{(q_{e};q_{d})\text{-}cca\text{-}1}_{\mathsf{ikem},U_{1}}(\lambda)=1]$ .

Hence,

	$\displaystyle\|\mathrm{Pr}[\mathrm{G}^{0\text{-}0}_{Comb,D^{\prime}}(\lambda)=1]-\mathrm{Pr}[\mathrm{G}^{1\text{-}0}_{Comb,D^{\prime}}(\lambda)=1]\|$
	$\displaystyle=\|\mathrm{Pr}[\mathrm{pKIND}^{(q_{e};q_{d})\text{-}cca\text{-}0}_{\mathsf{ikem},U_{1}}(\lambda)=1]-\mathrm{Pr}[\mathrm{pKIND}^{(q_{e};q_{d})\text{-}cca\text{-}1}_{\mathsf{ikem},U_{1}}(\lambda)=1]\|$
	$\displaystyle\leq Adv^{pkind\text{-}(q_{e};q_{d})\text{-}cca}_{\mathsf{ikem},U_{1}}.$

∎

In $\mathrm{G}^{2\text{-}b}_{Comb,D^{\prime}}$ , the output of PRF $F_{1}$ is replaced by a uniform sample from the output set of the PRF (line 8). This change is also applied to the decapsulation oracle (line 6).

Claim 2.

There exists a computationally unbounded adversary $U_{2}$ whose advantage, after making at most $q_{d}+1$ $Eval$ queries, in distinguishing the output of PRF $F_{1}$ from a uniform sample is $Adv^{(q_{d}+1)\text{-}PRF}_{F_{1},U_{2}}$ such that

|\mathrm{Pr}[\mathrm{G}^{1\text{-}0}_{Comb,D^{\prime}}(\lambda)=1]-\mathrm{Pr}[\mathrm{G}^{2\text{-}0}_{Comb,D^{\prime}}(\lambda)=1]|\leq Adv^{(q_{d}+1)\text{-}PRF}_{F_{1},U_{2}}.

(43)

Proof.

(claim 2) We construct the adversary $U_{2}$ as given in figure 10. From line 1 and 2 of the decapsulation oracle, we ensure that the input to $Eval$ is always different.

Adversary $U_{2}^{Eval}$ 1: $Ret[.]\leftarrow\perp$

2: $(r_{A},r_{B},r_{E})\xleftarrow{\$}\mathsf{ikem.Gen}(P_{\mathbf{X}\mathbf{Y}\mathbf{Z}})$

3: $(s_{k},p_{k})\xleftarrow{\$}\mathsf{kem.Gen}()$

4: $st_{1}\xleftarrow{\$}D^{O_{1}}_{1}(r_{E},p_{k})$

5: $(k^{*}_{1},c^{*}_{1})\xleftarrow{\$}\mathsf{ikem.Enc}(r_{A})$

6: $(k^{*}_{2},c^{*}_{2})\xleftarrow{\$}\mathsf{kem.Enc}(p_{k})$

7: $c^{*}\leftarrow(c^{*}_{1},c^{*}_{2})$

8: $y^{*}_{1}\leftarrow Eval(c^{*}_{2})$

9: $k^{*}\leftarrow y^{*}_{1}\oplus F_{2}(k^{*}_{2},c^{*}_{1})$

11: $b^{\prime}\xleftarrow{\$}D^{O_{2}}_{2}(st_{1},c^{*},k^{*})$

12: Return $b^{\prime}$

Oracle $\mathsf{Comb.Enc}(r_{A},pk)$ 1: $(k_{11},c_{11})\xleftarrow{\$}\mathsf{ikem.Enc}(r_{A})$

2: $(k_{21},c_{21})\xleftarrow{\$}\mathsf{kem.Enc}(p_{k})$

3: $k\leftarrow F_{1}(k_{11},c_{21})\oplus F_{2}(k_{21},c_{11})$

4: Return $(k,c_{11},c_{21})$

Oracle $\mathsf{Comb.Dec}(r_{B},sk,c)$ 1: If $c=c^{*}$ : Abort

2: If $Ret[c]\neq\perp:$ Return $Ret[c]$

3: $c_{1},c_{2}\leftarrow c$

4: If $c_{1}=c^{*}_{1}$ :

5: $y_{1}\leftarrow Eval(c_{2})$

:: else

6: $k_{1}\xleftarrow{\$}\mathsf{ikem.Dec}(r_{B},c_{1})$

7: If $k_{1}=\perp$ : Return $\epsilon$

8: $y_{1}\leftarrow F_{1}(k_{1},c_{2})$

9: $k_{2}\leftarrow\mathsf{kem.Dec}(s_{k},c_{2})$

10: If $k_{2}=\perp$ : Return $\epsilon$

11: $Ret[c]\leftarrow y_{1}\oplus F_{2}(k_{2},c_{1})$

12: Return $Ret[c]$

Figure 10: Adversary

U_{2}

against distinguishing output of the PRF

F_{1}

from a uniform sample. Adversary

D^{\prime}=(D_{1},D_{2})

is the adversary in CCA key indistinguishing game of the combiner.

From the construction of the adversary $U_{2}$ , we observe that $Eval$ is called only once by $U_{2}$ during generation of the challenge. In addition, for each query to the decapsulation oracle by $D^{\prime}$ , $Eval$ is called at most once by $U_{2}$ . Hence, $U_{2}$ queries $Eval$ at most $(q_{d}+1)$ times. Now when $U_{2}$ is run by the game $\mathrm{PRI}^{(q_{d}+1)\text{-}IND\text{-}0}_{F_{1},U_{2}}$ , $k^{*}_{1}$ is the key generated by the game $\mathrm{PRI}^{(q_{d}+1)\text{-}IND\text{-}0}_{F_{1},U_{2}}$ . Thus, $U_{2}$ emulates the game $\mathrm{G}^{1\text{-}0}_{Comb,D^{\prime}}$ . On the other hand, when $U_{2}$ is run by the game $\mathrm{PRI}^{(q_{d}+1)\text{-}IND\text{-}1}_{F_{1},U_{2}}$ , $Eval$ outputs uniformly sampled value, that is, $y^{*}_{1}$ in line 8 of $U_{2}^{Eval}$ algorithm (and line 5 of decapsulation Oracle queries) is uniformly generated. Hence $U_{2}$ perfectly simulates the game $\mathrm{G}^{2\text{-}0}_{Comb,D^{\prime}}$ . Therefore,

\mathrm{Pr}[\mathrm{G}^{1\text{-}0}_{Comb,D^{\prime}}(\lambda)=1]=\mathrm{Pr}[\mathrm{PRI}^{(q_{d}+1)\text{-}IND\text{-}0}_{F_{1},U_{2}}(\lambda)=1]

and

\mathrm{Pr}[\mathrm{G}^{2\text{-}0}_{Comb,D^{\prime}}(\lambda)=1]=\mathrm{Pr}[\mathrm{PRI}^{(q_{d}+1)\text{-}IND\text{-}1}_{F_{1},U_{2}}(\lambda)=1].

Thus,

	$\displaystyle\|\mathrm{Pr}[\mathrm{G}^{1\text{-}0}_{Comb,D^{\prime}}(\lambda)=1]-\mathrm{Pr}[\mathrm{G}^{2\text{-}0}_{Comb,D^{\prime}}(\lambda)=1]\|$
	$\displaystyle=\|\mathrm{Pr}[\mathrm{PRI}^{(q_{d}+1)\text{-}IND\text{-}0}_{F_{1},U_{2}}(\lambda)=1]-\mathrm{Pr}[\mathrm{PRI}^{(q_{d}+1)\text{-}IND\text{-}1}_{F_{1},U_{2}}(\lambda)=1]\|$
	$\displaystyle\leq Adv^{(q_{d}+1)\text{-}PRF}_{F_{1},U_{2}}.$

∎

In $\mathrm{G}^{3\text{-}b}_{Comb,D^{\prime}}$ , we reverse the modifications of the decapsulation oracle that we introduced in game $\mathrm{G}^{2\text{-}0}_{Comb,D^{\prime}}$ . Consequently, if an adversary queries its decapsulation oracle on a ciphertext $c$ whose first component is $c_{1}$ , the oracle computes $y_{1}$ by invoking the function $F_{1}$ instead of returning a uniformly random value. Then, there exists an adversary $U^{\prime}_{2}$ whose advantage in distinguishing the output of PRF $F_{1}$ from a uniform sample is $Adv^{q_{d}\text{-}PRF}_{F_{1},U^{\prime}_{2}}$ such that,

\displaystyle|\mathrm{Pr}[\mathrm{G}^{2\text{-}0}_{Comb,D^{\prime}}(\lambda)=1]-\mathrm{Pr}[\mathrm{G}^{3\text{-}0}_{Comb,D^{\prime}}(\lambda)=1]|\leq Adv^{q_{d}\text{-}PRF}_{F_{1},U^{\prime}_{2}},

(44)

and $U^{\prime}_{2}$ issues at most $q_{d}$ $Eval$ queries. We can construct such adversary $U^{\prime}_{2}$ by replacing line 8 of the adversary $U_{2}$ in figure 10 with uniform value ( $y^{*}_{1}\leftarrow\mathcal{K}$ ). The proof is same as claim 2. In this case, as $y^{*}_{1}$ is uniform, $U^{\prime}_{2}$ calls $Eval$ at most $q_{d}$ times.

In $\mathrm{G}^{4\text{-}b}_{Comb,D^{\prime}}$ , we reverse the modifications added in the game $\mathrm{G}^{1\text{-}b}_{Comb,D^{\prime}}$ by replacing the uniform key $k^{*}_{1}$ in line 5 of the game in figure 8 with an actual key output of $\mathsf{ikem.Enc}()$ . Then, there exists a computationally unbounded adversary $U^{\prime}_{1}$ whose advantage in the CCA distinguishing game of iKEM $\mathsf{ikem}$ with $q_{e}$ encapsulation and $q_{d}$ decapsulation queries is $Adv^{pkind\text{-}(q_{e};q_{d})\text{-}cca}_{\mathsf{ikem},U^{\prime}_{1}}$ such that

\displaystyle|\mathrm{Pr}[\mathrm{G}^{3\text{-}0}_{Comb,D^{\prime}}(\lambda)=1]-\mathrm{Pr}[\mathrm{G}^{4\text{-}0}_{Comb,D^{\prime}}(\lambda)=1]|\leq Adv^{pkind\text{-}(q_{e};q_{d})\text{-}cca}_{\mathsf{ikem},U^{\prime}_{1}}

(45)

To construct such adversary $U^{\prime}_{1}$ , we replace line 3 of $U^{O_{2}}_{12}(st_{1},c^{*}_{1},k^{*}_{1})$ algorithm of the adversary $U_{1}$ in figure 9 with $(y^{*}_{1}\xleftarrow{\$}\mathcal{K})$ . The proof is similar to claim 1.

Finally, we note that since in $\mathrm{G}^{4\text{-}b}_{Comb,D^{\prime}}$ , $y^{*}_{1}$ is sampled from uniform distribution, then $k^{*}$ is uniformly distributed and

\mathrm{Pr}[\mathrm{pKIND}^{(q_{e};q_{d})\text{-}cca\text{-}1}_{Comb,D^{\prime}}(\lambda)=1]=\mathrm{Pr}[\mathrm{G}^{4\text{-}0}_{Comb,D^{\prime}}(\lambda)=1]

(46)

Now using triangular inequality on inequalities 41 to 46, we have

	$\displaystyle Adv^{pkind\text{-}(q_{e};q_{d})\text{-}cca}_{Comb^{PtX}_{\mathsf{ikem},\mathsf{kem}},D^{\prime}}(\lambda)$		$\displaystyle=\|\mathrm{Pr}[\mathrm{pKIND}^{(q_{e};q_{d})\text{-}cca\text{-}0}_{Comb,D^{\prime}}(\lambda)=1]-\mathrm{Pr}[\mathrm{pKIND}^{(q_{e};q_{d})\text{-}cca\text{-}1}_{Comb,D^{\prime}}(\lambda)=1]\|$
			$\displaystyle\leq 2(Adv^{pkind\text{-}(q_{e};q_{d})\text{-}cca}_{\mathsf{ikem},U_{1}}(\lambda)+Adv^{(q_{d}+1)\text{-}PRF}_{F_{1},U_{2}}(\lambda)).$

∎

Appendix E Proof of Theorem 3

We need to prove that the construction 1 satisfies definition 5 for chosen encapsulation attack (CEA) security. In response to an encapsulation query, the oracle returns a key $k$ and a ciphertext $c$ to the adversary. Let, after $q_{e}$ queries, the adversary’s received responses be the vector ${\mathbf{w}}^{q_{e}\text{-}cea}=(w_{1}^{cea},\cdots,w_{q_{e}}^{cea})$ , where $w_{i}^{cea}=(k_{i},c_{i}),\forall i\in\{1,\cdots,q_{e}\}$ . The remaining entropy about $\mathbf{X}$ that can be used to extract the secret key is $\tilde{H}_{\infty}(\mathbf{X}|\mathbf{Z},{\mathbf{W}}^{q_{e}\text{-}cea}={\mathbf{w}}^{q_{e}\text{-}cea})$ , where $\mathbf{Z}$ corresponds to $\mathbf{z}$ , the attacker’s initial information. Now the $i$ -th query’s response to the adversary is $w_{i}^{cea}=(k_{i},c_{i})$ , where $c_{i}=\big{(}h(\mathbf{x},s),s^{\prime}_{i}\big{)}$ and $k_{i}=h^{\prime}(\mathbf{x},s^{\prime}_{i})$ . For the $i$ -th response, the RVs $K_{i}$ and $C_{i}$ are distributed over $\{0,1\}^{\ell}$ and $\{0,1\}^{t}$ respectively. Now using [21, Lemma 2.2(b)], for RVs $K_{i}$ and $C_{i}$ , we have $\tilde{H}_{\infty}(\mathbf{X}|\mathbf{Z},\mathbf{W}^{cea}_{i})=\tilde{H}_{\infty}(\mathbf{X}|\mathbf{Z},K_{i},C_{i})\geq\tilde{H}_{\infty}(\mathbf{X}|\mathbf{Z})-\ell-t$ . Since $h(\mathbf{x},s)$ remains the same in all $q_{e}$ responses and the challenge, after $q_{e}$ encapsulation queries, from [21, Lemma 2.2(b)], we have

	$\displaystyle\tilde{H}_{\infty}(\mathbf{X}\|\mathbf{Z},\mathbf{W}^{q_{e}\text{-}cea})$	$\displaystyle=\tilde{H}_{\infty}\left(\mathbf{X}\|\mathbf{Z},(\mathbf{W}^{cea}_{1},\cdots,\mathbf{W}^{cea}_{q_{e}})\right)$
		$\displaystyle\geq\tilde{H}_{\infty}(\mathbf{X}\|\mathbf{Z})-t-q_{e}\cdot\ell$		(47)

Now since $\tilde{H}_{\infty}(\mathbf{X}|Z^{*},h\left(\mathbf{X},(S^{\prime},S)\right))\geq\tilde{H}_{\infty}(\mathbf{X}|Z^{*})-t$ , from Lemma 1, we have

	$\displaystyle\Delta\Big{(}h^{\prime}(\mathbf{X},S^{\prime}),h\left(\mathbf{X},(S^{\prime},S)\right),S^{\prime},S,Z^{};U_{\ell},h\left(\mathbf{X},(S^{\prime},S)\right),S^{\prime},S,Z^{}\Big{)}$
	$\displaystyle\leq\frac{1}{2}\sqrt{2^{-\tilde{H}_{\infty}(\mathbf{X}\|Z^{},h\left(\mathbf{X},(S^{\prime},S)\right))}\cdot 2^{\ell}}\leq\frac{1}{2}\sqrt{2^{-\tilde{H}_{\infty}(\mathbf{X}\|Z^{})}\cdot 2^{\ell+t}}.$		(48)

Therefore, from equation E and noting that $h(\mathbf{x},s)$ remains the same in all $q_{e}$ responses and the challenge, putting $Z^{*}=(\mathbf{Z},\mathbf{W}^{q_{e}\text{-}cea})$ in inequality 48, we have

		$\displaystyle\Delta\Big{(}h^{\prime}(\mathbf{X},S^{\prime}),h(\mathbf{X},S),S^{\prime},S,\mathbf{Z},\mathbf{W}^{q_{e}\text{-}cea};U_{\ell},h(\mathbf{X},S),S^{\prime},S,\mathbf{Z},\mathbf{W}^{q_{e}\text{-}cea}\Big{)}$
		$\displaystyle\leq\frac{1}{2}\sqrt{2^{(q_{e}+1)\ell+t-\tilde{H}_{\infty}(\mathbf{X}\|\mathbf{Z})}}$
		$\displaystyle=\frac{1}{2}\sqrt{2^{(q_{e}+1)\ell+t-n\tilde{H}_{\infty}(X\|Z)}}$		(49)
		$\displaystyle\leq\sigma$		(50)

In above, step 49 uses $\tilde{H}_{\infty}({\mathbf{X}}|{\mathbf{Z}})=n\tilde{H}_{\infty}(X|Z)$ in Lemma 2, and the last step 50 holds if $\ell\leq\frac{n\tilde{H}_{\infty}(X|Z)+2\log(\sigma)+2-t}{q_{e}+1}$ . To complete the proof, we use [32, Lemma 1] and [68, Proposition 5.9] , that relates the statistical distance to $Adv^{pkind\text{-}cea}_{\mathsf{pkem},\mathsf{D}}(\lambda)$ , concluding that the extracted key is $2\sigma$ -indistinguishable from random, and we have $2\sigma$ -IND- $q_{e}$ -CEA security. ∎

Appendix F Proof of Theorem 4

Correctness (reliability). We first determine the value of $\nu$ and $t$ , and then compute the extracted secret key length $\ell$ . In the decapsulation algorithm $\mathsf{ikem.Dec}(\cdot)$ , Bob searches the set $\mathcal{R}$ for $\hat{\mathbf{x}}$ whose hash value matches with the received hash value $v$ and checks whether a unique such $\hat{\mathbf{x}}$ is found. It declares success if a unique $\hat{\mathbf{x}}$ is found in the set $\mathcal{R}$ with such required property. Therefore, the algorithm fails if one of these two events occurs: $(i)$ there is no element $\mathbf{x}$ in the set $\mathcal{R}$ such that its hash value matches with the received hash value i.e. $\mathbf{x}$ is not in the set $R$ , $(ii)$ there are more than one element in the set $R$ , whose hash values are equal to the received hash value $v$ . Hence, the probability that Bob fails to recover the correct key is upper bounded by the sum of the probabilities of these two events. These two cases corresponds to the events:

	$\displaystyle\mathcal{E}_{1}=\{\mathbf{x}:\mathbf{x}\notin\mathcal{R}\}=\{\mathbf{x}:-\log(P_{\mathbf{X}\|\mathbf{Y}}(\mathbf{x}\|\mathbf{y}))>\nu\}\text{ and }$
	$\displaystyle\mathcal{E}_{2}=\{\mathbf{x}\in\mathcal{R}:\exists\text{ }\hat{\mathbf{x}}\in\mathcal{R}\text{ s.t. }h(\mathbf{x},(s^{\prime},s))=h(\hat{\mathbf{x}},(s^{\prime},s)\}.$

For any $\epsilon>0$ , choose $\epsilon_{1}>0$ and $\epsilon_{2}>0$ such that $\epsilon_{1}+\epsilon_{2}\leq\epsilon$ . Let $\epsilon_{1}=2^{\frac{-n{\delta_{1}}^{2}}{2\log^{2}(|\mathcal{X}|+3)}}$ and $\nu=H(\mathbf{X}|\mathbf{Y})+n\delta_{1}$ . Now, $\mathsf{Pr}(\mathcal{E}_{1})={\mathsf{Pr}}\Big{(}-\log(P_{\mathbf{X}|\mathbf{Y}}(\mathbf{x}|\mathbf{y}))>H(\mathbf{X}|\mathbf{Y})+n\delta_{1}\Big{)}\leq\epsilon_{1}$ (from [62], Theorem 2). To bound $\mathsf{Pr}(\mathcal{E}_{2})$ , note that since $h$ is a universal hash family with input space $\mathcal{X}^{n}$ and seed space $(\mathcal{S^{\prime}}\times\mathcal{S})$ , for any $\mathbf{x},\hat{\mathbf{x}}\in\mathcal{R}$ , $\mathbf{x}\neq\hat{\mathbf{x}}$ , $s^{\prime}\in\mathcal{S^{\prime}}$ and randomly chosen $s\in\mathcal{S}$ , we have $\mathsf{Pr}\left(h(\mathbf{x},(s^{\prime},s))=h(\hat{\mathbf{x}},(s^{\prime},s))\right)\leq 2^{-t}$ , where probability is over the random choices $(s^{\prime},s)$ from $(\mathcal{S^{\prime}}\times\mathcal{S})$ . Thus, $\mathsf{Pr}(\mathcal{E}_{2})\leq|\mathcal{R}|\cdot 2^{-t}$ . Equation 4 implies that the probability of each element of $\mathcal{R}$ is lower bounded by $2^{-\nu}$ . Therefore, using equation 4 and noting that the sum of probability of elements of $\mathcal{R}$ is less than or equal to 1, we have $\frac{|\mathcal{R}|}{2^{\nu}}\leq\mathsf{Pr}(\mathcal{R})\leq 1\Rightarrow|\mathcal{R}|\leq 2^{\nu}$ . Thus, $\mathsf{Pr}(\mathcal{E}_{2})\leq|\mathcal{R}|\cdot 2^{-t}\leq 2^{\nu-t}.$ Let $t=\nu-\log(\epsilon_{2})$ , then we have $\mathsf{Pr}(\mathcal{E}_{2})\leq\epsilon_{2}$ . Therefore, for $t=H(\mathbf{X}|\mathbf{Y})+n\delta_{1}-\log(\epsilon_{2})$ , the probability that Bob fails to recover the correct key is less than or equal to $\mathsf{Pr}(\mathcal{E}_{1})+\mathsf{Pr}(\mathcal{E}_{2})\leq\epsilon_{1}+\epsilon_{2}=\epsilon$ . Moreover, since $\mathbf{X},\mathbf{Y}$ are generated due to $n$ independent and identical experiments $P_{X_{i}Y_{i}Z_{i}}=P_{XYZ}$ for all $i\in\{1,\cdots,n\}$ , we have $H(\mathbf{X}|\mathbf{Y})=nH(X|Y)$ . Finally, by choosing $\epsilon_{1}=(\sqrt{n}-1)\epsilon/\sqrt{n}$ and $\epsilon_{2}=\epsilon/\sqrt{n}$ , we conclude that if $\nu=nH(X|Y)+\sqrt{n}\log(|\mathcal{X}|+3)\sqrt{\log(\frac{\sqrt{n}}{(\sqrt{n}-1)\epsilon})}$ and
$t\geq nH(X|Y)+\sqrt{n}\log(|\mathcal{X}|+3)\sqrt{\log(\frac{\sqrt{n}}{(\sqrt{n}-1)\epsilon})}+\log(\frac{\sqrt{n}}{\epsilon})$ , then $\mathsf{Pr}(\mathcal{E}_{1})+\mathsf{Pr}(\mathcal{E}_{2})\leq\epsilon$ . Thus, the construction 2 is $\epsilon$ -correct, and the reliability condition is satisfied.

Security. To prove chosen encapsulation attack (CEA) security, we need to prove that the construction 2 satisfies definition 5. In response to an encapsulation query, the encapsulation oracle returns a pair of key and ciphertext $(k,c)$ to the adversary. Let the adversary’s received responses to its $q_{e}$ encapsulation queries be the vector ${\mathbf{w}}^{q_{e}\text{-}cea}=(w_{1}^{cea},\cdots,w_{q_{e}}^{cea})$ , where $w_{i}^{cea}=(k_{i},c_{i}),\forall i\in\{1,\cdots,q_{e}\}$ . The remaining entropy about $\mathbf{X}$ is $\tilde{H}_{\infty}(\mathbf{X}|\mathbf{Z},{\mathbf{W}}^{q_{e}\text{-}cea}={\mathbf{w}}^{q_{e}\text{-}cea})$ , where $\mathbf{Z}$ corresponds to $\mathbf{z}$ , the attacker’s initial information. This remaining entropy about $\mathbf{X}$ is used to extract the key. Now consider the $i$ -th query’s response $w_{i}^{cea}=(k_{i},c_{i})$ , where $c_{i}=\Big{(}h\big{(}\mathbf{x},(s^{\prime}_{i},s_{i})\big{)},s^{\prime}_{i},s_{i}\Big{)}$ and $k_{i}=h^{\prime}(\mathbf{x},s^{\prime}_{i})$ . For the $i$ -th response, the RVs $K_{i}$ and $C_{i}$ are distributed over $\{0,1\}^{\ell}$ and $\{0,1\}^{t}$ respectively. Using [21, Lemma 2.2(b)], for RVs $K_{i}$ and $C_{i}$ and noting that $s^{\prime}_{i},s_{i}$ are randomly chosen and independent of RV $\mathbf{X}$ , we have $\tilde{H}_{\infty}(\mathbf{X}|\mathbf{Z},\mathbf{W}^{cea}_{i})=\tilde{H}_{\infty}(\mathbf{X}|\mathbf{Z},K_{i},C_{i})=\tilde{H}_{\infty}\big{(}\mathbf{X}|\mathbf{Z},K_{i},h\big{(}\mathbf{X},(S^{\prime}_{i},S_{i})\big{)}\big{)}\geq\tilde{H}_{\infty}(\mathbf{X}|\mathbf{Z})-\ell-t$ . Therefore, after $q_{e}$ encapsulation queries, from [21, Lemma 2.2(b)], we have

	$\displaystyle\tilde{H}_{\infty}(\mathbf{X}\|\mathbf{Z},\mathbf{W}^{q_{e}\text{-}cea})$	$\displaystyle=\tilde{H}_{\infty}\left(\mathbf{X}\|\mathbf{Z},(\mathbf{W}^{cea}_{1},\cdots,\mathbf{W}^{cea}_{q_{e}})\right)$
		$\displaystyle\geq\tilde{H}_{\infty}(\mathbf{X}\|\mathbf{Z})-q_{e}(t+\ell)$		(51)

Now since $\tilde{H}_{\infty}(\mathbf{X}|Z^{*},h\left(\mathbf{X},(S^{\prime},S)\right))\geq\tilde{H}_{\infty}(\mathbf{X}|Z^{*})-t$ , from Lemma 1, we have

	$\displaystyle\Delta\Big{(}h^{\prime}(\mathbf{X},S^{\prime}),h\left(\mathbf{X},(S^{\prime},S)\right),S^{\prime},S,Z^{};U_{\ell},h\left(\mathbf{X},(S^{\prime},S)\right),S^{\prime},S,Z^{}\Big{)}$
	$\displaystyle\leq\frac{1}{2}\sqrt{2^{-\tilde{H}_{\infty}(\mathbf{X}\|Z^{},h\left(\mathbf{X},(S^{\prime},S)\right))}\cdot 2^{\ell}}\leq\frac{1}{2}\sqrt{2^{-\tilde{H}_{\infty}(\mathbf{X}\|Z^{})}\cdot 2^{\ell+t}}.$		(52)

Therefore, from inequality F and putting $Z^{*}=(\mathbf{Z},\mathbf{W}^{q_{e}\text{-}cea})$ in inequality 52, we have

		$\displaystyle\Delta\Big{(}h^{\prime}(\mathbf{X},S^{\prime}),h\left(\mathbf{X},(S^{\prime},S)\right),S^{\prime},S,\mathbf{Z},\mathbf{W}^{q_{e}\text{-}cea};U_{\ell},h\left(\mathbf{X},(S^{\prime},S)\right),S^{\prime},S,\mathbf{Z},\mathbf{W}^{q_{e}\text{-}cea}\Big{)}$
		$\displaystyle\leq\frac{1}{2}\sqrt{2^{-\left(\tilde{H}_{\infty}(\mathbf{X}\|\mathbf{Z})-q_{e}(t+\ell)\right)}\cdot 2^{\ell+t}}$
		$\displaystyle=\frac{1}{2}\sqrt{2^{(q_{e}+1)(t+\ell)-\tilde{H}_{\infty}(\mathbf{X}\|\mathbf{Z})}}$
		$\displaystyle=\frac{1}{2}\sqrt{2^{(q_{e}+1)(t+\ell)-n\tilde{H}_{\infty}(X\|Z)}}$		(53)
		$\displaystyle\leq\sigma$		(54)

The equality 53 follows from Lemma 2 that proves $\tilde{H}_{\infty}({\mathbf{X}}|{\mathbf{Z}})=n\tilde{H}_{\infty}(X|Z)$ . The inequality 54 holds if
$\ell\leq\frac{n\tilde{H}_{\infty}(X|Z)+2\log(\sigma)+2}{q_{e}+1}-t$ . To complete the proof, we use [32, Lemma 1] and [68, Proposition 5.9] , that relates the statistical distance to $Adv^{pkind\text{-}cea}_{\mathsf{pkem},\mathsf{D}}(\lambda)$ , concluding that the extracted key is $2\sigma$ -indistinguishable from random, and we have $2\sigma$ -IND- $q_{e}$ -CEA security. ∎

Appendix G Proof of Lemma 3.

Proof.

We show that $h$ satisfies Definition 1. Let $\mathbf{x}$ and $\mathbf{y}$ be such that $\mathbf{x}\neq\mathbf{y}$ . We need to show that
$\Pr[h(\mathbf{x},(S^{\prime},S))=h(\mathbf{y},(S^{\prime},S))]\leq\frac{1}{2^{t}}$ , where the probability is over the uniformly random choices of $(\mathcal{S^{\prime}}\times\mathcal{S})$ , $\mathcal{S^{\prime}}=GF(2^{w})$ and $\mathcal{S}=GF(2^{n-t})\times GF(2^{t})$ . Note that $s=(s_{2},s_{1})$ with $s_{2}\in GF(2^{n-t})$ and $s_{1}\in GF(2^{t})$ .

Since $\mathbf{x}\neq\mathbf{y}$ , we have $(\mathbf{x}_{2}\parallel\mathbf{x}_{1})\neq(\mathbf{y}_{2}\parallel\mathbf{y}_{1})$ .

Case 1. Let $\mathbf{x}_{1}\neq\mathbf{y}_{1}$ . For fixed values of $s^{\prime}=(s^{\prime}_{1},\cdots,s^{\prime}_{r})\in(GF(2^{n-t}))^{r}$ and $s_{2}\in GF(2^{n-t})$ , there is a unique value of $s_{1}$ for which we have,

		$\displaystyle\big{[}(\mathbf{x}_{2})^{r+3}+{\sum}_{i=1}^{r}s^{\prime}_{i}(\mathbf{x}_{2})^{i+1}+s_{2}\mathbf{x}_{2}\big{]}_{1\cdots t}+(\mathbf{x}_{1})^{3}+s_{1}\mathbf{x}_{1}=\big{[}(\mathbf{y}_{2})^{r+3}+{\sum}_{i=1}^{r}s^{\prime}_{i}(\mathbf{y}_{2})^{i+1}+s_{2}\mathbf{y}_{2}\big{]}_{1\cdots t}+(\mathbf{y}_{1})^{3}+s_{1}\mathbf{y}_{1}$
		$\displaystyle\Leftrightarrow s_{1}(\mathbf{x}_{1}-\mathbf{y}_{1})=\big{[}(\mathbf{y}_{2})^{r+3}+{\sum}_{i=1}^{r}s^{\prime}_{i}(\mathbf{y}_{2})^{i+1}+s_{2}\mathbf{y}_{2}\big{]}_{1\cdots t}+(\mathbf{y}_{1})^{3}-\big{[}(\mathbf{x}_{2})^{r+3}+{\sum}_{i=1}^{r}s^{\prime}_{i}(\mathbf{x}_{2})^{i+1}+s_{2}\mathbf{x}_{2}\big{]}_{1\cdots t}-(\mathbf{x}_{1})^{3}$		(55)

Therefore, for a random choice of $(s^{\prime},s)$ , we have that $\Pr[h(\mathbf{x},(S^{\prime},S))=h(\mathbf{y},(S^{\prime},S))]$ is given by $\frac{1}{2^{t}}$ .

Case 2. Let $\mathbf{x}_{2}\neq\mathbf{y}_{2}$ .

For fixed values of $s^{\prime}=(s^{\prime}_{1},\cdots,s^{\prime}_{r})\in(GF(2^{n-t}))^{r}$ and $s_{1}\in GF(2^{t})$ , there is a unique value of $\big{[}s_{2}(\mathbf{x}_{2}-\mathbf{y}_{2})\big{]}_{1\cdots t}$ for which we have,

		$\displaystyle\big{[}(\mathbf{x}_{2})^{r+3}+{\sum}_{i=1}^{r}s^{\prime}_{i}(\mathbf{x}_{2})^{i+1}+s_{2}\mathbf{x}_{2}\big{]}_{1\cdots t}+(\mathbf{x}_{1})^{3}+s_{1}\mathbf{x}_{1}=\big{[}(\mathbf{y}_{2})^{r+3}+{\sum}_{i=1}^{r}s^{\prime}_{i}(\mathbf{y}_{2})^{i+1}+s_{2}\mathbf{y}_{2}\big{]}_{1\cdots t}+(\mathbf{y}_{1})^{3}+s_{1}\mathbf{y}_{1}$
		$\displaystyle\Leftrightarrow\big{[}s_{2}(\mathbf{x}_{2}-\mathbf{y}_{2})\big{]}_{1\cdots t}=\big{[}(\mathbf{y}_{2})^{r+3}+{\sum}_{i=1}^{r}s^{\prime}_{i}(\mathbf{y}_{2})^{i+1}\big{]}_{1\cdots t}+(\mathbf{y}_{1})^{3}+s_{1}\mathbf{y}_{1}-$
		$\displaystyle\qquad\qquad\qquad\qquad\qquad\big{[}(\mathbf{x}_{2})^{r+3}+{\sum}_{i=1}^{r}s^{\prime}_{i}(\mathbf{x}_{2})^{i+1}\big{]}_{1\cdots t}-(\mathbf{x}_{1})^{3}-s_{1}\mathbf{x}_{1}$		(56)

For every $\big{[}s_{2}(\mathbf{x}_{2}-\mathbf{y}_{2})\big{]}_{1\cdots t}$ , there are $2^{n-2t}$ values of $s_{2}(\mathbf{x}_{2}-\mathbf{y}_{2})$ , where each, for fixed $(\mathbf{x}_{2}-\mathbf{y}_{2})$ , determines a single value for $s_{2}$ . Thus there are exactly $2^{n-2t}$ values of $s_{2}$ for which the above equation 56 holds true.

Thus, for a random choice of $(s^{\prime},s)$ the probability of collision in this case is, exactly $\frac{2^{n-2t}}{2^{n-t}}=\frac{1}{2^{t}}$ .

Therefore, $h$ is a universal hash family. ∎

Appendix H Bézout’s theorem [65, 66]

Bézout’s Theorem [65, 66]. In general, two algebraic curves of degree $m$ and $n$ can intersect in $m\cdot n$ points and cannot meet in more than $m\cdot n$ points unless they have a common factor (i.e. the two equations have a common factor).

Moreover, $N$ polynomial equations of degrees $n_{1},n_{2},\cdots,n_{N}$ in $N$ variables have in general $n_{1}n_{2}\cdots n_{N}$ common solutions.

Appendix I CEA secure iKEM protocol of Sharifian et al. [32]

Definition 9 (strongly universal hash family).

A family of hash functions $h:\mathcal{X}\times\mathcal{S}\rightarrow\mathcal{Y}$ is called a strongly universal hash family if for all $x\neq y$ , and any $a,b\in\mathcal{Y}$ , $\mathrm{Pr}[h(x,S)=a\wedge h(y,S)=b]=\frac{1}{|\mathcal{Y}|^{2}}$ , where the probability is over the uniform choices over $\mathcal{S}$ .

We briefly recall the construction of CEA secure iKEM protocol due to Sharifian et al. [32]. .

Construction 5.

The iKEM $iK_{OWSWA}$ ’s three algorithms $(Gen,Encap,Decap)$ are as follows: The protocol is designed for preprocessing model in which Alice, Bob and Eve have $n$ components of the source $(\mathbf{X},\mathbf{Y},\mathbf{Z})$ respectively according to a distribution $P_{\mathbf{X}\mathbf{Y}\mathbf{Z}}$ . The protocol uses two strongly universal hash families: $h:\mathcal{X}^{n}\times\mathcal{S}\to\{0,1\}^{t}$ and $h^{\prime}:\mathcal{X}^{n}\times\mathcal{S^{\prime}}\to\{0,1\}^{\ell}$ . $\mathcal{C}=\{0,1\}^{t}\times\mathcal{S^{\prime}}\times{S}$ and $\mathcal{K}=\{0,1\}^{\ell}$ denote the ciphertext space and key space respectively.

1.

$Gen(P_{\mathbf{X}\mathbf{Y}\mathbf{Z}})$ . A trusted sample samples the distribution $P_{\mathbf{X}\mathbf{Y}\mathbf{Z}}$ independently $n$ times and gives $\mathbf{x}$ , $\mathbf{y}$ and $\mathbf{z}$ privately to Alice, Bob and Eve respectively.
2.

$Encap(\mathbf{x})$ . The encapsulation algorithm takes Alice’s private input $\mathbf{x}$ , randomly sample the seeds $s^{\prime}\xleftarrow{\$}\mathcal{S^{\prime}}$ and $s\xleftarrow{\$}\mathcal{S}$ for two strongly universal hash families $h^{\prime}$ and $h$ respectively. It generates the key $k=h^{\prime}(\mathbf{x},s^{\prime})$ and the ciphertext $c=(h(\mathbf{x},s),s^{\prime},s)$ .
3.

$Decap(\mathbf{y},c)$ . The decapsulation algorithm takes Bob’s private key $\mathbf{y}$ and the ciphertext $c$ . It parses $c$ as $(g,s^{\prime},s)$ , where $g$ is a $t$ -bit string. It defines a set $\mathcal{T(\mathbf{X}|\mathbf{y})}=\{\mathbf{x}:-\log(P_{\mathbf{X}|\mathbf{Y}}(\mathbf{x}|\mathbf{y}))\leq\nu\}$ , and for each vector $\hat{\mathbf{x}}\in\mathcal{T(\mathbf{X}|\mathbf{y})}$ checks whether $g=h(\hat{\mathbf{x}},s)$ . The decapsulation algorithm outputs the key $h^{\prime}(\hat{\mathbf{x}},s^{\prime})$ if there is a unique $\hat{\mathbf{x}}$ that satisfies $g=h(\hat{\mathbf{x}},s)$ ; otherwise, it outputs $\perp$ .

	$\displaystyle\underset{a\leftarrow A}{\mathbb{E}}\max_{\mathbf{x}}\sum_{\mathbf{y}:P_{\mathbf{X}\|\mathbf{Y}}(\mathbf{x}\|\mathbf{y}))\geq 2^{-\nu}}\mathrm{Pr}[\mathbf{Y}=\mathbf{y}\|A=a]$
	$\displaystyle=\sum_{a}\mathrm{Pr}[A=a]\max_{\mathbf{x}}\sum_{\mathbf{y}:P_{\mathbf{X}\|\mathbf{Y}}(\mathbf{x}\|\mathbf{y}))\geq 2^{-\nu}}\mathrm{Pr}[\mathbf{Y}=\mathbf{y}\|A=a]$
	$\displaystyle=\sum_{a}\max_{\mathbf{x}}\sum_{\mathbf{y}:P_{\mathbf{X}\|\mathbf{Y}}(\mathbf{x}\|\mathbf{y}))\geq 2^{-\nu}}\mathrm{Pr}[\mathbf{Y}=\mathbf{y}\|A=a]\mathrm{Pr}[A=a]$
	$\displaystyle=\sum_{a}\max_{\mathbf{x}}\sum_{\mathbf{y}:P_{\mathbf{X}\|\mathbf{Y}}(\mathbf{x}\|\mathbf{y}))\geq 2^{-\nu}}\mathrm{Pr}[\mathbf{Y}=\mathbf{y},A=a]$
	$\displaystyle\leq\sum_{a}\max_{\mathbf{x}}\sum_{\mathbf{y}:P_{\mathbf{X}\|\mathbf{Y}}(\mathbf{x}\|\mathbf{y}))\geq 2^{-\nu}}\mathrm{Pr}[\mathbf{Y}=\mathbf{y}]$
	$\displaystyle\leq 2^{\alpha}\max_{\mathbf{x}}\sum_{\mathbf{y}:P_{\mathbf{X}\|\mathbf{Y}}(\mathbf{x}\|\mathbf{y}))\geq 2^{-\nu}}\mathrm{Pr}[\mathbf{Y}=\mathbf{y}]$

$\displaystyle Adv^{pkind\text{-}cca}_{\mathsf{pkem},\mathsf{D}}(\lambda)$	$\displaystyle=\|\mathrm{Pr}[\mathrm{pKIND}_{\mathsf{pkem},\mathsf{D}}^{cca\text{-}0}(\lambda)=1]-\mathrm{Pr}[\mathrm{pKIND}_{\mathsf{pkem},\mathsf{D}}^{cca\text{-}1}(\lambda)=1]\|$
	$\displaystyle=\|\mathrm{Pr}[\mathrm{G}^{0\textbf{-}0}_{\mathsf{pkem},\mathsf{D}}=1]-\mathrm{Pr}[\mathrm{G}^{0\textbf{-}1}_{\mathsf{pkem},\mathsf{D}}=1]\|$	(35)
	$\displaystyle=\|\mathrm{Pr}[\mathrm{G}^{0\textbf{-}0}_{\mathsf{pkem},\mathsf{D}}=1]-\mathrm{Pr}[\mathrm{G}^{1\textbf{-}0}_{\mathsf{pkem},\mathsf{D}}=1]+\mathrm{Pr}[\mathrm{G}^{1\textbf{-}0}_{\mathsf{pkem},\mathsf{D}}=1]$
	$\displaystyle\quad-\mathrm{Pr}[\mathrm{G}^{1\textbf{-}1}_{\mathsf{pkem},\mathsf{D}}=1]+\mathrm{Pr}[\mathrm{G}^{1\textbf{-}1}_{\mathsf{pkem},\mathsf{D}}=1]-\mathrm{Pr}[\mathrm{G}^{0\textbf{-}1}_{\mathsf{pkem},\mathsf{D}}=1]\|$
	$\displaystyle\leq\|\mathrm{Pr}[\mathrm{G}^{0\textbf{-}0}_{\mathsf{pkem},\mathsf{D}}=1]-\mathrm{Pr}[\mathrm{G}^{1\textbf{-}0}_{\mathsf{pkem},\mathsf{D}}=1]\|+\|\mathrm{Pr}[\mathrm{G}^{1\textbf{-}0}_{\mathsf{pkem},\mathsf{D}}=1]-\mathrm{Pr}[\mathrm{G}^{1\textbf{-}1}_{\mathsf{pkem},\mathsf{D}}=1]\|$
	$\displaystyle\quad+\|\mathrm{Pr}[\mathrm{G}^{1\textbf{-}1}_{\mathsf{pkem},\mathsf{D}}=1]-\mathrm{Pr}[\mathrm{G}^{0\textbf{-}1}_{\mathsf{pkem},\mathsf{D}}=1]\|$

	$\displaystyle Adv^{ind\text{-}cca}_{\mathsf{HE}_{\mathsf{ckem},\mathsf{SE}},D}(\lambda)$	$\displaystyle=2\|\mathrm{Pr}[T_{0}]-1/2\|$
		$\displaystyle=2\|\mathrm{Pr}[T_{0}]-\mathrm{Pr}[T_{1}]+\mathrm{Pr}[T_{1}]-\mathrm{Pr}[T_{2}]+\mathrm{Pr}[T_{2}]-1/2\|$
		$\displaystyle\leq 2\|\mathrm{Pr}[T_{0}]-\mathrm{Pr}[T_{1}]\|+2\|\mathrm{Pr}[T_{1}]-\mathrm{Pr}[T_{2}]\|+2\|\mathrm{Pr}[T_{2}]-1/2\|$
		$\displaystyle\leq 2\epsilon+2\sigma+\sigma^{\prime}.$

	$\displaystyle\tilde{H}_{\infty}(\mathbf{X}\|\mathbf{Z},\mathbf{W}^{q_{e}\text{-}cea})$	$\displaystyle=\tilde{H}_{\infty}\left(\mathbf{X}\|\mathbf{Z},(\mathbf{W}^{cea}_{1},\cdots,\mathbf{W}^{cea}_{q_{e}})\right)$
		$\displaystyle\geq\tilde{H}_{\infty}(\mathbf{X}\|\mathbf{Z})-t-q_{e}\cdot\ell$		(47)

	$\displaystyle\tilde{H}_{\infty}(\mathbf{X}\|\mathbf{Z},\mathbf{W}^{q_{e}\text{-}cea})$	$\displaystyle=\tilde{H}_{\infty}\left(\mathbf{X}\|\mathbf{Z},(\mathbf{W}^{cea}_{1},\cdots,\mathbf{W}^{cea}_{q_{e}})\right)$
		$\displaystyle\geq\tilde{H}_{\infty}(\mathbf{X}\|\mathbf{Z})-q_{e}(t+\ell)$		(51)

CCA-Secure Hybrid Encryption in Correlated Randomness Model and KEM Combiners

Abstract

Index Terms:

I Introduction

I-A Our Results

Theorem.

II Related work

III Preliminaries

Definition 1 (Universal hash family).

Lemma 1 (Generalized Leftover Hash Lemma [21]).

Definition 2 (KEM distinguishing advantage [2]).

Definition 3 (Security of DEM: IND-OT, IND-OTCCA, IND-CPA, IND-CCA1, IND-CCA2 [2]).

IV KEM in correlated randomness model

Definition 4 (KEM in Preprocessing Model (pKEM)).

Definition 5 (pKEM distinguishing advantage).

Remark 1 (iKEM with bounded-query security).

IV-1 Ciphertext Integrity (INT-CTXT) in preprocessing model.

Definition 6 (pKEM ciphertext integrity).

Theorem 1.

IV-A Hybrid encryption in Preprocessing Model

Definition 7 (Hybrid encryption in preprocessing model).

Theorem 2 (Hybrid encryption composition theorem).

V Instantiating iKEM

V-A A CEA secure construction

Construction 1 (CEA secure iKEM.).

V-B Security analysis of iKEM construction 1

Lemma 2.

Theorem 3 (IND-qeq_{e}-CEA).

V-C A CCA secure construction

Construction 2 (CCA secure iKEM.).

V-C1 Relation with CEA secure iKEM

V-D Security analysis of iKEM construction 2

Theorem 4 (reliability and IND-qeq_{e}-CEA).

V-E Ciphertext integrity of construction 2

Lemma 3.

Lemma 4.

Proof.

Lemma 5.

Proof.

Lemma 6.

Proof.

Theorem 5 (Ciphertext integrity (INT-(1;qd)(1;q_{d})-CTXT)).

Proof.

Corollary 1 (CCA security).

Proof.

VI KEM combiners for iKEM

Construction 3 (XOR combiner.).

Theorem 6.

Definition 8 (PRF and its security).

Construction 4 (PRF-then-XOR combiner.).

Theorem 7.

VI-A Composing a “combined” KEM with a DEM

VII Concluding remarks.

References

Appendix A Proof of Theorem 1

Appendix B Proof of Theorem 2

Appendix C Proof of Theorem 6

Appendix D Proof of Theorem 7

Claim 1.

Proof.

Claim 2.

Proof.

Appendix E Proof of Theorem 3

Appendix F Proof of Theorem 4

Appendix G Proof of Lemma 3.

Proof.

Appendix H Bézout’s theorem [65, 66]

Appendix I CEA secure iKEM protocol of Sharifian et al. [32]

Definition 9 (strongly universal hash family).

Construction 5.

Theorem 3 (IND- $q_{e}$ -CEA).

Theorem 4 (reliability and IND- $q_{e}$ -CEA).

Theorem 5 (Ciphertext integrity (INT- $(1;q_{d})$ -CTXT)).