Quantum security of the Fujisaki-Okamoto transform
Abstract
In this paper, we present a hybrid encryption scheme that is chosen ciphertext secure in the quantum random oracle model. Our scheme is a combination of an asymmetric and a symmetric encryption scheme that are secure in a weak sense. It is a slight modification of Fujisaki and Okamoto's transformation, which is secure against classical adversaries.

Keywords: Quantum, Random Oracle, Indistinguishability against chosen ciphertext attack.

Motivation: Interest in verifying the security of cryptosystems in the presence of a quantum adversary increased after the celebrated paper of Shor [Sho97]. Shor showed that any cryptosystem based on the factoring problem or the discrete logarithm problem is breakable by a quantum adversary. Also, many efficient classical cryptosystems are proved secure in the random oracle model [BR93], and many of them still lack an equivalent proof in the quantum setting. Therefore, to construct an efficient cryptosystem secure against quantum adversaries, even if we find a cryptographic primitive immune to quantum attacks, we may have to consider its security in the quantum random oracle model, in which the adversary has quantum access to the random oracle. Fujisaki and Okamoto [FO99] constructed a hybrid encryption scheme that is secure against chosen ciphertext attack in the random oracle model. Their scheme is a combination of a symmetric and an asymmetric encryption scheme using two hash functions, where the symmetric and asymmetric encryption schemes are secure in a very weak sense. However, their proof of security works against a classical adversary, and it is not clear how one can fix their proof in the quantum setting. In the following, we mention the parts of the classical proof that may not carry over to quantum adversaries. The classical proof uses the record list of random oracle queries to simulate the decryption algorithm without possessing the secret key of the asymmetric encryption scheme. In the quantum case, where the adversary has quantum access to the random oracles and submits queries in superposition, there is no such list. Also, the classical proof uses the fact that changing the output of the random oracle on one random input does not make it distinguishable from the original random oracle; this may fail in the quantum case, since the adversary can query the random oracle on a superposition of all inputs and see all the corresponding outputs in one query. Finally, the classical proof uses the fact that finding a collision for a function whose outputs have high min-entropy is difficult with classical access to the function and a polynomial number of queries. However, this may not hold when the adversary has quantum access to the function. Consequently, the quantum security of the scheme is left as an open problem in the related works of Boneh et al. [BDF11] and Zhandry [Zha12].

Our Contribution: We modify the hybrid encryption scheme presented by Fujisaki and Okamoto using an extra hash function. We prove that our scheme is indistinguishable under chosen ciphertext attack in the quantum random oracle model. For a message m, the encryption algorithm of our scheme, $\mathrm{Enc}^{hy}_{pk}$, works as follows:

$$\mathrm{Enc}^{hy}_{pk}(m;\delta) = \Big(\mathrm{Enc}^{asy}_{pk}\big(\delta;\, H(\delta, \mathrm{Enc}^{sym}_{G(\delta)}(m))\big),\ \mathrm{Enc}^{sym}_{G(\delta)}(m),\ H'(\delta)\Big)$$

where pk and sk are the public key and the secret key of the asymmetric encryption scheme, $\mathrm{Enc}^{asy}_{pk}$ and $\mathrm{Enc}^{sym}$ are the asymmetric and symmetric encryption algorithms respectively, and δ is a random element

*Full paper: http://www.cs.ut.ee/~unruh/qro.pdf
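The construction in the abstract, written out as a toy Python implementation. This is an added example, not the authors' code, and none of it is a secure instantiation: textbook RSA with the random coins appended to δ stands in for the weakly secure asymmetric scheme, a SHAKE-expanded one-time pad for the symmetric scheme, SHA-256 for the random oracles H, G and H', and a fixed modulus built from two Mersenne primes in place of key generation; all of these are this example's assumptions. The abstract states only the encryption algorithm, so the decryption shown here, the usual Fujisaki-Okamoto re-encryption check extended with a check of the extra H'(δ) component, is this example's reading of the scheme rather than text from the paper. What it adds to the paragraph is the decryptor's behaviour: a ciphertext whose symmetric part, asymmetric part or H'(δ) component has been altered is rejected rather than decrypted.

```python
"""Toy instance of the modified Fujisaki-Okamoto scheme (added example,
not the authors' code).  Assumptions, none fixed by the abstract: textbook
RSA with appended coins as the asymmetric scheme, a SHAKE one-time pad as
the symmetric scheme, SHA-256 as the random oracles H, G, H'.  Toy
parameters only; this provides no real security."""
import hashlib
import secrets

# Fixed toy RSA modulus from two Mersenne primes: N = (2^89-1)(2^107-1) > 2^192.
RSA_P, RSA_Q = (1 << 89) - 1, (1 << 107) - 1
RSA_N, RSA_E = RSA_P * RSA_Q, 65537
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))   # Python 3.8+
DELTA_BYTES = 12     # delta || coins = 24 bytes = 192 bits < log2(N)
COIN_BYTES = 12


def H(delta, c_sym):
    """H(delta, Enc^sym_{G(delta)}(m)): the coins for the asymmetric encryption."""
    return hashlib.sha256(b"H" + delta + c_sym).digest()[:COIN_BYTES]


def G(delta):
    """G(delta): the symmetric key."""
    return hashlib.sha256(b"G" + delta).digest()


def H_prime(delta):
    """H'(delta): the extra hash value the modification appends to the ciphertext."""
    return hashlib.sha256(b"H'" + delta).digest()


def asy_keygen():
    """Returns (pk, sk) for the fixed toy modulus."""
    return (RSA_N, RSA_E), (RSA_N, RSA_D)


def asy_enc(pk, delta, coins):
    """Enc^asy_pk(delta; coins): deterministic once the coins are fixed, as FO needs."""
    n, e = pk
    return pow(int.from_bytes(delta + coins, "big"), e, n)


def asy_dec(sk, c):
    """Returns delta, or None if the plaintext is not a well-formed delta || coins."""
    n, d = sk
    m = pow(c, d, n)
    if m >> (8 * (DELTA_BYTES + COIN_BYTES)):
        return None
    return m.to_bytes(DELTA_BYTES + COIN_BYTES, "big")[:DELTA_BYTES]


def sym_enc(key, m):
    """One-time pad with a SHAKE-expanded key; XOR is its own inverse."""
    pad = hashlib.shake_256(b"sym" + key).digest(len(m))
    return bytes(a ^ b for a, b in zip(m, pad))


sym_dec = sym_enc


def hy_enc(pk, m, delta=None):
    """Enc^hy_pk(m; delta) = (Enc^asy_pk(delta; H(delta, c_sym)), c_sym, H'(delta))."""
    if delta is None:
        delta = secrets.token_bytes(DELTA_BYTES)
    c_sym = sym_enc(G(delta), m)
    c_asy = asy_enc(pk, delta, H(delta, c_sym))
    return c_asy, c_sym, H_prime(delta)


def hy_dec(sk, pk, ct):
    """Returns m, or None when the ciphertext fails a consistency check."""
    c_asy, c_sym, tag = ct
    delta = asy_dec(sk, c_asy)
    if delta is None:
        return None
    # Re-encryption check: c_asy must be the encryption of delta under the
    # coins H(delta, c_sym), so an altered c_sym or c_asy is rejected ...
    if asy_enc(pk, delta, H(delta, c_sym)) != c_asy:
        return None
    # ... and the extra component must equal H'(delta).
    if tag != H_prime(delta):
        return None
    return sym_dec(G(delta), c_sym)


def flip_first_byte(b):
    """Helper for the tampering demo: flips one bit of the first byte."""
    return bytes([b[0] ^ 1]) + b[1:]


if __name__ == "__main__":
    pk, sk = asy_keygen()
    ct = hy_enc(pk, b"attack at dawn")          # constructed sample message
    print(hy_dec(sk, pk, ct))
    c_asy, c_sym, tag = ct
    print(hy_dec(sk, pk, (c_asy, flip_first_byte(c_sym), tag)))   # rejected
    print(hy_dec(sk, pk, (c_asy, c_sym, flip_first_byte(tag))))   # rejected
```

Because the coins fed to the asymmetric encryption are H(δ, c_sym), the decryptor can recompute them from the recovered δ and the received symmetric part and compare; that recomputation is what the classical proof simulates from the oracle's query list and what the quantum proof must replace, since a superposition query leaves no such list.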
Similar sources
Post-Quantum Security of the Fujisaki-Okamoto and OAEP Transforms
In this paper, we present a hybrid encryption scheme that is chosen ciphertext secure in the quantum random oracle model. Our scheme is a combination of an asymmetric and a symmetric encryption scheme that are secure in a weak sense. It is a slight modification of the Fujisaki-Okamoto transform that is secure against classical adversaries. In addition, we modify the OAEP-cryptosystem and prove ...
Quantum Collision-Resistance of Non-uniformly Distributed Functions
We study the quantum query complexity of finding a collision for a function f whose outputs are chosen according to a distribution with min-entropy k. We prove that Ω(2) quantum queries are necessary to find a collision for function f . This is needed in some security proofs in the quantum random oracle model (e.g. Fujisaki-Okamoto transform).
A Modular Analysis of the Fujisaki-Okamoto Transformation
The Fujisaki-Okamoto (FO) transformation (CRYPTO 1999 and Journal of Cryptology 2013) turns any weakly secure public-key encryption scheme into a strongly (i.e., IND-CCA) secure one in the random oracle model. Unfortunately, the FO analysis suffers from several drawbacks, such as a non-tight security reduction, and the need for a perfectly correct scheme. While several alternatives to the FO tr...
Practical CCA2-Secure and Masked Ring-LWE Implementation
During the last years public-key encryption schemes based on the hardness of ring-LWE have gained significant popularity. For realworld security applications assuming strong adversary models, a number of practical issues still need to be addressed. In this work we thus present an instance of ring-LWE encryption that is protected against active attacks (i.e., adaptive chosen-ciphertext attacks) ...
On the Key Dependent Message Security of the Fujisaki-Okamoto Constructions
In PKC 1999, Fujisaki and Okamoto showed how to convert any public key encryption (PKE) scheme secure against chosen plaintext attacks (CPA) to a PKE scheme which is secure against chosen ciphertext attacks (CCA) in the random oracle model. Surprisingly, the resulting CCA secure scheme has almost the same efficiency as the underlying CPA secure scheme. Moreover, in J. Cryptology 2013, they prop...
Publication date: 2015