ChapterPDF Available

CCA-Secure (Puncturable) KEMs from Encryption with Non-Negligible Decryption Errors


Abstract and Figures

Public-key encryption (PKE) schemes or key-encapsulation mechanisms (KEMs) are fundamental cryptographic building blocks to realize secure communication protocols. There are several known transformations that generically turn weakly secure schemes into strongly (i.e., IND-CCA) secure ones. While most of these transformations require the weakly secure scheme to provide perfect correctness, Hofheinz, Hövelmanns, and Kiltz (HHK) (TCC 2017) have recently shown that variants of the Fujisaki-Okamoto (FO) transform can work with schemes that have negligible correctness error in the (quantum) random oracle model (QROM). Many recent schemes in the NIST post-quantum competition (PQC) use variants of these transformations. Some of their CPA-secure versions even have a non-negligible correctness error and so the techniques of HHK cannot be applied.
Content may be subject to copyright.
CCA-Secure (Puncturable) KEMs from
Encryption With Non-Negligible Decryption
Valerio Cini, Sebastian Ramacher, Daniel Slamanig, and Christoph Striecks
AIT Austrian Institute of Technology, Vienna, Austria
Abstract. Public-key encryption (PKE) schemes or key-encapsulation
mechanisms (KEMs) are fundamental cryptographic building blocks to
realize secure communication protocols. There are several known trans-
formations that generically turn weakly secure schemes into strongly (i.e.,
IND-CCA) secure ones. While most of these transformations require the
weakly secure scheme to provide perfect correctness, Hofheinz, Hövel-
manns, and Kiltz (HHK) (TCC 2017) have recently shown that variants
of the Fujisaki-Okamoto (FO) transform can work with schemes that
have negligible correctness error in the (quantum) random oracle model
(QROM). Many recent schemes in the NIST post-quantum competition
(PQC) use variants of these transformations. Some of their CPA-secure
versions even have a non-negligible correctness error and so the tech-
niques of HHK cannot be applied.
In this work, we study the setting of generically transforming PKE
schemes with potentially large, i.e., non-negligible, correctness error to
ones having negligible correctness error. While there have been previ-
ous treatments in an asymptotic setting by Dwork, Naor, and Reingold
(EUROCRYPT 2004), our goal is to come up with practically efficient
compilers in a concrete setting and apply them in two different contexts.
Firstly, we show how to generically transform weakly secure determinis-
tic or randomized PKEs into CCA-secure KEMs in the (Q)ROM using
variants of HHK. This applies to essentially all candidates to the NIST
PQC based on lattices and codes with non-negligible error for which we
provide an extensive analysis. We thereby show that it improves some
of the code-based candidates. Secondly, we study puncturable KEMs
in terms of the Bloom Filter KEM (BFKEM) proposed by Derler et al.
(EUROCRYPT 2018) which inherently have a non-negligible correctness
error. BFKEMs are a building block to construct fully forward-secret
zero round-trip time (0-RTT) key-exchange protocols. In particular, we
show the first approach towards post-quantum secure BFKEMs generi-
cally from lattices and codes by applying our techniques to identity-based
encryption (IBE) schemes with (non-)negligible correctness error.
This is the full version of a paper which appears in Advances in Cryptology - ASI-
ACRYPT 2020 - 26th International Conference on the Theory and Application of
Cryptology and Information Security. The proceedings version is available online at:
1 Introduction
Public-key encryption (PKE) schemes or key-encapsulation mechanisms (KEMs)
are fundamental cryptographic building blocks to realize secure communica-
tion protocols. The security property considered standard nowadays is security
against chosen-ciphertext attacks (IND-CCA security). This is important to avoid
pitfalls and attacks in the practical deployments of such schemes, e.g., padding-
oracle attacks as demonstrated by Bleichenbacher [Ble98] and still showing up
very frequently [JSS12,ASS+16,BSY18,RGG+19]. Also, for key exchange
protocols that achieve the desirable forward-secrecy property, formal analysis
shows that security against active attacks is required (cf. [JKSS12,KPW13,
DFGS15,PST20]). This equally holds for recent proposals for fully forward-
secret zero round-trip time (0-RTT) key-exchange protocols from puncturable
KEMs [GHJL17,DJSS18,DGJ+18] and even for ephemeral KEM keys for a
post-quantum secure TLS handshake without signatures [SSW20].
In the literature, various different ways of obtaining CCA security generically
from weaker encryption schemes providing only chosen-plaintext (IND-CPA) or
one-way (OW-CPA) security are known. These can be in the standard model us-
ing the double-encryption paradigm due to Naor and Yung [NY90], the compiler
from selectively secure identity-based encryption (IBE) due to Canetti, Halevi
and Katz [CHK04], or the more recent works due to Koppula and Waters [KW19]
based on so called hinting pseudo-random generators and Hohenberger, Koppula,
and Waters [HKW20] from injective trapdoor functions. In the random oracle
model (ROM), CCA security can be generically obtained via the well-known
and widely-used Fujisaki-Okamoto (FO) transform [FO99,FO13] yielding par-
ticularly practical efficiency.
Perfect correctness and (non-)negligible correctness error. A property
common to many compilers is the requirement for the underlying encryption
schemes to provide perfect correctness, i.e., there are no valid ciphertexts where
the decryption algorithm fails when used with honestly generated keys. Recently,
Hofheinz, Hövelmanns, and Kiltz (HHK) [HHK17a] investigated different vari-
ants of the FO transform also in a setting where the underlying encryption
scheme has non-perfect correctness and in particular decryption errors may oc-
cur with a negligible probability in the security parameter. This is interesting
since many PKE schemes or KEMs based on conjectured quantum-safe assump-
tions and in particular assumptions on lattices and codes do not provide per-
fect correctness. Even worse, some of the candidates submitted to the NIST
post-quantum competition (PQC) suffer from a non-negligible correctness er-
ror and so the FO transforms of HHK cannot be applied. Ad-hoc approaches
to overcome this problem that are usually chosen by existing constructions in
practice — if the problem is considered at all — is to increase the parame-
ters to obtain a suitably small decryption error, applying an error correcting
code on top or implementing more complex decoders. In practice, these ad-hoc
methods come with drawbacks. Notably, LAC, which is a Learning With Errors
(LWE) based IND-CCA secure KEM in the 2nd round of the NIST PQC that
applies an error correcting code, is susceptible to a key-recovery attack recently
proposed by Guo et al. [GJY19]. Also, code-based schemes have a history of
attacks [GJS16,SSPB19,FHS+17] due to decoding errors. Recently, Bindel and
Schanck [BS20] proposed a failure boosting attack for lattice-based schemes with
a non-zero correctness error. For some code-based schemes, the analysis of the
decoding error is a non-trivial task as it specifically depends on the decoder.
For instance, the analysis of BIKE’s decoder, another 2nd round NIST PQC
candidate, has recently been updated [SV19].
Consequently, it would be interesting to have rigorous and simple approaches
to remove decryption errors (to a certain degree) from PKE schemes and KEMs.
Immunizing encryption schemes. The study of “immunizing” encryp-
tion schemes from decryption errors is not new. Goldreich, Goldwasser, and
Halevi [GGH97] studied the reduction or removal of decryption errors in the
Ajtai-Dwork encryption scheme as well as Howgrave-Graham et al. [HNP+03]
in context of NTRU. The first comprehensive and formal treatment has been
given by Dwork, Naor, and Reingold [DNR04] who study different amplification
techniques in the standard and random oracle model to achieve non-malleable
(IND-CCA secure) schemes. One very intuitive compiler is the direct product
compiler Enc`which encrypts a message Munder a PKE Π= (KGen,Enc,Dec)
with a certain decryption error δunder `independent public keys from KGen,
i.e,. pk0:= (pk1,...,pk`)as Enc0(pk0, M ) := (Enc(pk1, M),...,Enc(pk`, M )).
Dec0, given C0= (C1, . . . , C`)tries to decrypt Ci,1i`, and returns the
result of a majority vote among all decrypted messages, yielding an encryption
scheme with some error δ0δ. Their asymptotic analysis, however, and
limitation to PKEs with a binary message space does not make it immediate
what this would mean in a concrete setting and in particular how to choose `
for practically interesting values of δand δ0. For turning a so-obtained amplified
scheme with negligible correctness error into a CCA-secure one in the ROM,
they provide a transform using similar ideas, but more involved than the FO
transform. Bitansky and Vaikuntanathan [BV17] go a step further and turn
encryption schemes with a correctness error into perfectly correct ones, whereas
they even consider getting completely rid of bad keys (if they exist) and, thus,
completely immunize encryption schemes. They build upon the direct product
compiler of Dwork et al. and then apply reverse randomization [Nao90] and
Nisan-Wigderson style derandomization [NW94]. Thereby, they partition the
randomness space into good and bad randomness, and ensure that only good
randomness is used for encryption and key generation.
Our goals. In this work, we are specifically interested in transformations that
lift weaker schemes with non-negligible correctness error into CCA-secure ones
with negligible error. Thereby, our focus is on modular ways of achieving this
and can be seen as a concrete treatment of ideas that have also be discussed by
Dwork et al. [DNR04], who, however, treat their approaches in an asymptotic
setting only. We show that the direct product compiler can be used with
variants of the standard FO transform considered by HHK [HHK17a] (in the
ROM) as well as Bindel et al. [BHH+19] and Jiang et al. [JZM19] (in the
quantum ROM (QROM) [BDF+11]). They are used by many candidates of the
NIST PQC, when starting from PKE schemes having non-negligible correctness
error generically. As we are particularly interested in practical compilers in a
concrete setting to obtain CCA security for KEMs in the (Q)ROM, we analyze
the concrete overhead of this compiler and its use with widely used variants
of the transforms from HHK. Moreover, we provide a rigorous treatment of
non-black-box applications of these ideas and show that they yield better
concrete results than the direct application of the direct product compiler.
Importantly, it gives a generic way to deal with the error from weaker schemes
(e.g., IND-CPA secure ones with non-negligible error) which are easier to design.
An interesting question that we will study is how does increasing from one to
`ciphertexts compare to increasing the parameters at comparable resulting
decryption errors for existing round-two submissions in the NIST PQC. As it
turns out, our approach performs well in context of code-based schemes but
gives less advantage for lattice-based schemes.
We also study our approach beyond conventional PKE schemes and KEMs.
In particular, a class of KEMs that have recently found interest especially in con-
text of full forward-secrecy for zero round-trip time (0-RTT) key-exchange (KE)
protocols are so-called puncturable KEMs [GM15,GHJL17,DJSS18,SSS+20]
and, in particular, Bloom Filter KEMs (BFKEMs) [DJSS18,DGJ+18]. BFKEMs
schemes are CCA-secure KEMs that inherently have non-negligible correctness
error. Interestingly, however, the non-negligible correctness error comes from
the Bloom filter layer and the underlying IBE scheme (specifically, the Boneh-
Franklin [BF01] instantiation in [DJSS18]) is required to provide perfect correct-
ness. Thus, as all post-quantum IBEs have at least negligible correctness error,
there are no known post-quantum BFKEMs.
1.1 Contribution
Our contributions on a more technical level can be summarized as follows:
Generic transform. We revisit the ideas of the direct product compiler of
Dwork et al. [DNR04] (dubbed Cp,rand Cp,dfor randomized and deterministic
PKEs, respectively) in the context of the modular framework of HHK [HHK17a].
In particular, we present a generic transform dubbed T?that, given any random-
ized PKE scheme with non-negligible correctness error, produces a derandomized
PKE scheme with negligible correctness error. We analyze the transform both in
the ROM and QROM and give a tight reduction in the ROM and compare it to
a generic application of the direct product compiler. The transform naturally fits
into the modular framework of HHK [HHK17a], and, thus, by applying the U6⊥
transform, gives rise to an IND-CCA-secure KEM. For the analysis in the QROM,
we follow the work of Bindel et al. [BHH+19]. We show that the T?transform
also fits into their framework. Hence, given the additional injectivity assumption,
we also obtain a tight proof for U6⊥. But even if this assumption does not hold,
the non-tight proofs of Jiang et al. [JZM19] and Hövelmanns et al. [HKSU20]
still apply. Compared to the analysis of the Ttransform that is used in the
Theorem 7U6⊥
[HHK17a] Thm. 3.4
[HHK17a] Thm. 3.1
Corollary 1
Corollary 1
[HHK17a] Thm. 3.6
Fig. 1. Overview of the transformations in the ROM with the results related to T?
highlighted in blue. rPKE denotes a randomized PKE. dPKE denotes a deterministic
PKE. The prefix nn indicates encryption schemes with non-negligible correctness error.
Theorem 8
Lemma 2
[JZM19] Thm. 6
[KSS+20] Thm. 4.6
T[BHH+19] Thm. 1
Corollary 1
Corollary 1
[HKSU20] Thm. 3.2
Fig. 2. Overview of the transformations in the QROM using the notation from Figure 1.
A dashed arrow denotes a non-tight reduction. DS denotes disjoint simulatability.
: Obtained by applying the modifications from Theorems 7and 8to [HKSU20, Thm
modular frameworks, our reductions lose a factor of `, i.e., the number of paral-
lel ciphertexts required to reach a negligible correctness error, in the ROM and
a factor of `2in the QROM. For concrete schemes, this number is small (e.g.,
5) and, thus, does not impose a significant loss. An overview of the trans-
formations and how our transform fits into the modular frameworks is given in
Figure 1(ROM) and Figure 2(QROM). Furthermore, using ideas similar to T?,
we discuss a modified version of the deterministic direct product compiler Cp,d
which we denote by C?
p,d, that compared to the original one allows to reduce the
number of parallel repetitions needed to achieve negligible correctness error.
Evaluation. We evaluate T?based on its application to code- and lattice-based
second-round candidates in the NIST PQC. In particular, we focus on schemes
that offer IND-CPA secure versions with non-negligible correctness error such
as ROLLO [ABD+19], BIKE [ABB+19], and Round5 [GZB+19]. We compare
their IND-CCA variants with our transform applied to the IND-CPA schemes. In
particular, for the code-based schemes such as ROLLO we can observe improve-
ments in the combined size of public keys and ciphertexts, a metric important
when used in protocols such as TLS, as well as its runtime efficiency. We also ar-
gue the ease of implementing our so-obtained schemes which can rely on simpler
decoders. For lattice-based constructions, we find that the use of the transform
results in an increase in the sum of ciphertext and public-key size of 30% even in
the best case scenario, i.e., for an IND-CPA version of KEM Round5 [GZB+19].
Nevertheless, it offers easier constant-time implementations and the opportunity
of decreasing the correctness error without changing the underlying parameter
set and, thus, the possibility to focus on analyzing and implementing one pa-
rameter set for both, IND-CPA and IND-CCA security.
Bloom Filter KEMs. Finally, we revisit puncturable KEMs from Bloom fil-
ter KEMs (BFKEMs) [DJSS18,DGJ+18], a recent primitive to realize 0-RTT
key exchange protocols with full forward-secrecy [GHJL17]. Currently, it is un-
clear how to instantiate BFKEMs generically from IBE and, in particular, from
conjectured post-quantum assumptions due to the correctness error of the re-
spective IBE schemes. We show that one can construct BFKEMs generically
from any IBE and even base it upon IBEs with a (non-)negligible correctness
error. Consequently, our results allow BFKEMs to be instantiated from lattice-
and code-based IBEs and, thereby, we obtain candidates for post-quantum CCA-
secure BFKEMs.
On the progress in the NIST PQC. We note that our work has been done
during the second round of the NIST PQC. Meanwhile, NIST has announced
the third-round candidates and from the schemes that are suitable for our com-
pilers, BIKE [ABB+19] and FrodoKEM [NAB+19] still remain as alternate can-
didates in the competition. Moreover, we concretely analyze the submissions to
the second round and want to note that meanwhile there are additional results
on the cryptanalysis of some relevant second round schemes, i.e., for ROLLO
in [BBC+20] as well as for LEDAcrypt in [APRS20]. These results might require
a change in the parameters compared to the versions that we use in this work.
2 Preliminaries
Notation. For nN, let [n] := {1, . . . , n}, and let λNbe the security
parameter. For a finite set S, we denote by s$Sthe process of sampling
suniformly from S. For an algorithm A, let yA(λ, x)be the process of
running Aon input (λ, x)with access to uniformly random coins and assigning
the result to y(we may assume that all algorithms take λas input). To make the
random coins rexplicit, we write A(x;r). We say an algorithm Ais probabilistic
polynomial time (PPT) if the running time of Ais polynomial in λ. A function
fis negligible if its absolute value is smaller than the inverse of any polynomial,
i.e., if ck0s.t. λk0:|f(λ)|<1c.
2.1 Public-Key Encryption and Key-Encapsulation Mechanisms
Public-key encryption. A public-key encryption (PKE) scheme Πwith mes-
sage space Mconsists of the three PPT algorithms (KGen,Enc,Dec):KGen(λ), on
input security parameter λ, outputs public and secret keys (pk,sk).Enc(pk, M),
on input pk and message M∈ M, outputs a ciphertext C.Dec(sk, C), on input
sk and C, outputs M∈ M{⊥}. We may assume that pk is implicitly available
in Dec.
Exp. Exppke-ind-cpa
Π,A (λ)
(M0, M1)A(pk)
CEnc(pk, Mb)
if b=b0then return 1
else return 0
Exp. Exppke-ow-cpa
Π,A (λ)
CEnc(pk, M )
M0A(pk, C)
if M=M0then return
1else return 0
Exp. Exppke-ow-pca
Π,A (λ)
CEnc(pk, M )
M0APco(·,·)(pk, C)
if M=M0then return 1
else return 0
Fig. 3. PKE-x-ysecurity with x∈ {OW,IND},y∈ {CPA,PCA}for Π.
Correctness. We recall the definition of δ-correctness of [HHK17a]. A PKE Π
is δ-correct if
M∈M Pr[cEnc(pk, M ) : Dec(sk, C)6=M]δ,
where the expected value is taken over all (pk,sk)KGen(λ).
PKE-IND-CPA, PKE-OW-CPA, and PKE-OW-PCA security. We say
a PKE Πis PKE-IND-CPA-secure if and only if any PPT adversary Ahas
only negligible advantage in the following security experiment. First, Agets an
honestly generated public key pk.Aoutputs equal-length messages (M0, M1)
and, in return, gets C
bEnc(pk, Mb), for b${0,1}. Eventually, Aoutputs a
guess b0. If b=b0, then the experiment outputs 1. For PKE-OW-CPA security,
Adoes not receive a ciphertext for A-chosen messages, but only a ciphertext
CEnc(pk, M )for M$Mand outputs M0; if M=M0, then the experiment
outputs 1. For PKE-OW-PCA security, Aadditionally has access to a plaintext
checking oracle Pco(M, C)returning 1if M=Dec(sk, C )and 0otherwise.
Definition 1. For any PPT adversary Athe advantage function
Π,A (λ) := PrhExppke-ind-cpa
Π,A (λ)=1i1
is negligible in λ, where the experiment Exppke-ind-cpa
Π,A (λ)is given in Figure 3and
Πis a PKE as above.
Definition 2. For any PPT adversary A, and y∈ {CPA,PCA}the advantage
Π,A (λ) := PrhExppke-OW-y
Π,A (λ) = 1i,
is negligible in λ, where the experiments Exppke-ow-cpa
Π,A (λ)and Exppke-ow-pca
Π,A (λ)are
given in Figure 3and Πis a PKE as above.
We recall a well known lemma below:
Lemma 1. For any adversary Bthere exists an adversary Awith the same
running time as that of Bsuch that
Π,B (λ)Advpke-ind-cpa
Π,A (λ) + 1
Exp. Exppke-ffc
Π,A (λ)
if exists CLwith M∈ M such that Enc(pk, M ) = Cand Dec(sk, C)6=M
then return 1else return 0
Fig. 4. Finding-failing-ciphertext experiment for Π.
We note that Lemma 1equivalently holds for the `-IND-CPA notion below.
Multi-challenge setting. We recall some basic observations from [BBM00]
regarding the multi-challenge security of PKE schemes. In particular, for our
construction we need the relation between OW-CPA/IND-CPA security in the
conventional single-challenge and single-user setting and n-OW-CPA/n-IND-CPA
respectively, which represents the multi-challenge and multi-user setting. In par-
ticular, latter means that the adversary is allowed to obtain multiple challenges
under multiple different public keys.
Theorem 1 (Th. 4.1 [BBM00]). Let Π= (KGen,Enc,Dec)be a PKE scheme
that provides x-CPA security with x∈ {OW,IND}. Then, it holds that:
Π,A (λ)1
Π,A (λ),
where nis the number of public keys and Amakes at most qqueries to any of
its nchallenge oracles.
Although the loss imposed by the reduction in Theorem 1can be significant
when used in a general multi-challenge and multi-user setting, in our application
we only have cases where n= 1 and small q(q= 5 at most), or vice versa (i.e.,
q= 1 and n= 5 at most) thus tightness in a concrete setting is preserved.
Finding failing ciphertexts and injectivity. For the QROM security proof
we will need the following two definitions from [BHH+19].
Definition 3 (ε-injectivity). A PKE Πis called ε-injective if
Πis deterministic and
Pr[(pk,sk)KGen(λ) : M7→ Enc(pk, M )is not injective ]ε.
Πis non-deterministic with randomness space Rand
M, M 0$M, r, r0$R:Enc(pk, M;r) = Enc(pk, M0;r0)#ε.
Definition 4 (Finding failing ciphertexts). For a deterministic PKE, the
FFC-advantage of an adversary Ais defined as
Π,A (λ) := PrhExppke-ffc
Π,A (λ)=1i,
where the experiment Exppke-ffc
Π,A is given in Figure 4.
Exp. Expkem-ind-cca
KEM,A (λ)
b0ADecaps(sk,·)(pk, C,kb)
if b=b0then return 1else return 0
Fig. 5. KEM-IND-CCA security experiment for KEM.
Key-encapsulation mechanism. A key-encapsulation mechanism (KEM)
scheme KEM with key space Kconsists of the three PPT algorithms
(KGen,Encaps,Decaps):KGen(λ), on input security parameter λ, outputs public
and secret keys (pk,sk).Encaps(pk), on input pk, outputs a ciphertext Cand
key k.Decaps(sk, C), on input sk and C, outputs kor {⊥}.
Correctness of KEM.We call a KEM δ-correct if for all λN, for all (pk,sk)
KGen(λ), for all (C, k)Enc(pk), we have that
Pr[Dec(sk, C)6=k]δ.
KEM-IND-CCA security. We say a KEM KEM is KEM-IND-CCA-secure if
and only if any PPT adversary Ahas only negligible advantage in the following
security experiment. First, Agets an honestly generated public key pk as well
as a ciphertext-key pair (C,kb), for (C,k0)Encaps(pk), for k1$K, and
for b${0,1}.Ahas access to a decapsulation oracle Dec(sk,·)and we require
that Anever queries Decaps(sk, C). Eventually, Aoutputs a guess b0. Finally,
if b=b0, then the experiment outputs 1.
Definition 5. For any PPT adversary A, the advantage functions
KEM,A (λ) := PrhExpkem-ind-cca
KEM,A (λ) = 1i1
is negligible in λ, where the experiment Expkem-ind-cca
KEM,A (λ)is given in Figure 5and
KEM is a KEM as above.
2.2 Identity-Based Encryption
An identity-based encryption (IBE) scheme IBE with identity space ID and mes-
sage space Mconsists of the PPT algorithms (KGen,Ext,Enc,Dec):KGen(λ)on
input security parameter λ, outputs main public and secret keys (mpk,msk).
Ext(msk,id )on input identity id ∈ ID, outputs an identity secret key skid .
Enc(mpk,id , M )on input mpk,id ∈ ID, and message M∈ M, outputs a ci-
phertext C.Dec(skid , C)on input skid and C, outputs M M ∪ {⊥}.
Correctness of IBE.Analogous to [HHK17a] we define δ-correctness of an IBE
IBE for any id ∈ ID as
M∈M Pr[CEnc(mpk,id , M ) : Dec(skid, C )6=M]δ(λ),
where the expected value is taken over all (mpk,msk)KGen(λ)and skid
Ext(msk,id ).
IBE-sIND-CPA security of IBE.We say an IBE scheme IBE is IBE-sIND-
CPA-secure if and only if any PPT adversary Ahas only negligible advantage
in the following security experiment. First, Aoutputs the target identity id
and, subsequently, gets an honestly generated main public key mpk. During the
experiment, but after providing id,Ahas access to a secret-key extraction
oracle Ext(msk,·)where we require that Anever queries an identity secret key
for id . At some point, Aoutputs equal-length messages (M0, M1)and receives
a challenge ciphertext CEnc(mpk,id , Mb), for b${0,1}. Eventually, A
outputs a guess b0; if b=b0, then the experiment outputs 1. The experiment is
depicted in Figure 6.
Definition 6. For any PPT adversary A, the advantage function
IBE,B (λ) := PrhExpibe-sind-cpa
IBE,A (λ) = 1i1
is negligible in λ, where the experiment Expibe-sind-cpa
IBE,A (λ)is given in Figure 6and
IBE is an IBE scheme.
Exp. Expibe-sind-cpa
IBE,A (λ)
id A(λ)
(M0, M1)AExt(msk,·)(mpk)
CEnc(mpk,id , Mb)
if b=b0then return 1else return 0
Fig. 6. IBE-sIND-CPA experiment for IBE scheme IBE.
γ-spreadness of IBE.In order to prove our Bloom filter KEM CCA-secure in
Section 5, we need an additionally property of the underlying IBE scheme which
essentially guarantees that honestly generated IBE ciphertexts have large-enough
Definition 7 (γ-Spreadness of IBE). For all λN, an IBE scheme IBE is γ-
spread, if for any (mpk,·)KGen(λ), any identity id ∈ ID, any message M
M, any C∈ C, and r$R, where Cand Rare the ciphertext and randomness
spaces of IBE, respectively, we have that Pr[C=Enc(mpk,id , M ;r)] 2γholds,
where the probability is taken over the random coins of KGen.
3 CCA Security from Non-Negligible Correctness Errors
In this section, we present our approaches to generically achieve CCA secure
KEMs in the (Q)ROM with negligible correctness error when starting from an
OW-CPA or IND-CPA secure PKE with non-negligible correctness error. We start
by discussing the definitions of correctness errors of PKE and KEMs. Then,
we present a generic transform based on the direct product compiler of Dwork
et al. [DNR04] and revisit certain FO transformation variants from [HHK17a]
(in particular the Tand Utransformations), their considerations in the
QROM [BHH+19] and their application with the direct product compiler. As a
better alternative, we analyze the non-black-box use of the previous technique
yielding transformation T?, that combines the direct product compiler with the
Ttransformation. Finally, we provide a comprehensive comparison of the two
3.1 On the Correctness Error
In this work, we use the δ-correctness for PKEs given by HHK in [HHK17a]. With
this definition, particularly bad keys in terms of correctness error only contribute
a fraction to the overall correctness error as it averages the error probability over
all key pairs: if there are negligible many keys with a higher correctness error,
then those keys do not really contribute to the overall correctness error. At the
same time this definition is tailored, via maxing over all possible messages, to the
security proofs of the FO-transforms where an adversary could actively search
for the worst possible message, in order to trigger decryption failure. As also
done by Dwork et al. [DNR04], we explicitly write the correctness error as a
function in the security parameter:
Definition 8. APKE Πis δ(·)-correct if
M∈M Pr[CEnc(pk, M ) : Dec(sk, C)6=M]δ(λ),
where the expected value is taken over all (pk,sk)KGen(λ).
It will be important for our transform to make explicit that the correctness error
depends on the security level, as this allows us to chose a function `(·)such that
δ(λ)`(λ)2λ. We will often just write δ=δ(λ)and `=`(λ)for simplicity.
An alternative but equivalent definition, as used in [HHK17a], can be given
in the following form: a PKE Πis called δ(·)-correct if we have for all (possibly
unbounded) adversaries Athat
Π,A(λ) = Pr Expcor
Π,A(λ) = 1 δ(λ),
where the experiment is given in Figure 7. If Πis defined relative to a random
oracle H, then the adversary is given access to the random oracle and δis ad-
ditionally a function in the number of queries qH, i.e., the bound is given by
Exp. Expcor
if M6=Dec(sk,Enc(pk, M )) then return 1else return 0
Fig. 7. Correctness experiment for PKE.
δ(λ, qH). We note that in [BS20] an alternative definition of correctness was
proposed, where the adversary does not get access to sk and the adversary’s
runtime is bounded. With this change, it can be run as part of the IND-CCA
experiment which does not change the power of the IND-CCA adversary and ad-
ditionaly removes a factor qHfrom the correctness error and advantage analysis.
In particular, one can obtain an upper bound for IND-CCA security of a scheme
via the correctness error.
We recall, for completeness, the definition of correctness error, here denoted
as DNR-δ-correctness (from Dwork-Naor-Reingold), used by Dwork et al.:
Definition 9 (Def. 2, Def. 3 [DNR04]). APKE Πis
DNR-δ(·)-correct if we have that
Pr[Dec(sk,Enc(pk, M )) 6=M]δ(λ),
where the probability is taken over the choice of key pairs (pk,sk)KGen(λ),
M∈ M and over the random coins of Enc and Dec.
DNR-(almost-)all-keys δ(·)-correct if for all (but negligible many) keys
(pk,sk)KGen(λ), we have that
Pr[Dec(sk,Enc(pk, M )) 6=M]δ(λ),
where the probability is taken over the choice of M∈ M and over the random
coins of Enc and Dec.
Correctness error in this sense still allows bad key pairs that potentially have an
even worse error but it is not suited for our security proofs as the probability
is also taken over M$M. Recently Drucker et al. [DGKP20] introduced the
notion of message agnostic PKE and showed that all the versions of BIKE, a
2nd round candidate in the NIST PQC, are message-agnostic: in such a PKE,
the probability that, given (sk,pk), the encryption of a message M∈ M cor-
rectly decrypts is independent of the message M∈ M itself. For such PKEs the
definitions of δ-correctness and DNR-δ-correctness coincide (Cor. 1 [DGKP20]).
3.2 Compiler for Immunizing Decryption Errors
Now we present two variants of a compiler Cpdenoted Cp,d(for deterministic
schemes) and Cp,r(for randomized schemes) which is based on the direct prod-
uct compiler by Dwork et al. [DNR04]. We recall that the idea is to take a PKE
Π0.KGen0(λ, `)
// if Cp,r
return Π.KGen(λ)
// if Cp,d
for i[`]
pk := (pk1,...,pk`)
sk := (sk1,...,sk`)
return (pk,sk)
Π0.Enc0(pk, M )
for i[`]
// if Cp,r
CiΠ.Enc(pk, M ;ri)
// if Cp,d
CiΠ.Enc(pki, M )
C:= (C1....,C`)
return C
Π0.Dec0(sk, C)
C:= (C1....,C`)
for i[`]
// if Cp,r
i:= Π.Dec(sk, Ci)
// if Cp,d
i:= Π.Dec(ski, Ci)
return maj(M0
Fig. 8. Compilers Cp,dand Cp,r.
scheme Π= (KGen,Enc,Dec)with non-negligible correctness error δ(and ran-
domness space Rin case of randomized schemes) and output a PKE scheme
Π0= (KGen0,Enc0,Dec0)with negligible correctness error δ0(and randomness
space R0:= R`, for some `N, in case of a randomized schemes). We present a
precise description of the compilers in Figure 8. Note that in Dec0, the message
that is returned most often by Dec is returned. If two or more messages are tied,
one of them is returned arbitrarily and we denote this operation as maj(M0).
Analyzing correctness. Dwork et al. in [DNR04] explicitly discuss the ampli-
fication of the correctness for encryption schemes with a binary message space
M={0,1}and obtain that to achieve DNR-δ0-correctness ` > c/(1 δ)2·log 1/δ0
when starting from a scheme with DNR-δ-correctness. As cis some constant
that is never made explicit, the formula is more of theoretical interest and for
concrete instances it is hard to estimate the number of required ciphertexts. We
can however analyze the probabilities that the majority vote in Dec0returns the
correct result. As far as the correctness notion used in this work is concerned,
in order to prove an acceptable good lower bound for the δ-correctness of the
direct product compiler, it suffices to find an event, in which the decryption
procedure fails, that happens with a large enough probability. The following
reasoning applies to both its deterministic and randomized versions, Cp,dand
Cp,rrespectively. One such case is the following: only 1 ciphertext correctly de-
crypts and all other `1ciphertexts decrypt to `1distinct wrong messages.
During the maj operation, one of the “wrong” messages is then returned. The
probability of this event is
`1δ`1(1 δ)M1
M1·· · M(`1)
Looking ahead to our compiler Tpresented in Section 3.4, if the message space
is sufficiently large, this probability is bigger than δ`1(1 δ), which gives that
at least one more ciphertext is needed to achieve the same decryption error as
with our compiler T. The results are shown in Table 1. One can compute the
exact probability of decryption error by listing all cases in which the decryption
fails and summing up all these probabilities to obtain the overall decryption
failure of the direct product compiler. This computation is not going to give a
significantly different result from the lower bound that we have just computed.
Table 1. Estimation of the correctness error for the direct product compilers. δ0(`)
denotes the correctness error for `ciphertexts.
δ δ0(2) δ0(3) δ0(4)
232 232 263 294
264 264 2127 2190
296 296 2191 2284
We note that using 2 parallel ciphertexts does not improve the correctness
error, so the direct product compiler only becomes interesting for `3: indeed
for `= 2, we have 3 possible outcomes in which the decryption algorithm can
fail: 1) the first ciphertext decrypts and the second does not, 2) vice versa, 3)
both fail to decrypt. In 1), 2), half the time the wrong plaintext is returned.
Summing these probabilities gives exactly δ.
Remark 1. As far as the deterministic direct product compiler Cp,dis concerned,
the correctness error can be improved by modifying the decryption: instead of
relying on the maj operation, we can re-encrypt the plaintexts obtained during
decryption with the respective keys and compare them to the original cipher-
texts. Only if this check passes, the plaintext is returned. If this is done, then
decryption fails iff no ciphertext decrypts correctly, i.e., with probability δ`,
and thereby the number of parallel repetition necessary to achieve negligible
correctness-error is reduced at the cost of a computational overhead in the de-
cryption. We denote this version of the deterministic direct product compiler by
Their security follows by applying Theorem 1with q= 1 and n=`in the
deterministic case, for both Cp,dand C?
p,d, or vice versa with q=`and n= 1 in
the randomized case:
Corollary 1. For any x-CPA adversary Bagainst Π0obtained via applying Cp,y
to Π, there exists an x-CPA adversary Asuch that:
Π0,B (λ)`·Advpke-x-cpa
Π,A (λ),
where y=dif x=OW and y=rif x=IND.
As the analysis above suggests, `will be a small constant, so the loss in `does
not pose a problem regarding tightness.
3.3 Transformations Tand U6⊥
Subsequently, we discuss basic transformations from [HHK17b] to first trans-
form an IND-CPA secure PKE into an OW-PCA secure PKE (transformation T
in [HHK17b]) and then to convert an OW-PCA secure PKE into an IND-CCA
secure KEM with implicit rejection (transformation U6⊥ in [HHK17b]) and we
discuss alternative transformations later. We stress that these transformations
Π0.Enc(pk, M )
C:= Π.Enc(pk, M ;G(M))
return C
Π0.Dec(sk, C)
M0:= Π.Dec(sk, C )
if M0=or C6=Π.Enc(pk, M 0;G(M0))
else return M0
Fig. 9. OW-PCA-secure scheme Π0=T[Π, G]with deterministic encryption.
either work for perfectly correct schemes or schemes with a negligible correctness
T:IND-CPA =OW-PCA (ROM)/OW-CPA (QROM). The transform Tis
a simple de-randomization of a PKE by deriving the randomness rused by
the algorithm Enc via evaluating a random oracle (RO) on the message to be
encrypted. More precisely, let Π= (KGen,Enc,Dec)be a PKE with message
space Mand randomness space Rand G:M→Rbe a RO. We denote the PKE
Π0obtained by applying transformation Tdepicted in Figure 9as Π0=T[Π, G],
where Π0.KGen =Π.KGen and is thus omitted.
For the ROM, we recall the following theorem:
Theorem 2 (Thm. 3.2 [HHK17b] (ΠIND-CPA =Π0OW-PCA)). As-
sume Πto be δ-correct. Then, Π0is δ1(qG) = qG·δcorrect and for any OW-PCA
adversary Bthat issues at most qGqueries to the RO Gand qPqueries to a
plaintext checking oracle Pco, there exists an IND-CPA adversary Arunning in
about the same time as Bsuch that
Π0,B (λ)qG·δ+2qG+ 1
|M| + 3 ·Advpke-ind-cpa
Π,A (λ).
And for the QROM, we recall the following theorem:
Theorem 3 (Thm. 1 [BHH+19] (ΠIND-CPA =Π0OW-CPA)). If A
is an OW-CPA-adversary against Π0=T[Π, G]issuing at most qGqueries to
the quantum-accessible RO Gof at most depth d, then there exists an IND-CPA
adversary Bagainst Πrunning in about the same time as Asuch that
Π0,A (λ)(d+ 1)Advpke-ind-cpa
Π,B (λ) + 8(qG+ 1)
|M| .
U6⊥:OW-PCA =IND-CCA.The transformation U6⊥ transforms any OW-PCA
secure PKE Π0into an IND-CCA secure KEM in the (Q)ROM. The basic idea
is that one encrypts a random message Mfrom the message space Mof Π0
and the encapsulated key is the RO evaluated on the message Mand the cor-
responding ciphertext Cunder Π0. This transformation uses implicit rejection
and on decryption failure does not return , but an evaluation of the RO on
the ciphertext and a random message s∈ M, being part of sk of the resulting
KEM, as a “wrong” encapsulation key. It is depicted in Figure 10.
In the ROM, we have the following result:
sk := (sk0, s)
return (pk0,sk)
CΠ0.Enc(pk, M )
K:= H(M, C )
return (K, C)
KEM.Decaps (sk,C)
Parse sk = (sk0, s)
M0:= Π0.Dec(sk0, C)
if M06=
return K:= H(M0, C)
else return K:= H(s, C)
Fig. 10. IND-CCA-secure KEM scheme KEM =U6⊥[Π0,H].
Theorem 4 (Thm. 3.4 [HHK17b] (Π0OW-PCA =KEM IND-CCA)).
If Π0is δ1-correct, then KEM is δ1-correct in the random oracle model. For any
IND-CCA adversary Bagainst KEM, issuing at most qHqueries to the random
oracle H, there exists an OW-PCA adversary Aagainst Π0running in about the
same time as Bthat makes at most qHqueries to the Pco oracle such that
KEM,B (λ)qH
|M| +Advpke-ow-pca
Π0,A (λ).
For the QROM, we have the following non-tight result:
Theorem 5 (Thm. 6 [JZM19] (Π0OW-PCA =KEM IND-CCA)). Let
Π0be a deterministic PKE scheme which is independent of H. Let Bbe an
IND-CCA adversary against the KEM U6⊥[Π0,H], and suppose that Amakes at
most qd(classical) decryption queries and qHqueries to quantum-accessible ran-
dom oracle Hof depth at most d, then there exists and adversary Bagainst Π0
such that
U6⊥[Π0,H],A (λ)2·qH
p|M| + 2 ·q(qH+ 1)(2 ·δ+Advpke-ow-cpa
Π0,B (λ)).
If we assume ε-injectivity and FFC, respectively, we have tighter bounds:
Theorem 6 (Thm. 4.6 [KSS+20] (Π0OW-CPA+FFC =KEM IND-CCA)).
Let Π0be an ε-injective deterministic PKE scheme which is independent of
H. Suppose that Ais an IND-CCA adversary against the KEM U6⊥[Π0,H], and
suppose that Amakes at most qd(classical) decryption queries and qHqueries
to quantum-accessible random oracle Hof depth at most d, then there exist two
adversaries running in about the same time as A:
an OW-CPA-adversary B1against Π0and
aFFC-adversary B2against Π0returning a list of at most qdciphertexts,
such that
U6⊥[Π0,H],A (λ)4d·Advpke-ow-cpa
Π0,B2(λ) + (4d+ 6) ·ε.
FO6⊥[Π, G,H].By combining transformation Twith U6⊥ one consequently obtains
an IND-CCA secure KEM KEM from an IND-CPA secure PKE Π. Note that the
security reduction of the FO6⊥ := U6⊥ Tvariant of the FO is tight in the random
oracle model and works even if Πhas negligible correctness error instead of
perfect correctness.
FO6⊥[Π, G,H]in the QROM. Hofheinz et al. in [HHK17b] also provide vari-
ants of the FO transform that are secure in the QROM, but they are (highly)
non-tight. Bindel et al. [BHH+19] presented a tighter proof for U6⊥ under an ad-
ditional assumption of ε-injectivity. This result was recently improved by Kuchta
et al. [KSS+20]. Additionally, Jiang et al. [JZM19] provided tighter proofs for
the general case.
mand other approaches. Besides the transform with implicit re-
jection, U6⊥, one can also consider explicit rejection, Uand versions of both
where the derived session key depends on the ciphertext, U6⊥
mand U
m, respec-
tively. Bindel et al. [BHH+19] show that security of implicit rejection implies
security with explicit rejection. The opposite direction also holds if the scheme
with explicit rejection also employs key confirmation. Moreover, they show that
the security is independent of including the ciphertext in the session key deriva-
A different approach was proposed by Saito et al. [SXY18], where they start
from a deterministic disjoint simulatable PKE and apply U6⊥
mwith an addi-
tional re-encryption step in the decryption algorithm. While the original con-
struction relied on a perfectly correct PKE, Jiang et al. gave non-tight reduc-
tions for schemes with negligible correctness error in [JZC+18]. Hövelmanns et
al. [HKSU20] improve over this approach by giving a different modularization of
Saito et al.’s TPunc.
Black-box use of the compiler Cp,d/C?
p,d/Cp,r.Using Cp,d,C?
p,dor Cp,rfrom
Section 3.2, we can transform any deterministic or randomized PKE with non-
negligible correctness error into one with negligible correctness error. Conse-
quently, Theorem 1as a result yields a scheme that is compatible with all the
results on the Tand variants of the Utransformations in this section. Note
that in particular this gives us a general way to apply these variants of the FO
transform to PKE schemes with non-negligible correctness error.
3.4 Non Black-Box Use: the Transformation T?
Since the direct product compiler is rather complicated to analyze, we alterna-
tively investigate to start from an IND-CPA secure PKE Πwith non-negligible
correctness error δand introduce a variant of the transform Tto de-randomize
a PKE, denoted T?. The idea is that we compute `independent encryptions of
the same message Munder the same public key pk using randomness G(M, i),
i[`], where Gis a RO (see Figure 11 for a compact description). The resulting
de-randomized PKE Π0has then correctness error δ0:= δ`, where `is chosen in
a way that δ`is negligible. To the resulting PKE Π0we can then directly apply
the transformation U6⊥ to obtain an IND-CCA secure KEM KEM with negligible
correctness error in the (Q)ROM.
Note that as we directly integrate the product compiler into the Ttransform,
the correctness of the message can be checked via the de-randomization. Hence,
we can get rid of the majority vote in the direct product compiler. With this
Π0.Enc(pk, M )
for i= 1,...,` do
Ci:= Π.Enc(pk, M ;G(M, i))
C:= (C1,...,C`)
return C
Π0.Dec(sk, C)
res ← ⊥,check ← ⊥
for i= 1,...,` do
res[i] := Π.Dec(sk, Ci)
for i[`]s.t. res[i]6=do
if j[`] : Cj=Π.Enc(pk,res[i],G(res[i], j))
check i
if check 6=
return res[check]
Fig. 11. OW-PCA-secure scheme Π0=T?[Π, G]with deterministic encryption and
correctness error δ`from IND-CPA secure scheme Πwith correctness error δ.
change the analysis of the concrete choice of `becomes simpler and, more impor-
tantly, allows us to choose smaller `than in the black-box use of the compiler.
Remark 2. Note that in Figure 11 we explicitly consider the case where Dec
of the PKE scheme Πmay return something arbitrary on failed decryption.
For the simpler case where we have a PKE scheme Πwhich always returns
on failed decryption, we can easily adapt the approach in Figure 11.
Namely, we would decrypt all `ciphertexts Ci,i[`]. Let h[`]be the
minimum index such that res[h]6=. Then for every element j[`]run
j:= Π.Enc(pk,res[h]; G(res[h], j). If for all j[`]we have C0
return res[h]. If this is not the case we return . Note that all ` C0
jhave to
be re-encrypted and checked against Cj, as otherwise IND-CCA-security is not
achieved. The difference is, that only `encryptions instead of `2are required.
We now show the following theorem.
Theorem 7 (ΠIND-CPA =Π0OW-PCA). Assume Πto be δ-correct.
Then, Π0is δ1(qG, `)qG
`·δ`correct and for any OW-PCA adversary Bthat
issues at most qGqueries to the random oracle Gand qPqueries to a plaintext
checking oracle Pco, there exists an IND-CPA adversary Arunning in about the
same time as Bsuch that
Π0,B (λ)qG
`·δ`+2qG+ 1
|M| + 3`·Advpke-ind-cpa
Π,A (λ).
We provide the proof which closely follows the proof of [HHK17b, Thm 3.2] in
Appendix B.1. Note that we lose an additional factor of `. Additionally, when
using the bounded δ-correctness notion from Bindel. et al. [BS20], the factor of
We now have an OW-PCA secure PKE Π0with negligible correctness error
and can thus directly use U6⊥ and by invoking Theorem 4obtain an IND-CCA
secure KEM KEM. Note that all steps in the reduction are tight. For the security
in the QROM, we can directly conclude from Corollary 1that the generic frame-
work of Bindel et al. [BHH+19] can be applied to Cp,dand Cp,rwith the additional
constraint of ε-injectivity and FFC, respectively. Without these additional con-
straints, the results of Jiang et al. [JZM19] or Hövelmanns et al. [HKSU20]1
apply without the tighter reductions that the Bindel et al.’s and Kuchta et al.’s
results offer.
The security of the T?transform in the QROM follows in a similar vein. To
highlight how `influences the advantages, we follow the proof strategy of Bindel
et al. [BHH+19]. Therefore, we first show that a randomized IND-CPA-secure
PKE scheme with a non-negligible correctness error is transformed to OW-CPA-
secure deterministic PKE scheme with negligible correctness error. Second, we
prove that if the T?-transformed version is also ε-injective, then it provides FFC.
With these two results in place, we can apply Theorem 6to obtain an IND-CCA-
secure KEM.
In the following theorem, we prove OW-CPA security of the T?transform in
the QROM (see Appendix A.1). We follow the strategy of the proof of [BHH+19,
Thm. 1] and adapt it to our transform. Compared to the Ttransform, we lose a
factor of `2. Once the loss is incurred by Theorem 1and once by the semi-classical
one-way to hiding Theorem [AHU19].
Theorem 8 (ΠIND-CPA =Π0OW-CPA). Let Πbe a non-deterministic
PKE with randomness space Rand decryption error δ. Let `Nsuch that δ`
is negligible in the security parameter λ. Let G:M × [`]→ R be a quantum-
accessible random oracle and let qGthe number queries with depth at most d.
If Ais an OW-CPA-adversary against T?[Π, G, `], then there exists an IND-CPA
adversary Bagainst Π, running in about same time as A, such that
T?[Π,G,`],A(λ)(d+`+ 1)`·Advpke-ind-cpa
Π,B (λ) + 8(qG+ 1)
|M| .
We refer to Appendix B.2 for the proof. Next, we show that the transform
provides the FFC property (cf. [BHH+19, Lemma 6]).
Lemma 2. If Πis a δ-correct non-deterministic PKE with randomness space
R,`Nsuch that δ`is negligible in the security parameter λ,G:M × [`]→ R
is a random oracle so that Π0=T?[Π, G, `]is ε-injective, then the advantage for
any FFC-adversary Aagainst Π0which makes at most qGqueries at depth dto
Gand which returns a list of at most qLciphertexts is bounded by
Π0,A (λ)(4d+ 1)δ`+3ε(qG+qL) + ε.
For the proof we refer to Appendix B.3.
3.5 Comparison of the Two Approaches
The major difference between the generic approach using the direct product
compiler Cp,y,y∈ {r,d}, and T?(or the modified deterministic direct product
1Without restating [HKSU20, Thm 3.2], note that we can adopt it the same way
we highlight in Theorems 7and 8. So, we start with their Punc to obtain disjoint
simutability and then apply T?and U6⊥
Table 2. Comparison of the runtime and bandwidth overheads of Cp,y,y∈ {r,d}, with
`ciphertexts and T?and C?
p,dwith `0ciphertexts such that ``0+ 1.
|pk| |C|KGen Enc Dec
Cp,y1(r) / `(d)`1(r) / `(d)` `
compiler C?
p,d) is the number of ciphertexts required to reach a negligible correct-
ness error. As observed in Section 3.2, the analysis of the overall decryption error
is rather complicated and Cp,yrequires at least `3. With T?/C?
the situation is simpler. As soon as one ciphertext decrypts correctly, the overall
correctness of the decryption can be guaranteed. Also, for the cases analysed in
Table 1,Cp,yrequires at least one ciphertext more than T?and C?
p,d. For the
correctness error, we have a loss in the number of random oracle queries in both
cases. For the comparison of the runtime and bandwidth overheads, we refer
to Table 2. Note that if the Dec of the underlying PKE Πreports decryption
failures with , then the overhead of T?for Dec is only a factor `(cf. Remark 2).
4 Our Transform in Practice
The most obvious use-case for IND-CCA secure KEMs in practice is when consid-
ering static long-term keys. Systems supporting such a setting are for example
RSA-based key exchange for SSH [Har06] or similarly in TLS up to version 1.2.
But since the use of long-term keys precludes forward-secrecy guarantees, using
static keys is not desirable. For ephemeral keys such as used in the ephemeral
Diffie-Hellman key exchange, an IND-CPA secure KEM might seem sufficient.
Yet, in the post-quantum setting accidental re-use of an ephemeral key leads to
a wide range of attacks [BGRR19]. But also from a theoretical viewpoint it is
unclear whether CPA security actually would be enough. Security analysis of the
TLS handshake protocol suggests that in the case of version 1.2 an only passively
secure version is insufficient [JKSS12,KPW13] (cf. also [PST20]). Also, secu-
rity analysis of the version 1.3 handshake requires IND-CCA security [DFGS15].
Thus, even in the case of ephemeral key exchanges, using a IND-CCA secure
KEM is actually desirable and often even necessary as highlighted by Schwabe
et al. [SSW20].
For comparing KEMs in this context, the interesting metric is hence not the
ciphertext size alone, but the combined public key and ciphertext size. Both
parts influence the communication cost of the protocols. Additionally, the com-
bined runtime of the key generation, encapsulation and decapsulation is also an
interesting metric. All three operations are performed in a typical ephemeral key
exchange and hence give a lower bound for the overall runtime of the protocol.
Table 3. Sizes (in bytes) and runtimes (in ms and millions of cycles for BIKE), where
Odenotes the transformed scheme. The LEDAcrypt instances with postfix NN refer
to those with non-negligible DFR. Runtimes are taken from the respective submission
documents and are only intra-scheme comparable.
KEM δpk CPKGen Encaps Decaps
O[ROLLO-I-L1,5] 2150 465 2325 2790 0.10 0.02/0.10 0.26/1.30
ROLLO-II-L1 2128 1546 1674 3220 0.69 0.08 0.53
O[ROLLO-I-L3,4] 2128 590 2360 2950 0.13 0.02/0.08 0.42/1.68
ROLLO-II-L3 2128 2020 2148 4168 0.83 0.09 0.69
O[ROLLO-I-L5,4] 2168 947 7576 8523 0.20 0.03/0.12 0.78/3.12
ROLLO-II-L5 2128 2493 2621 5114 0.79 0.10 0.84
O[BIKE-2-L1,3] 2147 10163 30489 40652 4.79 0.14/0.42 3.29/9.88
BIKE-2-CCA-L1 2128 11779 12035 23814 6.32 0.20 4.12
O[LEDAcrypt-L5-NN,2] 2128 22272 22272 44544 5.04 0.14/0.29 1.55/3.11
LEDAcrypt-L5 2128 19040 19040 38080 4.25 0.84 2.28
In the following comparison, we assume that the underlying PKE never re-
turns on failure, but an incorrect message instead. Thereby we obtain an upper
bound for the runtime of the Decaps algorithm. For specific cases where Decaps
explicitly returns on failure, the runtime figures would get better since the
overhead to check the ciphertexts is reduced to a factor of `(cf. Remark 2).
4.1 Code-Based KEMs
KEMs based on error correcting codes can be parametrized such that the decod-
ing failure rate (DFR) is non-negligible, negligible, or 0. Interestingly, the DFR
rate is also influenced by the actual decoder. Even for the same choice of code
and the exact same instance of the code, a decoder might have a non-negligible
DFR, whereas another (usually more complex) decoder obtains a negligible DFR.
For the submissions in the NIST PQC we can observe all three choices. The
candidates providing IND-CPA-secure variants with non-negligible DFR include:
BIKE [ABB+19], ROLLO [ABD+19], and LEDAcrypt [BBC+19]. We discuss
the application of our transform to those schemes below. For the comparison in
Table 3, we consider the DFR as upper bound for correctness error.
In Table 3, we present an overview of the comparison (see Appendix Cfor
the full comparison). First we consider ROLLO, and in particular ROLLO-I,
where we obtain the best results: public key and ciphertext size combined is
always smaller than for ROLLO-II and the parallel implementation is faster
even in case of a `2overhead. For both BIKE (using T?) and LEDAcrypt (using
p,dsince it starts from a deterministic PKE), we observe a trade-off between
bandwidth and runtime.
4.2 Lattice-Based KEMs
For lattice-based primitives the decryption error depends both on the modulus q
and the error distribution used. As discussed in [SAB+19], an important decision
that designers have to make is whether to allow decryption failures or choose
parameters that not only have a negligible, but a zero chance of failure. Hav-
ing a perfectly correct encryption makes transforms to obtain IND-CCA security
and security proofs easier, but with the disadvantage that this means either de-
creasing security against attacks targeting the underlying lattice problem or de-
creasing performance. The only NIST PQC submissions based on lattices which
provide parameter sets achieving both negligible and non-negligible decryption
failure are ThreeBears [Ham19] and Round5 [GZB+19]. The IND-CCA-secure
version of ThreeBears is obtained by tweaking the error distribution, hence, our
approach does not yield any improvements. For Round5 we achieve a trade-off be-
tween bandwidth and runtime. We also considered FrodoKEM [NAB+19], com-
paring its version [BCD+16] precedent to the NIST PQC, which only achieved
non-negligible failure probability, to the ones in the second round of the above
competition, but we do not observe any improvements for this scheme. For the
full comparison we refer to Appendix C. It would be interesting to understand
the reasons why the compiler does not perform well on lattice-based scheme com-
pared to the code-based ones and whether this is due to the particular schemes
analysed or due to some intrinsic difference between code- and lattice-based
4.3 Implementation Aspects
One of the strengths of T?compared to the black-box use of Cp,y,y∈ {r,d}
(and Cp,d?), is that besides the initial generation of the encapsulated key, all the
random oracle calls can be evaluated independently. Therefore, the encryptions
of the underlying PKE do not depend on each other. Thus, the encapsulation
algorithms are easily parallelizable – both in software and hardware. The same
applies to the decapsulation algorithm. While in this case only one successful
run of the algorithm is required, doing all of them in parallel helps to obtain a
constant-time implementation. Then, after all ciphertexts have been processed,
the first valid one can be used to re-compute the ciphertexts, which can be done
again in parallel. For software implementations on multi-core CPUs as seen on
today’s desktops, servers, and smartphones with 4 or more cores, the overhead
compared to the IND-CPA secure version is thus insignificant as long as the error
is below 232. If not implemented in a parallel fashion, providing a constant-time
implementation of the decapsulation algorithms is more costly. In that case, all of
the ciphertexts have to be dealt with to not leak the index of invalid ciphertexts.
Note that a constant-time implementation of the transform is important to avoid
key-recovery attacks [GJN20].
The T?transform also avoids new attack vectors such as [GJY19] that are
introduced via different techniques to decrease the correctness error, e.g., by
applying an error-correcting code on top. Furthermore, since the same parameter
sets are used for the IND-CPA and IND-CCA secure version when applying our
transforms, the implementations of proposals with different parameter sets can
be simplified. Thus, more focus can be put on analysing one of the parameter
sets and also on optimizing the implementation of one of them.
5 Application to Bloom Filter KEMs
A Bloom Filter Key Encapsulation Mechanism (BFKEM) [DJSS18,DGJ+18] is
a specific type of a puncturable encryption scheme [GM15,GHJL17,DJSS18,
SSS+20] where one associates a Bloom Filter (BF) [Blo70] to its public-secret key
pair depending on the BF-parameters k, m N. The initial (i.e., non-punctured)
secret key is associated to an empty BF where all bits are set to 0. (In particu-
lar, the BF allows for a compact binary representation Tof [m].) Encapsulation,
depending on a so-called tag uin the universe of the BF, takes the public key,
and returns a ciphertext and an encapsulation key kcorresponding to the BF-
evaluation of u, i.e., khash evaluations on uyielding so-called indexes in the
domain [m]. Puncturing, on input a ciphertext C(associated to tag u) and a
secret key sk0, punctures sk0on Cand returns the resulting secret key. Decap-
sulation, on input a ciphertext C(with an associated tag u) and secret key sk0
is able to decapsulate the ciphertext to kif sk0was not punctured on C. We
want to mention, as in [DGJ+18], we solely focus on KEMs since a Bloom Filter
Encryption (BFE) scheme (which encrypts a message from some message space)
can be generically derived from a BFKEM (cf. [FO99]).
The basic instantiation of a BFKEM in [DJSS18,DGJ+18] is non-black box
and based on the pairing-based Boneh-Franklin Identity-Based Encryption (IBE)
scheme [BF01], where sk contains an IBE secret key for every “identity” i[m]
of the BF bits (according to T) and puncturing amounts to inserting tag uin
the BF and deleting the IBE secret keys for the corresponding bits. Although
the BFKEM is defined with respect to a non-negligible correctness error, the
underlying variant of the Boneh-Franklin IBE has perfect correctness. So the
non-negligible error in the BFKEM is only introduced on an abstraction (at
the level of the BF) above the Fujisaki-Okamoto (FO) transform [FO99,FO13]
applied to the kBoneh-Franklin IBE ciphertexts (so the application of the FO
can be done as usual for perfectly correct encryption schemes).
However, if one targets instantiations of BFKEM where the underlying IBE
does not have perfect correctness (e.g., lattice- or code-based IBEs), it is not
obvious whether the security proof using the Boneh-Franklin IBE as presented
in [DJSS18,DGJ+18] can easily be adapted to this setting.2
2For practical reasons, we want the size of the BFKEM public key to be independent
of the BF parameters (besides the descriptions of the hash functions). Right now, we
only can guarantee this with IBE schemes as such schemes allow for exponentially
many identity-based secret keys (in the security parameter) while maintaining a
short public key.
We first recall necessary definitions for BFs, BFKEMS, and their properties
from [DGJ+18] and show a generic construction of BFKEM from any IBE scheme
with (non-)negligible correctness error in Section 5.1.
Definition 10 (Bloom Filter). A Bloom Filter (BF) [Blo70]BF consists of
the PPT algorithms (BFGen,BFUpdate,BFCheck):
BFGen(m, k) : BF generation, on input BF parameters m, k N, samples k
universal hash functions H1, . . . , Hk, where Hj:U → [m], for all j[k],
defines H:= (Hj)j[k], sets T0:= 0m, i.e., an m-bit array of all 0, and
outputs (H, T0).
BFUpdate(H, T , u): The BF-update algorithm, on input H= (Hj)j[k],T
{0,1}m, and u∈ U, sets T0:= Tand, afterwards, T0[Hj(u)] := 1, where
T0[i]denotes the i-th bit of T0, for all j[k]. The algorithms outputs the
updated state T0.
BFCheck(H, T , u): The BF-check algorithm, on input H= (Hj)j[k],
T∈ {0,1}m, and u∈ U, returns a bit b:= Vj[k]T[Hj(u)], where T[i]
denotes the i-th bit of T.
For all m, k N, we require the following properties of BF:
Perfect completeness. For all (H, T0)BFGen(m, k), for all nN, for all
(u1, . . . , un)∈ Un, for all i[n], for all TiBFUpdate(H, Ti1, ui), we
require that BFCheck(H, Tn, ui)=1holds.
Compact representation of any U0⊂ U.The size of the any representation
Ti, for all Tias output of BFUpdate, is a constant number of mbits inde-
pendent of the size of any set U0⊂ U and the representation of any element
in U.
Bounded false-positive probability. For all (H, T0)BFGen(m, k),
for all nN, for all U0= (u1, . . . , un)∈ Un, for all i[n], for
all TiBFUpdate(H, Ti1, ui), for all u U \ U0, we require that
Pr [BFCheck(H, Tn, u) = 1] 1e(n+1/2)k
m1kholds, where the probabil-
ity is taken over the random coins of BFGen.
In the following, we recap the BFKEM and its formal properties
from [DGJ+18] which tolerates a non-negligible correctness error and the
key generation takes parameters mand kas input which specify the correct-
ness error. Furthermore, we slightly adapt their BFKEM properties extended
correctness,separable randomness, and publicly-checkable puncturing to allow
a negligible decryption error for extended correctness and publicly-checkable
puncturing properties while extending the input space for the separable
randomness property.
Definition 11 (Bloom Filter Key Encapsulation Mechanism).
A BFKEM BFKEM with key space Kconsists of the PPT algorithms
KGen(λ, m, k): Key generation, on input security parameter λand BF param-
eters m, k, outputs public and secret keys (pk,sk0). (We assume that pk is
available to Punc and Decaps implicitly.)
Encaps(pk): Encapsulation, on input pk, outputs a ciphertext Cand key k.
Punc(sk, C) : Secret-key puncturing, on input sk and C, outputs an updated se-
cret key sk0.
Decaps(sk, C) : Decapsulation, on input sk and C, outputs kor {⊥}.
Definition 12 (Correctness of BFKEM). For all λ, m, k, n Nand any
(pk,sk0)KGen(λ, m, k), we require that for any (arbitrary interleaved) se-
quence of invocations of skiPunc(ski1, Ci1),for (Ci1,ki1)Encaps(pk),
for i[n], it holds that
Pr [Decaps(skn, Cn)6=kn]1e(n+1/2)k
where (Cn,kn)Encaps(pk)and εis a negligible function in λ. The probability
is taken over the random coins of KGen,Encaps, and Punc.
Definition 13 (Extended Correctness of BFKEM). For all λ, m, k, n N
and any (pk,sk0)KGen(λ, m, k), we require that for any (arbitrary inter-
leaved) sequence of invocations of skiPunc(ski1, Ci1), where i[n]and
(Ci1,ki1)Encaps(pk), it holds that:
(a) Impossibility of false-negatives: Decaps(skn, Cj1) = , for all j[n].
(b) Correctness of the initial secret key: Pr [Decaps(sk0, C)6=k]ε(λ), for all
(C, k)Encaps(pk)and εis a negligible function in λ.
(c) Semi-correctness of punctured secret keys: if Decaps(skj, C)6=then
Pr[Decaps(skj, C)6=Decaps(sk0, C) ] ε(λ), for all j[n], any C, and εis
a negligible function in λ.
All probabilities are taken over the random coins of KGen,Punc,and Encaps. The
difference to [DGJ+18] is that we allow for a negligible error in (b) and (c).
Definition 14 (Separable Randomness of BFKEM). For all λ, m, k N,
for (pk,·)KGen(λ, m, k), a BFKEM BFKEM has the property separable ran-
domness if the encapsulation algorithm Encaps can be written as
(C, k)Encaps(pk) = Encaps(pk; (r, k)),
for some (r, k)∈ R × K, for randomness space R={0,1}ρ× · ·· × {0,1}ρ
| {z }
key space Kof BFKEM, for large-enough integer ρ. Hence, pk, r and kas input
to deterministic Encaps uniquely determine (C, k). The difference to [DGJ+18]
is that we extend the randomness space as input to Encaps.
Definition 15 (Publicly-Checkable Puncturing of BFKEM). For all
λ, m, k, ` N,BFKEM has the publicly-checkable puncturing property if
there exists a PPT algorithm CheckPunc such that after running (pk,sk0)
KGen(λ, m, k),(Ci1,ki1)Encaps(pk), and skiPunc(ski1, Ci1), for
i[`], we have that
Pr [Decaps(sk`, C) = 6CheckPunc(pk,L, C) = ]ε(λ),
holds, for L= (C0, . . . , C`1), for any C, and εis a negligible function in λ.
The probability is taken over the random coins of KGen,Punc,and Encaps.
Definition 16 (γ-Spreadness of BFKEM). For all λ, m, k, ρ N,
a BFKEM BFKEM with separable randomness is γ-spread, if for any
(pk,·)KGen(λ, m, k), any keys k∈ K,r← R, and any C∈ C, where Rand
Care the randomness and ciphertext spaces of BFKEM, respectively, we have
that Pr[(C, ·) = Encaps(pk; (r, k))] 2γholds, where the probability is taken
over the random coins of KGen.
BFKEM-IND-CPA and BFKEM-IND-CCA security. We say a BFKEM
BFKEM is BFKEM-IND-CPA or BFKEM-IND-CCA secure if and only if any
PPT adversary Ahas only negligible advantage in the following security experi-
ments. First, Agets an honestly generated public key pk as well as a ciphertext-
key pair (C,k
b), for (C,k0)Encaps(pk), for k1$K, and for b${0,1}.
Furthermore, Ahas access to Punc0-, Cor-, and Decaps0-oracle (with initially
empty set Lwith `:= 0 and the latter oracle only in the BFKEM-IND-CCA-
security experiment):
Punc0(C): on input C, set L:= L∪{C}and `:= `+ 1, compute sk`
Punc(sk`1, C), store and return sk`.
Cor :if C∈ L, then return sk`, else outputs .
Decaps0(C): on input C, if C6=C, then return Decaps(sk0, C), else return .
Eventually, Aoutputs a guess b0. Finally, if b=b0, then the experiment outputs
1. The formal experiments are depicted in Figure 12.
Definition 17. For any PPT adversary Aand all λ, m, k N, the advantage
BFKEM,A (λ, m, k) := PrhExpbfkem-ind-y
BFKEM,A (λ, m, k) = 1i1
for y∈ {cpa,cca}, are negligible in λ, where the experiments Expbfkem-ind-y
BFKEM,A (λ, m, k)
are given in Figure 12 and BFKEM is a BFKEM.
5.1 IBE with Negligible from Non-Negligible Correctness Error
We follow the approach for randomized PKE schemes in Section 3.2 adapted
for the IBE case (cf. Figure 13).3Let IBE = (KGen,Ext,Enc,Dec)be an IBE
3We explicitly mention that we are only concerned with randomized IBEs. Adopting
Cp,dfor deterministic IBEs will work as well. Though in the latter case, one can
further optimize the compiler depending on whether the IBE has deterministic or
randomized key extraction Ext.
Exp. Expbfkem-ind-y
BFKEM,A (λ,m,k)
(pk,sk0)KGen(λ, m, k)
b0APunc0(·),Cor,Decaps0(·)(pk, C,k
if b=b0then return 1else return 0
Fig. 12. BFKEM-IND-ysecurity experiments for BFKEM, for y∈ {CPA,CCA}.
The differences between BFKEM-IND-CPA and BFKEM-IND-CCA are given by
Enc0(mpk,id , M )
for i[`]
CiEnc(mpk,id , M ;ri)
return (C1,...,C`)
Dec0(usk id , C)
C=: (C1,...,C`)
for i[`]
i:= Dec(usk id , Ci)
return maj(M0
Fig. 13. Compiler for Enc0and Dec0for constructing an IBE scheme IBE0with negligible
correctness error from an IBE scheme IBE with non-negligible correctness error.
scheme with identity, message spaces, and randomness spaces ID,M, and R,
respectively, with non-negligible correctness error δ(λ), we construct an IBE
scheme IBE0= (KGen0,Ext0,Enc0,Dec0)with identity and message spaces ID0:=
ID and M0:= M, respectively, with negligible correctness error δ0(λ). The
construction is as follows. Set KGen0:= KGen and Ext0:= Ext while Enc0and
Dec0are given in Figure 13. See that `=`(λ)can be chosen appropriately to
accommodate a negligible correctness error δ0(λ).
As for randomized PKE schemes, by an analogue of Theorem 1for IBEs with
q=`and n= 1, the security claim follows:
Corollary 2. For any IBE-sIND-CPA adversary Bagainst IBE0obtained via
applying the above transformation to IBE, there exists an IBE-sIND-CPA adver-
sary Asuch that
IBE0,B (λ)`·Advibe-sind-cpa
IBE,A (λ).
The correctness-error analysis is again equivalent to the one in the PKE scenario.
We refer to Section 3.2 for a more in-depth discussion.
5.2 BFKEM from IBE with Negligible Correctness Error
The intuition for our generic construction from any IBE scheme IBE with negli-
gible correctness error is as follows. We associate “user-secret keys” of IBE with
the indexes i[m]of the Bloom filter BF and annotate sk0
0as a special key for
“fixed identity” 0. We consider the encapsulation key as k= (k0,k1)where the
first share is encrypted under “identity” 0 (yielding C0
0) while the other share
KGen(λ, m, k):
(H, T0)BFGen(m, k)
id Ext(msk,id ),id [m]∪ {0}
pk := (mpk, H),sk := (T0,(sk0
id )id )
return (pk,sk0)
Punc(ski1, C):
(T, sk0
id )id[m]) := ski1
(C0, . . .) := C
T0:= BFUpdate(H, T , C0)
id := (sk0
id if T0[id ] = 0,
if T0[id ] = 1,
return (T0,sk0
id )id[m])
(mpk, H) := pk with (Hj)j[k]:= H
id j:= Hj(C0), for all j[k]
CidjEnc(mpk,id j,k1)
return ((C0,(Cidj)j),(k0,k1))
Decaps(ski, C):
(T, (sk0