Tight Multi-Target Security for Key Encapsulation Mechanisms


Date

2024-09-04

Advisor

Stebila, Douglas

Publisher

University of Waterloo

Abstract

The use of symmetric encryption schemes requires that the communicating parties have access to a shared secret key. A key encapsulation mechanism (KEM) is a cryptographic tool for the secure establishment of such a key. The KEMs most commonly used at this time are vulnerable to adversaries with access to a large quantum computer. This project concerns KEMs that are resistant to all known quantum attacks, such as lattice-based schemes. A desirable property for any KEM is multi-target security, capturing the idea that security does not degrade below the targeted level as the number of users of a protocol or the amount of communication per user scales to a certain threshold. For schemes based on prime-order groups, multi-ciphertext security can be trivially reduced to single-ciphertext security using self-reducibility arguments, but these arguments are not available for lattice-based schemes. Indeed, one of the alternates in NIST’s post-quantum cryptography standardization project, FrodoKEM, was susceptible to simple attacks in the multi-target setting. The standard approach to building IND-CCA secure KEMs has been to start with an IND-CPA secure public key encryption scheme (PKE) and apply the Fujisaki-Okamoto transform (FO). In this paper, we introduce a new variant of the FO transform, called the salted FO transform (SFO), which adds a uniformly random salt to the generation of ciphertexts. We then show that the resulting KEMs have much tighter security bounds compared to their generic counterparts. We then apply our results to FrodoKEM to resolve the aforementioned simple attacks.
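As an added illustration that is not the thesis's own construction, the Python sketch below shows the FO-style encapsulate / re-encrypt / decapsulate structure and where a per-ciphertext salt can be bound into the derandomizing hash G and the key-derivation hash H. The toy ElGamal PKE, the inclusion of the public key in the hashes, and the exact hash inputs are assumptions for the demo, not the paper's definitions.

```python
import hashlib
import secrets

# Toy ElGamal over a small prime: a constructed stand-in for an IND-CPA PKE, not secure.
P = 2**61 - 1          # modulus (Mersenne prime)
G = 3                  # generator used for the demo

def keygen():
    x = secrets.randbelow(P - 2) + 1
    return pow(G, x, P), x                      # (pk, sk)

def enc(pk, m, r):
    """Encrypt group element m with explicit randomness r (derandomized by FO)."""
    return pow(G, r, P), (m * pow(pk, r, P)) % P

def dec(sk, ct):
    c1, c2 = ct
    return (c2 * pow(c1, P - 1 - sk, P)) % P    # c2 * c1^(-sk) via Fermat

def hsh(tag, *parts):
    """Domain-separated, length-prefixed hashing so (m, salt) boundaries are unambiguous."""
    h = hashlib.sha256(tag)
    for p in parts:
        b = p.to_bytes(8, "big") if isinstance(p, int) else p
        h.update(len(b).to_bytes(2, "big") + b)
    return h.digest()

def encaps(pk, salted=True):
    """FO-style encapsulation; with salted=True a fresh random salt is bound into G and H."""
    m = secrets.randbelow(P - 1) + 1
    salt = secrets.token_bytes(16) if salted else b""   # empty salt == plain FO
    r = int.from_bytes(hsh(b"G", pk, m, salt), "big") % (P - 1)
    ct = enc(pk, m, r)
    return (ct, salt), hsh(b"H", pk, m, *ct, salt)

def decaps(pk, sk, ct, salt):
    """Decrypt, re-encrypt with the recomputed randomness, implicitly reject on mismatch."""
    m = dec(sk, ct)
    r = int.from_bytes(hsh(b"G", pk, m, salt), "big") % (P - 1)
    if enc(pk, m, r) != ct:
        return hsh(b"R", sk, *ct, salt)         # implicit rejection: pseudorandom key
    return hsh(b"H", pk, m, *ct, salt)
```

Because the salt travels with the ciphertext and enters both hashes, a modified salt or ciphertext fails the re-encryption check and yields the rejection key rather than the session key.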

Keywords

Cryptography, Computer Science, MATHEMATICS::Applied mathematics::Theoretical computer science, MATHEMATICS::Other mathematics, Post-Quantum Cryptography, Lattice Cryptography
