## Motivation

Let us consider asymmetric cryptography. We want to encrypt and decrypt a message with a public/secret keypair.

We have an encryption step using the public key of the communication partner and a decryption step using your own secret key. To perform a decryption step, some untrusted communication entity provides the ciphertext (i.e. encrypted message). Since that entity is untrusted, the party can modify this ciphertext and the cryptosystem needs to ensure that no secret data is leaked because faulty ciphertext might be processed. We want to be secure against chosen ciphertext attacks. IND-CCA2 is a security property ensuring this.

In particular, IND-CPA (“chosen plaintext attack”) is the weakest notion of security, we consider. IND-CCA1 (“indistinguishability against a-priori chosen-ciphertext attacks”) is stronger, because the adversary is allowed to access the decryption oracle before the challenge ciphertext is given. IND-CCA2 (“indistinguishability against a-posteriori chosen-ciphertext attacks”) allows the adversary to access the decryption oracle even after the challenge ciphertext is given (but must not use the challenge ciphertext obviously). IND-CCA2 is abbreviated as IND-CCA.

Naturally, in PQCRYPTO all schemes want to achieve IND-CAA2 security. But how? Many schemes are specified only with IND-CPA security in mind and the Fujisaki-Okamoto transform does the remaining part to reach IND-CCA2 security.

## The paper

In 1999, E. Fujisaki and T. Okamoto (FO) [fo99] described a transform of a weak symmetric and asymmetric encryption scheme into a hybrid scheme secure against chosen-ciphertext attacks. After the transform, they also provided a proof of the claimed security properties and implementations for two schemes. Be aware, that the paper [fo99] is the original one, but we discuss the paper from 2013 [fo13]. It is an update, or as the authors put it:

“This is the full version of the paper by fixing bugs and providing a clean, formal proof associated with a better security bound.”

One difference is that [fo99] requires the symmetric encryption scheme to be deterministic and bijective, but such restrictions have been removed in [fo13]. In this article I am only going to sum up the transform itself.

[fo99] | (1, 2, 3) Fujisaki, E., & Okamoto, T. (1999, August). Secure integration of asymmetric and symmetric encryption schemes. In Annual International Cryptology Conference (pp. 537-554). Springer, Berlin, Heidelberg. |

[fo13] | (1, 2, 3) Fujisaki, E., & Okamoto, T. (2013). Secure integration of asymmetric and symmetric encryption schemes. Journal of cryptology, 26(1), 80-101. |

## An IND-CCA2 secure scheme

We define a hybrid encryption scheme Π^{hy} = (K^{hy}, E^{hy}, D^{hy}) which will satisfy desired security properties.
The scheme is built using a symmetric and an asymmetric encryption scheme.

### Asymmetric encryption scheme

Let Π^{asym} = (K^{asym}, E^{asym}, D^{asym}) be the asymmetric encryption scheme.
Let k be sufficiently large.

- K
^{asym}is a polynomial-time (in k), probabilistic algorithm. Given 1^{k}, it returns (pk, sk) which is a pair of public/secret keys respectively. - E
^{asym}is a polynomial-time (in k), probabilistic algorithm. Given public key pk, message x and seed r, it returns ciphertext y. - D
^{asym}is a polynomial-time (in k), deterministic algorithm. Given secret key sk and ciphertext y, it returns x := D_{sk}(y).

**Properties:**

- Seed r must be uniformly distributed.
- The correctness property must be satisfied by Π
^{asym}: ∀ k ∈ ℕ ∀ (pk, sk) of K^{asym}(1^{k}) ∀ x: D^{asym}(sk, E^{asym}(pk, x; r)) = x. - Any adversary cannot
*entirely*decrypt the encryption of a random plaintext. Here “not entirely” means that that ω(log k) bits of the plaintext are infleasible to determine. Thus, if k increases an adversary's advantage over guessing the decryption vanishes superpolynomial.

### Symmetric encryption scheme

Let Π^{sym} = (K^{sym}, E^{sym}, D^{sym}) be the symmetric encryption scheme. Let k be sufficiently large.

- E
^{sym}is a polynomial-time (in k), probabilistic algorithm. Given secret key a, message x and seed r, it returns ciphertext y. - D
^{sym}is a polynomial-time (in k), deterministic algorithm. Given secret key a and ciphertext y, it returns message x.

**Properties:**

- Seed r must be uniformly distributed.
- The correctness property must be satisfied by Π
^{sym}: ∀ k ∈ ℕ ∀ a ∀ x: D^{sym}(a, E^{sym}(a, x); r) = x.

### The hybrid scheme

Let G and H be two hash functions. G maps a finite binary string into the key space of the symmetric scheme. H maps two finite binary strings into the space of random seeds for the asymmetric scheme. In the security proofs, G and H are considered to be random oracles.

**Key Generation:** KG(1^{k})

- (pk, sk) := K
^{asym}(1^{k}) - Return (pk, sh)

**Encryption:** Enc(pk, m)

- σ samples uniformly from the asymmetric message space
- c := E
^{sym}(G(σ), m) - e := E
^{asym}(pk, σ; H(σ, c)) - Return e ∥ c

**Decryption:** Dec(sk, e ∥ c)

- (e, c) := e ∥ c
- If admissible, continue
- else, return ε

- σ' := D
^{asym}(sk, e)- If admissible, continue
- else, return ε

- a' := G(σ')
- h' := H(σ', c)
- Test whether e == E
^{asym}(pk, σ'; h')- If yes, return D
^{sym}(a', c) - else, return ε

- If yes, return D

**Properties:**

- Fail symbol ε must be the same in all cases
- Ciphertext “e ∥ c” is emitted into the public and might be modified, right? Consider its manipulation.
- Then either step 1.2, 2.2, or 5.2. is going to be triggered and thus a failure will be reported.
- Really? Why can I not create fake “e ∥ c” values? If so, we need to ensure “e == E
^{asym}(pk, D^{asym}(sk, e); H(D^{asym}(sk, e), c))” which is obviously difficult to achieve and seemingly requires knowledge of sk.

- The reencryption step in step 5 in the Decryption is computationally expensive in practice.
- Theorem 6.1 in [fo13] is the fundamental theorem proving IND-CCA security
- As pointed out in section 1.3, this framework is different of the KEM structure we frequently use in post-quantum cryptography. KEMs enable the sender to create encrypted session keys independent of messages and thus generate keys ”on the fly“.

An another interesting quote:

“Any asymmetric encryption scheme can be converted to an asymmetric encryption scheme with ω(log k)-spread, and a one-time secure symmetric encryption scheme can be constructed by extending private key a to a pseudo random string with the same length of message m (via a pseudo random generator) and xoring it with m. Therefore, the above transformation provides a generic conversion from any one-way asymmetric encryption scheme to an IND-CCA asymmetric encryption scheme.”

## FO transform continued

We have seen a transform to create IND-CCA2 secure schemes in the random oracle model. But what about the quantum random oracle model? For those unfamiliar with the terminology: the question is “is it secure on quantum computers?”.

The following papers are follow-ups:

- Targhi and Unruh [tu] gave a variant of this transform and showed IND-CCA security against a quantum adversary in the quantum random oracle
- Hofheinz et al. [hhk] gave a variant which does not imply perfect correctness for the public key encryption scheme. This makes it possible to apply it to LWE schemes.
- Jiang et al. [j18] introduced a novel proof technique and presented QROM security reductions.

The lattice-based LPR schemes NewHope, Kyber, and Saber are built on top of [hhk].

[tu] | Targhi, E. E., & Unruh, D. (2016, November). Post-quantum security of the Fujisaki-Okamoto and OAEP transforms. In Theory of Cryptography Conference (pp. 192-216). Springer, Berlin, Heidelberg. |

[hhk] | (1, 2) Hofheinz, D., Hövelmanns, K., & Kiltz, E. (2017, November). A modular analysis of the Fujisaki-Okamoto transformation. In Theory of Cryptography Conference (pp. 341-371). Springer, Cham. |

[j18] | Jiang, H., Zhang, Z., Chen, L., Wang, H., & Ma, Z. (2018, August). IND-CCA-secure key encapsulation mechanism in the quantum random oracle model, revisited. In Annual International Cryptology Conference (pp. 96-125). Springer, Cham. |

## Metadata

### Outline of the 1999 paper

### Outline of the 2013 paper

Limited to a maximum depth of 2.

### Definitions in the 2013 paper

All of them in section 5 (thus they have identifier “5.N” in the paper):

- One-Way Encryption
- γ-spread
- IND-CCA in RO (“indistinguishability in chosen-ciphertext attacks” in the “random oracle” model)
- OT (one-time security)