Paper 2025/062

Treating dishonest ciphertexts in post-quantum KEMs -- explicit vs. implicit rejection in the FO transform

Kathrin Hövelmanns, Eindhoven University of Technology
Mikhail Kudinov, Eindhoven University of Technology
Abstract

We revisit a basic building block in the endeavor to migrate to post-quantum secure cryptography, Key Encapsulation Mechanisms (KEMs). KEMs enable the establishment of a shared secret key, using only public communication. When targeting chosen-ciphertext security against quantum attackers, the go-to method is to design a Public-Key Encryption (PKE) scheme and then apply a variant of the PKE-to-KEM conversion known as the Fujisaki-Okamoto (FO) transform, which we revisit in this work. Intuitively, FO ensures chosen-ciphertext security by rejecting dishonest messages. This comes in two flavors -- the KEM could reject by returning 'explicit' failure symbol $\bot$ or instead by returning a pseudo-random key ('implicit' reject). During the NIST post-quantum standardization process, designers chose implicit rejection, likely due to the availability of security proofs against quantum attackers. On the other hand, implicit rejection introduces complexity and can easily deteriorate into explicit rejection in practice. While it was proven that implicit rejection is not less secure than explicit rejection, the other direction was less clear. This is relevant because the available security proofs against quantum attackers still leave things to be desired. When envisioning future improvements, due to, e.g., advancements in quantum proof techniques, having to treat both variants separately creates unnecessary overhead. In this work, we thus re-evaluate the relationship between the two design approaches and address the so-far unexplored direction: in the classical random oracle model, we show that explicit rejection is not less secure than implicit rejection, up to a rare edge case. This, however, uses the observability of random oracle queries. To lift the proof into the quantum world, we make use of the extractable QROM (eQROM). As an alternative that works without the eQROM, we give an indirect proof that involves a new necessity statement on the involved PKE scheme.
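The two rejection flavors described above, as an added example that is not code from the paper: a Fujisaki-Okamoto-style KEM whose decapsulation either returns an explicit failure (None standing in for $\bot$) or a pseudo-random key derived from a secret seed. The underlying PKE, the hash helper `H` and all function names are constructed stand-ins (the toy "PKE" is keyed symmetrically and is not a secure scheme); only the FO wrapper logic is the point.

```python
import hashlib
import hmac
import os

def H(*parts: bytes) -> bytes:
    """Random-oracle stand-in: domain-separated SHA-256 over the parts (assumption)."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()

# Toy stand-in PKE (constructed, NOT secure: pk equals the decryption key).
# Enc(pk, m; r) = r || (m XOR H("enc", pk, r)); Dec recomputes the pad from r.
def pke_enc(pk: bytes, m: bytes, r: bytes) -> bytes:
    pad = H(b"enc", pk, r)
    return r + bytes(a ^ b for a, b in zip(m, pad))

def pke_dec(sk: bytes, c: bytes) -> bytes:
    r, body = c[:32], c[32:]
    pad = H(b"enc", sk, r)
    return bytes(a ^ b for a, b in zip(body, pad))

def keygen():
    pk = os.urandom(32)
    s = os.urandom(32)          # seed used only for implicit rejection
    return pk, (pk, s)          # secret key carries pk and the seed s

def encaps(pk: bytes):
    m = os.urandom(32)
    c = pke_enc(pk, m, H(b"G", m))   # derandomised encryption: r = G(m)
    return c, H(b"K", m, c)          # shared key K = H(m, c)

def decaps(sk, c: bytes, implicit: bool):
    pk, s = sk
    m = pke_dec(pk, c)
    # Re-encryption check: an honest ciphertext re-encrypts to itself.
    # Constant-time compare: a timing difference here would let an observer
    # tell rejection from acceptance, turning implicit rejection into explicit.
    if hmac.compare_digest(pke_enc(pk, m, H(b"G", m)), c):
        return H(b"K", m, c)
    if implicit:
        return H(b"K", s, c)    # pseudo-random key; deterministic per (s, c)
    return None                 # explicit rejection symbol
```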

Metadata
Available format(s): PDF
Category: Public-key cryptography
Publication info: Published elsewhere. PQCrypto 2025
Keywords: Post-quantum, Public-key encryption, Key Encapsulation, Fujisaki-Okamoto transform, QROM, NIST
Contact author(s): kathrin @ hoevelmanns net, mishel kudinov @ gmail com
History: 2025-01-15: received; 2025-01-16: approved
Short URL: https://ia.cr/2025/062
License: Creative Commons Attribution (CC BY)

BibTeX

@misc{cryptoeprint:2025/062,
      author = {Kathrin Hövelmanns and Mikhail Kudinov},
      title = {Treating dishonest ciphertexts in post-quantum {KEMs} -- explicit vs. implicit rejection in the {FO} transform},
      howpublished = {Cryptology {ePrint} Archive, Paper 2025/062},
      year = {2025},
      url = {https://eprint.iacr.org/2025/062}
}