
























Rongmao Chen, National University of Defense Technology
Yi Wang, National University of Defense Technology
Haodong Jiang, Information Engineering University
Xinyi Huang, Nanjing University of Aeronautics and Astronautics
Xiaofeng Chen, Xidian University
In the NIST post-quantum standardization process, Fujisaki-Okamoto-like (FO-like) transformation has become the de facto paradigm for constructing IND-CCA secure key encapsulation mechanisms (KEMs) from public-key encryption (PKE). However, most post-quantum PKE schemes exhibit decryption error, which poses significant challenges for the security proofs of FO-like PKE-to-KEM transformations, particularly in the quantum-accessible random oracle model (QROM). Hofheinz, Hövelmanns, and Kiltz (TCC 2017) gave the first QROM security proofs for PKE-to-KEM transformations under \textit{worst-case} decryption error. To relax this to the more designer-friendly one of \textit{average-case} decryption error, Duman et al. (PKC 2023) presented two transformations, $\mathsf{FOAC}_0$ and $\mathsf{FOAC}$, which are under average-case decryption error but introduce substantial loss in QROM reduction tightness ($\mathcal{O}(q^8)$ for $\mathsf{FOAC}_0$ and $\mathcal{O}(q^6)$ for $\mathsf{FOAC}$) and the need for the $\gamma$-spread assumption on the underlying PKEs. Very recently, Ge et al. (ePrint 2025) removed the $\gamma$-spread assumption for $\mathsf{FOAC}_0$ and improved the QROM reduction tightness to $\mathcal{O}(q^4)$ for both $\mathsf{FOAC}_0$ and $\mathsf{FOAC}$. In this work, we make further advances by introducing two refined variants: $\mathsf{FOAC}'_0$ and $\mathsf{FOAC'}$. We provide new security analyses in both the ROM and the QROM, and present the following key contributions: (1) Compared with previous transformations under average-case decryption error, $\mathsf{FOAC}'_0$ and $\mathsf{FOAC'}$ exhibit tighter security proofs with QROM reduction loss of only $\mathcal{O}(q^2)$ for $\mathsf{FOAC}'_0$ and $\mathcal{O}(q^3)$ for $\mathsf{FOAC'}$ when the underlying PKE is OW‑CPA secure, and just $\mathcal{O}(q)$ when it is deterministic or IND‑CPA security; (2) Both $\mathsf{FOAC}'_0$ and $\mathsf{FOAC'}$ eliminate the $\gamma$-spread assumption entirely, further relaxing the requirements on the underlying PKE. To support our QROM proofs, we provide three new QROM proof techniques that build on Zhandry's compressed oracle technique (CRYPTO 2019). These techniques may be of independent interest and could have broader applicability in post-quantum cryptography.
Note: Corrected minor typos.
BibTeX
@misc{cryptoeprint:2026/468,
author = {Jinrong Chen and Rongmao Chen and Yi Wang and Haodong Jiang and Cong Peng and Xinyi Huang and Debiao He and Xiaofeng Chen},
title = {Tighter Proofs for {PKE}-to-{KEM} Transformations under Average-Case Decryption Error and without $\gamma$-Spread},
howpublished = {Cryptology {ePrint} Archive, Paper 2026/468},
year = {2026},
url = {https://eprint.iacr.org/2026/468}
}
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。