Post-quantum Security of Key Encapsulation Mechanism Against CCA Attacks with a Single Decapsulation Query

ADVANCES IN CRYPTOLOGY, ASIACRYPT 2023, PT IV(2023)

Abstract
Recently, in the context of post-quantum cryptography migration, it has been shown that an IND-1-CCA-secure key encapsulation mechanism (KEM) suffices for replacing an ephemeral Diffie-Hellman (DH) exchange in widely-used protocols, e.g., TLS, Signal, and Noise. IND-1-CCA security is a notion similar to traditional IND-CCA security except that the adversary is restricted to a single decapsulation query. At EUROCRYPT 2022, building on CPA-secure public-key encryption (PKE), Huguenin-Dumittan and Vaudenay presented two IND-1-CCA KEM constructions called T-CH and T-H, which are much more efficient than the widely-used IND-CCA-secure Fujisaki-Okamoto (FO) KEMs. The security of T-CH was proved in both the random oracle model (ROM) and the quantum random oracle model (QROM). However, the QROM proof of T-CH relies on an additional ciphertext expansion. Meanwhile, the security of T-H was only proved in the ROM, and the QROM proof was left open. In this paper, we prove the security of T-H and T-RH (an implicit-rejection variant of T-H) in both the ROM and the QROM with much tighter reductions than Huguenin-Dumittan and Vaudenay's work. In particular, our QROM proof does not lead to ciphertext expansion. Moreover, for T-RH, T-H and T-CH, we also show that an O(1/q) (O(1/q^2), resp.) reduction loss is unavoidable in the ROM (QROM, resp.), and thus claim that our ROM proof is optimal in tightness. Finally, we make a comprehensive comparison among the relative strengths of IND-1-CCA and IND-CCA in the ROM and QROM.
Keywords
quantum random oracle model, key encapsulation mechanism, 1CCA security, tightness, KEM-TLS