IND-CCA Security of Kyber in the Quantum Random Oracle Model, Revisited

In this paper, we answer the open question pointed out by Grubbs et al. (EUROCRYPT 2022) and Xagawa (EUROCRYPT 2022), i.e., the $$\textit{concrete}$$ $$\textsf{IND}$$ - $$\textsf{CCA}$$ security proof of $$\textsf{Kyber}$$ . In order to add robustness, $$\textsf{Kyber}$$ uses a slightly tweaked Fujisaki-Okamoto (FO) transformation. Specifically, it uses a “double-nested-hash” to generate the final key. This makes the proof techniques (Jiang et al., CRYPTO 2018) of proving standard FO transformation invalid. Hence, we develop a novel approach to overcome the difficulties, and prove that $$\textsf{Kyber}$$ is $$\textsf{IND}$$ - $$\textsf{CCA}$$ secure in the quantum random oracle model (QROM) if the underlying encryption scheme is $$\textsf{IND}$$ - $$\textsf{CPA}$$ secure. Our result provides a solid quantum security guarantee for the post-quantum cryptography standard of NIST competition, $$\textsf{Kyber}$$ algorithm.