Douglas Stebila

On the multi-target security of post-quantum key encapsulation mechanisms

Summary of security results on the salted Fujiaki–Okamoto (SFO) transform

Abstract

Practical deployments of key encapsulation mechanisms (KEMs) may entail large servers each using their public keys to communicate with potentially millions of clients simultaneously. While the standard IND-CCA security definition for KEMs considers only a single challenge public key and single challenge ciphertext, it can be relevant to consider multi-target scenarios where the adversary aims to break one of many challenge ciphertexts, for one of many challenge public keys. Many post-quantum KEMs have been built by applying the Fujisaki-Okamoto (FO) transform to a public key encryption (PKE) scheme. Although the FO transform incurs only a few bits of security loss for the standard, single-challenge IND-CCA property, this does not hold in the multi-target setting. Attacks have been identified against standards-track FO-based KEMs with 128-bit message spaces (FrodoKEM-640 and HQC-128) which become feasible if the adversary is given many challenge ciphertexts. These attacks exploit the deterministic encryption induced by the FO transform which allows the IND-CCA experiment to be reduced to a search problem on the message space, which in some cases may not be large enough to avoid collisions between pre-computation and challenge values. A cost effective way to amplify the hardness of this search problem is to add a random but public salt during encapsulation. While revised versions of FrodoKEM and HQC have used salts, there has been no proof showing that salting provides multi-ciphertext security. In this work, we formally analyze a salted variant of the Fujisaki-Okamoto transform, in the classical and quantum random oracle model (ROM); for the classical ROM, we show that multi-target IND-CCA security of the resulting KEM tightly reduces to the multi-target IND-CPA security of the underlying PKE. Our results imply that, for FrodoKEM and HQC at the 128-bit security level, replacing the FO transform with the salted variant can recover 62 bits of multi-target security, at the cost of a very small overhead increase.

Keywords: Fujisaki–Okamoto transform, key exchange, quantum random oracle model, post-quantum, multi-challenge security, FrodoKEM

Reference

Lewis Glabush, Kathrin Hövelmanns, Douglas Stebila. On the multi-target security of post-quantum key encapsulation mechanisms. Technical report. October 2025.

Download

BibTeX

@misc{EPRINT:GlaHovSte25,
 	Author = {Lewis Glabush and Kathrin H{\" o}velmanns and Douglas Stebila},
 	Month = oct,
 	Note = {\url{https://eprint.iacr.org/2025/343}},
 	Title = {On the multi-target security of post-quantum key encapsulation mechanisms},
 	Year = {2025}
 }

Funding

• Natural Sciences and Engineering Research Council of Canada (NSERC) Discovery grant RGPIN-2022-03187
• NSERC Alliance grant ALLRP 578463-22
• NWO VENI grant (Project No. VI.Veni.222.397)