1970-01-01

(2026-03) Tighter Proofs for PKE-to-KEM Transformations under Average-Case Decryption Error and without -gamma-Spread

[[Jinrong Chen]]
[[Rongmao Chen]]
[[Yi Wang]]
[[Haodong Jiang]]
[[Cong Peng]]
[[Xinyi Huang]]
[[Debiao He]]
[[Xiaofeng Chen]]

2026-03-06

Abstract

In the NIST post-quantum standardization process, Fujisaki-Okamoto-like (FO-like) transformation has become the de facto paradigm for constructing IND-CCA secure key encapsulation mechanisms (KEMs) from public-key encryption (PKE). However, most post-quantum PKE schemes exhibit decryption error, which poses significant challenges for the security proofs of FO-like PKE-to-KEM transformations, particularly in the quantum-accessible random oracle model (QROM). Hofheinz, Hövelmanns, and Kiltz (TCC 2017) gave the first QROM security proofs for PKE-to-KEM transformations under \textit{worst-case} decryption error. To relax this to the more designer-friendly one of \textit{average-case} decryption error, Duman et al. (PKC 2023) presented two transformations, $\mathsf{FOAC}_0$ and $\mathsf{FOAC}$ , which are under average-case decryption error but introduce substantial loss in QROM reduction tightness ( $\mathcal{O}(q^8)$ for $\mathsf{FOAC}_0$ and $\mathcal{O}(q^6)$ for $\mathsf{FOAC}$ ) and the need for the $\gamma$ -spread assumption on the underlying PKEs. Very recently, Ge et al. (ePrint 2025) removed the $\gamma$ -spread assumption for $\mathsf{FOAC}_0$ and improved the QROM reduction tightness to $\mathcal{O}(q^4)$ for both $\mathsf{FOAC}_0$ and $\mathsf{FOAC}$ .

In this work, we make further advances by introducing two refined variants: $\mathsf{FOAC}'_0$ and $\mathsf{FOAC'}$ . We provide new security analyses in both the ROM and the QROM, and present the following key contributions: (1) Compared with previous transformations under average-case decryption error, $\mathsf{FOAC}'_0$ and $\mathsf{FOAC'}$ exhibit tighter security proofs with QROM reduction loss of only $\mathcal{O}(q^2)$ for $\mathsf{FOAC}'_0$ and $\mathcal{O}(q^3)$ for $\mathsf{FOAC'}$ when the underlying PKE is OW‑CPA secure, and just $\mathcal{O}(q)$ when it is deterministic or IND‑CPA security; (2) Both $\mathsf{FOAC}'_0$ and $\mathsf{FOAC'}$ eliminate the $\gamma$ -spread assumption entirely, further relaxing the requirements on the underlying PKE.

To support our QROM proofs, we provide three new QROM proof techniques that build on Zhandry's compressed oracle technique (CRYPTO 2019). These techniques may be of independent interest and could have broader applicability in post-quantum cryptography.