Fujisaki-Okamoto U Transform
This file defines the U-transform family on top of the T-transform oracle world.
A reusable FO hash world packages the public hash-oracle interface together with the variant-specific ways of deriving encryption coins and shared keys.
- QueryCache : Type
- initCache : self.QueryCache
- queryImpl : QueryImpl hashOracleSpec (StateT self.QueryCache ProbComp)
Rejection behavior is factored out from the FO hash world so explicit and implicit rejection share the same core construction.
- FallbackState : Type
- keygen : ProbComp self.FallbackState
- onReject : self.FallbackState → C → Option K
Explicit rejection returns none and carries no extra secret state.
Implicit rejection stores a PRF key and derives a fallback shared key from the ciphertext.
Bundled subprobabilistic semantics for an FO hash world, obtained by hiding the variant-specific cache after running the public-randomness-plus-hash simulation.
Full public-randomness runtime for an FO hash world.
Generic FO construction parameterized by a hash world and a rejection policy.
The public hash-oracle interface for the two-RO U-transform: one oracle derives encryption coins from plaintexts and the other derives shared keys from the chosen derivation input.
The full oracle world for the U-transform, consisting of unrestricted public randomness plus the two public hash oracles.
Cache state for the U-transform's two lazy random oracles.
Lazy random oracle for encryption coins, threaded through the combined U-transform state.
Lazy random oracle for key derivation, threaded through the combined U-transform state.
Query implementation for the full two-RO FO hash world.
Two-RO FO hash world: one oracle derives coins from the message, the other derives the shared key from a variant-chosen encoding of (m, c).
The generic two-RO U-transform family. The argument kdInput chooses whether the shared key is derived from m, (m, c), or some other encoding of the recovered plaintext and ciphertext.
If each of the two U-transform oracle families is assigned a constant weight, encapsulation incurs exactly the sum of those family weights.
Under per-family upper bounds on the two U-transform oracle families, encapsulation incurs weighted query cost at most the sum of those bounds.
Unit-cost specialization: U-transform encapsulation always makes exactly two oracle queries, one to derive coins and one to derive the shared key.
Expected weighted query cost of U-transform encapsulation under constant per-family weights.
Expected weighted query cost of U-transform encapsulation is bounded by the sum of the per-family bounds.
Expected query count of U-transform encapsulation is exactly 2.
If deterministic decryption fails immediately, U-transform decapsulation incurs zero weighted query cost.
Under per-family upper bounds on the two U-transform oracle families, decapsulation incurs weighted query cost at most the sum of those bounds.
If deterministic decryption fails immediately, decapsulation has expected weighted query cost 0.
Expected weighted query cost of U-transform decapsulation is bounded by the sum of the per-family bounds.
Unit-cost specialization: U-transform decapsulation makes at most two oracle queries.
Expected query count of U-transform decapsulation is at most 2.
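The query counts stated above can be observed on a small executable model of the construction, with both rejection policies and a pluggable key-derivation input. This Python is an added example, not the formalization's own code. Assumptions: a toy ElGamal PKE with insecure parameters, HMAC-SHA256 as the PRF, the standard FO re-encryption check in decapsulation, and all names (`LazyRO`, `pke_enc`, `pke_dec`, `encaps`, `decaps`, `kd_input`) are hypothetical.

```python
# Added illustration; names and the toy PKE are assumptions, not the page's code.
import hashlib, hmac, secrets

P, G = 2**127 - 1, 3   # toy ElGamal group: assumption for the demo, not secure

class LazyRO:
    """Lazy random oracle: sample on first query, answer from the cache after."""
    def __init__(self):
        self.cache, self.queries = {}, 0
    def __call__(self, x):
        self.queries += 1
        if x not in self.cache:
            self.cache[x] = secrets.token_bytes(32)
        return self.cache[x]

def pke_enc(pk, m, coins):   # derandomized: all randomness comes from `coins`
    r = int.from_bytes(coins, "big") % (P - 1)
    return pow(G, r, P), m * pow(pk, r, P) % P

def pke_dec(sk, c):          # deterministic; None on a malformed ciphertext
    c1, c2 = c
    if not (0 < c1 < P and 0 < c2 < P):
        return None
    return c2 * pow(c1, -sk, P) % P

# Rejection policies as (keygen, on_reject) pairs, after the page's structure.
EXPLICIT = (lambda: None, lambda s, c: None)
IMPLICIT = (lambda: secrets.token_bytes(32),            # PRF key
            lambda s, c: hmac.new(s, repr(c).encode(), hashlib.sha256).digest())

def keygen(policy):
    sk = secrets.randbelow(P - 2) + 1
    pk = pow(G, sk, P)
    return pk, (pk, sk, policy[0]())

def encaps(pk, coin_ro, key_ro, kd_input):
    m = secrets.randbelow(P - 1) + 1
    c = pke_enc(pk, m, coin_ro(m))             # query 1: coins from the plaintext
    return c, key_ro(kd_input(m, c))           # query 2: key from the chosen encoding

def decaps(secret, c, coin_ro, key_ro, kd_input, policy):
    pk, sk, s = secret
    m = pke_dec(sk, c)
    if m is None:                              # immediate failure: no oracle query
        return policy[1](s, c)
    if pke_enc(pk, m, coin_ro(m)) != c:        # re-encryption check: one query
        return policy[1](s, c)
    return key_ro(kd_input(m, c))              # accepted: second query
```

Passing `lambda m, c: m` or `lambda m, c: (m, c)` as `kd_input` selects the key-derivation variant; the `queries` counter on each `LazyRO` gives the per-family query count.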
Runtime bundle for the two-RO U-transform oracle world.
The generic U-transform CCA bound. The proof is intentionally deferred, but the reduction artifacts are now existentially quantified rather than passed in as unrelated inputs.