Fujisaki–Okamoto Verification
- Fujisaki–Okamoto verification is defined as the check that a ciphertext equals the reencryption of its candidate message, ensuring decapsulation correctness.
- It is integral to schemes like Kyber and ML-KEM, where the re-encrypt-and-compare step determines whether to accept a key or trigger fallback handling.
- The analysis combines proof-theoretic justifications in ROM/QROM with practical insights, highlighting potential side-channel vulnerabilities in hardware implementations.
Searching arXiv for papers on Fujisaki–Okamoto verification and related FO analyses. Fujisaki–Okamoto (FO) verification is the decapsulation acceptance test that checks whether an incoming ciphertext is consistent with the deterministic reencryption implied by an FO-transformed public-key encryption scheme. In the standard explicit-reject formulation, decapsulation decrypts to a candidate message and accepts only if the ciphertext equals a reencryption of under random-oracle-derived randomness; otherwise it rejects, or in implicit-reject variants derives a fallback key instead (Hövelmanns et al., 2022). In ML-KEM/Kyber, FO verification is the re-encrypt-and-compare step inside decapsulation (Ranney et al., 30 Jun 2026). More recent work treats FO verification not only as an algorithmic check, but also as a proof object in ROM/QROM reductions, a target of black-box decapsulation certification, and a practical side-channel hotspot in hardware (Jiménez, 3 Jun 2026).
1. Formal role in FO-transformed KEMs
In the syntax analyzed for explicit-reject FO, one starts from a randomized public-key encryption scheme with message space , randomness space , and random oracles . The PKE is first derandomized with : and decryption performs an acceptance check: The corresponding explicit-reject FO KEM encapsulates by sampling 0, computing 1, and setting 2; decapsulation outputs 3 only if the reencryption check succeeds, and otherwise returns 4 (Hövelmanns et al., 2022).
Within this formulation, FO verification is exactly the predicate
5
It formalizes whether decapsulation is self-consistent with honest encapsulation. This check is the point at which the FO transform turns a weakly secure, randomized PKE into a KEM with chosen-ciphertext resistance. A plausible implication is that FO verification should be understood as the cryptographic boundary between mere decryption and accepted decapsulation: before the check, 6 is only a candidate plaintext; after the check, it becomes an admissible source for key derivation.
The same literature distinguishes two rejection semantics. In explicit reject, decapsulation returns 7 whenever 8 or the reencryption check fails. In implicit reject, decapsulation always returns a key, typically by substituting a pseudorandom fallback such as 9 on failure (Hövelmanns et al., 2022). This distinction is proof-relevant and implementation-relevant: explicit reject is the object of direct QROM analysis, while implicit-reject variants are related to it by tight reductions.
2. Instantiation in Kyber and ML-KEM decapsulation
In ML-KEM/Kyber, FO verification appears as the decapsulation comparison between the received ciphertext 0 and a recomputed ciphertext 1. The algorithmic structure summarized for ML-KEM decapsulation is
2
Here the FO verification is the equality test “if 3 then …”, and the key-selection logic realizes implicit rejection by replacing the “good” key with 4 on failure (Ranney et al., 30 Jun 2026).
For software-style constant-time code, the comparison is implemented as a masked equality test over all ciphertext bytes, followed by a constant-time conditional move between the candidate key and the implicit-rejection key. In the hardware study, the unprotected comparison is represented by a sequential byte-wise XOR/OR loop on a Cortex-M4 and by chunk-wise parallel comparison modules on FPGA, with 32-bit, 128-bit, and 512-bit datapaths (Ranney et al., 30 Jun 2026). The formal verification condition remains the same across these implementations; what changes is the physical realization of the compare-and-select logic.
This ML-KEM formulation shows that FO verification is not an auxiliary check added after decapsulation. It is the terminal condition that determines whether the decapsulation output is interpreted as a valid shared secret or replaced by the rejection path. In implementation terms, this makes FO verification the last semantic gate before key confirmation.
3. Decryption failures and QROM verification theory
The main proof-theoretic complication in FO verification is decryption failure. A decryption failure is any event in which, for some 5, message 6, and randomness 7,
8
or yields 9. In FO, the relevant ciphertexts are specifically of the form
0
because those are the ciphertexts produced by encapsulation and reencryption in the transform (Hövelmanns et al., 2022).
Earlier QROM analyses bounded the gap between real and simulated decapsulation by a correctness game in which the adversary was given 1 and had to find a failing plaintext. This produced a Grover-style loss of order
2
typically written as 3, where 4 is the number of random-oracle queries (Hövelmanns et al., 2022). The later analysis in "Failing gracefully" replaces that modeling with three games: 5, 6, and 7. The key structural decomposition is
8
Here 9 isolates key-independent failures, while 0 measures non-generic, key-dependent structure (Hövelmanns et al., 2022).
The corresponding QROM FO reduction for explicit reject has the form
1
where 2 is the spreadness parameter and 3 is the number of decapsulation queries (Hövelmanns et al., 2022). Two consequences are emphasized in that analysis. First, the dominant failure term grows at most linearly in 4, or logarithmically under a better tail bound, rather than quadratically. Second, the multiplicative factor on the failure terms is 5, not 6, so exploitation of decryption failures is bottlenecked by decapsulation queries rather than by random-oracle queries.
This verification theory reorients FO analysis away from a single worst-case correctness parameter and toward a split between statistical failure tails and computational hardness of key-dependent failure-finding. A plausible implication is that FO verification in QROM is best viewed as a joint problem of reencryption consistency, transcript simulation, and failure-structure control, rather than as a single correctness lemma.
4. Compatibility with hybrid and quantum-enhanced designs
A later Kyber-based construction states that a CHSH-augmented design “remains fully compatible with the Fujisaki–Okamoto (FO) transform, preserving chosen-ciphertext attack (CCA) security and Kyber’s efficiency profile” (Cherkaoui et al., 15 Nov 2025). The paper gives the combined CCA bound
7
with 8 the number of random-oracle queries. Its account of FO is deliberately black-box: FO is not rewritten, and the main novelty lies in arguing that the CHSH layer does not disturb the conditions under which FO yields IND-CCA security.
The same source describes the CHSH mechanism as a quantum verification overlay that runs concurrently with classical Kyber encapsulation, while the classical ciphertext structure remains unchanged. It further states that CHSH data are not fed into FO hashes, and that FO-related randomness and hashing remain purely classical (Cherkaoui et al., 15 Nov 2025). This suggests that FO verification, in that hybrid setting, continues to mean the classical reencryption-and-compare check, while the CHSH layer acts as an additional physical certification signal rather than as an alteration of the FO transform itself.
Under that interpretation, FO compatibility means that the algebraic and distributional properties required by Kyber’s FO transform are preserved even when an independent quantum nonlocality test is composed with the protocol. The paper explicitly presents FO as the mechanism that still lifts an IND-CPA Module-LWE primitive to an IND-CCA KEM, with the novelty being that the underlying CPA hardness is now dual, combining Module-LWE and CHSH-linked hardness assumptions (Cherkaoui et al., 15 Nov 2025).
5. Honest-reference certification and what black-box FO tests can certify
A separate line of work studies FO verification as a black-box testing problem for confirmation-code-augmented KEMs. In that model, an honest-reference harness samples an instance
9
with hidden final-key point
0
and checks whether the system under test outputs the same shared key without ever revealing 1 or 2 directly (Jiménez, 3 Jun 2026). The relevant localized final-key query list is
3
and the central event is the list hit 4.
The main pass-probability theorem is
5
Thus acceptance is bounded by honest correctness error, adversarial aliasing, final-key freshness defects, a hit on the localized suffix list, and the fresh-key coincidence term 6 (Jiménez, 3 Jun 2026). The same paper proves a one-query optimality result: any predictor of 7 can be converted into a 1-localized system whose pass probability matches the predictor’s success probability up to the 8 term. In that sense, the list-hit event is the black-box obstruction actually measured by the harness.
The framework then provides two principal ways to bound the list-hit term. A cUP-faithful harness certificate transfers source confirmation-code unpredictability with a 9-loss, yielding
0
An alternative average conditional min-entropy argument gives
1
and for hashed diagnostic codes the bound becomes
2
The paper applies these theorems to ML-KEM and HQC, distinguishing theorem-covered positive rows, finite-catalog artifact rows, and non-certification rows carrying a cone-inactivity certificate (Jiménez, 3 Jun 2026).
The negative result is as important as the positive one. If the black-box observation factors through the confirmation-observable final-key target, then every operation outside the support-active dependency cone has a coupled erasure implementation with the same transcript distribution, and any execution certifier must satisfy
3
This means that nontrivial certification is information-theoretically impossible for operations outside that cone (Jiménez, 3 Jun 2026). FO verification tests can therefore certify only those operations that influence the hidden witness and the associated final-key target; they cannot certify arbitrary internal reencryption steps merely from black-box honest-reference observation.
6. Side-channel exposure of FO verification in hardware
In hardware-oriented work on ML-KEM, FO verification is identified as “the ‘re-encrypt-and-compare’ step inside decapsulation” and as one of the most sensitive points for side-channel leakage (Ranney et al., 30 Jun 2026). Three verification implementations are evaluated on both a microcontroller and an FPGA: unprotected comparison, hash-based first-order protection, and higher-order masked comparison. The paper reports that the higher-order masked designs still leak information about the underlying data due to hardware-level effects and data-dependent processing, and that their parallelized processing on FPGAs introduces sufficient first-order leakage for full secret-key recovery.
For the unprotected byte-wise comparison, the Cortex-M4 implementation measured with 8,000 traces per class achieved 4 and classification accuracy 5. On FPGA, widening the comparison path increased leakage sharply: the 32-bit design achieved 6 and 7 classification accuracy, the 128-bit design 8 and 9, and the 512-bit design 0 and 1 (Ranney et al., 30 Jun 2026). The explanation given is that, under wide parallel comparison, success traces have very low XOR Hamming weight while failure traces approach half the datapath width, and the variance averages out across many gates.
The hash-based countermeasure computes SHAKE-128 on 2 and 3 and compares the digests rather than the ciphertexts directly. The strongest leakage was found in the Rho/Pi subfunction within the first Keccak round, and a clustering-based classifier achieved 4 accuracy from a single time point. Randomizing the row-processing order within Keccak did not eliminate the leakage: the row order itself was recovered with 5 accuracy, enabling realignment and renewed classification (Ranney et al., 30 Jun 2026).
For higher-order masked comparison, the FPGA implementations of 4-share and 6-share GF-based reduction achieved classification accuracies of 6 and 7, respectively, both higher than the 8 classification reported for the microcontroller implementation of the same masking scheme. The reported area and throughput figures were 14,353 LUTs, 6,641 FFs, 5,345 slices, and 9 Gb/s for the 4-share FPGA design; 18,565 LUTs, 8,621 FFs, 6,975 slices, and 0 Gb/s for the 6-share design; and 1 Gb/s for the microcontroller implementation (Ranney et al., 30 Jun 2026). The paper’s conclusion is that countermeasures designed for serial microcontrollers do not carry over safely to parallel FPGAs, and that FO verification becomes a side-channel oracle whenever the success/failure condition can be physically distinguished.
These results place implementation-level FO verification in tension with proof-level FO verification. The transform’s security arguments assume that malformed ciphertexts do not reveal useful acceptance information beyond the defined output behavior; the hardware study shows that the re-encrypt-and-compare step can reintroduce precisely such an oracle through power or electromagnetic leakage (Ranney et al., 30 Jun 2026).