# Tightly Secure PKE Combiner in the Quantum Random Oracle Model


## Abstract


## 1. Introduction

**Hybrid Cryptography and Combiners.** So-called classical–quantum hybrid cryptography, which combines classically secure and quantum-resistant algorithms to produce a new secure scheme, is a stopgap solution to the dilemma of the transition from classical to quantum-resistant cryptographic infrastructure: the need to secure data and communications now, versus the cost and time of a full transition. Harnik et al. [2] formalized this idea of combining algorithms as a $(k,n)$-robust combiner, where $n$ is the number of inputs and $k$ is the threshold of secure inputs required to achieve security. Hybrid combiners have been the subject of previous works for various primitives, such as Bindel et al. [3] on hybrid signatures and Bindel et al. [4] on hybrid key encapsulation mechanisms (KEMs) and hybrid authenticated key exchange.

**Our Contributions.** In this work, we present a (mostly) generic construction of a $(1,2)$-robust combiner for PKEs that preserves $\mathsf{IND}\text{-}\mathsf{CCA}$-security in the random oracle model and in the quantum random oracle model, which we call the Quantum Augmented KEM-DEM (or QuAKe) combiner. Furthermore, the security reduction of our construction is tight in both the classical and, more importantly, the quantum random oracle model. We achieve this with the use of two PKEs, one of which we require to be built from the KEM-DEM paradigm put forth by Cramer and Shoup [14], and a pair of random oracles, $\mathsf{Hash}_{1},\mathsf{Hash}_{2}$. Our construction relies on preventing an adversary from obtaining both the symmetrically encrypted message (together with a random seed) and the asymmetrically encapsulated key, by encrypting the symmetric ciphertext under the second PKE. As a result, an adversary can only obtain the encrypted message and key if they were already able to break the security of both the KEM-DEM and the second PKE. Additionally, the random seed guards against re-encryption and re-encapsulation attacks, as well as mix-and-match attacks. We then prove that the security reduction of QuAKe is tight in both the classical and quantum random oracle models.

## 2. Preliminaries

#### 2.1. Notation

#### 2.2. Random Oracle Model and Quantum Random Oracle Model

#### 2.2.1. Random Oracles

#### 2.2.2. QROM Lemmas

**Lemma 1 (One-way-to-hiding, probabilities).** Let $S\subseteq X$ be random. Let $G,H:X\to Y$ be random functions satisfying $\forall x\notin S,\ G(x)=H(x)$. Let $z$ be a random bit string ($S,G,H,z$ may have arbitrary joint distribution). Let $\mathcal{A}$ be a quantum oracle algorithm with query depth $q$ (not necessarily unitary). Let $\mathcal{B}^{H}$ be an oracle algorithm that on input $z$ does the following: pick $i \leftarrow_{\$} \{1,\dots,q\}$, run $\mathcal{A}^{H}(z)$ until (just before) the $i$th query, measure all query input registers in the computational basis, and output the set $T$ of measurement outcomes. Let

**Lemma 2.**

#### 2.3. Public-Key Encryption

**Definition 1 (Public-Key Encryption Scheme).** We say a triple of algorithms $\mathsf{\Pi}^{\mathit{asym}}=(\mathsf{KeyGen},\mathsf{Enc},\mathsf{Dec})$ forms a public-key encryption (PKE) scheme if:

- $\mathsf{KeyGen}$: the key generation algorithm is a probabilistic algorithm which on input $1^{n}$ ($n\in \mathbb{N}$) outputs a related pair $(pk,sk)$ of public and secret keys.
- $\mathsf{Enc}$: the encryption algorithm is a probabilistic algorithm that takes two inputs, a public key $pk$ and a plaintext $m$ from a designated message space $\mathcal{M}_{\mathsf{\Pi}^{\mathit{asym}}}$, and outputs a ciphertext $c$.
- $\mathsf{Dec}$: the decryption algorithm is a deterministic algorithm that takes as input a secret key $sk$ and a ciphertext $c$, and returns the plaintext $m$ or a special designated rejection symbol ⊥.

**Definition 2 ($\mathsf{IND}\text{-}\mathsf{CCA}$-Security for PKEs in the ROM).** We say that a PKE $\mathsf{\Pi}^{\mathit{asym}}$ is $\mathsf{IND}\text{-}\mathsf{CCA}$-secure in the random oracle model if, for all adversaries $\mathcal{A}$ and a random oracle $H$, we have that

**Algorithm 1** The $\mathsf{IND}\text{-}\mathsf{CCA}$-security experiments for PKEs in the ROM, $\mathrm{Expt}_{\mathsf{\Pi}^{\mathit{asym}}}^{\mathsf{IND}\text{-}\mathsf{CCA}}(\mathcal{A})$.

1. $(pk,sk) \leftarrow_{\$} \mathsf{\Pi}^{\mathit{asym}}.\mathsf{KeyGen}(1^{n})$
2. $m_{0},m_{1},\mathsf{st} \leftarrow \mathcal{A}^{\mathsf{\Pi}^{\mathit{asym}}.\mathsf{Dec}(sk,\cdot),H(\cdot)}(pk)$
3. $b \leftarrow_{\$} \{0,1\}$
4. $c^{*} \leftarrow \mathsf{\Pi}^{\mathit{asym}}.\mathsf{Enc}(pk,m_{b})$
5. $b' \leftarrow \mathcal{A}^{\mathsf{\Pi}^{\mathit{asym}}.\mathsf{Dec}(sk,\cdot \ne c^{*}),H(\cdot)}(pk,\mathsf{st},c^{*})$
6. Return $[b=b']$

#### 2.4. Key/Data Encapsulation Mechanisms

**Definition 3 (Key Encapsulation Mechanism).** We say the triple of algorithms $\mathcal{K}=(\mathsf{KeyGen},\mathsf{Encaps},\mathsf{Decaps})$ forms a key encapsulation mechanism (KEM) if:

- $\mathsf{KeyGen}$: the key generation algorithm is a probabilistic algorithm which on input $1^{n}$ ($n\in \mathbb{N}$) outputs a related pair $(ek,dk)$ of a public encapsulation key and a secret decapsulation key.
- $\mathsf{Encaps}$: the encapsulation algorithm is a probabilistic algorithm that takes one input, a public encapsulation key $ek$, and produces a pair of related outputs: a ciphertext $c$ and an ephemeral key $k$ from a designated key space $\mathcal{KS}_{\mathcal{K}}$.
- $\mathsf{Decaps}$: the decapsulation algorithm is a deterministic algorithm that takes as input a secret decapsulation key $dk$ and a ciphertext $c$, and returns the related ephemeral key $k$ or a specially designated rejection symbol ⊥.

**Definition 4 ($\mathsf{IND}\text{-}\mathsf{CCA}$-Security for KEMs).** We say that a KEM $\mathcal{K}$ is $\mathsf{IND}\text{-}\mathsf{CCA}$-secure if, for all adversaries $\mathcal{A}$, we have that

**Algorithm 2** The $\mathsf{IND}\text{-}\mathsf{CCA}$-security experiments for KEMs, $\mathrm{Expt}_{\mathcal{K}}^{\mathsf{IND}\text{-}\mathsf{CCA}}(\mathcal{A})$.

1. $(ek,dk) \leftarrow_{\$} \mathcal{K}.\mathsf{KeyGen}(1^{n})$
2. $\mathsf{st} \leftarrow \mathcal{A}^{\mathcal{K}.\mathsf{Decaps}(dk,\cdot)}(ek)$
3. $(c^{*},k_{0}) \leftarrow \mathcal{K}.\mathsf{Encaps}(ek)$
4. $k_{1} \leftarrow_{\$} \mathcal{KS}_{\mathcal{K}}$
5. $b \leftarrow_{\$} \{0,1\}$
6. $b' \leftarrow \mathcal{A}^{\mathcal{K}.\mathsf{Decaps}(dk,\cdot \ne c^{*})}(ek,\mathsf{st},c^{*},k_{b})$
7. Return $[b=b']$

**Definition 5 (Data Encapsulation Mechanism/Symmetric Encryption Scheme).** We say a triple of algorithms $\mathsf{\Pi}^{\mathit{sym}}=(\mathsf{KeyGen},\mathsf{Enc},\mathsf{Dec})$ forms a (stateless) data encapsulation mechanism (DEM), or symmetric encryption scheme, if:

- $\mathsf{KeyGen}$: the key generation algorithm is a probabilistic algorithm that on input $1^{n}$ ($n\in \mathbb{N}$) outputs a secret key $k$.
- $\mathsf{Enc}$: the encryption algorithm is a deterministic algorithm that takes two inputs, a secret key $k$ and a plaintext $m$ from a designated message space $\mathcal{M}_{\mathsf{\Pi}^{\mathit{sym}}}$, and outputs a ciphertext $c$.
- $\mathsf{Dec}$: the decryption algorithm is a deterministic algorithm that takes as input a secret key $k$ and a ciphertext $c$, and returns the plaintext $m$ or a special designated rejection symbol ⊥.

**Definition 6 ($\mathsf{IND}\text{-}\mathsf{OT}\text{-}\mathsf{CCA}$-Security for DEMs).** We say that a DEM $\mathsf{\Pi}^{\mathit{sym}}$ is $\mathsf{IND}\text{-}\mathsf{OT}\text{-}\mathsf{CCA}$-secure if, for all adversaries $\mathcal{A}$, we have that:

**Algorithm 3** The $\mathsf{IND}\text{-}\mathsf{OT}\text{-}\mathsf{CCA}$-security experiments for DEMs, $\mathrm{Expt}_{\mathsf{\Pi}^{\mathit{sym}}}^{\mathsf{IND}\text{-}\mathsf{OT}\text{-}\mathsf{CCA}}(\mathcal{A})$.

1. $(ek,dk) \leftarrow_{\$} \mathcal{K}.\mathsf{KeyGen}(1^{n})$
2. $k \leftarrow_{\$} \mathsf{\Pi}^{\mathit{sym}}.\mathsf{KeyGen}(1^{n})$
3. $m_{0},m_{1},\mathsf{st} \leftarrow \mathcal{A}(1^{n})$
4. $b \leftarrow_{\$} \{0,1\}$
5. $c^{*} \leftarrow \mathsf{\Pi}^{\mathit{sym}}.\mathsf{Enc}(k,m_{b})$
6. $b' \leftarrow \mathcal{A}^{\mathsf{\Pi}^{\mathit{sym}}.\mathsf{Dec}(k,\cdot \ne c^{*})}(\mathsf{st},c^{*})$
7. Return $[b=b']$

#### KEM-DEM Paradigm

**Theorem 1.**

**Algorithm 4** $(\mathcal{K},\mathsf{\Pi}^{\mathit{sym}}).\mathsf{KeyGen}(1^{n})$.

1. $(ek,dk) \leftarrow_{\$} \mathcal{K}.\mathsf{KeyGen}(1^{n})$
2. Return $(ek,dk)$

**Algorithm 5** $(\mathcal{K},\mathsf{\Pi}^{\mathit{sym}}).\mathsf{Enc}(ek,m)$.

1. $(c_{1},k) \leftarrow \mathcal{K}.\mathsf{Encaps}(ek)$
2. $c_{2} \leftarrow \mathsf{\Pi}^{\mathit{sym}}.\mathsf{Enc}(k,m)$
3. Return $(c_{1},c_{2})$

**Algorithm 6** $(\mathcal{K},\mathsf{\Pi}^{\mathit{sym}}).\mathsf{Dec}(dk,(c_{1},c_{2}))$.

1. $k \leftarrow \mathcal{K}.\mathsf{Decaps}(dk,c_{1})$
2. $m \leftarrow \mathsf{\Pi}^{\mathit{sym}}.\mathsf{Dec}(k,c_{2})$
3. Return $m$

**Corollary 1.**

#### 2.5. Combiners

**Definition 7 ($(k,n)$-Robust Combiner).** Let $\mathbb{P}$ be a set of cryptographic primitives. A $(k,n)$-robust combiner is an algorithm that takes $n$ candidate schemes from $\mathbb{P}$ as inputs and outputs a single algorithm that is secure with respect to some security specification $s$, provided the following holds:

- If at least k candidates securely implement the security specification s, then the result of the combiner also securely implements s.
- The running time of the result of the combiner is polynomial in the security parameter m, in n, and in the lengths of the inputs to $\mathbb{P}$.

## 3. QuAKe

#### 3.1. Construction

**Algorithm 7** $\mathsf{\Pi}.\mathsf{KeyGen}(1^{n})$.

1. $(pk,sk) \leftarrow_{\$} \mathsf{\Pi}^{\mathit{asym}}.\mathsf{KeyGen}(1^{n})$
2. $(ek,dk) \leftarrow_{\$} \mathcal{K}.\mathsf{KeyGen}(1^{n})$
3. $pk' \leftarrow (pk,ek)$
4. $sk' \leftarrow (sk,dk)$
5. Return $(pk',sk')$

**Algorithm 8** $\mathsf{\Pi}.\mathsf{Enc}((pk,ek),m)$.

1. $\delta \leftarrow_{\$} \{0,1\}^{l}$
2. $(c_{KEM},k) \leftarrow \mathcal{K}.\mathsf{Encaps}(ek;\mathsf{Hash}_{1}(\delta))$
3. $c_{DEM} \leftarrow \mathsf{\Pi}^{\mathit{sym}}.\mathsf{Enc}(k,m \parallel \delta)$
4. $c_{PKE} \leftarrow \mathsf{\Pi}^{\mathit{asym}}.\mathsf{Enc}(pk,c_{DEM};\mathsf{Hash}_{2}(\delta))$
5. Return $(c_{KEM},c_{PKE})$

**Algorithm 9** $\mathsf{\Pi}.\mathsf{Dec}((sk,dk),(c_{KEM},c_{PKE}))$.

1. $c_{DEM} \leftarrow \mathsf{\Pi}^{\mathit{asym}}.\mathsf{Dec}(sk,c_{PKE})$
2. $k \leftarrow \mathcal{K}.\mathsf{Decaps}(dk,c_{KEM})$
3. $m \parallel \delta \leftarrow \mathsf{\Pi}^{\mathit{sym}}.\mathsf{Dec}(k,c_{DEM})$
4. if $m \parallel \delta = \perp$ then
5. Return ⊥
6. else
7. if $(c_{KEM},-) = \mathcal{K}.\mathsf{Encaps}(ek;\mathsf{Hash}_{1}(\delta)) \wedge c_{PKE} = \mathsf{\Pi}^{\mathit{asym}}.\mathsf{Enc}(pk,c_{DEM};\mathsf{Hash}_{2}(\delta))$ then (re-encapsulation and re-encryption check)
8. Return $m$
9. else
10. Return ⊥
11. end if
12. end if
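The construction of Algorithms 7–9 written out in Python, as an added example that is not code from the paper. The KEM, PKE and DEM are insecure hashlib/hmac stand-ins chosen only so that $\mathsf{Encaps}$ and $\mathsf{Enc}$ accept explicit coins and the block runs offline; $\mathsf{Hash}_1$ and $\mathsf{Hash}_2$ are domain-separated SHA-256 and the seed length is fixed at 32 bytes, all assumptions. `quake_dec` also receives the public key, which Algorithm 9 uses implicitly for the line-7 check; `demo` shows an honest decryption succeeding and both a mix-and-match ciphertext and a re-encrypted outer layer being rejected.

```python
import hashlib, hmac, os
SEED_LEN = 32  # length of the seed delta in bytes (assumption: l = 256 bits)

def H(tag: bytes, *parts: bytes) -> bytes:  # domain-separated SHA-256
    return hashlib.sha256(tag + b"".join(parts)).digest()

def Hash1(d): return H(b"Hash1", d)   # the two random oracles, modelled by SHA-256
def Hash2(d): return H(b"Hash2", d)

def stream(key: bytes, nonce: bytes, n: int) -> bytes:  # toy counter-mode keystream
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# Stand-in KEM (no security): Encaps(ek; coins) is a deterministic function of the coins.
def kem_keygen():
    dk = os.urandom(32); return H(b"ek", dk), dk
def kem_encaps(ek, coins):
    c = H(b"c", coins); return c, H(b"k", ek, c)
def kem_decaps(dk, c):
    return H(b"k", H(b"ek", dk), c)

# Stand-in PKE (no security): Enc(pk, m; coins) is a deterministic function of the coins.
def pke_keygen():
    sk = os.urandom(32); return H(b"pk", sk), sk
def pke_enc(pk, m, coins):
    r = H(b"r", coins); return r + xor(m, stream(pk, r, len(m)))
def pke_dec(sk, c):
    r, body = c[:32], c[32:]; return xor(body, stream(H(b"pk", sk), r, len(body)))

# Stand-in DEM: deterministic encrypt-then-MAC; None plays the rejection symbol.
def dem_enc(k, m):
    body = xor(m, stream(k, b"dem", len(m))); return body + hmac.new(k, body, "sha256").digest()
def dem_dec(k, c):
    body, tag = c[:-32], c[-32:]
    if not hmac.compare_digest(tag, hmac.new(k, body, "sha256").digest()):
        return None
    return xor(body, stream(k, b"dem", len(body)))

# QuAKe, Algorithms 7-9. Dec takes pk' too: line 7 re-runs Encaps and Enc under ek and pk.
def quake_keygen():
    pk, sk = pke_keygen(); ek, dk = kem_keygen()
    return (pk, ek), (sk, dk)

def quake_enc(pk_prime, m):
    pk, ek = pk_prime
    delta = os.urandom(SEED_LEN)                 # 1: random seed
    c_kem, k = kem_encaps(ek, Hash1(delta))      # 2: coins derived from Hash1(delta)
    c_dem = dem_enc(k, m + delta)                # 3: encrypt m || delta
    c_pke = pke_enc(pk, c_dem, Hash2(delta))     # 4: wrap c_DEM under the second PKE
    return c_kem, c_pke

def quake_dec(pk_prime, sk_prime, ct):
    (pk, ek), (sk, dk), (c_kem, c_pke) = pk_prime, sk_prime, ct
    c_dem = pke_dec(sk, c_pke)
    k = kem_decaps(dk, c_kem)
    pt = dem_dec(k, c_dem)
    if pt is None or len(pt) < SEED_LEN:         # DEM rejected (line 4)
        return None
    m, delta = pt[:-SEED_LEN], pt[-SEED_LEN:]
    # Line 7: re-encapsulate and re-encrypt with the recovered seed; both parts must match.
    c_kem2, _ = kem_encaps(ek, Hash1(delta))
    c_pke2 = pke_enc(pk, c_dem, Hash2(delta))
    if not (hmac.compare_digest(c_kem, c_kem2) and hmac.compare_digest(c_pke, c_pke2)):
        return None
    return m

def demo():
    pkp, skp = quake_keygen()
    ct1, ct2 = quake_enc(pkp, b"attack at dawn"), quake_enc(pkp, b"retreat")
    mixed = (ct1[0], ct2[1])                     # KEM part of ct1 with PKE part of ct2
    rewrapped = (ct1[0], pke_enc(pkp[0], pke_dec(skp[0], ct1[1]), b"\x01" * 32))  # fresh outer coins
    return quake_dec(pkp, skp, ct1), quake_dec(pkp, skp, mixed), quake_dec(pkp, skp, rewrapped)
```

In `demo`, the mixed ciphertext fails at the DEM tag (wrong key), while the re-wrapped one decrypts to the right $m \parallel \delta$ and is rejected only by the line-7 re-encryption check, which is exactly what the seed buys.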

#### 3.2. Security of QuAKe

#### 3.2.1. $\mathsf{IND}\text{-}\mathsf{CCA}$-Security of QuAKe

**Theorem 2.**

**Proof.**

**Algorithm 10** Game 0 for the proof of Theorem 2, $G_{0}$.

1. $((pk,ek),(sk,dk)) \leftarrow_{\$} \mathsf{\Pi}.\mathsf{KeyGen}(1^{n})$
2. $m_{0},m_{1},\mathsf{st} \leftarrow \mathcal{A}^{\mathsf{Dec}((sk,dk),\cdot),\mathsf{Hash}_{1}(\cdot),\mathsf{Hash}_{2}(\cdot)}(pk,ek)$
3. $b \leftarrow_{\$} \{0,1\}$
4. $\delta^{*} \leftarrow_{\$} \{0,1\}^{l}$
5. $(c_{KEM}^{*},k^{*}) \leftarrow \mathcal{K}.\mathsf{Encaps}(ek;\mathsf{Hash}_{1}(\delta^{*}))$
6. $c_{DEM}^{*} \leftarrow \mathsf{\Pi}^{\mathit{sym}}.\mathsf{Enc}(k^{*},m_{b} \parallel \delta^{*})$
7. $c_{PKE}^{*} \leftarrow \mathsf{\Pi}^{\mathit{asym}}.\mathsf{Enc}(pk,c_{DEM}^{*};\mathsf{Hash}_{2}(\delta^{*}))$
8. $b' \leftarrow \mathcal{A}^{\mathsf{Dec}((sk,dk),\cdot \ne (c_{KEM}^{*},c_{PKE}^{*})),\mathsf{Hash}_{1}(\cdot),\mathsf{Hash}_{2}(\cdot)}(pk,ek,\mathsf{st},(c_{KEM}^{*},c_{PKE}^{*}))$
9. Return $[b'=b]$

**Algorithm 11** Game 1 for the proof of Theorem 2, $G_{1}$.

1. $((pk,ek),(sk,dk)) \leftarrow_{\$} \mathsf{\Pi}.\mathsf{KeyGen}(1^{n})$
2. $m_{0},m_{1},\mathsf{st} \leftarrow \mathcal{A}^{\mathsf{Dec}((sk,dk),\cdot),\mathsf{Hash}_{1}(\cdot),\mathsf{Hash}_{2}(\cdot)}(pk,ek)$
3. $b \leftarrow_{\$} \{0,1\}$
4. $\delta^{*} \leftarrow_{\$} \{0,1\}^{l}$
5. $h' \leftarrow_{\$} \mathsf{Hash}_{1}.\mathrm{Range}$ // Using random coins in place of $\mathsf{Hash}_{1}(\delta^{*})$
6. $h'' \leftarrow_{\$} \mathsf{Hash}_{2}.\mathrm{Range}$ // Using random coins in place of $\mathsf{Hash}_{2}(\delta^{*})$
7. $(c_{KEM}^{*},k^{*}) \leftarrow \mathcal{K}.\mathsf{Encaps}(ek;h')$
8. $c_{DEM}^{*} \leftarrow \mathsf{\Pi}^{\mathit{sym}}.\mathsf{Enc}(k^{*},m_{b} \parallel \delta^{*})$
9. $c_{PKE}^{*} \leftarrow \mathsf{\Pi}^{\mathit{asym}}.\mathsf{Enc}(pk,c_{DEM}^{*};h'')$
10. $b' \leftarrow \mathcal{A}^{\mathsf{Dec}((sk,dk),\cdot \ne (c_{KEM}^{*},c_{PKE}^{*})),\mathsf{Hash}_{1}(\cdot),\mathsf{Hash}_{2}(\cdot)}(pk,ek,\mathsf{st},(c_{KEM}^{*},c_{PKE}^{*}))$
11. Return $[b'=b]$

**Proof.**

**Proof.**

**Proof.**

- $(c,c_{PKE}^{*})$: $\mathcal{B}_{2}$ cannot query $c_{PKE}^{*}$ to its own decryption oracle. Instead, $\mathcal{B}_{2}$ answers the query as follows: use $dk$ to decapsulate $c$; if the result is $k^{*}$, query $\mathsf{Hash}_{1}$ and $\mathsf{Hash}_{2}$ on a uniformly random value $r$ and then return ⊥; otherwise, return ⊥ without querying the random oracles. In the first case, the real $\mathsf{IND}\text{-}\mathsf{CCA}$ experiment would reject, as the re-encapsulation check would fail. In the second case, the symmetric decryption algorithm would reject, as $c_{DEM,b}^{*}$ was encrypted under $k^{*}$ and the recovered key is different.
- $(c_{KEM}^{*},c_{PKE}) \wedge \mathsf{Dec}(sk,c_{PKE})=c_{DEM,b}^{*}$: $\mathcal{B}_{2}$ always returns ⊥ and queries $\mathsf{Hash}_{1}$ and $\mathsf{Hash}_{2}$ on a uniformly random value $r$. In the real experiment, such a query would be rejected, as it would fail the re-encryption check.

#### 3.2.2. ${\mathsf{Q}}^{\mathsf{c}}\mathsf{Q}\text{-}\mathsf{IND}\text{-}\mathsf{CCA}$-Security of QuAKe

**Theorem 3.**

**Proof.**

**Algorithm 12** O2H simulator algorithm, $\mathcal{B}^{|\mathsf{Hash}_{1}\times\mathsf{Hash}_{2}\rangle}(\delta^{*})$.

1. $i \leftarrow_{\$} \{1,\dots,q'\}$
2. Run $\mathcal{A}^{|\mathsf{Hash}_{1}\times\mathsf{Hash}_{2}\rangle}(\delta^{*},(\mathsf{Hash}_{1}(\delta^{*}),\mathsf{Hash}_{2}(\delta^{*})))$ until the $i$th query.
3. if $i >$ the number of queries made to $|\mathsf{Hash}_{1}\times\mathsf{Hash}_{2}\rangle$ then
4. Return ⊥
5. else measure the query, obtaining $\hat{\delta}$
6. Return $[\hat{\delta}=\delta^{*}]$
7. end if

## 4. Comparisons

#### 4.1. PKE Combiners

#### 4.2. KEM Combiners

## 5. Conclusions

## Author Contributions

## Funding

## Institutional Review Board Statement

## Informed Consent Statement

## Data Availability Statement

## Conflicts of Interest

## Appendix A

**A** acting linearly on quantum states is given by

## Appendix B

**Definition A1 (Correctness of PKEs).** We say that a public-key encryption scheme $\mathsf{\Pi}^{\mathit{asym}}$ is $\epsilon$-correct if, for all messages $m$ in the message space $\mathcal{M}_{\mathsf{\Pi}^{\mathit{asym}}}$:

**Definition A2 ($\mathsf{IND}\text{-}\mathsf{CCA}$-Security for PKEs in the QROM).** We say that a PKE $\mathsf{\Pi}^{\mathit{asym}}$ is $\mathsf{IND}\text{-}\mathsf{CCA}$-secure in the quantum random oracle model ($\mathsf{Q}^{\mathsf{c}}\mathsf{Q}\text{-}\mathsf{IND}\text{-}\mathsf{CCA}$-secure) if, for all quantum adversaries $\mathcal{A}_{\mathsf{Q}}$ and a quantum random oracle $|H\rangle$, we have that

**Algorithm A1** The $\mathsf{Q}^{\mathsf{c}}\mathsf{Q}\text{-}\mathsf{IND}\text{-}\mathsf{CCA}$-security experiments for PKEs in the QROM, $\mathrm{Expt}_{\mathsf{\Pi}^{\mathit{asym}}}^{\mathsf{Q}^{\mathsf{c}}\mathsf{Q}\text{-}\mathsf{IND}\text{-}\mathsf{CCA}}(\mathcal{A}_{\mathsf{Q}})$.

1. $(pk,sk) \leftarrow_{\$} \mathsf{\Pi}^{\mathit{asym}}.\mathsf{KeyGen}(1^{n})$
2. $m_{0},m_{1},\mathsf{st} \leftarrow \mathcal{A}_{\mathsf{Q}}^{\mathsf{\Pi}^{\mathit{asym}}.\mathsf{Dec}(sk,\cdot),|H(\cdot)\rangle}(pk)$
3. $b \leftarrow_{\$} \{0,1\}$
4. $c^{*} \leftarrow \mathsf{\Pi}^{\mathit{asym}}.\mathsf{Enc}(pk,m_{b})$
5. $b' \leftarrow \mathcal{A}_{\mathsf{Q}}^{\mathsf{\Pi}^{\mathit{asym}}.\mathsf{Dec}(sk,\cdot \ne c^{*}),|H(\cdot)\rangle}(pk,\mathsf{st},c^{*})$
6. Return $[b=b']$

**Definition A3 (Correctness of KEMs).** We say that a KEM $\mathcal{K}$ is $\epsilon$-correct if:

**Definition A4 (Correctness of DEMs).** We say that a DEM $\mathsf{\Pi}^{\mathit{sym}}$ is $\epsilon$-correct if, for all messages $m$ in the message space $\mathcal{M}_{\mathsf{\Pi}^{\mathit{sym}}}$:

## References

1. Post-Quantum Cryptography. 2017. Available online: https://csrc.nist.gov/projects/post-quantum-cryptography (accessed on 7 March 2022).
2. Harnik, D.; Kilian, J.; Naor, M.; Reingold, O.; Rosen, A. On Robust Combiners for Oblivious Transfer and Other Primitives. In Advances in Cryptology—EUROCRYPT 2005; Springer: Berlin/Heidelberg, Germany, 2005; pp. 96–113.
3. Bindel, N.; Herath, U.; McKague, M.; Stebila, D. Transitioning to a Quantum-Resistant Public Key Infrastructure. In Post-Quantum Cryptography; Lange, T., Takagi, T., Eds.; Springer International Publishing: Cham, Switzerland, 2017; pp. 384–405.
4. Bindel, N.; Brendel, J.; Fischlin, M.; Goncalves, B.; Stebila, D. Hybrid Key Encapsulation Mechanisms and Authenticated Key Exchange. In Post-Quantum Cryptography; Ding, J., Steinwandt, R., Eds.; Springer International Publishing: Cham, Switzerland, 2019; pp. 206–226.
5. Asmuth, C.; Blakley, G. An Efficient Algorithm for Constructing a Cryptosystem Which is Harder to Break than Two Other Cryptosystems. Comput. Math. Appl. **1981**, 7, 447–450.
6. Herzberg, A. Folklore, Practice and Theory of Robust Combiners. J. Comput. Secur. **2009**, 17, 159–189.
7. Zhang, C.; Cash, D.; Wang, X.; Yu, X.; Chow, S.S.M. Combiners for Chosen-Ciphertext Security. In Computing and Combinatorics; Dinh, T.N., Thai, M.T., Eds.; Springer International Publishing: Cham, Switzerland, 2016; pp. 257–268.
8. Hohenberger, S.; Lewko, A.; Waters, B. Detecting Dangerous Queries: A New Approach for Chosen Ciphertext Security. In Advances in Cryptology—EUROCRYPT 2012; Pointcheval, D., Johansson, T., Eds.; Springer: Berlin/Heidelberg, Germany, 2012; pp. 663–681.
9. Dodis, Y.; Katz, J. Chosen-Ciphertext Security of Multiple Encryption. In Theory of Cryptography; Kilian, J., Ed.; Springer: Berlin/Heidelberg, Germany, 2005; pp. 188–209.
10. Giacon, F.; Heuer, F.; Poettering, B. KEM Combiners. In Public-Key Cryptography—PKC 2018; Abdalla, M., Dahab, R., Eds.; Springer International Publishing: Cham, Switzerland, 2018; pp. 190–218.
11. Kampanakis, P.; Panburana, P.; Daw, E.; Van Geest, D. The Viability of Post-Quantum X.509 Certificates. IACR Cryptology ePrint Archive, Report 2018/063; 2018. Available online: http://www.eprint.mirror.cypherpunks.ru/2018/063.pdf (accessed on 4 March 2022).
12. Braithwaite, M. Google Security Blog: Experimenting with Post-Quantum Cryptography. 2016. Available online: https://security.googleblog.com/2016/07/experimenting-with-post-quantum.html (accessed on 12 October 2021).
13. Langley, A. Intent to Implement and Ship: CECPQ1 for TLS, 2016. Google Group. Available online: https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/DS9pp2U0SAc (accessed on 12 October 2021).
14. Cramer, R.; Shoup, V. Design and Analysis of Practical Public-Key Encryption Schemes Secure Against Adaptive Chosen Ciphertext Attack. SIAM J. Comput. **2004**, 33, 167–226.
15. Nielsen, M.A.; Chuang, I.L. Quantum Computation and Quantum Information: 10th Anniversary Edition, 10th ed.; Cambridge University Press: Cambridge, UK, 2011.
16. Bellare, M.; Rogaway, P. Random Oracles are Practical: A Paradigm for Designing Efficient Protocols. In Proceedings of the 1st ACM Conference on Computer and Communications Security—CCS ’93, Fairfax, VA, USA, 3–5 November 1993; ACM: New York, NY, USA, 1993; pp. 62–73.
17. Boneh, D.; Dagdelen, Ö.; Fischlin, M.; Lehmann, A.; Schaffner, C.; Zhandry, M. Random Oracles in a Quantum World. In Advances in Cryptology—ASIACRYPT 2011; Lee, D.H., Wang, X., Eds.; Springer: Berlin/Heidelberg, Germany, 2011; pp. 41–69.
18. Unruh, D. Revocable Quantum Timed-Release Encryption. J. ACM **2015**, 62, 1–76.
19. Ambainis, A.; Hamburg, M.; Unruh, D. Quantum Security Proofs Using Semi-classical Oracles. In Advances in Cryptology—CRYPTO 2019; Boldyreva, A., Micciancio, D., Eds.; Springer International Publishing: Cham, Switzerland, 2019; pp. 269–295.
20. Zhandry, M. Secure Identity-Based Encryption in the Quantum Random Oracle Model. In Advances in Cryptology—CRYPTO 2012; Safavi-Naini, R., Canetti, R., Eds.; Springer: Berlin/Heidelberg, Germany, 2012; pp. 758–775.
21. Herranz, J.; Hofheinz, D.; Kiltz, E. Some (in)sufficient Conditions for Secure Hybrid Encryption. Inf. Comput. **2010**, 208, 1243–1257.


© 2022 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Goncalves, B.; Mashatan, A.
Tightly Secure PKE Combiner in the Quantum Random Oracle Model. *Cryptography* **2022**, *6*, 15.
https://doi.org/10.3390/cryptography6020015
