Tightly Secure PKE Combiner in the Quantum Random Oracle Model

: The development of increasingly sophisticated quantum computers poses a long-term threat to current cryptographic infrastructure. This has spurred research into both quantum-resistant algorithms and how to safely transition real-world implementations and protocols to quantum-resistant replacements. This transition is likely to be a gradual process due to both the complexity and cost associated with transitioning. One method to ease the transition is the use of classical–quantum hybrid schemes, which provide security against both classical and quantum adversaries. We present a new combiner for creating hybrid encryption schemes directly from traditional encryption schemes. Our construction is the only existing proposal in the literature with IND - CCA -security in the classical and quantum random oracle models, respectively.


Introduction
As the age of scalable quantum computing comes closer to becoming a reality, research into cryptographic algorithms that are secure against quantum adversaries becomes increasingly important. The transition to new algorithms for real-world applications and protocols has historically been slow. It took nearly two decades [1] for current public-key cryptographic infrastructure to be fully deployed; hence, new post-quantum infrastructure can be expected to take a similar amount of time. Additionally, maintaining legacy systems and addressing concerns of potential downgrade attacks should be considered when the transition begins. Finally, while quantum-resistant schemes have been increasingly studied and analyzed, the underlying hardness assumptions remain relatively novel, in which future cryptanalysis may show that they are vulnerable to quantum attacks or, even worse, classical attacks. As the release of standards is still years away and full deployment of quantum-resistant algorithms is a long-term effort, there is still a need to secure today's data from quantum adversaries.
Hybrid Cryptography and Combiners. So-called classical-quantum hybrid cryptography, which combines classically secure and quantum-resistant algorithms to produce a new secure scheme, represents a stopgap solution to the dilemma of transitioning from classical to quantum-resistant cryptographic infrastructure and the need to secure data and communications versus the cost, and the time, to fully transition. Harnik et al. [2] formalized this idea of combining algorithms as a (k, n)-robust combiner, where n represents the number of inputs and k represents the threshold of secure inputs required to achieve security. Hybrid combiners have been the subject of previous works for various primitives, such as Bindel et al. [3] on hybrid signatures and Bindel et al. [4] on hybrid key encapsulation mechanisms (KEMs) and hybrid authenticated key exchange.
Traditional combiners for public-key encryption (PKE), the focus of this work, have also been studied by Asmuth and Blakely [5], Herzberg [6], and Zhang et al. [7]. However, these previous results either failed to achieve IND-CCA-security [6], required every input to be secure [8], or lacked a proof against quantum adversaries [9].
In the place of PKE combiners, there has been successful work in the field of KEM combiners. Giacon et al. presented a swath of different construction of robust IND-CCA combiners for KEMs using different core function constructions to produce the final key [10]. However, the results are limited to only KEMs with perfect correctness, which many quantum-resistant schemes do not have. Bindel et al. additionally provided three more constructions of robust KEM combiners against adversaries with varying levels of quantum capabilities over time [4].
Currently, there is interest in both academia and industry for hybrid cryptography. As mentioned, both Bindel et al. [3], and Bindel et al. [4] constructed hybrid primitives, digital signatures, and KEMs, respectively, with the latter also presenting a design for a hybrid authenticated key exchange built from hybrid KEMs. Mirroring the interest in hybrid cryptography, ISARA and Cisco investigated the viability of hybrid X.509 digital certificates [11] in 2018. Meanwhile, in 2016, Google experimented with combining elliptic curve Diffie-Hellman (ECDH) and ring-learning with errors (R-LWE) key exchange in the transport layer security (TLS) stack in a test version of its Chrome web browser [12,13].
Our Contributions. In this work, we present a (mostly) generic construction of a (1, 2)robust combiner for PKEs that preserves IND-CCA-security in the random oracle model and in the quantum random oracle model, which we call the Quantum Augmented KEM-DEM (or QuAKe) combiner. Furthermore, the security reduction of our construction is tight in both the classical and, more importantly, quantum random oracle models. We achieve this with the use of two PKEs, one of which we require to be built from the KEM-DEM paradigm put forth by Cramer and Shoup [14], and a pair of random oracles, Hash 1 , Hash 2 . Our construction relies on preventing an adversary from obtaining both the symmetrically encrypted message, along with a random seed, and the asymmetrically encrypted key by encrypting the symmetric ciphertext under the second PKE. By doing this, an adversary can only obtain the encrypted message and key if they were already able to break the security of both the KEM-DEM and the second PKE. Additionally, the random seed is used to guard against re-encryption and re-encapsulation attacks, as well as mix-and-match attacks. We then prove the security reduction of QuAKe is tight in both the classical and quantum random oracle models.
The paper is organized as follows. In Section 2, we define our notation lemmas required for our proof in the quantum random oracle mode and give some preliminary cryptographic definitions. In Section 3, we present our construction and its security. In Section 4, we review previous results on PKE and KEM combiners, and then provide a comparison with previous results. We then conclude our paper in Section 5.

Preliminaries
In this section, we cover the preliminaries used in this work. We begin with the notation used, then an introduction to the random oracle model, the security notions and definitions used, and finally define (k, n)-robust combiners.

Notation
By y ← A(x) we denote an algorithm, A (either classical or quantum), that runs on (classical) input x, and (classical) outputs y. When A has access to an oracle, B, we write this as A(x) B(·) . If A is an algorithm that uses some randomness in its execution on input x and we wish to specify what the randomness is, say r, we denote it as A(x; r). We refer to specific subroutines within A(·) as A.Subroutine. We consider all adversaries as algorithms (either classical or quantum) that are probabilistic polynomial time on their input length.
We write x ←$ S to denote that x was outputted by S probabilistically, where if S is some algorithm, then x was selected according to some internal distribution, and if S is some space, such as {0, 1} l , then we implicitly mean for x to be sampled uniformly at random.
We say a function g mapping non-negative integers to non-negative reals is called negligible, if for all positive numbers c, there exists an integer λ 0 (c) ≥ 0 such that for all λ > λ 0 (c) we have g(λ) < 1 λ c . A family of functions F is called q-wise independent if for any distinct x 1 , . . . , x q and for f ←$ F the values f (x 1 ), . . . , f (x q ) are independently uniformly distributed.

Random Oracle Model and Quantum Random Oracle Model
In this section, we briefly describe the random oracle model (ROM) and quantum random oracle model (QROM) and state the lemmas that will be used in the main result when proving the Q c Q-IND-CCA-security of QuAKe. We provide a brief introduction to quantum computing in Appendix A and refer to Nielsen and Chuang [15] as a standard text for a more complete explanation.

Random Oracles
In the classical random oracle model (ROM), we assume the existence of a truly random function H and give all parties access to query this function [16]. When implemented, a suitable hash function, Hash, is used in place of H. Any queries to the random oracle, made by any party, is then replaced with an evaluation of Hash on the query.
As in the ROM, in the quantum random oracle model (QROM), all parties are given access to a random function H, which, when implemented, is replaced by a suitable hash function Hash. However, in quantum settings, since a quantum algorithm can evaluate Hash in a superposition of inputs, an adversary must also be allowed to query H in superposition. This is called the quantum random oracle model [17]. To denote when superposition access to H is available, we will adopt the notation |H .

QROM Lemmas
We next state two useful lemmas regarding quantum random oracles. First is the one-way-to-hiding (O2H) Lemma, proven by Unruh [18]. The O2H lemma, informally, states that if a quantum adversary makes at most q queries to a quantum random oracle, |H , and is able to distinguish (x, H(x)) from (x, y), where y was sampled uniformly at random, then a simulator can recover x by measuring one of the queries to |H . In other words, this lemma reduces distinguishing H(x) from y to guessing x. We present the updated statement of the O2H Lemma as formulated by Ambainis et al. [19].
Lemma 1 (One-way-to-hiding, probabilities). Let S ⊆ X be random. Let G, H : X → Y be random functions satisfying ∀x / ∈ S, G(x) = H(x). Let z be a random bit string (S, G, H, z may have arbitrary joint distribution). Let A be a quantum oracle algorithm with query depth q (not necessarily unitary). Let B H be an oracle algorithm that on input z does the following: pick i ←$ {1, · · · , q} run A H (z) until (just before) the ith query, measure all query input registers in the computational basis, output the set T of measurement outcomes. Let Then, P le f t − P right ≤ 2q P guess , and P le f t − P right ≤ 2q P guess .
We refer to the algorithm B as the O2H simulator. As noted by Ambainis et al., the original statement of the O2H Lemma by Unruh is a consequence of the updated version [19].
The next lemma concerns simulating quantum random oracles. In the original QROM introduced by Boneh et al. [17], reduction or simulator algorithms are not allowed access to a random oracle, and therefore, must somehow simulate the oracle itself. Zhandry [20] demonstrated that a simulator can use a 2q-wise independent function to successfully simulate a random oracle, where q denotes the number of queries made by the adversary. Moreover, they proved the simulation of the random oracle is perfect, and no adversary can distinguish between a true random oracle and a 2q-wise independent function.

Lemma 2.
Let H be an oracle drawn from the set of 2q-wise independent functions uniformly at random. Then, the advantage any quantum algorithm making at most q queries to H has in distinguishing H from a truly random function is identically 0.
For the security reduction of the main result in the QROM, we implicitly assume the use of 2q-wise independent functions by any simulators to answer the adversary's oracle queries.

Public-Key Encryption
In this section, we provide an overview of public-key encryption algorithms and the relevant security definitions. We begin by defining a public-key encryption (PKE) algorithm. We define the correctness of PKEs in Appendix B.

Definition 1 (Public-Key Encryption Scheme).
We say a triple of algorithms Π asym = (KeyGen, Enc, Dec) form a public-key encryption (PKE) scheme, if: • KeyGen: the key generation algorithm is a probabilistic algorithm which on input 1 n (n ∈ N) outputs a related pair, (pk, sk), of public and secret keys. • Enc: the encryption algorithm is a probabilistic algorithm that takes two inputs, a public-key pk, and a plaintext m, from a designated message space, M Π asym , and outputs a ciphertext c. • Dec: the decryption algorithm is a deterministic algorithm that takes as input a secret key sk, and ciphertext c, and returns the plaintext m, or a special designated rejection symbol ⊥.
We now define the IND-CCA-security (also referred to as IND-CCA2-security in the literature) and security experiment for PKEs in the random oracle model.
In this work, when we discuss security against quantum adversaries, we are considering the case of an adversary with quantum computational powers, including the ability to query the random oracle in superposition but who only has classical access to decryption oracles. We adopt the X y Z notation, introduced in Bindel et al. [3], to denote security against such adversaries, where X denotes whether the adversary is classical or quantum while they have decryption oracle access, y denotes whether the adversary can perform classical or superposition decryption queries, and Z denotes whether the adversary is classical or quantum after they lose access to decryption oracles. Thus, IND-CCA-security against a quantum adversary with only classical decryption queries in the quantum random oracle model is denoted as Q c Q-IND-CCA. Security against an Q c Q-IND-CCA-adversary is defined analogously to Algorithm 1, and we include the full definition in Appendix B.

Key/Data Encapsulation Mechanisms
In this section, we define both key encapsulation mechanisms (KEMs), data encapsulation mechanisms (DEMs), and the security notions necessary for this work. We then describe the KEM-DEM paradigm to build a public-key encryption algorithm and the necessary conditions to attain IND-CCA-security using the paradigm. We define the correctness for both KEMs and DEMs in Appendix B.
First, we define a key encapsulation algorithm [21].

Definition 3 (Key Encapsulation Mechanism).
We say the triple of algorithms K = (KeyGen, Encaps,Decaps) form a key encapsulation mechanism (KEM), if: • KeyGen: the key generation algorithm is a probabilistic algorithm which on input 1 n (n ∈ N), outputs a related pair, (ek, dk), of a public encapsulation and secret decapsulation keys.

•
Encaps: the encapsulation algorithm is a probabilistic algorithm that takes one input, a public encapsulation key ek, and produces a pair of related outputs, a ciphertext c, and an ephemeral key k, from a designated key space KS K . • Decaps: the decapsulation algorithm is a deterministic algorithm that takes as input a secret decapsulation key dk, and ciphertext c, and returns the related ephemeral key k, or a specially designated rejection symbol ⊥.
Note that a KEM can be built from a public-key encryption algorithm by simply sampling a message uniformly at random, to be used as the key, then encrypting it and sending the ciphertext.
The next definition is for IND-CCA-security of KEMs. We use the standard model in the following definition, but the definition lifts to the random oracle model in a natural way.

Definition 4 (IND-CCA-Security for KEMs).
We say that a KEM, K, is IND-CCA if, for all adversaries A, we have that We now informally define IND-CCA-security for KEMs against quantum adversaries in the QROM. As in the PKE case, this security is an extension of classical CCA-security to the QROM with a quantum adversary that is restricted to only classical decryption queries. Once again, we adopt the X y Z notation and refer to this security notion as Q c Q-IND-CCAsecurity for KEMs, or simply Q c Q-IND-CCA when the context is clear.
We now define the symmetric primitive and data encapsulation mechanisms (DEMs) [21].

Definition 5 (Data Encapsulation Mechanism/Symmetric Encryption Scheme).
We say a triple of algorithms Π sym = (KeyGen, Enc, Dec) form a (stateless) data encapsulation mechanism (DEM), or symmetric encryption scheme, if: • KeyGen: the key generation algorithm is a probabilistic algorithm that on input 1 n (n ∈ N) outputs a secret key k. • Enc: the encryption algorithm is a deterministic algorithm that takes two inputs, a secret key k and a plaintext m, from a designated message space M Π sym , and outputs a ciphertext c. • Dec: the decryption algorithm is a deterministic algorithm that takes as input a secret key k and ciphertext c, and returns the plaintext m, or a special designated rejection symbol ⊥.
In this work, referring to such an algorithm as a DEM rather than symmetric encryption emphasizes the relation between KEMs and DEMs covered in the next section.
Next, we define the primary security definition for DEMs this work is concerned with, the IND-OT-CCA-security introduced by Cramer and Shoup [14]. Informally, IND-OT-CCA is similar to the IND-CCA-security experiment, except that the adversary cannot encrypt any messages of their choice and only after receiving the challenge ciphertext is given access to a decryption oracle. When we wish to consider security of a DEM against a quantum capable adversary, we again make use of the X y Z notation and denote OT-CCAsecurity for a DEM against a quantum adversary with only classical decryption queries as Q c Q-IND-OT-CCA-security.
Definition 6 (IND-OT-CCA-Security for DEMs). We say that a DEM K is IND-OT-CCA if, for all adversaries A, we have that: We go on to describe how a public-key encryption system can be built from a KEM and DEM pair.
Intuitively, a KEM can be used to generate a key from the key space of the DEM, which, in turn, is used to encrypt the message. The KEM-DEM paradigm of constructing a PKE was first proposed by Cramer and Shoup [14]. The PKE is built by using the KEM keys as the public and private key, generating a ciphertext-key pair from the KEM, then using the key as the symmetric key to encrypt the message and sending the asymmetric and symmetric ciphertexts. Decryption is defined in the natural way. Traditionally, the KEM-DEM is referred to in the literature as a hybrid scheme, referencing public-key-symmetric-key hybrid. To avoid confusion, we elect to use the term KEM-DEM paradigm instead and use hybrid schemes to refer to classical-quantum hybrid schemes.
In addition to proposing the KEM-DEM paradigm, Cramer and Shoup outlined the necessary conditions on the KEM, K, and DEM, Π sym , for the resulting PKE, (K, Π sym ), to achieve IND-CCA-security. The following theorem outlines these conditions. Theorem 1. If K, a KEM, is IND-CCA-secure and Π sym , a DEM, is IND-OT-CCA-secure, then (K, Π sym ), described in Algorithms 4-6 is an IND-CCA-secure PKE.
We include an informal outline of the proof of Theorem 1. Since K is IND-CCA-secure, the key used to encrypt the challenge message k * is indistinguishable from a bit string of equal length sampled uniformly at random, say r. The challenger then generates (c * KEM , k * ), but instead of using k * to encrypt the message, r is used. From here, the adversary is then given (c * KEM , c * Π sym ) and is effectively in the IND-OT-CCA-security experiment for Π sym .
We make the observation that the proof of this theorem is also directly applicable in the quantum setting, and as a corollary state the quantum version of Theorem 1.

Combiners
In this section, we introduce and formally define robust combiners. We provide a review of previous PKE and KEM combiners in Section 4.
First, we define the notion of a (k, n)-robust combiner. Informally, a (k, n)-robust combiner is an algorithm that accepts inputs of n of the same type of cryptographic schemes to produce a new cryptographic scheme, and so long as at least k of the inputs satisfies the same security notion the output is also equally secure. The formal definition of a robust combiner was first proposed by Harnik et al. [2] to formalize such combinations. Definition 7 ((k, n)-Robust Combiner). Let P be a set of cryptographic primitives. A (k, n)robust combiner is an algorithm that gets n candidate schemes from P as inputs, and whose output is a single algorithm that is secure to some security specification s, if the following holds: 1.
If at least k candidates securely implement the security specification s, then the result of the combiner also securely implements s.

2.
The running time of the result of the combiner is polynomial in the security parameter m, in n, and in the lengths of the inputs to P.

QuAKe
In this section, we propose the Quantum Augmented KEM-DEM (QuAKe) combiner and then prove it is a (1, 2)-robust combiner for both IND-CCAand Q c Q-IND-CCA-security in the classical and quantum random oracle models, respectively.

Construction
We first outline the QuAKe combiner. Informally, QuAKe encrypts the message with the KEM-DEM scheme, (K, Π sym ), then encrypts the DEM component of the ciphertext using the second PKE, Π asym . Intuitively, we prevent an adversary who can break the IND-CCA-security of (K, Π sym ) from having the (K, Π sym ) ciphertexts and prevent an adversary who can break the IND-CCA-security of Π asym from directly seeing the message encrypted within. Importantly, along with the message, we encrypt a secret random value, δ. Two hashes of δ are used as the randomness for the encapsulation of the KEM, K, and the encryption under Π asym , respectively. This δ value is then later used during the decryption process to provide a method of ensuring that the ciphertext was well-formed. This ensures that the adversary cannot perform any re-encryption/encapsulation attacks on a ciphertext. We formally present QuAKe in Algorithms 7-9.
1: (pk, sk) ←$ Π asym .KeyGen(1 n ) 2: (ek, dk) ←$ K.KeyGen(1 n ) 3: pk ← (pk, ek) 4: sk ← (sk, dk) 5: Return (pk , sk )  We first provide some insight into the construction of QuAKe. As mentioned, the use of δ is to deterministically randomize the encryption (encapsulation) of Π asym (K) and perform a check. This check is intended to guard against adversaries capable of total manipulation of either Π asym or K. For example, if an adversary is able to recover the key from any ciphertext of K, as well as encapsulate any key they wish, the adversary may attempt to recover the key used in the challenge ciphertext, re-encapsulate to a different ciphertext, and then submit it to the decryption oracle. Without a check, the decryption oracle would then return the challenge message directly to the adversary. The case of Π asym being completely broken by the adversary is analogous to the situation described above. Thus, without any check, there is no hope for security if one of Π asym or K is broken by the adversary.

Security of QuAKe
In this section, we prove that QuAKe is a (1, 2)-robust combiner with a tight security reduction for both IND-CCA and Q c Q-IND-CCA-security in the classical and quantum random oracle models, respectively.  (8) where the run times of all B i are approximately equal to that of A, q Dec is the number of decryption queries made by A, and q Hash i is the number of queries made to the random oracle Hash i by A.
We begin with the correctness of Π. It is straightforward to see that Π is perfectly correct if both (K, Π sym ) and Π asym are perfectly correct. If (K, Π sym ) is perfectly correct, then the real encrypted message m δ in (c KEM , c DEM ) is always recovered when running the (K, Π sym ) part of the decryption. If Π asym is perfectly correct, then c PKE always correctly decrypts to c DEM . Finally, the deterministic re-encryption check is done; thus, an honestly generated ciphertext δ would have been used to generate the randomness for both c KEM and c PKE and so would pass the re-encryption check. Therefore, we have that Π is perfectly correct.
We now suppose that (K, Π sym ) and Π asym are both not perfectly correct, but are 1 -and 2 -correct, respectively. Whenever a decryption query is made, both K.Decaps and Π asym .Dec are performed. In the case of a decapsulation error occurring, a different symmetric key is recovered and used to decrypt some c DEM and obtain some m δ . The case where m δ is equal to the actual message and randomness used is overwhelmingly unlikely. Therefore, either ⊥ is returned if either check fails or a different message is returned if the checks are passed. As decapsulation errors happen with probability 1 , the probability of returning a different output instead of the true message is bounded above by probability 1 . The argument is analogous when considering the case of a decryption error occurring, and the probability of an output that is not the true message being returned is bounded above by 2 . We thus conclude that Π is -correct, where = max{ 1 , 2 }. Proof. We now prove the security of Π. First, we assume (K, Π sym ) is an IND-CCA-secure KEM-DEM encryption scheme.
G 0 : Game 0, described in Algorithm 10, is the IND-CCA-security experiment for Π so, Algorithm 10 Game 0 for the proof of Theorem 2, G 0 .
1: ((pk, ek), (sk, dk)) ←$ Π.KeyGen(1 n ) 2: m 0 , m 1 , st ← A Dec((sk,dk),·),Hash 1 (·),Hash 2 (·) (pk, ek) G 1 : For Game 1, outlined in Algorithm 11, we replace both Hash 1 (δ * ) and Hash 2 (δ * ) with h and h , respectively, chosen uniformly at random from the ranges of Hash 1 and Hash 2 , so that if Hash i is called on δ * , either h or h is returned instead of Hash 1 (δ * ), or Hash 2 (δ * ), respectively. This replacement is done consistently with the decryption algorithm so that if Hash i is evaluated on δ * during decryption, h and h are used to perform the checks. The probability of distinguishing between the first two games is upper bounded by the probability of A guessing δ * and querying it. As δ * was sampled uniformly at random, and as A has no access to δ * , unless they are able to completely invert both Π asym and (K, Π sym ) since the decryption oracle never returns δ * , we have that where q Hash i is the number of queries A makes to Hash i . We can now demonstrate that if A can win Game 1, then A can be used as an oracle algorithm to win the IND-CCA experiment of (K, Π sym ). Claim: [1] Pr Proof. In the IND-CCA experiment of (K, Π sym ), B 1 is first given the encapsulation key ek of K, then it runs Π asym and generates (pk, sk), and picks two random oracles Hash 1 and Hash 2 , then forwards (pk, ek) to A. Here, B 1 is able to perfectly simulate the oracles A would have at this point, until eventually A terminates and outputs its two challenge messages m 0 and m 1 . Then, B 1 picks δ * uniformly at random and submits m 0 δ * and m 1 δ * as its challenge messages. It then receives (c * KEM , c * DEM ) before picking h uniformly at random and computing c * PKE ← Π asym .Enc(pk, c * DEM ; h ) and giving (c * KEM , c * PKE ) to A. To answer decryption queries for A, when B 1 receives (c KEM , c PKE ) it first decrypts c PKE itself by using sk, then uses its decryption oracle (c KEM , c PKE ), and finally performs the checks after receiving the decryption m δ . Note that if (c KEM , c DEM ) = (c * KEM , c * DEM ), then B 1 cannot query its decryption oracle, but it does not need to do so, as in the real experiment such a query, provided a decryption error does not occur, would fail the reencryption check. Thus, B 1 will just perform a hash query to each of Hash 1 and Hash 2 before returning ⊥. As a result, the simulation is then perfect unless an error occurs in Game 1 during decryption and results in a message being returned. Eventually, A will submit a guess and B 1 will submit the same guess.
Let E denote the event that A performs a query of the form, (c * KEM , c PKE ) and Dec(sk, c PKE ) = c * DEM , that does not return ⊥ in Game 1 but does return ⊥ when simulated by B 1 .
We have that First, note that ¬E corresponds to B 1 's simulation of A's decryption oracle being perfect, that is B 1 's answer to queries of the form (c * KEM , c PKE ) and Dec(sk, c PKE ) = c * DEM agree with A's decryption oracle. Thus, we have We now bound from above Pr [E]. As described, if decryption was performed correctly, the oracle would return ⊥ as the query would fail the re-encryption check; thus, E could only have occurred if a decryption error had taken place. Since QuAKe is -correct we apply a uniform bound across all decryption queries and conclude that Pr[E] ≤ · q Dec .
Thus , we have As a result, by combing the inequalities above, we have We now consider the case where Π asym is an IND-CCA PKE.
Proof. G 0 : Game 0, as described in Algorithm 10, is the IND-CCA-security experiment for Π so, G 1 : For Game 1, we perform the same game hop as before in Algorithm 11, and replace both Hash 1 (δ * ) and Hash 2 (δ * ) with h and h , chosen independently and uniformly at random from the ranges of Hash 1 and Hash 2 . This change is done consistently with the random oracles and the decryption oracle so that if δ * is queried during decryption, h and h are used for the check. By the same argument as above we have that the probability that A distinguishes between these games is where q Hash i is the number of queries A makes to Hash i . We are now able to show that if A can win Game 1, then A can be used as an oracle algorithm to win the IND-CCA experiment of Π asym .
Claim: [2] Pr Proof. Suppose that A can win Game 1 in the classical setting with non-negligible probability, then it can be used as an oracle algorithm to break the IND-CCA-security of Π asym as follows. Once B 2 is given pk by the IND-CCA challenger it runs (K, Π sym ) to generate the key pair (ek, dk), then it selects Hash 1 and Hash 2 uniformly at random, and finally forwards the (pk, ek) to A. At this stage, B 2 can perfectly act as a random oracle to A and uses its decryption oracle for Π asym to act as a decryption oracle for Π. Eventually, A terminates and outputs challenge messages m 0 and m 1 to B 2 who then selects δ * and h uniformly at random and performs the following computations: Then, B 2 submits c * DEM,0 , c * DEM,1 as its challenge messages. Next, B 2 then receives c * PKE and forwards (c * KEM , c * PKE ) to A and acts as the decryption oracle. We note that there are special cases of decryption queries that B 2 will not fully perform, but can answer. 1.
(c, c * PKE ): B 2 cannot query c * PKE to its own decryption oracle. However, B 2 answers the query as follows: use dk to decapsulate c; if the result is k * , query Hash 1 and Hash 2 on r, a uniform random value, then return ⊥; otherwise, simply return ⊥ without querying the random oracles. In the first case, the real IND-CCA experiment would reject, as the re-encapsulation check would fail. While in the second case, the symmetric decryption algorithm would reject as c * DEM,b was encrypted under k * and the key given was different.

2.
(c * KEM , c PKE ) ∧ Dec(sk, c PKE ) = c * DEM,b : B 2 will always return ⊥ and query Hash 1 and Hash 2 on r, a uniform random value. In a real experiment, such a query would be rejected as it would fail the re-encryption check.
For all other queries, B 2 is able to perform decryption queries perfectly matching A's oracles.
Eventually, A terminates and outputs a guess, which B 2 matches. Let F denote the event that A performs a special case decryption query that does not return ⊥ in Game 1 but returns ⊥ when simulated by B 2 .
We have that First, note that ¬F corresponds to B 2 's simulation of A's decryption oracle being perfect, as it was able to correctly answer all special case decryption queries. Thus, we have We now bound from above Pr[F]. As outlined above in how B 2 answers special decryption cases, if decryption was performed correctly, both cases would return ⊥, thus F could only have occurred if a decryption error had taken place. Since QuAKe is -correct we apply a uniform bound across all decryption queries and conclude that Pr[F] ≤ · q Dec .
Thus, we have Finally, we can conclude if Π asym is in an IND-CCA PKE, then where the run times of all B i are approximately equal to that of A, and the hash queries performed by each B i are equal to A.
Proof. We will outline the proof of Q c Q-IND-CCA-security of QuAKe. It is virtually identical to that of Theorem 2, except Hash 1 and Hash 2 are replaced with quantum random oracles, |Hash 1 and |Hash 2 , the simulator algorithms use 2q -wise independent functions, where q is the number of queries the adversary makes in the reduction, and the adversaries are quantum. The primary difference is the first game hop to G 1 , as described in Algorithm 11 in both halves of the proof. In the classical setting, we employ a simple replacement of Hash i (δ) with h or h . However, such a replacement does not work in the quantum random oracle model. This is due to the inability of the challenger to read the oracle queries and perform the replacement of Hash 1 (δ) with h and Hash 2 (δ) with h in the quantum random oracle model as a result of superposition access to the oracles. Instead, we invoke the O2H Lemma 1 to replace the hashes with random values and otherwise continue in the same manner. We provide a description of the O2H simulator B below in Algorithm 12, where A is the Q c Q-IND-CCA adversary from the security experiment. After this replacement, the proof continues in the same fashion as in Theorem 2.
Finally, P guess is then described in Algorithm 12. Note, as δ * was chosen uniformly at random from {0, 1} l , we have P guess = 1 2 l . We also note that B makes at most q Hash 1 + q Hash 2 + q Dec queries to its oracle |Hash 1 × Hash 2 to answer A's queries, and so we have that q = q Hash 1 + q Hash 2 + q Dec . Thus, by the O2H Lemma, we have that As mentioned before, from here, the proof proceeds in the same fashion as in Theorem 2, and we can then conclude

Comparisons
We next include a brief discussion on the previous results on combiners, beginning with PKE combiners and then KEM combiners.

PKE Combiners
Asmuth and Blakely [5] proposed what would retroactively become one of the first PKE combiner with the so-called "XOR-Input" combiner, defined as c = (Π 1 .Enc(pk 1 , r), Π 2 .Enc(pk 2 , m ⊕ r)), where r is a uniformly random value. However, Harnik et al. would later prove that such a combiner is not robust for IND-CCA-security, but rather is only robust for weaker notions, such as IND-CPA and IND-CCA1-security [6]. Additionally, Harnik et al. proved that the nested, or cascade, encryption combiner is also not robust for IND-CCA-security. Hohenberger et al. [8] proposed a combiner which does attain IND-CCA-security but requires three encryption schemes, each of which are required to be secure according to three different security notions, meaning it is, in essence, a (3, 3)-robust combiner. This undermines the appeal of using combiners in that the resulting algorithm is secure without full trust in the security of all inputs. Furthermore, there does not exist any result on the necessary and, more importantly, sufficient conditions to reach Q c Q-IND-CCA-security. Thus, the viability of this combiner for classical and quantum schemes is unclear.

KEM Combiners
Giacon et al. provided several IND-CCA-robust KEM combiners with different constructions assuming either the standard, random oracle, or ideal cipher models [10]. In this work, various key-mixing functions, or core functions, as Giacon et al. termed them, are used to combine the different keys and ciphertexts to produce a new secure key. Moreover, the authors establish a sufficient condition for the core function, such that the respective combiners retain IND-CCA-security from any one of the input KEMs. This condition is a novel security notion called split-key pseudorandomness. Informally, split-key pseudorandomness states that so long as any of the input keys are uniformly distributed, then the resulting evaluation of the core function will also be uniformly distributed. The specific core functions used in this work include: evaluating a pseudorandom function (PRF) on an individual key and all ciphertexts before XORing all evaluations together, using a random oracle on the ciphertexts and the keys or in a nested series of keyed permutations, and finally evaluating a PRF on the ciphertexts and a nested series of ideal cipher evaluations.
Bindel et al. provided further constructions of KEM combiners with the further consideration of adversaries with different levels of quantum capabilities, so-called X y Z adversaries [4]. The results of this approach were three KEM combiners in the same vein as Giacon et al.'s core functions which combine the different keys to produce the new key while also being secure against both classical and quantum adversaries. Specifically, the combiners constructed are the so-called "XOR-then MAC" combiners where the keys are split to produce an ephemeral key and MAC key to be computed over the ciphertexts and two combiners using a dual PRF as well as traditional PRFs.
Ultimately, the most successful previous works are those which present constructions of hybrid secure robust KEM combiners, that hybridize PKEs according to Theorem 1 and Corollary 1. However, this is done utilizing a similar approach, namely generating multiple keys and using core functions to sufficiently randomize them and creating a single symmetric key.
In comparison, our construction relies on fewer and relatively traditional assumptions of cryptographic primitives than the previous constructions. However, our construction does have the drawback of worse performance during decryption due to the re-encryption and re-encapsulation checks performed. Finally, most of the previous constructions rely on the secure KEM component having perfect correctness. This limits which quantum-resistant algorithms can be used as inputs due to the correctness error present in many lattice-based schemes. Our construction does not have this limitation.

Conclusions
Hybrid cryptographic algorithms, which combine both classical and quantum-resistant primitives, offer an appealing solution to the upcoming problems associated with the transitioning of the cryptographic infrastructure. Such algorithms provide quantum-resistance without the risk of losing current-day security assurances and satisfy existing standards. While there have been earlier work on the theory of hybrid cryptography, there have not been any results on direct constructions of hybrid PKEs or hybrid combiners for PKEs. The more common approach has been to develop KEM combiners and then convert the resulting KEM into a PKE.
In this work, we furthered the theory of hybrid cryptography by proposing a new provably secure (1, 2)-robust combiner, QuAKe, with tight reduction for both IND-CCAsecurity in the random oracle model, and Q c Q-IND-CCA-security in the quantum random oracle model. Our combiner built from the KEM-DEM paradigm first proposed by Cramer and Shoup [14] and augmented the paradigm to directly construct a new, fully secure PKE. Moreover, our construction was built with fewer components and security assumptions when compared with previous results, as well as not being limited to schemes with perfect decryption correctness.

Conflicts of Interest:
The authors declare no conflict of interest. The funding agencies had no role in the design of the study; in the analyses, in the writing of the manuscript, or in the decision to publish the results.

Appendix A
We now provide a brief introduction to quantum computation knowledge used for this work. Nielsen and Chuang [15] provide a standard text with a more complete explanation of the subject.
Let H be a finite-dimensional complex Hilbert space with an inner product. Vectors in H are denoted with "bra-ket" notation, with |x being a vector in H, and x| denoting the complex conjugate transpose of |x . The inner product on |x , |y is then given by x, y|x, y . A quantum state is defined as a vector in H with norm 1. Let {|x } x be a basis for H, then any quantum state |y in H can be represented in superposition as, where φ x are complex numbers such that |y has norm 1.
For two quantum systems H 1 and H 2 , the joint quantum system is given by the tensor product H 1 ⊗ H 2 ; for two states |x in H 1 and |y in H 2 , the joint quantum state is represented as |x |y , or |x, y . Quantum operations on H are represented by the unitary transformations U. Consequently, these quantum operations are, in fact, reversible prior to measurement, as during quantum computation they are unitary matrices. This is notable as it imposes some constraints with the quantization of classical operations such as decryption or decapsulation. In particular, let A be a classical algorithm with input x in {0, 1} a and output y in {0, 1} b and be a classical reversible mapping. Then, the corresponding unitary transformation A acting linearly on quantum states is given by For full generality, an additional workspace register may be included with the input and output registers. Thus, the general quantization of the classical algorithm is 1: (pk, sk) ←$ Π asym .KeyGen(1 n ) 2: m 0 , m 1 , st ← A Π asym .Dec(sk,·),|H(·) Q (pk) 3: b ←$ {0, 1} 4: c * ← Π asym .Enc(pk, m b ) 5: b ← A Π asym .Dec(sk,· =c * ),|H(·) Q (pk, st, c * ) 6: return [b = b ] Definition A3 (Correctness of KEMs). We say that a KEM K is -correct, if: Pr[Decaps(dk, c) = k|(ek, dk) ← KeyGen, (c, k) ← Encaps(ek)] ≤ . (A6) We say a KEM K is perfectly correct, if = 0.
Definition A4 (Correctness of DEMs). We say that a DEM Π sym is -correct, if for all messages m in the message space M Π sym :