(2026-03) StarHunters— Secure Hybrid Post-Quantum KEMs From IND-CCA2 PKEs
2026-03-02
This paper formally specifies and analyzes the CK hybrid key encapsulation mechanism (KEM) construction from the IRTF CFRG’s recent draft on hybrid (post-quantum/traditional) KEMs CK combines two KEMs using a PRF to produce a hybrid KEM. Unlike the QSF framework of Barbosa et al., which combines an IND-CCA KEM with a nominal group (Diffie-Hellman-style), CK combines a C2PRI-secure post-quantum-secure KEM with an IND-CCA traditionlly-secure KEM constructed from an IND-CCA2 public key encryption (PKE) scheme, such as RSA-OAEP. We additionally show how to securely promote an IND-CCA2 PKE into an IND-CCA KEM. We perform two complementary security analyses of CK in the standard model: the first shows CK is IND-CCA assuming the traditional KEM is IND-CCA, the post-quantum KEM is C2PRI, and the KDF is a secure PRF; the second shows CK is IND-CCA assuming the post-quantum KEM is IND-CCA and the KDF is a secure PRF, even if the traditional KEM is completely broken. Neither proof requires the random oracle model.