(2026-04) Panther; Robust Hybrid KEM Combiners via Structural Splicing
2026-04-20
We present Panther, a family of six robust hybrid key encapsulation mechanism (KEM) combiners that pair FrodoKEM (unstructured LWE) with ML-KEM (module-LWE, FIPS 203) so that IND-CCA2 security holds whenever either assumption is hard. The family includes five hardened variants of the textbook combiners—parallel HKDF, SHAKE256 splitkey, sequential chaining, XOR, and nested—each made to satisfy a uniform robustness predicate (transcript binding, domain separation, implicit rejection, length normalisation, ∨-security), together with a novel structural-splicing construction Panther-SS that interleaves the constituent ciphertexts and binds the cut-positions via a structural tag. Every combiner admits a systematic Market-Theoretic Security Framework proof in which each bidding round is documented by its purpose, the scheme component it replaces, and its complexity cost; the framework extends cleanly to correctness, unbounded session security, QROM security, and quantitative side-channel resistance. We complement the theory with extensive benchmarks on liboqs-backed reference implementations, including a head-to-head comparison of Panther combiners against the keyencapsulation candidates that appeared in NIST PQC Rounds 1–4 (Kyber/ML-KEM, FrodoKEM, NTRU, SABER, NTRU Prime, Classic McEliece, BIKE, HQC). The experiments cover keygen/encaps/decaps latency, throughput, memory footprint, ciphertext and key sizes, scaling with query count, CPU-cycle counts, security-vs-performance Pareto analysis, and an attack-vsdefence matrix against published side-channel attacks on both constituents. The results confirm that hybrid robustness is essentially free over the slower constituent, that Panther-SS uniquely achieves full robustness with combiner-only overhead below half a percent of total latency, and that the Panther family sits on the Pareto frontier of post-quantum KEM candidates.