Seamless Post-Quantum Transition: Agile and Efficient Encryption for Data-at-Rest

Federico Valbusa (1, a), Stephan Krenn (2, b), Thomas Lorünser (2,3, c) and Sebastian Ramacher (2, d)

1 PACY Lab @ RI CODE, Universität der Bundeswehr München, Munich, Germany
2 Department of Digital Safety and Security, AIT Austrian Institute of Technology, Vienna, Austria
3 Digital Factory Vorarlberg GmbH, Dornbirn, Austria

a https://orcid.org/0009-0006-2065-2673
b https://orcid.org/0000-0003-2835-9093
c https://orcid.org/0000-0002-1829-4882
d https://orcid.org/0000-0003-1957-3725
Work conducted while the author was affiliated with the AIT Austrian Institute of Technology.

Keywords: Post-Quantum Migration, Crypto-Agility, Key Encapsulation Mechanism, Authenticated Encryption.

Abstract: As quantum computing advances, its threat to traditional cryptographic protocols, especially for long-term encrypted data, becomes critical. This paper presents an agile cryptosystem designed to ease the transition from pre-quantum to post-quantum security by supporting efficient integration of post-quantum Key Encapsulation Mechanisms (KEMs). Our approach combines a CCA-secure KEM with robust Authenticated Encryption (AE), allowing only the encapsulated key to be updated during migration, without re-encrypting large data payloads—saving both computation and bandwidth. We formalize cryptographic agility via an agile-CCA security model, ensuring that neither the original nor updated ciphertexts leak information. A game-based proof shows that the construction remains agile-CCA secure if the underlying KEM and AE are individually CCA-secure in the random oracle model. The result is a future-proof scheme that enables enterprises and cloud providers to safeguard vast data volumes against emerging quantum threats with minimal disruption.

1 INTRODUCTION

The rise of quantum computing threatens classical encryption schemes, with algorithms such as Shor’s (Shor, 1997) endangering widely used public-key cryptosystems (Rivest et al., 1978; Diffie and Hellman, 1976). Preparing for a post-quantum world is critical, especially for securing data-at-rest, which typically relies on hybrid encryption. This paper addresses PQC migration for large encrypted datasets, such as in cloud storage, and introduces a new scheme that enables secure, efficient, and flexible transitions to PQ secure key encapsulations (Sullivan, 2009).

Motivation. The combination of asymmetric and symmetric encryption as hybrid encryption (Zhang, 2021) is the de facto standard for applications requiring the storage or communication of large amounts of data, balancing the flexibility of asymmetric methods with the efficiency of symmetric ciphers.
While quantum computers pose only moderate risks to symmetric cryptography, they threaten the security of asymmetric schemes, making efficient migration to post-quantum encryption essential—ideally without re-encrypting all plaintext. This is particularly critical for storage applications where large datasets reside on remote servers or in the cloud.

The urgency of the transition is underlined by a BSI report (Wilhelm et al., 2024) predicting scalable quantum computers within 10–15 years. Similarly, the UK’s National Cyber Security Centre urges immediate migration to meet a 2035 readiness target [1], in line with the US NSA’s guidance for the Commercial National Security Algorithm Suite 2.0 [2].

Following a multi-year selection process, NIST standardized the first post-quantum encryption scheme, ML-KEM (FIPS 203), in 2024. Standards like ML-KEM specify Key Encapsulation Mechanisms (KEMs) (Cramer and Shoup, 2004), which are tailored to encrypt only symmetric keys, sufficient for most applications (Barnes et al., 2022; Poettering and Rastikian, 2023). However, KEMs are conceptually different from traditional modes like RSA-OAEP (Kaliski and Staddon, 1998). Further post-quantum KEMs are expected to be standardized soon (Alagic et al., 2025), including by ISO/IEC under ISO/IEC 18033 [3].

[1] https://www.ncsc.gov.uk/guidance/pqc-migration-timelines, accessed 2025-03-26.
[2] https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/3148990/nsa-releases-future-quantum-resistant-qr-algorithm-requirements-for-national-se/, accessed 2025-03-26.

Valbusa, F., Krenn, S., Lorünser, T. and Ramacher, S.
Seamless Post-Quantum Transition: Agile and Efficient Encryption for Data-at-Rest.
DOI: 10.5220/0013641000003979
In Proceedings of the 22nd International Conference on Security and Cryptography (SECRYPT 2025), pages 759-764
ISBN: 978-989-758-760-3; ISSN: 2184-7711
Copyright © 2025 by Paper published under CC license (CC BY-NC-ND 4.0)
New cryptographic schemes must support both the PQC transition and general cryptographic agility—the ability to easily swap algorithms (Alnahawi et al., 2023; Ott et al., 2023). This flexibility is crucial but remains under-researched.

Finally, the secure combination of classical and quantum-safe algorithms, known as hybridization (Bruckner et al., 2023), may further bolster security by requiring adversaries to break multiple schemes. Our construction naturally supports such hybrid approaches, as will be detailed later.

Related Work. The PQC migration is accelerating, with a growing body of research addressing key challenges. (Ott et al., 2022) and (Wiesmaier et al., 2021) emphasize crypto-agility and hybrid schemes, while (Ott et al., 2019) highlights gaps in formal modeling.

Few frameworks address crypto-agility for our application (Badertscher et al., 2023). We focus on hybrid encryption (Zhang, 2021), combining symmetric and asymmetric methods for secure, efficient data protection (AbdElnapi et al., 2016; P. et al., 2020). The FO transform (Fujisaki and Okamoto, 2013) provides IND-CCA-secure hybrid encryption but lacks agility, as KEMs require full re-encryption upon key updates. We extend this approach to improve agility, inspired by (Fujisaki and Okamoto, 2013) for security proofs.

Our Contribution. We present a novel hybrid encryption protocol enabling cryptographic agility without re-encrypting large bulk data when updating the asymmetric part, supporting PQC transitions through KEM-based key generation. Motivated by real-world cloud migration, we define a new agile-CCA security model that extends CCA security with an update mechanism. Our scheme builds on the FO transform for hybrid PQC encryption and allows for efficient and straightforward updates.
[3] https://www.iso.org/standard/86890.html, accessed 2025-03-26.

2 PRELIMINARIES

Throughout this document, $n$ will denote the main security parameter. We write $s \xleftarrow{\$} S$ to denote that $s$ was sampled uniformly at random from a set $S$. By $a \leftarrow A(in)$ we denote that $a$ is the output of a potentially randomized algorithm $A$ on input $in$. If not mentioned explicitly, all algorithms in this document are assumed to be probabilistic polynomial time (PPT). We further write $a \stackrel{?}{=} b$ to denote the result of the comparison of $a$ and $b$, i.e., it corresponds to 1 if and only if $a = b$. By $H : \{0,1\}^* \to \{0,1\}^n$ we denote a random oracle. A function $\varepsilon : \mathbb{N} \to \mathbb{R}_{\geq 0}$ is said to be negligible if $\forall c > 0\ \exists m \in \mathbb{N} : \varepsilon(n) \leq 1/n^c$ for all $n > m$.
Key Encapsulation Mechanism (KEM). Intuitively, a KEM can be thought of as a special type of asymmetric encryption mechanism. However, instead of encrypting a message directly, a KEM encapsulates a randomly generated symmetric key using asymmetric encryption, allowing the recipient to securely retrieve and use the key for fast symmetric encryption of actual data. More precisely, a KEM consists of three algorithms: a key generation algorithm $\mathsf{Gen}_{KEM}$, which outputs a pair of keys (a public key and a private key); an encapsulation algorithm $\mathsf{Encaps}$, which takes a public key as input and outputs a key $k'$ along with a ciphertext $c$ (essentially an encryption of $k'$ under the public key); and a decapsulation algorithm, which takes as input a ciphertext and a private key and outputs either a key or an error symbol $\bot$. A correctness condition requires that, for any key pair generated by $\mathsf{Gen}_{KEM}$, decapsulating a ciphertext produced by encapsulating along with $k'$ should recover $k'$.

A KEM is said to be CCA-secure (secure against chosen ciphertext attacks) if no adversary can gain any information about the secret key encapsulated inside a ciphertext, even after having seen decapsulations on arbitrary ciphertexts of its own choice. That is, any polynomial time adversary should not be able to distinguish a ciphertext coming from an encapsulated value from a random element in the ciphertext space with more than negligible probability $\varepsilon^{cca}_{KEM}(n)$, where $n$ is a security parameter.
Authenticated Encryption (AE). An AE scheme is a symmetric encryption mechanism that ensures both confidentiality and integrity of a message. That is, it not only encrypts the message to keep it secret but also produces an authentication tag that allows the recipient to verify that the ciphertext has not been tampered with before decrypting. Specifically, an AE scheme consists of three algorithms: a key generation algorithm $\mathsf{Gen}_{AE}$, which outputs a secret key $k$; an encryption algorithm $\mathsf{Enc}$, which takes a key $k$ and an arbitrary-length message $m$ as input and outputs a ciphertext $c$; and a decryption algorithm $\mathsf{Dec}$, which takes a key $k$ and a ciphertext $c$ as input and outputs either the original message or an error message. The scheme must satisfy the correctness property that decrypting a ciphertext produced by encrypting a message $m$ under the same key $k$ recovers $m$.

Intuitively, chosen-ciphertext attack (CCA) security for an authenticated encryption scheme ensures that an attacker cannot learn anything about the plaintext, even if they can obtain decryptions of arbitrary ciphertexts (excluding the target ciphertext). This means that the scheme remains secure against adversaries who attempt to manipulate ciphertexts and observe their decryptions, preventing attacks such as ciphertext malleability or oracle-based decryption exploits. In particular, any polynomial time adversary is not able to distinguish, given a ciphertext which is the encryption of one of two (known) messages, from which message the ciphertext has been obtained with more than negligible probability $\varepsilon^{cca}_{AE}(n)$. For formal definitions of KEM, AE, and their associated security notions, see (Krenn et al., 2025).
3 SECURITY MODEL

Our proposed scheme is designed as a public key encryption system for data at rest, with the capability to securely store large volumes of encrypted data. It aims to provide users with the ability to efficiently and securely rotate encryption keys and switch between encryption schemes. For this reason, we refer to it as an agile cryptosystem. The distinguishing feature compared to a traditional public key encryption scheme is as follows: ciphertexts consist of two parts, a static one and a dynamic one. For concreteness, the static one can be thought of as the encryption of the actual payload, while the dynamic part is the encryption of the symmetric key. Now, by the availability of an $\mathsf{Update}$ algorithm, the dynamic part can be updated (e.g., to a fresh key or an entirely new scheme) without requiring access to the actual payload.
Definition 1. An agile public key encryption scheme $\Pi$ with a message space $\mathcal{M}_\Pi$, ciphertext space $\mathcal{C}_\Pi = \mathcal{C}_{st} \times \mathcal{C}_{dyn}$, public key space $\mathcal{PK}_\Pi$ and private key space $\mathcal{SK}_\Pi$ consists of a tuple of PPT algorithms $(\mathsf{Gen}_\Pi, \mathsf{Enc}, \mathsf{Update}, \mathsf{Dec})$ such that:

- $\mathsf{Gen}_\Pi$ takes as input a security parameter $1^n$ and outputs a couple of keys $(pk, sk) \in \mathcal{PK}_\Pi \times \mathcal{SK}_\Pi$. We refer to the first as the public key and the second as the private key. We assume for convenience that $pk$ and $sk$ each have length at least $n$ and that $n$ can be determined from $pk$, $sk$.

- $\mathsf{Enc}$ takes as input a public key $pk$ and a message $m$ from some underlying plaintext space $\mathcal{M}_\Pi$ (that may depend on $pk$). It outputs a ciphertext $C = (c_{st}, c_{dyn}) \in \mathcal{C}_\Pi$, which we write as $C \leftarrow \mathsf{Enc}_{pk}(m)$. Here, $c_{st}$ stands for static ciphertext and $c_{dyn}$ for dynamic ciphertext.

- $\mathsf{Update}$ takes as input the public key $pk$, the secret key $sk$ and the dynamic component of a ciphertext $c_{dyn}$ and outputs a new dynamic component of a ciphertext $c'_{dyn}$. We write $c'_{dyn} \leftarrow \mathsf{Update}_{pk,sk}(c_{dyn})$.

- $\mathsf{Dec}$ takes as input a private key $sk$ and a ciphertext $C$, and outputs a message $m$ or a special symbol $\bot$ denoting failure. Without loss of generality, we assume that $\mathsf{Dec}$ is deterministic and write this as $m \leftarrow \mathsf{Dec}_{sk}(C)$.
We use the term “updated ciphertext” to indicate a ciphertext where the dynamic part results from the update algorithm and the static part is not changed. Namely, $C' = (c_{st}, c'_{dyn})$ is the updated ciphertext of $C = (c_{st}, c_{dyn})$, where $c'_{dyn} = \mathsf{Update}_{pk,sk}(c_{dyn})$.

For agile cryptosystems, correctness is guaranteed if decryption of original and updated ciphertexts always yields the underlying message. That is, we require that for all $n \in \mathbb{N}$, every $(pk, sk)$ output by $\mathsf{Gen}(1^n)$, and every message $m$ in the appropriate underlying plaintext space, the following equality holds: $\mathsf{Dec}_{sk}(\mathsf{Enc}_{pk}(m)) = m$. Moreover, $\mathsf{Dec}_{sk}(c_{st}, \mathsf{Update}^t_{pk,sk}(c_{dyn})) = m$ for every $t \in \mathbb{N}$, for every $n$, $(pk, sk)$, and $m$ as before, where $\mathsf{Update}^t$ means that the algorithm $\mathsf{Update}$ is executed $t$ times and $(c_{st}, c_{dyn}) \leftarrow \mathsf{Enc}_{pk}(m)$.
In the following we define the security of agile cryptosystems. The definition is strongly inspired by the IND-CCA notion; however, in addition, we grant the adversary access to an $\mathsf{Update}$ oracle as well. The adversary now wins if it is able to decide which of two adversarially-chosen messages is contained within a challenge ciphertext, as long as neither the challenge ciphertext nor any updated version of it has been queried to the decryption oracle.

This security concept ensures that an adversary cannot gain any information from a ciphertext, even when multiple ciphertexts and their updated versions are available. It effectively models a scenario where a malicious server storing users’ encrypted data attempts to disclose it.
$\mathsf{Exp}^{\text{ag-cca}}_{\mathcal{A},\Pi}(1^n)$:
1: $(pk, sk) \leftarrow \mathsf{Gen}_\Pi(1^n)$
2: $(m_0, m_1) \leftarrow \mathcal{A}^{\mathsf{Dec}_{sk}(\cdot),\, \mathsf{Update}_{pk,sk}(\cdot)}()$
3: $b \xleftarrow{\$} \{0, 1\}$
4: $C^* \leftarrow \mathsf{Enc}_{pk}(m_b)$
5: $b' \leftarrow \mathcal{A}^{\mathsf{Dec}_{sk}(\cdot),\, \mathsf{Update}_{pk,sk}(\cdot)}(C^*)$
6: return $b' \stackrel{?}{=} b$
Definition 2. An agile encryption scheme $\Pi = (\mathsf{Gen}_\Pi, \mathsf{Enc}, \mathsf{Update}, \mathsf{Dec})$ is said to be agile-CCA secure if for all PPT adversaries $\mathcal{A}$ there exists a negligible function $\varepsilon^{agcca}_\Pi$ such that

$\Pr[\mathsf{Exp}^{\text{ag-cca}}_{\mathcal{A},\Pi}(1^n) = 1] \leq \frac{1}{2} + \varepsilon^{agcca}_\Pi(n),$

where $\mathcal{A}$ is not allowed to query the decryption oracle $\mathsf{Dec}_{sk}(\cdot)$ with the challenge ciphertext $C^*$, or any updated version of it, and the experiment is defined in the previous table.
4 DEFINITION OF OUR SCHEME

In the following we present an agile cryptosystem, denoted $\Pi$, satisfying all the requirements defined in the previous section within the random oracle model. In a nutshell, the protocol follows the hybrid encryption paradigm, where the message is encrypted using a symmetric key coming from a KEM, and the encapsulation of the symmetric key is stored alongside the ciphertext. Agility is ensured by allowing the public key encryption of the symmetric key to be changed without the need to re-encrypt the (potentially large) message itself.

As discussed earlier, this would be trivial if a public key encryption scheme were used for the encryption of the symmetric key, as one could simply decrypt the ciphertext and re-encrypt it using a different scheme; however, for KEMs, one does not have control over the secret key (as it is an output rather than an input). We thus insert an XOR component, which we use to decouple the symmetric key from the KEM’s output: rather than using the KEM’s key directly, we use it to blind the (static) symmetric key in a one-time-pad manner.
Our scheme has four components: First, the message is encrypted using a CCA-secure symmetric authenticated encryption scheme AE, with a randomly generated key $k$. Second, a CCA-secure KEM encapsulates another key $k'$, and the encapsulation $e$ is part of the ciphertext. Third, the ciphertext includes the XOR $e'$ of the symmetric key $k$ and the KEM-derived key $k'$, assuming both keys are encodable as strings of the same length. Finally, a random oracle applied to $(k', e, e')$ ensures integrity and completes the ciphertext. Note that the symmetric key can be encrypted using multiple cryptosystems by employing a combined KEM (e.g., based on pre-quantum and post-quantum assumptions), combining their security features (Giacon et al., 2018). This approach ensures that an adversary must break each of the cryptosystems individually to recover the symmetric key.
Observe that, with a slight abuse of notation, we refer to the encryption and decryption operations as $\mathsf{Enc}$ and $\mathsf{Dec}$ respectively, for both the symmetric scheme AE and the agile scheme $\Pi$. However, it is important to distinguish between these operations. In the symmetric case, the subscript $k$ (the symmetric key) is used (namely, $\mathsf{Enc}_k$ and $\mathsf{Dec}_k$), while in the other case, the public key $pk$ and secret key $sk$ are used ($\mathsf{Enc}_{pk}$ and $\mathsf{Dec}_{sk}$). When these indices are not explicitly provided, the context clarifies which of the two algorithms is being referred to.
Specifically, the algorithms of the scheme are implemented in this way:

The key generation $\mathsf{Gen}_\Pi$ simply generates a key pair $(pk, sk)$ of the key encapsulation scheme KEM.

The encryption algorithm $\mathsf{Enc}$ takes as input the message $m$ and the public key $pk$. It generates a random symmetric key $k$, and a ciphertext and a key using the $\mathsf{Encaps}$ algorithm of KEM ($e$ and $k'$, respectively), which is fed with the public key $pk$. The scheme then computes the XOR of the two generated keys, encrypts the message $m$ with the AE algorithm using the symmetric key $k$, obtaining a symmetric ciphertext $c$, and generates a tag $\tau$ using the random oracle $H$. This tag binds together the key and ciphertext generated by $\mathsf{Encaps}$ and the XOR (namely, $\tau = H(k', e, e')$). Finally, everything computed, except for the symmetric key $k$ and the key $k'$ produced by $\mathsf{Encaps}$, is output as the ciphertext. To simplify the notation, sometimes the symbol $C$ is used to indicate the ciphertext of the encryption scheme, i.e., $C := (c, e, e', \tau)$. Observe that $C = (c_{st}, c_{dyn})$ where $c_{st} = c$ and all the other components of $C$ constitute $c_{dyn}$.
The update procedure $\mathsf{Update}$ takes as input the public key $pk$, the secret key $sk$, and the dynamic part $c_{dyn} = (e, e', \tau)$ of a ciphertext $C = (c, c_{dyn})$, i.e. the encapsulated key $e$, the XOR component $e'$, and the expected tag $\tau$. First, the algorithm decapsulates the encapsulated key $e$ using the secret key $sk$ to obtain a candidate key $k'$. It then computes the symmetric key $k$ by XORing the recovered key $k'$ with the XOR component $e'$. The algorithm checks whether the result of the random oracle function $H(k', e, e')$ equals the expected tag $\tau$. If the check passes, the algorithm proceeds by generating a new encapsulated key $e_2$ and a new key $k'_2$ using the $\mathsf{Encaps}$ procedure with the public key $pk$. It then computes a new XOR component $e'_2$ by XORing the symmetric key $k$ with the new key $k'_2$ and calculates a new tag $\tau_2$ using the random oracle function $H$ with input $(k'_2, e_2, e'_2)$. The updated values, including the new encapsulated key $e_2$, the new XOR component $e'_2$, the original ciphertext $c$, and the new tag $\tau_2$, are returned. If the random oracle check fails, the algorithm returns the error symbol $\bot$, indicating that the update operation cannot be performed.
The decryption algorithm $\mathsf{Dec}$ takes as input the secret key $sk$ and the ciphertext. First, it decapsulates the $\mathsf{Encaps}$ ciphertext and XORs the result with the XOR component of the ciphertext to recover the symmetric key $k$. It then performs the random oracle check using the components from the ciphertext. If the check succeeds, the algorithm decrypts the symmetric ciphertext using the recovered key $k$. The result is output. If the random oracle check fails, the error symbol $\bot$ is output (see (Krenn et al., 2025) for an explicit version of all the procedures). It is clear that the correctness property holds from the correctness of the encapsulation scheme KEM and the correctness of the authenticated encryption AE. Furthermore, the scheme is efficient, as the $\mathsf{Update}$ algorithm does not require the symmetric ciphertext $c$ for its operation.
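The four algorithms above, as an added Python example that is not the paper's or the authors' code: the KEM and the AE are constructed stand-ins (an HMAC-based "KEM" whose pk equals sk, and a SHA-256 counter-mode encrypt-then-MAC), used only so the code runs with the standard library, and the random oracle H is SHA-256 over a length-prefixed encoding of (k', e, e'). It generalizes the paper's Update, which re-encapsulates under the same (pk, sk), by letting Update decapsulate with the old secret key and re-encapsulate under a new KEM and public key, which is the migration scenario the paper motivates; the payload and the two KEM names are constructed sample values.

```python
import hashlib, hmac, os

KEY_LEN = 32  # k and k' are both 32-byte strings, so the XOR blinding is well defined

class StandInKEM:
    """KEM-shaped stand-in constructed for this example (NOT a real or post-quantum KEM):
    pk and sk are the same random bytes and k' = HMAC(sk, name || e). ML-KEM would sit here."""
    def __init__(self, name):
        self.name = name.encode()  # two instances ("schemes") derive different keys
    def gen(self):
        sk = os.urandom(KEY_LEN)
        return sk, sk  # (pk, sk)
    def encaps(self, pk):
        e = os.urandom(KEY_LEN)
        return e, hmac.new(pk, self.name + e, hashlib.sha256).digest()
    def decaps(self, sk, e):
        return hmac.new(sk, self.name + e, hashlib.sha256).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _subkeys(k):  # separate encryption and MAC subkeys derived from k
    return hashlib.sha256(k + b"enc").digest(), hashlib.sha256(k + b"mac").digest()

def _keystream(k_enc, nonce, n):  # SHA-256 in counter mode stands in for a real cipher
    return b"".join(hashlib.sha256(k_enc + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))[:n]

def ae_enc(k, m):  # encrypt-then-MAC AE stand-in (use AES-GCM in production)
    k_enc, k_mac = _subkeys(k)
    nonce = os.urandom(16)
    ct = xor(m, _keystream(k_enc, nonce, len(m)))
    return nonce + ct + hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()

def ae_dec(k, c):
    k_enc, k_mac = _subkeys(k)
    nonce, ct, tag = c[:16], c[16:-32], c[-32:]
    expected = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()
    if len(c) < 48 or not hmac.compare_digest(tag, expected):
        return None  # malformed or integrity failure
    return xor(ct, _keystream(k_enc, nonce, len(ct)))

def H(k_prime, e, e_prime):
    """Random-oracle stand-in; length prefixes make the tuple encoding unambiguous."""
    h = hashlib.sha256()
    for part in (k_prime, e, e_prime):
        h.update(len(part).to_bytes(4, "big") + part)
    return h.digest()

def agile_enc(kem, pk, m):
    k = os.urandom(KEY_LEN)        # fresh symmetric key k (Gen_AE)
    e, k_prime = kem.encaps(pk)    # KEM key k' and its encapsulation e
    e_prime = xor(k, k_prime)      # e' = k XOR k' (one-time-pad blinding)
    tau = H(k_prime, e, e_prime)   # tag binding k', e and e'
    return ae_enc(k, m), (e, e_prime, tau)  # C = (c_st, c_dyn)

def _recover_key(kem, sk, c_dyn):
    e, e_prime, tau = c_dyn
    k_prime = kem.decaps(sk, e)
    if not hmac.compare_digest(tau, H(k_prime, e, e_prime)):
        return None                # random-oracle check failed: reject
    return xor(k_prime, e_prime)

def agile_update(old_kem, old_sk, new_kem, new_pk, c_dyn):  # c_st is never read
    k = _recover_key(old_kem, old_sk, c_dyn)
    if k is None:
        return None
    e2, k2 = new_kem.encaps(new_pk)
    e2_prime = xor(k, k2)
    return e2, e2_prime, H(k2, e2, e2_prime)

def agile_dec(kem, sk, C):
    c, c_dyn = C
    k = _recover_key(kem, sk, c_dyn)
    return None if k is None else ae_dec(k, c)

def migrate_demo():
    """Encrypt under a legacy stand-in, migrate only c_dyn to a second stand-in KEM."""
    m = b"bulk data at rest (constructed sample payload)"
    legacy, pq = StandInKEM("legacy-kem"), StandInKEM("pq-kem")
    (pk_a, sk_a), (pk_b, sk_b) = legacy.gen(), pq.gen()
    c, dyn = agile_enc(legacy, pk_a, m)
    dyn2 = agile_update(legacy, sk_a, pq, pk_b, dyn)
    tampered = (dyn2[0], xor(dyn2[1], b"\x01" * KEY_LEN), dyn2[2])  # flip bits of e'
    return {"original": agile_dec(legacy, sk_a, (c, dyn)),
            "updated": agile_dec(pq, sk_b, (c, dyn2)),
            "retired_key": agile_dec(legacy, sk_a, (c, dyn2)),
            "tampered": agile_dec(pq, sk_b, (c, tampered))}
```

After the update the retired key no longer decrypts, and a modified e' is rejected by the H check before any AE decryption is attempted.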
5 PROOF OF SECURITY

Our goal is to prove that the previously defined scheme $\Pi$ satisfies the agile-CCA security property, cf. Definition 2. The security is proven under the assumptions that KEM is CCA secure and AE is CCA secure. The strategy employed for the proof is the classical game-based approach relying on indistinguishable transitions. In every transition, the update $\mathsf{Update}_{pk,sk}$ and decryption $\mathsf{Dec}_{sk}$ oracles can be simulated with $\mathsf{Update}_{pk}$ and $\mathsf{Dec}$ described after the hops.
Transitions:

Game $G_0$ is our original CCA game.

$\mathsf{Exp}^{\text{cca}}_{\mathcal{A},\Pi}(1^n)$ (Game $G_0$):
1: $(pk, sk) \leftarrow \mathsf{Gen}_{KEM}(1^n)$
2: $(m_0, m_1) \leftarrow \mathcal{A}^{\mathsf{Dec}_{sk}(\cdot,\cdot,\cdot,\cdot),\, \mathsf{Update}_{pk,sk}(\cdot,\cdot,\cdot)}(pk)$
3: $b \xleftarrow{\$} \{0, 1\}$
4: $k \leftarrow \mathsf{Gen}_{AE}(1^n)$
5: $(e, k') \leftarrow \mathsf{Encaps}(pk)$
6: $e' = k \oplus k'$
7: $c \leftarrow \mathsf{Enc}_k(m_b)$
8: $\tau \leftarrow H(k', e, e')$
9: $C := (c, e, e', \tau)$
10: $b' \leftarrow \mathcal{A}^{\mathsf{Dec}_{sk}(\cdot,\cdot,\cdot,\cdot),\, \mathsf{Update}_{pk,sk}(\cdot,\cdot,\cdot)}(C)$
11: return $b' \stackrel{?}{=} b$

$G_0 \to G_1$: Under the assumption that KEM is CCA secure, the adversary is not able to distinguish a key $k'$ produced by the $\mathsf{Encaps}$ algorithm from a random string $r_{k'}$ of the same type with non-negligible probability. So, we can replace $(e, k')$ with an independent ciphertext and key $(r_e, r_{k'})$, respectively. $e'$ can also be renamed $r_{e'}$, as it is the XOR of two strings, one of which is independent of everything else.

$G_1 \to G_2$: Here we replace $c$ with a random encryption, i.e. we can replace it with an encryption of the zero string of the same length as $|m_b|$. This is allowed by the CCA property of AE.

After these transitions, the adversary has only random data, i.e., nothing can be inferred regarding the ciphertext, so

$\Pr[G_2 = 1] = \frac{1}{2}.$
It remains to show that the oracles can be simulated. This is feasible thanks to the use of the random oracle $H$. Upon receiving a ciphertext for decryption or update, the simulator checks a list of previously encrypted or updated ciphertexts. If a match is found, the corresponding plaintext is known, making it straightforward to produce a new encryption (for an update) or return the plaintext (for a decryption). If the ciphertext was not previously generated, the adversary must have forged it, effectively guessing the output of the random oracle—a task that succeeds only with negligible probability (see (Krenn et al., 2025) for a more detailed proof). In the end, considering all the transitions and simulations, we obtain that the protocol satisfies the agile-CCA security property.

This proof relies on the CCA security of the inner KEM: even if an adversary obtains multiple ciphertexts and XORs several KEM-derived keys, no information about any single key leaks, assuming keys are independently drawn from a distribution indistinguishable from uniform. If keys are correlated or non-uniform, this guarantee fails. Similarly, breaking the authenticated encryption compromises the overall scheme. Finally, the random-oracle model binds each key to its ciphertext; without it, encapsulations remain malleable and at best IND-CPA secure.
6 CONCLUSION

We proposed a simple encryption scheme tailored to data-at-rest, enabling efficient key rotation and facilitating migration to post-quantum cryptography. Unlike conventional methods that require transmission and re-encryption of full ciphertexts, our approach updates only a small key encapsulation, saving bandwidth proportional to ciphertext size. We focus on agility by replacing only the public-key component, since changing the symmetric key without updating the ciphertext is not meaningful; this keeps the scheme efficient. In addition to external storage, our method could also enhance attribute-based encryption (Bethencourt et al., 2007) (ABE), particularly in settings where ABE-KEM (Chotard et al., 2017) is used, thus improving efficiency (see (Krenn et al., 2025) for details).
ACKNOWLEDGEMENT

This work has received funding from the European Union’s Horizon Europe research and innovation program under Grant Agreement No. 101114043 (“QSNP”), from the DIGITAL-2021-QCI-01 Digital European Program under Project number No. 101091642 and the Austrian National Foundation for Research, Technology and Development (“QCI-CAT”), and EU Digital Europe Programme under Grant Agreement No. 101190366 (PiQASO).
REFERENCES

AbdElnapi, N. M., Omara, F. A., and Omran, N. F. (2016). A hybrid hashing security algorithm for data storage on cloud computing.

Alagic, G., Maxime, B., Pierre, C., David, C., Quynh, D., Thinh, D., John, K., Jacob, L., Yi-Kai, L., Carl, M., Dustin, M., Rene, P., Ray, P., Angela, R., Hamilton, S., Daniel, S.-T., and Noah, W. (2025). Status report on the fourth round of the NIST post-quantum cryptography standardization process. Technical Report NIST IR 8545, National Institute of Standards and Technology.

Alnahawi, N., Schmitt, N., Wiesmaier, A., Heinemann, A., and Grasmeyer, T. (2023). On the state of crypto-agility. Cryptology ePrint Archive, Paper 2023/487.

Badertscher, C., Ciampi, M., and Kiayias, A. (2023). Agile cryptography: A universally composable approach. In Rothblum, G. and Wee, H., editors, Theory of Cryptography, pages 480–509, Cham. Springer Nature Switzerland.

Barnes, R., Bhargavan, K., Lipp, B., and Wood, C. A. (2022). Hybrid Public Key Encryption. RFC 9180.

Bethencourt, J., Sahai, A., and Waters, B. (2007). Ciphertext-policy attribute-based encryption. In 2007 IEEE Symposium on Security and Privacy (S&P 2007), 20-23 May 2007, Oakland, California, USA, pages 321–334. IEEE Computer Society.

Bruckner, S., Ramacher, S., and Striecks, C. (2023). Muckle+: End-to-end hybrid authenticated key exchanges. In Johansson, T. and Smith-Tone, D., editors, Post-Quantum Cryptography, pages 601–633, Cham. Springer Nature Switzerland.

Chotard, J., Phan, D. H., and Pointcheval, D. (2017). Homomorphic-policy attribute-based key encapsulation mechanisms. In Nguyen, P. Q. and Zhou, J., editors, Information Security - 20th International Conference, ISC 2017, Ho Chi Minh City, Vietnam, November 22-24, 2017, Proceedings, volume 10599 of Lecture Notes in Computer Science, pages 155–172. Springer.

Cramer, R. and Shoup, V. (2004). Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM J. Comput., 33(1):167–226.

Diffie, W. and Hellman, M. (1976). New directions in cryptography. IEEE Transactions on Information Theory, 22(6):644–654.

Fujisaki, E. and Okamoto, T. (2013). Secure integration of asymmetric and symmetric encryption schemes. Journal of Cryptology, 26(1):80–101.

Giacon, F., Heuer, F., and Poettering, B. (2018). KEM combiners. Cryptology ePrint Archive, Paper 2018/024.

Kaliski, B. and Staddon, J. (1998). PKCS #1: RSA cryptography specifications version 2.0. Request for Comments RFC 2437, Internet Engineering Task Force. Num Pages: 39.

Krenn, S., Lorünser, T., Ramacher, S., and Valbusa, F. (2025). Seamless post-quantum transition: Agile and efficient encryption for data-at-rest. Cryptology ePrint Archive, Paper 2025/742.

Ott, D., Moreau, D., and Gaur, M. (2022). Planning for cryptographic readiness in an era of quantum computing advancement. In International Conference on Information Systems Security and Privacy.

Ott, D., Paterson, K., and Moreau, D. (2023). Where is the research on cryptographic transition and agility? Communications of the ACM, 66(4):29–32.

Ott, D., Peikert, C., and other workshop participants (2019). Identifying research challenges in post quantum cryptography migration and cryptographic agility.

P., D., Babu, S., and Vijayalakshmi, Y. (2020). Enhancement of e-commerce security through asymmetric key algorithm. Computer Communications, 153:125–134.

Poettering, B. and Rastikian, S. (2023). A study of KEM generalizations. In Günther, F. and Hesse, J., editors, Security Standardisation Research, pages 53–77, Cham. Springer Nature Switzerland.

Rivest, R. L., Shamir, A., and Adleman, L. (1978). A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM, 21(2):120–126.

Shor, P. W. (1997). Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM Journal on Computing, 26(5):1484–1509.

Sullivan, B. (2009). Cryptographic agility. https://learn.microsoft.com/en-us/archive/msdn-magazine/2009/brownfield/cryptographic-agility.

Wiesmaier, A., Alnahawi, N., Grasmeyer, T., Geißler, J., Zeier, A., Bauspieß, P., and Heinemann, A. (2021). On PQC migration and crypto-agility.

Wilhelm, F. K., Steinwandt, R., Zeuch, D., Lageyre, P., and Kirchhoff, S. (2024). Status of quantum computer development - Entwicklungsstand Quantencomputer. Technical report, German Federal Office for Information Security.

Zhang, Q. (2021). An overview and analysis of hybrid encryption: The combination of symmetric encryption and asymmetric encryption. In 2021 2nd International Conference on Computing and Data Science (CDS), pages 616–622.