Adaptive versus Static Multi-oracle Algorithms, and Quantum Security of a Split-key PRF

In the first part of the paper, we show a generic compiler that transforms any oracle algorithm that can query multiple oracles *adaptively*, i.e., can decide on *which* oracle to query at what point dependent on previous oracle responses, into a *static* algorithm that fixes these choices at the beginning of the execution. Compared to naive ways of achieving this, our compiler controls the blow-up in query complexity for each oracle *individually*, and causes a very mild blow-up only. In the second part of the paper, we use our compiler to show the security of the very efficient hash-based *split-key PRF* proposed by Giacon, Heuer and Poettering (PKC~2018), in the *quantum* random-oracle model. Using a split-key PRF as the key-derivation function gives rise to a secure KEM combiner. Thus, our result shows that the hash-based construction of Giacon et al. can be safely used in the context of quantum attacks, for instance to combine a well-established but only classically-secure KEM with a candidate KEM that is believed to be quantum-secure. Our security proof for the split-key PRF crucially relies on our adaptive-to-static compiler, but we expect our compiler to be useful beyond this particular application. Indeed, we discuss a couple of other, known results from the literature that would have profitted from our compiler, in that these works had to go though serious complications in oder to deal with adaptivity.