\subsection{Problem 5}
\subsubsection{Solution 1:}
%Fix the message space $\mathcal{M} = \{0, 1\}$. 
Let $\mathsf{PKE}_A = (\mathsf{Gen}_A, \mathsf{Enc}_A, \mathsf{Dec}_A)$ and $\mathsf{PKE}_B = (\mathsf{Gen}_B, \mathsf{Enc}_B, \mathsf{Dec}_B)$
satisfy correctness, and assume that at least one of them is CPA-secure.

\textbf{Construction of the new scheme $\mathsf{PKE}_{\oplus} = (\mathsf{Gen}, \mathsf{Enc}, \mathsf{Dec})$.}
\begin{itemize}
    \item $\mathsf{Gen}(1^n)$:
    Run $(\mathsf{pk}_A, \mathsf{sk}_A) \leftarrow \mathsf{Gen}_A(1^n)$ and $(\mathsf{pk}_B, \mathsf{sk}_B) \leftarrow \mathsf{Gen}_B(1^n)$. Output
    $\mathsf{pk} := (\mathsf{pk}_A, \mathsf{pk}_B)$, $\mathsf{sk} := (\mathsf{sk}_A, \mathsf{sk}_B)$.
\end{itemize}

\begin{itemize}
    \item $\mathsf{Enc}_{\mathsf{pk}}(m\in \{0, 1\})$:
    Choose $r \leftarrow \{0, 1\}$ and compute
    $c_A := \mathsf{Enc}_A(\mathsf{pk}_A, r)$, $c_B := \mathsf{Enc}_B(\mathsf{pk}_B, m \oplus r)$.
    Return $c := (c_A, c_B)$.
    
    \item $\mathsf{Dec}_{\mathsf{sk}}(c_A, c_B)$:
    Compute
    $r := \mathsf{Dec}_A(\mathsf{sk}_A, c_A)$, $s := \mathsf{Dec}_B(\mathsf{sk}_B, c_B)$,
    and output $m := r \oplus s$.
\end{itemize}

\textbf{Correctness.} For every $m \in \{0, 1\}$ and every randomness $r$ used during encryption,
\[
\mathsf{Dec}_{\mathsf{sk}}(\mathsf{Enc}_{\mathsf{pk}}(m)) = \mathsf{Dec}_A(c_A) \oplus \mathsf{Dec}_B(c_B) = r \oplus (m \oplus r) = m,
\]
because both underlying schemes are correct.

\textbf{CPA security.} Assume, for the sake of contradiction, that there exists a non-uniform probabilistic
polynomial-time adversary $\mathcal{E}$ and a polynomial $p(\cdot)$ such that
\[
\Pr[\mathcal{E} \text{ wins the CPA game against } \mathsf{PKE}_{\oplus}] \geq \frac{1}{2} + \frac{1}{p(n)} \text{ for infinitely many } n. \quad (1)
\]
Define two polynomial-time adversaries $\mathcal{B}_A$ and $\mathcal{B}_B$ that will attack $\mathsf{PKE}_A$ and $\mathsf{PKE}_B$, respectively.

\textbf{Adversary $\mathcal{B}_B$ (against $\mathsf{PKE}_B$).}
\begin{enumerate}
    \item Receive the public key $\mathsf{pk}_B$ from its CPA challenger.
    \item Generate $(\mathsf{pk}_A, \mathsf{sk}_A) \leftarrow \mathsf{Gen}_A(1^n)$ and give $\mathsf{pk} := (\mathsf{pk}_A, \mathsf{pk}_B)$ to $\mathcal{E}$.
    \item Upon receiving $(m_0,m_1)$ from $\mathcal{E}$, pick $r \leftarrow \{0, 1\}$ and send
    $m^*_0 := m_0 \oplus r$, $m^*_1 := m_1 \oplus r$
    to the $\mathsf{PKE}_B$ challenger.
    \item Let the challenger return the challenge ciphertext $c_B$, which encrypts $m^*_b$ for some secret bit
    $b \in \{0, 1\}$. Compute $c_A := \mathsf{Enc}_A(\mathsf{pk}_A, r)$ and forward
    $(c_A, c_B)$
    to $\mathcal{E}$.
    \item Relay $\mathcal{E}$'s guess $b'$ to the challenger as $\mathcal{B}_B$'s own output.
\end{enumerate}

\textbf{Simulation quality.} The ciphertext given to $\mathcal{E}$ is distributed exactly as in the real $\mathsf{PKE}_{\oplus}$ game with
challenge bit $b$. Therefore
\[
\Pr[ \mathcal{B}_B \text{ outputs } b ] = \Pr[ \mathcal{E} \text{ wins } ] \geq \frac{1}{2} + \frac{1}{p(n)}
\]
for the same values of $n$ as in (1). Hence
\[
\mathrm{Adv}^{\mathsf{PKE}_B}_{\mathcal{B}_B}(n) \geq \frac{1}{p(n)} \quad (2)
\]
is non-negligible.

\textbf{Adversary $\mathcal{B}_A$ (against $\mathsf{PKE}_A$).} $\mathcal{B}_A$ proceeds symmetrically:

\begin{enumerate}
    \item Obtain $\mathsf{pk}_A$ from its challenger and generate $(\mathsf{pk}_B, \mathsf{sk}_B)$ locally.
    \item Forward $\mathsf{pk} = (\mathsf{pk}_A, \mathsf{pk}_B)$ to $\mathcal{E}$.
    \item When $\mathcal{E}$ outputs $(m_0,m_1)$, pick $r \leftarrow \{0, 1\}$ and send $m_0 \oplus r$, $m_1 \oplus r$ to the $\mathsf{PKE}_A$ challenger.
    \item Receive $c_A$ encrypting $m_b \oplus r$, compute $c_B := \mathsf{Enc}_B(\mathsf{pk}_B, r)$, return $(c_A, c_B)$ to $\mathcal{E}$, and output $\mathcal{E}$'s guess.
\end{enumerate}
Since
\[
(c_A,c_B)=\bigl(\mathsf{Enc}_{pk_A}(m_b \oplus r),\mathsf{Enc}_{pk_B}(r)\bigr)=\bigl(\mathsf{Enc}_{pk_A}(m_b \oplus r),\mathsf{Enc}_{pk_B}(m_b\oplus (m_b\oplus r))\bigr),
\]
and $m_b\oplus r$ is uniformly random (it plays the role of the encryption randomness in $\mathsf{PKE}_{\oplus}$), $\mathcal B_A$ perfectly simulates the CPA-security game of $\mathsf{PKE}_\oplus$ for $\mathcal E$. Therefore, 
\[
\mathrm{Adv}^{\mathsf{PKE}_A}_{\mathcal{B}_A}(n) \geq \frac{1}{p(n)}. \quad (3)
\]

\textbf{Deriving the contradiction.} By assumption, at least one of $\mathsf{PKE}_A$, $\mathsf{PKE}_B$ is CPA-secure. If $\mathsf{PKE}_B$ is secure, (2) contradicts its security; if $\mathsf{PKE}_A$ is secure, (3) gives the contradiction. Thus the premise (1) is impossible, which proves
\[
\Pr[ \mathcal{E} \text{ wins against } \mathsf{PKE}_{\oplus} ] \leq \frac{1}{2} + \mathsf{negl}(n)
\]
for every probabilistic polynomial-time adversary $\mathcal{E}$. Therefore the scheme $\mathsf{PKE}_{\oplus}$ is CPA-secure.
\subsubsection{Solution 2:}


We construct a new PKE scheme $\text{PKE}_C = (\text{Gen}, \text{Enc}, \text{Dec})$ as follows:

\subsubsection{Construction}

\textbf{$\text{Gen}(1^n)$:}
\begin{algorithmic}[1]
  \State Run $(pk_A, sk_A) \leftarrow \text{Gen}_A(1^n)$ and $(pk_B, sk_B) \leftarrow \text{Gen}_B(1^n)$
  \State Return $pk_C = (pk_A, pk_B)$ and $sk_C = (sk_A, sk_B)$
\end{algorithmic}

\textbf{$\text{Enc}_{pk_C}(m)$:}\\
For $pk_C = (pk_A, pk_B)$ and message $m \in \{0,1\}$:
\begin{algorithmic}[1]
  \State Compute $c_A = \text{Enc}_{pk_A}(m)$
  \State Parse $c_A = c_A[1]c_A[2]\cdots c_A[\ell]$ where $\ell = |c_A|$
  \State For each bit $c_A[i]$, compute $c_B[i] = \text{Enc}_{pk_B}(c_A[i])$
  \State Return $c = (c_B[1], c_B[2], \ldots, c_B[\ell])$
\end{algorithmic}

\textbf{$\text{Dec}_{sk_C}(c)$:}\\
For $sk_C = (sk_A, sk_B)$ and ciphertext $c = (c_B[1], \ldots, c_B[\ell])$:
\begin{algorithmic}[1]
  \State For each $i$, compute $c_A[i] = \text{Dec}_{sk_B}(c_B[i])$
  \State Reconstruct $c_A = c_A[1]c_A[2]\cdots c_A[\ell]$
  \State Return $m = \text{Dec}_{sk_A}(c_A)$
\end{algorithmic}

\subsubsection{Correctness:}
This follows directly from the correctness of PKE$_A$ and PKE$_B$.

\subsubsection{CPA Security:}

\textbf{Case 1: PKE$_A$ is CPA-secure.}
Suppose there exists a PPT adversary $\mathcal{A}$ that breaks the CPA-security of PKE$_C$. Then we construct a PPT adversary $\mathcal{B}^{\mathcal A}$ that breaks the CPA-security of PKE$_A$.

\begin{itemize}
    \item[]\textbf{Algorithm} $\mathcal{B}^{\mathcal A}$:
    \item Receive $pk_A$ from the $\text{PKE}_A$ challenger.
    \item Generate $(pk_B, sk_B) \leftarrow \text{Gen}_B(1^n)$.
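    \item Send challenge messages $m_0, m_1$ to the $\text{PKE}_A$ challenger. (Since the message space is $\{0,1\}$, we may assume without loss of generality that $\mathcal{A}$ always chooses $(m_0, m_1) = (0, 1)$, so $\mathcal{B}^{\mathcal A}$ can fix these messages before running $\mathcal{A}$.)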
    \item Receive challenge ciphertext $c_A^* = \text{Enc}_{pk_A}(m_b)$ for random $b$.
    \item For each bit $c_A^*[i]$, compute $c_B[i] = \text{Enc}_{pk_B}(c_A^*[i])$.
    \item Give $(pk_A, pk_B, (c_B[1], \ldots, c_B[\ell]))$ to $\mathcal{A}$.
    \item Pass $\mathcal{A}$'s response to the challenger.
\end{itemize}
$\mathcal{B}^{\mathcal A}$ perfectly simulates the IND-CPA game of PKE$_C$ for $\mathcal A$, so it breaks the CPA-security of PKE$_A$. This is a contradiction. Therefore, PKE$_C$ is CPA-secure if PKE$_A$ is CPA-secure.

\textbf{Case 2: PKE$_B$ is CPA-secure.}

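We use a hybrid argument. Here we assume that every ciphertext of PKE$_A$ under security parameter $n$ has the same length $\ell = \ell(n)$, so that $c_{A,0}$ and $c_{A,1}$ below can be compared position by position and the number of components of $c$ does not depend on the message. For $i = 0, 1, \ldots, \ell$, define game $H_i$ as follows.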
\begin{itemize}
    \item[] $H_i$:
    \item The challenger sends $pk_A,pk_B$ to the adversary.
    \item The adversary sends challenge messages $m_0, m_1$ to the $\text{PKE}_C$ challenger.
    \item The challenger computes $c_{A,0}:=\text{Enc}_{pk_A}(m_0),c_{A,1}:=\text{Enc}_{pk_A}(m_1)$. Then for every $j=1,\dots,\ell$, it continues to compute
    $$c_B[j]:=\left\{\begin{array}{cc}
       \text{Enc}_{pk_B}(c_{A,1}[j]),  & j\leq i \\
       \text{Enc}_{pk_B}(c_{A,0}[j]),  & j>i
    \end{array}\right.,$$
    and sends $c_B=(c_B[1],\dots,c_B[\ell])$ to the adversary.
    \item The adversary outputs a bit as the response.
\end{itemize}
Denote by $c_B^{(i)}$ the challenge ciphertext in $H_i$. Then $c_B^{(0)}$ (resp. $c_B^{(\ell)}$) is an encryption of $m_0$ (resp. $m_1$) under PKE$_C$. Therefore, to prove the CPA security of PKE$_C$, we only need to prove the indistinguishability of $H_0$ and $H_\ell$.

Fix any $i \in \{1,\dots,\ell\}$ and suppose there exists a p.p.t. adversary $\mathcal A_i$ that distinguishes $H_i$ from $H_{i-1}$ with non-negligible advantage. Then we can construct an adversary against $\text{PKE}_B$ as follows.
\begin{itemize}
    \item []\textbf{Algorithm} $\mathcal B_i^{\mathcal A_i}$:
    \item Receive $pk_B$ from the challenger.
    \item Call the key generation algorithm of PKE$_A$ to get $(pk_A,sk_A)$.
    \item Send $(pk_A,pk_B)$ to $\mathcal A_i$.
    \item Receive $m_0,m_1$ from $\mathcal A_i$.
    \item Compute $c_{A,0}:=\text{Enc}_{pk_A}(m_0),c_{A,1}:=\text{Enc}_{pk_A}(m_1)$.
    \item Send $c_{A,0}[i],c_{A,1}[i]$ to the challenger.
    \item Receive $c^*$ from the challenger.
    \item For every $j=1,\dots,\ell$, compute
     $$c_B[j]:=\left\{\begin{array}{cc}
       \text{Enc}_{pk_B}(c_{A,1}[j]),  & j< i \\
       c^*,&j=i\\
       \text{Enc}_{pk_B}(c_{A,0}[j]),  & j>i
    \end{array}\right.,$$
    and send $c_B=(c_B[1],\dots,c_B[\ell])$ to $\mathcal A_i$.
    \item Pass $\mathcal{A}_i$'s response to the challenger.
\end{itemize}
$\mathcal{B}_i$ perfectly simulates $H_i$ (resp. $H_{i-1}$) for $\mathcal A_i$ when $c^*$ is an encryption of $c_{A,1}[i]$ (resp. $c_{A,0}[i]$). Since $\mathcal A_i$ is assumed to distinguish $H_i$ from $H_{i-1}$ with non-negligible advantage, $\mathcal{B}_i$ breaks the CPA-security of PKE$_B$ with non-negligible advantage, which is a contradiction.

Therefore, $H_{i-1}$ and $H_i$ are indistinguishable for every $i=1,\dots,\ell$. Since $\ell$ is polynomial in $n$, summing the at most $\ell$ negligible gaps (triangle inequality) shows that
$H_0$ is indistinguishable from $H_\ell$, and thus PKE$_C$ is CPA-secure.\qed