Paper 2019/088

Continuous Key Agreement with Reduced Bandwidth

Nir Drucker and Shay Gueron


Continuous Key Agreement (CKA) is a two-party procedure used by Double Ratchet protocols (e. g., Signal). This is a continuous and synchronous protocol that generates a fresh key for every sent/received message. It guarantees forward secrecy and Post-Compromise Security (PCS). PCS allows for reestablishing the security within a few rounds after the state of one of the parties has been compromised. Alwen et al. have recently proposed a new KEM-based CKA construction where every message contains a ciphertext and a fresh public key. This can be made quantum-safe by deploying a quantum-safe KEM. They mention that the bandwidth can be reduced when using an ElGamal KEM (which is not quantum-safe). In this paper, we generalized their approach by defining a new primitive, namely Merged KEM (MKEM). This primitive merges the key generation and the encapsulation steps of a KEM. This is not possible for every KEM and we discuss cases where a KEM can be converted to an MKEM. One example is the quantum-safe proposal BIKE1, where the BIKE-MKEM saves 50% of the communication bandwidth, compared to the original construction. In addition, we offer the notion and two constructions for hybrid CKA.

Available format(s)
Publication info
Preprint. MINOR revision.
Double Ratchet ProtocolContinuous Key AgreementPost Quantum CryptographyCode-based CryptographyBIKE
Contact author(s)
drucker nir @ gmail com
shay gueron @ gmail com
2019-01-28: received
Short URL
Creative Commons Attribution


      author = {Nir Drucker and Shay Gueron},
      title = {Continuous Key Agreement with Reduced Bandwidth},
      howpublished = {Cryptology ePrint Archive, Paper 2019/088},
      year = {2019},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.