
Paper 2019/1356

Towards Post-Quantum Security for Signal's X3DH Handshake

Jacqueline Brendel, Marc Fischlin, Felix Günther, Christian Janson, and Douglas Stebila


Modern key exchange protocols are usually based on the Diffie-Hellman (DH) primitive. The beauty of this primitive, among other things, is the potential reuse of key shares: a DH share can be used either a single time or across multiple runs. Since DH-based protocols are insecure against quantum adversaries, alternative solutions have to be found when moving to the post-quantum setting. However, most post-quantum candidates, including schemes based on lattices and even supersingular isogeny DH, are not known to be secure under key reuse. In particular, this means that they cannot necessarily be deployed as an immediate DH substitute in protocols. In this paper, we introduce the notion of a split key encapsulation mechanism (split KEM) to translate the desired key reusability of a DH-based protocol to a KEM-based flow. We provide the relevant security notions of split KEMs and show how the formalism lends itself to lifting Signal's X3DH handshake to the post-quantum KEM setting without additional message flows. Although the proposed framework conceptually solves the raised issues, instantiating it securely from post-quantum assumptions proved to be non-trivial. We give passively secure instantiations from (R)LWE, yet overcoming the above-mentioned insecurities under key reuse in the presence of active adversaries remains an open problem. Approaching one-sided key reuse, we provide a split KEM instantiation that allows such reuse based on the KEM introduced by Kiltz (PKC 2007), which may serve as a post-quantum blueprint if the underlying hardness assumption (gap hashed Diffie-Hellman) holds for the commutative group action of CSIDH (Asiacrypt 2018). The intention of this paper hence is to raise awareness of the challenges arising when moving to KEM-based key exchange protocols with key reusability, and to propose split KEMs as a specific target for instantiation in future research.
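To make the split-KEM view of X3DH concrete, the following is an added example (not code from the paper, and not Signal's implementation). It instantiates a split KEM from X25519, where encapsulation takes the sender's secret key and the receiver's public key and decapsulation takes the receiver's secret key and the sender's public key; that interface is an assumption modelled on the abstract's description. The four DH computations of X3DH then become four split-KEM encapsulations, and the long-term identity key and semi-static signed prekey are reused across sessions with no extra message flow, which is exactly the key-reuse property the abstract says lattice-based candidates are not known to provide. The X25519 ladder follows RFC 7748; the KDF is a SHA-256 stand-in for Signal's, the signature on the signed prekey is omitted, and nothing here is constant-time.

```python
"""Split-KEM view of X3DH from X25519 (added illustration, stdlib only).

Assumed split-KEM interface: encaps(sk_sender, pk_receiver) -> (ct, K),
decaps(sk_receiver, pk_sender, ct) -> K. With a DH instantiation the
ciphertext is empty: the sender's public key alone fixes the key, which
is why one key share can serve in many runs. Not constant-time.
"""
import hashlib
import os

P = 2**255 - 19
A24 = 121665                      # (486662 - 2) / 4, RFC 7748
BASEPOINT = (9).to_bytes(32, "little")


def _cswap(swap, a, b):
    t = (-swap) & (a ^ b)         # swap is 0 or 1
    return a ^ t, b ^ t


def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder: clamped scalar k times u-coordinate u."""
    k = (int.from_bytes(k, "little") & ~7 & ~(1 << 255)) | (1 << 254)
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        x2, x3 = _cswap(swap, x2, x3)
        z2, z3 = _cswap(swap, z2, z3)
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    x2, x3 = _cswap(swap, x2, x3)
    z2, z3 = _cswap(swap, z2, z3)
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def keygen():
    sk = os.urandom(32)
    return sk, x25519(sk, BASEPOINT)


def skem_encaps(sender_sk, receiver_pk):
    """Split-KEM encapsulation (assumed interface): key depends on both parties."""
    return b"", x25519(sender_sk, receiver_pk)


def skem_decaps(receiver_sk, sender_pk, ct):
    assert ct == b""              # DH instantiation carries no ciphertext
    return x25519(receiver_sk, sender_pk)


def kdf(*shared):
    """Stand-in for Signal's KDF: SHA-256 over the concatenated DH outputs."""
    return hashlib.sha256(b"x3dh-demo" + b"".join(shared)).digest()


def x3dh_initiator(ik_a, bundle):
    """Alice: long-term IK_A is reused; EK_A is fresh for this session."""
    ik_a_sk, ik_a_pk = ik_a
    ik_b_pk, spk_b_pk, opk_b_pk = bundle
    ek_sk, ek_pk = keygen()
    pairs = [skem_encaps(ik_a_sk, spk_b_pk),   # DH1 = DH(IK_A, SPK_B)
             skem_encaps(ek_sk, ik_b_pk),      # DH2 = DH(EK_A, IK_B)
             skem_encaps(ek_sk, spk_b_pk),     # DH3 = DH(EK_A, SPK_B)
             skem_encaps(ek_sk, opk_b_pk)]     # DH4 = DH(EK_A, OPK_B)
    msg = {"ik_a": ik_a_pk, "ek_a": ek_pk, "cts": [c for c, _ in pairs]}
    return kdf(*(k for _, k in pairs)), msg


def x3dh_responder(ik_b_sk, spk_b_sk, opk_b_sk, msg):
    """Bob: IK_B and SPK_B are reused across sessions; OPK_B is one-time."""
    c1, c2, c3, c4 = msg["cts"]
    return kdf(skem_decaps(spk_b_sk, msg["ik_a"], c1),
               skem_decaps(ik_b_sk, msg["ek_a"], c2),
               skem_decaps(spk_b_sk, msg["ek_a"], c3),
               skem_decaps(opk_b_sk, msg["ek_a"], c4))


def demo(sessions=3):
    """Run several handshakes against the same IK_B/SPK_B and return the
    agreed session keys; raise if Alice and Bob ever disagree."""
    ik_a, ik_b, spk_b = keygen(), keygen(), keygen()
    keys = []
    for _ in range(sessions):
        opk_b = keygen()                      # fresh one-time prekey
        sk_a, msg = x3dh_initiator(ik_a, (ik_b[1], spk_b[1], opk_b[1]))
        sk_b = x3dh_responder(ik_b[0], spk_b[0], opk_b[0], msg)
        if sk_a != sk_b:
            raise RuntimeError("handshake disagreement")
        keys.append(sk_a)
    return keys


if __name__ == "__main__":
    ks = demo()
    print(f"{len(ks)} sessions agreed, {len(set(ks))} distinct session keys")
```

Swapping the DH instantiation for a lattice KEM is where the abstract's difficulty appears: the `ct == b""` shortcut disappears, `skem_encaps` must actually transmit a ciphertext computed under the receiver's public key, and reusing `spk_b` and `ik_b` as decapsulation keys across sessions is exactly the setting in which those schemes are not known to be secure against active adversaries.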

Category: Cryptographic protocols
Publication info: Published elsewhere. Selected Areas in Cryptography (SAC 2020)
Keywords: post-quantum, key encapsulation mechanisms, key exchange, Signal protocol, X3DH
Contact author(s): mail @ jbrendel-info de
History: 2019-11-27: received; 2020-10-05: revised
License: Creative Commons Attribution


@misc{cryptoeprint:2019/1356,
      author = {Jacqueline Brendel and Marc Fischlin and Felix Günther and Christian Janson and Douglas Stebila},
      title = {Towards Post-Quantum Security for Signal's X3DH Handshake},
      howpublished = {Cryptology ePrint Archive, Paper 2019/1356},
      year = {2019},
      note = {\url{https://eprint.iacr.org/2019/1356}},
      url = {https://eprint.iacr.org/2019/1356}
}