Cryptology ePrint Archive: Report 2019/1356

Challenges in Proving Post-Quantum Key Exchanges Based on Key Encapsulation Mechanisms

Jacqueline Brendel and Marc Fischlin and Felix Günther and Christian Janson and Douglas Stebila

Abstract: Modern key exchange protocols are usually based on the Diffie–Hellman (DH) primitive. The beauty of this primitive, among other things, is its potential reusage of key shares: DH shares can be either used once as an ephemeral key or used in multiple runs as a (semi-)static key. Since DH-based protocols are insecure against quantum adversaries, alternative solutions have to be found when moving to the post-quantum setting. However, most post-quantum candidates, including schemes based on lattices and even supersingular isogeny DH, are not known to be secure under key reuse. In particular, this means that they cannot be necessarily deployed as an immediate DH substitute in protocols.

In this paper, we introduce the notion of a split key encapsulation mechanism (split KEM) to translate the desired properties of a DH-based protocol, namely contributiveness and key-reusability, to a KEM-based protocol flow. We provide the relevant security notions of split KEMs and show that the formalism lends itself to lift Signal's X3DH to the post-quantum KEM setting. While the proposed framework conceptually solves the raised issues, we did not succeed in providing a strongly-secure, post-quantum instantiation of a split KEM yet. The intention of this paper hence is to raise further awareness of the challenges arising when moving to KEM-based key exchange protocols with contributiveness and key-reusability, and to enable others to start investigating potential solutions.

Category / Keywords: cryptographic protocols / key encapsulation mechanisms, key exchange, post-quantum, Diffie-Hellman

Date: received 25 Nov 2019, last revised 26 Nov 2019

Contact author: jacqueline brendel at cryptoplexity de


Version: 20191127:081325

Short URL: ia.cr/2019/1356
