Paper 2025/1049

XHMQV: Better Efficiency and Stronger Security for Signal’s Initial Handshake based on HMQV

Rune Fiedler, Technische Universität Darmstadt
Felix Günther, IBM Research Europe – Zurich
Jiaxin Pan, University of Kassel
Runzhi Zeng, University of Kassel
Abstract

The Signal protocol is the most widely deployed end-to-end-encrypted messaging protocol. Its initial handshake protocol X3DH allows parties to asynchronously derive a shared session key without the need to be online simultaneously, while providing implicit authentication, forward secrecy, and a form of offline deniability. The X3DH protocol has been extensively studied in the cryptographic literature and is acclaimed for its strong "maximum-exposure" security guarantees, hedging not only against compromises of users' long-term keys and medium-term keys but also against compromise of the ephemeral randomness used in the handshake. This maximum-exposure security is achieved by deriving keys from the concatenation of 3–4 Diffie–Hellman (DH) secrets, each combining two long-term, medium-term, or ephemeral DH shares. Remarkably, X3DH's approach of concatenating plain DH combinations is sub-optimal, both in terms of maximum-exposure security and performance. Indeed, Krawczyk's well-known HMQV protocol (Crypto '05) is a high-performance, DH-based key exchange that provides strong security against long-term and ephemeral key compromise. One might hence wonder: why not base Signal's initial handshake on HMQV? In this work, we study this question and show that a carefully adapted variant of HMQV, which we call XHMQV, indeed enables stronger security and efficiency while matching the constraints of Signal's initial handshake. Most notably, HMQV does not work as a drop-in replacement for X3DH, as the latter's asynchronicity requires the protocol to handle cases where one party runs out of ephemeral keys (pre-uploaded to the Signal server). Our XHMQV design hence augments HMQV with medium-term keys analogous to those used in X3DH. We prove that XHMQV provides security in all 3–4 compromise scenarios where X3DH does and additionally in 1–2 further scenarios, strengthening the handshake's maximum-exposure guarantees while using more efficient group operations. We further confirm that our XHMQV design achieves deniability guarantees comparable to X3DH. Our security model is the first to capture Signal's long-term key reuse between DH key exchange and signatures, which may be of independent interest.
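To make the "maximum-exposure" comparison concrete, the following added example (ours, not code from the paper) enumerates the maximal compromise scenarios that a concatenated-DH handshake in the style of X3DH and a combined-exponent handshake in the style of HMQV survive. The share names follow Signal's public X3DH specification; the exposure rules are our modelling assumptions, and the example says nothing about the paper's own XHMQV construction.

```python
"""Added example (not from the paper): which maximal compromise scenarios
does a handshake survive?

Modelling assumptions (ours):
  * X3DH-style: key = KDF(DH_1 || ... || DH_n). A term g^{ab} is exposed
    iff the adversary knows a or b; the key stays secret iff at least
    one term is unexposed.
  * HMQV-style: sigma = (Y * B^e)^(x + d*a). The adversary can compute
    sigma iff it knows both exponents (long-term and ephemeral) of at
    least one party.
"""
from itertools import combinations

# X3DH with a one-time pre-key: four DH terms over five shares.
X3DH_TERMS = [("IK_A", "SPK_B"), ("EK_A", "IK_B"),
              ("EK_A", "SPK_B"), ("EK_A", "OPK_B")]
X3DH_SHARES = {s for term in X3DH_TERMS for s in term}

# HMQV: each party holds a long-term and an ephemeral exponent.
HMQV_PARTIES = {"A": ("a", "x"), "B": ("b", "y")}
HMQV_SHARES = {e for exps in HMQV_PARTIES.values() for e in exps}


def x3dh_secure(fresh, terms=X3DH_TERMS):
    """Key stays secret iff some DH term has both shares uncompromised."""
    return any(s1 in fresh and s2 in fresh for s1, s2 in terms)


def hmqv_secure(fresh):
    """sigma stays secret iff no party has both of its exponents exposed."""
    return all(any(e in fresh for e in exps) for exps in HMQV_PARTIES.values())


def minimal_fresh_sets(shares, secure):
    """Minimal sets of uncompromised shares that keep the key secret.

    Each set is one maximal compromise scenario the handshake survives:
    everything outside the set may be leaked to the adversary."""
    found = []
    for k in range(1, len(shares) + 1):
        for cand in combinations(sorted(shares), k):
            s = frozenset(cand)
            if secure(s) and not any(m < s for m in found):
                found.append(s)
    return found


if __name__ == "__main__":
    for name, shares, rule in [("X3DH (4 DH)", X3DH_SHARES, x3dh_secure),
                               ("HMQV", HMQV_SHARES, hmqv_secure)]:
        print(name, [sorted(s) for s in minimal_fresh_sets(shares, rule)])
```

Dropping the `OPK_B` term (the 3-DH case when one-time pre-keys have run out) reduces X3DH to three surviving scenarios, matching the 3–4 count in the abstract; note that no X3DH term pairs the two long-term keys, so a scenario leaving only `IK_A` and `IK_B` fresh is not covered.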

Metadata

Available format(s): PDF
Category: Cryptographic protocols
Publication info: A major revision of an IACR publication in CRYPTO 2025
Keywords: Signal, key exchange, key reuse, X3DH, XHMQV
Contact author(s): rune fiedler @ cryptoplexity de; mail @ felixguenther info; jiaxin pan @ uni-kassel de; runzhi zeng @ uni-kassel de
History: 2025-06-10: revised; 2025-06-05: received
Short URL: https://ia.cr/2025/1049
License: Creative Commons Attribution (CC BY)

BibTeX

@misc{cryptoeprint:2025/1049,
      author = {Rune Fiedler and Felix Günther and Jiaxin Pan and Runzhi Zeng},
      title = {{XHMQV}: Better Efficiency and Stronger Security for Signal’s Initial Handshake based on {HMQV}},
      howpublished = {Cryptology {ePrint} Archive, Paper 2025/1049},
      year = {2025},
      url = {https://eprint.iacr.org/2025/1049}
}