Towards post-quantum security for Signal's X3DH handshake

Communication flow for a split KEM

Abstract

Modern key exchange protocols are usually based on the Diffie–Hellman (DH) primitive. The beauty of this primitive, among other things, is its potential reusage of key shares: DH shares can be either used once as an ephemeral key or used in multiple runs as a (semi-)static key. Since DH-based protocols are insecure against quantum adversaries, alternative solutions have to be found when moving to the post-quantum setting. However, most post-quantum candidates, including schemes based on lattices and even supersingular isogeny DH, are not known to be secure under key reuse. In particular, this means that they cannot be necessarily deployed as an immediate DH substitute in protocols.

In this paper, we introduce the notion of a split key encapsulation mechanism (split KEM) to translate the desired properties of a DH-based protocol, namely contributiveness and key-reusability, to a KEM-based protocol flow. We provide the relevant security notions of split KEMs and show that the formalism lends itself to lift Signal's X3DH to the post-quantum KEM setting. While the proposed framework conceptually solves the raised issues, we did not succeed in providing a strongly-secure, post- quantum instantiation of a split KEM yet. The intention of this paper hence is to raise further awareness of the challenges arising when moving to KEM-based key exchange protocols with contributiveness and key-resusability, and to enable others to start investigating potential solutions.

Keywords: key encapsulation mechanisms, key exchange, post-quantum, Diffie–Hellman

Reference

Jacqueline Brendel, Marc Fischlin, Felix Günther, Christian Janson, Douglas Stebila. Towards post-quantum security for Signal's X3DH handshake. In Michael J. Jacobson Jr., Orr Dunkelman, Colin O’Flynn, editors, Selected Areas in Cryptography (SAC) 2020, LNCS, vol. 12804, pp. 404–430. Springer, October 2020. © Springer.

Download

BibTeX

Funding

This research was supported by:
  • Natural Sciences and Engineering Research Council of Canada (NSERC) Discovery grant RGPIN-2016-05146
  • NSERC Discovery Accelerator Supplement grant RGPIN-2016-05146
  • German Research Foundation (DFG) as part of project S4 within the CRC 1119 CROSSING
  • German Research Foundation (DFG) as part of project P2 within the CRC 1119 CROSSING
  • German Research Foundation (DFG) as part of project D.2 within the RTG 2050 "Privacy and Trust for Mobile Users"
  • German Research Foundation (DFG) Research Fellowship grant GU 1859/1-1
  • National Science Foundation (NSF) grants CNS-1526801 and CNS-1717640