#
Compiled Constructions towards Post-Quantum Group Key Exchange: A Design from `Kyber`

^{1}

^{2}

^{*}

## Abstract

**:**

`Kyber`suite of post-quantum tools in a (slightly modified) compiler from Abdalla et al. (TCC 2007). More precisely, taking as a starting point an IND-CPA encryption scheme from the

`Kyber`portfolio, we derive, using results from Hövelmanns et al. (PKC 2020), a two-party key exchange protocol and an IND-CCA encryption scheme and prove them fit as building blocks for our compiled construction. The resulting GAKE protocol is secure under the Module-LWE assumption, and furthermore achieves authentication without the use of (expensive) post-quantum signatures.

## 1. Introduction

**Related work.**Several group key exchange protocols which can be considered to resist quantum attacks have been proposed so far. Fujioka et al. [1] presented two one-round authenticated protocols, whose security is based on a certain algebraic-geometric problem related to the problem of finding a so-called isogeny mapping between two supersingular elliptic curves with the same number of points.

**Our contribution.**In this work, we take the so-called

`Kyber`family [7] of post-quantum cryptographic tools and use it as a base for a GAKE design. More precisely, our construction is a compiled system using Abdalla et al.’s [8] as design frame. From the results of Hövelmanns et al. [9], we assess that both a suitable commitment scheme and a secure two-party AKE can be obtained from the encryption scheme

`Kyber.CPA${}^{\prime}$`(this result was hinted, yet not explicitly proven by Hövelmanns et al. [9]). As far as we are aware, our instantiation is the first group authenticated key exchange protocol which provides post-quantum security guarantees based solely on the so-called Module-LWE assumption, doing without (often unaffordably expensive) post-quantum signatures.

**Our GAKE: overview.**The workflow of our construction is depicted in Figure 1. Our construction relies on Abdalla et al.’s compiler [8] that requires a two-party AKE and a commitment scheme and we need both building blocks to fulfill post-quantum security. To achieve post-quantum security, we apply the Kyber family and its derived tools (see green rectangle in Figure 1).

`Kyber`[7] is a KEM based on lattices whose security relies on Module-LWE assumption (Definition 1), claimed to be post-quantum secure. Our GAKE inherits the Module-LWE assumption. The two-party AKE and the commitment scheme are derived from the initial IND-CPA PKE in [7] named

`Kyber.CPA${}^{\prime}$`. The two-party AKE (named Kyber.2AKE) is the result of applying the transformation ${\mathrm{FO}}_{\mathrm{AKE}}$ [9] to

`Kyber.CPA${}^{\prime}$`. Finally, a commitment scheme can be achieved from any IND-CCA PKE, as pointed out in [8]. In our construction, we turn

`Kyber.CPA${}^{\prime}$`into a KEM applying the ${\mathrm{FO}}_{m}^{\overline{)\perp}}$ transformation [9] obtaining ${\mathrm{Kyber}}^{\overline{)\perp}}$, which is transformed into an IND-CCA PKE (Kyber.PKE) as a result of [10].

**Comparison with other schemes.**We present two tables that summarize some features of other GAKE schemes with quantum-resistance and compare them with our proposal.

**Paper Roadmap.**We start with a brief outline of the preliminaries in Section 2, where we introduce Abdalla et al.’s compiler from [8] and comment on the basics of post-quantum security. Further, we explain in Section 3 how to derive building blocks for our construction (AKE and a commitment scheme) from the

`Kyber`family. In particular, we use the results from [9] to prove that we can obtain both a suitable commitment scheme and a secure two-party AKE from the encryption scheme

`Kyber.CPA${}^{\prime}$`. Our compiled construction is then described and proven secure in Section 4, where we also make explicit the security model used. We conclude this contribution with a brief conclusion.

## 2. Preliminaries

#### 2.1. Abdalla et al.’s Compiler

- Each user ${U}_{i}\in \mathcal{G}$ owns a pair $(p{k}_{i},s{k}_{i})$ consisting of a public key $p{k}_{i}$ and a secret key $s{k}_{i}$, and all needed public keys may be distributed to all protocol participants during the initialization phase.
- Each pair of users ${U}_{i},{U}_{j}\in \mathcal{G}$, $i\ne j$, shares a high entropy symmetric key, or the complete set of participants $\mathcal{G}$ shares one common secret (different instances of a user may hold different long-term secrets).
- Each pair of users ${U}_{i},{U}_{j}\in \mathcal{G}$, $i\ne j$, shares a low entropy password. In this case, we assume a publicly available dictionary $\mathcal{D}\subseteq {\{0,1\}}^{*},$ from which passwords are chosen uniformly at random.

**A non-interactive non-malleable commitment scheme**$\mathtt{C}$ that is perfectly binding and achieves non-malleability for multiple commitments.**A collision-resistant pseudorandom function family**$\mathtt{F}={\left\{{F}^{\ell}\right\}}_{\ell \in \mathbb{N}}$ with ${F}^{\ell}={\left\{{F}_{\eta}^{\ell}\right\}}_{\eta \in {\{0,1\}}^{L}}$ to be indexed by a set ${\{0,1\}}^{L}$ of polynomial size, and two publicly known values ${v}_{0}$ and ${v}_{1}$ such that no ppt adversary can find two different indices $\lambda \ne \mu \in {\{0,1\}}^{L}$ such that ${F}_{\lambda}^{\ell}\left({v}_{j}\right)={F}_{\mu}^{\ell}\left({v}_{j}\right)$, $j=0,1$.**A hash function**$\mathtt{H}$ selected from a family of universal hash functions that maps the concatenation of bitstrings from ${\{0,1\}}^{k\phantom{\rule{0.166667em}{0ex}}n}$ and the set of participants $\mathcal{G}$ onto ${\{0,1\}}^{L}$, where n is the number of participants in $\mathcal{G}$ and $k\in \mathbb{N}$.

#### 2.2. Security in a Post-Quantum Setting

- Collision-freeness. In [12], it is proven that the best quantum algorithm for finding a collision for a random function $H:{\{0,1\}}^{n}\mapsto {\{0,1\}}^{n}$ (i.e., a pair of distinct $x,{x}^{\prime}\in {\{0,1\}}^{n}$ such that $H\left(x\right)=H\left({x}^{\prime}\right)$) is $\tilde{\mathcal{O}}\left({2}^{\frac{n}{5}}\right)$. (Notation $\tilde{O}$ “wipes out” logarithmic factors in $\mathcal{O}$, namely, $f\left(n\right)\in \tilde{\mathcal{O}}\left(h\left(n\right)\right)\iff \phantom{\rule{0.166667em}{0ex}}\exists k\in \mathbb{N}s.t.f\left(n\right)\in \mathcal{O}\left(h\left(n\right)lo{g}^{k}\left(h\left(n\right)\right)\right)$). The analogous classical bound is $\mathcal{O}\left({2}^{\frac{n}{2}}\right).$ While being suboptimal in number of queries, this algorithm is the most efficient in terms of time complexity with small quantum memory. Thus, in the sequel, we may assume that (even for a quantum adversary) finding a collision pair for a quantum-accessible random oracle can only be done with negligible probability (this is used in Section 4.3.1).
- Pseudorandomness. Following again Hövelmanns et al. [9], we use the argument of Zhandry (see [13]) stating that no quantum algorithm, making at most q quantum queries to a quantum random oracle $\widehat{H}$ implementing a random function $\mathcal{H}:{\{0,1\}}^{m}\mapsto {\{0,1\}}^{n}$, can distinguish between $\widehat{H}$ and a random polynomial of degree $2q$ defined over the field ${\mathbb{F}}_{{2}^{n}}.$ As a result, if the input to a quantum random oracle contains enough entropy, then the probability of distinguishing its output from a value chosen uniformly at random is negligible. In other words, when the input is unknown and chosen uniformly at random, the fact that the random oracle can be queried in superposition is of no help in distinguishing the oracle’s output from a randomly chosen element. This is used in the quantum random oracle proof from Section 4.3.

## 3. Post-Quantum Primitives: $\mathtt{2}\mathtt{AKE}$ and Commitment Scheme

`Kyber`’s public key encryption (PKE) scheme and state its security properties that are of importance to the construction of the primitives mentioned above.

`Kyber.CPA`${}^{\prime}$) of the CPA-secure PKE scheme introduced in [7] as part of

`Kyber`’s package submitted to NIST’s post-quantum standardization effort. We describe the ${\mathrm{FO}}_{\mathrm{AKE}}$ transformation which turns a secure PKE into a secure AKE. This subsection ends by proving that

`Kyber.CPA`${}^{\prime}$ is DS secure and, therefore, it is possible to construct an AKE secure in the QROM by applying the ${\mathrm{FO}}_{\mathrm{AKE}}$ to it.

`Kyber.CPA`${}^{\prime}$, the same primitive we use to construct the two-party AKE.

#### 3.1. Kyber’s IND-CPA PKE

`Kyber.CPA`introduced in [7] as part of the Cryptographic Suite for Algebraic Lattices (CRYSTALS), a package of cryptographic primitives submitted to NIST’s post-quantum standardization effort. In fact, what we really describe and work with is a slightly modified version, also proposed in [7], called

`Kyber.CPA${}^{\prime}$`.

`Kyber.CPA`${}^{\prime}$, as well as its CPA-security under the Module-LWE hardness assumption (Definition 1).

`Kyber.CPA`${}^{\prime}$ is based on the hardness of the Module-LWE problem, which generalizes the Learning with Errors (LWE) problem. Learning with errors (LWE) is the computational problem of inferring a linear n-ary function f over a finite ring from given (slightly incorrect) samples ${y}_{i}=f\left({\mathbf{x}}_{i}\right)$. Recall that Ring Learning with Errors (RLWE) is the variant of LWE specialized to polynomial rings over finite fields. Informally, Module-LWE can be seen as the result of replacing single ring elements in the RLWE problem with module elements over the same ring (thus, RLWE can be seen as Module-LWE with module rank 1).

**Definition**

**1**

`Kyber`’s PKE scheme

`Kyber.CPA${}^{\prime}$`= (

`KeyGen`,

`Enc`,

`Dec`) is parameterized by the positive integers $k,\phantom{\rule{0.166667em}{0ex}}{d}_{u}$, and ${d}_{v}$. The value of these parameters vary for different security levels. Moreover, $\mathcal{M}={\{0,1\}}^{n}$ is the message space and ciphertexts are of the form $(\mathbf{u},v)\in {\{0,1\}}^{n\phantom{\rule{0.166667em}{0ex}}k\phantom{\rule{0.166667em}{0ex}}{d}_{u}}\times {\{0,1\}}^{n\phantom{\rule{0.166667em}{0ex}}{d}_{v}}$. The definition of the key generation, encryption, and decryption of

`Kyber.CPA${}^{\prime}$`is given in Algorithms 1–3 as defined in [7]. Unlike

`Kyber.CPA${}^{\prime}$`, the unmodified PKE scheme

`Kyber.CPA`compresses $\mathbf{t}$ on Line 4 of Algorithm 1 and, therefore, must decompress $\mathbf{t}$ in Algorithm 2.

`Kyber.CPA${}^{\prime}$`was shown to be IND-CPA secure under the Module-LWE hardness assumption in [7]. This result is stated in the following theorem.

**Theorem**

**1**

`Kyber.CPA`${}^{\prime}$, let define the advantage

Algorithm 1:Kyber.CPA${}^{\prime}$.KeyGen() |

1
$\rho ,\sigma \stackrel{}{\leftarrow}{\{0,1\}}^{n}$ 2 $\mathbf{A}\sim {R}_{q}^{k\times k}:=\mathtt{Sam}\left(\rho \right)$ 3 $(\mathbf{s},\mathbf{e})\sim {\beta}_{\eta}^{k}\times {\beta}_{\eta}^{k}:=\mathtt{Sam}\left(\sigma \right)$ 4 $\mathbf{t}:=\mathbf{As}+\mathbf{e}$ 5 return $(pk:=(\mathbf{t},\rho ),sk:=\mathbf{s})$ |

Algorithm 2:Kyber.CPA${}^{\prime}$.Enc($pk=(\mathbf{t},\rho ),m\in \mathcal{M})$) |

1 $r\stackrel{}{\leftarrow}{\{0,1\}}^{n}$ 2 $\mathbf{A}\sim {R}_{q}^{k\times k}:=\mathtt{Sam}\left(\rho \right)$ 3 $(\mathbf{r},{\mathbf{e}}_{1},{e}_{2})\sim {\beta}_{\eta}^{k}\times {\beta}_{\eta}^{k}\times {\beta}_{\eta}$ 4 $\mathbf{u}:={\mathtt{Compress}}_{q}({\mathbf{A}}^{T}\mathbf{r}+{\mathbf{e}}_{1},{d}_{u})$ 5 $v:={\mathtt{Compress}}_{q}({\mathbf{t}}^{T}\mathbf{r}+{e}_{2}+\lceil \frac{q}{2}\rfloor \xb7m,{d}_{v})$ 6 return $c:=(\mathbf{u},v)$ |

Algorithm 3:Kyber.CPA${}^{\prime}$.Dec($sk=\mathbf{s},c=(\mathbf{u},v)$) |

1 $\mathbf{u}:={\mathtt{Decompress}}_{q}(\mathbf{u},{d}_{u})$ 2 $v:={\mathtt{Decompress}}_{q}(v,{d}_{v})$ 3 return ${\mathtt{Compress}}_{q}(v-{\mathbf{s}}^{T}\mathbf{u},1)$ |

#### 3.2. The ${\mathrm{FO}}_{\mathrm{AKE}}$ Transformation: From PKE to AKE

`Kyber.CPA${}^{\prime}$`scheme we have previously introduced. Another nice feature is that it avoids the use of (usually expensive) quantum-secure signature schemes. ${\mathrm{FO}}_{\mathrm{AKE}}$ can be seen as an extension of the Fujisaki–Okamoto transform (which turns IND-CPA encryption schemes into IND-CCA ones) for the AKE setting.

- The attacker knows either the long-term secret key or the secret state information (but not both) of both parties involved in the test session, as long as it did not modify the message received by the test session.
- If the attacker modified the message received by the test session, as long as it obtained neither the long-term secret key of the test session’s peer
**nor the test session’s state**.

**Definition**

**2**

**Theorem**

**2**

**Proof.**

`KeyGen`is substituted by a uniform random value. It follows from the Module-LWE security of $\mathtt{Kyber}.{\mathtt{CPA}}^{\prime}$ that the value $\mathbf{t}$ and the uniform random value are indistinguishable from each other. Next, the values ${\mathbf{A}}^{T}\mathbf{r}+{\mathbf{e}}_{1}$ and ${\mathbf{t}}^{T}\mathbf{r}+{e}_{2}+\lceil \frac{q}{2}\rfloor \xb7m$ used in the generation of the challenge ciphertext are simultaneously substituted with uniform random values. Again, it follows from the Module-LWE security of $\mathtt{Kyber}.{\mathtt{CPA}}^{\prime}$ that ${\mathbf{A}}^{T}\mathbf{r}+{\mathbf{e}}_{1}$ and ${\mathbf{t}}^{T}\mathbf{r}+{e}_{2}+\lceil \frac{q}{2}\rfloor \xb7m$ are indistinguishable from the random values. As in [7], we deduce that there exists an adversary $\mathcal{B}$ with the same running time as that of $\mathcal{A}$ such that ${\mathsf{Adv}}_{\mathtt{Kyber}.{\mathtt{CPA}}^{\prime}}^{\mathtt{DS}}\left(\mathcal{A}\right)\phantom{\rule{0.166667em}{0ex}}\le \phantom{\rule{0.166667em}{0ex}}2\phantom{\rule{0.166667em}{0ex}}{\mathsf{Adv}}_{k+1,k,\eta}^{\mathit{mlwe}}\left(\mathcal{B}\right)$.

`Kyber.2AKE`, is depicted in Figure 4. Here, and are random oracles and ${}_{R}^{\prime}$, ${}_{L1}^{\prime}$, ${}_{L2}^{\prime}$, and ${}_{L3}^{\prime}$ are internal random oracles that cannot be accessed directly and could be implemented with a pseudorandom function. Note that this is not the same two-party AKE proposed in [7]. For reference, we include the precise statement of Theorem 3 [9] in Appendix B.

#### 3.3. The Commitment Scheme

`Kyber.CPA`${}^{\prime}$, we apply the ${\mathrm{FO}}_{m}^{\overline{)\perp}}$ transformation. This is analogous to the ${\mathrm{FO}}_{\mathrm{AKE}}$ transformation that transforms a PKE scheme that is both IND-CPA and DS secure into a CCA-secure KEM. As shown in [9], unlike similar transformations, ${\mathrm{FO}}_{m}^{\overline{)\perp}}$ is robust against correctness errors and its security reduction is tighter than the one that results from applying other known transformations. In cases where the PKE is not already DS, this requirement can be waived with negligible loss of efficiency. In the case of

`Kyber.CPA`${}^{\prime}$, there is no loss of efficiency since it is IND-CPA secure and, as shown in Theorem 2, it is DS secure as well. The Algorithms 1, 4, and 5 show the KEM ${\mathtt{Kyber}}^{\overline{)\perp}}$ = (

`Kyber.CPA`${}^{\prime}$

`.KeyGen`,

`Encaps`,

`Decaps`) that results from applying the transformation ${\mathrm{FO}}_{m}^{\overline{)\perp}}$ to

`Kyber.CPA`${}^{\prime}$. Here, and are random oracles and ${}_{r}$ is an internal random oracle that cannot be accessed directly and could be implemented with a pseudorandom function. For reference, we include the precise statement of Theorem 2 [9] in Appendix C.

Algorithm 4:${\mathtt{Kyber}}^{\overline{)\perp}}.\mathtt{Encaps}$($pk$) |

1 $m\stackrel{\$}{\leftarrow}\mathcal{M}$ 2 $c:=\mathtt{Kyber}.{\mathtt{CPA}}^{\prime}.\mathtt{Enc}(pk,m;\left(m\right))$ 3 k := H(m)4 return $(\mathtt{k},c)$ |

Algorithm 5:${\mathtt{Kyber}}^{\overline{)\perp}}.\mathtt{Decaps}$($sk,c$) |

`Kyber.PKE`. The security of this transformation follows from Theorem 5 in [10]. As pointed out in [8], a commitment scheme with the required security properties can be obtained in a straightforward way from the IND-CCA PKE.

## 4. Our Post-Quantum Group Key Exchange

`GAKE`. Informally, let us recall the setting we are considering. Our participants are honest entities which can be modeled as probabilistic polynomial time Turing machines (thus, have no access to quantum computing resources). These participants can only exchange messages through an insecure network, which is fully under adversarial control (adversaries may insert, delay, suppress or forward messages at will). Moreover, the adversarial computing capabilities are superior to those of participants, as we assume adversaries can preform quantum polynomial time computations and have quantum access to any hash function (modeled as a random oracle) involved. With this in mind, the goal pursued by our protocol is to guarantee that, whenever a participant has computed a session key through the network, this key is indistinguishable from a random value for those outside the intended group of participants involved in that concrete execution. Note that (as is standard in GKE proposals) we cannot expect to prove that the protocol will always terminate when executed by honest parties, we rather pursue formal assurance that, whenever the protocol indeed produces an output key for a participant, this key is secure for subsequent use.

#### 4.1. Security Model

#### 4.1.1. Protocol Instances

- ${\mathsf{used}}_{i}^{{s}_{i}}$
- indicates whether this instance is or has been used for a protocol run. The ${\mathsf{used}}_{i}^{{s}_{i}}$ flag can only be set through a protocol message received by the instance due to a call to the $\mathsf{Execute}$- or to the $\mathsf{Send}$-oracle (see below).
- ${\mathsf{state}}_{i}^{{s}_{i}}$
- keeps the state information needed during the protocol execution as well as the long term keys needed for authentication.
- ${\mathsf{term}}_{i}^{{s}_{i}}$
- shows if the execution has terminated.
- ${\mathsf{sid}}_{i}^{{s}_{i}}$
- denotes a public session identifier that can serve as identifier for the session key ${\mathsf{sk}}_{i}^{{s}_{i}}.$ Note that, even though we do not construct session identifiers as session transcripts, the adversary is allowed to learn all session identifiers.
- ${\mathsf{pid}}_{i}^{{s}_{i}}$
- stores the set of identities of those users that ${\mathsf{\Pi}}_{i}^{{s}_{i}}$ aims at establishing a key with—including ${U}_{i}$ himself.
- ${\mathsf{acc}}_{i}^{{s}_{i}}$
- indicates if the protocol instance was successful, i. e., the user accepted the session key.
- ${\mathsf{sk}}_{i}^{{s}_{i}}$
- stores the session key once it is accepted by ${\mathsf{\Pi}}_{i}^{{s}_{i}}.$ Before acceptance, it stores a distinguished null value.

#### 4.1.2. Communication Network

#### 4.1.3. Adversarial Capabilities

- $\mathsf{Send}({U}_{i},{s}_{i},M)$ This sends message M to the instance ${\mathsf{\Pi}}_{i}^{{s}_{i}}$ and returns the reply generated by this instance. If $\mathcal{A}$ queries this oracle with an unused instance ${\mathsf{\Pi}}_{i}^{{s}_{i}}$ and $M\subseteq \mathcal{P}$ a set of identities of principals, the ${\mathsf{used}}_{i}^{{s}_{i}}$-flag is set, ${\mathsf{pid}}_{i}^{{s}_{i}}$ initialized with ${\mathsf{pid}}_{i}^{{s}_{i}}:=\left\{{U}_{i}\right\}\cup M$, and the initial protocol message of ${\mathsf{\Pi}}_{i}^{{s}_{i}}$ is returned.
- $\mathsf{Execute}\left(\{{\mathsf{\Pi}}_{{u}_{1}}^{{s}_{{u}_{1}}},\cdots ,{\mathsf{\Pi}}_{{u}_{\mu}}^{{s}_{{u}_{\mu}}}\}\right)$ This executes a complete protocol run among the specified unused instances of the respective users. The adversary obtains a transcript of all messages sent over the network. A query to the Executeoracle is supposed to reflect a passive eavesdropping.
- $\mathsf{Reveal}({U}_{i},{s}_{i})$ This yields the value stored in ${\mathsf{sk}}_{i}^{{s}_{i}}$.
- $\mathsf{Test}({U}_{i},{s}_{i})$ Let b be a bit chosen uniformly at random. Provided that the session key is defined (i. e., ${\mathsf{acc}}_{i}^{{s}_{i}}=\mathsf{true}$ and ${\mathsf{sk}}_{i}^{{s}_{i}}\ne \mathrm{null}$) and instance ${\mathsf{\Pi}}_{i}^{{s}_{i}}$ is fresh (see the definition of freshness below), $\mathcal{A}$ can execute this oracle query at any time when being activated. Then, the session key ${\mathsf{sk}}_{i}^{{s}_{i}}$ is returned if $b=0$ and a uniformly chosen random session key is returned if $b=1$. In this model, an arbitrary number of Testqueries is allowed for the adversary $\mathcal{A}$, but, once the $\mathsf{Test}$ oracle has returned a value for an instance ${\mathsf{\Pi}}_{i}^{{s}_{i}}$, it will return the same value for all instances partnered with ${\mathsf{\Pi}}_{i}^{{s}_{i}}$ (see the definition of partnering below).
- $\mathsf{Corrupt}\left({U}_{i}\right)$ This returns all long-term secrets of user ${U}_{i}$—in our case, the private keys used for authentication in $\mathtt{Kyber}.\mathtt{2}\mathtt{AKE}$.

#### 4.1.4. Correctness, Integrity and Secrecy

**Partnering.**We refer to instances ${\mathsf{\Pi}}_{i}^{{s}_{i}}$ and ${\mathsf{\Pi}}_{j}^{{s}_{j}}$ as being partnered if ${\mathsf{pid}}_{i}^{{s}_{i}}={\mathsf{pid}}_{j}^{{s}_{j}}$, ${\mathsf{sid}}_{i}^{{s}_{i}}={\mathsf{sid}}_{j}^{{s}_{j}}$, ${\mathsf{sk}}_{i}^{{s}_{i}}={\mathsf{sk}}_{j}^{{s}_{j}}$ and ${\mathsf{acc}}_{i}^{{s}_{i}}={\mathsf{acc}}_{j}^{{s}_{j}}=\mathsf{true}$.

**Definition**

**3.**

**Definition**

**4.**

**Definition**

**5.**

- For some ${U}_{j}\in {\mathsf{pid}}_{i}^{{s}_{i}}$, a query $\mathsf{Corrupt}\left({U}_{j}\right)$ was executed before a query of the form $\mathsf{Send}({U}_{k},{s}_{k},M)$ has taken place, for some message (or set of identities) M and some ${U}_{k}\in {\mathsf{pid}}_{i}^{{s}_{i}}$.
- The adversary earlier queried $\mathsf{Reveal}({U}_{j},{s}_{j})$ with ${\mathsf{\Pi}}_{i}^{{s}_{i}}$ and ${\mathsf{\Pi}}_{j}^{{s}_{j}}$ being partnered.

**Definition**

**6.**

#### 4.2. Our Construction

- We simplify the session key and session identifier computation using two hash functions to extract them from the shared master key K. Indeed, as the $\mathtt{2}\mathtt{AKE}$ we use as building block is proven secure in the (quantum) random oracle model, it no longer makes sense to use the (somewhat complicated) key extraction procedure defined in [8] to dodge idealized hash functions. Thus, we forgo Tools 1 and 2 mentioned in Section 2.1 and use two hash functions $\widehat{\mathtt{H}}$ and $\widehat{\mathtt{F}}$ instead. Thus, at the final
**Computation**phase, each user ${U}_{i}$ will set the session key as ${\mathtt{sk}}_{i}=\widehat{\mathtt{H}}\left(K\right)$ and the corresponding session identifier as ${\mathtt{sid}}_{i}=\widehat{\mathtt{F}}\left(K\right)$, where K is the master key shared by everyone involved in the execution. - Further, we make an additional requirement on the compiled $\mathtt{2}\mathtt{AKE}$, needed for the security proof. Indeed, as pointed out by Nam in [18], an extra condition on the two party protocol used as a base must be imposed in Theorem 1 of [8]. Indeed, the underlying $\mathtt{2}\mathtt{AKE}$ should fulfill integrity in order to thwart a simple replay attack (in the proof of Theorem 1 of [8], it is actually assumed that integrity is fulfilled—see the argument related to Game 1). We thus slightly tune up the two-party $\mathtt{2}\mathtt{AKE}$ to make sure integrity is achieved.

#### 4.3. Security Arguments and Proofs

- (i)
- (ii)
- The encryption scheme $\mathtt{Kyber}.\mathtt{PKE}$ yields a non-interactive commitment scheme that is both non-malleable for multiple commitments and perfectly binding. This comes straightforward as a result of this scheme being IND-CCA (see Section 3.3 and [15]).

#### 4.3.1. A Variant of $\mathtt{Kyber}.\mathtt{2}\mathtt{AKE}$ Attaining Integrity

#### 4.3.2. Security of Our Proposed Group Protocol

**Theorem**

**3.**

**Proof.**

**Correctness**. In an honest execution of the protocol, it is easy to verify that all participants in the protocol will terminate by accepting and computing the same session identifier and session key.

**Integrity**. Owing to the collision-resistance of the random oracle $\widehat{\mathtt{F}}$ all oracles that accept with identical session identifiers also hold with overwhelming probability the same master key K and $\mathsf{pid}$ (which can be read from K) will therefore also derive the same session key $\widehat{\mathtt{H}}\left(K\right).$

**Key secrecy**. The proof of key secrecy will proceed in a sequence of games, starting with the real attack against the key secrecy of the group key exchange protocol and ending in a game in which the adversary’s advantage is 0, and for which we can bound the difference in the adversary’s advantage between any two consecutive games. Following standard notation, we denote by $\mathsf{Adv}(\mathcal{A},{G}_{i})$ the advantage of the adversary $\mathcal{A}$ in Game i. Furthermore, for clarity, we classify the $\mathsf{Send}$ queries into three categories, depending on the stage of the protocol to which the query is associated, starting with $\mathsf{Send}-\mathsf{0}$ and ending with $\mathsf{Send}-\mathsf{2}$. $\mathsf{Send}-$t denotes the $\mathsf{Send}$ query associated with round t for $t=0,1,2$.

**Game**$\mathbf{0}$. This first game corresponds to a real attack, in which all the parameters, such as the public parameters in the common reference string and the long-term secrets associated with each user, are chosen as in the actual scheme. By definition, $\mathsf{Adv}(\mathcal{A},{G}_{0})=\mathsf{Adv}\left(\mathcal{A}\right).$

**Game**$\mathbf{1}$. In this game, for $i=1,\dots ,n$, we modify the simulation of the $\mathsf{Send}$ and $\mathsf{Execute}$ oracles so that, whenever an instance ${\mathsf{\Pi}}_{i}^{{s}_{i}}$ is still considered fresh at the end of Round 2, the keys ${\overleftarrow{K}}_{i}$ and ${\overrightarrow{K}}_{i}$ that it shares with instances ${\mathsf{\Pi}}_{i-1}^{{s}_{i-1}}$ and ${\mathsf{\Pi}}_{i+1}^{{s}_{i+1}}$ are replaced with random values from the appropriate set.

**Game**$\mathbf{2}$. In this game, we change the simulation of the $\mathsf{Send}$ oracle so that a fresh instance ${\mathsf{\Pi}}_{i}^{{s}_{i}}$ does not accept in Round 4 whenever one commitment ${C}_{j}$ for $j\ne i$ it receives in Round 3 was generated by the simulator but not generated by the respective instance ${\mathsf{\Pi}}_{j}^{{s}_{j}}$, $j\ne i$ in the same session.

**Game**$\mathbf{3}$. This game reproduces the modification also for adversary-generated commitments: The simulation of the $\mathsf{Send}$ oracle changes so that a fresh instance ${\mathsf{\Pi}}_{i}^{{s}_{i}}$ does not accept in Round 4 whenever one commitment ${C}_{j}$ for $j\ne i$ it receives in Round 3 was adversary-generated. The adversary’s advantage diverges only negligibly from the previous game:

**Game**$\mathbf{4}$. Now, the simulations of the Execute and Send oracles are modified at the point of computing the session key. The simulator keeps a list of strings $({K}_{1},\cdots ,{K}_{n},\mathcal{G})$. Once an instance receives the last $\mathsf{Send}-\mathsf{2}$ query, the simulator computes ${K}_{1},\cdots ,{K}_{n}$ and checks if for the corresponding string $({K}_{1},\cdots ,{K}_{n},\mathcal{G})$ a master key was already issued. If this is the case, it assigns the corresponding master key to the instance. If no such entry exists in the list, the simulator chooses a session key ${\mathsf{sk}}_{i}^{{s}_{i}}\in {\{0,1\}}^{\ell}$ uniformly at random. Note that, even if the messages from Round 4 are sent out, the master key is still containing sufficient entropy so that the random oracle output $\widehat{\mathtt{H}}$ is indistinguishable from a random ${\mathsf{sk}}_{i}^{{s}_{i}}$ with negligible probability only. As a result,

**Theorem**

**4.**

**Proof.**

## 5. Conclusions

`Kyber`suite [7] as main building block, not only because it is a good design fit for our compiled strategy, but also considering its promising security properties (as

`Kyber`is one of the four remaining finalists for public key encryption in the Third Round of the NIST competition). More precisely, we evidence that a secure

`2AKE`as needed for our compiled construction can be derived using the ${\mathrm{FO}}_{\mathrm{AKE}}$ transformation proposed in [9], by proving the encryption scheme $\mathtt{Kyber}.{\mathtt{CPA}}^{\prime}$ to be DS secure.

## Author Contributions

## Funding

## Conflicts of Interest

## Appendix A. Non-Perfect Correctness of `Kyber.CPA`′

**Theorem**

**A1.**

- Choose uniformly-random $\mathbf{y}\leftarrow {R}^{k}$
**return**$(y-{\mathsf{Descompress}}_{q}({\mathsf{Compress}}_{q}(\mathbf{y},d),d))\phantom{\rule{4pt}{0ex}}{\mathrm{mod}}^{\pm}\phantom{\rule{4pt}{0ex}}q$

## Appendix B. Transformation from IND-CPA PKE to Secure 2AKE

**Theorem**

**A2**

`PKE`=(

`KG`,

`Enc`,

`Dec`) to be $(1-\delta )$-correct, and to come with a sampling algorithm $\overline{\mathsf{Enc}}$ such that it is ε-disjoint. Let N be the number of parties, and suppose that any attacker is granted access to an oracle REVEAL which reveals the respective session’s key (if already defined). Then, for any IND-StAA adversary $\mathcal{B}$ that establishes S sessions and issues at most ${q}_{R}$ (classical) queries to REVEAL, at most ${q}_{G}$ (quantum) queries to random oracle G, and at most ${q}_{H}$ (quantum) queries to random oracle H, there exist adversaries ${\mathcal{A}}_{\mathsf{DS}}$ and ${\mathcal{A}}_{\mathsf{CPA}}$ against

`PKE`such that

## Appendix C. Transformation from IND-CPA PKE to IND-CCA KEM

**Theorem**

**A3**

`PKE`=(

`KG`,

`Enc`,

`Dec`) to be $(1-\delta )$-correct, and to come with a sampling algorithm $\overline{\mathsf{Enc}}$ such that it is ${\epsilon}_{\mathit{dis}}$-disjoint. Suppose that any attacker is granted access to an oracle DECAPS. Then, for any (quantum) IND-CCA adversary $\mathcal{A}$ issuing at most ${q}_{D}$ (classical) queries to decapsulation oracle DECAPS, at most ${q}_{G}$ quantum queries to random oracle G, and at most ${q}_{H}$ quantum queries to random oracle H, there exist (quantum) adversaries ${\mathcal{B}}_{\mathsf{DS}}$ and ${\mathcal{A}}_{\mathsf{CCA}}$ against

`PKE`such that

## References

- Fujioka, A.; Takashima, K.; Yoneyama, K. One-Round Authenticated Group Key Exchange from Isogenies. ProvSec. Lect. Notes Comput. Sci.
**2019**, 11821, 330–338. [Google Scholar] - Apon, D.; Dachman-Soled, D.; Gong, H.; Katz, J. Constant-Round Group Key Exchange from the Ring-LWE Assumption. PQCrypto. Lect. Notes Comput. Sci.
**2019**, 11505, 189–205. [Google Scholar] - Katz, J.; Yung, M. Scalable Protocols for Authenticated Group Key Exchange. In Advances in Cryptology— CRYPTO 2003, 23rd Annual International Cryptology Conference, Santa Barbara, CA, USA, 17–21 August 2003, Proceedings; Boneh, D., Ed.; Springer: Berlin/Heidelberg, Germany, 2003; Volume 2729, pp. 110–125. [Google Scholar] [CrossRef] [Green Version]
- Choi, R.; Hong, D.; Kim, K. Constant-round Dynamic Group Key Exchange from RLWE Assumption. IACR Cryptol. ePrint Arch.
**2020**, 2020, 35. [Google Scholar] - Persichetti, E.; Steinwandt, R.; Corona, A.S. From Key Encapsulation to Authenticated Group Key Establishment—A Compiler for Post-Quantum Primitives †. Entropy
**2019**, 21, 1183. [Google Scholar] [CrossRef] [Green Version] - González Vasco, M.; Pérez del Pozo, A.; Steinwandt, R. Group Key Establishment in a Quantum-Future Scenario. Informatica
**2020**, 1–18. [Google Scholar] [CrossRef] - Bos, J.W.; Ducas, L.; Kiltz, E.; Lepoint, T.; Lyubashevsky, V.; Schanck, J.M.; Schwabe, P.; Seiler, G.; Stehlé, D. CRYSTALS—Kyber: A CCA-Secure Module-Lattice-Based KEM. In Proceedings of the 2018 IEEE European Symposium on Security and Privacy (EuroS&P), London, UK, 24–26 April 2018; pp. 353–367. [Google Scholar]
- Abdalla, M.; Bohli, J.; Vasco, M.I.G.; Steinwandt, R. (Password) Authenticated Key Establishment: From 2-Party to Group. TCC. Lect. Notes Comput. Sci.
**2007**, 4392, 499–514. [Google Scholar] - Hövelmanns, K.; Kiltz, E.; Schäge, S.; Unruh, D. Generic Authenticated Key Exchange in the Quantum Random Oracle Model. In Public-Key Cryptography—PKC 2020; Kiayias, A., Kohlweiss, M., Wallden, P., Zikas, V., Eds.; Springer International Publishing: Cham, Switzerland, 2020; pp. 389–422. [Google Scholar]
- Cramer, R.; Shoup, V. Design and Analysis of Practical Public-Key Encryption Schemes Secure against Adaptive Chosen Ciphertext Attack. SIAM J. Comput.
**2003**, 33, 167–226. [Google Scholar] [CrossRef] - David Jao, E.A. Supersingular Lsogeny Key Encapsulation. Submission to NIST Post-Quantum Project. 2017. Available online: https://sike.org/#nist-submission (accessed on 16 October 2020).
- Chailloux, A.; Naya-Plasencia, M.; Schrottenloher, A. An Efficient Quantum Collision Search Algorithm and Implications on Symmetric Cryptography. In Advances in Cryptology—ASIACRYPT 2017—23rd International Conference on the Theory and Applications of Cryptology and Information Security, Hong Kong, China, 3–7 December 2017; Takagi, T., Peyrin, T., Eds.; Springer: Berlin/Heidelberg, Germany, 2017; Volume 10625, pp. 211–240. [Google Scholar] [CrossRef]
- Zhandry, M. Secure Identity-Based Encryption in the Quantum Random Oracle Model. In Advances in Cryptology—CRYPTO 2012—32nd Annual Cryptology Conference, Santa Barbara, CA, USA, 19–23 August 2012; Safavi-Naini, R., Canetti, R., Eds.; Springer: Berlin/Heidelberg, Germany, 2012; Volume 7417, pp. 758–775. [Google Scholar] [CrossRef] [Green Version]
- Boneh, D.; Dagdelen, Ö.; Fischlin, M.; Lehmann, A.; Schaffner, C.; Zhandry, M. Random Oracles in a Quantum World. In Advances in Cryptology—ASIACRYPT 2011—17th International Conference on the Theory and Application of Cryptology and Information Security, Seoul, Korea, 4–8 December 2011; Lee, D.H., Wang, X., Eds.; Springer: Berlin/Heidelberg, Germany, 2011; Volume 7073, pp. 41–69. [Google Scholar] [CrossRef] [Green Version]
- Hövelmanns, K.; Kiltz, E.; Schäge, S.; Unruh, D. Generic Authenticated Key Exchange in the Quantum Random Oracle Model. IACR Cryptol. ePrint Arch.
**2018**, 2018, 928. [Google Scholar] - Bellare, M.; Pointcheval, D.; Rogaway, P. Authenticated Key Exchange Secure against Dictionary Attacks. In Advances in Cryptology—EUROCRYPT 2000, International Conference on the Theory and Application of Cryptographic Techniques, Bruges, Belgium, 14–18 May 2000; Preneel, B., Ed.; Springer: Berlin/Heidelberg, Germany, 2000; Volume 1807, pp. 139–155. [Google Scholar] [CrossRef] [Green Version]
- Bohli, J.; Vasco, M.I.G.; Steinwandt, R. Secure group key establishment revisited. Int. J. Inf. Sec.
**2007**, 6, 243–254. [Google Scholar] [CrossRef] - Nam, J.; Paik, J.; Won, D. A security weakness in Abdalla et al.’s generic construction of a group key exchange protocol. Inf. Sci.
**2011**, 181, 234–238. [Google Scholar] [CrossRef] - Hofheinz, D.; Hövelmanns, K.; Kiltz, E. A Modular Analysis of the Fujisaki-Okamoto Transformation. TCC (1). Lect. Notes Comput. Sci.
**2017**, 10677, 341–371. [Google Scholar]

Protocol | # Rounds | Avoids PQ-Sign. | # Broadcast Messages | # PtP Messages |
---|---|---|---|---|

n-UM [1] | 1 | Yes | n | 0 |

BC n-DH [1] | 1 | Yes | n | 0 |

Apon et al. [2] | 3 | Yes (but is unauth.) | $2n+1$ | 0 |

STAG [4] | 3 | No | $2n+1$ | 0 |

Pers. et al. [5] | 3 | No | n | $2n$ |

Gonz. et al. [6] | 2 | Yes | n | ${n}^{2}-n$ |

This work | 4 | Yes | $2n$ | $2n$ |

Protocol | Assumption Type | Model | FutQ/PostQ | Authent. |
---|---|---|---|---|

n-UM [1] | Isogeny | QROM | PostQ | Yes |

BC n-DH [1] | Isogeny | ROM | PostQ | Yes |

Apon et al. [2] | Lattice | ROM | PostQ | No |

STAG [4] | Lattice | ROM | PostQ | Yes |

Pers. et al. [5] | Compiler | No RO added | PostQ | Yes |

Gonz. et al. [6] | Compiler | No RO added | FutQ | Yes |

This work | Lattice | QROM | PostQ | Yes |

Notation | Representation |
---|---|

Bold lower-case | Vectors with coefficients in R or ${R}_{q}$. All vector will be column vectors by default. |

Regular font letter | Elements in R or ${R}_{q}$. |

Bold upper-case | Matrices. |

$s\leftarrow S$ | If S is a set, s is chosen uniformly at random from S. If S is a distribution, s is chosen according to such distribution S. |

$y\sim S:=\mathtt{Sam}\left(x\right)$ where Sam is an eXtendable Output Function (XOF) | Value y that is distributed according to distribution S (or uniformly over a set S). This is a deterministic procedure. |

$v\leftarrow {\beta}_{\eta}$, $\mathbf{v}\leftarrow {\beta}_{\eta}^{k}$ | $v\in R$ is generated from a distribution where each of its coefficients are generated from ${B}_{\eta}$. A k-dimensional vector of polynomials $\mathbf{v}\in {R}^{k}$ can be generated according to the distribution ${\beta}_{\eta}^{k}$. |

$\lceil \xb7\rfloor $ | $\lceil \xb7\rfloor $ is the rounding function i.e., $\lceil x\rfloor =\u230ax+{\displaystyle \frac{1}{2}}\u230b$ where $x\in \mathbb{Q}$ and $\lfloor \xb7\rfloor $ is the floor function. |

${r}^{\prime}=r\phantom{\rule{4pt}{0ex}}{\mathrm{mod}}^{\pm}\phantom{\rule{4pt}{0ex}}\alpha $ | For an even (respectively, odd) integer $\alpha $, ${r}^{\prime}=r\phantom{\rule{4pt}{0ex}}{\mathrm{mod}}^{\pm}\phantom{\rule{4pt}{0ex}}\alpha $ is the unique element ${r}^{\prime}$ in the range $-\frac{\alpha}{2}<r\le \frac{\alpha}{2}$ (respectively, $-\frac{\alpha -1}{2}<r\le \frac{\alpha +1}{2}$) such that ${r}^{\prime}=r\phantom{\rule{3.33333pt}{0ex}}mod\phantom{\rule{0.277778em}{0ex}}\alpha $. |

Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations. |

© 2020 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Escribano Pablos, J.I.; González Vasco, M.I.; Marriaga, M.E.; Pérez del Pozo, Á.L.
Compiled Constructions towards Post-Quantum Group Key Exchange: A Design from `Kyber`. *Mathematics* **2020**, *8*, 1853.
https://doi.org/10.3390/math8101853

**AMA Style**

Escribano Pablos JI, González Vasco MI, Marriaga ME, Pérez del Pozo ÁL.
Compiled Constructions towards Post-Quantum Group Key Exchange: A Design from `Kyber`. *Mathematics*. 2020; 8(10):1853.
https://doi.org/10.3390/math8101853

**Chicago/Turabian Style**

Escribano Pablos, José Ignacio, María Isabel González Vasco, Misael Enrique Marriaga, and Ángel Luis Pérez del Pozo.
2020. "Compiled Constructions towards Post-Quantum Group Key Exchange: A Design from `Kyber`" *Mathematics* 8, no. 10: 1853.
https://doi.org/10.3390/math8101853