# Compiled Constructions towards Post-Quantum Group Key Exchange: A Design from `Kyber`


MACIMTE, U. Rey Juan Carlos, 28933 Móstoles, Spain

BBVA Next Technologies, 28050 Madrid, Spain

Author to whom correspondence should be addressed.

Received: 15 September 2020 / Revised: 9 October 2020 / Accepted: 13 October 2020 / Published: 21 October 2020

(This article belongs to the Special Issue Mathematics Cryptography and Information Security)

A group authenticated key exchange (GAKE) protocol allows a set of parties belonging to a certain designated group to agree upon a common secret key through an insecure communication network. In the last few years, many new cryptographic tools have been specifically designed to thwart attacks from adversaries which may have access to (different kinds of) quantum computation resources. However, few constructions for group key exchange have been put forward. Here, we propose a four-round GAKE which can be proven secure under widely accepted assumptions in the Quantum Random Oracle Model. Specifically, we integrate several primitives from the so-called Kyber suite of post-quantum tools in a (slightly modified) compiler from Abdalla et al. (TCC 2007). More precisely, taking as a starting point an IND-CPA encryption scheme from the Kyber portfolio, we derive, using results from Hövelmanns et al. (PKC 2020), a two-party key exchange protocol and an IND-CCA encryption scheme and prove them fit as building blocks for our compiled construction. The resulting GAKE protocol is secure under the Module-LWE assumption, and furthermore achieves authentication without the use of (expensive) post-quantum signatures.

The search for cryptographic primitives that will remain secure once quantum computing is a reality has been ongoing for over twenty years. Noticeably, in the last few years this search has gained greater attention from academia and industry, especially since the US National Institute of Standards and Technology (NIST) launched a competition towards standardizing quantum-resistant (also called post-quantum) public-key cryptographic algorithms in 2017. While this competition is focused on constructions for public key encryption, two-party key establishment and digital signatures, research towards different post-quantum primitives has also been spurred as a side effect.

Group key establishment protocols (GKE) are fundamental cryptographic constructions. Indeed, for many real life applications of information technologies, the crucial starting point is establishing a “secure session”, i.e., setting confidential communication channels among users. GKE protocols allow a group of $n \ge 2$ users, interacting through an insecure communication network, to establish a common high entropy secret that can be used to secure their subsequent communication. Typically, once this secret has been agreed upon, tools from symmetric cryptography can be used to attain confidentiality, and thus the communication network is understood as secure for confidential transmissions within the group of honest users. Using a GKE in this setting clearly outperforms the use of two-party solutions, as establishing different session keys for every pair of participants (e.g., using a two-party key exchange) would force each participant to store a large number of keys. Moreover, every message intended for the whole group would have to be encrypted multiple times ($n-1$) with different keys, while a GKE can be used in a broadcast fashion (as messages are processed the same way for each group member). There might, however, be no way of assessing the origin and integrity of messages. In this case, when authenticated channels are not available, protocols pursuing this goal—GAKE protocols—become considerably more involved and often need to rely on an external public key infrastructure to be able to authenticate legitimate group members, frequently adding a significant cost to the constructions.

Other protocols use lattice problems as a base. For instance, Apon et al. [2] constructed a three-round unauthenticated protocol proven secure under the so-called ring learning with errors (RLWE) assumption. This scheme may be transformed into an authenticated one by using the Katz and Yung compiler [3]. However, the resulting protocol has one additional round of communication and each message that is sent must be signed, adding a significant computation and communication overhead if a post-quantum signature scheme is employed. Using the same problem as a base, Choi et al. [4] built on [3] and proposed three group protocols: the first is unauthenticated, the second adds authentication, and the third is, in addition, dynamic. The second one, STAG, is a three-round authenticated protocol in which each user computes two signatures.

Finally, we have compilers which produce a quantum-resistant group authenticated key exchange (GAKE) from simpler post-quantum primitives. Persichetti et al. [5] presented a three-round protocol constructed from a key encapsulation mechanism (KEM) and a signature scheme; each user needs to compute only one signature. González Vasco et al. [6] introduced a two-round password GAKE protocol derived from a KEM and a message authentication code (MAC). However, in this construction, security holds in the so-called future-quantum scenario, where the adversary is assumed to have access to quantum computation only after the protocol execution is completed.

Table 1 summarizes some parameters related to the performance of the schemes. The number of communication rounds is one of the most important parameters when dealing with GAKE protocols. In addition, for each scheme, we point out whether the use of post-quantum signatures is avoided, which is a desirable feature, as such signatures are usually expensive in terms of both computation and size. Note that the scheme in [2] does not use post-quantum signatures but is unauthenticated. Finally, we include the total number of messages sent throughout an execution involving $n$ parties, pointing out whether messages are broadcast or just sent point-to-point (PtP) (i.e., from one party to another).

Table 2 is focused on security issues. In the first column, we include the type of assumption (isogeny/lattice) the security of the scheme is based on. In the second column, we state in which of the idealized models the security claim and corresponding proof hold: either in the Random Oracle Model (ROM) or the Quantum Random Oracle Model (QROM). The latter is stronger than the former because, as discussed in Section 2, it assumes a more powerful adversary. Next, it is specified if quantum resistant features hold in a future quantum (FutQ) or post-quantum (PostQ) scenario. The latter, where it is assumed that the adversary has access to quantum computation during protocol executions, is preferable to the former, where key secrecy is only guaranteed against adversaries that cannot make quantum computations during protocol executions but have access to this option at some point in the future. Finally, we indicate if the key exchange is authenticated. Note that the compilers [5,6] have a special treatment, as the assumption type and the model depend on the underlying post-quantum tools used to implement them.

Seeing the two comparison tables, it seems clear that the only scheme outperforming our construction is n-UM [1], which is based on the isogeny paradigm. However, it is fair to say that lattice-based constructions such as ours seem somewhat more promising in this field, considering the recent outcome of the Third Round of the NIST competition for standardizing post-quantum tools. While several lattice-based constructions made it to this last round, no isogeny-based scheme is in the final (and only one proposal, SIKE [11], is considered as alternative for replacing finalists that may be discarded in the last phase).

Here, we describe a compiler constructed by Abdalla et al. in [8], which enables the derivation of a group authenticated key establishment protocol $\mathtt{GAKE}$ from an arbitrary two-party key establishment $\mathtt{2}\mathtt{AKE}$. The compiler does not rely on further authentication techniques than those used in $\mathtt{2}\mathtt{AKE}$, nor on further idealization assumptions. Moreover, if $\mathtt{2}\mathtt{AKE}$ requires r rounds of communication, then $\mathtt{GAKE}$ requires $r+2$ rounds.

Let $\mathcal{P}$ be the set of users that can participate in the protocol $\mathtt{GAKE}$. This set $\mathcal{P}$ is assumed to be of polynomial size. The set $\mathcal{G}=\{{U}_{0},\phantom{\rule{0.166667em}{0ex}}{U}_{1},\cdots ,{U}_{n-1}\}\subset \mathcal{P}$ denotes the set of $n>2$ participants that wish to establish a common session key. Each protocol participant ${U}_{i}\in \mathcal{G}$, $i=0,\dots ,n-1$, may be involved in distinct, possibly parallel, executions of $\mathtt{GAKE}$.

Since $\mathtt{2}\mathtt{AKE}$ is an authenticated key establishment protocol, it is assumed that long-term secrets required for $\mathtt{2}\mathtt{AKE}$ have been established during a trusted authentication phase. One of the following three cases is assumed:

- Each user ${U}_{i}\in \mathcal{G}$ owns a pair $(p{k}_{i},s{k}_{i})$ consisting of a public key $p{k}_{i}$ and a secret key $s{k}_{i}$, and all needed public keys may be distributed to all protocol participants during the initialization phase.
- Each pair of users ${U}_{i},{U}_{j}\in \mathcal{G}$, $i\ne j$, shares a high entropy symmetric key, or the complete set of participants $\mathcal{G}$ shares one common secret (different instances of a user may hold different long-term secrets).
- Each pair of users ${U}_{i},{U}_{j}\in \mathcal{G}$, $i\ne j$, shares a low entropy password. In this case, we assume a publicly available dictionary $\mathcal{D}\subseteq {\{0,1\}}^{*},$ from which passwords are chosen uniformly at random.

The compiler uses the following cryptographic tools:

- **A non-interactive non-malleable commitment scheme** $\mathtt{C}$ that is perfectly binding and achieves non-malleability for multiple commitments.
- **A collision-resistant pseudorandom function family** $\mathtt{F}=\{F^{\ell}\}_{\ell\in\mathbb{N}}$ with $F^{\ell}=\{F^{\ell}_{\eta}\}_{\eta\in\{0,1\}^{L}}$ indexed by a set $\{0,1\}^{L}$ of polynomial size, and two publicly known values $v_0$ and $v_1$ such that no ppt adversary can find two different indices $\lambda\ne\mu\in\{0,1\}^{L}$ such that $F^{\ell}_{\lambda}(v_j)=F^{\ell}_{\mu}(v_j)$, $j=0,1$.
- **A hash function** $\mathtt{H}$ selected from a family of universal hash functions that maps the concatenation of bitstrings from $\{0,1\}^{k\,n}$ and the set of participants $\mathcal{G}$ onto $\{0,1\}^{L}$, where $n$ is the number of participants in $\mathcal{G}$ and $k\in\mathbb{N}$.

When proving a certain cryptographic construction secure, it is necessary to depict a precise security model making explicit claims and assumptions that can be formally proven and verified. This is, however, not always the case in the post-quantum scenario, as quantum adversaries are often modeled in a very different fashion. Most often, constructions are substantiated on computational assumptions that explicitly state that an adversary is assumed not to be able to efficiently complete a certain computational task (e.g., decoding a word with respect to a certain partially known code or solving certain approximation problems in lattices). However, the way this quantum adversary is assumed to interact with other system-related idealizations (e.g., the oracles modeling information leakage or misuse) is often disregarded, while it may play a central role in a security proof. A paradigmatic example of this situation is the case of hash functions, typically modeled as so-called random oracles.

Random oracles are classically used in cryptography to model idealized hash functions, which are deterministic algorithms that select, for each new query, an output chosen uniformly at random from a certain given range. It is assumed that all users and processes from a certain system are given access to the same random oracles, which means that, for security proofs, if the real cryptographic environment is simulated for an adversary, all random oracle queries must be consistently answered with values that are indistinguishable from random (uniform). In the quantum setting, queries to a random oracle can be done in superposition, which complicates significantly the translations of many classical proofs into this new scenario.

Following Hövelmanns et al. [9], in this work, we consider quantum adversaries that are given quantum access to the (offline) quantum random oracle involved in our design. More precisely, we need to make use of two basic properties of these so-called quantum-accessible random oracles:

- Collision-freeness. In [12], it is proven that the best quantum algorithm for finding a collision for a random function $H:\{0,1\}^{n}\to\{0,1\}^{n}$ (i.e., a pair of distinct $x,x'\in\{0,1\}^{n}$ such that $H(x)=H(x')$) is $\tilde{\mathcal{O}}\left(2^{n/5}\right)$. (The notation $\tilde{\mathcal{O}}$ “wipes out” logarithmic factors in $\mathcal{O}$, namely, $f(n)\in\tilde{\mathcal{O}}(h(n)) \iff \exists\, k\in\mathbb{N}\ \text{s.t.}\ f(n)\in\mathcal{O}\left(h(n)\log^{k}(h(n))\right)$.) The analogous classical bound is $\mathcal{O}\left(2^{n/2}\right)$. While being suboptimal in number of queries, this algorithm is the most efficient in terms of time complexity with small quantum memory. Thus, in the sequel, we may assume that (even for a quantum adversary) finding a collision pair for a quantum-accessible random oracle can only be done with negligible probability (this is used in Section 4.3.1).
- Pseudorandomness. Following again Hövelmanns et al. [9], we use the argument of Zhandry (see [13]) stating that no quantum algorithm, making at most q quantum queries to a quantum random oracle $\widehat{H}$ implementing a random function $\mathcal{H}:{\{0,1\}}^{m}\mapsto {\{0,1\}}^{n}$, can distinguish between $\widehat{H}$ and a random polynomial of degree $2q$ defined over the field ${\mathbb{F}}_{{2}^{n}}.$ As a result, if the input to a quantum random oracle contains enough entropy, then the probability of distinguishing its output from a value chosen uniformly at random is negligible. In other words, when the input is unknown and chosen uniformly at random, the fact that the random oracle can be queried in superposition is of no help in distinguishing the oracle’s output from a randomly chosen element. This is used in the quantum random oracle proof from Section 4.3.

We strongly suggest the interested reader consult [14] for a comprehensive introduction to the quantum random oracle model.

In this section, we describe the post-quantum tools used in the construction of our $\mathtt{GAKE}$, namely a two-party authenticated key exchange (AKE) and a commitment scheme. The relations between these tools are summarized in Figure 3.

In the first subsection, we describe `Kyber`’s public key encryption (PKE) scheme and state its security properties that are of importance to the construction of the primitives mentioned above.

In the second subsection, we detail how the $\mathtt{2}\mathtt{AKE}$ is obtained from a generic construction proposed in [9], of two-message AKE provably secure in the quantum random oracle model (QROM) from PKE schemes that possess both Disjoint Simulatability (DS) (Definition 2) and IND-CPA security. In particular, we use a slight modification (called `Kyber.CPA`${}^{\prime}$) of the CPA-secure PKE scheme introduced in [7] as part of `Kyber`’s package submitted to NIST’s post-quantum standardization effort. We describe the ${\mathrm{FO}}_{\mathrm{AKE}}$ transformation which turns a secure PKE into a secure AKE. This subsection ends by proving that `Kyber.CPA`${}^{\prime}$ is DS secure and, therefore, it is possible to construct an AKE secure in the QROM by applying the ${\mathrm{FO}}_{\mathrm{AKE}}$ to it.

The third subsection is devoted to the construction of the post-quantum commitment scheme mentioned in Section 2. It must be a non-interactive non-malleable commitment scheme that is perfectly binding and achieves non-malleability for multiple commitments. As pointed out in [8], this can be directly constructed from a public key encryption scheme which achieves the well-known IND-CCA security notion. To this end, we use another transformation described in [9], specifically ${\mathrm{FO}}_{m}^{\overline{)\perp}}$, which turns an IND-CPA and DS PKE into an IND-CCA KEM. Then, we recall that it is straightforward to obtain an IND-CCA PKE from an IND-CCA KEM. Putting everything together, we obtain the desired commitment scheme from `Kyber.CPA`${}^{\prime}$, the same primitive we use to construct the two-party AKE.

In this subsection, we describe the CPA-secure PKE scheme `Kyber.CPA` introduced in [7] as part of the Cryptographic Suite for Algebraic Lattices (CRYSTALS), a package of cryptographic primitives submitted to NIST’s post-quantum standardization effort. In fact, what we really describe and work with is a slightly modified version, also proposed in [7], called `Kyber.CPA`${}^{\prime}$.

First, we introduce some definitions needed to understand how the PKE has been constructed and summarize in Table 3 the notation used in the sequel. Then, we describe the key generation, encryption, and decryption algorithms used in `Kyber.CPA`${}^{\prime}$, as well as its CPA-security under the Module-LWE hardness assumption (Definition 1).

Denote by R the ring $\mathbb{Z}\left[X\right]/({X}^{n}+1)$ and by ${R}_{q}$ the ring ${\mathbb{Z}}_{q}\left[X\right]/({X}^{n}+1)$, where $n={2}^{{n}^{\prime}-1}$ such that ${X}^{n}+1$ is the ${2}^{{n}^{\prime}}$th cyclotomic polynomial. As in [7], we fix the values for n, ${n}^{\prime}$ and q to 256, 9 and 7681.

For some positive integer $\eta$, define the centered binomial distribution $B_{\eta}$ as follows ([7]):

$$\text{Sample } \{(a_i,b_i)\}_{i=1}^{\eta}\leftarrow\left(\{0,1\}^{2}\right)^{\eta} \quad\text{and output}\quad \sum_{i=1}^{\eta}(a_i-b_i).$$

The security assumption underlying `Kyber.CPA`${}^{\prime}$ is based on the hardness of the Module-LWE problem, which generalizes the Learning with Errors (LWE) problem. Learning with errors (LWE) is the computational problem of inferring a linear n-ary function f over a finite ring from given (slightly incorrect) samples ${y}_{i}=f\left({\mathbf{x}}_{i}\right)$. Recall that Ring Learning with Errors (RLWE) is the variant of LWE specialized to polynomial rings over finite fields. Informally, Module-LWE can be seen as the result of replacing single ring elements in the RLWE problem with module elements over the same ring (thus, RLWE can be seen as Module-LWE with module rank 1).

**Definition 1** (Module-LWE assumption [7]). The Module-LWE problem consists in distinguishing uniform samples $(\mathbf{a}_i,b_i)\leftarrow R_q^{k}\times R_q$ from samples $(\mathbf{a}_i,\mathbf{a}_i^{T}\mathbf{s}+e_i)\in R_q^{k}\times R_q$, where $\mathbf{a}_i\leftarrow R_q^{k}$ is uniform, $\mathbf{s}\leftarrow\beta_{\eta}^{k}$ is common to all samples, and $e_i\leftarrow\beta_{\eta}$ is fresh for every sample. The advantage of an adversary $\mathcal{A}$ is defined as

$$\mathsf{Adv}^{\mathit{mlwe}}_{m,k,\eta}(\mathcal{A})=\left|\Pr\left[b'=1:\begin{array}{l}\mathbf{A}\leftarrow R_q^{m\times k};\\(\mathbf{s},\mathbf{e})\leftarrow\beta_{\eta}^{k}\times\beta_{\eta}^{m};\\\mathbf{b}=\mathbf{A}\mathbf{s}+\mathbf{e};\\b'=\mathcal{A}(\mathbf{A},\mathbf{b})\end{array}\right]-\Pr\left[b'=1:\begin{array}{l}\mathbf{A}\leftarrow R_q^{m\times k};\\\mathbf{b}\leftarrow R_q^{m};\\b'\leftarrow\mathcal{A}(\mathbf{A},\mathbf{b})\end{array}\right]\right|.$$

The Module-LWE assumption states that the above advantage is negligible for any given adversary $\mathcal{A}$.

The authors of [7] defined a function $\mathtt{Compress}_q(x,d)$ that takes an element $x\in\mathbb{Z}_q$ and outputs an integer in $\{0,1,\dots,2^{d}-1\}$, where $d<\lceil\log_2(q)\rceil$. Furthermore, a function $\mathtt{Decompress}_q$ is defined such that

$$x'=\mathtt{Decompress}_q(\mathtt{Compress}_q(x,d),d)$$

is an element close to $x$. More specifically,

$$\left|x'-x\ \mathrm{mod}^{\pm}\ q\right|\le\left\lceil\frac{q}{2^{d+1}}\right\rfloor.$$

The functions satisfying these requirements are defined in [7] as:

$$\begin{array}{rcl}\mathtt{Compress}_q(x,d)&=&\lceil(2^{d}/q)\cdot x\rfloor\ \bmod\ 2^{d},\\[4pt]\mathtt{Decompress}_q(x,d)&=&\lceil(q/2^{d})\cdot x\rfloor.\end{array}$$

**Theorem 1** ([7]). For any adversary $\mathcal{A}$ against the CPA security of `Kyber.CPA`${}^{\prime}$, define the advantage

$$\mathsf{Adv}^{\mathit{cpa}}_{\mathsf{Kyber.CPA}'}(\mathcal{A})=\left|\Pr\left[b=b':\begin{array}{l}(pk,sk)\leftarrow\mathsf{KeyGen}();\\(m_0,m_1,s)\leftarrow\mathcal{A}(pk);\\b\leftarrow\{0,1\};\ c^{*}\leftarrow\mathsf{Enc}(pk,m_b);\\b'\leftarrow\mathcal{A}(s,c^{*})\end{array}\right]-\frac{1}{2}\right|.$$

Then, there exists an adversary $\mathcal{B}$ such that

$$\mathsf{Adv}^{\mathit{cpa}}_{\mathsf{Kyber.CPA}'}(\mathcal{A})\le 2\,\mathsf{Adv}^{\mathit{mlwe}}_{k+1,k,\eta}(\mathcal{B}).$$

Finally, it is worth pointing out that neither $\mathtt{Kyber}.\mathtt{CPA}$ nor $\mathtt{Kyber}.{\mathtt{CPA}}^{\prime}$ provides perfect correctness. This is discussed in [7], where a value for $\delta $, the probability of decryption error, is obtained for $\mathtt{Kyber}.\mathtt{CPA}$. This is easily adapted to $\mathtt{Kyber}.{\mathtt{CPA}}^{\prime}$; the details can be found in Appendix A.

**Algorithm 1:** `Kyber.CPA`${}^{\prime}$`.KeyGen()`

1. $\rho,\sigma\leftarrow\{0,1\}^{n}$
2. $\mathbf{A}\sim R_q^{k\times k}:=\mathtt{Sam}(\rho)$
3. $(\mathbf{s},\mathbf{e})\sim\beta_{\eta}^{k}\times\beta_{\eta}^{k}:=\mathtt{Sam}(\sigma)$
4. $\mathbf{t}:=\mathbf{A}\mathbf{s}+\mathbf{e}$
5. return $(pk:=(\mathbf{t},\rho),\ sk:=\mathbf{s})$

**Algorithm 2:** `Kyber.CPA`${}^{\prime}$`.Enc`$(pk=(\mathbf{t},\rho),\ m\in\mathcal{M})$

1. $r\leftarrow\{0,1\}^{n}$
2. $\mathbf{A}\sim R_q^{k\times k}:=\mathtt{Sam}(\rho)$
3. $(\mathbf{r},\mathbf{e}_1,e_2)\sim\beta_{\eta}^{k}\times\beta_{\eta}^{k}\times\beta_{\eta}:=\mathtt{Sam}(r)$
4. $\mathbf{u}:=\mathtt{Compress}_q(\mathbf{A}^{T}\mathbf{r}+\mathbf{e}_1,\ d_u)$
5. $v:=\mathtt{Compress}_q(\mathbf{t}^{T}\mathbf{r}+e_2+\lceil q/2\rfloor\cdot m,\ d_v)$
6. return $c:=(\mathbf{u},v)$

**Algorithm 3:** `Kyber.CPA`${}^{\prime}$`.Dec`$(sk=\mathbf{s},\ c=(\mathbf{u},v))$

1. $\mathbf{u}:=\mathtt{Decompress}_q(\mathbf{u},d_u)$
2. $v:=\mathtt{Decompress}_q(v,d_v)$
3. return $\mathtt{Compress}_q(v-\mathbf{s}^{T}\mathbf{u},\ 1)$
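As an added example (not code from this paper or from the CRYSTALS project), the following Python walks through Algorithms 1 to 3 with the page's $n=256$ and $q=7681$, using schoolbook arithmetic in $R_q$ so that the ring operations, the centered binomial sampler and the $\mathtt{Compress}_q/\mathtt{Decompress}_q$ rounding are visible; the values $k=3$, $\eta=4$, $d_u=11$, $d_v=3$ are assumed (the Kyber768 choices of [7]), and $\mathtt{Sam}$ is modelled with SHAKE as a seed expander.

```python
# Toy implementation of Kyber.CPA' (Algorithms 1-3) with schoolbook arithmetic in
# R_q = Z_q[X]/(X^n + 1). Added example, not the CRYSTALS reference code: n = 256 and
# q = 7681 are the page's values; k, eta, d_u, d_v are ASSUMED (the Kyber768 set of
# [7]); Sam() is modelled with SHAKE as the seed expander; there is no NTT.
import hashlib

N, Q = 256, 7681
K, ETA, D_U, D_V = 3, 4, 11, 3   # assumed parameter set
HALF_Q = (Q + 1) // 2            # ⌈q/2⌋ = 3841, scales message bits into R_q

def poly_add(a, b):
    return [(x + y) % Q for x, y in zip(a, b)]

def poly_sub(a, b):
    return [(x - y) % Q for x, y in zip(a, b)]

def poly_mul(a, b):
    """Schoolbook product in R_q: X^n = -1, so the upper half is subtracted."""
    res = [0] * (2 * N)
    for i, ai in enumerate(a):
        if ai:
            for j, bj in enumerate(b):
                res[i + j] += ai * bj
    return [(res[i] - res[i + N]) % Q for i in range(N)]

def vec_dot(u, v):
    """Inner product of two vectors in R_q^k."""
    acc = [0] * N
    for a, b in zip(u, v):
        acc = poly_add(acc, poly_mul(a, b))
    return acc

def mat_vec(A, v, transpose=False):
    """A*v, or A^T*v when transpose=True, for A in R_q^{k x k}."""
    rows = [[A[j][i] for j in range(K)] for i in range(K)] if transpose else A
    return [vec_dot(row, v) for row in rows]

def sam_uniform(rho):
    """Sam(rho): uniform A in R_q^{k x k}, rejection-sampling 13-bit values below q."""
    xof, coeffs, pos = hashlib.shake_128(rho).digest(8 * K * K * N), [], 0
    while len(coeffs) < K * K * N:
        val = (xof[pos] | (xof[pos + 1] << 8)) & 0x1FFF
        pos += 2
        if val < Q:
            coeffs.append(val)
    return [[coeffs[(i * K + j) * N:(i * K + j + 1) * N] for j in range(K)] for i in range(K)]

def sam_cbd(seed, count):
    """Sam(seed): `count` polynomials from B_eta, each coefficient sum_i (a_i - b_i)."""
    bits = "".join(f"{b:08b}" for b in hashlib.shake_256(seed).digest(count * N * ETA // 4))
    coeffs = [(bits[p:p + ETA].count("1") - bits[p + ETA:p + 2 * ETA].count("1")) % Q
              for p in range(0, len(bits), 2 * ETA)]
    return [coeffs[i * N:(i + 1) * N] for i in range(count)]

def compress(x, d):
    """Compress_q(x, d) = ⌈(2^d / q) x⌋ mod 2^d, with ⌈.⌋ rounding half up."""
    return ((2 * (x << d) + Q) // (2 * Q)) % (1 << d)

def decompress(x, d):
    """Decompress_q(x, d) = ⌈(q / 2^d) x⌋."""
    return (2 * Q * x + (1 << d)) // (2 << d)

def keygen(rand):
    """Algorithm 1; rand is 64 bytes (rho || sigma), e.g. os.urandom(64) in practice."""
    A = sam_uniform(rand[:32])
    se = sam_cbd(rand[32:64], 2 * K)
    s, e = se[:K], se[K:]
    t = [poly_add(x, y) for x, y in zip(mat_vec(A, s), e)]
    return (t, rand[:32]), s

def encrypt(pk, m_bits, r_seed):
    """Algorithm 2; m_bits is a list of n bits, r_seed the 32-byte coin r."""
    t, rho = pk
    noise = sam_cbd(r_seed, 2 * K + 1)
    r, e1, e2 = noise[:K], noise[K:2 * K], noise[2 * K]
    u = [[compress(c, D_U) for c in poly_add(x, y)]
         for x, y in zip(mat_vec(sam_uniform(rho), r, transpose=True), e1)]
    m_poly = [HALF_Q * bit for bit in m_bits]
    v = [compress(c, D_V) for c in poly_add(poly_add(vec_dot(t, r), e2), m_poly)]
    return u, v

def decrypt(sk, ct):
    """Algorithm 3; returns the recovered list of n bits."""
    u = [[decompress(c, D_U) for c in ui] for ui in ct[0]]
    v = [decompress(c, D_V) for c in ct[1]]
    return [compress(c, 1) for c in poly_sub(v, vec_dot(sk, u))]

def roundtrip(m_bits, key_rand=b"\x01" * 64, enc_rand=b"\x02" * 32):
    """Deterministic KeyGen/Enc/Dec round trip; True when the message survives."""
    pk, sk = keygen(key_rand)
    return decrypt(sk, encrypt(pk, m_bits, enc_rand)) == list(m_bits)

def log2_eps_dis():
    """log2 of eps_dis = 2^{-n(d_u k + d_v - 2)} from the DS theorem, for these parameters."""
    return -N * (K * D_U + D_V - 2)
```

The same code also evaluates the disjointness bound $\epsilon_{\mathit{dis}}$ of the DS theorem for these parameters, and a decryption under an unrelated secret key returns an unrelated bit string, which is the behaviour the compression-based rounding in step 3 of Algorithm 3 is relied upon for.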

${\mathrm{FO}}_{\mathrm{AKE}}$ is a generic construction proposed in [9], which transforms an IND-CPA secure PKE scheme into an AKE protocol, provably secure in the QROM. The construction admits that the PKE scheme has non-perfect correctness, which makes it suitable for the `Kyber.CPA`${}^{\prime}$ scheme we have previously introduced. Another nice feature is that it avoids the use of (usually expensive) quantum-secure signature schemes. ${\mathrm{FO}}_{\mathrm{AKE}}$ can be seen as an extension of the Fujisaki–Okamoto transform (which turns IND-CPA encryption schemes into IND-CCA ones) to the AKE setting.

The resulting AKE after applying the ${\mathrm{FO}}_{\mathrm{AKE}}$ transformation is quite efficient in terms of communication. In [9], it is called a two-message protocol, meaning that it is a two-round AKE protocol where one party sends a message in the first round while the other party answers with another message in the second round. As an interesting additional contribution, the authors of [9] defined a security model and two security notions for two-message AKEs: key indistinguishability against active attacks (IND-AA) and the weaker notion of indistinguishability against active attacks without state reveal in the test session (IND-StAA). We are interested in the second one, as the security of the AKE obtained by using the ${\mathrm{FO}}_{\mathrm{AKE}}$ transformation is proved in [9] under this slightly weaker model. Nevertheless, this is enough for our purposes because, as discussed in Section 5 of [15] (the extended version of [9]), IND-StAA implies security in the sense required in the compiler from [8].

A high level description of the IND-StAA model, as formulated in [9], is the following. It states that the session key remains indistinguishable from a random one even if:

- the attacker knows either the long-term secret key or the secret state information (but not both) of both parties involved in the test session, as long as it did not modify the message received by the test session; or
- the attacker modified the message received by the test session, as long as it obtained neither the long-term secret key of the test session’s peer nor the test session’s state.

The authors of the ${\mathrm{FO}}_{\mathrm{AKE}}$ transformation proved its IND-StAA security in the QROM as long as the PKE is IND-CPA, and it is possible to efficiently fake ciphertexts that are indistinguishable from proper encryptions, while the probability that the sampling algorithm hits a proper encryption is small. This last notion is called Disjoint Simulatability (DS) of ciphertexts, and is defined in [9] as follows.

**Definition 2** (DS). Let $\mathsf{PKE}=(\mathsf{KG},\mathsf{Enc},\mathsf{Dec})$ be a PKE scheme with message space $\mathcal{M}$ and ciphertext space $\mathcal{C}$, coming with an additional ppt algorithm $\overline{\mathsf{Enc}}$. For quantum adversaries $\mathcal{A}$, we define the advantage against $\mathsf{PKE}$’s disjoint simulatability as

$$\mathsf{Adv}^{\mathsf{DS}}_{\mathsf{PKE},\,\overline{\mathsf{Enc}}}(\mathcal{A})=\left|\Pr\left[\begin{array}{l}pk\leftarrow\mathsf{KG},\\m\leftarrow\mathcal{M},\\c\leftarrow\mathsf{Enc}(pk,m)\end{array}:1\leftarrow\mathcal{A}(pk,c)\right]-\Pr\left[\begin{array}{l}pk\leftarrow\mathsf{KG},\\c\leftarrow\overline{\mathsf{Enc}}\end{array}:1\leftarrow\mathcal{A}(pk,c)\right]\right|.$$

When there is no chance of confusion, we drop $\overline{\mathsf{Enc}}$ from the advantage’s subscript for convenience. We call $\mathsf{PKE}$ $\epsilon_{\mathrm{dis}}$-disjoint if, for all $pk\in\mathit{supp}(\mathsf{KG})$,

$$\Pr\left[c\leftarrow\overline{\mathsf{Enc}}\ :\ c\in\mathsf{Enc}(pk,\,\mathcal{M};\,\mathcal{R})\right]\le\epsilon_{\mathit{dis}},$$

where $\mathcal{R}=\mathcal{R}(pk)$ is a finite randomness space defined by $pk$.

The authors of the ${\mathrm{FO}}_{\mathrm{AKE}}$ transformation suggested that many lattice-based schemes fulfill DS in a natural way, as follows: fake encryptions can be sampled uniformly at random. DS then follows from the LWE assumption and, since LWE samples are relatively sparse, uniform sampling should be disjoint.

The following theorem establishes that the DS security of $\mathtt{Kyber}.{\mathtt{CPA}}^{\prime}$ equipped with an additional algorithm $\overline{\mathtt{Enc}}$ reduces to its Module-LWE security.

**Theorem 2** (DS security of $\mathtt{Kyber}.\mathtt{CPA}'$). Let $\eta,\,k,\,d_u$, and $d_v$ be positive integer parameters for $\mathsf{Kyber.CPA}'$. If $\mathsf{Kyber.CPA}'$ is equipped with a ppt algorithm $\overline{\mathsf{Enc}}$ which samples a uniform ciphertext when given a public key, then, for any adversary $\mathcal{A}$, there exists an adversary $\mathcal{B}$ such that

$$\mathsf{Adv}^{\mathsf{DS}}_{\mathsf{Kyber.CPA}'}(\mathcal{A})\le 2\,\mathsf{Adv}^{\mathit{mlwe}}_{k+1,k,\eta}(\mathcal{B}).$$

Furthermore, $\mathsf{Kyber.CPA}'$ is $\epsilon_{\mathit{dis}}$-disjoint with

$$\epsilon_{\mathit{dis}}=\frac{1}{2^{\,n\,(d_u\,k+d_v-2)}}.$$

**Proof.** Let $\mathcal{A}$ be an adversary attacking the DS security of $\mathtt{Kyber}.\mathtt{CPA}'$. We obtain a bound for $\mathsf{Adv}^{\mathtt{DS}}_{\mathtt{Kyber}.\mathtt{CPA}'}(\mathcal{A})$ following the sequence of games in the proof of Theorem 2 in [7].

First, the value $\mathbf{t}:=\mathbf{As}+\mathbf{e}$ which is used in `KeyGen` is substituted by a uniform random value. It follows from the Module-LWE security of $\mathtt{Kyber}.{\mathtt{CPA}}^{\prime}$ that the value $\mathbf{t}$ and the uniform random value are indistinguishable from each other. Next, the values ${\mathbf{A}}^{T}\mathbf{r}+{\mathbf{e}}_{1}$ and ${\mathbf{t}}^{T}\mathbf{r}+{e}_{2}+\lceil \frac{q}{2}\rfloor \xb7m$ used in the generation of the challenge ciphertext are simultaneously substituted with uniform random values. Again, it follows from the Module-LWE security of $\mathtt{Kyber}.{\mathtt{CPA}}^{\prime}$ that ${\mathbf{A}}^{T}\mathbf{r}+{\mathbf{e}}_{1}$ and ${\mathbf{t}}^{T}\mathbf{r}+{e}_{2}+\lceil \frac{q}{2}\rfloor \xb7m$ are indistinguishable from the random values. As in [7], we deduce that there exists an adversary $\mathcal{B}$ with the same running time as that of $\mathcal{A}$ such that ${\mathsf{Adv}}_{\mathtt{Kyber}.{\mathtt{CPA}}^{\prime}}^{\mathtt{DS}}\left(\mathcal{A}\right)\phantom{\rule{0.166667em}{0ex}}\le \phantom{\rule{0.166667em}{0ex}}2\phantom{\rule{0.166667em}{0ex}}{\mathsf{Adv}}_{k+1,k,\eta}^{\mathit{mlwe}}\left(\mathcal{B}\right)$.

To prove the $\epsilon_{\mathrm{dis}}$-disjointness of $\mathtt{Kyber}.\mathtt{CPA}'$ with $\epsilon_{\mathrm{dis}}=2^{\,n\,(2-d_u\,k-d_v)}$, we recall that $\mathcal{M}=\{0,1\}^{n}$, $\mathcal{C}=\{0,1\}^{n\,k\,d_u}\times\{0,1\}^{n\,d_v}$, and $\mathcal{R}=\{0,1\}^{n}$ are the message, ciphertext and randomness spaces, respectively. Since $\left|\mathtt{Enc}(pk,\,\mathcal{M};\,\mathcal{R})\right|\le\left|\mathcal{M}\right|\,\left|\mathcal{R}\right|=2^{2n}$, we obtain

$$\begin{array}{rcl}\Pr\left[c\leftarrow\overline{\mathtt{Enc}}\ :\ c\in\mathtt{Enc}(pk,\,\mathcal{M};\,\mathcal{R})\right]&\le&\displaystyle\max_{(pk,\,sk)\in\mathtt{KeyGen}(\mathcal{R})}\frac{\left|\mathtt{Enc}(pk,\,\mathcal{M};\,\mathcal{R})\right|}{\left|\mathcal{C}\right|}\\[10pt]&\le&\displaystyle\frac{2^{2n}}{2^{\,n\,(d_u\,k+d_v)}}\\[10pt]&=&\displaystyle\frac{1}{2^{\,n\,(d_u\,k+d_v-2)}},\end{array}$$

which is the desired result. □

Now that Theorems 1 and 2 guarantee that $\mathtt{Kyber}.\mathtt{CPA}^{\prime}$ satisfies the hypotheses of Theorem 3 in [9], we can use it to produce a two-party AKE which fulfills IND-StAA security in the QROM. The resulting scheme, which we denote by `Kyber.2AKE`, is depicted in Figure 4. Here, $G$ and $H$ are random oracles (the statement of Theorem 3 of [9], reproduced in Appendix B, is written in terms of these two oracles) and ${}_{R}^{\prime}$, ${}_{L1}^{\prime}$, ${}_{L2}^{\prime}$, and ${}_{L3}^{\prime}$ are internal random oracles that cannot be accessed directly and could be implemented with a pseudorandom function. Note that this is not the same two-party AKE proposed in [7]. For reference, we include the precise statement of Theorem 3 of [9] in Appendix B.

In this section, we describe how to obtain an IND-CCA PKE from an IND-CPA PKE. This process can be achieved in two steps:

To achieve an IND-CCA secure KEM from `Kyber.CPA`${}^{\prime}$, we apply the $\mathrm{FO}_{m}^{\not\perp}$ transformation which, in analogy with the $\mathrm{FO}_{\mathrm{AKE}}$ transformation, turns a PKE scheme that is both IND-CPA and DS secure into an IND-CCA secure KEM. As shown in [9], unlike similar transformations, $\mathrm{FO}_{m}^{\not\perp}$ is robust against correctness errors and its security reduction is tighter than the one that results from applying other known transformations. In cases where the PKE is not already DS, this requirement can be waived with negligible loss of efficiency. In the case of `Kyber.CPA`${}^{\prime}$, there is no loss of efficiency since it is IND-CPA secure and, as shown in Theorem 2, it is DS secure as well. Algorithms 1, 4, and 5 show the KEM $\mathtt{Kyber}^{\not\perp}$ = (`Kyber.CPA`${}^{\prime}$`.KeyGen`, `Encaps`, `Decaps`) that results from applying the transformation $\mathrm{FO}_{m}^{\not\perp}$ to `Kyber.CPA`${}^{\prime}$. Here, $G$ and $H$ are random oracles and ${}_{r}$ is an internal random oracle that cannot be accessed directly and could be implemented with a pseudorandom function. For reference, we include the precise statement of Theorem 2 of [9] in Appendix C.

**Algorithm 4:** $\mathtt{Kyber}^{\not\perp}.\mathtt{Encaps}(pk)$

1. $m\stackrel{\$}{\leftarrow}\mathcal{M}$
2. $c:=\mathtt{Kyber}.\mathtt{CPA}^{\prime}.\mathtt{Enc}(pk,m;G(m))$
3. $\mathtt{k}:=H(m)$
4. **return** $(\mathtt{k},c)$

**Algorithm 5:** $\mathtt{Kyber}^{\not\perp}.\mathtt{Decaps}(sk,c)$

Finally, an IND-CCA PKE is obtained after applying the transformation introduced in [10] to $\mathtt{Kyber}^{\not\perp}$ together with a one-time secure symmetric key encryption scheme (SKE, also called a DEM). We call this scheme `Kyber.PKE`. The security of this transformation follows from Theorem 5 in [10]. As pointed out in [8], a commitment scheme with the required security properties can be obtained in a straightforward way from the IND-CCA PKE.
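As an added illustration (not code from the paper nor from the Kyber project), the following Python sketch implements the $\mathrm{FO}_{m}^{\not\perp}$ encapsulation and decapsulation of Algorithms 4 and 5, and the KEM/DEM combination of [10] on top of it, over a constructed toy IND-CPA scheme: plain LWE over $\mathbb{Z}_q$ with tiny noise and one LWE sample per message bit, standing in for $\mathtt{Kyber}.\mathtt{CPA}^{\prime}$ (no module structure, no NTT, no Compress/Decompress; the parameters are not secure). Everything not on the page is an assumption of this example: the random oracles $G$, $H$ and the internal rejection oracle are instantiated as domain-separated SHA3-256, the implicit-rejection key is derived from a secret seed `z` kept in the secret key together with the ciphertext, and the one-time DEM is a SHAKE-256 keystream with an HMAC tag.

```python
import hashlib
import hmac
import os
import random

# Constructed toy parameters: plain LWE over Z_q, one LWE sample per message bit.
# Kyber.CPA' works over a rank-k module of R_q = Z_q[X]/(X^256+1) with Compress/
# Decompress; none of that is modelled here and these parameters are NOT secure.
Q = 3329                 # modulus (Kyber's q, kept so that the q/4 decoding threshold is familiar)
N = 8                    # LWE dimension (toy)
MSG_BYTES = 1            # message space M = {0,1}^8
HALF_Q = (Q + 1) // 2    # ceil(q/2) = 1665, the encoding of a 1 bit

def _small(rng, count):
    """Noise in {-1, 0, 1}: stand-in for Kyber's centred binomial sampler."""
    return [rng.choice((-1, 0, 1)) for _ in range(count)]

def _dot(a, b):
    return sum(x * y for x, y in zip(a, b)) % Q

def pke_keygen(seed: bytes):
    """KeyGen: pk = (A, t = A s + e), sk = s."""
    rng = random.Random(seed)
    A = [[rng.randrange(Q) for _ in range(N)] for _ in range(N)]
    s, e = _small(rng, N), _small(rng, N)
    t = [(_dot(row, s) + e_i) % Q for row, e_i in zip(A, e)]
    return (A, t), s

def pke_encrypt(pk, m: bytes, coins: bytes):
    """IND-CPA encryption of one byte. `coins` fixes all randomness, so that
    Enc(pk, m; G(m)) is a deterministic function of m, as the FO transform needs."""
    A, t = pk
    rng = random.Random(coins)
    At = [list(col) for col in zip(*A)]                    # A^T
    ct = []
    for j in range(8):
        bit = (m[0] >> j) & 1
        r, e1, e2 = _small(rng, N), _small(rng, N), rng.choice((-1, 0, 1))
        u = [(_dot(row, r) + e1_j) % Q for row, e1_j in zip(At, e1)]   # A^T r + e1
        v = (_dot(t, r) + e2 + HALF_Q * bit) % Q                         # t^T r + e2 + ceil(q/2)*bit
        ct.append((u, v))
    return ct

def pke_decrypt(s, ct) -> bytes:
    """Dec: v - s^T u = ceil(q/2)*bit + (e^T r + e2 - s^T e1); the noise is tiny here."""
    m = 0
    for j, (u, v) in enumerate(ct):
        w = (v - _dot(s, u)) % Q
        if w > Q // 2:
            w -= Q                                         # centred representative
        if abs(w) > Q // 4:                                # nearer to ceil(q/2) than to 0
            m |= 1 << j
    return bytes([m])

def _encode(ct) -> bytes:
    return b"".join(x.to_bytes(2, "big") for u, v in ct for x in (*u, v))

# Random oracles G, H and the internal rejection oracle: domain-separated SHA3-256 (assumption).
def G(m: bytes) -> bytes:
    return hashlib.sha3_256(b"G|" + m).digest()

def H(m: bytes) -> bytes:
    return hashlib.sha3_256(b"H|" + m).digest()

def H_r(z: bytes, c: bytes) -> bytes:
    return hashlib.sha3_256(b"r|" + z + c).digest()

def kem_keygen(seed: bytes):
    pk, s = pke_keygen(seed)
    z = hashlib.sha3_256(b"z|" + seed).digest()   # rejection seed kept inside sk (assumption)
    return pk, (s, pk, z)

def encaps(pk, m=None):
    """Algorithm 4: m <-$ M; c := Enc(pk, m; G(m)); k := H(m)."""
    if m is None:
        m = os.urandom(MSG_BYTES)
    return H(m), pke_encrypt(pk, m, G(m))

def decaps(sk, ct):
    """Implicit-rejection decapsulation: decrypt, re-encrypt with G(m'), compare."""
    s, pk, z = sk
    m_prime = pke_decrypt(s, ct)
    if pke_encrypt(pk, m_prime, G(m_prime)) == ct:
        return H(m_prime)
    return H_r(z, _encode(ct))            # never a bottom symbol: a pseudorandom key leaks no failure signal

# KEM/DEM hybrid in the sense of [10]: DEM = SHAKE-256 keystream + HMAC-SHA3-256 tag (assumption).
def _dem_keys(k: bytes):
    return hashlib.sha3_256(b"enc|" + k).digest(), hashlib.sha3_256(b"mac|" + k).digest()

def pke_cca_encrypt(pk, msg: bytes):
    k, c_kem = encaps(pk)
    ke, km = _dem_keys(k)
    body = bytes(a ^ b for a, b in zip(msg, hashlib.shake_256(ke).digest(len(msg))))
    tag = hmac.new(km, _encode(c_kem) + body, "sha3_256").digest()
    return c_kem, body, tag

def pke_cca_decrypt(sk, c):
    c_kem, body, tag = c
    ke, km = _dem_keys(decaps(sk, c_kem))          # a mauled c_kem yields an unrelated key ...
    expected = hmac.new(km, _encode(c_kem) + body, "sha3_256").digest()
    if not hmac.compare_digest(expected, tag):     # ... and therefore a failing tag
        return None
    return bytes(a ^ b for a, b in zip(body, hashlib.shake_256(ke).digest(len(body))))
```

The point to observe in `decaps` is that a ciphertext which does not re-encrypt to itself never produces an error: it produces a key that depends on the secret seed and on the ciphertext, so a decapsulation oracle gives an attacker no bit of information about whether the re-encryption check passed. The DEM tag then fails for such ciphertexts, which is what the hybrid construction of [10] relies on.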

In this section, we present our compiled construction of `GAKE`. Informally, let us recall the setting we are considering. Our participants are honest entities which can be modeled as probabilistic polynomial time Turing machines (thus, they have no access to quantum computing resources). These participants can only exchange messages through an insecure network, which is fully under adversarial control (adversaries may insert, delay, suppress or forward messages at will). Moreover, the adversarial computing capabilities are superior to those of participants, as we assume adversaries can perform quantum polynomial time computations and have quantum access to any hash function (modeled as a random oracle) involved. With this in mind, the goal pursued by our protocol is to guarantee that, whenever a participant has computed a session key through the network, this key is indistinguishable from a random value for those outside the intended group of participants involved in that concrete execution. Note that (as is standard in GKE proposals) we cannot expect to prove that the protocol will always terminate when executed by honest parties; we rather pursue formal assurance that, whenever the protocol indeed produces an output key for a participant, this key is secure for subsequent use.

Now, to make the text fully self-contained, we start by describing the main notations and formalism used in the sequel.

Our security model is inherited from Abdalla et al. [8], which in turn builds upon the seminal work of Bellare et al. [16]. However, ours is a less generic scenario; while in [8] all the proofs are in the common reference string model, our proofs are in the (quantum) random oracle model. More precisely, we assume that all public keys and parameters needed for implementing $\mathtt{Kyber}.\mathtt{2}\mathtt{AKE}$ and $\mathtt{Kyber}.\mathtt{PKE}$ are publicly known (and certified), as well as the description of all involved hash functions, which are idealized as random oracles. Further, we will assume that the long term keys needed for authentication in $\mathtt{Kyber}.\mathtt{2}\mathtt{AKE}$ are generated and distributed to all potential protocol participants in a trusted initialization phase. As customary, we use variables to detail the information stored by users with respect to each protocol execution, and oracles to model adversarial action.

Each protocol participant ${U}_{i}\in \mathcal{U}$ ($i\in \mathbb{N}$) may execute a polynomial number of protocol instances in parallel. A single instance ${\mathsf{\Pi}}_{i}^{{s}_{i}}$ can be interpreted as a process executed by protocol participant ${U}_{i}$. Throughout, the notation ${\mathsf{\Pi}}_{i}^{{s}_{i}}$ is used to refer to instance ${s}_{i}$ of protocol participant ${U}_{i}\in \mathcal{U}$. To each instance, we assign seven variables:

- ${\mathsf{used}}_{i}^{{s}_{i}}$: indicates whether this instance is or has been used for a protocol run. The ${\mathsf{used}}_{i}^{{s}_{i}}$ flag can only be set through a protocol message received by the instance due to a call to the $\mathsf{Execute}$- or to the $\mathsf{Send}$-oracle (see below).
- ${\mathsf{state}}_{i}^{{s}_{i}}$: keeps the state information needed during the protocol execution as well as the long term keys needed for authentication.
- ${\mathsf{term}}_{i}^{{s}_{i}}$: shows if the execution has terminated.
- ${\mathsf{sid}}_{i}^{{s}_{i}}$: denotes a public session identifier that can serve as identifier for the session key ${\mathsf{sk}}_{i}^{{s}_{i}}$. Note that, even though we do not construct session identifiers as session transcripts, the adversary is allowed to learn all session identifiers.
- ${\mathsf{pid}}_{i}^{{s}_{i}}$: stores the set of identities of those users that ${\mathsf{\Pi}}_{i}^{{s}_{i}}$ aims at establishing a key with—including ${U}_{i}$ himself.
- ${\mathsf{acc}}_{i}^{{s}_{i}}$: indicates if the protocol instance was successful, i.e., the user accepted the session key.
- ${\mathsf{sk}}_{i}^{{s}_{i}}$: stores the session key once it is accepted by ${\mathsf{\Pi}}_{i}^{{s}_{i}}$. Before acceptance, it stores a distinguished null value.

We do not make explicit the initialization and evolution of all variables mentioned above, yet omissions are straightforward to understand from the context.

We assume arbitrary point-to-point connections among users to be available. The network is non-private and fully asynchronous: The adversary may delay, eavesdrop, insert, and delete messages at will.

Following Hövelmanns et al. [15], we consider adversaries that can perform (quantum) polynomial time computations and have classical access to all (online) oracles listed below. Furthermore, as explained in Section 2.2, our adversaries are given quantum access to any (offline) random oracles involved.

The capabilities of an adversary $\mathcal{A}$ are made explicit through access to oracles allowing $\mathcal{A}$ to communicate with protocol instances run by the users:

- $\mathsf{Send}({U}_{i},{s}_{i},M)$ This sends message M to the instance ${\mathsf{\Pi}}_{i}^{{s}_{i}}$ and returns the reply generated by this instance. If $\mathcal{A}$ queries this oracle with an unused instance ${\mathsf{\Pi}}_{i}^{{s}_{i}}$ and $M\subseteq \mathcal{P}$ a set of identities of principals, the ${\mathsf{used}}_{i}^{{s}_{i}}$-flag is set, ${\mathsf{pid}}_{i}^{{s}_{i}}$ initialized with ${\mathsf{pid}}_{i}^{{s}_{i}}:=\left\{{U}_{i}\right\}\cup M$, and the initial protocol message of ${\mathsf{\Pi}}_{i}^{{s}_{i}}$ is returned.
- $\mathsf{Execute}\left(\{{\mathsf{\Pi}}_{{u}_{1}}^{{s}_{{u}_{1}}},\cdots ,{\mathsf{\Pi}}_{{u}_{\mu}}^{{s}_{{u}_{\mu}}}\}\right)$ This executes a complete protocol run among the specified unused instances of the respective users. The adversary obtains a transcript of all messages sent over the network. A query to the $\mathsf{Execute}$ oracle is supposed to reflect passive eavesdropping.
- $\mathsf{Reveal}({U}_{i},{s}_{i})$ This yields the value stored in ${\mathsf{sk}}_{i}^{{s}_{i}}$.
- $\mathsf{Test}({U}_{i},{s}_{i})$ Let b be a bit chosen uniformly at random. Provided that the session key is defined (i.e., ${\mathsf{acc}}_{i}^{{s}_{i}}=\mathsf{true}$ and ${\mathsf{sk}}_{i}^{{s}_{i}}\ne \mathrm{null}$) and instance ${\mathsf{\Pi}}_{i}^{{s}_{i}}$ is fresh (see the definition of freshness below), $\mathcal{A}$ can execute this oracle query at any time when being activated. Then, the session key ${\mathsf{sk}}_{i}^{{s}_{i}}$ is returned if $b=0$ and a uniformly chosen random session key is returned if $b=1$. In this model, an arbitrary number of $\mathsf{Test}$ queries is allowed for the adversary $\mathcal{A}$, but, once the $\mathsf{Test}$ oracle has returned a value for an instance ${\mathsf{\Pi}}_{i}^{{s}_{i}}$, it will return the same value for all instances partnered with ${\mathsf{\Pi}}_{i}^{{s}_{i}}$ (see the definition of partnering below).
- $\mathsf{Corrupt}\left({U}_{i}\right)$ This returns all long-term secrets of user ${U}_{i}$—in our case, the private keys used for authentication in $\mathtt{Kyber}.\mathtt{2}\mathtt{AKE}$.

To define our correctness and security goals, we introduce partnering to express which instances are associated in a common protocol session.

An instance ${\mathsf{\Pi}}_{i}^{{s}_{i}}$ is assumed to accept the session key constructed at the end of the corresponding protocol run if no deviation from the protocol specification has occurred. Moreover, without adversarial interference, all users involved in a certain session should come up with the same session key.

We call a group key establishment protocol $\mathsf{P}$ correct if, in the presence of a passive adversary $\mathcal{A}$—i.e., $\mathcal{A}$ must use neither the $\mathsf{Send}$ nor the $\mathsf{Corrupt}$ oracle—the following holds: for all $i,j$ with both ${\mathsf{sid}}_{i}^{{s}_{i}}={\mathsf{sid}}_{j}^{{s}_{j}}$ and ${\mathsf{acc}}_{i}^{{s}_{i}}={\mathsf{acc}}_{j}^{{s}_{j}}=\mathsf{true}$, we have ${\mathsf{sk}}_{i}^{{s}_{i}}={\mathsf{sk}}_{j}^{{s}_{j}}\ne \mathrm{null}$ and ${\mathsf{pid}}_{i}^{{s}_{i}}={\mathsf{pid}}_{j}^{{s}_{j}}$.

Some sort of correctness should also be guaranteed even if adversaries actively participate in a concrete execution: the notion of integrity, introduced in [17], captures this idea.

We say that a correct group key establishment protocol fulfills integrity if, with overwhelming probability, all instances of honest principals that have accepted with the same session identifier ${\mathtt{sid}}_{j}^{{s}_{j}}$ hold identical session keys ${\mathtt{sk}}_{j}^{{s}_{j}}$ and associated this key with the same principals ${\mathtt{pid}}_{j}^{{s}_{j}}$.

Next, for detailing the security definition, we have to specify under which conditions a $\mathsf{Test}$-query may be executed.

A $\mathsf{Test}$-query should only be allowed to those instances holding a key that is not for trivial reasons known to the adversary. To this aim, an instance ${\mathsf{\Pi}}_{i}^{{s}_{i}}$ is called fresh if none of the following holds:

- For some ${U}_{j}\in {\mathsf{pid}}_{i}^{{s}_{i}}$, a query $\mathsf{Corrupt}\left({U}_{j}\right)$ was executed before a query of the form $\mathsf{Send}({U}_{k},{s}_{k},M)$ has taken place, for some message (or set of identities) M and some ${U}_{k}\in {\mathsf{pid}}_{i}^{{s}_{i}}$.
- The adversary earlier queried $\mathsf{Reveal}({U}_{j},{s}_{j})$ with ${\mathsf{\Pi}}_{i}^{{s}_{i}}$ and ${\mathsf{\Pi}}_{j}^{{s}_{j}}$ being partnered.

The idea of this definition is that revealing a session key from an instance ${\mathsf{\Pi}}_{i}^{{s}_{i}}$ trivially yields the session key of all instances partnered with ${\mathsf{\Pi}}_{i}^{{s}_{i}}$, and hence this kind of “attack” will be excluded in the security definition.

For a secure group key establishment protocol, we have to impose a corresponding bound on the adversary’s advantage: The advantage ${\mathsf{Adv}}_{\mathcal{A}}(\ell )$ of a ppt adversary $\mathcal{A}$ in attacking protocol $\mathsf{P}$ is a function in the security parameter ℓ, defined as

$${\mathsf{Adv}}_{\mathcal{A}}:=|2\cdot\mathsf{Succ}-1|.$$

Here, $\mathsf{Succ}$ is the probability that the adversary queries $\mathsf{Test}$ only on fresh instances and guesses correctly the bit b used by the $\mathsf{Test}$ oracle (without violating the freshness of those instances queried with $\mathsf{Test}$).

We say that an authenticated group key establishment protocol $\mathsf{P}$ is secure if for every ppt adversary $\mathcal{A}$ the following inequality holds for some negligible function $\mathrm{negl}$:

$${\mathsf{Adv}}_{\mathcal{A}}(\ell )\le \mathrm{negl}(\ell ).$$

We aim at a full description of a GAKE protocol that can be proven secure against quantum adversaries, building on a post-quantum $\mathtt{2}\mathtt{AKE}$ and using the compiler described in Section 2.1. Our proposal is depicted in Figure 5. Note that in our compiled design we take as starting point a slightly modified version of the compiler from [8], in two ways:

- We simplify the session key and session identifier computation, using two hash functions to extract them from the shared master key K. Indeed, as the $\mathtt{2AKE}$ we use as building block is proven secure in the (quantum) random oracle model, it no longer makes sense to use the (somewhat complicated) key extraction procedure defined in [8] to dodge idealized hash functions. Thus, we forgo Tools 1 and 2 mentioned in Section 2.1 and use two hash functions $\widehat{\mathtt{H}}$ and $\widehat{\mathtt{F}}$ instead. Hence, at the final **Computation** phase, each user ${U}_{i}$ sets the session key as ${\mathtt{sk}}_{i}=\widehat{\mathtt{H}}(K)$ and the corresponding session identifier as ${\mathtt{sid}}_{i}=\widehat{\mathtt{F}}(K)$, where K is the master key shared by everyone involved in the execution.
- Further, we make an additional requirement on the compiled $\mathtt{2AKE}$, needed for the security proof. As pointed out by Nam et al. in [18], an extra condition on the two-party protocol used as a base must be imposed in Theorem 1 of [8]: the underlying $\mathtt{2AKE}$ should fulfill integrity in order to thwart a simple replay attack (in the proof of Theorem 1 of [8], it is actually assumed that integrity is fulfilled—see the argument related to Game 1). We thus slightly adjust the two-party $\mathtt{2AKE}$ to make sure integrity is achieved.

To prove that our compiled version is secure, we build upon the security of our underlying tools. More precisely, we use the following results:

- (i)
- (ii) The encryption scheme $\mathtt{Kyber}.\mathtt{PKE}$ yields a non-interactive commitment scheme that is both non-malleable for multiple commitments and perfectly binding. This follows straightforwardly from the scheme being IND-CCA (see Section 3.3 and [15]).

Informally, it is easy to modify the construction $\mathtt{Kyber}.\mathtt{2AKE}$ in a standard way to attain integrity. The main idea is to add a second random oracle $\mathtt{F}$ which, at the point of key derivation, is applied to the same input as $\mathtt{H}$ in order to derive a session identifier. Then, it is immediate that integrity of this modified $\mathtt{Kyber}.\mathtt{2AKE}$ construction is attained both in the ROM and in the QROM, due to the collision resistance of the involved random oracles (see Section 2.2). Indeed, suppose that $\mathtt{k}={\mathtt{k}}^{\prime}$. Since $\mathtt{H}$ and $\mathtt{F}$ are random oracles, their collision resistance guarantees that, with overwhelming probability, both participants have the same partner identifiers and, therefore, use the same session key k. This argument is valid both in the classical and in the quantum-accessible random oracle model (see Section 2.2). In the sequel, we assume this modification is in place and thus $\mathtt{Kyber}.\mathtt{2AKE}$ attains integrity.
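Added example, not code from the paper: a Python simulation of the final **Computation** phase of the compiled protocol with the two modifications described above, namely ${\mathtt{sk}}_{i}=\widehat{\mathtt{H}}(K)$ and ${\mathtt{sid}}_{i}=\widehat{\mathtt{F}}(K)$ derived from the master key with two domain-separated hashes, together with the checks that make a replayed or replaced contribution abort rather than produce a key (the role integrity plays in the proof). The message flow is this example's assumption, following the neighbour-key idea of the Abdalla et al. compiler: each party commits to $X_i = K_{i-1}\oplus K_i$, later opens it, and everybody walks the ring to recover all two-party keys; Figure 5 itself is not reproduced on this page, so the exact rounds there may differ. The pairwise $\mathtt{2AKE}$ keys $K_j$ are constructed inputs, the commitment is a plain hash commitment standing in for the $\mathtt{Kyber}.\mathtt{PKE}$-based one, and $\widehat{\mathtt{H}}$, $\widehat{\mathtt{F}}$ are SHA3-256 with different prefixes.

```python
import hashlib
import os

KEY_LEN = 32   # every two-party key K_j and the session key are 256-bit strings (constructed choice)

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def H_hat(K: bytes) -> bytes:
    """sk_i = H^(K): session key, SHA3-256 with a domain-separation prefix (assumption)."""
    return hashlib.sha3_256(b"sk|" + K).digest()

def F_hat(K: bytes) -> bytes:
    """sid_i = F^(K): session identifier, same hash with a different prefix."""
    return hashlib.sha3_256(b"sid|" + K).digest()

def commit(x: bytes, r: bytes) -> bytes:
    """Hash commitment standing in for the Kyber.PKE-based commitment (assumption)."""
    return hashlib.sha3_256(b"com|" + r + x).digest()

class Party:
    """Instance of U_i after the 2AKE round. K_j denotes the two-party key between
    U_j and U_{j+1} (indices mod n), so U_i holds K_{i-1} and K_i."""

    def __init__(self, i: int, n: int, k_left: bytes, k_right: bytes):
        self.i, self.n = i, n
        self.k_left, self.k_right = k_left, k_right
        self.x = _xor(k_left, k_right)   # X_i = K_{i-1} xor K_i: uniform, independent of earlier messages
        self.r = os.urandom(16)          # decommitment randomness

    def commitment(self) -> bytes:       # broadcast in the commit round
        return commit(self.x, self.r)

    def opening(self):                   # broadcast in the opening round
        return self.x, self.r

    def derive(self, commitments, openings):
        """Computation phase: verify all openings, recover every K_j, derive (sk, sid)."""
        n = self.n
        if any(commit(*openings[j]) != commitments[j] for j in range(n)):
            return None                  # some opening does not match its commitment
        xs = [x for x, _ in openings]
        if xs[self.i] != self.x:
            return None                  # my own X_i was replaced on the wire
        keys = [None] * n
        keys[self.i] = k = self.k_right  # start from K_i and walk the ring: K_j = X_j xor K_{j-1}
        for step in range(1, n):
            j = (self.i + step) % n
            k = _xor(xs[j], k)
            keys[j] = k
        if keys[(self.i - 1) % n] != self.k_left:
            return None                  # the ring did not close on the key I share with U_{i-1}
        K = b"".join(keys)               # master key K = K_0 || ... || K_{n-1}
        return H_hat(K), F_hat(K)

def run_group(pairwise_keys, tamper=None):
    """Simulate n parties given constructed 2AKE outputs; optionally let the adversary
    replace party `tamper`'s opened X value while the commitments stay as sent."""
    n = len(pairwise_keys)
    parties = [Party(i, n, pairwise_keys[(i - 1) % n], pairwise_keys[i]) for i in range(n)]
    commitments = [p.commitment() for p in parties]
    openings = [p.opening() for p in parties]
    if tamper is not None:
        x, r = openings[tamper]
        openings[tamper] = (_xor(x, b"\x01" * KEY_LEN), r)
    return [p.derive(commitments, openings) for p in parties]
```

An eavesdropper sees only commitments and the values $X_j$, each of which is the XOR of two keys it does not hold, so the master key stays hidden; any party whose own contribution was altered, or who receives an opening inconsistent with its commitment or with the ring, ends the run without a key instead of accepting a session key that other honest parties do not share.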

In the random oracle model, the protocol presented in Figure 5 is a correct and secure authenticated group key establishment protocol fulfilling integrity, in the sense of Definitions 3, 6, and 4.

This proof is a (somewhat) straightforward adaptation of the security proof of Theorem 1 of [8], which we use as a main tool in our construction.

The first three games from this proof are exactly the same as those in the proof of Theorem 1 of [8]. We only summarize the reduction and refer the interested reader to the original paper for a detailed description.

It is easy to see that the distance between this game and the previous one is bounded by the probability that the adversary breaks the security of any of the underlying $\mathsf{2}$-$\mathsf{AKE}$ protocols. As a result, it holds

$$|\mathsf{Adv}(\mathcal{A},G_{1})-\mathsf{Adv}(\mathcal{A},G_{0})|\le 2\cdot{\mathsf{Adv}}_{\mathsf{2\text{-}AKE}}(\ell ,2\cdot q_{\mathrm{send}}),$$

where $q_{\mathrm{send}}$ represents the number of different protocol instances in $\mathsf{Send}$ queries.

The adversary $\mathcal{A}$ can detect the difference to Game ${G}_{1}$ if $\mathcal{A}$ replayed a commitment that should have led to acceptance in Round 4 in that game. Because the committed value ${X}_{i}$ is a random value independent of previous messages, the probability for this is negligible.

$$|\mathsf{Adv}(\mathcal{A},{G}_{2})-\mathsf{Adv}(\mathcal{A},{G}_{1})|\le \mathrm{negl}(\ell )$$

$$|\mathsf{Adv}(\mathcal{A},{G}_{3})-\mathsf{Adv}(\mathcal{A},{G}_{2})|\le \mathrm{negl}(\ell )$$

$$|\mathsf{Adv}(\mathcal{A},{G}_{4})-\mathsf{Adv}(\mathcal{A},{G}_{3})|\le \mathrm{negl}(\ell ).$$

Now, clearly, in Game $G_{4}$, all session keys are chosen uniformly at random and the adversary has no advantage:

$$\mathsf{Adv}(\mathcal{A},G_{4})=0.$$

□

In the quantum random oracle model, the protocol presented in Figure 5 is a correct and secure authenticated group key establishment protocol fulfilling integrity, in the sense of Definitions 3, 6, and 4.

(Sketch) The proof follows the exact reasoning of Theorem 3; we only need to stress that the argument from Game 4 is still valid when considering quantum-accessible random oracles. Indeed, in this last game, the simulations of the $\mathsf{Execute}$ and $\mathsf{Send}$ oracles are modified at the point of computing the session key. The simulator keeps a list of strings $(K_{1},\cdots ,K_{n},\mathcal{G})$ and, upon receiving the last $\mathsf{Send}\text{-}\mathsf{2}$ query, it computes the values $K_{1},\cdots ,K_{n}$ and checks if a corresponding master key has already been issued previously. If this is the case, this master key will be assigned to the instance. Otherwise, the simulator chooses a session key ${\mathsf{sk}}_{i}^{{s}_{i}}\in \{0,1\}^{\ell}$ uniformly at random. At this point, all two-party keys $K_{1},\cdots ,K_{n}$ are chosen uniformly at random and are unknown to the adversary. The adversary can only notice this last change if it has already queried the very same key string to the quantum random oracle $\widehat{\mathtt{H}}$. This event will happen with negligible probability. As a result, the output of $\widehat{\mathtt{H}}$ is indistinguishable from a random ${\mathsf{sk}}_{i}^{{s}_{i}}$ with overwhelming probability. Thus, we have

$$|\mathsf{Adv}(\mathcal{A},{G}_{4})-\mathsf{Adv}(\mathcal{A},{G}_{3})|\le \mathrm{negl}(\ell ).$$

Now, clearly, in Game $G_{4}$, all session keys are chosen uniformly at random and the adversary has no advantage:

$$\mathsf{Adv}(\mathcal{A},G_{4})=0.$$

□

We present in this paper a post-quantum GAKE using Abdalla et al.’s compiler from [8] as a design framework. We choose the `Kyber` suite [7] as main building block, not only because it is a good design fit for our compiled strategy, but also considering its promising security properties (as `Kyber` is one of the four remaining finalists for public key encryption in the Third Round of the NIST competition). More precisely, we show that a secure `2AKE` as needed for our compiled construction can be derived using the $\mathrm{FO}_{\mathrm{AKE}}$ transformation proposed in [9], by proving the encryption scheme $\mathtt{Kyber}.\mathtt{CPA}^{\prime}$ to be DS secure.

Our four-round instantiation can as a result be proven to provide post-quantum security guarantees under the Module-LWE assumption in the quantum random oracle model.

All authors contributed equally to this work, in terms of Conceptualization, Methodology, Formal Analysis, Investigation, Writing—Original Draft Preparation and Review and Editing. All authors have read and agreed to the published version of the manuscript.

This research was funded by NATO Science for Peace and Security Programme, grant number G5448 and by MINECO under Grants MTM2016-77213-R and PID2019-109379RB-I00.

The authors declare no conflict of interest.

As defined in [19], a PKE is said to be $(1-\delta )$-correct if

$$\mathbf{E}\left[\max_{m\in \mathcal{M}}\Pr\left[\mathtt{Dec}(sk,\mathtt{Enc}(pk,m))=m\right]\right]>1-\delta ,$$

where the expectation is taken over $(pk,sk)\leftarrow \mathtt{KeyGen}()$ and the probability is taken over the random space of $\mathtt{Enc}$.

Following the proof of Theorem 1 in [7], it is not hard to prove the following theorem, which provides the value $\delta $ when dealing with $\mathtt{Kyber}.{\mathtt{CPA}}^{\prime}$.

Let k be a positive integer parameter. Let $\mathbf{s},\mathbf{e},\mathbf{r},{\mathbf{e}}_{1},{e}_{2}$ be random variables that have the same distribution as in Algorithms 1 and 2. In addition, let ${\mathbf{c}}_{u}\leftarrow {\psi}_{{d}_{u}}^{k}$, ${\mathbf{c}}_{v}\leftarrow {\psi}_{{d}_{v}}^{k}$ be distributed according to the distribution ψ defined as follows:

Let ${\psi}_{d}^{k}$ be the following distribution over R:

- Choose uniformly random $\mathbf{y}\leftarrow R^{k}$
- **return** $(\mathbf{y}-\mathsf{Decompress}_{q}(\mathsf{Compress}_{q}(\mathbf{y},d),d))\ \bmod^{\pm}\ q$

Denote

$$\delta =\mathrm{Pr}\left[\parallel {\mathbf{e}}^{T}\mathbf{r}+{e}_{2}+{\mathbf{c}}_{v}-{\mathbf{s}}^{T}{\mathbf{e}}_{1}-{\mathbf{s}}^{T}{\mathbf{c}}_{u}{\parallel}_{\infty}\ge \lceil q/4\rfloor \right],$$

where, for $w={w}_{0}+{w}_{1}\phantom{\rule{0.166667em}{0ex}}X+\cdots +{w}_{n-1}\phantom{\rule{0.166667em}{0ex}}{X}^{n-1}\in R$:

$$\|w\|_{\infty}=\max_{i}\left|w_{i}\bmod^{\pm} q\right|,$$

and, similarly, for $\mathbf{w}=({w}_{1},\dots ,{w}_{k})\in {R}^{k}$:

$$\|\mathbf{w}\|_{\infty}=\max_{i}\|w_{i}\|_{\infty}.$$

Then, the modified scheme $\mathsf{Kyber}.{\mathsf{CPA}}^{\prime}$ is $(1-\delta )$-correct.

We reproduce here the result given in [9] about the IND-StAA security of the ${\mathrm{FO}}_{\mathrm{AKE}}$ transformation. The following theorem states that the IND-StAA security of $\mathtt{AKE}={\mathrm{FO}}_{\mathrm{AKE}}(\mathtt{PKE},G,H)$, where $\mathtt{PKE}$ is a PKE scheme and $G,H$ are random oracles, reduces to the DS and IND-CPA security of $\mathtt{PKE}$. Note that some references to oracles appear in the statement; for details about these oracles and the formal definition of IND-StAA security, see [9].

([9]). Assume `PKE`=(`KG`,`Enc`,`Dec`) to be $(1-\delta )$-correct, and to come with a sampling algorithm $\overline{\mathsf{Enc}}$ such that it is ε-disjoint. Let N be the number of parties, and suppose that any attacker is granted access to an oracle REVEAL which reveals the respective session’s key (if already defined). Then, for any IND-StAA adversary $\mathcal{B}$ that establishes S sessions and issues at most ${q}_{R}$ (classical) queries to REVEAL, at most ${q}_{G}$ (quantum) queries to random oracle G, and at most ${q}_{H}$ (quantum) queries to random oracle H, there exist adversaries ${\mathcal{A}}_{\mathsf{DS}}$ and ${\mathcal{A}}_{\mathsf{CPA}}$ against `PKE` such that

$$\begin{aligned}
\mathsf{Adv}^{\mathsf{IND\text{-}StAA}}_{\mathsf{AKE}}(\mathcal{B}) \le{} & 2\,S\,(S+3N)\,\mathsf{Adv}^{\mathsf{DS}}_{\mathsf{PKE}}(\mathcal{A}_{\mathsf{DS}}) \\
& + 4\,S\,(S+3N)\sqrt{(q_{G}+2q_{H}+3S)\,\mathsf{Adv}^{\mathit{cpa}}_{\mathsf{PKE}}(\mathcal{A}_{\mathsf{CPA}})+\frac{4\,(q_{G}+2q_{H}+3S)^{2}}{|\mathcal{M}|}} \\
& + 32\,(S+3N)\,(q_{G}+2q_{H}+3S)^{2}\,(1-\delta)+4\,S\,(S+N)\,\epsilon_{\mathit{dis}} \\
& + S^{2}\,(N+1)\,\mu(\mathsf{KG})\,\mu(\mathsf{Enc})+2\,S^{2}+\mu(\mathsf{KG}),
\end{aligned}$$

and the running times of $\mathcal{A}_{\mathsf{DS}}$ and $\mathcal{A}_{\mathsf{CPA}}$ are about that of $\mathcal{B}$. Here,

$$\mu(\mathsf{KG})=\Pr[(pk,sk)\leftarrow \mathsf{KG},\ (pk^{\prime},sk^{\prime})\leftarrow \mathsf{KG}:\ pk=pk^{\prime}]$$

and

$$\mu(\mathsf{Enc})=\Pr[(pk,sk)\leftarrow \mathsf{KG},\ m,m^{\prime}\leftarrow \mathcal{M},\ c\leftarrow \mathsf{Enc}(pk,m),\ c^{\prime}\leftarrow \mathsf{Enc}(pk,m^{\prime}):\ c=c^{\prime}].$$

We reproduce here the result given in [9] about the IND-CCA security of the $\mathrm{FO}_{m}^{\not\perp}$ transformation. The following theorem states that the IND-CCA security of the KEM $\mathrm{FO}_{m}^{\not\perp}(\mathtt{PKE},G,H)$, where $\mathtt{PKE}$ is a PKE scheme and $G,H$ are random oracles, reduces to the DS and IND-CPA security of $\mathtt{PKE}$. Note that some references to oracles appear in the statement; for details about these oracles, see [9].

([9]). Assume `PKE`=(`KG`,`Enc`,`Dec`) to be $(1-\delta )$-correct, and to come with a sampling algorithm $\overline{\mathsf{Enc}}$ such that it is $\epsilon_{\mathit{dis}}$-disjoint. Suppose that any attacker is granted access to an oracle DECAPS. Then, for any (quantum) IND-CCA adversary $\mathcal{A}$ issuing at most $q_{D}$ (classical) queries to decapsulation oracle DECAPS, at most $q_{G}$ quantum queries to random oracle G, and at most $q_{H}$ quantum queries to random oracle H, there exist (quantum) adversaries $\mathcal{B}_{\mathsf{DS}}$ and $\mathcal{B}_{\mathsf{IND\text{-}CPA}}$ against `PKE` such that

$$\begin{aligned}
\mathsf{Adv}^{\mathsf{IND\text{-}CCA}}_{\mathsf{KEM}}(\mathcal{A}) \le{} & 8\cdot(2q_{G}+q_{H}+q_{D}+4)^{2}\cdot\delta+\mathsf{Adv}^{\mathsf{DS}}_{\mathsf{PKE}}(\mathcal{B}_{\mathsf{DS}}) \\
& + 2\sqrt{(q_{G}+q_{H})\cdot\mathsf{Adv}^{\mathsf{IND\text{-}CPA}}_{\mathsf{PKE}}(\mathcal{B}_{\mathsf{IND\text{-}CPA}})+\frac{4(q_{G}+q_{H})^{2}}{|\mathcal{M}|}}+\epsilon_{\mathit{dis}},
\end{aligned}$$

and the running times of $\mathcal{B}_{\mathsf{DS}}$ and $\mathcal{B}_{\mathsf{IND\text{-}CPA}}$ are about that of $\mathcal{A}$.

1. Fujioka, A.; Takashima, K.; Yoneyama, K. One-Round Authenticated Group Key Exchange from Isogenies. ProvSec. Lect. Notes Comput. Sci. **2019**, 11821, 330–338.
2. Apon, D.; Dachman-Soled, D.; Gong, H.; Katz, J. Constant-Round Group Key Exchange from the Ring-LWE Assumption. PQCrypto. Lect. Notes Comput. Sci. **2019**, 11505, 189–205.
3. Katz, J.; Yung, M. Scalable Protocols for Authenticated Group Key Exchange. In Advances in Cryptology—CRYPTO 2003, 23rd Annual International Cryptology Conference, Santa Barbara, CA, USA, 17–21 August 2003, Proceedings; Boneh, D., Ed.; Springer: Berlin/Heidelberg, Germany, 2003; Volume 2729, pp. 110–125.
4. Choi, R.; Hong, D.; Kim, K. Constant-round Dynamic Group Key Exchange from RLWE Assumption. IACR Cryptol. ePrint Arch. **2020**, 2020, 35.
5. Persichetti, E.; Steinwandt, R.; Corona, A.S. From Key Encapsulation to Authenticated Group Key Establishment—A Compiler for Post-Quantum Primitives. Entropy **2019**, 21, 1183.
6. González Vasco, M.; Pérez del Pozo, A.; Steinwandt, R. Group Key Establishment in a Quantum-Future Scenario. Informatica **2020**, 1–18.
7. Bos, J.W.; Ducas, L.; Kiltz, E.; Lepoint, T.; Lyubashevsky, V.; Schanck, J.M.; Schwabe, P.; Seiler, G.; Stehlé, D. CRYSTALS—Kyber: A CCA-Secure Module-Lattice-Based KEM. In Proceedings of the 2018 IEEE European Symposium on Security and Privacy (EuroS&P), London, UK, 24–26 April 2018; pp. 353–367.
8. Abdalla, M.; Bohli, J.; Vasco, M.I.G.; Steinwandt, R. (Password) Authenticated Key Establishment: From 2-Party to Group. TCC. Lect. Notes Comput. Sci. **2007**, 4392, 499–514.
9. Hövelmanns, K.; Kiltz, E.; Schäge, S.; Unruh, D. Generic Authenticated Key Exchange in the Quantum Random Oracle Model. In Public-Key Cryptography—PKC 2020; Kiayias, A., Kohlweiss, M., Wallden, P., Zikas, V., Eds.; Springer International Publishing: Cham, Switzerland, 2020; pp. 389–422.
10. Cramer, R.; Shoup, V. Design and Analysis of Practical Public-Key Encryption Schemes Secure against Adaptive Chosen Ciphertext Attack. SIAM J. Comput. **2003**, 33, 167–226.
11. Jao, D.; et al. Supersingular Isogeny Key Encapsulation. Submission to NIST Post-Quantum Project. 2017. Available online: https://sike.org/#nist-submission (accessed on 16 October 2020).
12. Chailloux, A.; Naya-Plasencia, M.; Schrottenloher, A. An Efficient Quantum Collision Search Algorithm and Implications on Symmetric Cryptography. In Advances in Cryptology—ASIACRYPT 2017—23rd International Conference on the Theory and Applications of Cryptology and Information Security, Hong Kong, China, 3–7 December 2017; Takagi, T., Peyrin, T., Eds.; Springer: Berlin/Heidelberg, Germany, 2017; Volume 10625, pp. 211–240.
13. Zhandry, M. Secure Identity-Based Encryption in the Quantum Random Oracle Model. In Advances in Cryptology—CRYPTO 2012—32nd Annual Cryptology Conference, Santa Barbara, CA, USA, 19–23 August 2012; Safavi-Naini, R., Canetti, R., Eds.; Springer: Berlin/Heidelberg, Germany, 2012; Volume 7417, pp. 758–775.
14. Boneh, D.; Dagdelen, Ö.; Fischlin, M.; Lehmann, A.; Schaffner, C.; Zhandry, M. Random Oracles in a Quantum World. In Advances in Cryptology—ASIACRYPT 2011—17th International Conference on the Theory and Application of Cryptology and Information Security, Seoul, Korea, 4–8 December 2011; Lee, D.H., Wang, X., Eds.; Springer: Berlin/Heidelberg, Germany, 2011; Volume 7073, pp. 41–69.
15. Hövelmanns, K.; Kiltz, E.; Schäge, S.; Unruh, D. Generic Authenticated Key Exchange in the Quantum Random Oracle Model. IACR Cryptol. ePrint Arch. **2018**, 2018, 928.
16. Bellare, M.; Pointcheval, D.; Rogaway, P. Authenticated Key Exchange Secure against Dictionary Attacks. In Advances in Cryptology—EUROCRYPT 2000, International Conference on the Theory and Application of Cryptographic Techniques, Bruges, Belgium, 14–18 May 2000; Preneel, B., Ed.; Springer: Berlin/Heidelberg, Germany, 2000; Volume 1807, pp. 139–155.
17. Bohli, J.; Vasco, M.I.G.; Steinwandt, R. Secure group key establishment revisited. Int. J. Inf. Sec. **2007**, 6, 243–254.
18. Nam, J.; Paik, J.; Won, D. A security weakness in Abdalla et al.’s generic construction of a group key exchange protocol. Inf. Sci. **2011**, 181, 234–238.
19. Hofheinz, D.; Hövelmanns, K.; Kiltz, E. A Modular Analysis of the Fujisaki-Okamoto Transformation. TCC (1). Lect. Notes Comput. Sci. **2017**, 10677, 341–371.

Protocol | # Rounds | Avoids PQ-Sign. | # Broadcast Messages | # PtP Messages |
---|---|---|---|---|
n-UM [1] | 1 | Yes | n | 0 |
BC n-DH [1] | 1 | Yes | n | 0 |
Apon et al. [2] | 3 | Yes (but is unauth.) | $2n+1$ | 0 |
STAG [4] | 3 | No | $2n+1$ | 0 |
Pers. et al. [5] | 3 | No | n | $2n$ |
Gonz. et al. [6] | 2 | Yes | n | ${n}^{2}-n$ |
This work | 4 | Yes | $2n$ | $2n$ |

Protocol | Assumption Type | Model | FutQ/PostQ | Authent. |
---|---|---|---|---|
n-UM [1] | Isogeny | QROM | PostQ | Yes |
BC n-DH [1] | Isogeny | ROM | PostQ | Yes |
Apon et al. [2] | Lattice | ROM | PostQ | No |
STAG [4] | Lattice | ROM | PostQ | Yes |
Pers. et al. [5] | Compiler | No RO added | PostQ | Yes |
Gonz. et al. [6] | Compiler | No RO added | FutQ | Yes |
This work | Lattice | QROM | PostQ | Yes |

Notation | Representation |
---|---|
Bold lower-case | Vectors with coefficients in R or ${R}_{q}$. All vectors are column vectors by default. |
Regular font letter | Elements in R or ${R}_{q}$. |
Bold upper-case | Matrices. |
$s\leftarrow S$ | If S is a set, s is chosen uniformly at random from S. If S is a distribution, s is chosen according to that distribution S. |
$y\sim S:=\mathtt{Sam}(x)$, where Sam is an eXtendable Output Function (XOF) | Value y distributed according to distribution S (or uniformly over a set S). This is a deterministic procedure. |
$v\leftarrow \beta_{\eta}$, $\mathbf{v}\leftarrow \beta_{\eta}^{k}$ | $v\in R$ is generated from a distribution in which each of its coefficients is drawn from $B_{\eta}$. A k-dimensional vector of polynomials $\mathbf{v}\in R^{k}$ is generated according to the distribution $\beta_{\eta}^{k}$. |
$\lceil \cdot \rfloor$ | $\lceil \cdot \rfloor$ is the rounding function, i.e., $\lceil x \rfloor = \lfloor x + \frac{1}{2} \rfloor$, where $x\in \mathbb{Q}$ and $\lfloor \cdot \rfloor$ is the floor function. |
$r' = r \bmod^{\pm} \alpha$ | For an even (respectively, odd) integer $\alpha$, $r' = r \bmod^{\pm} \alpha$ is the unique element $r'$ in the range $-\frac{\alpha}{2} < r' \le \frac{\alpha}{2}$ (respectively, $-\frac{\alpha-1}{2} < r' \le \frac{\alpha+1}{2}$) such that $r' \equiv r \pmod{\alpha}$. |
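The last three rows of the notation table (centered reduction $\bmod^{\pm}$, the rounding function and $\beta_{\eta}$ sampling through a XOF) rendered as Python. This is an added example, not code from the paper or from the Kyber reference implementation: the $\bmod^{\pm}$ ranges follow the table's definition for both even and odd $\alpha$, SHAKE-256 stands in for the XOF Sam, and the seed and $\eta$ values are constructed for illustration.

```python
import hashlib
from fractions import Fraction
from math import floor


def mod_pm(r: int, alpha: int) -> int:
    """r mod^± alpha as defined in the notation table: the unique r' with
    -alpha/2 < r' <= alpha/2 (even alpha) or -(alpha-1)/2 < r' <= (alpha+1)/2
    (odd alpha) such that r' = r mod alpha."""
    lo = -(alpha // 2) if alpha % 2 == 0 else -((alpha - 1) // 2)
    # shift r into the half-open interval (lo, lo + alpha]; both ranges above
    # contain exactly alpha consecutive integers, so the representative is unique
    return (r - lo - 1) % alpha + lo + 1


def round_half(x: Fraction) -> int:
    """Rounding function ⌈x⌋ = ⌊x + 1/2⌋ for rational x (ties round up)."""
    return floor(x + Fraction(1, 2))


def cbd_from_bytes(buf: bytes, eta: int, n: int) -> list:
    """Centered binomial distribution B_eta applied coefficient by coefficient:
    each coefficient is (sum of eta bits) - (sum of the next eta bits), so it
    lies in [-eta, eta]. Bits are read least-significant-bit first."""
    if len(buf) * 8 < 2 * eta * n:
        raise ValueError("not enough XOF output for the requested sample")
    bit = lambda i: (buf[i >> 3] >> (i & 7)) & 1
    coeffs = []
    for j in range(n):
        a = sum(bit(2 * eta * j + i) for i in range(eta))
        b = sum(bit(2 * eta * j + eta + i) for i in range(eta))
        coeffs.append(a - b)
    return coeffs


def sample_beta_eta(seed: bytes, eta: int, n: int = 256) -> list:
    """v ~ beta_eta := Sam(seed): deterministic sampling of a degree-n polynomial
    from B_eta. SHAKE-256 plays the role of the XOF Sam (assumption; Kyber's own
    PRF derivation also mixes in a nonce byte, omitted here)."""
    xof = hashlib.shake_256(seed).digest((2 * eta * n + 7) // 8)
    return cbd_from_bytes(xof, eta, n)


if __name__ == "__main__":
    Q = 3329  # Kyber modulus (odd, so the odd-alpha range applies)
    print(mod_pm(3328, Q), mod_pm(1665, Q), mod_pm(-1, Q))  # -1 1665 -1
    print(round_half(Fraction(3, 2)), round_half(Fraction(-1, 2)))  # 2 0
    v = sample_beta_eta(b"constructed seed", eta=2)  # constructed seed value
    print(len(v), min(v), max(v))
```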

Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.

© 2020 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).