Compiled Constructions towards Post-Quantum Group Key Exchange: A Design from Kyber

Abstract

A group authenticated key exchange (GAKE) protocol allows a set of parties belonging to a certain designated group to agree upon a common secret key through an insecure communication network. In the last few years, many new cryptographic tools have been specifically designed to thwart attacks from adversaries which may have access to (different kinds of) quantum computation resources. However, few constructions for group key exchange have been put forward. Here, we propose a four-round GAKE which can be proven secure under widely accepted assumptions in the Quantum Random Oracle Model. Specifically, we integrate several primitives from the so-called Kyber suite of post-quantum tools in a (slightly modified) compiler from Abdalla et al. (TCC 2007). More precisely, taking as a starting point an IND-CPA encryption scheme from the Kyber portfolio, we derive, using results from Hövelmanns et al. (PKC 2020), a two-party key exchange protocol and an IND-CCA encryption scheme and prove them fit as building blocks for our compiled construction. The resulting GAKE protocol is secure under the Module-LWE assumption, and furthermore achieves authentication without the use of (expensive) post-quantum signatures.

1. Introduction

The search for cryptographic primitives that will remain secure once quantum computing is a reality has been on going for over twenty years. Noticeably, in the last few years this search has gained greater attention from academia and industry, especially since the US National Institute of Standards and Technology (NIST) launched a competition towards standardizing quantum-resistant (also called post-quantum) public-key cryptographic algorithms in 2017. While this competition is focused on constructions for public key encryption, two party key establishment and digital signatures, research towards different post-quantum primitives has also been aroused as a side effect.

Group key establishment protocols (GKE) are fundamental cryptographic constructions. Indeed, for many real life applications of information technologies, the crucial starting point is establishing a “secure session”, i.e., setting confidential communication channels among users. GKE protocols allow a group of $n\ge$ 2 users, interacting through an insecure communication network, to establish a common known high entropy secret that can be used to secure their subsequent communication. Typically, once this secret has been agreed upon, tools from symmetric cryptography can be used to attain confidentiality, and thus the communication network is understood as secure for confidential transmissions within the group of honest users. Using a GKE in this setting clearly outperforms the use of two party solutions, as establishing different session keys for every pair of participants (e.g., using a two party key exchange) would force each participant to store a large number of keys. Moreover, every message intended for the whole group should be encrypted multiple times ($n-1$) with different keys, while GKE can be used in a broadcast fashion (as messages are processed the same way for each group member). There might, however, be no way of assessing origin and integrity of messages. In this case, when authenticated channels are not available, protocols pursuing this goal—GAKE protocols—get way more involved and often need to rely on an external public key infrastructure to be able to authenticate legitimate group members, frequently adding a significant cost to the constructions.

Related work. Several group key exchange protocols which can be considered to resist quantum attacks have been proposed so far. Fujioka et al. [1] presented two one-round authenticated protocols, whose security is based on a certain algebraic-geometric problem related to the problem of finding a so-called isogeny mapping between two supersingular elliptic curves with the same number of points.

Other protocols use lattice problems as a base. For instance, Apon et al. [2] constructed a three-round unauthenticated protocol proven secure under the so-called ring learning with errors (RLWE) assumption. This scheme may be transformed into an authenticated one by using the Katz and Yung compiler [3]. However, the resulting protocol has one additional round of communication and each message that is sent must be signed, adding a significant computation and communication overhead if a post-quantum signature scheme is employed. Using the same problem as a base, Choi et al. [4] built on [3] and proposed three group protocols: the first is unauthenticated, the second adds authentication, and the third is, in addition, dynamic. The second one, STAG, is a three-round authenticated protocol in which each user computes two signatures.

Finally, we have compilers which produce a quantum-resistant group authenticated key exchange (GAKE) from simpler post-quantum primitives. Persichetti et al. [5] presented a three-round protocol constructed from a key encapsulation mechanism (KEM) and a signature scheme; each user needs to compute only one signature. González Vasco et al. [6] introduced a two-round password GAKE protocol derived from a KEM and a message authentication code (MAC). However, in this construction, security holds in the so-called future-quantum scenario, where the adversary is assumed to have access to quantum computation only after the protocol execution is completed.

Our contribution. In this work, we take the so-called Kyber family [7] of post-quantum cryptographic tools and use it as a base for a GAKE design. More precisely, our construction is a compiled system using Abdalla et al.’s [8] as design frame. From the results of Hövelmanns et al. [9], we assess that both a suitable commitment scheme and a secure two-party AKE can be obtained from the encryption scheme Kyber.CPA${}^{\prime }$ (this result was hinted, yet not explicitly proven by Hövelmanns et al. [9]). As far as we are aware, our instantiation is the first group authenticated key exchange protocol which provides post-quantum security guarantees based solely on the so-called Module-LWE assumption, doing without (often unaffordably expensive) post-quantum signatures.

Our GAKE: overview. The workflow of our construction is depicted in Figure 1. Our construction relies on Abdalla et al.’s compiler [8] that requires a two-party AKE and a commitment scheme and we need both building blocks to fulfill post-quantum security. To achieve post-quantum security, we apply the Kyber family and its derived tools (see green rectangle in Figure 1).

Kyber [7] is a KEM based on lattices whose security relies on Module-LWE assumption (Definition 1), claimed to be post-quantum secure. Our GAKE inherits the Module-LWE assumption. The two-party AKE and the commitment scheme are derived from the initial IND-CPA PKE in [7] named Kyber.CPA${}^{\prime }$. The two-party AKE (named Kyber.2AKE) is the result of applying the transformation ${\mathrm{FO}}_{\mathrm{AKE}}$ [9] to Kyber.CPA${}^{\prime }$. Finally, a commitment scheme can be achieved from any IND-CCA PKE, as pointed out in [8]. In our construction, we turn Kyber.CPA${}^{\prime }$ into a KEM applying the ${\mathrm{FO}}_m^{\cancel{\perp }}$ transformation [9] obtaining ${\mathrm{Kyber}}^{\cancel{\perp }}$, which is transformed into an IND-CCA PKE (Kyber.PKE) as a result of [10].

Comparison with other schemes. We present two tables that summarize some features of other GAKE schemes with quantum-resistance and compare them with our proposal.

Table 1. Some efficiency parameters for GKE/GAKE protocols claimed to be quantum-resistant.

Protocol	# Rounds	Avoids PQ-Sign.	# Broadcast Messages	# PtP Messages
n-UM [1]	1	Yes	n	0
BC n-DH [1]	1	Yes	n	0
Apon et al. [2]	3	Yes (but is unauth.)	$2n+1$	0
STAG [4]	3	No	$2n+1$	0
Pers. et al. [5]	3	No	n	$2n$
Gonz. et al. [6]	2	Yes	n	$n^2-n$
This work	4	Yes	$2n$	$2n$

summarizes some parameters related to the performance of the schemes. The number of communication rounds is one of the most important parameters when dealing with GAKE protocols. In addition, for each scheme, we point out whether the use of post-quantum signatures is avoided, which is a nice feature, as this kind of signatures are usually expensive in terms of both computation and size. Note that the scheme in [2] does not use post-quantum signatures but is unauthenticated. Finally, we include the total number of messages sent throughout an execution involving n parties, pointing out whether messages are broadcasted or just sent point-to-point (PtP) (i.e., from one party to another).

Table 2. Security of GKE/GAKE protocols claimed to be quantum-resistant.

Protocol	Assumption Type	Model	FutQ/PostQ	Authent.
n-UM [1]	Isogeny	QROM	PostQ	Yes
BC n-DH [1]	Isogeny	ROM	PostQ	Yes
Apon et al. [2]	Lattice	ROM	PostQ	No
STAG [4]	Lattice	ROM	PostQ	Yes
Pers. et al. [5]	Compiler	No RO added	PostQ	Yes
Gonz. et al. [6]	Compiler	No RO added	FutQ	Yes
This work	Lattice	QROM	PostQ	Yes

is focused on security issues. In the first column, we include the type of assumption (isogeny/lattice) the security of the scheme is based on. In the second column, we state in which of the idealized models the security claim and corresponding proof hold: either in the Random Oracle Model (ROM) or the Quantum Random Oracle Model (QROM). The latter is stronger than the former because, as discussed in Section 2, it assumes a more powerful adversary. Next, it is specified if quantum resistant features hold in a future quantum (FutQ) or post-quantum (PostQ) scenario. The latter, where it is assumed that the adversary has access to quantum computation during protocol executions, is preferable to the former, where key secrecy is only guaranteed against adversaries that cannot make quantum computations during protocol executions but have access to this option at some point in the future. Finally, we indicate if the key exchange is authenticated. Note that the compilers [5,6] have a special treatment, as the assumption type and the model depend on the underlying post-quantum tools used to implement them.

Seeing the two comparison tables, it seems clear that the only scheme outperforming our construction is n-UM [1], which is based on the isogeny paradigm. However, it is fair to say that lattice-based constructions such as ours seem somewhat more promising in this field, considering the recent outcome of the Third Round of the NIST competition for standardizing post-quantum tools. While several lattice-based constructions made it to this last round, no isogeny-based scheme is in the final (and only one proposal, SIKE [11], is considered as alternative for replacing finalists that may be discarded in the last phase).

Paper Roadmap. We start with a brief outline of the preliminaries in Section 2, where we introduce Abdalla et al.’s compiler from [8] and comment on the basics of post-quantum security. Further, we explain in Section 3 how to derive building blocks for our construction (AKE and a commitment scheme) from the Kyber family. In particular, we use the results from [9] to prove that we can obtain both a suitable commitment scheme and a secure two-party AKE from the encryption scheme Kyber.CPA${}^{\prime }$. Our compiled construction is then described and proven secure in Section 4, where we also make explicit the security model used. We conclude this contribution with a brief conclusion.

2. Preliminaries

2.1. Abdalla et al.’s Compiler

Here, we describe a compiler constructed by Abdalla et al. in [8], which enables the derivation of a group authenticated key establishment protocol $\mathtt{GAKE}$ from an arbitrary two-party key establishment $\mathtt{2}\mathtt{AKE}$. The compiler does not rely on further authentication techniques than those used in $\mathtt{2}\mathtt{AKE}$, nor on further idealization assumptions. Moreover, if $\mathtt{2}\mathtt{AKE}$ requires r rounds of communication, then $\mathtt{GAKE}$ requires $r+2$ rounds.

Let $\mathcal{P}$ be the set of users that can participate in the protocol $\mathtt{GAKE}$. This set $\mathcal{P}$ is assumed to be of polynomial size. The set $\mathcal{G}=\{U_0,U_1,\cdots ,U_{n-1}\}\subset \mathcal{P}$ denotes the set of $n>2$ participants that wish to establish a common session key. Each protocol participant $U_i\in \mathcal{G}$, $i=0,\dots ,n-1$, may be involved in distinct, possibly parallel, executions of $\mathtt{GAKE}$.

Since $\mathtt{2}\mathtt{AKE}$ is an authenticated key establishment protocol, it is assumed that long-term secrets required for $\mathtt{2}\mathtt{AKE}$ have been established during a trusted authentication phase. One of the following three cases is assumed:

• Each user $U_i\in \mathcal{G}$ owns a pair $(p{k}_i,s{k}_i)$ consisting of a public key $p{k}_i$ and a secret key $s{k}_i$, and all needed public keys may be distributed to all protocol participants during the initialization phase.
• Each pair of users $U_i,U_j\in \mathcal{G}$, $i\ne j$, shares a high entropy symmetric key, or the complete set of participants $\mathcal{G}$ shares one common secret (different instances of a user may hold different long-term secrets).
• Each pair of users $U_i,U_j\in \mathcal{G}$, $i\ne j$, shares a low entropy password. In this case, we assume a publicly available dictionary $\mathcal{D}\subseteq {\{0,1\}}^{*},$ from which passwords are chosen uniformly at random.

The compiler uses the following cryptographic tools:

• A non-interactive non-malleable commitment scheme$\mathtt{C}$ that is perfectly binding and achieves non-malleability for multiple commitments.
• A collision-resistant pseudorandom function family$\mathtt{F}={\left\{F^{\ell }\right\}}_{\ell \in \mathbb{N}}$ with $F^{\ell }={\left\{F_{\eta }^{\ell }\right\}}_{\eta \in {\{0,1\}}^L}$ to be indexed by a set ${\{0,1\}}^L$ of polynomial size, and two publicly known values $v_0$ and $v_1$ such that no ppt adversary can find two different indices $\lambda \ne \mu \in {\{0,1\}}^L$ such that $F_{\lambda }^{\ell }\left(v_j\right)=F_{\mu }^{\ell }\left(v_j\right)$, $j=0,1$.
• A hash function$\mathtt{H}$ selected from a family of universal hash functions that maps the concatenation of bitstrings from ${\{0,1\}}^{kn}$ and the set of participants $\mathcal{G}$ onto ${\{0,1\}}^L$, where n is the number of participants in $\mathcal{G}$ and $k\in \mathbb{N}$.

With these ingredients, the compiler proceeds as depicted in Figure 2. Our proposed $\mathtt{GAKE}$ protocol uses a simplified version of the aforementioned compiler and builds on a post-quantum $\mathtt{2}\mathtt{AKE}$. We describe it in detail in Section 4.

2.2. Security in a Post-Quantum Setting

When proving a certain cryptographic construction secure, it is necessary to depict a precise security model making explicit claims and assumptions that can be formally proven and verified. This is, however, not always the case in the post-quantum scenario, as quantum adversaries are often modeled in a very different fashion. Most often, constructions are substantiated on computational assumptions that explicitly state that an adversary is assumed not to be able to efficiently complete a certain computational task (e.g., decoding a word with respect to a certain partially known code or solving certain approximation problems in lattices). However, the way this quantum adversary is assumed to interact with other system-related idealizations (e.g., the oracles modeling information leakage or misuse) is often disregarded, while it may play a central role in a security proof. A paradigmatic example of this situation is the case of hash functions, typically modeled as so-called random oracles.

Random oracles are classically used in cryptography to model idealized hash functions, which are deterministic algorithms that select, for each new query, an output chosen uniformly at random from a certain given range. It is assumed that all users and processes from a certain system are given access to the same random oracles, which means that, for security proofs, if the real cryptographic environment is simulated for an adversary, all random oracle queries must be consistently answered with values that are indistinguishable from random (uniform). In the quantum setting, queries to a random oracle can be done in superposition, which complicates significantly the translations of many classical proofs into this new scenario.

Following Hövelmanns et al. [9], in this work, we consider quantum adversaries that are given quantum access to the (offline) quantum random oracle involved in our design. More precisely, we need to make use of two basic properties of this so-called quantum-accessible random oracles:

• Collision-freeness. In [12], it is proven that the best quantum algorithm for finding a collision for a random function $H:{\{0,1\}}^n\mapsto {\{0,1\}}^n$ (i.e., a pair of distinct $x,x^{\prime }\in {\{0,1\}}^n$ such that $H\left(x\right)=H\left(x^{\prime }\right)$) is $\tilde{\mathcal{O}}\left(2^{\frac{n}{5}}\right)$. (Notation $\tilde{O}$ “wipes out” logarithmic factors in $\mathcal{O}$, namely, $f\left(n\right)\in \tilde{\mathcal{O}}\left(h\left(n\right)\right)\iff \exists k\in \mathbb{N}s.t.f\left(n\right)\in \mathcal{O}\left(h\left(n\right)lo{g}^k\left(h\left(n\right)\right)\right)$). The analogous classical bound is $\mathcal{O}\left(2^{\frac{n}{2}}\right).$ While being suboptimal in number of queries, this algorithm is the most efficient in terms of time complexity with small quantum memory. Thus, in the sequel, we may assume that (even for a quantum adversary) finding a collision pair for a quantum-accessible random oracle can only be done with negligible probability (this is used in Section 4.3.1).
• Pseudorandomness. Following again Hövelmanns et al. [9], we use the argument of Zhandry (see [13]) stating that no quantum algorithm, making at most q quantum queries to a quantum random oracle $\widehat{H}$ implementing a random function $\mathcal{H}:{\{0,1\}}^m\mapsto {\{0,1\}}^n$, can distinguish between $\widehat{H}$ and a random polynomial of degree $2q$ defined over the field ${\mathbb{F}}_{2^n}.$ As a result, if the input to a quantum random oracle contains enough entropy, then the probability of distinguishing its output from a value chosen uniformly at random is negligible. In other words, when the input is unknown and chosen uniformly at random, the fact that the random oracle can be queried in superposition is of no help in distinguishing the oracle’s output from a randomly chosen element. This is used in the quantum random oracle proof from Section 4.3.

We strongly suggest the interested reader consult [14] for a comprehensive introduction to the quantum random oracle model.

3. Post-Quantum Primitives: $\mathtt{2}\mathtt{AKE}$ and Commitment Scheme

In this section, we describe the post-quantum tools used in the construction of our $\mathtt{GAKE}$, namely a two-party authenticated key exchange (AKE) and a commitment scheme. The relations between these tools are summarized in Figure 3.

In the first subsection, we describe Kyber’s public key encryption (PKE) scheme and state its security properties that are of importance to the construction of the primitives mentioned above.

In the second subsection, we detail how the $\mathtt{2}\mathtt{AKE}$ is obtained from a generic construction proposed in [9], of two-message AKE provably secure in the quantum random oracle model (QROM) from PKE schemes that possess both Disjoint Simulatability (DS) (Definition 2) and IND-CPA security. In particular, we use a slight modification (called Kyber.CPA${}^{\prime }$) of the CPA-secure PKE scheme introduced in [7] as part of Kyber’s package submitted to NIST’s post-quantum standardization effort. We describe the ${\mathrm{FO}}_{\mathrm{AKE}}$ transformation which turns a secure PKE into a secure AKE. This subsection ends by proving that Kyber.CPA${}^{\prime }$ is DS secure and, therefore, it is possible to construct an AKE secure in the QROM by applying the ${\mathrm{FO}}_{\mathrm{AKE}}$ to it.

The third subsection is devoted to the construction of the post-quantum commitment scheme mentioned in Section 2. It must be a non-interactive non-malleable commitment scheme that is perfectly binding and achieves non-malleability for multiple commitments. As pointed out in [8], this can be directly constructed from a public key encryption scheme which achieves the well-known IND-CCA security notion. To this end, we use another transformation described in [9], specifically ${\mathrm{FO}}_m^{\cancel{\perp }}$, which turns an IND-CPA and DS PKE into an IND-CCA KEM. Then, we recall that it is straightforward to obtain an IND-CCA PKE from an IND-CCA KEM. Putting everything together, we obtain the desired commitment scheme from Kyber.CPA${}^{\prime }$, the same primitive we use to construct the two-party AKE.

3.1. Kyber’s IND-CPA PKE

In this subsection, we describe the CPA-secure PKE scheme Kyber.CPA introduced in [7] as part of the Cryptographic Suite for Algebraic Lattices (CRYSTALS), a package of cryptographic primitives submitted to NIST’s post-quantum standardization effort. In fact, what we really describe and work with is a slightly modified version, also proposed in [7], called Kyber.CPA${}^{\prime }$.

First, we introduce some definitions needed to understand how the PKE has been constructed and summarize in

Table 3. Notation used for Kyber.CPA${}^{\prime }$.

Notation	Representation
Bold lower-case	Vectors with coefficients in R or $R_q$. All vector will be column vectors by default.
Regular font letter	Elements in R or $R_q$.
Bold upper-case	Matrices.
$s\leftarrow S$	If S is a set, s is chosen uniformly at random from S. If S is a distribution, s is chosen according to such distribution S.
$y\sim S:=\mathtt{Sam}\left(x\right)$ where Sam is an eXtendable Output Function (XOF)	Value y that is distributed according to distribution S (or uniformly over a set S). This is a deterministic procedure.
$v\leftarrow {\beta }_{\eta }$, $\mathbf{v}\leftarrow {\beta }_{\eta }^k$	$v\in R$ is generated from a distribution where each of its coefficients are generated from $B_{\eta }$. A k-dimensional vector of polynomials $\mathbf{v}\in R^k$ can be generated according to the distribution ${\beta }_{\eta }^k$.
$\lceil ·\rfloor$	$\lceil ·\rfloor$ is the rounding function i.e., ${\displaystyle \lceil x\rfloor =⌊x+{\displaystyle \frac{1}{2}}⌋}$ where $x\in \mathbb{Q}$ and $\lfloor ·\rfloor$ is the floor function.
$r^{\prime }=r{\mathrm{mod}}^{\pm }\alpha$	For an even (respectively, odd) integer $\alpha$, $r^{\prime }=r{\mathrm{mod}}^{\pm }\alpha$ is the unique element $r^{\prime }$ in the range $-\frac{\alpha }{2}<r\le \frac{\alpha }{2}$ (respectively, $-\frac{\alpha -1}{2}<r\le \frac{\alpha +1}{2}$) such that $r^{\prime }=rmod\alpha$.

the notation used in the sequel. Then, we describe the key generation, encryption, and decryption algorithms used in Kyber.CPA${}^{\prime }$, as well as its CPA-security under the Module-LWE hardness assumption (Definition 1).

Denote by R the ring $\mathbb{Z}\left[X\right]/(X^n+1)$ and by $R_q$ the ring ${\mathbb{Z}}_q\left[X\right]/(X^n+1)$, where $n=2^{n^{\prime }-1}$ such that $X^n+1$ is the $2^{n^{\prime }}$th cyclotomic polynomial. As in [7], we fix the values for n, $n^{\prime }$ and q to 256, 9 and 7681.

For some positive integer $\eta$, define the centered binomial distribution $B_{\eta }$ as follows ([7]):

$$\mathrm{Sample}{\left\{(a_i,b_i)\right\}}_{i=1}^{\eta }\leftarrow {\left({\{0,1\}}^2\right)}^{\eta }$$

$${\displaystyle \mathrm{and}\mathrm{output}\sum _{i=1}^{\eta }(a_i-b_i).}$$

The security assumption underlying Kyber.CPA${}^{\prime }$ is based on the hardness of the Module-LWE problem, which generalizes the Learning with Errors (LWE) problem. Learning with errors (LWE) is the computational problem of inferring a linear n-ary function f over a finite ring from given (slightly incorrect) samples $y_i=f\left({\mathbf{x}}_i\right)$. Recall that Ring Learning with Errors (RLWE) is the variant of LWE specialized to polynomial rings over finite fields. Informally, Module-LWE can be seen as the result of replacing single ring elements in the RLWE problem with module elements over the same ring (thus, RLWE can be seen as Module-LWE with module rank 1).

Definition 1

(Module-LWE assumption [7]). The Module-LWE problem consists in distinguishing uniform samples $({\mathbf{a}}_i,b_i)\leftarrow R_q^k\times R_q$ from samples $({\mathbf{a}}_i,{\mathbf{a}}_i^T\mathbf{s}+e_i)\in R_q^k\times R_q$ where ${\mathbf{a}}_i\leftarrow R_q^k$ is uniform, $\mathbf{s}\leftarrow {\beta }_{\eta }^k$ common to all samples, and $e_i\leftarrow {\beta }_n$ is fresh for every sample. The advantage of an adversary $\mathcal{A}$ is defined as

$${\mathsf{Adv}}_{m,k,\eta }^{\mathit{mlwe}}\left(\mathcal{A}\right)=\left|\mathrm{Pr}\left[b^{\prime }=1:\begin{array}{c}\mathbf{A}\leftarrow R_q^{m\times k};\hfill \\ (\mathbf{s},\mathbf{e})\leftarrow {\beta }_{\eta }^k\times {\beta }_{\eta }^m;\hfill \\ \mathbf{b}=\mathbf{As}+\mathbf{e};\hfill \\ b^{\prime }=\mathcal{A}(\mathbf{A},\mathbf{b})\hfill \end{array}\right]-\mathrm{Pr}\left[b^{\prime }=1:\begin{array}{c}\mathbf{A}\leftarrow R_q^{m\times k};\hfill \\ \mathbf{b}\leftarrow R_q^m;\hfill \\ b^{\prime }\leftarrow \mathcal{A}(\mathbf{A},\mathbf{b})\hfill \end{array}\right]\right|.$$

The Module-LWE assumption states that the above advantage is negligible for any given adversary $\mathcal{A}$.

The authors of [7] defined a function ${\mathtt{Compress}}_q(x,d)$ that takes an element $x\in {\mathbb{Z}}_q$ and outputs an integer in $\{0,1,\dots ,2^d-1\}$, where $d<\lceil {log}_2\left(q\right)\rceil$. Furthermore, a function ${\mathtt{Decompress}}_q$ is defined such that

$$x^{\prime }={\mathtt{Decompress}}_q({\mathtt{Compress}}_q(x,d),d)$$

is an element close to x. More specifically,

$$|x^{\prime }-x{\mathrm{mod}}^{\pm }q|\le ⌈\frac{q}{2^{d+1}}⌋.$$

The functions satisfying these requirements are defined in [7] as:

$$\begin{array}{ccc}\hfill {\mathtt{Compress}}_q(x,d)& =\hfill & \lceil (2^d/q)·x\rfloor mod{2}^d,\hfill \\ \hfill {\mathtt{Decompress}}_q(x,d)& =\hfill & \lceil (q/2^d)·x\rfloor .\hfill \end{array}$$

Kyber’s PKE scheme Kyber.CPA${}^{\prime }$ = (KeyGen, Enc, Dec) is parameterized by the positive integers $k,d_u$, and $d_v$. The value of these parameters vary for different security levels. Moreover, $\mathcal{M}={\{0,1\}}^n$ is the message space and ciphertexts are of the form $(\mathbf{u},v)\in {\{0,1\}}^{nk{d}_u}\times {\{0,1\}}^{n{d}_v}$. The definition of the key generation, encryption, and decryption of Kyber.CPA${}^{\prime }$ is given in Algorithms 1–3 as defined in [7]. Unlike Kyber.CPA${}^{\prime }$, the unmodified PKE scheme Kyber.CPA compresses $\mathbf{t}$ on Line 4 of Algorithm 1 and, therefore, must decompress $\mathbf{t}$ in Algorithm 2.

Kyber.CPA${}^{\prime }$ was shown to be IND-CPA secure under the Module-LWE hardness assumption in [7]. This result is stated in the following theorem.

Theorem 1

([7]). For any adversary $\mathcal{A}$ against the CPA security ofKyber.CPA${}^{\prime }$, let define the advantage

$${\mathsf{Adv}}_{\mathsf{Kyber}.{\mathsf{CPA}}^{\prime }}^{\mathit{cpa}}\left(\mathcal{A}\right)=\left|\mathrm{Pr}\left[b=b^{\prime }:\begin{array}{c}(pk,sk)\leftarrow \mathsf{KeyGen}\left(\right);\hfill \\ (m_0,m_1,s)\leftarrow \mathcal{A}\left(pk\right);\hfill \\ b\leftarrow \{0,1\};c^{*}\leftarrow \mathsf{Enc}(pk,m_b);\hfill \\ b^{\prime }\leftarrow \mathcal{A}(s,c^{*})\hfill \end{array}\right]-\frac{1}{2}\right|.$$

Then, there exists an adversary $\mathcal{B}$ such that

$${\mathsf{Adv}}_{\mathsf{Kyber}.{\mathsf{CPA}}^{\prime }}^{\mathit{cpa}}\left(\mathcal{A}\right)\le 2{\mathsf{Adv}}_{k+1,k,\eta }^{\mathit{mlwe}}\left(\mathcal{B}\right).$$

Finally, it is worth pointing out that neither $\mathtt{Kyber}.\mathtt{CPA}$ nor $\mathtt{Kyber}.{\mathtt{CPA}}^{\prime }$ provides perfect correctness. This is discussed in [7], where a value for $\delta$, the probability of decryption error, is obtained for $\mathtt{Kyber}.\mathtt{CPA}$. This is easily adapted to $\mathtt{Kyber}.{\mathtt{CPA}}^{\prime }$; the details can be found in Appendix A.

Algorithm 1:Kyber.CPA${}^{\prime }$.KeyGen()

1  $\rho ,\sigma \stackrel{}{\leftarrow }{\{0,1\}}^n$ 2  $\mathbf{A}\sim R_q^{k\times k}:=\mathtt{Sam}\left(\rho \right)$ 3 $(\mathbf{s},\mathbf{e})\sim {\beta }_{\eta }^k\times {\beta }_{\eta }^k:=\mathtt{Sam}\left(\sigma \right)$ 4 $\mathbf{t}:=\mathbf{As}+\mathbf{e}$ 5 return $(pk:=(\mathbf{t},\rho ),sk:=\mathbf{s})$

Algorithm 2:Kyber.CPA${}^{\prime }$.Enc($pk=(\mathbf{t},\rho ),m\in \mathcal{M})$)

1 $r\stackrel{}{\leftarrow }{\{0,1\}}^n$ 2 $\mathbf{A}\sim R_q^{k\times k}:=\mathtt{Sam}\left(\rho \right)$ 3 $(\mathbf{r},{\mathbf{e}}_1,e_2)\sim {\beta }_{\eta }^k\times {\beta }_{\eta }^k\times {\beta }_{\eta }$ 4 $\mathbf{u}:={\mathtt{Compress}}_q({\mathbf{A}}^T\mathbf{r}+{\mathbf{e}}_1,d_u)$ 5 $v:={\mathtt{Compress}}_q({\mathbf{t}}^T\mathbf{r}+e_2+\lceil \frac{q}{2}\rfloor ·m,d_v)$ 6 return $c:=(\mathbf{u},v)$

Algorithm 3:Kyber.CPA${}^{\prime }$.Dec($sk=\mathbf{s},c=(\mathbf{u},v)$)

1 $\mathbf{u}:={\mathtt{Decompress}}_q(\mathbf{u},d_u)$ 2 $v:={\mathtt{Decompress}}_q(v,d_v)$ 3 return ${\mathtt{Compress}}_q(v-{\mathbf{s}}^T\mathbf{u},1)$

3.2. The ${\mathrm{FO}}_{\mathrm{AKE}}$ Transformation: From PKE to AKE

${\mathrm{FO}}_{\mathrm{AKE}}$ is a generic construction proposed in [9], which transforms an IND-CPA secure PKE scheme into an AKE protocol, provably secure in the QROM. The construction admits that the PKE scheme has non-perfect correctness, which makes it suitable for the Kyber.CPA${}^{\prime }$ scheme we have previously introduced. Another nice feature is that it avoids the use of (usually expensive) quantum-secure signature schemes. ${\mathrm{FO}}_{\mathrm{AKE}}$ can be seen as an extension of the Fujisaki–Okamoto transform (which turns IND-CPA encryption schemes into IND-CCA ones) for the AKE setting.

The resulting AKE after applying the ${\mathrm{FO}}_{\mathrm{AKE}}$ transformation is quite efficient in terms of communication. In [9], it is called a two-message protocol, meaning that it is a two-round AKE protocol where one party sends a message in the first round while the other party answers with another message in the second round. As an interesting additional contribution, the authors of [9] defined a security model and two security notions for two-message AKEs: key indistinguishability agains active attacks (IND-AA) and the weaker notion of indistinguishability against active attacks without state reveal in the test session (IND-StAA). We are interested in the second one, as the security of the AKE obtained by using the ${\mathrm{FO}}_{\mathrm{AKE}}$ transformation is proved in [9] under this slightly weaker model. Nevertheless, this is enough for our purposes because, as discussed in Section 5 of [15] (the extended version of [9]), IND-StAA implies security in the sense required in the compiler from [8].

A high level description of the IND-StAA model, as formulated in [9], is the following. It states that the session key remains indistinguishable from a random one even if:

• The attacker knows either the long-term secret key or the secret state information (but not both) of both parties involved in the test session, as long as it did not modify the message received by the test session.
• If the attacker modified the message received by the test session, as long as it obtained neither the long-term secret key of the test session’s peer nor the test session’s state.

The authors of the ${\mathrm{FO}}_{\mathrm{AKE}}$ transformation proved its IND-StAA security in the QROM as long as the PKE is IND-CPA, and it is possible to efficiently fake ciphertexts that are indistinguishable from proper encryptions, while the probability that the sampling algorithm hits a proper encryption is small. This last notion is called Disjoint Simulatability (DS) of ciphertexts, and is defined in [9] as follows.

Definition 2

(DS). Let $\mathsf{PKE}=(\mathsf{KG},\mathsf{Enc},\mathsf{Dec})$ be a PKE scheme with message space $\mathcal{M}$ and ciphertext space $\mathcal{C}$, coming with an additional ppt algorithm $\overline{\mathsf{Enc}}$. For quantum adversaries $\mathcal{A}$, we define the advantage against $\mathsf{PKE}$’s disjoint simulatability as

$${\mathsf{Adv}}_{\mathsf{PKE},\overline{\mathsf{Enc}}}^{\mathsf{DS}}\left(\mathcal{A}\right)=\left|\mathrm{Pr}\left[\begin{array}{c}pk\leftarrow \mathsf{KG},\hfill \\ m\leftarrow \mathcal{M},\hfill \\ c\leftarrow \mathsf{Enc}(pk,m)\hfill \end{array}:1\leftarrow \mathcal{A}(pk,c)\right]-\mathrm{Pr}\left[\begin{array}{c}pk\leftarrow \mathsf{KG},\hfill \\ c\leftarrow \overline{\mathsf{Enc}}\hfill \end{array}:1\leftarrow \mathcal{A}(pk,c)\right]\right|.$$

When there is no chance of confusion, we drop $\overline{\mathsf{Enc}}$ from the advantage’s subscript for convenience. We call $\mathsf{PKE}$ ${\epsilon }_{\mathrm{dis}}$-disjoint if for all $pk\in \mathit{supp}\left(\mathsf{KG}\right)$,

$$\mathit{Pr}[c\leftarrow \overline{\mathsf{Enc}}:c\in \mathsf{Enc}(pk,\mathcal{M};\mathcal{R})]\le {\epsilon }_{\mathit{dis}},$$

where $\mathcal{R}=\mathcal{R}\left(pk\right)$ is a finite randomness space defined by $pk$.

The authors of the ${\mathrm{FO}}_{\mathrm{AKE}}$ transformation suggested that many lattice-based schemes fulfill DS in a natural way as follows: fake encryptions could be sampled uniformly random. DS would follow from the LWE assumption, and since LWE samples are relatively sparse, uniform sampling should be disjoint.

The following theorem establishes that the DS security of $\mathtt{Kyber}.{\mathtt{CPA}}^{\prime }$ equipped with an additional algorithm $\overline{\mathtt{Enc}}$ reduces to its Module-LWE security.

Theorem 2

(DS security of $\mathtt{Kyber}.{\mathtt{CPA}}^{\prime }$). Let $\eta ,k,d_u$, and $d_v$ be positive integer parameters for $\mathsf{Kyber}.{\mathsf{CPA}}^{\prime }$. If $\mathsf{Kyber}.{\mathsf{CPA}}^{\prime }$ is equipped with a ppt algorithm $\overline{\mathsf{Enc}}$ which samples a uniform ciphertext when given a public key, then, for any adversary $\mathcal{A}$, there exists an adversary $\mathcal{B}$ such that

$${\mathsf{Adv}}_{\mathsf{Kyber}.{\mathsf{CPA}}^{\prime }}^{\mathsf{DS}}\left(\mathcal{A}\right)\le 2{\mathsf{Adv}}_{k+1,k,\eta }^{\mathit{mlwe}}\left(\mathcal{B}\right).$$

Furthermore, $\mathsf{Kyber}.{\mathsf{CPA}}^{\prime }$ is ${\epsilon }_{\mathit{dis}}$-disjoint with

$${\epsilon }_{\mathit{dis}}={\displaystyle \frac{1}{2^{n(d_{u}k+d_v-2)}}}.$$

Proof. 

Let $\mathcal{A}$ be an adversary attacking the DS security of $\mathtt{Kyber}.{\mathtt{CPA}}^{\prime }$. We obtain a bound for ${\mathsf{Adv}}_{\mathtt{Kyber}.{\mathtt{CPA}}^{\prime }}^{\mathtt{DS}}\left(\mathcal{A}\right)$ following the sequence of games in the proof of Theorem 2 in [7].

First, the value $\mathbf{t}:=\mathbf{As}+\mathbf{e}$ which is used in KeyGen is substituted by a uniform random value. It follows from the Module-LWE security of $\mathtt{Kyber}.{\mathtt{CPA}}^{\prime }$ that the value $\mathbf{t}$ and the uniform random value are indistinguishable from each other. Next, the values ${\mathbf{A}}^T\mathbf{r}+{\mathbf{e}}_1$ and ${\mathbf{t}}^T\mathbf{r}+e_2+\lceil \frac{q}{2}\rfloor ·m$ used in the generation of the challenge ciphertext are simultaneously substituted with uniform random values. Again, it follows from the Module-LWE security of $\mathtt{Kyber}.{\mathtt{CPA}}^{\prime }$ that ${\mathbf{A}}^T\mathbf{r}+{\mathbf{e}}_1$ and ${\mathbf{t}}^T\mathbf{r}+e_2+\lceil \frac{q}{2}\rfloor ·m$ are indistinguishable from the random values. As in [7], we deduce that there exists an adversary $\mathcal{B}$ with the same running time as that of $\mathcal{A}$ such that ${\mathsf{Adv}}_{\mathtt{Kyber}.{\mathtt{CPA}}^{\prime }}^{\mathtt{DS}}\left(\mathcal{A}\right)\le 2{\mathsf{Adv}}_{k+1,k,\eta }^{\mathit{mlwe}}\left(\mathcal{B}\right)$.

To prove the ${\epsilon }_{\mathrm{dis}}$-disjointness of $\mathtt{Kyber}.{\mathtt{CPA}}^{\prime }$ with ${\epsilon }_{\mathrm{dis}}=2^{n(2-d_{u}k-d_v)}$, we recall that $\mathcal{M}={\{0,1\}}^n$, $\mathcal{C}={\{0,1\}}^{nk{d}_u}\times {\{0,1\}}^{n{d}_v}$, and $\mathcal{R}={\{0,1\}}^n$ are the message, ciphertext and random spaces, respectively. Since $\left|\mathtt{Enc}(pk,\mathcal{M};\mathcal{R})\right|\le \left|\mathcal{M}\right|\left|\mathcal{R}\right|=2^{2n}$, we obtain

$$\begin{array}{cc}\mathrm{Pr}[c\leftarrow \overline{\mathtt{Enc}}:c\in \mathtt{Enc}(pk,\mathcal{M};\mathcal{R})]\hfill & {\displaystyle \le \underset{(pk,sk)\in \mathtt{KeyGen}\left(\mathcal{R}\right)}{max}{\displaystyle \frac{\left|\mathtt{Enc}\right(pk,\mathcal{M};\mathcal{R}\left)\right|}{\left|\mathcal{C}\right|}}}\hfill \\ \\ \hfill & \le {\displaystyle \frac{2^{2n}}{2^{n(d_{u}k+d_v)}}}\hfill \\ \\ \hfill & ={\displaystyle \frac{1}{2^{n(d_{u}k+d_v-2)}}},\hfill \end{array}$$

which is the desired result. □

Now that Theorems 1 and 2 guarantee that $\mathtt{Kyber}.{\mathtt{CPA}}^{\prime }$ satisfies the hypotheses of Theorem 3 in [9], we can use it to produce a two-party AKE which fulfills IND-StAA security in the QROM. The resulting scheme, which we denote by Kyber.2AKE, is depicted in Figure 4. Here, and are random oracles and ${}_R^{\prime }$, ${}_{L1}^{\prime }$, ${}_{L2}^{\prime }$, and ${}_{L3}^{\prime }$ are internal random oracles that cannot be accessed directly and could be implemented with a pseudorandom function. Note that this is not the same two-party AKE proposed in [7]. For reference, we include the precise statement of Theorem 3 [9] in Appendix B.

3.3. The Commitment Scheme

In this section, we describe how to obtain an IND-CCA PKE from an IND-CPA PKE. This process can be achieved in two steps:

• Apply the ${\mathrm{FO}}_m^{\cancel{\perp }}$ transformation [9] that converts an IND-CPA PKE into a IND-CCA KEM.
• Apply the transformation proposed in [10] to achieve an IND-CCA PKE from an IND-CCA KEM.

To achieve an IND-CCA secure KEM from Kyber.CPA${}^{\prime }$, we apply the ${\mathrm{FO}}_m^{\cancel{\perp }}$ transformation. This is analogous to the ${\mathrm{FO}}_{\mathrm{AKE}}$ transformation that transforms a PKE scheme that is both IND-CPA and DS secure into a CCA-secure KEM. As shown in [9], unlike similar transformations, ${\mathrm{FO}}_m^{\cancel{\perp }}$ is robust against correctness errors and its security reduction is tighter than the one that results from applying other known transformations. In cases where the PKE is not already DS, this requirement can be waived with negligible loss of efficiency. In the case of Kyber.CPA${}^{\prime }$, there is no loss of efficiency since it is IND-CPA secure and, as shown in Theorem 2, it is DS secure as well. The Algorithms 1, 4, and 5 show the KEM ${\mathtt{Kyber}}^{\cancel{\perp }}$ = (Kyber.CPA${}^{\prime }$.KeyGen, Encaps, Decaps) that results from applying the transformation ${\mathrm{FO}}_m^{\cancel{\perp }}$ to Kyber.CPA${}^{\prime }$. Here, and are random oracles and ${}_r$ is an internal random oracle that cannot be accessed directly and could be implemented with a pseudorandom function. For reference, we include the precise statement of Theorem 2 [9] in Appendix C.

Algorithm 4:${\mathtt{Kyber}}^{\cancel{\perp }}.\mathtt{Encaps}$($pk$)

1 $m\stackrel{\$}{\leftarrow }\mathcal{M}$ 2 $c:=\mathtt{Kyber}.{\mathtt{CPA}}^{\prime }.\mathtt{Enc}(pk,m;\left(m\right))$ 3 k := H(m) 4 return $(\mathtt{k},c)$

Algorithm 5:${\mathtt{Kyber}}^{\cancel{\perp }}.\mathtt{Decaps}$($sk,c$)

  Finally, an IND-CCA PKE is obtained after applying the transformation introduced in [10] to ${\mathtt{Kyber}}^{\cancel{\perp }}$ with a secure one-time symmetric key encapsulation (SKE or DEM). We call this scheme Kyber.PKE. The security of this transformation follows from Theorem 5 in [10]. As pointed out in [8], a commitment scheme with the required security properties can be obtained in a straightforward way from the IND-CCA PKE.

4. Our Post-Quantum Group Key Exchange

In this section, we present our compiled construction of GAKE. Informally, let us recall the setting we are considering. Our participants are honest entities which can be modeled as probabilistic polynomial time Turing machines (thus, have no access to quantum computing resources). These participants can only exchange messages through an insecure network, which is fully under adversarial control (adversaries may insert, delay, suppress or forward messages at will). Moreover, the adversarial computing capabilities are superior to those of participants, as we assume adversaries can preform quantum polynomial time computations and have quantum access to any hash function (modeled as a random oracle) involved. With this in mind, the goal pursued by our protocol is to guarantee that, whenever a participant has computed a session key through the network, this key is indistinguishable from a random value for those outside the intended group of participants involved in that concrete execution. Note that (as is standard in GKE proposals) we cannot expect to prove that the protocol will always terminate when executed by honest parties, we rather pursue formal assurance that, whenever the protocol indeed produces an output key for a participant, this key is secure for subsequent use.

Now, to make the text fully self-contained, we start by describing the main notations and formalism used in the sequel.

4.1. Security Model

Our security model is inherited from Abdalla et al. [8], which in turn builds upon the seminal work of Bellare et al. [16]. However, ours is a less generic scenario; while in [8] all the proofs are in the common reference string model, our proofs are in the (quantum) random oracle model. More precisely, we assume that all public keys and parameters needed for implementing $\mathtt{Kyber}.\mathtt{2}\mathtt{AKE}$ and $\mathtt{Kyber}.\mathtt{PKE}$ are publicly known (and certified), as well as the description of all involved hash functions, which are idealized as random oracles. Further, we will assume that the long term keys needed for authentication in $\mathtt{Kyber}.\mathtt{2}\mathtt{AKE}$ are generated and distributed to all potential protocol participants in a trusted initialization phase. As customary, we use variables to detail the information stored by users with respect to each protocol execution, and oracles to model adversarial action.

4.1.1. Protocol Instances

Each protocol participant $U_i\in \mathcal{U}$ ($i\in \mathbb{N}$) may execute a polynomial number of protocol instances in parallel. A single instance ${\mathsf{\Pi }}_i^{s_i}$ can be interpreted as a process executed by protocol participant $U_i$. Throughout, the notation ${\mathsf{\Pi }}_i^{s_i}$ is used to refer to instance $s_i$ of protocol participant $U_i\in \mathcal{U}$. To each instance, we assign seven variables:

${\mathsf{used}}_i^{s_i}$

indicates whether this instance is or has been used for a protocol run. The ${\mathsf{used}}_i^{s_i}$ flag can only be set through a protocol message received by the instance due to a call to the $\mathsf{Execute}$- or to the $\mathsf{Send}$-oracle (see below).

${\mathsf{state}}_i^{s_i}$

keeps the state information needed during the protocol execution as well as the long term keys needed for authentication.

${\mathsf{term}}_i^{s_i}$

shows if the execution has terminated.

${\mathsf{sid}}_i^{s_i}$

denotes a public session identifier that can serve as identifier for the session key ${\mathsf{sk}}_i^{s_i}.$ Note that, even though we do not construct session identifiers as session transcripts, the adversary is allowed to learn all session identifiers.

${\mathsf{pid}}_i^{s_i}$

stores the set of identities of those users that ${\mathsf{\Pi }}_i^{s_i}$ aims at establishing a key with—including $U_i$ himself.

${\mathsf{acc}}_i^{s_i}$

indicates if the protocol instance was successful, i. e., the user accepted the session key.

${\mathsf{sk}}_i^{s_i}$

stores the session key once it is accepted by ${\mathsf{\Pi }}_i^{s_i}.$ Before acceptance, it stores a distinguished null value.

We do not make explicit the initialization and evolution of all variables mentioned above, yet omissions are straightforward to understand from the context.

4.1.2. Communication Network

We assume arbitrary point-to-point connections among users to be available. The network is non-private and fully asynchronous: The adversary may delay, eavesdrop, insert, and delete messages at will.

4.1.3. Adversarial Capabilities

Following Hövelmanns et al. [15], we consider adversaries that can preform (quantum) polynomial time computations, and have classical access to all (online) oracles listed below. Furthermore, as explained in Section 2.2, our adversaries are given quantum access to any (offline) random oracles involved.

The capabilities of an adversary $\mathcal{A}$ are made explicit through access to oracles allowing $\mathcal{A}$ to communicate with protocol instances run by the users:

• $\mathsf{Send}(U_i,s_i,M)$ This sends message M to the instance ${\mathsf{\Pi }}_i^{s_i}$ and returns the reply generated by this instance. If $\mathcal{A}$ queries this oracle with an unused instance ${\mathsf{\Pi }}_i^{s_i}$ and $M\subseteq \mathcal{P}$ a set of identities of principals, the ${\mathsf{used}}_i^{s_i}$-flag is set, ${\mathsf{pid}}_i^{s_i}$ initialized with ${\mathsf{pid}}_i^{s_i}:=\left\{U_i\right\}\cup M$, and the initial protocol message of ${\mathsf{\Pi }}_i^{s_i}$ is returned.
• $\mathsf{Execute}\left(\{{\mathsf{\Pi }}_{u_1}^{s_{u_1}},\cdots ,{\mathsf{\Pi }}_{u_{\mu }}^{s_{u_{\mu }}}\}\right)$ This executes a complete protocol run among the specified unused instances of the respective users. The adversary obtains a transcript of all messages sent over the network. A query to the Executeoracle is supposed to reflect a passive eavesdropping.
• $\mathsf{Reveal}(U_i,s_i)$ This yields the value stored in ${\mathsf{sk}}_i^{s_i}$.
• $\mathsf{Test}(U_i,s_i)$ Let b be a bit chosen uniformly at random. Provided that the session key is defined (i. e., ${\mathsf{acc}}_i^{s_i}=\mathsf{true}$ and ${\mathsf{sk}}_i^{s_i}\ne \mathrm{null}$) and instance ${\mathsf{\Pi }}_i^{s_i}$ is fresh (see the definition of freshness below), $\mathcal{A}$ can execute this oracle query at any time when being activated. Then, the session key ${\mathsf{sk}}_i^{s_i}$ is returned if $b=0$ and a uniformly chosen random session key is returned if $b=1$. In this model, an arbitrary number of Testqueries is allowed for the adversary $\mathcal{A}$, but, once the $\mathsf{Test}$ oracle has returned a value for an instance ${\mathsf{\Pi }}_i^{s_i}$, it will return the same value for all instances partnered with ${\mathsf{\Pi }}_i^{s_i}$ (see the definition of partnering below).
• $\mathsf{Corrupt}\left(U_i\right)$ This returns all long-term secrets of user $U_i$—in our case, the private keys used for authentication in $\mathtt{Kyber}.\mathtt{2}\mathtt{AKE}$.

4.1.4. Correctness, Integrity and Secrecy

To define our correctness and security goals, we introduce partnering to express which instances are associated in a common protocol session.

Partnering. We refer to instances ${\mathsf{\Pi }}_i^{s_i}$ and ${\mathsf{\Pi }}_j^{s_j}$ as being partnered if ${\mathsf{pid}}_i^{s_i}={\mathsf{pid}}_j^{s_j}$, ${\mathsf{sid}}_i^{s_i}={\mathsf{sid}}_j^{s_j}$, ${\mathsf{sk}}_i^{s_i}={\mathsf{sk}}_j^{s_j}$ and ${\mathsf{acc}}_i^{s_i}={\mathsf{acc}}_j^{s_j}=\mathsf{true}$.

An instance ${\mathsf{\Pi }}_i^{s_i}$ is assumed to accept the session key constructed at the end of the corresponding protocol run if no deviation from the protocol specification has occurred. Moreover, without adversarial interference, all users involved in a certain session should come up with the same session key.

Definition 3.

We call a group key establishment protocol $\mathsf{P}$ correct, if in the presence of a passive adversary $\mathcal{A}$—i. e., $\mathcal{A}$ must neither use the Send nor the Corrupt oracle—the following holds: for all $i,j$ with both ${\mathsf{sid}}_i^{s_i}={\mathsf{sid}}_j^{s_j}$ and ${\mathsf{acc}}_i^{s_i}={\mathsf{acc}}_j^{s_j}=\mathsf{true}$, we have ${\mathsf{sk}}_i^{s_i}={\mathsf{sk}}_j^{s_j}\ne \mathrm{null}$ and ${\mathsf{pid}}_i^{s_i}={\mathsf{pid}}_j^{s_j}$.

Some sort of correctness should also be guaranteed even if adversaries actively participate in a concrete executions: the notion of integrity, introduced in [17], captures this idea.

Definition 4.

We say that a correct group key establishment protocol fulfills integrity if, with overwhelming probability, all instances of honest principals that have accepted with the same session identifier ${\mathtt{sid}}_j^{s_j}$ hold identical session keys ${\mathtt{sk}}_j^{s_j}$ and associated this key with the same principals ${\mathtt{pid}}_j^{s_j}$.

Next, for detailing the security definition, we have to specify under which conditions a $\mathsf{Test}$-query may be executed.

Definition 5.

A $\mathsf{Test}$-query should only be allowed to those instances holding a key that is not for trivial reasons known to the adversary. To this aim, an instance ${\mathsf{\Pi }}_i^{s_i}$ is called fresh if none of the following holds:

• For some $U_j\in {\mathsf{pid}}_i^{s_i}$, a query $\mathsf{Corrupt}\left(U_j\right)$ was executed before a query of the form $\mathsf{Send}(U_k,s_k,M)$ has taken place, for some message (or set of identities) M and some $U_k\in {\mathsf{pid}}_i^{s_i}$.
• The adversary earlier queried $\mathsf{Reveal}(U_j,s_j)$ with ${\mathsf{\Pi }}_i^{s_i}$ and ${\mathsf{\Pi }}_j^{s_j}$ being partnered.

The idea of this definition is that revealing a session key from an instance ${\mathsf{\Pi }}_i^{s_i}$ trivially yields the session key of all instances partnered with ${\mathsf{\Pi }}_i^{s_i}$, and hence this kind of “attack” will be excluded in the security definition.

For a secure group key establishment protocol, we have to impose a corresponding bound on the adversary’s advantage: The advantage ${\mathsf{Adv}}_{\mathcal{A}}(\ell )$ of a ppt adversary $\mathcal{A}$ in attacking protocol $\mathsf{P}$ is a function in the security parameter ℓ, defined as

$${\mathsf{Adv}}_{\mathcal{A}}:=|2·\mathsf{Succ}-1|.$$

Here, $\mathsf{Succ}$ is the probability that the adversary queries $\mathsf{Test}$ only on fresh instances and guesses correctly the bit b used by the $\mathsf{Test}$ oracle (without violating the freshness of those instances queried with $\mathsf{Test}):$

Definition 6.

We say that an authenticated group key establishment protocol $\mathsf{P}$ is secure if for every ppt adversary $\mathcal{A}$ the following inequality holds for some negligible function $\mathrm{negl}$:

$${\mathsf{Adv}}_{\mathcal{A}}(\ell )\le \mathrm{negl}(\ell ),$$

(1)

4.2. Our Construction

We aim at a full description of a GAKE protocol that can be proven secure against quantum adversaries, building on a post-quantum $\mathtt{2}\mathtt{AKE}$ and using the compiler described in Section 2.1. Our proposal is depicted in Figure 5. Note that in our compiled design we take as starting point a slightly modified version of the compiler from [8], in two ways:

• We simplify the session key and session identifier computation using two hash functions to extract them from the shared master key K. Indeed, as the $\mathtt{2}\mathtt{AKE}$ we use as building block is proven secure in the (quantum) random oracle model, it no longer makes sense to use the (somewhat complicated) key extraction procedure defined in [8] to dodge idealized hash functions. Thus, we forgo Tools 1 and 2 mentioned in Section 2.1 and use two hash functions $\widehat{\mathtt{H}}$ and $\widehat{\mathtt{F}}$ instead. Thus, at the final Computation phase, each user $U_i$ will set the session key as ${\mathtt{sk}}_i=\widehat{\mathtt{H}}\left(K\right)$ and the corresponding session identifier as ${\mathtt{sid}}_i=\widehat{\mathtt{F}}\left(K\right)$, where K is the master key shared by everyone involved in the execution.
• Further, we make an additional requirement on the compiled $\mathtt{2}\mathtt{AKE}$, needed for the security proof. Indeed, as pointed out by Nam in [18], an extra condition on the two party protocol used as a base must be imposed in Theorem 1 of [8]. Indeed, the underlying $\mathtt{2}\mathtt{AKE}$ should fulfill integrity in order to thwart a simple replay attack (in the proof of Theorem 1 of [8], it is actually assumed that integrity is fulfilled—see the argument related to Game 1). We thus slightly tune up the two-party $\mathtt{2}\mathtt{AKE}$ to make sure integrity is achieved.

4.3. Security Arguments and Proofs

To prove that our compiled version is secure, we build upon the security of our underlying tools. More precisely, we use the following results:

(i)

$\mathtt{Kyber}.\mathtt{2}\mathtt{AKE}$, as depicted in Figure 4, is secure in the sense of IND-StAA and can be modified to also attain integrity as in Definition 4. Note that, as explained in Section 5 of [15], IND-StAA implies security in the sense required in the original compiler from [8].

(ii)

The encryption scheme $\mathtt{Kyber}.\mathtt{PKE}$ yields a non-interactive commitment scheme that is both non-malleable for multiple commitments and perfectly binding. This comes straightforward as a result of this scheme being IND-CCA (see Section 3.3 and [15]).

4.3.1. A Variant of $\mathtt{Kyber}.\mathtt{2}\mathtt{AKE}$ Attaining Integrity

Informally, it is easy to modify in a standard way the construction $\mathtt{Kyber}.\mathtt{2}\mathtt{AKE}$ to attain integrity. The main idea is to add a second random oracle $\mathtt{F}$ which, at the point of key derivation, will be applied to the same input as $\mathtt{H}$ in order to derive a session identifier. Then, it is trivial to state that integrity of this modified $\mathtt{Kyber}.\mathtt{2}\mathtt{AKE}$ construction is attained both in the ROM and in the QROM, due to the collision resistance of the involved random oracles (see Section 2.2). Indeed, suppose that $\mathtt{k}={\mathtt{k}}^{\prime }$. Since $\mathtt{H}$ and $\mathtt{F}$ are random oracles, their collision resistance guarantees that, with overwhelming probability, both participants have the same partner identifiers and, therefore, use the same session key k. This argument is valid both in the classical and quantum-accessible random oracle model (see Section 2.2). In the sequel, we assume this modification is in place and thus $\mathtt{Kyber}.\mathtt{2}\mathtt{AKE}$ attains integrity.

4.3.2. Security of Our Proposed Group Protocol

Theorem 3.

In the random oracle model, the protocol presented in Figure 5 is a correct and secure authenticated group key establishment protocol fulfilling integrity, in the sense of Definitions 3, 6, and 4.

Proof. 

This proof is a (somewhat) straightforward adaptation of the security proof of Theorem 1 of [8], which we use as a main tool in our construction.

Correctness. In an honest execution of the protocol, it is easy to verify that all participants in the protocol will terminate by accepting and computing the same session identifier and session key.

Integrity. Owing to the collision-resistance of the random oracle $\widehat{\mathtt{F}}$ all oracles that accept with identical session identifiers also hold with overwhelming probability the same master key K and $\mathsf{pid}$ (which can be read from K) will therefore also derive the same session key $\widehat{\mathtt{H}}\left(K\right).$

Key secrecy. The proof of key secrecy will proceed in a sequence of games, starting with the real attack against the key secrecy of the group key exchange protocol and ending in a game in which the adversary’s advantage is 0, and for which we can bound the difference in the adversary’s advantage between any two consecutive games. Following standard notation, we denote by $\mathsf{Adv}(\mathcal{A},G_i)$ the advantage of the adversary $\mathcal{A}$ in Game i. Furthermore, for clarity, we classify the $\mathsf{Send}$ queries into three categories, depending on the stage of the protocol to which the query is associated, starting with $\mathsf{Send}-\mathsf{0}$ and ending with $\mathsf{Send}-\mathsf{2}$. $\mathsf{Send}-$t denotes the $\mathsf{Send}$ query associated with round t for $t=0,1,2$.

The first three games from this proof are exactly the same as those in the proof of Theorem 1 of [8]. We only summarize the reduction and refer the interested reader to the original paper for a detailed description.

  Game $\mathbf{0}$. This first game corresponds to a real attack, in which all the parameters, such as the public parameters in the common reference string and the long-term secrets associated with each user, are chosen as in the actual scheme. By definition, $\mathsf{Adv}(\mathcal{A},G_0)=\mathsf{Adv}\left(\mathcal{A}\right).$

 Game $\mathbf{1}$. In this game, for $i=1,\dots ,n$, we modify the simulation of the $\mathsf{Send}$ and $\mathsf{Execute}$ oracles so that, whenever an instance ${\mathsf{\Pi }}_i^{s_i}$ is still considered fresh at the end of Round 2, the keys ${\overleftarrow{K}}_i$ and ${\overrightarrow{K}}_i$ that it shares with instances ${\mathsf{\Pi }}_{i-1}^{s_{i-1}}$ and ${\mathsf{\Pi }}_{i+1}^{s_{i+1}}$ are replaced with random values from the appropriate set.

It is easy to see that the distance between this game and the previous one is bounded by the probability that the adversary breaks the security of any of the underlying $\mathsf{2}-\mathsf{AKE}$ protocols. As a result, it holds

$$|\mathsf{Adv}(\mathcal{A},G_1)-\mathsf{Adv}(\mathcal{A},G_0)|\le 2·{\mathsf{Adv}}_{\mathsf{2}-\mathsf{AKE}}(\ell ,2·q_{\mathrm{send}}),$$

where $q_{\mathrm{send}}$ represents the number of different protocol instances in $\mathsf{Send}$ queries.

 Game $\mathbf{2}$. In this game, we change the simulation of the $\mathsf{Send}$ oracle so that a fresh instance ${\mathsf{\Pi }}_i^{s_i}$ does not accept in Round 4 whenever one commitment $C_j$ for $j\ne i$ it receives in Round 3 was generated by the simulator but not generated by the respective instance ${\mathsf{\Pi }}_j^{s_j}$, $j\ne i$ in the same session.

The adversary $\mathcal{A}$ can detect the difference to Game $G_1$ if $\mathcal{A}$ replayed a commitment that should have led to acceptance in Round 4 in that game. Because the committed value $X_i$ is a random value independent of previous messages, the probability for this is negligible.

$$|\mathsf{Adv}(\mathcal{A},G_2)-\mathsf{Adv}(\mathcal{A},G_1)|\le \mathrm{negl}(\ell )$$

 Game $\mathbf{3}$. This game reproduces the modification also for adversary-generated commitments: The simulation of the $\mathsf{Send}$ oracle changes so that a fresh instance ${\mathsf{\Pi }}_i^{s_i}$ does not accept in Round 4 whenever one commitment $C_j$ for $j\ne i$ it receives in Round 3 was adversary-generated. The adversary’s advantage diverges only negligibly from the previous game:

$$|\mathsf{Adv}(\mathcal{A},G_3)-\mathsf{Adv}(\mathcal{A},G_2)|\le \mathrm{negl}(\ell )$$

 Game $\mathbf{4}$. Now, the simulations of the Execute and Send oracles are modified at the point of computing the session key. The simulator keeps a list of strings $(K_1,\cdots ,K_n,\mathcal{G})$. Once an instance receives the last $\mathsf{Send}-\mathsf{2}$ query, the simulator computes $K_1,\cdots ,K_n$ and checks if for the corresponding string $(K_1,\cdots ,K_n,\mathcal{G})$ a master key was already issued. If this is the case, it assigns the corresponding master key to the instance. If no such entry exists in the list, the simulator chooses a session key ${\mathsf{sk}}_i^{s_i}\in {\{0,1\}}^{\ell }$ uniformly at random. Note that, even if the messages from Round 4 are sent out, the master key is still containing sufficient entropy so that the random oracle output $\widehat{\mathtt{H}}$ is indistinguishable from a random ${\mathsf{sk}}_i^{s_i}$ with negligible probability only. As a result,

$$|\mathsf{Adv}(\mathcal{A},G_4)-\mathsf{Adv}(\mathcal{A},G_3)|\le \mathrm{negl}(\ell ).$$

Now, clearly, in Game $G_4$, all session keys are chosen uniformly at random and the adversary has no advantage.

$$\mathsf{Adv}(\mathcal{A},G_4)=0.$$

□

Theorem 4.

In the quantum random oracle model, the protocol presented in Figure 5 is a correct and secure authenticated group key establishment protocol fulfilling integrity, in the sense of Definitions 3, 6, and 4.

Proof. 

(sketch) The proof follows the exact reasoning of Theorem 3; we only need to stress that the argument from Game 4 is still valid when considering quantum-accessible random oracles. Indeed, in this last game, the simulations of the Execute and Send oracles are modified at the point of computing the session key. The simulator keeps a list of strings $(K_1,\cdots ,K_n,\mathcal{G})$, and, upon receiving the last $\mathsf{Send}-\mathsf{2}$ query, it computes the values $K_1,\cdots ,K_n$ and checks if a corresponding master key has already been issued previously. If this is the case, this master key will be assigned to the instance. Otherwise, the simulator chooses a session key ${\mathsf{sk}}_i^{s_i}\in {\{0,1\}}^{\ell }$ uniformly at random. At this point, all two party keys $K_1,\cdots ,K_n$ are chosen uniformly at random and are unknown to the adversary. The adversary can only notice this last change if it has already queried the very same key string to the quantum random oracle $\widehat{\mathtt{H}}$. This event will happen with negligible probability. As a result, the output $\widehat{\mathtt{H}}$ is indistinguishable from a random ${\mathsf{sk}}_i^{s_i}$ with overwhelming probability. Thus, we have

$$|\mathsf{Adv}(\mathcal{A},G_4)-\mathsf{Adv}(\mathcal{A},G_3)|\le \mathrm{negl}(\ell ).$$

Now, clearly, in Game $G_4$, all session keys are chosen uniformly at random and the adversary has no advantage.

$$\mathsf{Adv}(\mathcal{A},G_4)=0.$$

□

5. Conclusions

We present in this paper a post-quantum GAKE using Abdalla et al.’s compiler from [8] as design frame. We choose the Kyber suite [7] as main building block, not only because it is a good design fit for our compiled strategy, but also considering its promising security properties (as Kyber is one of the four remaining finalists for public key encryption in the Third Round of the NIST competition). More precisely, we evidence that a secure 2AKE as needed for our compiled construction can be derived using the ${\mathrm{FO}}_{\mathrm{AKE}}$ transformation proposed in [9], by proving the encryption scheme $\mathtt{Kyber}.{\mathtt{CPA}}^{\prime }$ to be DS secure.

Our four-round instantiation can as a result be proven to provide post-quantum security guarantees under the Module-LWE assumption in the quantum random oracle model.