Compiled Constructions towards Post-Quantum Group Key Exchange: A Design from KyberKyberKyber

: A group authenticated key exchange (GAKE) protocol allows a set of parties belonging to a certain designated group to agree upon a common secret key through an insecure communication network. In the last few years, many new cryptographic tools have been speciﬁcally designed to thwart attacks from adversaries which may have access to (different kinds of) quantum computation resources. However, few constructions for group key exchange have been put forward. Here, we propose a four-round GAKE which can be proven secure under widely accepted assumptions in the Quantum Random Oracle Model . Speciﬁcally, we integrate several primitives from the so-called Kyber suite of post-quantum tools in a (slightly modiﬁed) compiler from Abdalla et al. (TCC 2007). More precisely, taking as a starting point an IND-CPA encryption scheme from the Kyber portfolio, we derive, using results from Hövelmanns et al. (PKC 2020), a two-party key exchange protocol and an IND-CCA encryption scheme and prove them ﬁt as building blocks for our compiled construction. The resulting GAKE protocol is secure under the Module-LWE assumption, and furthermore achieves authentication without the use of (expensive) post-quantum signatures.


Introduction
The search for cryptographic primitives that will remain secure once quantum computing is a reality has been on going for over twenty years. Noticeably, in the last few years this search has gained greater attention from academia and industry, especially since the US National Institute of Standards and Technology (NIST) launched a competition towards standardizing quantum-resistant (also called post-quantum) public-key cryptographic algorithms in 2017. While this competition is focused on constructions for public key encryption, two party key establishment and digital signatures, research towards different post-quantum primitives has also been aroused as a side effect.
Group key establishment protocols (GKE) are fundamental cryptographic constructions. Indeed, for many real life applications of information technologies, the crucial starting point is establishing a "secure session", i.e., setting confidential communication channels among users. GKE protocols allow a group of n ≥ 2 users, interacting through an insecure communication network, to establish a common known high entropy secret that can be used to secure their subsequent communication. Typically, once this secret has been agreed upon, tools from symmetric cryptography can be used to attain confidentiality, Comparison with other schemes. We present two tables that summarize some features of other GAKE schemes with quantum-resistance and compare them with our proposal. Table 1 summarizes some parameters related to the performance of the schemes. The number of communication rounds is one of the most important parameters when dealing with GAKE protocols. In addition, for each scheme, we point out whether the use of post-quantum signatures is avoided, which is a nice feature, as this kind of signatures are usually expensive in terms of both computation and size. Note that the scheme in [2] does not use post-quantum signatures but is unauthenticated. Finally, we include the total number of messages sent throughout an execution involving n parties, pointing out whether messages are broadcasted or just sent point-to-point (PtP) (i.e., from one party to another). Table 1. Some efficiency parameters for GKE/GAKE protocols claimed to be quantum-resistant.

# Broadcast Messages # PtP Messages
n-UM [1] 1 Yes n 0 BC n-DH [1] 1 Yes n 0 Apon et al. [2] 3 Yes (but is unauth.) 2n + 1 0 STAG [4] 3 No 2n + 1 0 Pers. et al. [5] 3 No n 2n Gonz. et al. [6] 2 Yes n n 2 − n This work 4 Yes 2n 2n Table 2 is focused on security issues. In the first column, we include the type of assumption (isogeny/lattice) the security of the scheme is based on. In the second column, we state in which of the idealized models the security claim and corresponding proof hold: either in the Random Oracle Model (ROM) or the Quantum Random Oracle Model (QROM). The latter is stronger than the former because, as discussed in Section 2, it assumes a more powerful adversary. Next, it is specified if quantum resistant features hold in a future quantum (FutQ) or post-quantum (PostQ) scenario. The latter, where it is assumed that the adversary has access to quantum computation during protocol executions, is preferable to the former, where key secrecy is only guaranteed against adversaries that cannot make quantum computations during protocol executions but have access to this option at some point in the future. Finally, we indicate if the key exchange is authenticated. Note that the compilers [5,6] have a special treatment, as the assumption type and the model depend on the underlying post-quantum tools used to implement them. Table 2. Security of GKE/GAKE protocols claimed to be quantum-resistant.
n-UM [1] Isogeny QROM PostQ Yes BC n-DH [1] Isogeny ROM PostQ Yes Apon et al. [2] Lattice ROM PostQ No STAG [4] Lattice ROM PostQ Yes Pers. et al. [5] Compiler No RO added PostQ Yes Gonz. et al. [6] Compiler Seeing the two comparison tables, it seems clear that the only scheme outperforming our construction is n-UM [1], which is based on the isogeny paradigm. However, it is fair to say that lattice-based constructions such as ours seem somewhat more promising in this field, considering the recent outcome of the Third Round of the NIST competition for standardizing post-quantum tools. While several lattice-based constructions made it to this last round, no isogeny-based scheme is in the final (and only one proposal, SIKE [11], is considered as alternative for replacing finalists that may be discarded in the last phase).
Paper Roadmap. We start with a brief outline of the preliminaries in Section 2, where we introduce Abdalla et al.'s compiler from [8] and comment on the basics of post-quantum security. Further, we explain in Section 3 how to derive building blocks for our construction (AKE and a commitment scheme) from the Kyber family. In particular, we use the results from [9] to prove that we can obtain both a suitable commitment scheme and a secure two-party AKE from the encryption scheme Kyber.CPA . Our compiled construction is then described and proven secure in Section 4, where we also make explicit the security model used. We conclude this contribution with a brief conclusion.

Abdalla et al.'s Compiler
Here, we describe a compiler constructed by Abdalla et al. in [8], which enables the derivation of a group authenticated key establishment protocol GAKE from an arbitrary two-party key establishment 2AKE. The compiler does not rely on further authentication techniques than those used in 2AKE, nor on further idealization assumptions. Moreover, if 2AKE requires r rounds of communication, then GAKE requires r + 2 rounds.
Let P be the set of users that can participate in the protocol GAKE. This set P is assumed to be of polynomial size. The set G = {U 0 , U 1 , . . . , U n−1 } ⊂ P denotes the set of n > 2 participants that wish to establish a common session key. Each protocol participant U i ∈ G, i = 0, . . . , n − 1, may be involved in distinct, possibly parallel, executions of GAKE.
Since 2AKE is an authenticated key establishment protocol, it is assumed that long-term secrets required for 2AKE have been established during a trusted authentication phase. One of the following three cases is assumed: • Each user U i ∈ G owns a pair (pk i , sk i ) consisting of a public key pk i and a secret key sk i , and all needed public keys may be distributed to all protocol participants during the initialization phase. • Each pair of users U i , U j ∈ G, i = j, shares a high entropy symmetric key, or the complete set of participants G shares one common secret (different instances of a user may hold different long-term secrets).

•
Each pair of users U i , U j ∈ G, i = j, shares a low entropy password. In this case, we assume a publicly available dictionary D ⊆ {0, 1} * , from which passwords are chosen uniformly at random.
The compiler uses the following cryptographic tools: 1. A non-interactive non-malleable commitment scheme C that is perfectly binding and achieves non-malleability for multiple commitments.

A collision-resistant pseudorandom function family
indexed by a set {0, 1} L of polynomial size, and two publicly known values v 0 and v 1 such that no ppt adversary can find two different indices A hash function H selected from a family of universal hash functions that maps the concatenation of bitstrings from {0, 1} k n and the set of participants G onto {0, 1} L , where n is the number of participants in G and k ∈ N.
With these ingredients, the compiler proceeds as depicted in Figure 2. Our proposed GAKE protocol uses a simplified version of the aforementioned compiler and builds on a post-quantum 2AKE. We describe it in detail in Section 4.

Security in a Post-Quantum Setting
When proving a certain cryptographic construction secure, it is necessary to depict a precise security model making explicit claims and assumptions that can be formally proven and verified. This is, however, not always the case in the post-quantum scenario, as quantum adversaries are often modeled in a very different fashion. Most often, constructions are substantiated on computational assumptions that explicitly state that an adversary is assumed not to be able to efficiently complete a certain computational task (e.g., decoding a word with respect to a certain partially known code or solving certain approximation problems in lattices). However, the way this quantum adversary is assumed to interact with other system-related idealizations (e.g., the oracles modeling information leakage or misuse) is often disregarded, while it may play a central role in a security proof. A paradigmatic example of this situation is the case of hash functions, typically modeled as so-called random oracles.
Random oracles are classically used in cryptography to model idealized hash functions, which are deterministic algorithms that select, for each new query, an output chosen uniformly at random from a certain given range. It is assumed that all users and processes from a certain system are given access to the same random oracles, which means that, for security proofs, if the real cryptographic environment is simulated for an adversary, all random oracle queries must be consistently answered with values that are indistinguishable from random (uniform). In the quantum setting, queries to a random oracle can be done in superposition, which complicates significantly the translations of many classical proofs into this new scenario.
Round r + 1: and chooses a random r i to compute a commitment C i = C(i, X i , r i ).
Round r + 2: • Verification: Each U i checks that X 0 ⊕ X 1 ⊕ · · · ⊕ X n−1 = 0 and the correctness of the commitments. If any one of these checks fails, then U i terminates the protocol execution without computing a session key.
Then, U i defines a master key and sets the session key sk i = F H(K) (v 1 ) and the session identifier sid i = F H(K) (v 0 ), where ∈ N is the security parameter. Following Hövelmanns et al. [9], in this work, we consider quantum adversaries that are given quantum access to the (offline) quantum random oracle involved in our design. More precisely, we need to make use of two basic properties of this so-called quantum-accessible random oracles: • Collision-freeness. In [12], it is proven that the best quantum algorithm for finding a collision for a random function H : ). The analogous classical bound is O(2 n 2 ). While being suboptimal in number of queries, this algorithm is the most efficient in terms of time complexity with small quantum memory. Thus, in the sequel, we may assume that (even for a quantum adversary) finding a collision pair for a quantum-accessible random oracle can only be done with negligible probability (this is used in Section 4.3.1).
• Pseudorandomness. Following again Hövelmanns et al. [9], we use the argument of Zhandry (see [13]) stating that no quantum algorithm, making at most q quantum queries to a quantum random oracle H implementing a random function H : {0, 1} m → {0, 1} n , can distinguish between H and a random polynomial of degree 2q defined over the field F 2 n . As a result, if the input to a quantum random oracle contains enough entropy, then the probability of distinguishing its output from a value chosen uniformly at random is negligible. In other words, when the input is unknown and chosen uniformly at random, the fact that the random oracle can be queried in superposition is of no help in distinguishing the oracle's output from a randomly chosen element. This is used in the quantum random oracle proof from Section 4.3.
We strongly suggest the interested reader consult [14] for a comprehensive introduction to the quantum random oracle model.

Post-Quantum Primitives: 2AKE and Commitment Scheme
In this section, we describe the post-quantum tools used in the construction of our GAKE, namely a two-party authenticated key exchange (AKE) and a commitment scheme. The relations between these tools are summarized in Figure 3.
In the first subsection, we describe Kyber's public key encryption (PKE) scheme and state its security properties that are of importance to the construction of the primitives mentioned above.
In the second subsection, we detail how the 2AKE is obtained from a generic construction proposed in [9], of two-message AKE provably secure in the quantum random oracle model (QROM) from PKE schemes that possess both Disjoint Simulatability (DS) (Definition 2) and IND-CPA security. In particular, we use a slight modification (called Kyber.CPA ) of the CPA-secure PKE scheme introduced in [7] as part of Kyber's package submitted to NIST's post-quantum standardization effort. We describe the FO AKE transformation which turns a secure PKE into a secure AKE. This subsection ends by proving that Kyber.CPA is DS secure and, therefore, it is possible to construct an AKE secure in the QROM by applying the FO AKE to it.
The third subsection is devoted to the construction of the post-quantum commitment scheme mentioned in Section 2. It must be a non-interactive non-malleable commitment scheme that is perfectly binding and achieves non-malleability for multiple commitments. As pointed out in [8], this can be directly constructed from a public key encryption scheme which achieves the well-known IND-CCA security notion. To this end, we use another transformation described in [9], specifically FO ⊥ m , which turns an IND-CPA and DS PKE into an IND-CCA KEM. Then, we recall that it is straightforward to obtain an IND-CCA PKE from an IND-CCA KEM. Putting everything together, we obtain the desired commitment scheme from Kyber.CPA , the same primitive we use to construct the two-party AKE.  FO AKE [9] [10]

Kyber's IND-CPA PKE
In this subsection, we describe the CPA-secure PKE scheme Kyber.CPA introduced in [7] as part of the Cryptographic Suite for Algebraic Lattices (CRYSTALS), a package of cryptographic primitives submitted to NIST's post-quantum standardization effort. In fact, what we really describe and work with is a slightly modified version, also proposed in [7], called Kyber.CPA .
First, we introduce some definitions needed to understand how the PKE has been constructed and summarize in Table 3 the notation used in the sequel. Then, we describe the key generation, encryption, and decryption algorithms used in Kyber.CPA , as well as its CPA-security under the Module-LWE hardness assumption (Definition 1).
Denote by R the ring Z[X]/(X n + 1) and by R q the ring Z q [X]/(X n + 1), where n = 2 n −1 such that X n + 1 is the 2 n th cyclotomic polynomial. As in [7], we fix the values for n, n and q to 256, 9 and 7681.
For some positive integer η, define the centered binomial distribution B η as follows ( [7]):

Notation Representation
Bold lower-case Vectors with coefficients in R or R q . All vector will be column vectors by default.
Regular font letter Elements in R or R q .
Bold upper-case Matrices.
s ← S If S is a set, s is chosen uniformly at random from S. If S is a distribution, s is chosen according to such distribution S.
Value y that is distributed according to distribution S (or uniformly over a set S). This is a deterministic procedure.
· · is the rounding function i.e., x = x + 1 2 where x ∈ Q and · is the floor function.
For an even (respectively, odd) integer α, r = r mod ± α is the unique element r in the range The security assumption underlying Kyber.CPA is based on the hardness of the Module-LWE problem, which generalizes the Learning with Errors (LWE) problem. Learning with errors (LWE) is the computational problem of inferring a linear n-ary function f over a finite ring from given (slightly incorrect) samples y i = f (x i ). Recall that Ring Learning with Errors (RLWE) is the variant of LWE specialized to polynomial rings over finite fields. Informally, Module-LWE can be seen as the result of replacing single ring elements in the RLWE problem with module elements over the same ring (thus, RLWE can be seen as Module-LWE with module rank 1).

Definition 1 (Module-LWE assumption [7]). The Module-LWE problem consists in distinguishing uniform
η common to all samples, and e i ← β n is fresh for every sample. The advantage of an adversary A is defined as The Module-LWE assumption states that the above advantage is negligible for any given adversary A.
The authors of [7] defined a function Compress q (x, d) that takes an element x ∈ Z q and outputs is an element close to x. More specifically, The functions satisfying these requirements are defined in [7] as: The definition of the key generation, encryption, and decryption of Kyber.CPA is given in Algorithms 1-3 as defined in [7]. Unlike Kyber.CPA , the unmodified PKE scheme Kyber.CPA compresses t on Line 4 of Algorithm 1 and, therefore, must decompress t in Algorithm 2.
Kyber.CPA was shown to be IND-CPA secure under the Module-LWE hardness assumption in [7]. This result is stated in the following theorem.

Theorem 1 ([7]
). For any adversary A against the CPA security of Kyber.CPA , let define the advantage Then, there exists an adversary B such that Finally, it is worth pointing out that neither Kyber.CPA nor Kyber.CPA provides perfect correctness. This is discussed in [7], where a value for δ, the probability of decryption error, is obtained for Kyber.CPA. This is easily adapted to Kyber.CPA ; the details can be found in Appendix A.

The FO AKE Transformation: From PKE to AKE
FO AKE is a generic construction proposed in [9], which transforms an IND-CPA secure PKE scheme into an AKE protocol, provably secure in the QROM. The construction admits that the PKE scheme has non-perfect correctness, which makes it suitable for the Kyber.CPA scheme we have previously introduced. Another nice feature is that it avoids the use of (usually expensive) quantum-secure signature schemes. FO AKE can be seen as an extension of the Fujisaki-Okamoto transform (which turns IND-CPA encryption schemes into IND-CCA ones) for the AKE setting.
The resulting AKE after applying the FO AKE transformation is quite efficient in terms of communication. In [9], it is called a two-message protocol, meaning that it is a two-round AKE protocol where one party sends a message in the first round while the other party answers with another message in the second round. As an interesting additional contribution, the authors of [9] defined a security model and two security notions for two-message AKEs: key indistinguishability agains active attacks (IND-AA) and the weaker notion of indistinguishability against active attacks without state reveal in the test session (IND-StAA). We are interested in the second one, as the security of the AKE obtained by using the FO AKE transformation is proved in [9] under this slightly weaker model. Nevertheless, this is enough for our purposes because, as discussed in Section 5 of [15] (the extended version of [9]), IND-StAA implies security in the sense required in the compiler from [8].
A high level description of the IND-StAA model, as formulated in [9], is the following. It states that the session key remains indistinguishable from a random one even if: 1. The attacker knows either the long-term secret key or the secret state information (but not both) of both parties involved in the test session, as long as it did not modify the message received by the test session. 2. If the attacker modified the message received by the test session, as long as it obtained neither the long-term secret key of the test session's peer nor the test session's state.
The authors of the FO AKE transformation proved its IND-StAA security in the QROM as long as the PKE is IND-CPA, and it is possible to efficiently fake ciphertexts that are indistinguishable from proper encryptions, while the probability that the sampling algorithm hits a proper encryption is small. This last notion is called Disjoint Simulatability (DS) of ciphertexts, and is defined in [9] as follows.
Definition 2 (DS). Let PKE = (KG, Enc, Dec) be a PKE scheme with message space M and ciphertext space C, coming with an additional ppt algorithm Enc. For quantum adversaries A, we define the advantage against PKE's disjoint simulatability as When there is no chance of confusion, we drop Enc from the advantage's subscript for convenience. We call PKE ε dis -disjoint if for all pk ∈ supp(KG), where R = R(pk) is a finite randomness space defined by pk.
The authors of the FO AKE transformation suggested that many lattice-based schemes fulfill DS in a natural way as follows: fake encryptions could be sampled uniformly random. DS would follow from the LWE assumption, and since LWE samples are relatively sparse, uniform sampling should be disjoint.
The following theorem establishes that the DS security of Kyber.CPA equipped with an additional algorithm Enc reduces to its Module-LWE security.
Theorem 2 (DS security of Kyber.CPA ). Let η, k, d u , and d v be positive integer parameters for Kyber.CPA . If Kyber.CPA is equipped with a ppt algorithm Enc which samples a uniform ciphertext when given a public key, then, for any adversary A, there exists an adversary B such that Proof. Let A be an adversary attacking the DS security of Kyber.CPA . We obtain a bound for Adv DS Kyber.CPA (A) following the sequence of games in the proof of Theorem 2 in [7]. First, the value t := As + e which is used in KeyGen is substituted by a uniform random value. It follows from the Module-LWE security of Kyber.CPA that the value t and the uniform random value are indistinguishable from each other. Next, the values A T r + e 1 and t T r + e 2 + q 2 · m used in the generation of the challenge ciphertext are simultaneously substituted with uniform random values. Again, it follows from the Module-LWE security of Kyber.CPA that A T r + e 1 and t T r + e 2 + q 2 · m are indistinguishable from the random values. As in [7], we deduce that there exists an adversary B with the same running time as that of A such that Adv DS Kyber.CPA (A) ≤ 2 Adv mlwe k+1,k,η (B). To prove the ε dis -disjointness of Kyber.CPA with ε dis = 2 n (2−d u k−d v ) , we recall that M = {0, 1} n , C = {0, 1} n k d u × {0, 1} n d v , and R = {0, 1} n are the message, ciphertext and random spaces, respectively. Since |Enc(pk, M; R)| ≤ |M| |R| = 2 2 n , we obtain Pr[c ← Enc : c ∈ Enc(pk, M; R)] ≤ max (pk, sk)∈KeyGen(R) |Enc(pk, M; R)| |C| which is the desired result. Now that Theorems 1 and 2 guarantee that Kyber.CPA satisfies the hypotheses of Theorem 3 in [9], we can use it to produce a two-party AKE which fulfills IND-StAA security in the QROM. The resulting scheme, which we denote by Kyber.2AKE, is depicted in Figure 4. Here, G and H are random oracles and H R , H L1 , H L2 , and H L3 are internal random oracles that cannot be accessed directly and could be implemented with a pseudorandom function. Note that this is not the same two-party AKE proposed in [7]. For reference, we include the precise statement of Theorem 3 [9] in Appendix B.

The Commitment Scheme
In this section, we describe how to obtain an IND-CCA PKE from an IND-CPA PKE. This process can be achieved in two steps: To achieve an IND-CCA secure KEM from Kyber.CPA , we apply the FO ⊥ m transformation. This is analogous to the FO AKE transformation that transforms a PKE scheme that is both IND-CPA and DS secure into a CCA-secure KEM. As shown in [9], unlike similar transformations, FO ⊥ m is robust against correctness errors and its security reduction is tighter than the one that results from applying other known transformations. In cases where the PKE is not already DS, this requirement can be waived with negligible loss of efficiency. In the case of Kyber.CPA , there is no loss of efficiency since it is IND-CPA secure and, as shown in Theorem 2, it is DS secure as well. The Algorithms 1, 4, and 5 show the KEM Kyber ⊥ = (Kyber.CPA .KeyGen, Encaps, Decaps) that results from applying the transformation FO ⊥ m to Kyber.CPA . Here, G and H are random oracles and H r is an internal random oracle that cannot be accessed directly and could be implemented with a pseudorandom function. For reference, we include the precise statement of Theorem 2 [9] in Appendix C.  Finally, an IND-CCA PKE is obtained after applying the transformation introduced in [10] to Kyber ⊥ with a secure one-time symmetric key encapsulation (SKE or DEM). We call this scheme Kyber.PKE. The security of this transformation follows from Theorem 5 in [10]. As pointed out in [8], a commitment scheme with the required security properties can be obtained in a straightforward way from the IND-CCA PKE.

Our Post-Quantum Group Key Exchange
In this section, we present our compiled construction of GAKE. Informally, let us recall the setting we are considering. Our participants are honest entities which can be modeled as probabilistic polynomial time Turing machines (thus, have no access to quantum computing resources). These participants can only exchange messages through an insecure network, which is fully under adversarial control (adversaries may insert, delay, suppress or forward messages at will). Moreover, the adversarial computing capabilities are superior to those of participants, as we assume adversaries can preform quantum polynomial time computations and have quantum access to any hash function (modeled as a random oracle) involved. With this in mind, the goal pursued by our protocol is to guarantee that, whenever a participant has computed a session key through the network, this key is indistinguishable from a random value for those outside the intended group of participants involved in that concrete execution. Note that (as is standard in GKE proposals) we cannot expect to prove that the protocol will always terminate when executed by honest parties, we rather pursue formal assurance that, whenever the protocol indeed produces an output key for a participant, this key is secure for subsequent use. Now, to make the text fully self-contained, we start by describing the main notations and formalism used in the sequel.

Security Model
Our security model is inherited from Abdalla et al. [8], which in turn builds upon the seminal work of Bellare et al. [16]. However, ours is a less generic scenario; while in [8] all the proofs are in the common reference string model, our proofs are in the (quantum) random oracle model. More precisely, we assume that all public keys and parameters needed for implementing Kyber.2AKE and Kyber.PKE are publicly known (and certified), as well as the description of all involved hash functions, which are idealized as random oracles. Further, we will assume that the long term keys needed for authentication in Kyber.2AKE are generated and distributed to all potential protocol participants in a trusted initialization phase. As customary, we use variables to detail the information stored by users with respect to each protocol execution, and oracles to model adversarial action.

Protocol Instances
Each protocol participant U i ∈ U (i ∈ N) may execute a polynomial number of protocol instances in parallel. A single instance Π s i i can be interpreted as a process executed by protocol participant U i . Throughout, the notation Π s i i is used to refer to instance s i of protocol participant U i ∈ U . To each instance, we assign seven variables: We do not make explicit the initialization and evolution of all variables mentioned above, yet omissions are straightforward to understand from the context.

Communication Network
We assume arbitrary point-to-point connections among users to be available. The network is non-private and fully asynchronous: The adversary may delay, eavesdrop, insert, and delete messages at will.

Adversarial Capabilities
Following Hövelmanns et al. [15], we consider adversaries that can preform (quantum) polynomial time computations, and have classical access to all (online) oracles listed below. Furthermore, as explained in Section 2.2, our adversaries are given quantum access to any (offline) random oracles involved.
The capabilities of an adversary A are made explicit through access to oracles allowing A to communicate with protocol instances run by the users: Test(U i , s i ) Let b be a bit chosen uniformly at random. Provided that the session key is defined (i. e., acc s i i = true and sk s i i = NULL) and instance Π s i i is fresh (see the definition of freshness below), A can execute this oracle query at any time when being activated. Then, the session key sk s i i is returned if b = 0 and a uniformly chosen random session key is returned if b = 1. In this model, an arbitrary number of Testqueries is allowed for the adversary A, but, once the Test oracle has returned a value for an instance Π s i i , it will return the same value for all instances partnered with Π s i i (see the definition of partnering below). Corrupt(U i ) This returns all long-term secrets of user U i -in our case, the private keys used for authentication in Kyber.2AKE.

Correctness, Integrity and Secrecy
To define our correctness and security goals, we introduce partnering to express which instances are associated in a common protocol session.
Partnering. We refer to instances Π  Next, for detailing the security definition, we have to specify under which conditions a Test-query may be executed.

Definition 5.
A Test-query should only be allowed to those instances holding a key that is not for trivial reasons known to the adversary. To this aim, an instance Π s i i is called fresh if none of the following holds: • For some U j ∈ pid s i i , a query Corrupt(U j ) was executed before a query of the form Send(U k , s k , M) has taken place, for some message (or set of identities) M and some U k ∈ pid s i i .

•
The adversary earlier queried Reveal(U j , s j ) with Π s i i and Π s j j being partnered.
The idea of this definition is that revealing a session key from an instance Π s i i trivially yields the session key of all instances partnered with Π s i i , and hence this kind of "attack" will be excluded in the security definition.
For a secure group key establishment protocol, we have to impose a corresponding bound on the adversary's advantage: The advantage Adv A ( ) of a ppt adversary A in attacking protocol P is a function in the security parameter , defined as Here, Succ is the probability that the adversary queries Test only on fresh instances and guesses correctly the bit b used by the Test oracle (without violating the freshness of those instances queried with Test) : Definition 6. We say that an authenticated group key establishment protocol P is secure if for every ppt adversary A the following inequality holds for some negligible function negl:

Our Construction
We aim at a full description of a GAKE protocol that can be proven secure against quantum adversaries, building on a post-quantum 2AKE and using the compiler described in Section 2.1. Our proposal is depicted in Figure 5. Note that in our compiled design we take as starting point a slightly modified version of the compiler from [8], in two ways:

•
We simplify the session key and session identifier computation using two hash functions to extract them from the shared master key K. Indeed, as the 2AKE we use as building block is proven secure in the (quantum) random oracle model, it no longer makes sense to use the (somewhat complicated) key extraction procedure defined in [8] to dodge idealized hash functions. Thus, we forgo Tools 1 and 2 mentioned in Section 2.1 and use two hash functionsĤ andF instead. Thus, at the final Computation phase, each user U i will set the session key as sk i =Ĥ(K) and the corresponding session identifier as sid i =F(K), where K is the master key shared by everyone involved in the execution. • Further, we make an additional requirement on the compiled 2AKE, needed for the security proof. Indeed, as pointed out by Nam in [18], an extra condition on the two party protocol used as a base must be imposed in Theorem 1 of [8]. Indeed, the underlying 2AKE should fulfill integrity in order to thwart a simple replay attack (in the proof of Theorem 1 of [8], it is actually assumed that integrity is fulfilled-see the argument related to Game 1). We thus slightly tune up the two-party 2AKE to make sure integrity is achieved.

Security Arguments and Proofs
To prove that our compiled version is secure, we build upon the security of our underlying tools. More precisely, we use the following results: (i) Kyber.2AKE, as depicted in Figure 4, is secure in the sense of IND-StAA and can be modified to also attain integrity as in Definition 4. Note that, as explained in Section 5 of [15], IND-StAA implies security in the sense required in the original compiler from [8]. (ii) The encryption scheme Kyber.PKE yields a non-interactive commitment scheme that is both non-malleable for multiple commitments and perfectly binding. This comes straightforward as a result of this scheme being IND-CCA (see Section 3.3 and [15]).

A Variant of Kyber.2AKE Attaining Integrity
Informally, it is easy to modify in a standard way the construction Kyber.2AKE to attain integrity. The main idea is to add a second random oracle F which, at the point of key derivation, will be applied to the same input as H in order to derive a session identifier. Then, it is trivial to state that integrity of this modified Kyber.2AKE construction is attained both in the ROM and in the QROM, due to the collision resistance of the involved random oracles (see Section 2.2). Indeed, suppose that k = k . Since H and F are random oracles, their collision resistance guarantees that, with overwhelming probability, both participants have the same partner identifiers and, therefore, use the same session key k. This argument is valid both in the classical and quantum-accessible random oracle model (see Section 2.2). In the sequel, we assume this modification is in place and thus Kyber.2AKE attains integrity.
Round 3: and chooses a random r i to derive a commitment C i = Kyber.PKE(i, X i ; r i ), • Verification: Each U i checks that X 0 ⊕ X 1 ⊕ · · · ⊕ X n−1 = 0 and the correctness of the commitments.
If any one of these checks fails, U i terminates the protocol execution setting acc i := FALSE, otherwise it sets acc i := TRUE and pid i := G.
Then, U i defines a master key

Security of Our Proposed Group Protocol
Theorem 3. In the random oracle model, the protocol presented in Figure 5 is a correct and secure authenticated group key establishment protocol fulfilling integrity, in the sense of Definitions 3, 6, and 4.
Proof. This proof is a (somewhat) straightforward adaptation of the security proof of Theorem 1 of [8], which we use as a main tool in our construction.

Correctness.
In an honest execution of the protocol, it is easy to verify that all participants in the protocol will terminate by accepting and computing the same session identifier and session key.
Integrity. Owing to the collision-resistance of the random oracleF all oracles that accept with identical session identifiers also hold with overwhelming probability the same master key K and pid (which can be read from K) will therefore also derive the same session keyĤ(K).
Key secrecy. The proof of key secrecy will proceed in a sequence of games, starting with the real attack against the key secrecy of the group key exchange protocol and ending in a game in which the adversary's advantage is 0, and for which we can bound the difference in the adversary's advantage between any two consecutive games. Following standard notation, we denote by Adv(A, G i ) the advantage of the adversary A in Game i. Furthermore, for clarity, we classify the Send queries into three categories, depending on the stage of the protocol to which the query is associated, starting with Send-0 and ending with Send-2. Send-t denotes the Send query associated with round t for t = 0, 1, 2.
The first three games from this proof are exactly the same as those in the proof of Theorem 1 of [8]. We only summarize the reduction and refer the interested reader to the original paper for a detailed description.
Game 0. This first game corresponds to a real attack, in which all the parameters, such as the public parameters in the common reference string and the long-term secrets associated with each user, are chosen as in the actual scheme. By definition, Adv(A, G 0 ) = Adv(A). Game 1. In this game, for i = 1, . . . , n, we modify the simulation of the Send and Execute oracles so that, whenever an instance Π s i i is still considered fresh at the end of Round 2, the keys i+1 are replaced with random values from the appropriate set. It is easy to see that the distance between this game and the previous one is bounded by the probability that the adversary breaks the security of any of the underlying 2-AKE protocols. As a result, it holds where q send represents the number of different protocol instances in Send queries.

Game 2.
In this game, we change the simulation of the Send oracle so that a fresh instance Π s i i does not accept in Round 4 whenever one commitment C j for j = i it receives in Round 3 was generated by the simulator but not generated by the respective instance Π s j j , j = i in the same session. The adversary A can detect the difference to Game G 1 if A replayed a commitment that should have led to acceptance in Round 4 in that game. Because the committed value X i is a random value independent of previous messages, the probability for this is negligible.
This game reproduces the modification also for adversary-generated commitments: The simulation of the Send oracle changes so that a fresh instance Π s i i does not accept in Round 4 whenever one commitment C j for j = i it receives in Round 3 was adversary-generated. The adversary's advantage diverges only negligibly from the previous game: Adv(A, G 3 ) − Adv(A, G 2 ) ≤ negl( ) Game 4. Now, the simulations of the Execute and Send oracles are modified at the point of computing the session key. The simulator keeps a list of strings (K 1 , . . . , K n , G). Once an instance receives the last Send-2 query, the simulator computes K 1 , . . . , K n and checks if for the corresponding string (K 1 , . . . , K n , G) a master key was already issued. If this is the case, it assigns the corresponding master key to the instance. If no such entry exists in the list, the simulator chooses a session key sk s i i ∈ {0, 1} uniformly at random. Note that, even if the messages from Round 4 are sent out, the master key is still containing sufficient entropy so that the random oracle outputĤ is indistinguishable from a random sk s i i with negligible probability only. As a result, Now, clearly, in Game G 4 , all session keys are chosen uniformly at random and the adversary has no advantage.

Theorem 4.
In the quantum random oracle model, the protocol presented in Figure 5 is a correct and secure authenticated group key establishment protocol fulfilling integrity, in the sense of Definitions 3, 6, and 4.
Proof. (sketch) The proof follows the exact reasoning of Theorem 3; we only need to stress that the argument from Game 4 is still valid when considering quantum-accessible random oracles. Indeed, in this last game, the simulations of the Execute and Send oracles are modified at the point of computing the session key. The simulator keeps a list of strings (K 1 , . . . , K n , G), and, upon receiving the last Send-2 query, it computes the values K 1 , . . . , K n and checks if a corresponding master key has already been issued previously. If this is the case, this master key will be assigned to the instance. Otherwise, the simulator chooses a session key sk s i i ∈ {0, 1} uniformly at random. At this point, all two party keys K 1 , . . . , K n are chosen uniformly at random and are unknown to the adversary. The adversary can only notice this last change if it has already queried the very same key string to the quantum random oracleĤ. This event will happen with negligible probability. As a result, the outputĤ is indistinguishable from a random sk s i i with overwhelming probability. Thus, we have Now, clearly, in Game G 4 , all session keys are chosen uniformly at random and the adversary has no advantage.

Conclusions
We present in this paper a post-quantum GAKE using Abdalla et al.'s compiler from [8] as design frame. We choose the Kyber suite [7] as main building block, not only because it is a good design fit for our compiled strategy, but also considering its promising security properties (as Kyber is one of the four remaining finalists for public key encryption in the Third Round of the NIST competition). More precisely, we evidence that a secure 2AKE as needed for our compiled construction can be derived using the FO AKE transformation proposed in [9], by proving the encryption scheme Kyber.CPA to be DS secure.
Our four-round instantiation can as a result be proven to provide post-quantum security guarantees under the Module-LWE assumption in the quantum random oracle model.
where the expectation is taken over (pk, sk) ← KeyGen() and the probability is taken over the random space of Enc.
Following the proof of Theorem 1 in [7], it is not hard to prove the following theorem, which provides the value δ when dealing with Kyber.CPA .
Theorem A1. Let k be a positive integer parameter. Let s, e, r, e 1 , e 2 be random variables that have the same distribution as in Algorithms 1 and 2. In addition, let c u ← ψ k d u , c v ← ψ k d v be distributed according to the distribution ψ defined as follows: Let ψ k d be the following distribution over R: 1. Choose uniformly-random y ← R k 2. return (y − Descompress q (Compress q (y, d), d)) mod ± q Denote δ = Pr e T r + e 2 + c v − s T e 1 − s T c u ∞ ≥ q/4 , where, for w = w 0 + w 1 X + · · · + w n−1 X n−1 ∈ R: ||w|| ∞ = max i |w i mod ± q|, and, similarly, for w = (w 1 , . . . , w k ) ∈ R k : Then, the modified scheme Kyber.CPA is (1 − δ)-correct.

Appendix B. Transformation from IND-CPA PKE to Secure 2AKE
We reproduce here the result given in [9] about the IND-StAA security of the FO AKE transformation. The following theorem states that the IND-StAA security of AKE = FO AKE (PKE, G, H), where PKE is a PKE scheme and G, H are random oracles, reduces to the DS and IND-CPA security of PKE. Note that some references to oracles appear in the statement; for details about these oracles and the formal definition of IND-StAA security, see [9]. Theorem A2 ([9]). Assume PKE=(KG,Enc,Dec) to be (1 − δ)-correct, and to come with a sampling algorithm Enc such that it is ε-disjoint. Let N be the number of parties, and suppose that any attacker is granted access to an oracle REVEAL which reveals the respective session's key (if already defined). Then, for any IND-StAA adversary B that establishes S sessions and issues at most q R (classical) queries to REVEAL, at most q G (quantum) queries to random oracle G, and at most q H (quantum) queries to random oracle H, there exist adversaries A DS and A CPA against PKE such that

Appendix C. Transformation from IND-CPA PKE to IND-CCA KEM
We reproduce here the result given in [9] about the IND-CCA security of the FO ⊥ m transformation. The following theorem states that the IND-CCA security of FO ⊥ m = FO ⊥ (PKE, G, H), where PKE is a PKE scheme and G, H are random oracles, reduces to the DS and IND-CPA security of PKE. Note that some references to oracles appear in the statement; for details about these oracles (see [9]). Theorem A3 ([9]). Assume PKE=(KG,Enc,Dec) to be (1 − δ)-correct, and to come with a sampling algorithm Enc such that it is ε dis -disjoint. Suppose that any attacker is granted access to an oracle DECAPS. Then, for any (quantum) IND-CCA adversary A issuing at most q D (classical) queries to decapsulation oracle DECAPS, at most q G quantum queries to random oracle G, and at most q H quantum queries to random oracle H, there exist (quantum) adversaries B DS and A CCA against PKE such that