Post-Quantum Static-Static Key Agreement Using Multiple Protocol Instances

@inproceedings{Azarderakhsh2017PostQuantumSK,
  title={Post-Quantum Static-Static Key Agreement Using Multiple Protocol Instances},
  author={Reza Azarderakhsh and David Jao and Christopher Leonardi},
  booktitle={SAC},
  year={2017}
}
Some key agreement protocols leak information about secret keys if dishonest participants use specialized public keys. We formalize these protocols and attacks, and present a generic transformation that can be made to such key agreement protocols to resist such attacks. Simply put, each party generates k different keys, and two parties perform key agreement using all \(k^2\) combinations of their individual keys. We consider this transformation in the context of various post-quantum key… 
Post-quantum Asynchronous Deniable Key Exchange and the Signal Handshake
TLDR
This paper shows how to construct asynchronous deniable key exchange by combining KEMs and designated verifier signature (DVS) schemes, matching the characteristics of Signal, and yields a template for an efficient post-quantum realization of the Signal handshake with the same asynchronicity and security properties as the original Signal protocol.
Towards Post-Quantum Security for Signal's X3DH Handshake
TLDR
This paper introduces the notion of a split key encapsulation mechanism (split KEM) to translate the desired key-reusability of a DH-based protocol to a KEM-based flow and proposes split KEMs as a specific target for instantiation in future research.
Post-Quantum Signal Key Agreement with SIDH
TLDR
This paper defines a formal security model for the original Signal protocol, in the context of the standard eCK and CK+ type models, which it is called the Signal-adapted-CK model, and proposes a secure replacement based on SIDH, which achieves deniability without expensive machinery such as post-quantum ring signatures.
New Techniques for SIDH-based NIKE
TLDR
Two new techniques to reduce the cost of SIDH-based NIKE are presented, with various possible tradeoffs between key size and computational cost.
An Exposure Model for Supersingular Isogeny Diffie-Hellman Key Exchange
TLDR
This work proposes a random curve isomorphism that is performed just before the large-degree isogeny that is computationally inexpensive compared to the whole of SIDH and can still operate with the Kirkwood et al. validation model.
Torsion point attacks on “SIDH-like” cryptosystems
TLDR
Existing cryptanalysis approaches exploiting the isogeny, often called “torsion point information”, are surveyed, their current impact on SIKE and related algorithms are summarized, and some research directions that might lead to further impact are suggested.
EdSIDH: Supersingular Isogeny Diffie-Hellman Key Exchange on Edwards Curves
TLDR
This work proposes an implementation of supersingular isogeny Diffie-Hellman (SIDH) key exchange for complete Edwards curves and their complete addition formulae and provides security benefits against side-channel attacks.
A Note on a Static SIDH Protocol
TLDR
This short note will show how to break Protocol A in one oracle query per private key bit and O(1) local complexity and assume the readers to be familiar with the GPST attack on Supersingular Isogeny Diffie–Hellman (SIDH).
SHealS and HealS: Isogeny-Based PKEs from a Key Validation Method for SIDH
TLDR
A new countermeasure to the GPST adaptive attack on SIDH does not require key disclosure as in SIKE, nor multiple parallel instances as in k-SIDH, and it is proved that SHealS is IND-CPA secure relying on a new assumption the authors introduce and they conjecture its IND-CCA security.
SIDH Proof of Knowledge
TLDR
A modified sigma protocol is proposed fixing the issue with the De Feo–Jao–Plût scheme, and a modification of this scheme allows the torsion points in the public key to be verified too, leading to more efficient SIDH-based non-interactive key exchange (NIKE).
...
1
2
3
...

References

SHOWING 1-10 OF 25 REFERENCES
Key Compression for Isogeny-Based Cryptosystems
TLDR
This work presents a method for key compression in quantumresistant isogeny-based cryptosystems, which allows a reduction in and transmission costs of per-party public information by a factor of two, by associating a canonical choice of elliptic curve to each j-invariant, and representing elements on the curve as linear combinations with respect to a canonical choices of basis.
CRYSTALS - Kyber: A CCA-Secure Module-Lattice-Based KEM
TLDR
This paper introduces Kyber, a portfolio of post-quantum cryptographic primitives built around a key-encapsulation mechanism (KEM), based on hardness assumptions over module lattices, and introduces a CPA-secure public-key encryption scheme and eventually construct, in a black-box manner, CCA-secure encryption, key exchange, and authenticated-key-exchange schemes.
Frodo: Take off the Ring! Practical, Quantum-Secure Key Exchange from LWE
TLDR
Despite conventional wisdom that generic lattices might be too slow and unwieldy, it is demonstrated that LWE-based key exchange is quite practical: the authors' constant time implementation requires around 1.3ms computation time for each party; compared to the recent NewHope R-LWE scheme, communication sizes increase by a factor of 4.7x, but remain under 12 KiB in each direction.
Post-quantum Key Exchange - A New Hope
TLDR
New parameters and a better suited error distribution are proposed, the scheme's hardness against attacks by quantum computers is analyzed in a conservative way, a new and more efficient error-reconciliation mechanism is introduced, and a defense against backdoors and all-for-the-price-of-one attacks is proposed.
On the Security of Supersingular Isogeny Cryptosystems
TLDR
This work gives a very powerful active attack on the supersingular isogeny encryption scheme, and shows that the security of all schemes of this type depends on the difficulty of computing the endomorphism ring of asupersingular elliptic curve.
Towards Quantum-Resistant Cryptosystems from Supersingular Elliptic Curve Isogenies
TLDR
The main technical idea in this scheme is that the images of torsion bases under the isogeny are transmitted in order to allow the two parties to arrive at a common shared key despite the noncommutativity of the endomorphism ring.
Efficient Algorithms for Supersingular Isogeny Diffie-Hellman
We propose a new suite of algorithms that significantly improve the performance of supersingular isogeny Diffie-Hellman SIDH key exchange. Subsequently, we present a full-fledged implementation of
A Simple Provably Secure Key Exchange Scheme Based on the Learning with Errors Problem
  • Jintai Ding
  • Computer Science, Mathematics
    IACR Cryptol. ePrint Arch.
  • 2012
TLDR
This work uses the learning with errors (LWE) problem to build a new simple and provably secure key exchange scheme and extends the scheme to the ring learning with error problem, resulting in small key size and better efficiency.
Efficient Compression of SIDH Public Keys
TLDR
Given that the runtime of SIDH key exchange is currently its main drawback in relation to its lattice- and code-based post-quantum alternatives, an order of magnitude performance penalty for a factor of two improvement in bandwidth presents a trade-off that is unlikely to favor public-key compression in many scenarios.
IND-CCA Secure Hybrid Encryption from QC-MDPC Niederreiter
TLDR
This work presents an efficient implementation of QC- MDPC Niederreiter for ARM Cortex-M4 microcontrollers and the first implementation of Persichetti's IND-CCA hybrid encryption scheme from PQCrypto'13 instantiated with QC-MDPC NIEDerreitter for key encapsulation and AES-CBC/AES-CMAC for data encapsulation.
...
1
2
3
...