# Post-Quantum Static-Static Key Agreement Using Multiple Protocol Instances

```bibtex
@inproceedings{Azarderakhsh2017PostQuantumSK,
  title     = {Post-Quantum Static-Static Key Agreement Using Multiple Protocol Instances},
  author    = {Reza Azarderakhsh and David Jao and Christopher Leonardi},
  booktitle = {SAC},
  year      = {2017}
}
```

Some key agreement protocols leak information about secret keys if dishonest participants use specialized public keys. We formalize these protocols and attacks, and present a generic transformation that can be made to such key agreement protocols to resist such attacks. Simply put, each party generates k different keys, and two parties perform key agreement using all \(k^2\) combinations of their individual keys. We consider this transformation in the context of various post-quantum key…

## 24 Citations

Post-quantum Asynchronous Deniable Key Exchange and the Signal Handshake

- Computer Science; IACR Cryptol. ePrint Arch.
- 2021

This paper shows how to construct asynchronous deniable key exchange by combining KEMs and designated verifier signature (DVS) schemes, matching the characteristics of Signal, and yields a template for an efficient post-quantum realization of the Signal handshake with the same asynchronicity and security properties as the original Signal protocol.

Towards Post-Quantum Security for Signal's X3DH Handshake

- Computer Science, Mathematics
- 2020

This paper introduces the notion of a split key encapsulation mechanism (split KEM) to translate the desired key-reusability of a DH-based protocol to a KEM-based flow and proposes split KEMs as a specific target for instantiation in future research.

Post-Quantum Signal Key Agreement with SIDH

- Computer Science, Mathematics; IACR Cryptol. ePrint Arch.
- 2021

This paper defines a formal security model for the original Signal protocol, in the context of the standard eCK and CK+ type models, which it calls the Signal-adapted-CK model, and proposes a secure replacement based on SIDH, which achieves deniability without expensive machinery such as post-quantum ring signatures.

New Techniques for SIDH-based NIKE

- Computer Science, Mathematics; J. Math. Cryptol.
- 2020

Two new techniques to reduce the cost of SIDH-based NIKE are presented, with various possible tradeoffs between key size and computational cost.

An Exposure Model for Supersingular Isogeny Diffie-Hellman Key Exchange

- Computer Science, Mathematics; CT-RSA
- 2018

This work proposes a random curve isomorphism that is performed just before the large-degree isogeny that is computationally inexpensive compared to the whole of SIDH and can still operate with the Kirkwood et al. validation model.

Torsion point attacks on “SIDH-like” cryptosystems

- Computer Science, Mathematics
- 2021

Existing cryptanalysis approaches exploiting the isogeny, often called “torsion point information”, are surveyed, their current impact on SIKE and related algorithms is summarized, and some research directions that might lead to further impact are suggested.

EdSIDH: Supersingular Isogeny Diffie-Hellman Key Exchange on Edwards Curves

- Computer Science, Mathematics; SPACE
- 2018

This work proposes an implementation of supersingular isogeny Diffie-Hellman (SIDH) key exchange for complete Edwards curves and their complete addition formulae and provides security benefits against side-channel attacks.

A Note on a Static SIDH Protocol

- Computer Science, Mathematics; IACR Cryptol. ePrint Arch.
- 2019

This short note shows how to break Protocol A in one oracle query per private key bit and O(1) local complexity, and assumes readers are familiar with the GPST attack on Supersingular Isogeny Diffie–Hellman (SIDH).

SHealS and HealS: Isogeny-Based PKEs from a Key Validation Method for SIDH

- Computer Science, Mathematics; ASIACRYPT
- 2021

A new countermeasure to the GPST adaptive attack on SIDH is presented that requires neither key disclosure as in SIKE nor multiple parallel instances as in k-SIDH; SHealS is proved IND-CPA secure under a new assumption the authors introduce, and its IND-CCA security is conjectured.

SIDH Proof of Knowledge

- Computer Science, Mathematics; IACR Cryptol. ePrint Arch.
- 2021

A modified sigma protocol is proposed fixing the issue with the De Feo–Jao–Plût scheme, and a modification of this scheme allows the torsion points in the public key to be verified too, leading to more efficient SIDH-based non-interactive key exchange (NIKE).

## References

Key Compression for Isogeny-Based Cryptosystems

- Computer Science, Mathematics; AsiaPKC '16
- 2016

This work presents a method for key compression in quantum-resistant isogeny-based cryptosystems, which allows a reduction in storage and transmission costs of per-party public information by a factor of two, by associating a canonical choice of elliptic curve to each j-invariant, and representing elements on the curve as linear combinations with respect to a canonical choice of basis.

CRYSTALS - Kyber: A CCA-Secure Module-Lattice-Based KEM

- Computer Science, Mathematics; 2018 IEEE European Symposium on Security and Privacy (EuroS&P)
- 2018

This paper introduces Kyber, a portfolio of post-quantum cryptographic primitives built around a key-encapsulation mechanism (KEM) based on hardness assumptions over module lattices; it introduces a CPA-secure public-key encryption scheme and from it constructs, in a black-box manner, CCA-secure encryption, key exchange, and authenticated-key-exchange schemes.

Frodo: Take off the Ring! Practical, Quantum-Secure Key Exchange from LWE

- Computer Science, Mathematics; IACR Cryptol. ePrint Arch.
- 2016

Despite conventional wisdom that generic lattices might be too slow and unwieldy, it is demonstrated that LWE-based key exchange is quite practical: the authors' constant-time implementation requires around 1.3 ms of computation time for each party; compared to the recent NewHope R-LWE scheme, communication sizes increase by a factor of 4.7x, but remain under 12 KiB in each direction.

Post-quantum Key Exchange - A New Hope

- Computer Science, Mathematics; USENIX Security Symposium
- 2016

New parameters and a better suited error distribution are proposed, the scheme's hardness against attacks by quantum computers is analyzed in a conservative way, a new and more efficient error-reconciliation mechanism is introduced, and a defense against backdoors and all-for-the-price-of-one attacks is proposed.

On the Security of Supersingular Isogeny Cryptosystems

- Computer Science, Mathematics; ASIACRYPT
- 2016

This work gives a very powerful active attack on the supersingular isogeny encryption scheme, and shows that the security of all schemes of this type depends on the difficulty of computing the endomorphism ring of a supersingular elliptic curve.

Towards Quantum-Resistant Cryptosystems from Supersingular Elliptic Curve Isogenies

- Mathematics, Computer Science; PQCrypto
- 2011

The main technical idea in this scheme is that the images of torsion bases under the isogeny are transmitted in order to allow the two parties to arrive at a common shared key despite the noncommutativity of the endomorphism ring.

Efficient Algorithms for Supersingular Isogeny Diffie-Hellman

- Computer Science, Mathematics; CRYPTO
- 2016

We propose a new suite of algorithms that significantly improve the performance of supersingular isogeny Diffie-Hellman (SIDH) key exchange. Subsequently, we present a full-fledged implementation of…

A Simple Provably Secure Key Exchange Scheme Based on the Learning with Errors Problem

- Computer Science, Mathematics; IACR Cryptol. ePrint Arch.
- 2012

This work uses the learning with errors (LWE) problem to build a new simple and provably secure key exchange scheme, and extends the scheme to the ring learning with errors problem, resulting in small key sizes and better efficiency.

Efficient Compression of SIDH Public Keys

- Computer Science; EUROCRYPT
- 2017

Given that the runtime of SIDH key exchange is currently its main drawback in relation to its lattice- and code-based post-quantum alternatives, an order of magnitude performance penalty for a factor of two improvement in bandwidth presents a trade-off that is unlikely to favor public-key compression in many scenarios.

IND-CCA Secure Hybrid Encryption from QC-MDPC Niederreiter

- Computer Science; PQCrypto
- 2016

This work presents an efficient implementation of QC-MDPC Niederreiter for ARM Cortex-M4 microcontrollers and the first implementation of Persichetti's IND-CCA hybrid encryption scheme from PQCrypto'13, instantiated with QC-MDPC Niederreiter for key encapsulation and AES-CBC/AES-CMAC for data encapsulation.