(2020) Towards Post-Quantum Security for Signal's X3DH Handshake.
This is the latest version of this item.
|
Text
SplitKEM.pdf Download (479kB) | Preview |
Abstract
Modern key exchange protocols are usually based on the Diffie–Hellman (DH) primitive. The beauty of this primitive, among other things, is its potential reusage of key shares: DH shares can be either used a single time or in multiple runs. Since DH-based protocols are insecure against quantum adversaries, alternative solutions have to be found when moving to the post-quantum setting. However, most post-quantum candidates, including schemes based on lattices and even supersingular isogeny DH, are not known to be secure under key reuse. In particular, this means that they cannot be necessarily deployed as an immediate DH substitute in protocols. In this paper, we introduce the notion of a split key encapsulation mechanism (split KEM) to translate the desired key-reusability of a DH-based protocol to a KEM-based flow. We provide the relevant security notions of split KEMs and show how the formalism lends itself to lifting Signal’s X3DH handshake to the post-quantum KEM setting without additional message flows. Although the proposed framework conceptually solves the raised issues, instantiating it securely from post-quantum assumptions proved to be non-trivial. We give passively secure instantiations from (R)LWE, yet overcoming the above-mentioned insecurities under key reuse in the presence of active adversaries remains an open problem. Approaching one- sided key reuse, we provide a split KEM instantiation that allows such reuse based on the KEM introduced by Kiltz (PKC 2007), which may serve as a post-quantum blueprint if the underlying hardness assumption (gap hashed Diffie–Hellman) holds for the commutative group action of CSIDH (Asiacrypt 2018). The intention of this paper hence is to raise awareness of the challenges arising when moving to KEM-based key exchange protocols with key-reusability, and to propose split KEMs as a specific target for instantiation in future research.
Item Type: | Conference or Workshop Item (A Paper) (Paper) |
---|---|
Divisions: | Cas Cremers (CC) |
Conference: | SAC Selected Areas in Cryptography |
Depositing User: | Jacqueline Brendel |
Date Deposited: | 10 May 2021 21:09 |
Last Modified: | 10 May 2021 21:09 |
Primary Research Area: | NRA2: Reliable Security Guarantees |
URI: | https://publications.cispa.saarland/id/eprint/3419 |
Available Versions of this Item
- Towards Post-Quantum Security for Signal's X3DH Handshake. (deposited 10 May 2021 21:09) [Currently Displayed]
Actions
Actions (login required)
View Item |