An Efficient Authenticated Key Exchange from Random Self-reducibility on CSIDH

Kawashima, Tomoki; Takashima, Katsuyuki; Aikawa, Yusuke; Takagi, Tsuyoshi

doi:10.1007/978-3-030-68890-5_4

Cited by 14 publications

(6 citation statements)

References 15 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…However, very recently, a polynomial-time key recovery attack on SIDH [32] was found by Castryck and Decru, which implies that SIDH-based AKE is insecure now. On the other hand, CSIDH-based AKE schemes [33]- [35] are also proposed. Since the attack to SIDH is not applicable to CSIDH, CSIDH-based AKE schemes are still secure.…”

Section: Isogeny-based Akementioning

confidence: 99%

Post-Quantum Anonymous One-Sided Authenticated Key Exchange without Random Oracles

Ishibashi

YONEYAMA

2023

IEICE Trans. Fundamentals

View full text Add to dashboard Cite

Authenticated Key Exchange (AKE) is a cryptographic protocol to share a common session key among multiple parties. Usually, PKI-based AKE schemes are designed to guarantee secrecy of the session key and mutual authentication. However, in practice, there are many cases where mutual authentication is undesirable such as in anonymous networks like Tor and Riffle, or difficult to achieve due to the certificate management at the user level such as the Internet. Goldberg et al. formulated a model of anonymous one-sided AKE which guarantees the anonymity of the client by allowing only the client to authenticate the server, and proposed a concrete scheme. However, existing anonymous one-sided AKE schemes are only known to be secure in the random oracle model. In this paper, we propose generic constructions of anonymous one-sided AKE in the random oracle model and in the standard model, respectively. Our constructions allow us to construct the first post-quantum anonymous one-sided AKE scheme from isogenies in the standard model.

show abstract

Section: Isogeny-based Akementioning

confidence: 99%

Post-Quantum Anonymous One-Sided Authenticated Key Exchange without Random Oracles

Ishibashi

YONEYAMA

2023

IEICE Trans. Fundamentals

View full text Add to dashboard Cite

show abstract

“…One post-quantum option that avoids the problem with KEMs described above is to use CSIDH [20], a primitive based on supersingular isogenies that yields a commutative group action which enables non-interactive key exchange. CSIDH could be used to achieve implicit Alice-to-Bob authentication while maintaining asynchronicity and deniability; indeed several key exchange protocols from CSIDH have been proposed [27,54]. Unfortunately, there are several reasons CSIDH may not be a fully satisfactory solution: it is much more computationally expensive than most other forms of post-quantum cryptography; there is ongoing debate about the security of its concrete parameters [11,73]; and the decisional form of a related problem [21] is not hard.…”

Section: Options For Pq Asynchronous Dakementioning

confidence: 99%

Post-quantum Asynchronous Deniable Key Exchange and the Signal Handshake

Brendel

Fiedler

Günther

et al. 2022

Lecture Notes in Computer Science

View full text Add to dashboard Cite

The key exchange protocol that establishes initial shared secrets in the handshake of the Signal end-to-end encrypted messaging protocol has several important characteristics: (1) it runs asynchronously (without both parties needing to be simultaneously online), (2) it provides implicit mutual authentication while retaining deniability (transcripts cannot be used to prove either party participated in the protocol), and (3) it retains security even if some keys are compromised (forward secrecy and beyond). All of these properties emerge from clever use of the highly flexible Diffie-Hellman protocol.While quantum-resistant key encapsulation mechanisms (KEMs) can replace Diffie-Hellman key exchange in some settings, there is no KEM-based replacement for the Signal handshake that achieves all three aforementioned properties, in part due to the inherent asymmetry of KEM operations. In this paper, we show how to construct asynchronous deniable key exchange by combining KEMs and designated verifier signature (DVS) schemes. There are several candidates for post-quantum DVS schemes, either direct constructions or via ring signatures. This yields a template for an efficient post-quantum realization of the Signal handshake with the same asynchronicity and security properties as the original Signal protocol.

show abstract

“…While we know instantiations for most of the above assumptions with respect to a classical attacker, at this moment we do not know of a post-quantum secure instantiation of the DDH assumption. In the future, a candidate for post-quantum DDH could be the CSI-DDH [45] assumption, based on the CSIDH assumption [24]. Their concrete security is however the subject of discussions [13,16,20,54].…”

Section: Cryptographic Assumptions In Pq-bcmentioning

confidence: 99%

A Logic and an Interactive Prover for the Computational Post-Quantum Security of Protocols

Cremers

Fontaine

Jacomme

2022

2022 IEEE Symposium on Security and Privacy (SP)

View full text Add to dashboard Cite

We provide the first mechanized post-quantum sound security protocol proofs. We achieve this by developing PQ-BC, a computational first-order logic that is sound with respect to quantum attackers, and corresponding mechanization support in the form of the PQ-Squirrel prover.Our work builds on the classical BC logic [7] and its mechanization in the Squirrel [5] prover. Our development of PQ-BC requires making the BC logic sound for a single interactive quantum attacker. We implement the PQ-Squirrel prover by modifying Squirrel, relying on the soundness results of PQ-BC and enforcing a set of syntactic conditions; additionally, we provide new tactics for the logic that extend the tool's scope.Using PQ-Squirrel, we perform several case studies, thereby giving the first mechanical proofs of their computational post-quantum security. These include two generic constructions of KEM based key exchange, two sub-protocols from IKEv1 and IKEv2, and a proposed post-quantum variant of Signal's X3DH protocol. Additionally, we use PQ-Squirrel to prove that several classical Squirrel case studies are already post-quantum sound.

show abstract

An Efficient Authenticated Key Exchange from Random Self-reducibility on CSIDH

Cited by 14 publications

References 15 publications

Post-Quantum Anonymous One-Sided Authenticated Key Exchange without Random Oracles

Post-Quantum Anonymous One-Sided Authenticated Key Exchange without Random Oracles

Post-quantum Asynchronous Deniable Key Exchange and the Signal Handshake

A Logic and an Interactive Prover for the Computational Post-Quantum Security of Protocols

Contact Info

Product

Resources

About