Towards Post-Quantum Security for Signal’s X3DH Handshake

Brendel, Jacqueline; Fischlin, Marc; Günther, Felix; Janson, Christian; Stebila, Douglas

doi:10.1007/978-3-030-81652-0_16

Cited by 14 publications

(2 citation statements)

References 55 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Signal's X3DH handshake [MP16] is a notable example using this feature of NIKEs. Indeed, [Bre+20] shows that a naive replacement of the DH operations by KEMs does not work.…”

Section: Non-interactive Key Exchange In Protocolsmentioning

confidence: 99%

Optimizations and Practicality of High-Security CSIDH

Campos,

Chávez-Saab,

Chi-Domínguez

et al. 2024

IACR CiC

View full text Add to dashboard Cite

In this work, we assess the real-world practicality of CSIDH, an isogeny-based non-interactive key exchange. We provide the first thorough assessment of the practicality of CSIDH in higher parameter sizes for conservative estimates of quantum security, and with protection against physical attacks. This requires a three-fold analysis of CSIDH. First, we describe two approaches to efficient high-security CSIDH implementations, based on SQALE and CTIDH. Second, we optimize such high-security implementations, on a high level by improving several subroutines, and on a low level by improving the finite field arithmetic. Third, we benchmark the performance of high-security CSIDH. As a stand-alone primitive, our implementations outperform previous results by a factor up to 2.53×. As a real-world use case considering network protocols, we use CSIDH in TLS variants that allow early authentication through a NIKE. Although our instantiations of CSIDH have smaller communication requirements than post-quantum KEM and signature schemes, even our highly-optimized implementations result in too-large handshake latency (tens of seconds), showing that CSIDH is only practical in niche cases.

show abstract

“…Signal's X3DH handshake [MP16] is a notable example using this feature of NIKEs. Indeed, [Bre+20] shows that a naive replacement of the DH operations by KEMs does not work.…”

Section: Non-interactive Key Exchange In Protocolsmentioning

confidence: 99%

Optimizations and Practicality of High-Security CSIDH

Campos,

Chávez-Saab,

Chi-Domínguez

et al. 2024

IACR CiC

View full text Add to dashboard Cite

show abstract

“…Brendel, Fischlin, Günther, Janson, and Stebila [15] previously considered the question of building a post-quantum version of the Signal handshake, highlighting many of these problems. They proposed decomposing the three operations of a KEM into a 4operation "split KEM", and showed how a Signal-like handshake could be built from a split KEM meeting a suitably strong security notion.…”

Section: Options For Pq Asynchronous Dakementioning

confidence: 99%

Post-quantum Asynchronous Deniable Key Exchange and the Signal Handshake

Brendel

Fiedler

Günther

et al. 2022

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

The key exchange protocol that establishes initial shared secrets in the handshake of the Signal end-to-end encrypted messaging protocol has several important characteristics: (1) it runs asynchronously (without both parties needing to be simultaneously online), (2) it provides implicit mutual authentication while retaining deniability (transcripts cannot be used to prove either party participated in the protocol), and (3) it retains security even if some keys are compromised (forward secrecy and beyond). All of these properties emerge from clever use of the highly flexible Diffie-Hellman protocol.While quantum-resistant key encapsulation mechanisms (KEMs) can replace Diffie-Hellman key exchange in some settings, there is no KEM-based replacement for the Signal handshake that achieves all three aforementioned properties, in part due to the inherent asymmetry of KEM operations. In this paper, we show how to construct asynchronous deniable key exchange by combining KEMs and designated verifier signature (DVS) schemes. There are several candidates for post-quantum DVS schemes, either direct constructions or via ring signatures. This yields a template for an efficient post-quantum realization of the Signal handshake with the same asynchronicity and security properties as the original Signal protocol.

show abstract