Many a Mickle Makes a Muckle: A Framework for Provably Quantum-Secure Hybrid Key Exchange

Hybrid Authenticated Key Exchange (AKE) protocols combine keying material from different sources (post-quantum, classical, and quantum key distribution (QKD)) to build protocols that are resilient to catastrophic failures of the different components. These failures may be due to advances in quantum computing, implementation vulnerabilities, or our evolving understanding of the quantum (and even classical) security of supposedly quantum-secure primitives. This hybrid approach is a prime candidate for initial deployment of post-quantum-secure cryptographic primitives because it hedges against undiscovered weaknesses. We propose a general framework \(\mathsf {HAKE}\) for analysing the security of such hybrid AKE protocols. \(\mathsf {HAKE}\) extends the classical Bellare-Rogaway model for AKE security to encompass forward security, post-compromise security, fine-grained compromise of different cryptographic components, and more. We use the framework to provide a security analysis of a new hybrid AKE protocol named \(\mathsf {Muckle}\). This protocol operates in one round trip and leverages the pre-established symmetric keys that are inherent to current QKD designs to provide message authentication, avoiding the need to use expensive post-quantum signature schemes. We provide an implementation of our Muckle protocol, instantiating our generic construction with classical and post-quantum Diffie-Hellman-based algorithmic choices. Finally, we report on benchmarking exercises against our implementation, examining its performance in terms of clock cycles, elapsed wall-time, and additional latency in both LAN and WAN settings.
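As an added illustration of the two ideas in the abstract (this is not the paper's own code, and the exact Muckle construction is not given here), the Python sketch below combines a classical Diffie-Hellman secret, a post-quantum secret and a QKD key through chained HKDF stages, so that the session key depends on every contribution, and authenticates the transcript with a pre-established symmetric key in place of a post-quantum signature. The HKDF functions follow RFC 5869; the secrets, pre-shared key and transcript are constructed sample values.

```python
import hashlib
import hmac

HASH = hashlib.sha256

# Constructed sample inputs; in a real run they come from an ECDH exchange,
# a post-quantum KEM and the QKD link, and the PSK is provisioned out of band.
CLASSICAL_SS = bytes.fromhex("11" * 32)
PQ_SS = bytes.fromhex("22" * 32)
QKD_KEY = bytes.fromhex("33" * 32)
PSK = bytes.fromhex("44" * 32)
TRANSCRIPT = b"initiator-hello||responder-hello"


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC-Hash(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC(PRK, T(i-1) || info || i)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def combine_secrets(classical_ss: bytes, pq_ss: bytes, qkd_key: bytes,
                    transcript: bytes) -> bytes:
    """Chain the three contributions: each stage's PRK salts the next, so an
    attacker who learns any two inputs still faces an HKDF stage keyed by the
    one input they do not know (the hedging property of a hybrid combiner)."""
    prk = hkdf_extract(b"\x00" * HASH().digest_size, classical_ss)
    prk = hkdf_extract(prk, pq_ss)
    prk = hkdf_extract(prk, qkd_key)
    return hkdf_expand(prk, b"hybrid session key" + transcript)


def mac_transcript(psk: bytes, transcript: bytes) -> bytes:
    """Authenticate the transcript with the pre-established symmetric key."""
    return hmac.new(psk, transcript, HASH).digest()


def verify_transcript(psk: bytes, transcript: bytes, tag: bytes) -> bool:
    """Constant-time check of a transcript tag."""
    return hmac.compare_digest(mac_transcript(psk, transcript), tag)


def hedging_check(classical_ss: bytes, pq_ss: bytes, qkd_key: bytes,
                  transcript: bytes) -> bool:
    """True iff changing any single contribution changes the session key."""
    base = combine_secrets(classical_ss, pq_ss, qkd_key, transcript)
    flip = lambda b: bytes([b[0] ^ 1]) + b[1:]
    return all(combine_secrets(*args) != base for args in (
        (flip(classical_ss), pq_ss, qkd_key, transcript),
        (classical_ss, flip(pq_ss), qkd_key, transcript),
        (classical_ss, pq_ss, flip(qkd_key), transcript)))
```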
