---
tags: bibliography
---
# Bibliography: Post‑Quantum Key Exchange
---
1. **Erdem Alkim, Léo Ducas, Thomas Pöppelmann, Peter Schwabe. 2016.** *Post‑Quantum Key Exchange – A New Hope.* USENIX Security Symposium. [https://eprint.iacr.org/2015/1092](https://eprint.iacr.org/2015/1092)
This is one of the protocols introduced earlier; it is an improved version of BCNS:
(Ding ---> Peikert ---> BCNS ---> NewHope)
NewHope has a smaller q, a better error distribution (centered binomial, which is faster to sample in constant time), a new reconciliation function of dimension 4 (the reconciliation maps 4 coefficients to 1 key bit for noise tolerance), and protection against a backdoored public parameter (the global parameter a is generated as SHAKE-128(seed), so it is fresh per session).
- Key generation uses Ring-LWE, so Bob and Alice hold quantities close to a·s·s' but not identical; a reconciliation function is needed to convert 'close' polynomial coefficients into identical key bits.
- Attacks they analysed: primal attack, dual attack and all-for-the-price-of-one attacks.
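As an added illustration of the reconciliation problem described above (example code written for these notes, not code from the NewHope paper), here is a toy unauthenticated Ring-LWE exchange in Python. It uses a centered binomial sampler, SHAKE-128 expansion of a public seed into a, and Peikert-style cross-rounding hints (the BCNS-era reconciliation, one bit per coefficient; NewHope's 4-dimensional reconciliation is not reproduced). The parameters n=32, q=4096, k=8 are assumed toy values chosen so that q is divisible by 8; they are not NewHope's n=1024, q=12289, ψ_16. All function names are my own.

```python
import hashlib
import random

# Toy parameters (assumed for this demo). q is a power of two and divisible by 8 so that the
# even-q reconciliation below works without Peikert's randomized "dbl" trick for odd q.
N, Q, K = 32, 4096, 8


def gen_a(seed: bytes, n: int = N, q: int = Q) -> list:
    """Expand a public seed into the public polynomial a with SHAKE-128, so a is fresh per
    session instead of a fixed parameter. With q a power of two, reducing 16-bit words mod q
    is exactly uniform; for a prime q (as in NewHope) rejection sampling is needed."""
    raw = hashlib.shake_128(seed).digest(2 * n)
    return [int.from_bytes(raw[2 * i:2 * i + 2], "little") % q for i in range(n)]


def sample_binomial(rng: random.Random, n: int = N, k: int = K) -> list:
    """Centered binomial psi_k: (sum of k coin flips) - (sum of k coin flips).
    Only bit operations and additions, which is easy to implement in constant time."""
    return [sum(rng.getrandbits(1) for _ in range(k))
            - sum(rng.getrandbits(1) for _ in range(k)) for _ in range(n)]


def poly_mul(f: list, g: list, q: int = Q) -> list:
    """Schoolbook product in R_q = Z_q[x]/(x^n + 1) (negacyclic: x^n = -1)."""
    n = len(f)
    out = [0] * n
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            if i + j < n:
                out[i + j] += fi * gj
            else:
                out[i + j - n] -= fi * gj
    return [c % q for c in out]


def poly_add(f: list, g: list, q: int = Q) -> list:
    return [(x + y) % q for x, y in zip(f, g)]


# --- Peikert-style reconciliation for even q (assumed for this demo) ---

def round_bit(v: int, q: int = Q) -> int:
    """Key bit: round(2v/q) mod 2, i.e. 1 iff v lies in [q/4, 3q/4)."""
    return ((2 * v + q // 2) // q) % 2


def cross_round(v: int, q: int = Q) -> int:
    """Hint bit floor(4v/q) mod 2; for uniform v it reveals nothing about round_bit(v)."""
    return (4 * v // q) % 2


def rec(w: int, b: int, q: int = Q) -> int:
    """Recover round_bit(v) from any w within distance < q/8 of v, given hint b = cross_round(v).
    The set I_b + E with E = [-q/8, q/8) is shifted onto [0, q/2) and membership is tested."""
    t = (w + q // 8) % q if b == 0 else (w - 5 * q // 8) % q
    return 0 if t < q // 2 else 1


def reconciliation_exact(q: int) -> bool:
    """Exhaustive check that rec(v + e, cross_round(v)) == round_bit(v) for all v, |e| < q/8."""
    return all(rec((v + e) % q, cross_round(v, q), q) == round_bit(v, q)
               for v in range(q) for e in range(-(q // 8), q // 8))


def key_exchange(rng: random.Random, seed: bytes = b"constructed session seed") -> tuple:
    """One unauthenticated exchange. Returns (alice_key, bob_key, largest |v - v'| coefficient)."""
    a = gen_a(seed)
    # Alice: b = a*s + e                      -> sends (seed, b)
    s, e = sample_binomial(rng), sample_binomial(rng)
    b = poly_add(poly_mul(a, s), e)
    # Bob:   u = a*s' + e',  v = b*s' + e''   -> sends (u, hints)
    s2, e2, e3 = sample_binomial(rng), sample_binomial(rng), sample_binomial(rng)
    u = poly_add(poly_mul(a, s2), e2)
    v = poly_add(poly_mul(b, s2), e3)
    hints = [cross_round(c) for c in v]
    bob_key = [round_bit(c) for c in v]
    # Alice: v' = u*s = a*s*s' + e'*s, which differs from v by the small e*s' + e'' - e'*s
    v2 = poly_mul(u, s)
    alice_key = [rec(c, h) for c, h in zip(v2, hints)]
    gap = max(min(d, Q - d) for d in ((x - y) % Q for x, y in zip(v, v2)))
    return alice_key, bob_key, gap


def demo(rng_seed: int = 2024) -> tuple:
    """Deterministic run for reproducibility (seeded PRNG; a real deployment uses a CSPRNG)."""
    return key_exchange(random.Random(rng_seed))


if __name__ == "__main__":
    ka, kb, gap = demo()
    print("keys agree:", ka == kb, "| largest |v - v'| coefficient:", gap, "< q/8 =", Q // 8)
```

The point to take from it: Alice's v' and Bob's v differ in every coefficient, yet the one-bit hint lets both sides land on the same key bit as long as every coefficient gap stays below q/8; `reconciliation_exact` verifies that bound exhaustively for a small q, and an error just past it can flip a bit, which is exactly the failure probability a parameter set has to keep negligible.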
**********
2. **Douglas Stebila, Michele Mosca. 2017.** *Post‑Quantum Key Exchange for the Internet and the Open Quantum Safe Project.* [https://eprint.iacr.org/2016/1017](https://eprint.iacr.org/2016/1017)
They focused on BCNS15 (Ring-LWE) and Frodo (LWE without the ring structure; it has a larger communication size than Ring-LWE).
NewHope: fastest PQ candidate (~0.1–0.2 ms per side), ~4 KB communication, high security.
Frodo: ~1 ms, but large communication (~22 KB).
Both BCNS15 and Frodo are unauthenticated, so they are secure only against passive adversaries.
Mitigation for the active setting:
- Use the Fujisaki–Okamoto transform to get IND-CCA KEMs.
- Or sign the ephemeral key shares with classical (or PQ) signatures in a TLS-like fashion.
Note: reusing RLWE ephemeral shares is dangerous (Fluhrer attack).
They integrate post-quantum key exchange (BCNS15 and Frodo) into TLS, so no new protocol is needed.
**********
3. **Lattice-based Authenticated Key Exchange with Tight Security**
- 2-pass PQ KEX; they assume the initiator already has the responder's PK.
- The initiator has 2 key pairs (ephemeral and long-term); the responder only has a long-term pair.
- The initiator runs a function 'init' that takes the other party's PK as input. It also creates the session state, only on the initiator's side.
- Security is based on OW-ChCCA, which is weaker than IND-CCA2, and they use 2 KEM pairs.
Published in CRYPTO 2023:
https://eprint.iacr.org/2023/823.pdf
*There is a similar earlier version of this paper, published by Springer in 2012, [Strongly Secure Authenticated Key Exchange from Factoring, Codes, and Lattices](https://eprint.iacr.org/2012/211.pdf). The only difference is that they implemented an ID-based AKE: a KGC creates the msk and mpk and gives each party its keys; the rest is the same (Alice also generates an ephemeral key pair, and the 2 Encaps are ID-based, meaning she computes her ephemeral masking material and then runs IB‑KEM encapsulation under Bob's identity).*
**********
4. **SWOOSH: Efficient Lattice-Based Non-Interactive Key Exchange**
- MLWE non-interactive KEX, analysed in the QROM. Since it is non-interactive they use left and right parts for MLWE (each identity samples 2 independent secret vectors and noise vectors, and hence a public key for the left and for the right side); they also have a random offset := H(ID1, pk1, ID2, pk2).
- Deterministic rounding/reconciliation function that maps each coefficient to a bit.
- Authors' fix: add a public random shift r, derived deterministically from the two public keys via a random oracle, so that the final value behaves (for the analysis) like a uniformly random element of Rq. Because the shift is computable by both parties (a hash of the public keys), no interaction is needed, and uniformity enables a rigorous bound on the probability that any coefficient falls within the "danger interval" that would flip a rounded bit.
- This gives them semi-malicious correctness: even if the adversary chooses both key pairs (from Gen's support), the chance of causing a mismatch is negligibly small (in the QROM, accounting for the adversary's quantum queries). The precise SM-COR bound is in Theorem 5.
- Security parameters and assumptions: QROM --> passive security --> active security via a compiler: augment each public key with a simulation-sound, online-extractable NIZK proof that the public key was formed honestly (i.e., is in the support of Gen). The compiler: Gen' runs the passive Gen, then creates a proof π; registration requires verifying π. With this and the passive scheme's SM-COR property, they prove a CKS security theorem (Theorem 7) that reduces an active break to one of: breaking the M-LWE assumption, breaking the NIZK (simulation soundness/extractability), or breaking the SM-COR/honest security of the passive scheme.
**********
5. **Authenticated Key Exchange from Ideal Lattices**
Published in Eurocrypt 2015
https://eprint.iacr.org/2014/589.pdf
- 2-pass, based on RLWE (a PQ version of HMQV); each party has 1 ephemeral and 1 long-term key pair.
- No KEM; BR security model, which is weaker than eCK.
- In the first round Alice only sends her ephemeral PK; in the next round Bob sends his ephemeral PK and the hint function output for reconciliation.
- They assume that both parties already know each other's long-term PKs and ids, even though these were never exchanged between them.
- The protocol breaks under the eCK model.
- Implicit authentication like HMQV.
**********
6. **Modular Design of KEM-Based Authenticated Key Exchange**
Published in 2023, ACM (ACISP 2023)
https://eprint.iacr.org/2023/167.pdf
- They introduced a KEM‑based authenticator module (security from KEM IND‑CCA) and a KEM‑based protocol module in the authenticated‑links model (security from KEM IND‑CPA), and then compose them to get several generic AKE protocols. These blocks are reusable.
- Figure 8 in the paper relates to our case: assuming Alice has Bob's pk.
- Bob has 2 key pairs: the ephemeral one for FS, the long-term one for mutual authentication.
- The security proof is via SK-security in CK01 (if the adversary obtains any key pair, the test session is not allowed, whereas in eCK, if 1 pair leaks, the session should still pass the freshness test).
- Their final 3‑message KEM‑based AKE (Fig. 8) achieves session‑key security in the CK01 model, relying on IND‑CPA KEMs for confidentiality of the key exchange and IND‑CCA KEM + MAC security for the authenticated composition via the compiler. That's the exact endpoint: no stronger than SK‑security, no tighter than CPA/CCA reductions, but composably provable in the CK01 framework.
**********