
Post-Quantum Signal Key Agreement from SIDH

Conference paper, Post-Quantum Cryptography (PQCrypto 2022)

Abstract

In the effort to transition cryptographic primitives and protocols to quantum-resistant alternatives, an interesting and useful challenge is found in the Signal protocol. The initial key agreement component of this protocol, called X3DH, has so far proved more subtle to replace—in part due to the unclear security model and properties the original protocol is designed for. This paper defines a formal security model for the original Signal protocol, in the context of the standard eCK and CK+ type models, which we call the Signal-adapted-CK model. We then propose a replacement for the Signal X3DH key exchange protocol based on SIDH, and provide a proof of security in the Signal-adapted-CK model, showing our protocol satisfies all security properties of the original Signal X3DH. We call this new protocol SI-X3DH. Our protocol shows that SIDH can be used to construct a secure X3DH replacement despite the existence of adaptive attacks against it. Unlike the generic constructions proposed in the literature, our protocol achieves deniability without expensive machinery such as post-quantum ring signatures. It also benefits from the small key sizes of SIDH, and its efficiency as a key-exchange protocol compared to other isogeny-based protocols such as CSIDH.


Notes

  1. Since this paper was submitted for publication, new attacks on SIDH have been announced [CD22, MM22, Rob22]. This paper assumes that a variant of SIDH can be developed which is still secure. However, if SIDH is broken entirely, techniques from this paper may be of independent interest—for example, the Signal security model and use of the Honest and Verifiable CDH problems to avoid relying on Gap-DH assumptions.

  2. Since publication, attacks have been proposed on the variant of SIDH described here [CD22, MM22, Rob22].

References

  1. Alwen, J., Coretti, S., Dodis, Y.: The double ratchet: security notions, proofs, and modularization for the Signal protocol. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11476, pp. 129–158. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17653-2_5

  2. Azarderakhsh, R., Jao, D., Leonardi, C.: Post-quantum static-static key agreement using multiple protocol instances. In: Adams, C., Camenisch, J. (eds.) SAC 2017. LNCS, vol. 10719, pp. 45–63. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-72565-9_3

  3. Banegas, G., et al.: CTIDH: faster constant-time CSIDH. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2021(4), 351–387 (2021)

  4. Brendel, J., Fischlin, M., Günther, F., Janson, C., Stebila, D.: Towards post-quantum security for Signal’s X3DH handshake. In: Dunkelman, O., Jacobson, Jr., M.J., O’Flynn, C. (eds.) SAC 2020. LNCS, vol. 12804, pp. 404–430. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-81652-0_16

  5. Brendel, J., Fiedler, R., Günther, F., Janson, C., Stebila, D.: Post-quantum asynchronous deniable key exchange and the Signal handshake. In: Hanaoka, G., Shikata, J., Watanabe, Y. (eds.) PKC 2022. LNCS, vol. 13178, pp. 3–34. Springer, Cham (2022). https://doi.org/10.1007/978-3-030-97131-1_1

  6. Beullens, W., Katsumata, S., Pintore, F.: Calamari and Falafl: logarithmic (linkable) ring signatures from isogenies and lattices. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12492, pp. 464–492. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64834-3_16

  7. Blake-Wilson, S., Johnson, D., Menezes, A.: Key agreement protocols and their security analysis. In: Darnell, M. (ed.) Cryptography and Coding 1997. LNCS, vol. 1355, pp. 30–45. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0024447

  8. Campagna, M., et al.: Supersingular isogeny key encapsulation (2019). https://sike.org/

  9. Castryck, W., Decru, T.: An efficient key recovery attack on SIDH (preliminary version). Cryptology ePrint Archive, Paper 2022/975 (2022). https://ia.cr/2022/975

  10. Cohn-Gordon, K., Cremers, C., Dowling, B., Garratt, L., Stebila, D.: A formal security analysis of the Signal messaging protocol. J. Cryptol. 33(4), 1914–1983 (2020)

  11. Canetti, R., Krawczyk, H.: Analysis of key-exchange protocols and their use for building secure channels. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 453–474. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44987-6_28

  12. Castryck, W., Lange, T., Martindale, C., Panny, L., Renes, J.: CSIDH: an efficient post-quantum commutative group action. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11274, pp. 395–427. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03332-3_15

  13. Cervantes-Vázquez, D., Ochoa-Jiménez, E., Rodríguez-Henríquez, F.: Extended supersingular isogeny Diffie-Hellman key exchange protocol: revenge of the SIDH. IET Inf. Secur. 15(5), 364–374 (2021)

  14. De Feo, L., Dobson, S., Galbraith, S.D., Zobernig, L.: SIDH proof of knowledge. Cryptology ePrint Archive, Paper 2021/1023 (2021). https://ia.cr/2021/1023

  15. Dobson, S., Galbraith, S.D., LeGrow, J., Ti, Y.B., Zobernig, L.: An adaptive attack on 2-SIDH. Int. J. Comput. Math. Comput. Syst. Theory 5(4), 282–299 (2020)

  16. Duits, I.: The post-quantum Signal protocol: secure chat in a quantum world. Master’s thesis, University of Twente (2019). https://essay.utwente.nl/77239/

  17. Galbraith, S.D.: Authenticated key exchange for SIDH. Cryptology ePrint Archive, Paper 2018/266 (2018). https://ia.cr/2018/266

  18. Galbraith, S.D., Petit, C., Shani, B., Ti, Y.B.: On the security of supersingular isogeny cryptosystems. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 63–91. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_3

  19. Hofheinz, D., Hövelmanns, K., Kiltz, E.: A modular analysis of the Fujisaki-Okamoto transformation. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017. LNCS, vol. 10677, pp. 341–371. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70500-2_12

  20. Hashimoto, K., Katsumata, S., Kwiatkowski, K., Prest, T.: An efficient and generic construction for Signal’s handshake (X3DH): post-quantum, state leakage secure, and deniable. In: Garay, J.A. (ed.) PKC 2021. LNCS, vol. 12711, pp. 410–440. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-75248-4_15

  21. Jao, D., De Feo, L.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. In: Yang, B.-Y. (ed.) PQCrypto 2011. LNCS, vol. 7071, pp. 19–34. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25405-5_2

  22. Kirkwood, D., Lackey, B.C., McVey, J., Motley, M., Solinas, J.A., Tuller, D.: Failure is not an option: standardization issues for post-quantum key agreement. In: Workshop on Cybersecurity in a Post-Quantum World (2015)

  23. Maino, L., Martindale, C.: An attack on SIDH with arbitrary starting curve. Cryptology ePrint Archive, Paper 2022/1026 (2022). https://ia.cr/2022/1026

  24. Marlinspike, M., Perrin, T.: The double ratchet algorithm (2016). https://signal.org/docs/specifications/doubleratchet/. Accessed 20 Nov 2016

  25. Marlinspike, M., Perrin, T.: The X3DH key agreement protocol (2016). https://signal.org/docs/specifications/x3dh/. Accessed 04 Nov 2016

  26. Peikert, C.: Lattice cryptography for the internet. In: Mosca, M. (ed.) PQCrypto 2014. LNCS, vol. 8772, pp. 197–219. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-11659-4_12

  27. Perrin, T.: The XEdDSA and VXEdDSA signature schemes (2016). https://signal.org/docs/specifications/xeddsa/. Accessed 20 Oct 2016

  28. Robert, D.: Breaking SIDH in polynomial time. Cryptology ePrint Archive, Paper 2022/1038 (2022). https://ia.cr/2022/1038

  29. Sun, X., Tian, H., Wang, Y.: Toward quantum-resistant strong designated verifier signature from isogenies. In: INCoS 2012, pp. 292–296. IEEE (2012)

  30. Unger, N., Goldberg, I.: Improved strongly deniable authenticated key exchanges for secure messaging. Proc. Priv. Enh. Technol. 2018(1), 21–66 (2018)

  31. Vélu, J.: Isogénies entre courbes elliptiques. C. R. Acad. Sci. Paris Sér. A-B 273, A238–A241 (1971)

  32. Vatandas, N., Gennaro, R., Ithurburn, B., Krawczyk, H.: On the cryptographic deniability of the Signal protocol. In: Conti, M., Zhou, J., Casalicchio, E., Spognardi, A. (eds.) ACNS 2020. LNCS, vol. 12147, pp. 188–209. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-57878-7_10

Acknowledgements

We thank the anonymous reviewers for their helpful comments and feedback. We also thank Jason LeGrow for his feedback and advice. This research was partially funded by MBIE catalyst grant UOAX1933.

Author information

Corresponding author: Samuel Dobson.

Appendices

A Proofs of VCDH and HCDH Reductions

Theorem 2

Let \(\mathcal {B}\) be an adversary solving the VCDH problem with advantage \(\epsilon \) after making q queries to the oracle \(\mathcal {O}_{K_1, K_2}\). Then \(\mathcal {B}\) can be used to solve the SI-CDH problem with probability at least \(\epsilon /2q\).

Proof

Without loss of generality, we assume all q queries are made with distinct inputs. Let \((K_1, K_2)\) be an SI-CDH challenge instance. We define two different oracles \(\mathcal {O}^0\) and \(\mathcal {O}^1\). Oracle \(\mathcal {O}^0\) will return 0 regardless of the query made. To define oracle \(\mathcal {O}^1\), we select a random index \(0 \le \ell < q\) and let \(\mathcal {O}^1\) return 1 on the \(\ell \)-th unique query (and 0 on all other queries). We run the adversary \(\mathcal {B}\) in two settings, giving instance \((K_1, K_2, \mathcal {O}^i)\) to \(\mathcal {B}\) in setting \(i \in \{0,1\}\). Define \(\textsf{found}\) to be the event that \(\mathcal {B}\) makes a query to the oracle \(\mathcal {O}\) it is given with the correct j-invariant (the solution to the SI-CDH instance). We can consider the probability of \(\mathcal {B}\) succeeding against the VCDH problem as

$$\begin{aligned} \epsilon&= \Pr [ \, \mathcal {B}\text { wins} \mid \textsf{found}\text { occurs} \, ] \cdot \Pr [ \, \textsf{found}\text { occurs} \, ] \\&+ \ \Pr [\, \mathcal {B}\text { wins} \mid \textsf{found}\text { does not occur} \, ] \cdot \Pr [ \, \textsf{found}\text { does not occur} \,]. \end{aligned}$$

If \(\textsf{found}\) does not occur, then \(\mathcal {B}\) running in setting 0 (where oracle \(\mathcal {O}^0\) always returns 0) will be unable to distinguish the simulated oracle from the true one, and will win with advantage \(\epsilon \). Hence,

$$ \Pr [\, \mathcal {B}\text { wins in setting } 0 \, ] \ge \Pr [\, \mathcal {B}\text { wins} \mid \textsf{found}\text { does not occur} \, ]. $$

On the other hand, if \(\textsf{found}\) occurs, then we correctly simulated the oracle in setting 1 with probability 1/q (the probability that we guessed \(\ell \) correctly). Therefore,

$$ \Pr [\, \mathcal {B}\text { wins in setting } 1 \, ] \ge \frac{1}{q} \Pr [\, \mathcal {B}\text { wins} \mid \textsf{found}\text { occurs} \, ]. $$

We uniformly sample \(b \leftarrow \{0,1\}\) and return the solution from \(\mathcal {B}\) running in setting b to the SI-CDH challenger. Because \(0 \le \Pr [ \, \textsf{found}\text { occurs} \, ] \le 1\), we solve the SI-CDH instance with overall probability

$$\begin{aligned}\begin{gathered} \frac{1}{2}\Pr [\, \mathcal {B}\text { wins in setting } 0 \, ] + \frac{1}{2}\Pr [\, \mathcal {B}\text { wins in setting } 1 \, ]\\ \ge \frac{1}{2}\Pr [\, \mathcal {B}\text { wins} \mid \textsf{found}\text { does not occur} \, ] + \frac{1}{2q} \Pr [\, \mathcal {B}\text { wins} \mid \textsf{found}\text { occurs} \, ]\\ \ge \frac{1}{2q} \left( \Pr [\, \mathcal {B}\text { wins} \mid \textsf{found}\text { does not occur} \, ] + \Pr [\, \mathcal {B}\text { wins} \mid \textsf{found}\text { occurs} \, ] \right) \\ \ge \frac{1}{2q}\epsilon , \end{gathered}\end{aligned}$$

which is non-negligible if \(\epsilon \) is (since q must be polynomially-sized).

Theorem 3

Let \(\mathcal {B}\) be an adversary solving the HCDH problem with advantage \(\epsilon \) after making q queries to \(H_2\), modelled as a random oracle. Then \(\mathcal {B}\) can be used to solve the SI-CDH problem with probability at least \(\min (1/q, \epsilon )/2\).

Proof

We argue that the FO-like proof leaks no information because we obviously assume that \({\text {SIDH}}_{\textsf{pp}}(K_2, K_1)\) is unknown (since it is the answer to the SI-CDH problem) and s is random. Thus, if the SI-CDH problem is hard, then so too is this problem. We sketch a reduction in the random oracle model. Treat \(H_2\) as a random oracle. Let \(\mathcal {B}\) be an adversary making q queries to \(H_2\) and winning with advantage \(\epsilon \) against the HCDH problem. Obtain an SI-CDH challenge \((K_1, K_2)\). Choose \(\pi \) to be a random binary string, and provide \((K_1, K_2, \pi )\) to \(\mathcal {B}\).

In order to distinguish the simulated \(\pi \) from an honest FO-proof, \(\mathcal {B}\) must query \(H_2(j)\) for the correct j-invariant solution of the SI-CDH instance. Call this event \(\textsf{found}\), as above. If \(\textsf{found}\) occurs, we can return one of the q queries made to \(H_2\) and win with probability 1/q. Otherwise, the output of \(\mathcal {B}\) wins with advantage \(\epsilon \) despite \(\pi \) being uniformly random, by a simple hybrid argument. Thus, the reduction can simply return one of the q queries to \(H_2\) or the output of \(\mathcal {B}\) to the SI-CDH challenger with equal probability. We then have that \(\mathcal {B}\)’s advantage against the CDH problem is at least:

$$\begin{aligned}\begin{gathered} \frac{1}{2q}\Pr [ \, \textsf{found}\text { occurs} \, ] + \frac{\epsilon }{2} \Pr [ \, \textsf{found}\text { does not occur} \, ]\\ \ge \min \left( \frac{1}{2q}, \frac{\epsilon }{2} \right) , \end{gathered}\end{aligned}$$

which is non-negligible if \(\epsilon \) is, since q is polynomially-sized.

B Proof of Theorem 1

Proof Sketch

We briefly outline the proof methodology. The proof is similar to the one given by [CGCD+20], refitted to our Signal-adapted-CK model and using the Verifiable and Honest SI-CDH assumptions from Sect. 3.1 instead of the standard DDH oracle in the gap assumption. Cases \(E_2, E_3\), and \(E_6\) require \(\textsf{IK}_A\) and \(\textsf{IK}_B\) not to be revealed, so we use that as the basis for security in those cases. Similarly, cases \(E_1\) and \(E_7\) will use the fact that \(\textsf{EK}_A\) and \(\textsf{IK}_B\) are not revealed, and case \(E_5\) relies on \(\textsf{EK}_A\) and \(\textsf{SK}_B\) not being revealed. Informally, the proof begins by forming a game in which the challenger guesses in advance which session will be tested, as well as the peer ID of that session. The challenger then simulates the game and inserts a VCDH or HCDH challenge into that predicted session, showing that an adversary winning the game can be used to successfully solve the respective hard problem. Once the cases are combined, this gives a proof of soundness of the SI-X3DH protocol.

Proof

It is clear that two parties following the protocol honestly will become partners. It is also clear that they will both successfully derive the same session key and enter an accept state, as an SIDH protocol has no failure probability if both parties are faithful. Thus the SI-X3DH protocol is correct.

To prove soundness, we will use a series of game hops. The proof will require splitting into cases following Table 2. Games 0 to 3 are common to all cases; we then break into a case-by-case proof. Without loss of generality, we assume participant A is the initiator and B is the responder—the test query is handled in the same way by the simulator regardless of whether it is called on the initiator or responder.

Game 0. This game equals the security experiment in Sect. 4.1. The advantage of the adversary in this game is \(\textsf{Adv}_{0}\). All queries to the random oracles (\(H_1, H_2, {\text {KDF}}\)) are simulated in an on-the-fly manner, and a table of (query, result) pairs is stored.

Game 1. We ensure all honestly generated SIDH keys are unique, or in other words, that there are no key collisions. If a key is generated that collides with any previously generated key, the challenger aborts and the adversary loses the game. With at most n parties, S sessions per party, m medium-term (semi-static) keys per party, we have at most \(n + nm + nS\) receiving (\(2^{e_1}\)-isogeny) keys, and at most \(n + nS\) sending (\(3^{e_2}\)-isogeny) keys. A collision among these keys is an instance of the generalised birthday problem, which we now briefly recall.

If M is the size of the domain from which \(N \le M\) objects are uniformly drawn, the generalised birthday problem shows that the probability of a collision between two objects is

$$\begin{aligned} p(N; M) = 1 - \prod _{k = 1}^{N-1} \left( 1 - \frac{k}{M}\right) . \end{aligned}$$
(2)

So,

$$\begin{aligned} \textsf{Adv}_{0} \le p(n + nm + nS; {|}{\mathcal {K}_2}{|}) + p(n + nS; {|}{\mathcal {K}_3}{|}) + \textsf{Adv}_{1}. \end{aligned}$$

To be explicit, the size of an \(\ell ^e\)-isogeny keyspace is

$$\begin{aligned} (\ell + 1) \cdot \ell ^{e-1}, \end{aligned}$$
(3)

so \({|}{\mathcal {K}_2}{|} = 3 \cdot 2^{e_1-1}\) and \({|}{\mathcal {K}_3}{|} = 4 \cdot 3^{e_2-1}\). Note that the difference between \(\textsf{Adv}_{0}\) and \(\textsf{Adv}_{1}\) is therefore negligible, since the numerator in the collision probability is polynomially-sized while the denominator is exponential.
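As an added worked example (not code from the paper), the following Python evaluates the Game 1 collision terms from equations (2) and (3) in log space: for SIDH-sized key spaces every factor \(1 - k/M\) rounds to 1.0 in floating point, so the naive product would report a loss of exactly zero. The exponents \(e_1 = 216\), \(e_2 = 137\) are the SIKEp434 values, assumed here since the appendix fixes no parameter set; the party counts are constructed.

```python
import math

# Isogeny exponents: assumed SIKEp434 parameters (p = 2^216 * 3^137 - 1).
# The appendix does not fix a parameter set; these are illustrative values.
E1 = 216   # receiving keys live in the 2^e1-isogeny key space K_2
E2 = 137   # sending keys live in the 3^e2-isogeny key space K_3


def keyspace_size(ell: int, e: int) -> int:
    """Equation (3): an ell^e-isogeny key space has (ell + 1) * ell^(e-1) elements."""
    return (ell + 1) * ell ** (e - 1)


def collision_probability(n_objects: int, domain: int) -> float:
    """Equation (2): p(N; M) = 1 - prod_{k=1}^{N-1} (1 - k/M).

    Evaluated as -expm1(sum_k log1p(-k/M)).  With M ~ 2^216 the factors
    1 - k/M are indistinguishable from 1.0 as floats, but log1p(-k/M) keeps
    each tiny term accurately, so the result is not rounded to zero.
    """
    if n_objects < 2:
        return 0.0
    log_no_collision = sum(math.log1p(-k / domain) for k in range(1, n_objects))
    return -math.expm1(log_no_collision)


def collision_upper_bound(n_objects: int, domain: int) -> float:
    """Union bound N(N-1)/(2M), always >= p(N; M); a sanity check on the exact value."""
    return n_objects * (n_objects - 1) / (2 * domain)


def game1_loss(n: int, m: int, s: int, e1: int = E1, e2: int = E2) -> float:
    """Adv_0 - Adv_1 <= p(n + nm + nS; |K_2|) + p(n + nS; |K_3|) from Game 1.

    n parties, m semi-static keys per party and S sessions per party give
    n + nm + nS receiving (2^e1-isogeny) keys and n + nS sending (3^e2) keys.
    """
    k2 = keyspace_size(2, e1)
    k3 = keyspace_size(3, e2)
    return (collision_probability(n + n * m + n * s, k2)
            + collision_probability(n + n * s, k3))


if __name__ == "__main__":
    # Constructed deployment size: 1000 parties, 10 semi-static keys, 100 sessions each.
    loss = game1_loss(n=1000, m=10, s=100)
    print(f"|K_2| = 3 * 2^{E1 - 1}, |K_3| = 4 * 3^{E2 - 1}")
    print(f"Game 1 loss = {loss:.3e}  (about 2^{math.log2(loss):.1f})")
```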

Game 2. We guess in advance which session \(\varPi _u^i\) the adversary will call the Test query against, and abort if this guess is incorrect. Note that we abort with high probability—there is only a 1/nS chance of success—but the advantages still only differ by a polynomial factor.

$$\begin{aligned} \textsf{Adv}_{1} = nS \textsf{Adv}_{2}. \end{aligned}$$

Game 3. In this game, we guess in advance the index of the peer of the test session \(\varPi _u^i\)—we guess a \(v \in \{1, \ldots , n\}\) and abort if \(\varPi _u^i.\mathsf {peer\_id}\ne v\). The probability of guessing v correctly is 1/n, so

$$\begin{aligned} \textsf{Adv}_{2} \le n \textsf{Adv}_{3}. \end{aligned}$$

We now split into cases based on Table 2. The cases will be grouped by the approach we take to reduce each case to the VCDH and HCDH hard problems. Specifically, in each scenario, we consider which of the (three or four) SIDH exchanges is not compromised by any reveal queries (i.e., neither key involved is compromised), and embed the hard problem into that pair of keys. Firstly, we address the MEX events, where neither \(\textsf{IK}_A\) nor \(\textsf{IK}_B\) are revealed—cases \(E_2, E_3\), and \(E_6\). We then treat the KCI events, cases \(E_1\) and \(E_7\), where \(\textsf{EK}_A\) and \(\textsf{IK}_B\) remain unrevealed. Finally, we come to the wPFS event, \(E_5\), in which the adversary does not reveal either \(\textsf{EK}_A\) or \(\textsf{SK}_B\). We shall have, overall, that

$$\begin{aligned} \textsf{Adv}_{3} = \textsf{Adv}^{2,3,6}_{3} + \textsf{Adv}^{1,7}_{3} + \textsf{Adv}^{5}_{3}. \end{aligned}$$

B.1 Cases \(E_2, E_3, E_6\) (MEX)

As mentioned above, the three cases \(E_2, E_3\), and \(E_6\) all rely on \(\textsf{IK}_A\) and \(\textsf{IK}_B\) not being revealed—the adversary should thus be unable to compute \({\text {SIDH}}(\textsf{IK}_A, \textsf{IK}_B)\). This is the basis for the following part of the security proof.

Game 4. In this game, we abort if the adversary queries \(\textsf{dh}_1 = {\text {SIDH}}(\textsf{IK}_A, \textsf{IK}_B)\) as the first component of a call to the \({\text {KDF}}\) oracle. We call this event \(\textsf{abort}_4\).

Whenever \(\textsf{abort}_4\) occurs, we show that we can construct an algorithm \(\mathcal {B}\) that can solve the Verifiable SI-CDH problem (VCDH) in Definition 2. As per that problem, \(\mathcal {B}\) receives a triple \((K_1, K_2, \mathcal {O})\). \(\mathcal {B}\) will simulate Game 3, except that it replaces \(\textsf{IK}_u\) with \(K_2\) and \(\textsf{IK}_v\) with \(K_1\). It is guaranteed by freshness that \(\mathcal {B}\) will never have to output the corresponding (unknown) secret keys. However, these two keys may be used in other sessions, so \(\mathcal {B}\) must be able to behave in a consistent manner even when these keys are involved. Specifically, there are only two cases in which \(\mathcal {B}\) is unable to compute the session key:

  1. A non-tested session between the same users u, v where u is the initiator and v is the responder.

  2. A non-tested session between any user other than u, and v, where v is the responder.

In the first of these two cases, the simulator does not know \({\text {SIDH}}(K_2, K_1)\), which is needed for two reasons: \(\mathcal {B}\) needs it to compute the session key, but it is also the solution to the VCDH challenge. In the second case, the simulator does not know \({\text {SIDH}}(\textsf{EK}_E, K_1)\) for potentially malicious ephemeral key \(\textsf{EK}_E\), whose secret key is unknown to \(\mathcal {B}\). In all other situations, \(\mathcal {B}\) will know at least one of the secret keys involved in each \({\text {SIDH}}\) exchange because they were all generated by the challenger.

We begin with the first case. If a session key or ephemeral key reveal query is made on such a session, \(\mathcal {B}\) returns a random key. \(\mathcal {B}\) also maintains a list of these random keys it generated, and correspondingly the public keys which should have been used to compute each one. Then, to ensure that other \({\text {KDF}}\) queries made are consistent with these replaced keys, we do the following on receipt of a query \({\text {KDF}}(\textsf{dh}_1 \parallel \textsf{dh}_2 \parallel \textsf{dh}_3)\): \(\mathcal {B}\) will query \(\mathcal {O}(\textsf{dh}_1)\), and if 1 is returned, this is exactly the case where \(\textsf{abort}_4\) occurs—then \(\mathcal {B}\) can return \(\textsf{dh}_1\) as the answer to the VCDH challenge. Otherwise, \(\mathcal {B}\) samples a new random key to return as the \({\text {KDF}}\) response, and updates its list accordingly.

In the second case, we involve the FO-proof \(\pi _E\) also sent as part of the key exchange—a proof of honest generation for \(\textsf{EK}_E\). In such a session, \(\mathcal {B}\) will check through the output table of queries \(\mathcal {A}\) has made to oracle \(H_2\) (which can only have polynomially-many entries). Let \(\textsf{IK}_w\) be the identity key of the initiator. For each pair of entries \((h, h')\), we check whether \(H_1(\pi _E \oplus h \oplus h' \oplus H_2({\text {SIDH}}(\textsf{IK}_w, K_1)))\) is the secret key of \(\textsf{EK}_E\). The simulator can always compute \({\text {SIDH}}(\textsf{IK}_w, K_1)\) when \(w \ne u\) because it knows the private key for \(\textsf{IK}_w\). In order for \(\pi _E\) to be valid, it must have the form

$$ \pi _E = s_E \oplus H_2({\text {SIDH}}(\textsf{IK}_w, K_1)) \oplus H_2(\textsf{dh}_2) \oplus H_2(\textsf{dh}_3) $$

so the only way for the adversary to have honestly generated \(\pi _E\) is for it to have queried \(H_2\) on inputs \(\textsf{dh}_2, \textsf{dh}_3\). Therefore, searching through all pairs \((h, h')\) of queries will always result in recovery of \(s_E\) if \(\pi _E\) is valid, and if no such pair exists, the receiver would reject the FO-proof and fail the exchange. If such a pair is found, we can use the computed secret key \(s_E\) to also compute \({\text {SIDH}}(\textsf{EK}_E, K_1)\). \(\mathcal {B}\) can now use this j-invariant in a query to \({\text {KDF}}\) to compute a consistent session key. Thus, \(\textsf{Adv}(\textsf{abort}_4) = \textsf{Adv}^{\textrm{vcdh}}(\mathcal {B})\) and

$$\begin{aligned} \textsf{Adv}^{2,3,6}_{3} \le \textsf{Adv}^{\textrm{vcdh}}(\mathcal {B}) + \textsf{Adv}_{4}. \end{aligned}$$

Game 5. In this game, we replace the session key of the test session with a uniformly random key. Because Game 4 aborts whenever a \({\text {KDF}}\) oracle query is made involving \(\textsf{dh}_1\), we know in this game that the adversary never queried \({\text {KDF}}\) to get the true session key. Hence, the advantage of winning this game is

$$\begin{aligned} \textsf{Adv}_{4} = \textsf{Adv}_{5} = 0. \end{aligned}$$

Therefore, we have

$$\begin{aligned} \textsf{Adv}^{2,3,6}_{3} \le \textsf{Adv}^{\textrm{vcdh}}(\mathcal {B}). \end{aligned}$$

B.2 Cases \(E_1, E_7\)

These two cases rely on \(\textsf{EK}_A\) and \(\textsf{IK}_B\) not being revealed. Then \(\textsf{dh}_2 = {\text {SIDH}}(\textsf{EK}_A, \textsf{IK}_B)\) should be unknown to the adversary. The proof is very similar to the first cases above, but now relies on the Honest SI-CDH assumption from Definition 3. The main difference is that now, we must guess which of the signed semi-static keys will be used in the test session because we will need to modify the FO proof provided in the Honest SI-CDH assumption to get a correct FO proof for the SI-X3DH protocol.

Game \(4'\). In this game, the challenger guesses the index \(j \in \{1, \ldots , m\}\), such that signed semi-static key \(\textsf{SK}_v^j\) is used in the test session, and aborts if this guess is wrong. Consequently,

$$\begin{aligned} \textsf{Adv}^{1,7}_{3} \le m \textsf{Adv}_{4'}. \end{aligned}$$

Game \(5'\) and \(6'\). In Game \(5'\), we abort if the adversary queries the \({\text {KDF}}\) oracle with second component \(\textsf{dh}_2\), equal to the test session’s \(\textsf{dh}_2\) component (derived from \(\textsf{EK}_u\) and \(\textsf{IK}_v\)). Once again, \(\mathcal {B}\) will simulate Game \(4'\). After receiving an HCDH instance triple \((K_1, K_2, \pi )\), \(\mathcal {B}\) will replace the ephemeral key of the test session with \(K_2\), and \(\textsf{IK}_v\) with \(K_1\). \(\mathcal {B}\) will then also replace the test session FO-proof with \(\pi _T := \pi \oplus H_2({\text {SIDH}}(K_2, \textsf{SK}_v^j)) \oplus H_2({\text {SIDH}}(\textsf{IK}_u, K_1))\). Recall from the definition of the HCDH problem that \(\pi \) already includes the component \(H_2({\text {SIDH}}(K_2,K_1))\), as required, so \(\pi _T\) has the correct form.

There are two cases in which \(\mathcal {B}\) will not be able to compute valid session keys for non-tested sessions. The first is for a session where any user initiates with \(\textsf{EK}_E \not = \textsf{EK}_u\), and v is the responder. This is because \({\text {SIDH}}(\textsf{EK}_E, K_1)\) is unknown when the secret key of \(\textsf{EK}_E\) is unknown. The second case is a special case of the first, when \(\textsf{EK}_u\) is reused in an exchange with v as the responder. As above, at least one secret key is known in all other situations, so these are the only two \({\text {SIDH}}\) exchanges unable to be computed by \(\mathcal {B}\).

In the first case, \(\mathcal {B}\) will look up all pairs \((h, h')\) in the polynomial-length output table of queries \(\mathcal {A}\) has made to \(H_2\). Suppose \(\textsf{IK}_w\) is the identity key of the initiator, and \(\pi _E\) is the FO-proof sent along with the ephemeral key \(\textsf{EK}_E\). \(\mathcal {B}\) will check whether \(H_1(\pi _E \oplus h \oplus h' \oplus H_2({\text {SIDH}}(\textsf{IK}_w, K_1)))\) is the secret key of \(\textsf{EK}_E\). As above, \({\text {SIDH}}(\textsf{IK}_w, K_1)\) is known to \(\mathcal {B}\) since the secret key of \(\textsf{IK}_w\) is. Also as above, the only way for the adversary to have generated a valid proof \(\pi _E\) is if they had made queries \(H_2(\textsf{dh}_2)\) and \(H_2(\textsf{dh}_3)\)—otherwise, even if the adversary guessed the outputs of \(H_2\) correctly (with negligible probability), they would not be able to verify that the \(\pi _E\) they created was actually correct without making the required queries to \(H_2\) anyway. Hence, the only case in which the proof \(\pi _E\) is accepted is when a valid pair \((h,h')\) exists in the query list of \(H_2\), and if such a pair is found, we can use the secret key to compute the needed j-invariant \({\text {SIDH}}(\textsf{EK}_E, K_1)\). \(\mathcal {B}\) can now use this j-invariant in a query to \({\text {KDF}}\) to compute a consistent session key. If no pair is found, the receiver would reject the FO-proof and fail the exchange.

In the second case, we cannot compute the output of \({\text {KDF}}\) because \(\textsf{dh}_2 = {\text {SIDH}}(K_2, K_1)\) is unknown. So \(\mathcal {B}\) will return a random key and keep a table for consistency as in the previous cases. Whenever the adversary makes a query to the \({\text {KDF}}\) oracle, we check if \(H_1(\pi \oplus H_2(\textsf{dh}_2))\) corresponds to the secret key of \(K_2\), and if it does, \(\mathcal {B}\) has learned \(\textsf{dh}_2\) as the SI-CDH value of \(K_1\) and \(K_2\); this is also the case in which the game aborts. Note that the \(\pi \) used here is the one from the HCDH challenge, not from the exchange (\(\pi _E\)) or the test session (\(\pi _T\)). There is a negligible probability \(1/2^n\) that the adversary guessed the correct output of \(H_2\) without making a query of the form \(H_2(\textsf{dh}_2)\) (leading to an abort without recovering the answer to the HCDH challenge).
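The simulator's pair search through the \(H_2\) query table, used in the second case of B.1 and again in the first case above, as an added runnable model (not code from the paper): textbook Diffie-Hellman modulo a toy prime stands in for SIDH and SHA-256 for \(H_1\) and \(H_2\), both illustrative assumptions, so only the form of \(\pi _E\), the responder's check and the extraction loop follow the proof text.

```python
import hashlib
import itertools
from typing import List, Optional, Tuple

# Stand-in for SIDH (constructed): textbook Diffie-Hellman modulo a toy prime.
# The proof step only needs commutativity, DH(pk_a, sk_b) == DH(pk_b, sk_a),
# which the isogeny exchange also provides.  These are NOT secure parameters.
P = 2**127 - 1   # toy modulus (prime)
G = 3            # toy generator

def keygen(sk: int) -> int:
    return pow(G, sk, P)

def sidh(pk: int, sk: int) -> int:
    """Shared value of public key pk and secret sk; stands in for SIDH(., .)."""
    return pow(pk, sk, P)

def h1(seed: bytes) -> int:
    """H_1: derives the ephemeral secret key from the seed s_E (SHA-256 here)."""
    return int.from_bytes(hashlib.sha256(b"H1|" + seed).digest(), "big") % (P - 1)

class H2Oracle:
    """H_2 as a random oracle whose outputs are recorded, as the simulator B does."""

    def __init__(self) -> None:
        self.table: List[bytes] = []

    def __call__(self, j: int) -> bytes:
        out = hashlib.sha256(b"H2|" + j.to_bytes(16, "big")).digest()
        self.table.append(out)
        return out

def xor(*parts: bytes) -> bytes:
    out = bytes(32)
    for part in parts:
        out = bytes(a ^ b for a, b in zip(out, part))
    return out

def make_fo_proof(h2, s_E, ik_w_sk, ek_sk, ik_v_pk, sk_v_pk) -> bytes:
    """Initiator w: pi_E = s_E xor H2(dh1) xor H2(dh2) xor H2(dh3), with
    dh1 = SIDH(IK_w, IK_v), dh2 = SIDH(EK_E, IK_v), dh3 = SIDH(EK_E, SK_v)."""
    dh1, dh2, dh3 = sidh(ik_v_pk, ik_w_sk), sidh(ik_v_pk, ek_sk), sidh(sk_v_pk, ek_sk)
    return xor(s_E, h2(dh1), h2(dh2), h2(dh3))

def responder_verify(h2, pi_E, ek_pk, ik_w_pk, ik_v_sk, sk_v_sk) -> bool:
    """Honest responder v: recompute the three shared values with its own secrets,
    unmask s_E and accept only if H_1(s_E) regenerates the ephemeral key EK_E."""
    dh1, dh2, dh3 = sidh(ik_w_pk, ik_v_sk), sidh(ek_pk, ik_v_sk), sidh(ek_pk, sk_v_sk)
    s_E = xor(pi_E, h2(dh1), h2(dh2), h2(dh3))
    return keygen(h1(s_E)) == ek_pk

def simulator_extract(h2_table, pi_E, ek_pk, h2_dh1) -> Optional[int]:
    """Simulator B holds IK_v = K_1 without its secret, so it cannot compute dh2 or
    dh3.  It instead tries every pair (h, h') of recorded H_2 outputs and checks
    whether H_1(pi_E xor h xor h' xor H_2(SIDH(IK_w, K_1))) is EK_E's secret key."""
    for h, h_prime in itertools.combinations(h2_table, 2):
        cand = h1(xor(pi_E, h, h_prime, h2_dh1))
        if keygen(cand) == ek_pk:
            return cand
    return None

def run_demo() -> Tuple[bool, bool, bool, Optional[int]]:
    h2 = H2Oracle()
    # Constructed long-term (IK) and semi-static (SK) secrets, fixed for reproducibility.
    ik_w_sk, ik_v_sk, sk_v_sk = 0x1F3A5C7E9B2D4F61, 0x2A4C6E8091B3D5F7, 0x3B5D7F91A2C4E6F8
    ik_w_pk, ik_v_pk, sk_v_pk = keygen(ik_w_sk), keygen(ik_v_sk), keygen(sk_v_sk)

    # Honest initiator: ephemeral key derived from a seed through H_1, proof attached.
    s_E = hashlib.sha256(b"constructed seed s_E").digest()
    ek_sk = h1(s_E)
    ek_pk = keygen(ek_sk)
    pi_E = make_fo_proof(h2, s_E, ik_w_sk, ek_sk, ik_v_pk, sk_v_pk)
    honest_accepted = responder_verify(h2, pi_E, ek_pk, ik_w_pk, ik_v_sk, sk_v_sk)

    # Simulator view: knows IK_w's secret, hence H_2(SIDH(IK_w, K_1)), but not K_1's.
    h2_dh1 = h2(sidh(ik_v_pk, ik_w_sk))
    extracted = simulator_extract(h2.table, pi_E, ek_pk, h2_dh1)
    # With EK_E's secret in hand, B computes the missing j-invariant SIDH(EK_E, K_1).
    recovered_dh2 = extracted is not None and sidh(ik_v_pk, extracted) == sidh(ek_pk, ik_v_sk)

    # Forged proof with no matching H_2 queries: rejected by v, nothing for B to extract.
    pi_forged = hashlib.sha256(b"forged proof").digest()
    forged_accepted = responder_verify(h2, pi_forged, ek_pk, ik_w_pk, ik_v_sk, sk_v_sk)
    forged_extract = simulator_extract(h2.table, pi_forged, ek_pk, h2_dh1)
    return honest_accepted, recovered_dh2, forged_accepted, forged_extract
```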

Game \(6'\) is identical to Game 5 in the previous section. We therefore have

$$\begin{aligned} \textsf{Adv}^{1,7}_{3} \le m (\textsf{Adv}^{\textrm{hcdh}}(\mathcal {B}) + 1/2^n). \end{aligned}$$

B.3 Case \(E_5\) (wPFS)

This case relies on \(\textsf{EK}_A\) and \(\textsf{SK}_B\) not being revealed (wPFS assumes that, in the future, these secrets are unrecoverable). Alternatively, this proof could be reduced to \(\textsf{EK}_A\) and \(\textsf{EK}_B\) which are both purely ephemeral. However, because \(\textsf{EK}_B\) is optional in the Signal protocol (to avoid key exhaustion DoS), we reduce to the former scenario. In this case, we must again guess which of the signed semi-static keys will be used in the test session.

Game \(4''\). In this game, the challenger guesses the index \(j \in \{1, \ldots , m\}\), such that signed semi-static key \(\textsf{SK}_v^j\) is used in the test session. The game aborts if this guess is wrong. Hence,

$$\begin{aligned} \textsf{Adv}^{5}_{3} \le m \textsf{Adv}_{4''}. \end{aligned}$$

Game \(5''\) and \(6''\). These proceed exactly as in Games \(5'\) and \(6'\) of cases \(E_1\) and \(E_7\) above, but with the HCDH challenge keys inserted into \(\textsf{EK}_u\) and \(\textsf{SK}_v^j\). Furthermore, exactly as in the previous subsections, \(\mathcal {B}\) knows the secret keys needed to compute the \({\text {SIDH}}\) values of all exchanges except in two cases: an exchange with v as the responder using semi-static key \(\textsf{SK}_v^j\) (because \(\textsf{EK}_E\) is unknown and potentially maliciously chosen), and the specific subcase where \(\textsf{EK}_E = \textsf{EK}_u\). This is essentially identical to cases \(E_1\) and \(E_7\). We conclude that

$$\begin{aligned} \textsf{Adv}^{5}_{3} \le m (\textsf{Adv}^{\textrm{hcdh}}(\mathcal {B}) + 1/2^n). \end{aligned}$$

Finally, bringing all the game hops and cases together, we have

$$\begin{aligned} \textsf{Adv}^\textrm{kie}_{n,m,S} \le \ & p(n + nm + nS; |\mathcal {K}_2|) \\ & + p(n + nS; |\mathcal {K}_3|) \\ & + n^2 S \big [ \textsf{Adv}^{\textrm{vcdh}} + 2m\, \textsf{Adv}^{\textrm{hcdh}} + m/2^{n-1} \big ] \end{aligned}$$
(4)

where n is the number of participants, m is the number of semi-static keys per participant, and S is the maximum number of sessions run per party.

Because the VCDH and HCDH problems are hard if the SI-CDH problem is (shown in Sect. 3.1), it directly follows that SI-X3DH is secure if the standard SI-CDH problem is hard.

B.4 Deniability Proof Sketch

We now briefly sketch a proof of the offline deniability of SI-X3DH, in an identical manner to [VGIK20]. Intuitively, for Bob to prove Alice’s involvement, he would have to provide a Diffie–Hellman value \({\text {DH}}(A, \cdot \,)\) which he could not possibly have generated himself—it must therefore have been generated by Alice. Because no DH values are exchanged between Alice and Bob in X3DH or SI-X3DH, and because the KDH, K2DH and/or EKDH assumptions hold, this is impossible. On top of this, because neither protocol uses a signature on session-specific information (unlike [HKKP21]), there is no loss of deniability there either. The proof of offline deniability proceeds as an argument about simulatability, which we shall now sketch.

In the case of deniability for the initiator, given Alice’s public key \(\textsf{IK}_A\), the simulator \(\textsf{Sim}\) will generate \(x \leftarrow \mathcal {K}_3\) and compute \(\textsf{EK}_A\). \(\textsf{Sim}\) will then send this to Bob, who outputs keys \(\textsf{IK}_B, \textsf{SK}_B, \textsf{EK}_B\). The simulator can compute \(\textsf{dh}_2 = {\text {SIDH}}(\textsf{EK}_A, \textsf{IK}_B)\), \(\textsf{dh}_3 = {\text {SIDH}}(\textsf{EK}_A, \textsf{SK}_B)\), and \(\textsf{dh}_4 = {\text {SIDH}}(\textsf{EK}_A, \textsf{EK}_B)\) because x is known, but cannot compute \({\text {SIDH}}(\textsf{IK}_A, \textsf{IK}_B)\). Under the KDH-type assumptions, there must be an extractor for Bob’s key \(\textsf{IK}_B\); let us call it \(\hat{\mathcal {B}}\). If \(\hat{\mathcal {B}}\) outputs \(\hat{Z}\), then the shared key is \({\text {KDF}}(\hat{Z} \parallel \textsf{dh}_2 \parallel \textsf{dh}_3 \parallel \textsf{dh}_4)\)—the real shared key. On the other hand, if \(\hat{\mathcal {B}}\) outputs \(\bot \), then \(\textsf{Sim}\) chooses a session key at random. In either case, \(\textsf{Sim}\) also computes the FO-proof \(\pi \) using the session key it computed. In the second case, no PPT algorithm can compute \({\text {SIDH}}(\textsf{IK}_A, \textsf{IK}_B)\) without knowing \(\textsf{IK}_B\), so the random key is indistinguishable from the real key.

We come now to the case of deniability for the responder, given Bob’s public key \(\textsf{IK}_B\), and also a signed semi-static key \(\textsf{SK}_B, \textsf{Sig}_B(\textsf{SK}_B)\). The simulator will send these two public keys to Alice, who outputs a key \(\textsf{EK}_A\). Under the KDH-type assumptions, there exists an extractor \(\hat{\mathcal {A}}\) for Alice which will either output the required \({\text {SIDH}}\) values needed to compute the real key or will fail to output, in which case a random key will be indistinguishable from the real one as above. Thus, either way, assuming the KDH, K2DH and EKDH assumptions hold in the SIDH setting (which we claim they do), our SI-X3DH protocol is offline-deniable.

C Standard Key Indistinguishability Definitions

Let \(\mathcal {K}\) denote the space of all possible session keys that could be derived in an exchange between two parties. We model n parties \(P_1, \ldots , P_n\) through oracles \(\varPi _i^j\), denoting the j-th session run by participant \(P_i\). We limit the number of sessions per party by \(1 \le j \le S\). Each oracle has access to the secret key of the corresponding party \(P_i\)’s fixed long-term identity key \(\textsf{IK}_i\), as well as the secrets for each of the m semi-static keys \(\textsf{SK}_i^1, \ldots , \textsf{SK}_i^m\). Each oracle also has the following local variables:

  • \(\varPi _i^j.\textsf{rand}\): The fixed randomness of oracle i for its j-th session (where \(\varPi _i^j\) is deterministic based on this randomness).

  • \(\varPi _i^j.\textsf{role}\in \{ \bot \texttt {, init, resp}\} \): The role of participant i in their j-th exchange.

  • \(\varPi _i^j.\mathsf {sk\_id}\): The index \(\ell \) of the semi-static key \(\textsf{SK}_i^\ell \) that participant i uses in their exchange j.

  • \(\varPi _i^j.\mathsf {peer\_id}\): The index k of the alleged peer \(P_k\) in the j-th exchange of oracle i.

  • \(\varPi _i^j.\mathsf {peer\_sk\_id}\): The index \(\ell \) of the alleged peer’s semi-static key \(\textsf{SK}_\mathsf {peer\_id}^\ell \) used in the exchange.

  • \(\varPi _i^j.\textsf{sid}\): The session ID, explained further below.

  • \(\varPi _i^j.\textsf{status} \in \{ \bot \texttt {, accept, reject} \}\): Indicates whether the oracle has completed this session of the key exchange protocol and computed a session key from the exchange.

  • \(\varPi _i^j.\mathsf {session\_key}\in \mathcal {K}\): The computed session key.

These values are all initialised to \(\bot \) at the start of the security experiment, except \(\textsf{rand}\), which is initialised with random coins for each oracle. The oracle status is set to \(\texttt {accept}\) or \(\texttt {reject}\) on the computation of \(\mathsf {session\_key}\).

The session ID is a feature of the security experiment, not the real protocol. We define the session ID to be a tuple where \(\mathcal {I},\mathcal {R}\) denote the initiator and responder respectively, \(\varPi \) is a protocol identifier, and \(\textsf{EK}_\mathcal {R}\) is optional (so may be null). We say two sessions with the same \(\textsf{sid}\) are matching. This is done to prevent the adversary from making queries against any session matching the test session for the game, which would trivialise security. For a session \(\varPi _i^j\) we also define a partner session to be any session \(\varPi _k^\ell \) for which \(\varPi _i^j.\mathsf {peer\_id}= k\) and \(\varPi _k^\ell .\mathsf {peer\_id}= i\), \(\varPi _i^j.\textsf{role}\not = \varPi _k^\ell .\textsf{role}\), and \(\varPi _i^j.\textsf{sid}= \varPi _k^\ell .\textsf{sid}\). We say any two such sessions are partners. Note that if two sessions are partners, they are also, by definition, matching.

Setup. The security game is played between challenger \(\mathcal {C}\) and a probabilistic polynomial-time (PPT) adversary \(\mathcal {A}\). \(\mathcal {C}\) will generate identity keys for the n participants, \(\textsf{IK}_1, \ldots , \textsf{IK}_n\), and for each participant i, generate m semi-static keys \(\textsf{SK}_i^1, \ldots , \textsf{SK}_i^m\). \(\mathcal {C}\) will finally choose a uniformly random secret bit \(b \leftarrow \{0,1\}\), and provide \(\mathcal {A}\) with access to the oracles \(\varPi _i^j\).

Game. Adversary \(\mathcal {A}\) can adaptively make the following queries in the game:

  • Send\((i,j,\mu )\): Send an arbitrary message \(\mu \) to oracle \(\varPi _i^j\). The oracle will behave according to the key exchange protocol and update its status appropriately.

  • RevealIK(i): Return the secret long-term key(s) of participant i. After this, participant i is corrupted. See Remark 2.

  • RevealSK\((i, \ell )\): Return the \(\ell \)-th secret semi-static key of participant i. After this, \(\textsf{SK}_i^\ell \) is said to be revealed.

  • RevealEK\((i, j)\): Return the ephemeral key (i.e., the random coins) of the j-th session of participant i. After this, \(\textsf{EK}_i^j\) and \(\varPi _i^j.\textsf{rand}\) are said to be revealed.

  • RevealSessionKey\((i, j)\): Return \(\varPi _i^j.\mathsf {session\_key}\). After this, session \(\varPi _i^j\) is said to be revealed.

Test. At some point in the game, \(\mathcal {A}\) will issue a special \({\textbf {Test}}(i,j)\) query exactly once. \(\mathcal {C}\) will return \(K_b\) to the adversary, where \(K_0 := \varPi _i^j.\mathsf {session\_key}\) and \(K_1 \leftarrow \mathcal {K}\) (a random key from the keyspace). After this query is made, session \(\varPi _i^j\) is said to be tested. \(\mathcal {A}\) can continue to adaptively make queries to the above game functions after the Test query has been issued. Finally, \(\mathcal {A}\) outputs a bit \(b^* \in \{0,1\}\) as their guess. At this point, the tested session \(\varPi _i^j\) must be fresh. Freshness is defined in Definition 4, and the cases for freshness are also summarised in Table 2 for clarity. Let \(\textbf{fresh}(\textsf{session})\) return true if \(\textsf{session}\) is fresh, and false otherwise.

Definition 5 (Security)

Let \(\mathcal {A}\) be a PPT adversary. We define the advantage of \(\mathcal {A}\) in winning the above key indistinguishability experiment \(\textsf {kie}\) with n parties, m semi-static keys per party, and S sessions per party, as

$$ \textsf{Adv}^{\textrm{kie}}_{n,m,S}(\mathcal {A}) = \left| \Pr \, [ \, b = b^{*} \, \wedge \, \textbf{fresh}(\mathsf {test\_session}) \,] - \frac{1}{2} \right| . $$

An authenticated key exchange protocol \(\varPi \) is secure in the Signal-adapted-CK model if it is:

  • Correct: Any two parties following the protocol honestly derive the same \(\textsf{sid}\), \(\mathsf {session\_key}\), and both arrive at an accept state.

  • Sound: The advantage of any PPT adversary \(\mathcal {A}\) is \(\textsf{Adv}^{\textrm{kie}}_{n,m,S}(\mathcal {A}) \le \textsf{negl}\).

Remark 2

Note that, in SI-X3DH, each participant has two identity keys (a receiving key and a sending key). We assume both are revealed to the adversary when a \({\textbf {RevealIK}}\) query is made.

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

Cite this paper

Dobson, S., Galbraith, S.D. (2022). Post-Quantum Signal Key Agreement from SIDH. In: Cheon, J.H., Johansson, T. (eds) Post-Quantum Cryptography. PQCrypto 2022. Lecture Notes in Computer Science, vol 13512. Springer, Cham. https://doi.org/10.1007/978-3-031-17234-2_20

  • DOI: https://doi.org/10.1007/978-3-031-17234-2_20

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-17233-5

  • Online ISBN: 978-3-031-17234-2
