cispa_all_3419.pdf (467.92 kB)

Towards Post-Quantum Security for Signal's X3DH Handshake

Download (467.92 kB)
conference contribution
posted on 2023-11-29, 18:15 authored by Jacqueline Brendel, Marc Fischlin, Felix Günther, Christian Janson, Douglas Stebila
Modern key exchange protocols are usually based on the Diffie–Hellman (DH) primitive. The beauty of this primitive, among other things, is its potential reusage of key shares: DH shares can be either used a single time or in multiple runs. Since DH-based protocols are insecure against quantum adversaries, alternative solutions have to be found when moving to the post-quantum setting. However, most post-quantum candidates, including schemes based on lattices and even supersingular isogeny DH, are not known to be secure under key reuse. In particular, this means that they cannot be necessarily deployed as an immediate DH substitute in protocols. In this paper, we introduce the notion of a split key encapsulation mechanism (split KEM) to translate the desired key-reusability of a DH-based protocol to a KEM-based flow. We provide the relevant security notions of split KEMs and show how the formalism lends itself to lifting Signal’s X3DH handshake to the post-quantum KEM setting without additional message flows. Although the proposed framework conceptually solves the raised issues, instantiating it securely from post-quantum assumptions proved to be non-trivial. We give passively secure instantiations from (R)LWE, yet overcoming the above-mentioned insecurities under key reuse in the presence of active adversaries remains an open problem. Approaching one- sided key reuse, we provide a split KEM instantiation that allows such reuse based on the KEM introduced by Kiltz (PKC 2007), which may serve as a post-quantum blueprint if the underlying hardness assumption (gap hashed Diffie–Hellman) holds for the commutative group action of CSIDH (Asiacrypt 2018). The intention of this paper hence is to raise awareness of the challenges arising when moving to KEM-based key exchange protocols with key-reusability, and to propose split KEMs as a specific target for instantiation in future research.


Preferred Citation

Jacqueline Brendel, Marc Fischlin, Felix Günther, Christian Janson and Douglas Stebila. Towards Post-Quantum Security for Signal's X3DH Handshake. In: Selected Areas in Cryptography (SAC). 2020.

Primary Research Area

  • Reliable Security Guarantees

Name of Conference

Selected Areas in Cryptography (SAC)

Legacy Posted Date


Open Access Type

  • Unknown


@inproceedings{cispa_all_3419, title = "Towards Post-Quantum Security for Signal's X3DH Handshake", author = "Brendel, Jacqueline and Fischlin, Marc and Günther, Felix and Janson, Christian and Stebila, Douglas", booktitle="{Selected Areas in Cryptography (SAC)}", year="2020", }

Usage metrics


    No categories selected


    Ref. manager