From Key Encapsulation to Authenticated Group Key Establishment—A Compiler for Post-Quantum Primitives ^†

Abstract

Assuming the availability of an existentially unforgeable signature scheme and an (IND- CCA secure) key encapsulation mechanism, we present a generic construction for group key establishment. The construction is designed with existing proposals for post-quantum cryptography in mind. Applied with such existing proposals and assuming their security, we obtain a quantum-safe three-round protocol for authenticated group key establishment that requires only one signature per protocol participant.

1. Introduction

To enable confidential communication among a group of two or more users over an insecure network, cryptography provides group key establishment procotols. Dealing with a non-trusted communication infrastructure, the question of authenticating protocol participants naturally arises in this context as well. The resulting cryptographic protocols are commonly application-agnostic and focus only on the task of establishing a shared high-entropy secret among the legitimate users, not mandating any particular usage of that secret key in subsequent applications. The resulting task, authenticated group key establishment (AGKE), is fairly well-understood, even though there is a remarkable diversity in the details of security models in use. A standard technique to derive an AGKE solution is to apply some form of protocol compiler or generic framework to a passively secure solution. If a public-key infrastructure is available, signatures provide an adequate mechanism. This results commonly in protocols with a substantial number of signatures being computed, transmitted, and verified:

• In the Katz-Yung compiler [1], for each message sent in the original protocol, a signature has to be computed and transmitted (and verified). For instance, Apon et al. [2] propose the application of this compiler for their unauthenticated group key establishment solution.
• The compiler made by Bresson et al., C-AMA [3] requires a signature for each message in the original protocol, plus one more for each protocol participant (and according signature verifications).
• Bohli’s framework for robust group key agreement [4] targets two-round protocols, and in each round each participant sends a signed message (and verifies signatures by all other participants).

A popular AGKE building block is the traditional Diffie–Hellman two-party key exchange. This one-round protocol for two parties enables elegant two-round solutions for group key establishment—the Burmester–Desmedt protocol [5] offering a prominent design. Using a compiler (or a tailored design approach), deriving an AGKE solution with two or three rounds has by now become standard practice. Regrettably, owing to Shor’s algorithm for solving discrete logarithms [6], the traditional Diffie–Hellman protocol is no longer a viable building block for post-quantum AGKE. While the cryptanalytic threat of quantum computers should not be overstated (cf., e.g., [7,8]), in view of steady technological progress, it is, therefore, necessary to provide new solutions that will be robust in the post-quantum setting.

With the current status of quantum cryptanalysis, it is clear that mathematical tools relying on the hardness of factoring or computing discrete logarithms are no longer an option. Regrettably, no “silver bullet” is known that would allow a seamless replacement of today’s solutions with quantum-safe ones. In this scenario, the cost of integrating signatures in a protocol can differ quite a bit from the familiar setting. Specifically, for hash-based designs, arguably one of the most popular approaches for post-quantum signing, the size of signatures remains an issue. For instance, proposed instances of the SPHINCS${}^{+}$ design have signature lengths between 8080 and 49,216 bytes [9]. Taking this into account, a compiler by Tang and Mitchell [10] appears more attractive from today’s post-quantum perspective. Assuming the a priori availability of a unique session identifier that is distributed among the protocol participants, Tang and Mitchell present a compiler where each participant computes and transmits only one signature (and performs signature verifications).

Our Contribution

With the current state of the the art, key encapsulation mechanisms (KEMs) are a natural starting point for implementing key establishment solutions in a post-quantum setting. This is evident, for example, when looking at the ongoing NIST standardization effort [11], where the vast majority of candidates for public-key encryption and key exchange are indeed presented as KEMs. In this paper, we show how to derive a three-round AGKE using KEMs, where no participant signs more than one message. This is one round less than applying the Katz–Yung compiler to Apon et al.’s unauthenticated three-round protocol [2], and differing from the Katz–Yung-based construction, our approach requires only one signature per protocol participant. The signature scheme we use is assumed to be EUF-CMA secure, and the KEM we involve is assumed to be IND-CCA secure.

2. Preliminaries

Here and in the subsequent sections, the security parameter will be denoted by ℓ, and notions like polynomial time or negligible refer to that parameter.

2.1. Key Encapsulation Mechanism

A main technical tool in our construction are key encapsulation mechanisms (introduced by Shoup in [12]), which are a structure similar to public-key encryption schemes, with the main difference being that the goal is to encrypt (“encapsulate”) a randomly-generated symmetric key. A formal definition is as follows.

Definition 1 (Key Encapsulation Mechanism).

A key encapsulation mechanism (KEM) is a triple of polynomial time algorithms $(\mathtt{KeyGen},\mathtt{Encaps},\mathtt{Decaps})$ as follows:

KeyGen

is probabilistic. Given the security parameter ℓ, it generates a pair of public and secret keys $(pk,sk)$.

Encaps

is probabilistic. Given a public key $pk$, it generates a pair $(K,C)$ where $K\in {\{0,1\}}^{\ell }$ is a symmetric key and C is an encapsulation of this key under the public key $pk$.

Decaps

is deterministic. Given a secret key $sk$ and an encapsulation C, this algorithm outputs the symmetric key K or a special error symbol ⊥.

For our purposes, the KEM needs to be perfectly correct, i.e., we require that for all key pairs $(pk,sk)$ generated by KeyGen the following correctness condition holds: if $(K,C)$ is an output of $\mathtt{Encaps}(pk)$, then ${\mathtt{Decaps}}_{sk}(C)=K$.

The most relevant notion to capture the security of a KEM is that of indistinguishability under chosen-ciphertext attacks (also defined in [12]), which is once again similar to the usual one for PKEs, except that the adversary is now asked to distinguish between an honestly encapsulated key and a pseudorandom value. We provide a formal definition below.

Definition 2 (IND-CCA Security).

A KEM is IND-CCA secure if the advantage of any probabilistic polynomial time adversary $\mathcal{A}$ in the game described in Figure 1, as a function in the security parameter, is negligible. Here the advantage of an adversary $\mathcal{A}$ is defined as ${\mathrm{Adv}}_{\mathcal{A}}^{\mathrm{IND}-\mathrm{CCA}}(\ell )=|2·Pr[b=b^{\prime }]-1|$.

2.2. Signature Scheme

To formalize a signature scheme, we follow the usual approach.

Definition 3 (Signature).

A signature is a triple of polynomial time algorithms $(\mathtt{SigKeyGen},\mathtt{Sign},\mathtt{Verify})$ as follows:

• SigKeyGenis probabilistic. Given the security parameter ℓ, it generates a pair of public and secret keys $(vk,sigk)$.
• Signis probabilistic. Given a secret key $sigk$ and a message M it generates a signature σ.
• Verifyis deterministic. Given a public key $vk$, a signature σ, and a message M, this algorithm outputs 1 if the signature is valid and 0 otherwise.

We require that for all key pairs $(vk,sigk)$ generated bySigKeyGenand for all messages M the following correctness condition holds: If σ is an output of $\mathtt{Sign}(sigk,M)$, then ${\mathtt{Verify}}_{vk}(\sigma ,M)=1$.

The security notion usually required for signatures is existential unforgeability under chosen message attacks, and we capture it by the following definition.

Definition 4 (EUF-CMA security).

A signature scheme is EUF-CMA secure if the advantage of any probabilistic polynomial time adversary $\mathcal{A}$ in the game described in Figure 2 is negligible. Here the advantage of an adversary $\mathcal{A}$ is defined as the function ${\mathrm{Adv}}_{\mathcal{A}}^{\mathrm{EUF}-\mathrm{CMA}}(\ell )=Pr[{\mathrm{Succ}}_{\mathcal{A}}^{\mathrm{EUF}-\mathrm{CMA}}]$, where ${\mathrm{Succ}}_{\mathcal{A}}^{\mathrm{EUF}-\mathrm{CMA}}$ is the event that $\mathcal{A}$ wins.

3. Security Model and Security Goals

The security model we use follows the oracle-based approach to capture adversarial capabilities—this approach is also used by Katz and Yung [1], for instance, building on the work of Bresson et al., work [13].

3.1. Protocol Participants

Given a security parameter ℓ, we assume that the set of protocol participants $\mathcal{U}$ is polynomial in ℓ. We model each user $U\in \mathcal{U}$ as a probabilistic polynomial time algorithm which is allowed to execute a polynomial number of protocol instances ${\Pi }_U^s$ ($s\in \mathbb{N}$) concurrently. We assume user identities to be bitstrings of identical length ℓ and to keep notation simple, throughout we will use U referring to both the bitstring identifying a user U and the algorithm U itself. Let ${\Pi }_U^s$ be a protocol instance, the following seven variables are associated with it:

${\mathsf{pid}}_U^s$:

stores the identities of those users in $\mathcal{U}$ with which a key is to be established a particular instance aims at establishing a key with, including U (this ensures being partnered is thus a reflexive relation);

${\mathsf{sid}}_U^s$:

stores a session identifier, i.e., a non-secret public identifier for the session key ${\mathsf{sk}}_U^s$;

${\mathsf{sk}}_U^s$:

stores a distinguished null value and after a successful protocol run holds the session key;

${\mathsf{acc}}_U^s$:

is set to true if the session key stored in ${\mathsf{sk}}_U^s$ has been accepted;

${\mathsf{state}}_U^s$:

keeps state information needed while executing the protocol (e.g., the secret scalars used as ephemeral Diffie–Hellman keys);

${\mathsf{term}}_U^s$:

is set to true if this protocol execution has terminated;

${\mathsf{used}}_U^s$:

indicates if this instance is used, i.e., currently involved in a protocol execution.

3.2. Initialization

Before actual protocol executions take place, we allow an optional trusted initialization phase without adversarial interference. During this phase, for each user public and private key pairs $(p{k}_U,a{k}_U)$ can be generated and distributed accordingly. These private and public keys can include the ones corresponding to a KEM, a signature scheme, etc. The initialization phase can also be used to issue (possibly needed) further public parameters.

3.3. Adversarial Capabilities and Communication Network

The adversary $\mathcal{A}$ is represented as a probabilistic polynomial time algorithm with full control over the communication network. The network is, therefore, fully asynchronous, non-private, allowing arbitrary point-to-point connections among users. More specifically, we express the capabilities of the adversary through the following oracles:

$\mathsf{Send}(U,s,M):$

This oracle can be used in two ways.

• The adversary can initialize a protocol execution; sending the special message $M=\{U_{i_1},\dots ,U_{i_r}\}\subseteq \mathcal{U}$ to an unused instance ${\Pi }_U^s$ with $U\in M$ initializes a protocol run among $U_{i_1},\dots ,U_{i_r}$. After such a query, ${\Pi }_U^s$ sets ${\mathsf{pid}}_U^s:=\{U_{i_1},\dots ,U_{i_r}\}$, ${\mathsf{used}}_U^s:=$ true, and processes the first step of the protocol.
• The message M is sent to instance ${\Pi }_U^s$. The oracle returns the protocol message output by ${\Pi }_U^s$ after receiving M.

$\mathsf{Reveal}(U,s):$

returns the stored session key $s{k}_U^s$ if ${\mathsf{acc}}_U^s=$ true and a null value otherwise.

$\mathsf{Corrupt}(U):$

for a user $U\in \mathcal{U}$ this query returns U’s long-term secret key $a{k}_U$.

Notice that, unlike $\mathsf{Reveal}$, $\mathsf{Corrupt}$ refers to a user instead of to an individual protocol instance.

We consider an adversary to be active if it has access to all of the above oracles. To capture a passive adversary, we can replace access to $\mathsf{Send}$ oracle with access to an $\mathsf{Execute}$ oracle, which returns a complete protocol transcript among the specified unused instances. An active adversary can simulate this $\mathsf{Execute}$ oracle using $\mathsf{Send}$ in the natural way.

For technical reasons, we introduce one more oracle, $\mathsf{Test}$, and $\mathcal{A}$ must submit exactly one query of the form $\mathsf{Test}(U,s)$ with an instance ${\Pi }_U^s$ that has accepted a session key, i.e., with ${\mathsf{acc}}_U^s=$ true. In response to such a query, a bit $b\leftarrow \{0,1\}$ is sampled uniformly at random. For the case $b=1$, the established session key stored in ${\mathsf{sk}}_U^s$ is returned. For $b=0$ the output is a uniformly random element sampled from the space of session keys. The idea is that for a secure group key establishment protocol, no efficient adversary can distinguish between the cases $b=0$ and $b=1$. To turn this idea into a definition, we exclude trivial cases and focus on correct group key establishment protocols:

Definition 5 (Correctness).

A group key establishment is said to be correct if on honest delivery of all messages and all users being honest, a single protocol execution among users $U_0,\dots ,U_{n-1}$ involves n instances ${\Pi }_0^{s_0},\dots ,{\Pi }_{n-1}^{s_{n-1}}$ such that with overwhelming probability all of the following hold:

• all users accept, i.e., ${\mathsf{acc}}_0^{s_0}=\cdots ={\mathsf{acc}}_{n-1}^{s_{n-1}}=\mathrm{TRUE}$;
• all users obtain the same session identifier, i.e., ${\mathsf{sid}}_0^{s_0}=\cdots ={\mathsf{sid}}_{n-1}^{s_{n-1}}$;
• all users accept the same session key, i.e., ${\mathsf{sk}}_0^{s_0}=\cdots ={\mathsf{sk}}_{n-1}^{s_{n-1}}\ne \mathrm{NULL}$ associated with the same session identifier ${\mathsf{sid}}_0^{s_0}$;
• all communication partners are specified as desired communication partner, i.e., ${\mathsf{pid}}_0^{s_0}=\cdots ={\mathsf{pid}}_{n-1}^{s_{n-1}}=\{U_0,\dots ,U_{n-1}\}$.

Correctness refers to a scenario where no attack takes place; to formulate security guarantees we need to specify the circumstances under which a correct guess for the random bit used by the Test oracle constitutes a possible attack. For this we use the following notions of partnering and freshness.

Definition 6 (Partnering).

Two instances ${\Pi }_{U_i}^{s_i}$ and ${\Pi }_{U_j}^{s_j}$ are partnered if ${\mathsf{sid}}_{U_i}^{s_i}={\mathsf{sid}}_{U_j}^{s_j}$, ${\mathsf{pid}}_{U_i}^{s_i}={\mathsf{pid}}_{U_j}^{s_j}$, and ${\mathsf{acc}}_{U_i}^{s_i}={\mathsf{acc}}_{U_j}^{s_j}=$true.

Based on this notion, we can determine what a fresh instance is, i.e., an instance where the adversary does not know the session key for trivial reasons.

The following formulation allows an adversary $\mathcal{A}$ to reveal all secret keys without violating freshness, provided $\mathcal{A}$ does not send any “relevant” messages afterwards. Therefore, security in the sense of Definition 8 below implies forward secrecy:

Definition 7 (Freshness).

An instance ${\Pi }_i^{s_i}$ is called fresh if none of the following two conditions hold:

• For some $U_j\in {\mathsf{pid}}_i^{s_i}$ a $\mathsf{Corrupt}(U_j)$ query was executed before a query of the form $\mathsf{Send}(U_k,s_k,\ast )$ has taken place where $U_k\in {\mathsf{pid}}_i^{s_i}$.
• A query $\mathsf{Reveal}(U_j,s_j)$ with ${\Pi }_i^{s_i}$ and ${\Pi }_j^{s_j}$ being partnered occurred.

We write ${\mathsf{Succ}}_{\mathcal{A}}^{\mathsf{ke}}$ for the event that $\mathcal{A}$ queries $\mathsf{Test}$ with a fresh instance according to Definition 7 and outputs a correct guess for the $\mathsf{Test}$ oracle’s bit b.

Definition 8 (Semantic security).

A key establishment protocol is said to be semantically secure, if the advantage ${\mathrm{Adv}}_{\mathcal{A}}^{\mathrm{ke}}=|2·Pr[{\mathsf{Succ}}_{\mathcal{A}}^{\mathrm{ke}}]-1|$ is negligible for all probabilistic polynomial time algorithms $\mathcal{A}$.

To make explicit that adversaries are considered to be active, i.e., have access to the $\mathsf{Send}$ oracle, it is common to refer to a group key establishment protocol as authenticated. On the other hand, we speak of unauthenticated group key establishment if the adversaries are passive.

4. Proposed Construction

The proposed generic construction for designing an authenticated group key establishment for n users $U_0,\dots ,U_{n-1}$ is shown in Figure 3. It builds on an available key encapsulation mechanism and a signature scheme. The following theorem shows that the proposed construction offers a provable security guarantee, if the underlying primitives meet standard security requirements.

Theorem 1.

Assuming $\mathcal{S}$ is an EUF-CMA secure signature scheme and $\mathcal{E}$ is an IND-CCA secure KEM, the protocol from Figure 3 is correct and semantically secure.

Proof. 

We can easily verify the protocol correctness: if all the participants follow the protocol description and there is no active adversarial interference, then all checks will succeed and every participant will set the same $\mathsf{pid}$ and $\mathsf{sid}$. Moreover every participant will receive the correct ${\left\{X_j\right\}}_{j=0}^{n-1}$ and consequently they will be able to compute the same session key $K_0$.

To illustrate the security of our compiler, we use the “game hopping” technique, where we let the adversary $\mathcal{A}$ interact with a simulator $\mathcal{B}$. We denote by $\mathrm{Adv}(\mathcal{A},G_i)$ the advantage of the adversary in Game i. The security parameter is denoted by ℓ. Further, we denote by $q_e$ and $q_s$ the maximum number of queries made by the adversary to the $\mathsf{Execute}$ and $\mathsf{Send}$ oracles, respectively.

Game 0. This game is identical to the original attack game, with all the oracles being simulated as in the real protocol. Therefore,

$$\mathrm{Adv}(\mathcal{A},G_0)={\mathrm{Adv}}_{\mathcal{A}}^{\mathrm{ke}}(\ell ).$$

Game 1. Let $\mathsf{Forge}$ be the event that the adversary succeeds in forging an authenticated message $p{k}_0,\dots ,p{k}_{n-1},C_0,\dots ,C_{n-1},X_i,pi{d}_i,{\sigma }_i$ of at least one party $U_i$ without having queried $\mathsf{Corrupt}(U_i)$ and where all the values signed involved $p{k}_0,\dots ,p{k}_{n-1},C_0,\dots ,C_{n-1},X_i,pi{d}_i,{\sigma }_i$ were not output by a same $U_i$’s instance. Any time this event occurs, we abort and mark this as success for the adversary.

An adversary $\mathcal{A}$ that can achieve $\mathsf{Forge}$ can be used to construct an adversary ${\mathcal{A}}^{\prime }$ that forges a signature in the EUF-CMA game: the given public key is assigned randomly to $U_i$, one of the users; all other participants are initialized as the protocol indicates; afterwards all the queries in the security game are answered faithfully and when a signature by the chosen user is needed, the signing oracle of the EUF-CMA game is queried to produce it.

The probability of the adversary choosing $U_i$ when assigning the public key for the signature is at least $1/|\mathcal{U}|$, and with $|\mathcal{U}|$ being polynomial size, this is non-negligible:

$${\mathrm{Adv}}_{{\mathcal{A}}^{\prime }}^{\mathrm{EUF}-\mathrm{CMA}}\ge \frac{1}{|\mathcal{U}|}·Pr(\mathsf{Forge}),$$

which yields

$$|\mathrm{Adv}(\mathcal{A},G_0)-\mathrm{Adv}(\mathcal{A},G_1)|\le {\mathrm{poly}}_{\mathsf{Forge}}(\ell )·{\mathrm{Adv}}_{{\mathcal{A}}^{\prime }}^{\mathrm{EUF}-\mathrm{CMA}},$$

for a polynomial bound ${\mathrm{poly}}_{\mathsf{Forge}}$ on $|\mathcal{U}|$.

Game 2. This game is exactly as Game 1 except that a session t is chosen uniformly at random. If the $\mathsf{Test}$ query does not occur in the t-th session the game aborts, and we count it as win for the adversary. As the number of active protocol instances is polynomially bounded, we have

$$\mathrm{Adv}(\mathcal{A},G_1)\ge {\mathrm{poly}}_{\mathsf{Test}}(\ell )·\mathrm{Adv}(\mathcal{A},G_2),$$

for a polynomial bound ${\mathrm{poly}}_{\mathsf{Test}}$ on the number of protocol sessions activated.

Game 3. This game is identical to the previous game, except that the simulation of the $\mathsf{Send}$, $\mathsf{Execute}$ and $\mathsf{Test}$ oracles is modified as follows. The symmetric key $K_0$ output by $\mathtt{Encaps}(p{k}_0)$ in the $\mathsf{Test}$ instance ${\Pi }_0^t$ is replaced with a random key $K^{\ast }$ chosen from ${\{0,1\}}^{\ell }$.

In order to bound the difference in the advantages between Games 2 and 3, we will build, from an adversary $\mathcal{A}$ ble to distinguish between both games, an adversary $\mathcal{B}$ attacking the key encapsulation mechanism $\mathcal{E}$ such that

$$|\mathrm{Adv}(\mathcal{A},G_2)-\mathrm{Adv}(\mathcal{A},G_3)|\le 2·{\mathrm{Adv}}_{\mathcal{B}}^{\mathrm{IND}-\mathrm{CCA}}(\ell ),$$

where ${\mathrm{Adv}}_{\mathcal{B}}^{\mathrm{IND}-\mathrm{CCA}}(\ell )$ denotes the advantage of a probabilistic polynomial time adversary $\mathcal{B}$ attacking $\mathcal{KEM}$. To establish this bound, we assume that $\mathcal{B}$, which runs $\mathcal{A}$ as an auxiliary algorithm, can access a simulation of $\mathcal{KEM}$. Further, $\mathcal{B}$ executes the key generation algorithm of $\mathcal{S}$ for each user $U_i,$ thus obtaining a pair of keys $(v{k}_i,sig{k}_i)$ for the signature scheme. Adversary $\mathcal{B}$ also executes the key generation algorithm of $\mathcal{KEM}$ for user $U_0,$ and obtains the public key corresponding to users $U_1,\dots ,U_n$. Our adversary $\mathcal{B}$ obtains a challenge $(C^{\ast },K_0,K_1)$ as described in Definition 1, and we have to describe how $\mathcal{B}$ answers to $\mathcal{A}$’s queries:

• Whenever a query $\mathsf{Corrupt}(U_i)$ is made by $\mathcal{A}$, $\mathcal{B}$ generates the keys for the signature and returns $sig{k}_i$ as answer to $\mathcal{A}$.
• To answer a $\mathsf{Send}$ query for Round 2 involving $U_0$, $\mathcal{B}$ uses the challenge encapsulation $C^{\ast }$. The rest of the answers are generated as in a real execution of the protocol.
• To answer an $\mathsf{Execute}$ query by $\mathcal{A}$, our adversary $\mathcal{B}$ modifies the messages as described for the simulation of the $\mathsf{Send}$ oracle.
• A $\mathsf{Reveal}$ query by $\mathcal{A}$ is answered in a similar way as a $\mathsf{Send}$ or $\mathsf{Execute}$ query. Notice that a $\mathsf{Reveal}$ query cannot be made on t or any partnered instance. To answer any other $\mathsf{Reveal}$ query $\mathcal{B}$ uses the decapsulation oracle of its IND-CCA game.
• Finally, to answer a $\mathsf{Test}$ query, a bit $b^{\prime }$ is chosen by $\mathcal{B}$ when starting the simulation. $\mathcal{B}$ will return the key $K_{b^{\prime }}$ received from the KEM challenger to $\mathcal{A}$.

At some point $\mathcal{A}$ will output a bit $b^{″}$ as a guess for $b^{\prime }$ which will determine the output b of $\mathcal{B}$ for the KEM challenge. Specifically, $\mathcal{B}$ outputs $b=0$ if and only if $b^{\prime }=b^{″}$. Taking into account that the view of $\mathcal{A}$ is identical to Game 2, if the answers of $\mathcal{B}$’s simulation of $\mathsf{Test}$ are real keys and to Game 3 if the answers of $\mathcal{B}$’s simulation of $\mathsf{Test}$ are random ones, we obtain that $|\mathrm{Adv}(\mathcal{A},G_2)-\mathrm{Adv}(\mathcal{A},G_3)|$ is bounded by $2·{\mathrm{Adv}}_{\mathcal{B}}^{IND-CCA}$.

To conclude the proof, we can see that the advantage of the adversary in Game 3 equals 0, as the session keys are chosen uniformly at random in ${\{0,1\}}^{{\kappa }_{\ell }}$. Collecting all the advantages, we can see that ${\mathrm{Adv}}_{\mathcal{A}}^{\mathrm{ke}}$ is indeed negligible. □

4.1. Remark

We would like to point out that our scheme, as described above, meets precisely the security criteria described in Section 3. It would be possible to adjust our construction to capture additional security notions, for instance introducing contributory properties. In this case, only a minor modification becomes necessary. In fact, since all of $K_0,\dots ,K_{n-1}$ are available to each legitimate user, one could choose $K_0\oplus \cdots \oplus K_{n-1}$ as session key, rather than just $K_0$. The proof would then be amended accordingly, as follows: in Game 3, after replacing $K_0$ with $K^{\ast }$, produce a pseudorandom session key as $K^{\ast }\oplus \cdots \oplus K_{n-1}$. The pseudorandomness follows immediately from the fact that $K^{\ast }$ is chosen uniformly at random in ${\{0,1\}}^{\ell }$.

4.2. Instantiation

To instantiate the above AGKE construction, there are various natural options both for KEMs and signature schemes. Some possible candidates for quantum-safe KEMs include [14,15,16,17]. Moreover, examples for candidates of post-quantum signature schemes are offered by [9,18]. The particular choice of schemes can be made taking into account their efficiency or the assumption their security relies on. Different applications may have different preferences for prioritizing, e. g., public-key size over signature size.

5. Conclusions

The protocol compiler presented here offers a convenient approach to systematically design authenticated group-key establishment protocols in a post-quantum scenario. Keeping the number of signatures needed low (one per user), gives a protocol designer flexibility in the type of post-quantum signature signature scheme to be deployed. With three rounds, the round complexity that is achievable with currently available key encapsulation mechanisms appears quite attractive, too.