Security Analysis of Signal's PQXDH Handshake


Research area: Analysis



Venue: IACR International Conference on Public-Key Cryptography


Abstract

Signal recently deployed a new handshake protocol named PQXDH to protect against "harvest now, decrypt later" attacks by a future quantum computer. To this end, PQXDH adds a post-quantum KEM to the Diffie–Hellman combinations of the prior handshake. In this work, we give a reductionist security analysis of Signal's PQXDH handshake in a game-based security model that captures the targeted "maximum-exposure" security against both classical and quantum adversaries, allowing fine-grained compromise of users' long-term, semi-static, and ephemeral key material. We augment prior such models to capture not only the added KEM component but also the signing of public keys, which prior analyses did not capture but which adds an additional flavor of post-quantum security in PQXDH. We then establish fully parameterized, concrete security bounds for the classical and post-quantum session key security of PQXDH, and discuss how design choices in PQXDH make a KEM binding property necessary and how a lack of domain separation reduces the achievable security. Our discussion of KEM binding and domain separation complements the concurrent tool-based analysis of PQXDH by Bhargavan, Jacomme, Kiefer, and Schmidt (USENIX Security 2024), which pointed out a potential re-encapsulation attack if the KEM shared secret does not bind the public key. In contrast to the tool-based analysis, we analyze all protocol modes of PQXDH and its "maximum-exposure" security. We further show that both (used in PQXDH) and the NIST standard (expected to replace ) satisfy a novel binding notion we introduce and rely on for our analysis, which may be of independent interest.


Authors

Felix Günther
IBM Research Europe – Zurich, Rüschlikon, Switzerland

Rune Fiedler
Cryptoplexity, Technische Universität Darmstadt, Darmstadt, Germany

Paper information

Publication year: 2025
Citations: 0
Publication countries: Germany, Switzerland
Site: Springer
