
1 Introduction

1.1 Background

It is well known that widely deployed cryptographic schemes (e.g., RSA and ECC) can be broken by using a large-scale quantum computer (Shor 1997). Hence, we should develop new cryptosystems based on quantum-resistant mathematical problems (called post-quantum cryptography (PQC)).

Group key exchange (GKE) is an important cryptographic primitive, and has been studied for a long time (since the seminal two-party Diffie–Hellman key exchange). In GKE, the number of rounds is a crucial measure of efficiency, and obtaining a constant-round GKE protocol is considered a minimum desirable requirement. Traditionally, the Burmester and Desmedt (BD) KE protocol (Burmester and Desmedt 1994) has been widely known for its simplicity and small round complexity, just two rounds. Subsequently, Just and Vaudenay (JV) (1996) generalized the BD construction so that any two-party KE can be used for obtaining GKE. However, their description was sketchy and a rigorous security proof was not presented (see also Boyd and Mathuria 2003).

In the post-quantum setting, there exist two variants of BD-type GKE protocols, from lattices (Apon et al. 2019) and from isogenies (Furukawa et al. 2018). Apon et al. (2019) proposed a lattice-based BD-type GKE from the Ring-LWE (R-LWE) assumption (in the random oracle model), in which the authors elaborately adjusted the original security proof to their new post-quantum setting. However, since the underlying R-LWE assumption depends on the number of group members, n, the size of data also grows with n. Furukawa et al. (2018) proposed an isogeny-based BD-type GKE protocol called SIBD. However, the security proof of SIBD (Theorem 4 in Furukawa et al. 2018) is imperfect, and several points remain unclear, for example, how to simulate some public variables. Applying the JV-type compiler to a post-quantum two-party KE is also a reasonable approach; however, its (post-quantum) security proof requires a rigorous treatment.

As a result, we lack a post-quantum constant-round GKE protocol with a rigorous and reasonable security proof. We next consider what are reasonable underlying assumptions. The size of a problem instance in the above R-LWE setting is linear in the number of group members, n. Traditionally, in pairing-based cryptography, such linear-sized assumptions are called “non-static”, “dynamic”, or “q-type”, which are not desirable from efficiency and security viewpoints. In a line of research in pairing-based cryptography, q-type assumptions were successfully replaced by static ones (e.g., Kowalczyk and Wee 2019; Okamoto and Takashima 2010; Takashima 2014). Hence, we have the following problem as our target:

Can we obtain (provably secure) post-quantum constant-round group key exchange from static assumptions?

Recent cryptography research also considers tight security reduction (from a static assumption). In fact, the original BD GKE is proven tightly secure from the standard DDH assumption (Theorem 6). For obtaining tight security proof, it is not enough to employ a general form of the JV-type transformation which includes a general KDF function to a cyclic group \(\mathbb {G}\) (denoted KDF\(_{\mathbb {G}}\)). We need a construction without using (general) KDF\(_\mathbb {G}\) functions for tight security since KDF\(_\mathbb {G}\) breaks mathematical structures in the underlying two-party KE.

1.2 Our Contributions

We revisit previous post-quantum BD-type GKE schemes (Apon et al. 2019; Furukawa et al. 2018) and the JV compiler for GKE (Boyd and Mathuria 2003; Just and Vaudenay 1996), and reformulate them under a provably secure generic compiler. We obtain two families of GKE protocols from static assumptions.

The first family of GKE protocols obtained from the general compiler is a constant-round GKE (from a two-party KE protocol) by using a secure KDF\(_\mathbb {G}\) (Theorem 3). As special cases, we have such GKE from static Ring-LWE (R-LWE), where “static” means that the parameter size in the R-LWE does not depend on the number of group members, n (Corollary 1) and the standard SI-DDH and CSI-DDH assumptions (Corollary 2). The first family has a limitation that they cannot have a tight security proof since a general KDF\(_\mathbb {G}\) is used.

The second family consists of two-round GKE protocols, which are proven secure from new isogeny assumptions, the first (resp. second) of which is based on the SIDH (resp. CSIDH) KE (Theorem 4 (resp. Theorem 5)). They are called SI-PBD and CSI-PBD GKEs, respectively. The underlying new static assumptions are obtained from the indistinguishability between a random product of supersingular invariants and a random value (in an appropriate finite field), and seem to be of independent interest. They are called DSJP (Decisional Supersingular j-invariants Product) and DSMP (Decisional Supersingular Montgomery coefficients Product) assumptions, respectively. As the second family needs no KDF\(_\mathbb {G}\), it may have some merit as an approach to tightly secure GKE. (However, we have not yet succeeded in this.)

Note that we have the Katz–Yung (KY) generic compiler from KE to authenticated KE (AKE) (Katz and Yung 2007), in which a signature scheme is required. Very interestingly, the first practical isogeny-based signature scheme, CSI-FiSh, was recently proposed (Beullens et al. 2019). Therefore, we have a practical authenticated GKE (AGKE) by applying the KY compiler to our isogeny-based GKE and CSI-FiSh, both of which are post-quantum from isogenies. (Refer to Bernstein et al. 2019; Peikert 2019 for recent estimates on post-quantum security of CSIDH and CSI-FiSh.) Since we have several lattice-based signatures, e.g., Ducas et al. (2018), Fouque et al. (2017), Akleylek et al. (2017), we also have lattice-based AGKE from our lattice GKE.

1.3 Key Techniques

Hereafter, the user indices are taken in a cycle: for example, \(h_{n+1}:=h_1\) and \(h_0:=h_n\). We first review the BD GKE protocol briefly. It is defined on a cyclic group \(\mathbb {G}\) of a prime order q and a generator \(g \in \mathbb {G}\) as follows:  

Round-1.:

Each user i generates \(a_i \,\leftarrow _R\,\mathbb {Z}/q\mathbb {Z}\), \(h_i := g^{a_i}\) and broadcasts \(h_i\).

Round-2.:

Each user i calculates \(J_{i-1,i} := (h_{i-1})^{a_i}\), \(J_{i,i+1} := (h_{i+1})^{a_i}\) and \(u_i := J_{i,i+1} \cdot J^{-1}_{i-1,i}\). User i broadcasts \(u_i\).

KeyComp.:

User i calculates \(K_i :=J_{i-1,i}^n \cdot u_i^{n-1} \cdot u_{i+1}^{n-2} \cdots u_{i-2}\). Then, \(K :=K_i = J_{1,2} \cdot J_{2,3} \cdots J_{n,1}\) is the shared key among the n users.

In the (tight) security proof of the BD key exchange protocol from DDH on \(\mathbb {G}\), we should simulate broadcast values \((h_i,u_i)_{i \in [n]}\) as well as embed the DDH challenge element into the challenge shared key K.

The SIBD protocol (Furukawa et al. 2018) is obtained from the above BD GKE by replacing \((h_i, J_i)\) with invariants of supersingular elliptic curves. Since the invariants are given by elements in finite fields, we also have

$$\begin{aligned} u_i := J_{i,i+1} \cdot J^{-1}_{i-1,i}, \ \ \ K :=K_i :=J_{i-1,i}^n \cdot u_i^{n-1} \cdot u_{i+1}^{n-2} \cdots u_{i-2}. \end{aligned}$$
(1)

We revisit the JV construction (Just and Vaudenay 1996), whose original description was sketchy and the security proof was not given there. Hence, we first give a security proof for JV carefully. Based on the proof, we present our isogeny-based GKE from newly proposed assumptions. Then, as is shown in the proof of Theorem 3, if \(J_{i-1,i}\)’s are uniformly and independently distributed in \(\mathbb {G}\), the n elements \(K, u_1, \ldots , u_{i-1}, u_{i+1}, \ldots , u_n\) are also uniformly and independently distributed in \(\mathbb {G}\) for \(i \in [n]\) (and \(u_i\) is given as \(u_i = (u_1 \cdots u_{i-1} \cdot u_{i+1} \cdots u_n)^{-1}\)). It means that if \(J_{i-1,i}\)’s are distributed uniformly and independently, the target shared key K is changed to a random one just by using an information-theoretic game transformation. This is a key lemma on the BD-type encoding (Lemma 6).

However, for the SIBD protocol (Furukawa et al. 2018), since the \(J_{i-1,i}\) are given by supersingular j-invariants, there is an efficient algorithm for distinguishing between \(J_{i-1,i}\) and a uniformly random element of the finite field (see Sutherland 2012). Hence, to fix the situation, we introduce new decisional assumptions called d-DSJP and d-DSMP. For simplicity, here we just show the 2-DSJP assumption, in which a product of two j-invariants, \(J^{(1)}_{i-1,i}\) and \(J^{(2)}_{i-1,i}\), that is, \(J^{(1)}_{i-1,i} \cdot J^{(2)}_{i-1,i}\), should be indistinguishable from a uniformly random variable. At present, we have no efficient algorithm for these problems, and consider them plausible assumptions.

According to the above ideas, in Sect. 4.1, we give a JV-type generic transformation from KE to GKE based on the BD-type encoding of \((u_i)\) and K from \((J_{i-1,i})\) given in Eq. (1). We then consider the following two approaches for obtaining uniformly random \(J_{i-1,i}\)’s:

  1. Using a secure KDF\(_\mathbb {G}\) function \(\varphi \) to obtain random \(J_{i-1,i} :=\varphi (\kappa _{i-1,i})\), where the \(\kappa _{i-1,i}\)’s are shared keys of a secure two-party KE: By this approach, we obtain a new GKE from the “static” R-LWE assumption (Sect. 4.2). We also obtain new GKE protocols from the SI-DDH and CSI-DDH assumptions.

  2. Using new assumptions on supersingular invariants: By using the new DSJP and DSMP assumptions, the local outputs, \((J_{i-1,i})\) and \((M_{i-1,i})\), of the two-party key exchange can be computationally changed to random ones, and we obtain new GKE from these post-quantum assumptions (Sects. 4.3 and 4.4) without KDF\(_\mathbb {G}\).

1.4 Organization

In Sect. 2, we introduce several preliminary facts: definition of group key exchange, supersingular invariants and underlying assumptions for SIDH and CSIDH. In Sect. 3, our new assumptions on supersingular invariants are presented. In Sect. 4, we propose new PQ GKE, i.e., lattice-based and isogeny-based GKE from static assumptions.

Notations. When A is a set (resp. a random variable), \(y \,\leftarrow _R\,A\) denotes that y is uniformly generated from A (resp. randomly generated from A according to its distribution). We denote the finite field of order q by \(\mathbb {F}_q\). We denote the set \(\{ 1,\ldots , n \}\) by [n].

2 Preliminaries

2.1 Group Key Exchange

We give definitions of group key exchange, its correctness and security.

Definition 1

(Group Key Exchange (GKE)) An algorithm \(\Pi :=\Pi _{r,n}(\lambda )\) is called an \(r\)-round n-party key exchange protocol if it is composed of probabilistic polynomial-time algorithms , where \(\mathsf{Setup}\) takes a security parameter \(\lambda \) as input and outputs public parameters \(\mathsf{params}_{\Pi }\), for each user i takes all previous public variables and his/her own secrets and outputs (broadcasts) his/her public values of the \(r'\)th round, and \(\mathsf{KeyComp}\) for each user i takes all public variables and his/her own secrets and outputs the shared secret value \(K_i\).

We say that \(\Pi \) is correct if all (shared) keys \(K_1,\ldots , K_n\) are the same value, i.e., \(K :=K_1=\cdots =K_n\). The key space (or key set) is denoted by \(\mathbb {K}:=\mathbb {K}(\lambda )\), whose cardinality \(\# \mathbb {K}\) is exponentially large in \(\lambda \) (or has enough entropy).

For a GKE protocol \(\Pi \), we let \(\mathsf{Exec}_{\Pi }(\lambda )\) denote an execution of the protocol, resulting in a transcript \(\Psi \) of all messages sent during the course of that execution, along with the shared key K computed by the parties. We let \(\mathsf{Adv}_{\mathcal {A}}^{\Pi }(\lambda )\) denote the advantage of a polynomial-time quantum adversary \(\mathcal {A}\) in distinguishing between the following two distribution ensembles:

$$\begin{aligned}&\{ \ (\Psi , K) \ : \ (\Psi , K) \,\leftarrow _R\,\mathsf{Exec}_{\Pi }(\lambda ) \ \}_{\lambda \in \mathbb {N}} \ \ \ \ \mathrm {and} \\&\{ \ (\Psi , K') \ : \ (\Psi , K) \,\leftarrow _R\,\mathsf{Exec}_{\Pi }(\lambda ), \ K' \,\leftarrow _R\,\mathbb {K}\ \}_{\lambda \in \mathbb {N}}. \end{aligned}$$

Protocol \(\Pi \) is post-quantumly secure if \(\mathsf{Adv}_{\mathcal {A}}^{\Pi }(\lambda )\) is negligible in \(\lambda \) for any polynomial-time quantum \(\mathcal {A}\).

2.2 SIDH and CSIDH Key Exchange

In this section, we introduce two efficient Diffie–Hellman-type key exchange protocols using isogenies of supersingular elliptic curves: SIDH (Feo et al. 2014) and CSIDH (Castryck et al. 2018).

2.2.1 Supersingular Isogenies and Invariants

We summarize facts about elliptic curves. For details, see Washington (2008), for example.

Let p be a prime greater than 3 and \(\mathbb {F}_p\) be the finite field with p elements. Let \(\overline{\mathbb {F}}_p\) be its algebraic closure. Here, an elliptic curve E over \(\overline{\mathbb {F}}_p\) is given by the Montgomery normal form

$$\begin{aligned} E : \delta y^2=x^3+ mx^2+x \end{aligned}$$
(2)

for \(m\) and \(\delta \in \overline{\mathbb {F}}_p\), where the discriminant of the RHS of Eq. (2) and \(\delta \) are nonzero. We denote the point at infinity on E by \(O_E\). Elliptic curves are endowed with a unique algebraic group structure, with \(O_E\) as the neutral element. The j-invariant and Montgomery coefficient of E are given as \(j(E) :=\frac{256(m^2-3)^3}{m^2 - 4}, \ m(E) :=m\). Two elliptic curves over \(\overline{\mathbb {F}}_p\) are isomorphic if and only if they have the same j-invariant. For \(j \in \overline{\mathbb {F}}_p\), E(j) denotes an elliptic curve whose j-invariant is j. For \(N\in \mathbb {Z}_{> 0}\), the group of \(N\)-torsion points is \(E[N] :=\{ P \in E(\overline{\mathbb {F}}_p)\,|\, NP= O_{E} \} \).

Given two elliptic curves E and \(E^\prime \) over \(\overline{\mathbb {F}}_p\), a homomorphism \(\phi : E \rightarrow E^\prime \) is a morphism of algebraic curves that sends \(O_E\) to \(O_{E^\prime }\). A nonzero homomorphism is called an isogeny, and a separable isogeny with the cardinality \(\ell \) of the kernel is called \(\ell \)-isogeny. We consider only separable isogenies in this paper. We compute the \(\ell \)-isogeny by using Vélu’s formulas (Vélu 1971) for a small prime \(\ell = 2,3,\ldots \). For explicit formulas, see Jao et al. (2017) for SIDH and see Castryck et al. (2018) for CSIDH.

An elliptic curve E over \(\overline{\mathbb {F}}_p\) is called supersingular if there are no points of order p, i.e., \(E[p] = \{ O_E \}\). The j-invariants of supersingular elliptic curves lie in \(\mathbb {F}_{p^2}\). We define two sets as below, for SI-DDH and CSI-DDH assumptions.

(3)
$$\begin{aligned} \mathbb {M}_{p} :=\{ \mathrm {Montgomery \ coefficients \ of \ supersingular \ elliptic \ curves \ over \ } \mathbb {F}_{p} \}. \end{aligned}$$
(4)

2.2.2 SIDH Key Exchange and SI-DDH Assumption (Feo et al. 2014)

The detailed description of SIDH key exchange, i.e., \(\Pi :=\mathsf{SIDH}\), is given in Appendix 3.1. Here, we summarize necessary facts on SIDH for later sections. Public parameters are given as \(\mathsf{params}_\mathsf{SIDH} :=(p,E; P_A, Q_A, P_B, Q_B)\). All the messages during an execution are also given as transcript \(\Psi _{AB} :=(\mathsf{params}_\mathsf{SIDH}, E_A, \) \(\phi _A(P_B), \phi _A(Q_B), E_B, \phi _B(P_A), \phi _B(Q_A))\). Alice’s and Bob’s shared keys, i.e., \(K_A :=j(E_{AB})\) and \(K_B :=j(E_{BA})\), are equal, and the value is denoted by K.

Definition 2

(Supersingular Isogeny Decision Diffie–Hellman (SI-DDH) assumption Feo et al. 2014; Fujioka et al. 2018) Let \((\Psi _{AB}, j(E_{AB})) \! \,\leftarrow _R\,\! \mathsf{Exec}_\mathsf{SIDH}(\lambda )\), where \(\Psi _{AB} \! :=\left( \mathsf{params}_\mathsf{SIDH}, \right. \) \(\left. E_{A}, \phi _{A}(P_{B}), \phi _{A}(Q_{B}), E_{B}, \phi _{B}(P_{A}), \phi _{B}(Q_{A})\right) \). An SI-DDH problem instance is given as \((\Psi _{AB}, J_\beta )\), where

$$\begin{aligned} J_0 :=j(E_{AB}), \ \ \ \ \ \ \ \ \ J_1 \,\leftarrow _R\,\mathbb {J}_{p^2}, \end{aligned}$$
(5)

\(\beta \,\leftarrow _R\,\{0,1\}\), and \(\mathbb {J}_{p^2}\) is defined in Eq. (3). If \(| \, \Pr [{\mathcal {A}}(\Psi _{AB}, J_0)=1] - \Pr [{\mathcal {A}}( \Psi _{AB}, J_1)\) \(=1] \,| <\mathsf{negl}(\lambda )\) holds for any polynomial-time quantum algorithm \({\mathcal {A}}\), we say that the SI-DDH assumption holds.

Theorem 1

(Feo et al. 2014) The SIDH key exchange is post-quantumly secure under the SI-DDH assumption.

2.2.3 CSIDH Key Exchange and CSI-DDH Assumption (Castryck et al. 2018)

The detailed description of CSIDH key exchange, i.e., \(\Pi :=\mathsf{CSIDH}\), is given in Appendix 3.2. Here, we summarize necessary facts on CSIDH. Public parameters are given as \(\mathsf{params} :=(p,E)\). All the messages during an execution are also given as the transcript \(\Psi _{AB} :=(\mathsf{params}_\mathsf{CSIDH}, [\mathfrak {a}]E, [\mathfrak {b}]E)\). Alice’s and Bob’s shared keys, i.e., \(K_A :=m([\mathfrak {a}][\mathfrak {b}]E)\) and \(K_B :=m([\mathfrak {b}][\mathfrak {a}]E)\), are equal, and the value is denoted by K.

Definition 3

(Commutative Supersingular Isogeny Decisional Diffie–Hellman (CSI-DDH) assumption) Let \((\Psi _{AB}, m([\mathfrak {a}][\mathfrak {b}]E)) \,\leftarrow _R\,\mathsf{Exec}_\mathsf{CSIDH}(\lambda )\) where \(\Psi _{AB} := \left( \mathsf{params}_\mathsf{CSIDH}, [\mathfrak {a}]E, [\mathfrak {b}]E \right) \). A CSI-DDH problem instance is given as \((\Psi _{AB}, M_\beta )\), where

$$\begin{aligned} M_0 :=m([\mathfrak {a}][\mathfrak {b}]E), \ \ \ \ \ \ \ \ M_1 \,\leftarrow _R\,\mathbb {M}_{p}, \end{aligned}$$

\(\beta \,\leftarrow _R\,\{0,1\}\), and \(\mathbb {M}_{p}\) is defined in Eq. (4). If \(| \, \Pr [{\mathcal {A}}(\Psi _{AB}, M_0)=1] - \Pr [{\mathcal {A}}( \Psi _{AB}, \) \(M_1)=1] \,| <\mathsf{negl}(\lambda )\) holds for any polynomial-time quantum algorithm \({\mathcal {A}}\), we say that the CSI-DDH assumption holds.

Theorem 2

(Castryck et al. 2018) The CSIDH key exchange is post-quantumly secure under the CSI-DDH assumption.

3 New Assumptions on Supersingular Invariants

3.1 New Assumptions on Supersingular j-Invariants

Definition 4

(Decisional Supersingular j-Invariants Product (d-DSJP) Assumption) Let \(\left( \Psi ^{(\mu )}_{AB}, j\left( E^{(\mu )}_{AB}\right) \right) _{\mu \in [d]}\) be transcripts of d-time executions of SIDH with the same \(\mathsf{params}_\mathsf{SIDH}\), where \( \Psi ^{(\mu )}_{AB} :=\left( \mathsf{params}_\mathsf{SIDH}, \left( E^{(\mu )}_{A}, \phi ^{(\mu )}_{A}(P_{B}), \phi ^{(\mu )}_{A}(Q_{B}), E^{(\mu )}_{B}, \right. \right. \) \(\left. \left. \phi ^{(\mu )}_{B}(P_{A}), \phi ^{(\mu )}_{B}(Q_{A}) \right) \right) \) and \(\Psi _{AB} :=\left( \Psi ^{(\mu )}_{AB} \right) _{\mu \in [d]}\). A d-DSJP problem instance is given as \((\Psi _{AB}, J_\beta )\), where

$$\begin{aligned} \textstyle J_0 :=\prod _{\mu =1}^d j\left( E^{(\mu )}_{AB} \right) , \ \ \ \ \ \ \ \ \ J_1 \,\leftarrow _R\,\mathbb {F}_{p^2} \end{aligned}$$
(6)

and \(\beta \,\leftarrow _R\,\{0,1\}\). For any adversary \({\mathcal {B}}\), the advantage of \({\mathcal {B}}\) is defined as \(:=| \, \Pr [{\mathcal {B}}(\Psi _{AB}, J_0)=1] - \Pr [{\mathcal {B}}( \Psi _{AB}, J_1)=1] \,|\), and the d-DSJP assumption holds if is negligible in \(\lambda \) for any polynomial-time quantum adversary \({\mathcal {B}}\).

3.1.1 Progressive Weakness Among d-DSJP Assumptions

The next lemma shows that the \((d+1)\)-DSJP assumption is weaker than the d-DSJP one. In other words, a security proof from the \((d+1)\)-DSJP assumption is considered better than that from the d-DSJP one.

Lemma 1

The d-DSJP assumption is reduced to the \((d+1)\)-DSJP assumption.

For any adversary \(\mathcal {A}\), there is a probabilistic machine \(\mathcal {B}\), whose running time is essentially the same as that of \(\mathcal {A}\), such that for any security parameter \(\lambda \),

Proof

\(\mathcal {B}\) receives a d-DSJP tuple \((\Psi _{AB}, J_\beta )\), where \(\Psi _{AB}\) is defined as in Definition 4. \(J_\beta \) is \(\prod _{\mu =1}^d j\left( E^{(\mu )}_{AB}\right) \) when \(\beta =0\) or a random element in \(\mathbb {F}_{p^2}\) when \(\beta =1\). \(\mathcal {B}\) generates a new SIDH public key pair \(\left( E^{(d+1)}_{A}, \phi ^{(d+1)}_{A}(P_{B}), \phi ^{(d+1)}_{A}(Q_{B}) \right) , \left( E^{(d+1)}_{B}, \phi ^{(d+1)}_{B}\right. \) \(\left. (P_{A}), \phi ^{(d+1)}_{B}(Q_{A}) \right) \) and SIDH shared key \(j\left( E^{(d+1)}_{AB} \right) \), then constructs a new tuple \(\Psi '_{AB} :=\left( \mathsf{params}, \left( \left( E^{(\mu )}_{A}, \right. \right. \right. \) \(\left. \left. \left. \phi ^{(\mu )}_{A}(P_{B}), \phi ^{(\mu )}_{A}(Q_{B})\right) , \left( E^{(\mu )}_{B}, \phi ^{(\mu )}_{B}(P_{A}), \phi ^{(\mu )}_{B}(Q_{A}) \right) \right) _{\mu \in [d+1]}\right) \), and \(J'_\beta \) \(:=J_\beta \cdot j\left( E^{(d+1)}_{AB} \right) \). \(\mathcal {B}\) gives a \((d+1)\)-DSJP tuple \((\Psi '_{AB}, J'_\beta )\) to \(\mathcal {A}\), and outputs \(\beta '\) when \(\mathcal {A}\) outputs \(\beta '\).   \(\square \)

In fact, we show the 1-DSJP problem is efficiently solved (Lemma 2 in Sect. 3.1.2) and the 2-DSJP problem has a specific approach for solving it via modular polynomials (Sect. 3.1.3).

3.1.2 Case \(d=1\): Relation Between SI-DDH and 1-DSJP Assumptions

While the value of \(J_0\) for SI-DDH in Eq. (5) is the same as that of the 1-DSJP assumption in Eq. (6), the other \(J_1\)’s in the two assumptions are distributed in different manners. Namely, the first (resp. the second) is the uniform distribution over \(\mathbb {J}_{p^2} (\subsetneq \mathbb {F}_{p^2})\) (resp. \(\mathbb {F}_{p^2}\)). As is shown below, the difference is important.

Lemma 2

The 1-DSJP problem can be solved in (deterministic) polynomial time except with a negligible error probability.

Proof

In the 1-DSJP problem, \(J_0\) (resp. \(J_1\)) is uniformly distributed in \(\mathbb {J}_{p^2}\) (resp. \(\mathbb {F}_{p^2}\)). Therefore, by applying a supersingularity-testing algorithm, e.g., Sutherland (2012), we can solve the problem.   \(\square \)

From the above fact, the direct assumption, decisional (1, 1)-SI-PBD assumption in Definition 6 picks up the target key \(\kappa _1\) (\(\beta =1\) instance) from a uniform distribution in \(\mathbb {J}_{p^2}\) instead of \(\mathbb {F}_{p^2}\).

3.1.3 Case \(d=2\): An Approach for 2-DSJP via Modular Polynomials

Lemma 1 shows the 2-DSJP assumption is the strongest among the d-DSJP assumptions for \(d \ge 2\). In fact, we have some possible approaches for solving the problem as indicated below. But, the attack is not yet effective at present.

Here, we introduce modular polynomials \(\Phi _N(X,Y) :=\sum c_{ik} X^i Y^k\), which satisfy that \(\Phi _N(j,j')=0\) for two j-invariants j and \(j'\) such that there exists an \(N\)-isogeny between the associated elliptic curves E(j) and \(E({j'})\). From the above defining property, it holds that \(\Phi _N(X,Y)\) are symmetric polynomials w.r.t. X and Y. Hence, if we set \(S :=X+Y\) and \(T :=XY\), \(\Phi _N(X,Y)\) are given as \(\Phi _N(X,Y) = \Xi _N(S,T) :=\sum \gamma _{ik} S^i T^k\) for a two-variable polynomial \(\Xi _N\).

The output \(J_0\) of the 2-DSJP problem is given by the product of two supersingular j-invariants, i.e., \(\tau :=j\left( E^{(1)}\right) j\left( E^{(2)}\right) \). Substituting \(T :=\tau \) into \(\Xi _N(S,T)\), we obtain a one-variable polynomial equation \(\Xi _N(S,\tau ) = 0\). If \(E^{(1)}\) and \(E^{(2)}\) are \(N\)-isogenous, then \(\sigma :=j\left( E^{(1)}\right) + j\left( E^{(2)}\right) \) satisfies the equation, i.e., \(\Xi _N(\sigma ,\tau ) = 0\).

Based on this fact, we obtain a possible cryptanalysis for the 2-DSJP problem given as below. The input of the algorithm is a 2-DSJP instance \((\Psi _{AB}, J_\beta )\).

  1. Set a set of (small) integers \(\mathbb {I}:=\{ N_1, \ldots , N_t \}\).

  2. For each \(N\in \mathbb {I}\), solve the one-variable polynomial equation \(\xi _N(S) :=\Xi _N(S,J_\beta ) = 0\), and denote the set of zeros of \(\xi _N\) in \(\mathbb {F}_{p^2}\) by \({\mathcal {Z}} \subset \mathbb {F}_{p^2}\). For each \(z \in {\mathcal {Z}}\), solve the quadratic equation \(W^2 - zW + J_\beta = 0\).

     a. If the roots satisfy \(w_1 \not \in \mathbb {F}_{p^2}\) or \(w_2 \not \in \mathbb {F}_{p^2}\), quit this loop.

     b. Check whether both \(w_1\) and \(w_2\) are supersingular j-invariants. If yes, output \(\beta ' :=0\).

  3. Output \(\beta ' :=1\).

The degree of the isogeny between the curves \(E^{(1)}\) and \(E^{(2)}\) above is usually large; therefore, if the security parameter \(\lambda \) is set large, the attack is ineffective. But the above scenario shows a possible approach to this problem using a specific property of modular polynomials when \(d = 2\).

3.2 New Assumptions on Supersingular Montgomery Coefficients

Definition 5

(Decisional Supersingular Montgomery Coefficients Product (d-DSMP) Assumption) Let \(\left( \Psi ^{(\mu )}_{AB}, m\left( E^{(\mu )}_{AB} \right) \right) _{\mu \in [d]}\) be transcripts of d-time executions of CSIDH with the same \(\mathsf{params}_\mathsf{CSIDH}\), where \(\Psi ^{(\mu )}_{AB} :=\left( \mathsf{params}_\mathsf{CSIDH},\right. \left. \left( E^{(\mu )}_{A}, E^{(\mu )}_{B} \right) \right) \) and \(\Psi _{AB} :=\left( \Psi ^{(\mu )}_{AB} \right) _{\mu \in [d]}\), where \(E^{(\mu )}_{A} :=\left[ \mathfrak {a}^{(\mu )} \right] E, E^{(\mu )}_{B} :=\left[ \mathfrak {b}^{(\mu )} \right] E\) and \(E^{(\mu )}_{AB} :=\left[ \mathfrak {a}^{(\mu )} \right] \left[ \mathfrak {b}^{(\mu )} \right] E\). A d-DSMP problem instance is given as \((\Psi _{AB}, M_\beta )\), where

$$\begin{aligned} \textstyle M_0 :=\prod _{\mu =1}^d m\left( E^{(\mu )}_{AB} \right) , \ \ \ \ \ \ \ \ \ M_1 \,\leftarrow _R\,\mathbb {F}_{p}, \end{aligned}$$

and \(\beta \,\leftarrow _R\,\{0,1\}\). For any adversary \({\mathcal {B}}\), the advantage of \({\mathcal {B}}\) is defined as \(:=| \, \Pr [{\mathcal {B}}(\Psi _{AB}, M_0)=1] - \Pr [{\mathcal {B}}( \Psi _{AB}, M_1)=1] \,|\), and the d-DSMP assumption holds if is negligible in \(\lambda \) for any polynomial-time quantum adversary \({\mathcal {B}}\).

For the DSMP assumptions, we have results similar to those for DSJP. In particular, we have the following lemmas.

Lemma 3

The d-DSMP assumption is reduced to the \((d+1)\)-DSMP assumption.

Lemma 4

The 1-DSMP problem can be solved in (deterministic) polynomial time except with a negligible error probability.

4 Proposed Post-Quantum Group Key Exchange (GKE)

4.1 A Generic JV-Type Compiler for GKE from Two-Party KE (Just and Vaudenay 1996)

We describe a generic BD-type GKE compiler from a two-party KE protocol \(\Pi \); the obtained GKE protocol is denoted as \(\Pi ^\mathsf{BD}\). Such a generic compiler was first proposed by Just and Vaudenay (1996) and Boyd and Mathuria (2003), but no formal proof was given. By describing the security proof carefully, we also obtain a security proof for our proposals in Sects. 4.3 and 4.4, and we found a condition for the compiler to work correctly. The number of group members is assumed to be \(n \ge 3\). Assume that we have a two-party key exchange \(\Pi \) with shared keyspace \(\mathbb {K}\). We need a map \(\varphi : \mathbb {K}\rightarrow \mathbb {G}\) (called the \(\mathbb {G}\)-embedding map), where \(\mathbb {G}\) is a cyclic group of order q, in the BD-type Encoding (BDEnc) indicated below. We assume that \(\gcd (n,q)=1\) for the number of group members n and the cyclic group order q. (Note that we do not assume the intractability of discrete log in \(\mathbb {G}\).)

Exec-\(\Pi \).:

Each user i runs the protocol \(\Pi \) with users \(i-1\) and \(i+1\), respectively, and obtains keys \(\kappa _{i-1,i}\) and \(\kappa _{i,i+1}\).

BDEnc.:

User i sets \(J_{i-1,i} :=\varphi (\kappa _{i-1,i})\) and \(J_{i,i+1} :=\varphi (\kappa _{i,i+1})\), and broadcasts \(u_i :=J_{i,i+1} \cdot J_{i-1,i}^{-1} \in \mathbb {G}\).

KeyComp.:

User i calculates \(K_i :=J_{i-1,i}^n \cdot u_i^{n-1} \cdot u_{i+1}^{n-2} \cdots u_{i-2}\). Then, \(K :=K_i = J_{1,2} \cdot J_{2,3} \cdots J_{n,1}\) is the shared key among the n users.

The correctness is shown as the same as the original BD key exchange. The security depends on the map \(\varphi \). Below, we show that it is proven secure assuming that \(\varphi \) is a secure KDF (see Appendix 2 for its definition) and the underlying protocol \(\Pi \) is secure.

Theorem 3

The GKE protocol \(\Pi ^\mathsf{BD}\) is (post-quantumly) secure if \(\Pi \) is (post-quantumly) secure, \(\varphi \) is a (post-quantumly) secure KDF and \(\gcd (n,q)=1\) where q is the order of \(\mathbb {G}\).

For any (quantum) adversary \(\mathcal {A}\), there exist (quantum) machines \(\mathcal {B}_l\) and \(\mathcal {C}_l\), whose running times are essentially the same as that of \(\mathcal {A}\), such that \({\mathsf{Adv}}_{\mathcal {A}}^{\Pi ^\mathsf{BD}}(\lambda ) \le \sum _{l\in [2n]} \left( {\mathsf{Adv}}_{\mathcal {B}_l}^{\Pi }(\lambda ) + {\mathsf{Adv}}_{\mathcal {C}_l}^\mathsf{KDF}(\lambda ) \right) + \varepsilon (\lambda )\), where \(\varepsilon (\lambda )\) is a negligible function in \(\lambda \).

Proof

The view of \(\mathcal {A}\) consists of \((u_1,\ldots ,u_n, K)\). To prove Theorem 3, we consider the following \(2n + 2\) games. An underlined part indicates a variable that is changed in a game from the previous one.

Game 0: Original game, which is the same as the first case in Definition 1. The values of \(J_{i-1,i}, u_{i}, K\) are given as \(J_{i-1,i} :=\varphi (\kappa _{i-1,i})\),

$$\begin{aligned} u_{i} :=J_{i,i+1} \cdot J_{i-1,i}^{-1} \ \text {for} \ i \in [n], \ \ \ K :=J_{1,2} \cdot J_{2,3} \cdots J_{n-1,n} \cdot J_{n,1}, \end{aligned}$$
(7)

where \(\kappa _{i-1,i}\) is a shared key by running \(\Pi \) between users \(i-1\) and i.

Game \(l\) (\(l\in [n]\)): The \(l\)th output of \(\varphi \) is \(\underline{J_{l-1,l} \,\leftarrow _R\,\mathbb {G}}\) (for both of users \(l-1\) and \(l\)), all the other \(J_{i-1,i}\)’s for \(i \ne l\) are generated as in Game \(l-1\), and the view of \(\mathcal {A}\), i.e., \((u_1,\ldots ,u_n, K)\), are generated as in Eq. (7) from all the \(J_{i-1,i}\)’s for \(i \in [n]\).

Game \(n+1\): Same as Game n except that the shared key is \(\underline{K \,\leftarrow _R\,\mathbb {G}}\), and all the other variables are generated as in Game n. Note that K is independent of all the other variables.

Game \(n+1+l\) (\(l\in [n]\)): The \(l\)th output of \(\varphi \) is \(\underline{J_{l-1,l} :=\varphi (\kappa _{l-1,l})}\) (for both of users \(l-1\) and \(l\)), all the other \(J_{i-1,i}\)’s for \(i \ne l\) are generated as in Game \(n + l\), and \((u_1,\ldots ,u_n)\) are generated as in Eq. (7) from all the \(J_{i-1,i}\)’s for \(i \in [n]\) and \(K \,\leftarrow _R\,\mathbb {G}\). Here, note that Game \(2n+1\) is the same as the second case in Definition 1.

Let \(\mathsf{Adv}_\mathcal {A}^{(l)}(\lambda )\) be the advantage of \({\mathcal {A}}\) in Game \(l\).

We will show three lemmas (Lemmas 5–7) that evaluate the gaps between pairs of the advantages in Game 0, \(\ldots \), Game \(2n+1\). From these lemmas, we obtain \(\mathsf{Adv}^{\Pi ^\mathsf{BD}}_{\mathcal {A}}(\lambda ) \le \sum _{l\in [2n+1]} \left| \mathsf{Adv}_\mathcal {A}^{(l-1)}(\lambda ) - \mathsf{Adv}_\mathcal {A}^{(l)}(\lambda ) \right| \le \sum _{l\in [2n]} \left( {\mathsf{Adv}}_{\mathcal {B}_l}^{\Pi }(\lambda ) + {\mathsf{Adv}}_{\mathcal {C}_l}^\mathsf{KDF}(\lambda ) \right) \) \(+ \varepsilon (\lambda )\), where \(\varepsilon (\lambda ) :=\sum _{l\in [2n]} \varepsilon _l(\lambda )\) is a negligible function. This completes the proof of Theorem 3.   \(\square \)

Lemma 5

For any (quantum) adversary \(\mathcal {A}\), there exist (quantum) machines \(\mathcal {B}_l\) and \(\mathcal {C}_l\), whose running times are essentially the same as that of \(\mathcal {A}\), such that \( |\mathsf{Adv}_\mathcal {A}^{(l-1)}(\lambda ) - \mathsf{Adv}_\mathcal {A}^{(l)}(\lambda ) | \le \mathsf{Adv}_{\mathcal {B}_l}^{\Pi }(\lambda ) + \mathsf{Adv}_{\mathcal {C}_l}^\mathsf{KDF}(\lambda ) + \varepsilon _l(\lambda ) \) for \(l\in [n]\), where \(\varepsilon _l(\lambda )\) are negligible functions.

Proof

For the proof, we define an intermediate game, Game \(l-1/2\), between Games \(l-1\) and \(l\). In Game \(l-1/2\), \(\underline{\kappa _{l-1,l} \,\leftarrow _R\,\mathbb {K}}\) and \(J_{l-1,l} :=\varphi (\kappa _{l-1,l})\), and the rest of the variables are all generated in the same manner as in Game \(l-1\).

By the definition of two-party KE, the difference of the advantages of Games \(l-1\) and \(l-1/2\) is bounded by the advantage against the KE protocol \(\Pi \), i.e., \(\mathsf{Adv}_{\mathcal {B}_l}^{\Pi }(\lambda )\) (except with negligible probability). Since the keyspace \(\mathbb {K}\) has enough entropy, by the definition of KDF, the difference of the advantages of Games \(l-1/2\) and \(l\) is bounded by the advantage against \(\mathsf{KDF}\), i.e., \(\mathsf{Adv}_{\mathcal {C}_l}^\mathsf{KDF}(\lambda )\) (except with negligible probability). This completes the proof of Lemma 5.   \(\square \)

Lemma 6

(\(\mathsf{BDEnc}\) Information-Theoretic Security) For any (quantum) adversary \(\mathcal {A}\), for any security parameter \(\lambda \), \(\mathsf{Adv}_\mathcal {A}^{(n+1)}(\lambda ) = \mathsf{Adv}_\mathcal {A}^{(n)}(\lambda )\).

Proof

In Game n every \(J_{i-1,i}\) is uniform in \(\mathbb {G}\), so we can write \(J_{i-1,i} :=g^{\alpha _{i-1}}\) for \(i \in [n]\), where \(g \in \mathbb {G}\) is a generator and \(\alpha _i \,\leftarrow _R\,\mathbb {Z}/q \mathbb {Z}\) (which are independent from each other). Then, \(u_i :=J_{i,i+1} \cdot J_{i-1,i}^{-1} = g^{\alpha _{i} - \alpha _{i-1}}\). First, we see that the n elements \(( \ \alpha _1, \ \alpha _2 - \alpha _1, \ \alpha _3 - \alpha _2, \ldots , \alpha _n - \alpha _{n-1} \ )\) are uniformly and independently distributed, since the map \((\alpha _1,\ldots ,\alpha _n) \mapsto (\alpha _1, \alpha _2 - \alpha _1, \ldots , \alpha _n - \alpha _{n-1})\) is a bijection of \((\mathbb {Z}/q\mathbb {Z})^n\). Since \(\alpha _1 + \cdots + \alpha _n = n \alpha _1 + (n-1) (\alpha _2 - \alpha _1) + (n-2) (\alpha _3 - \alpha _2) + \cdots + (\alpha _n - \alpha _{n-1})\) and n mod q has an inverse element (from the assumption \(\gcd (n,q)=1\)), the n elements \( ( \ \alpha _1 + \cdots + \alpha _n, \ \alpha _2 - \alpha _1, \ \alpha _3 - \alpha _2, \ldots , \alpha _n - \alpha _{n-1} \ ) \) are also uniformly and independently distributed. Since \(K = g^{\alpha _1 + \cdots + \alpha _n}\), while the \(u_i\) are determined by the differences \(\alpha _i - \alpha _{i-1}\) alone and the Round-1 values \(h_i\) are generated independently of the \(\alpha _i\) in Game n, K is independent of all the other variables, i.e., the \(h_i\) and \(u_i\). This completes the proof of Lemma 6.   \(\square \)

Lemma 7

For any (quantum) adversary \(\mathcal {A}\), there exist (quantum) machines \(\mathcal {B}_{n+l}\) and \(\mathcal {C}_{n+l}\), whose running times are essentially the same as that of \(\mathcal {A}\), such that for any security parameter \(\lambda \), \( |\mathsf{Adv}_\mathcal {A}^{(n+l)}(\lambda ) - \mathsf{Adv}_\mathcal {A}^{(n+l+1)}(\lambda ) | \le \mathsf{Adv}_{\mathcal {B}_{n+l}}^{\Pi }(\lambda ) + \mathsf{Adv}_{\mathcal {C}_{n+l}}^\mathsf{KDF}(\lambda ) + \varepsilon _{n+l}(\lambda ) \) for \(l\in [n]\), where \(\varepsilon _{n+l}(\lambda )\) are negligible functions.

Lemma 7 is proven in a similar manner to Lemma 5.

4.2 Constant-Round GKE from Static Standard Assumptions

We instantiate the above generic GKE with the two-party ring LWE key exchange \(\Pi \) underlying Apon et al.’s GKE (Apon et al. 2019) and a SHA-2 (or SHA-3) based KDF \(\varphi \) whose range is \(\mathbb {G}:=\mathbb {F}^*\) for some finite field \(\mathbb {F}\). Therefore, we have the following corollary.

Corollary 1

There exists a post-quantum constant-round GKE from two-party KE \(\Pi \) in Apon et al. (2019) and some standard KDF function \(\varphi \) under the static ring LWE assumption.

Apon et al.’s original GKE is based on a “non-static” or “dynamic” R-LWE assumption: the noise size depends on the number of group members n, so the parameters, and hence the scheme itself, grow with n.

Corollary 2

There exists a post-quantum constant-round GKE from two-party KE SIDH (resp. CSIDH) and some standard KDF function \(\varphi \) under the SI-DDH (resp. CSI-DDH) assumption.

4.3 Two-Round Product-BD (PBD) GKE from d-DSJP Assumption

We modify the SIBD Group Key Exchange proposed in Furukawa et al. (2018) to a provably secure one, called the Supersingular Isogeny Product-BD (\((n,d)\)-SI-PBD) protocol for n parties. In other words, our general \((n,d)\)-SI-PBD protocol is obtained via our generic compiler (in Sect. 4.1) from the two-party \((2, d)\)-SI-PBD protocol, where the \(\mathbb {G}\)-embedding map \(\varphi \) is given by the identity map \(\varphi :=\mathsf{id}_{\mathbb {G}}: \mathbb {G}\rightarrow \mathbb {G}\).

4.3.1 Construction

We consider n-party key exchange. Each user is indexed by \(1, 2, \dots , n\), where n is supposed to be even for simplicity. Note that we can easily obtain the protocol for odd n. The user indices are taken in a cycle: so \(R_{n+1}:=R_1\) and \(R_0:=R_n\). We introduce the map \(\iota (i):= i \bmod 2\) and we will simply write \(\iota \) instead of writing \(\iota (i)\).  

Setup.:

Takes a security parameter \(\lambda \) and the number of users n. The algorithm outputs \(\mathsf{params}_\mathsf{SIDH} := (p(=f \ell _0^{e_0} \ell _1^{e_1} \pm 1), E, \{P_{0},Q_{0}\}, \{P_{1},Q_{1}\})\) for SIDH.

Round-1.:

Takes the user index i and \(\mathsf{params}_\mathsf{SIDH}\) as input. For each \(\mu \in [d]\), user i randomly chooses \(k^{(\mu )}_{i}\in \mathbb {Z}/\ell ^{e_{\iota }}_{\iota }\mathbb {Z}\) and computes \(R^{(\mu )}_{i}:=P_{\iota }+k^{(\mu )}_{i}Q_{\iota }\). User i then computes the isogeny \(\phi ^{(\mu )}_{i}\) and elliptic curve \(E^{(\mu )}_{i} :=E/\langle R^{(\mu )}_{i} \rangle \) such that \(\phi ^{(\mu )}_{i}: E \rightarrow E^{(\mu )}_{i}\), where \(\ker (\phi ^{(\mu )}_{i}){=}\langle R^{(\mu )}_{i} \rangle \). User i then sets \(\mathsf{pk}^{1}_{i}{=}\left( E^{(\mu )}_{i}, \phi ^{(\mu )}_{i}(P_{1-\iota }), \phi ^{(\mu )}_{i}(Q_{1-\iota }) \right) _{\mu \in [d]}\) and \(\mathsf{sk}^{1}_{i} :=\left( k^{(\mu )}_{i} \right) _{\mu \in [d]}\). Finally, user i broadcasts \(\mathsf{pk}^{1}_{i}\) to the other users.

Round-2.:

Takes the user index \(i, \mathsf{params}_\mathsf{SIDH}, \left( \mathsf{pk}^{1}_{i-1}, \mathsf{pk}^{1}_{i+1}\right) \), and \(\mathsf{sk}^{1}_{i}\). User i executes SIDH key exchange with users \(i-1\) and \(i+1\) to obtain elliptic curves \(E^{(\mu )}_{i-1,i}\) and \(E^{(\mu )}_{i,i+1}\), respectively, and then computes

$$\begin{aligned} \textstyle J_{i-1,i} :=\prod _{\mu =1}^d j\left( E^{(\mu )}_{i-1,i} \right) \ \text { and } \ J_{i,i+1} :=\prod _{\mu =1}^d j \left( E^{(\mu )}_{i,i+1} \right) . \end{aligned}$$

The user then computes \(u_{i} :=J_{i,i+1} \cdot J_{i-1,i}^{-1}\) and sets \(\mathsf{pk}^{2}_{i} :=u_{i}\). Finally, user i broadcasts \(\mathsf{pk}^{2}_{i}\) to the other users.

KeyComp.:

User i collects \(\left( \mathsf{pk}^{2}_{i'} \right) _{i' \in [n]}\) and \(\mathsf{sk}^{1}_{i}\) and computes \( K_{i} :=J_{i-1,i}^{n} \cdot u^{n-1}_{i}\cdot u^{n-2}_{i+1}\cdot \cdots \cdot u_{i-3}^2 \cdot u_{i-2}. \)

We can easily verify that \(K_{i} = J_{1,2} \cdot J_{2,3} \cdots J_{n-1,n} \cdot J_{n,1}\) holds for any i: substituting \(u_{i+k} = J_{i+k,i+k+1} \cdot J_{i+k-1,i+k}^{-1}\), the exponent of \(J_{i+k-1,i+k}\) in \(K_i\) telescopes to \((n-k) - (n-k-1) = 1\) for every \(k \in \{0, \ldots , n-1\}\).
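The following Python script is an added illustration of the two-round PBD structure above (and of the CSI-PBD variant in Sect. 4.4, which differs only in the group); it is not part of the paper. It works over the toy group \(\mathbb {G}:=\mathbb {F}_p^*\) with \(p = 10009\) (so \(|\mathbb {G}| = p-1 = 10008 = 2^3 \cdot 3^2 \cdot 139\)) and replaces SIDH/CSIDH by a classical Diffie–Hellman exchange in \(\mathbb {F}_p^*\) with base 2; these choices are assumptions of the example made so that it runs offline, no isogeny is computed, and the stand-in two-party KE is not post-quantum. The script verifies that every user's KeyComp output equals \(\prod _{i} J_{i-1,i}\), and then shows why Lemma 6 and Theorems 4 and 5 require \(\gcd (n,|\mathbb {G}|)=1\): user 1's KeyComp formula gives \(K \cdot (u_1^{n-1} u_2^{n-2} \cdots u_{n-1})^{-1} = J_{n,1}^{\,n}\), an n-th power in \(\mathbb {G}\) obtained from public values alone. When \(d :=\gcd (n,p-1) > 1\), a uniformly random \(\kappa _1\) passes the n-th-power test \(T^{(p-1)/d} = 1\) only with probability \(1/d\), so the test distinguishes \(\kappa _0\) from \(\kappa _1\) with advantage \(1 - 1/d\); the script confirms this by counting that exactly \((p-1)/d\) candidate keys are accepted for \(n=3\), whereas for \(n=5\) (coprime to \(p-1\)) every element is an n-th power and the test is vacuous.

```python
# Added example, not from the paper: the two-round PBD structure of Sects. 4.3.1/4.4
# over the toy group G = F_p^*, with classical Diffie-Hellman in F_p^* standing in
# for the SIDH/CSIDH two-party KE (assumption; not post-quantum, no isogeny is used).
from math import gcd
import random

P = 10009   # toy prime; |G| = p - 1 = 10008 = 2^3 * 3^2 * 139 (assumption of this example)
BASE = 2    # base of the stand-in two-party KE (assumption; any element of F_p^* will do)


def round1(n, rng, p=P):
    """Round-1: user i draws a secret x_i and broadcasts pk_i = BASE^{x_i} mod p."""
    sk = [rng.randrange(1, p - 1) for _ in range(n)]
    pk = [pow(BASE, x, p) for x in sk]
    return sk, pk


def two_party(x_i, pk_j, p=P):
    """Stand-in two-party KE output shared by users i and j: pk_j^{x_i} = BASE^{x_i x_j}.
    It plays the role of the j-invariant (resp. Montgomery-coefficient) product J_{i,j}."""
    return pow(pk_j, x_i, p)


def round2(i, sk, pk, p=P):
    """Round-2 for user i: J_{i-1,i} and J_{i,i+1} with the two neighbours (indices mod n),
    then u_i := J_{i,i+1} * J_{i-1,i}^{-1}.  Returns (J_{i-1,i}, J_{i,i+1}, u_i)."""
    n = len(pk)
    j_prev = two_party(sk[i], pk[(i - 1) % n], p)
    j_next = two_party(sk[i], pk[(i + 1) % n], p)
    return j_prev, j_next, j_next * pow(j_prev, -1, p) % p


def keycomp(i, j_prev, u, p=P):
    """KeyComp for user i: J_{i-1,i}^n * u_i^{n-1} * u_{i+1}^{n-2} * ... * u_{i-2}^1.
    The exponents telescope: every J_{k-1,k} ends up with exponent exactly 1."""
    n = len(u)
    key = pow(j_prev, n, p)
    for k in range(n - 1):
        key = key * pow(u[(i + k) % n], n - 1 - k, p) % p
    return key


def run_protocol(n, seed=1, p=P):
    """Runs all rounds for n users (0-indexed).  Returns (u, keys, prod_j) where keys[i]
    is user i's K_i and prod_j = prod_i J_{i-1,i} is the value every user should obtain."""
    rng = random.Random(seed)
    sk, pk = round1(n, rng, p)
    r2 = [round2(i, sk, pk, p) for i in range(n)]
    u = [t[2] for t in r2]
    keys = [keycomp(i, r2[i][0], u, p) for i in range(n)]
    prod_j = 1
    for _, j_next, _ in r2:
        prod_j = prod_j * j_next % p
    return u, keys, prod_j


def all_keys_agree(n, seed=1, p=P):
    """True iff K_1 = ... = K_n = prod_i J_{i-1,i}, the claim made after KeyComp."""
    _, keys, prod_j = run_protocol(n, seed, p)
    return all(k == prod_j for k in keys)


def nth_power_test(n, u, kappa, p=P):
    """Public-value check behind the gcd(n, |G|) = 1 condition of Lemma 6 / Theorems 4, 5.
    From user 0's KeyComp, kappa * (u_0^{n-1} u_1^{n-2} ... u_{n-2})^{-1} equals
    J_{n-1,0}^n for the real key, i.e. an n-th power in G.  With d = gcd(n, p-1) the
    n-th powers form the subgroup of order (p-1)/d, so t^((p-1)/d) == 1 always holds
    for the real key but only with probability 1/d for a random kappa.  For d = 1 every
    element is an n-th power and the test accepts everything (no information)."""
    d = gcd(n, p - 1)
    c = 1
    for k in range(n - 1):
        c = c * pow(u[k], n - 1 - k, p) % p
    t = kappa * pow(c, -1, p) % p
    return pow(t, (p - 1) // d, p) == 1


def count_accepted(n, u, p=P):
    """Number of kappa in F_p^* accepted by nth_power_test: exactly (p-1)/gcd(n, p-1),
    because kappa -> kappa * c^{-1} is a bijection of F_p^*."""
    return sum(nth_power_test(n, u, kappa, p) for kappa in range(1, p))


if __name__ == "__main__":
    for n in (3, 5):
        u, keys, _ = run_protocol(n)
        d = gcd(n, P - 1)
        print(f"n={n}: keys agree={all_keys_agree(n)}, gcd(n,p-1)={d}, "
              f"real key accepted={nth_power_test(n, u, keys[0])}, "
              f"accepted candidates={count_accepted(n, u)} of {P - 1}")
```

The loop in `count_accepted` enumerates all of \(\mathbb {F}_p^*\), so the accepted count is exact rather than an estimate: \(3336 = 10008/3\) for \(n = 3\) and all \(10008\) elements for \(n = 5\). In the real protocols the same check is available to anyone who sees the broadcast \(u_i\), which is exactly what the \(\gcd (n, p^2-1)=1\) (resp. \(\gcd (n, p-1)=1\)) hypothesis rules out.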

4.3.2 Warm-Up: Security from a Nonstatic Assumption

We rephrase security of the \((n,d)\)-SI-PBD protocol based on Definition 1 as a form of the following assumption (see Lemma 8).

Definition 6

(Decisional SI-PBD (\((n,d)\)-SI-PBD) Assumption) Let , where \(J_{i-1,i} :=\prod _{\mu =1}^d j \left( E^{(\mu )}_{i-1,i} \right) , J_{i,i+1} :=\prod _{\mu =1}^d j \left( E^{(\mu )}_{i,i+1} \right) \), \(u_i :=J_{i,i+1} \cdot J_{i-1,i}^{-1}\), \(\Psi _{n,d} :=\left( \mathsf{params}_\mathsf{SIDH}, \left( \left( E^{(\mu )}_{i}, \phi ^{(\mu )}_{i}\left( P_{1-\iota } \right) , \phi ^{(\mu )}_{i}\left( Q_{1-\iota } \right) \right) , u_i \right) _{i \in [n], \mu \in [d]} \right) \), and \(K :=\prod _{i=1}^n J_{i,i+1}\). An \((n,d)\)-SI-PBD problem instance is given as \((\Psi _{n,d}, \kappa _\beta )\), where

$$\begin{aligned} \kappa _0 :=K, \ \ \ \ \ \ \ \ \kappa _1 \,\leftarrow _R\,\mathbb {F}_{p^2}, \end{aligned}$$

and \(\beta \,\leftarrow _R\,\{0,1\}\). For any quantum algorithm \({\mathcal {B}}\), the advantage of \({\mathcal {B}}\) is defined as , and the \((n,d)\)-SI-PBD assumption holds if is negligible in \(\lambda \) for any polynomial-time quantum adversary \({\mathcal {B}}\).

Remark 1

We have better security proofs when \(d \ge 2\) for the \((n,d)\)-SI-PBD GKE (Theorem 4). However, for the \(d=1\) case the above gives the only security proof available, and it is based on a nonstatic assumption. Note that since \(n \ge 3\) and the key K is an n-fold product of j-invariants, no efficient algorithm distinguishing \(\kappa _0\) from \(\kappa _1\) is known.

Lemma 8

The \((n,d)\)-SI-PBD key exchange among n parties is post-quantumly secure under the \((n,d)\)-SI-PBD assumption.

Proof

Lemma 8 is trivially obtained from Definitions 1 and 6.   \(\square \)

If the \((n,d)\)-SI-PBD problem is hard for quantum algorithms, then the SI-PBD key exchange among n parties is also quantum resistant. Therefore, we investigate the post-quantum security of the \((n,d)\)-SI-PBD assumption in the next subsection.

Moreover, as is shown in Lemma 1 for the d-DSJP assumptions, the family of \((n,d)\)-SI-PBD assumptions also has natural sequential reductions among them.

Lemma 9

The \((n,d)\)-SI-PBD assumption is reduced to the \((n,d+1)\)-SI-PBD assumption.

For any adversary \(\mathcal {A}\), there is a (quantum) machine \(\mathcal {B}\), whose running time is essentially the same as that of \(\mathcal {A}\), such that for any security parameter \(\lambda \), .

Proof

The proof of Lemma 9 is similarly given to that of Lemma 1.   \(\square \)

Lemma 9 shows that the \((n,d+1)\)-SI-PBD group key exchange is at least as secure as the \((n,d)\)-SI-PBD one, while the former is less efficient than the latter in terms of data sizes and execution times.

4.3.3 Security from d-DSJP Assumption for \(d \ge 2\)

Theorem 4

The \((n,d)\)-SI-PBD key exchange among n parties is post-quantumly secure under the d-DSJP assumption when \(d \ge 2\) and \(\gcd (n,p^2-1)=1\). (Note that \(p^2-1\) is the order of the cyclic group \(\mathbb {G}:=\mathbb {F}_{p^2}^*\).)

For any quantum adversary \(\mathcal {A}\), there exist quantum machines \(\mathcal {B}_l\), whose running times are essentially the same as that of \(\mathcal {A}\), such that when \(d \ge 2\).

Proof

The view of \(\mathcal {A}\) consists of \((u_1,\ldots ,u_n, K)\) together with the Round-1 public keys contained in \(\Psi _{n,d}\). To prove Theorem 4, we consider the following \(2n + 2\) games, Game 0 to Game \(2n+1\). An underlined part indicates a variable that is changed in a game from the previous one.

Game 0: Original game. That is, the values of \(J_{i-1,i}, u_{i}, K\) are given as \(J_{i-1,i} :=\prod _{\mu =1}^d j\left( E^{(\mu )}_{i-1,i} \right) \),

$$\begin{aligned} u_{i} :=J_{i,i+1} \cdot J_{i-1,i}^{-1} \ \text {for} \ i \in [n], \ \ \ K :=J_{1,2} \cdot J_{2,3} \cdots J_{n-1,n} \cdot J_{n,1}. \end{aligned}$$
(8)

Game \(l\) (\(l\in [n]\)): The \(l\)th output of \(\varphi \) is: \(\underline{J_{l-1,l} \,\leftarrow _R\,\mathbb {F}_{p^2}}\) (for both of users \(l-1\) and \(l\)), all the other \(J_{i-1,i}\)’s for \(i \ne l\) are generated as in Game \(l-1\), and the view of \(\mathcal {A}\), i.e., \((u_1,\ldots ,u_n, K)\), are generated as in Eq. (8) from all the \(J_{i-1,i}\)’s for \(i \in [n]\).

Game \(n+1\): Same as Game n except that the shared key is \(\underline{K \,\leftarrow _R\,\mathbb {F}_{p^2}}\), and all the other variables are generated as in Game n. Note that K is independent of all the other variables.

Game \(n+1+l\) (\(l\in [n]\)): The \(l\)th output of \(\varphi \) is: \(\underline{J_{l-1,l} :=\prod _{\mu =1}^d j\left( E^{(\mu )}_{l-1,l}\right) }\) (for both of users \(l-1\) and \(l\)), all the other \(J_{i-1,i}\)’s for \(i \ne l\) are generated as in Game \(n + l\), \((u_1,\ldots ,u_n)\), are generated as in Eq. (8) from all the \(J_{i-1,i}\)’s for \(i \in [n]\) and \(K \,\leftarrow _R\,\mathbb {F}_{p^2}\). Here, note that Game \(2n+1\) is the same as the \(\beta =1\) case in Definition 6.

Let \(\mathsf{Adv}_\mathcal {A}^{(l)}(\lambda )\) be the advantage of \({\mathcal {A}}\) in Game \(l\) (\(l = 0, \ldots , 2n+1\)).

We will show three lemmas (Lemmas 10–12) that evaluate the gaps between pairs of the advantages in Game 0, \(\ldots \), Game \(2n+1\). From these lemmas, we obtain . This completes the proof of Theorem 4.   \(\square \)

Lemma 10

For any quantum adversary \(\mathcal {A}\), there exists a quantum machine \(\mathcal {B}_l\), whose running time is essentially the same as that of \(\mathcal {A}\), such that for any security parameter \(\lambda \), for \(l\in [n]\).

Proof

\(\mathcal {B}\) is given a d-DSJP instance \((\Psi _{AB}, J_\beta )\), where

\(\Psi _{AB} :=\left( \mathsf{params}, \left( \left( E^{(\mu )}_{A}, \phi ^{(\mu )}_{A}(P_{B}), \phi ^{(\mu )}_{A}(Q_{B})\right) , \left( E^{(\mu )}_{B}, \phi ^{(\mu )}_{B}(P_{A}),\phi ^{(\mu )}_{B}(Q_{A})\right) \right) _{\mu \in [d]} \right) \).

\(\mathcal {B}\) (implicitly) sets user \(l-1\) as A and user \(l\) as B, and sets their public keys as \( \left( E^{(\mu )}_{l-1}, \phi ^{(\mu )}_{l-1}(P_\iota ), \phi ^{(\mu )}_{l-1}(Q_\iota ) \right) _{\mu \in [d]} :=\left( E^{(\mu )}_{A}, \phi ^{(\mu )}_{A}(P_{B}), \phi ^{(\mu )}_{A}(Q_{B}) \right) _{\mu \in [d]} \) and \( \left( E^{(\mu )}_{l}, \phi ^{(\mu )}_{l}(P_{1-\iota }), \phi ^{(\mu )}_{l}(Q_{1-\iota }) \right) _{\mu \in [d]} :=\left( E^{(\mu )}_{B}, \phi ^{(\mu )}_{B}(P_{A}),\phi ^{(\mu )}_{B}(Q_{A}) \right) _{\mu \in [d]}, \) respectively, where \(\iota :=\iota (l)\) (so that \(\iota (l-1) = 1-\iota \), matching Round-1).

\(\mathcal {B}\) generates randomly \(J_{i-1,i} \,\leftarrow _R\,\mathbb {F}_{p^2}\) for \(i < l\), and sets the \(l\)th j-invariant product as \(J_{l-1,l} :=J_{\beta }\). \(\mathcal {B}\) generates secret keys \(k^{(\mu )}_i \,\leftarrow _R\,\mathbb {Z}/\ell ^{e_{\tau }}_{\tau }\mathbb {Z}\) for all \(i \in [n] \setminus \{ l-1,l\}\) and \(\mu \in [d]\), where \(\tau :=i \bmod 2\), and then the corresponding public keys \(\left( E^{(\mu )}_i, \phi ^{(\mu )}_i(P_{1-\tau }), \phi ^{(\mu )}_i(Q_{1-\tau })\right) _{\mu \in [d]}\) as in Round-1. Since \(\mathcal {B}\) has the secret keys of all users except \(l-1\) and \(l\), and \(i \notin \{l-1,l\}\) for every \(i > l\), \(\mathcal {B}\) can compute all the correct j-invariant products \(J_{i-1,i}\) for \(i > l\) from \(k^{(\mu )}_i\) and the public key of user \(i-1\).

Using \(J_{i-1,i}\) for \(i \in [n]\) as defined above, \(\mathcal {B}\) computes \(u_i :=J_{i,i+1} \cdot J_{i-1,i}^{-1}\) and \(K :=\prod _{i \in [n]} J_{i-1,i}\), and then sends \(\mathcal {A}\) the public keys, \((u_i)_{i \in [n]}\), and the challenge value K.

If \(\mathcal {A}\) outputs \(\beta '\), then \(\mathcal {B}\) also outputs \(\beta '\). We easily see that the distribution generated by \(\mathcal {B}\) is that of Game \(l-1\) when \(\beta =0\) and that of Game \(l\) when \(\beta =1\).

This completes the proof of Lemma 10.   \(\square \)

Lemma 11

For any (quantum) adversary \(\mathcal {A}\), for any security parameter \(\lambda \),

\(\mathsf{Adv}_\mathcal {A}^{(n+1)}(\lambda ) = \mathsf{Adv}_\mathcal {A}^{(n)}(\lambda )\).

Proof

The proof of Lemma 11 is the same as that of Lemma 6 (\(\mathsf{BDEnc}\) Information Theoretic Security Lemma).   \(\square \)

Lemma 12

For any quantum adversary \(\mathcal {A}\), there exists a quantum machine \(\mathcal {B}:=\mathcal {B}_{n+l}\), whose running time is essentially the same as that of \(\mathcal {A}\), such that for any security parameter \(\lambda \), for \(l\in [n]\).

Lemma 12 is proven in a similar manner to Lemma 10.

4.4 Two-Round PBD GKE from d-DSMP Assumption

 

Setup.:

Takes a security parameter \(\lambda \) and the number of users n. The algorithm outputs \(\mathsf{params}_\mathsf{CSIDH} :=(p (=4 \cdot \ell _1 \cdots \ell _s - 1), E)\).

Round-1.:

Takes the user index i and \(\mathsf{params}_\mathsf{CSIDH}\) as input. For each \(\mu \in [d]\), user i randomly chooses an exponent vector \(\mathbf {e}_i^{(\mu )} :=\left( e^{(\mu )}_{i,1},\ldots ,e^{(\mu )}_{i,s} \right) \) and defines \(\left[ \mathfrak {a}_i^{(\mu )} \right] :=\left[ \mathfrak {l}_1^{e^{(\mu )}_{i,1}} \cdots \mathfrak {l}_s^{e^{(\mu )}_{i,s}} \right] \). User i then computes the elliptic curve \(E_i^{(\mu )} :=\left[ \mathfrak {a}_i^{(\mu )} \right] E\) and sets \(\mathsf{pk}^{1}_{i} :=\left( E_i^{(\mu )} \right) _{\mu \in [d]} =\left( \left[ \mathfrak {a}_i^{(\mu )}\right] E\right) _{\mu \in [d]}\) and \(\mathsf{sk}^{1}_{i} :=\left( \mathbf {e}_i^{(\mu )} \right) _{\mu \in [d]}\). Finally, user i broadcasts \(\mathsf{pk}^{1}_{i}\) to the other users.

Round-2.:

Takes the user index \(i, \mathsf{params}_\mathsf{CSIDH}, \left( \mathsf{pk}^{1}_{i-1}, \mathsf{pk}^{1}_{i+1} \right) \), and \(\mathsf{sk}^{1}_{i}\). User i executes CSIDH key exchange with users \(i-1\) and \(i+1\) to obtain elliptic curves \(E^{(\mu )}_{i-1,i}\) and \(E^{(\mu )}_{i,i+1}\), respectively, and then computes

$$\begin{aligned} \textstyle M_{i-1,i} :=\prod _{\mu =1}^d m\left( E^{(\mu )}_{i-1,i} \right) \ \text { and } \ M_{i,i+1} :=\prod _{\mu =1}^d m\left( E^{(\mu )}_{i,i+1} \right) . \end{aligned}$$

The user then computes \(u_{i} :=M_{i,i+1} \cdot M_{i-1,i}^{-1}\) and sets \(\mathsf{pk}^{2}_{i} :=u_{i}\). Finally, user i broadcasts \(\mathsf{pk}^{2}_{i}\) to the other users.

KeyComp.:

User i collects \(\left( \mathsf{pk}^{2}_{i'} \right) _{i' \in [n]}\) and \(\mathsf{sk}^{1}_{i}\) and computes \(K_{i} :=M_{i-1,i}^{n} \cdot u^{n-1}_{i}\cdot u^{n-2}_{i+1}\cdot \cdots \cdot u_{i-3}^2 \cdot u_{i-2}\).

We can easily verify that \(K_{i} = M_{1,2} \cdot M_{2,3} \cdots M_{n-1,n} \cdot M_{n,1}\) holds for any i, by the same telescoping of exponents as in the SI-PBD case. We have the following lemma and theorem as in the case of the SI-PBD key exchange. The \((n,d)\)-CSI-PBD assumption is defined in Definition 7 in Appendix 4.

Lemma 13

The \((n,d)\)-CSI-PBD key exchange among n parties is secure under the \((n,d)\)-CSI-PBD assumption.

Theorem 5

The \((n,d)\)-CSI-PBD key exchange among n parties is post-quantumly secure under the d-DSMP assumption when \(d \ge 2\) and \(\gcd (n,p-1)=1\). (Note that \(p-1\) is the order of the cyclic group \(\mathbb {G}:=\mathbb {F}_{p}^*\).)

For any quantum adversary \(\mathcal {A}\), there exist quantum machines \(\mathcal {B}_i\), whose running times are essentially the same as that of \(\mathcal {A}\), such that for any security parameter \(\lambda \), .