Strongly Secure Authenticated Key Exchange from Supersingular Isogenies

  • Xiu Xu
  • Haiyang XueEmail author
  • Kunpeng Wang
  • Man Ho Au
  • Song Tian
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11921)


This paper aims to address the open problem, namely, to find new techniques to design and prove security of supersingular isogeny-based authenticated key exchange (AKE) protocols against the widest possible adversarial attacks, raised by Galbraith in 2018. Concretely, we present two AKEs based on a double-key PKE in the supersingular isogeny setting secure in the sense of CK\(^+\), one of the strongest security models for AKE. Our contributions are summarised as follows. Firstly, we propose a strong OW-CPA secure PKE, \(\mathsf {2PKE_{sidh}}\), based on SI-DDH assumption. By applying modified Fujisaki-Okamoto transformation, we obtain a [OW-CCA, OW-CPA] secure KEM, \(\mathsf {2KEM_{sidh}}\). Secondly, we propose a two-pass AKE, \(\mathsf {SIAKE}_2\), based on SI-DDH assumption, using \(\mathsf {2KEM_{sidh}}\) as a building block. Thirdly, we present a modified version of \(\mathsf {2KEM_{sidh}}\) that is secure against leakage under the 1-Oracle SI-DH assumption. Using the modified \(\mathsf {2KEM_{sidh}}\) as a building block, we then propose a three-pass AKE, \(\mathsf {SIAKE}_3\), based on 1-Oracle SI-DH assumption. Finally, we prove that both \(\mathsf {SIAKE}_2\) and \(\mathsf {SIAKE}_3\) are CK\(^+\) secure in the random oracle model and supports arbitrary registration. We also provide an implementation to illustrate the efficiency of our schemes. Our schemes compare favourably against existing isogeny-based AKEs. To the best of our knowledge, they are the first of its kind to offer security against arbitrary registration, wPFS, KCI, and MEX simultaneously. Regarding efficiency, our schemes outperform existing schemes in terms of bandwidth as well as CPU cycle count.


Authenticated key exchange Key encapsulation mechanism Supersingular elliptic curve isogeny Post quantum 



Haiyang Xue is supported by the National Natural Science Foundation of China (No. 61602473, No. 61672019), and the National Cryptography Development Fund MMJJ20170116. Xiu Xu is supported by the National Natural Science Foundation of China (No.61872442). Man Ho Au is supported by the Research Grant Council of Hong Kong (Grant No. 25206317). Song Tian is supported by the National Natural Science Foundation of China (No. 61802401).


  1. 1.
    Abdalla, M., Bellare, M., Rogaway, P.: The oracle Diffie-Hellman assumptions and an analysis of DHIES. In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 143–158. Springer, Heidelberg (2001). Scholar
  2. 2.
    Boyd, C., Cliff, Y., Gonzalez Nieto, J., Paterson, K.G.: Efficient one-round key exchange in the standard model. In: Mu, Y., Susilo, W., Seberry, J. (eds.) ACISP 2008. LNCS, vol. 5107, pp. 69–83. Springer, Heidelberg (2008). Scholar
  3. 3.
    Bos, J., et al.: CRYSTALS - Kyber: a CCA-secure module-lattice-based KEM. In: 2018 IEEE Symposium on Security and Privacy, pp. 353–367 (2018)Google Scholar
  4. 4.
    Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (1994). Scholar
  5. 5.
    Costello, C., Jao, D., Longa, P., Naehrig, M., Renes, J., Urbanik, D.: Efficient compression of SIDH public keys. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10210, pp. 679–706. Springer, Cham (2017). Scholar
  6. 6.
    Canetti, R., Krawczyk, H.: Analysis of key-exchange protocols and their use for building secure channels. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 453–474. Springer, Heidelberg (2001). Scholar
  7. 7.
    Costello, C., Longa, P., Naehrig, M.: Efficient algorithms for supersingular isogeny Diffie-Hellman. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 572–601. Springer, Heidelberg (2016). Scholar
  8. 8.
    De Feo, L., Jao, D., Plût, J.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. J. Math. Cryptology 8(3), 209–247 (2014)MathSciNetzbMATHGoogle Scholar
  9. 9.
    Eisenträger, K., Hallgren, S., Lauter, K., Morrison, T., Petit, C.: Supersingular isogeny graphs and endomorphism rings: reductions and solutions. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10822, pp. 329–368. Springer, Cham (2018). Scholar
  10. 10.
    Faz-Hernádnez, A., López, J., Ochoa-Jimenez, E., Rodríguez-Henríquez, F.: A faster software implementation of the supersingular isogeny Diffie-Hellman key exchange protocol. IEEE Trans. Comput. 67(11), 1622–1636 (2018)MathSciNetCrossRefGoogle Scholar
  11. 11.
    Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 537–554. Springer, Heidelberg (1999). Scholar
  12. 12.
    Fujioka, A., Suzuki, K., Xagawa, K., Yoneyama, K.: Strongly secure authenticated key exchange from factoring, codes, and lattices. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 467–484. Springer, Heidelberg (2012). Scholar
  13. 13.
    Fujioka, A., Suzuki, K., Xagawa, K., Yoneyama, K.: Practical and post-quantum authenticated key exchange from one-way secure key encapsulation mechanism. In: AsiaCCS 2013, pp. 83–94 (2013)Google Scholar
  14. 14.
    Fujioka, A., Takashima, K., Terada, S., Yoneyama, K.: Supersingular isogeny Diffie–Hellman authenticated key exchange. In: Lee, K. (ed.) ICISC 2018. LNCS, vol. 11396, pp. 177–195. Springer, Cham (2019). Scholar
  15. 15.
    Galbraith, S.D.: Authenticated key exchange for SIDH. IACR Cryptology ePrint Archive 2018/266Google Scholar
  16. 16.
    Galbraith, S.D., Petit, C., Silva, J.: Identification protocols and signature schemes based on supersingular isogeny problems. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 3–33. Springer, Cham (2017). Scholar
  17. 17.
    Galbraith, S.D., Petit, C., Shani, B., Ti, Y.B.: On the security of supersingular isogeny cryptosystems. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 63–91. Springer, Heidelberg (2016). Scholar
  18. 18.
    Guilhem, C.D.S., Smart, N.P., Warinschi, B.: Generic forward-secure key agreement without signatures. In: Nguyen, P., Zhou, J. (eds.) ISC 2017. LNCS, vol. 10599, pp. 114–133. Springer, Cham (2017). Scholar
  19. 19.
    Galbraith, S.D., Vercauteren, F.: Computational problems in supersingular elliptic curve isogenies. IACR Cryptology ePrint Archive 2017/774Google Scholar
  20. 20.
    Jao, D., Azarderakhsh, R., Campagna, M., et al.: Supersingular Isogeny Key Encapsulation.
  21. 21.
    Jeong, I.R., Katz, J., Lee, D.H.: One-round protocols for two-party authenticated key exchange. In: Jakobsson, M., Yung, M., Zhou, J. (eds.) ACNS 2004. LNCS, vol. 3089, pp. 220–232. Springer, Heidelberg (2004). Scholar
  22. 22.
    Krawczyk, H.: HMQV: a high-performance secure Diffie-Hellman protocol. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 546–566. Springer, Heidelberg (2005). Scholar
  23. 23.
    Koziel, B., Azarderakhsh, R., Mozaffari-Kermani, M.: A high-performance and scalable hardware architecture for isogeny-based cryptography. IEEE Trans. Comput. 67, 1594–1609 (2018)MathSciNetCrossRefGoogle Scholar
  24. 24.
    Kirkwood, D., Lackey, B.C., McVey, J., Motley, M., Solinas, J.A., Tuller, D.: Failure is not an option: standardization issues for post-quantum key agreement. In: Workshop on Cybersecurity in a Post-Quantum World (2015)Google Scholar
  25. 25.
    LeGrow, J.: Post-quantum security of authenticated key establishment protocols. Master’s thesis, University of Waterloo (2016)Google Scholar
  26. 26.
    Longa, P.: A note on post-quantum authenticated key exchange from supersingular isogenies. IACR Cryptology ePrint Archive 2018/267Google Scholar
  27. 27.
    LaMacchia, B., Lauter, K., Mityagin, A.: Stronger security of authenticated key exchange. In: Susilo, W., Liu, J.K., Mu, Y. (eds.) ProvSec 2007. LNCS, vol. 4784, pp. 1–16. Springer, Heidelberg (2007). Scholar
  28. 28.
    Menezes, A., Qu, M., Vanstone, S.: Some new key agreement protocols providing mutual implicit authentication. In: Selected Areas in Cryptography (1995)Google Scholar
  29. 29.
    Matsumoto, T., Takashima, Y., Imai, H.: On seeking smart public-key-distribution systems. IEICE Trans. (1976–1990) 69(2), 99–106 (1986)Google Scholar
  30. 30.
    Okamoto, T.: Authenticated key exchange and key encapsulation in the standard model. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 474–484. Springer, Heidelberg (2007). Scholar
  31. 31.
    Sun, X., Tian, H., Wang, Y.: Toward quantum-resistant strong designated verifier signature from isogenies. In: INCoS 2012, pp. 292–296 (2012)Google Scholar
  32. 32.
    Urbanik, D., Jao, D.: SoK: the problem landscape of SIDH. IACR Cryptology ePrint Archive 2018/336Google Scholar
  33. 33.
    Xu, X., Xue, H., Wang, K., Liang, B., Au, H., Tian, S.: Strongly secure authenticated key exchange from supersingular isogenies, IACR Cryptology ePrint Archive 2018/760Google Scholar
  34. 34.
    Xue, H., Lu, X., Li, B., Liang, B., He, J.: Understanding and constructing AKE via double-key key encapsulation mechanism. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11273, pp. 158–189. Springer, Cham (2018). Scholar
  35. 35.
    Yoo, Y., Azarderakhsh, R., Jalali, A., Jao, D., Soukharev, V.: A post-quantum digital signature scheme based on supersingular isogenies. In: Kiayias, A. (ed.) FC 2017. LNCS, vol. 10322, pp. 163–181. Springer, Cham (2017). Scholar

Copyright information

© International Association for Cryptologic Research 2019

Authors and Affiliations

  • Xiu Xu
    • 1
    • 2
    • 4
  • Haiyang Xue
    • 1
    • 2
    • 3
    Email author
  • Kunpeng Wang
    • 1
    • 2
    • 4
  • Man Ho Au
    • 3
  • Song Tian
    • 1
    • 2
  1. 1.State Key Laboratory of Information Security, Institute of Information EngineeringChinese Academy of SciencesBeijingChina
  2. 2.Data Assurance and Communications Security Research CenterBeijingChina
  3. 3.The Hong Kong Polytechnic UniversityHung HomHong Kong
  4. 4.School of Cyber SecurityUniversity of Chinese Academy of SciencesBeijingChina

Personalised recommendations