Post-Quantum Constant-Round Group Key Exchange from Static Assumptions

We revisit a generic compiler from a two-party key exchange (KE) protocol to a group KE (GKE) one by Just and Vaudenay. We then give two families of GKE protocols from static assumptions, which are obtained from the general compiler. The first family of GKE protocols is a constant-round GKE obtained by using secure key derivation functions (KDFs). As special cases, we have such GKE from static Ring-LWE (R-LWE), where "static" means that the parameter size in the R-LWE does not depend on the number of group members, n, and also from the standard SI-DDH and CSI-DDH assumptions. The second family consists of two-round GKE protocols from isogenies, which are proven secure from new isogeny assumptions, the first (resp. second) of which is based on the SIDH (resp. CSIDH) two-party KE. The underlying new static assumptions are based on indistinguishability between a product value of supersingular invariants and a random value.


Background
It is well known that widely deployed cryptographic schemes (e.g., RSA and ECC) can be broken by using a large-scale quantum computer (Shor 1997). Hence, we should develop new cryptosystems based on quantum-resistant mathematical problems (called post-quantum cryptography (PQC)).
Group key exchange (GKE) is an important cryptographic primitive, and has been studied for a long time (since the seminal two-party Diffie-Hellman key exchange). In GKE, the number of rounds is a crucial measure of efficiency, and obtaining a constant-round GKE protocol is considered a minimum desirable requirement. Traditionally, the Burmester and Desmedt (BD) KE protocol (Burmester and Desmedt 1994) has been widely known for its simplicity and small round complexity, just two rounds. Subsequently, Just and Vaudenay (JV) (1996) generalized the BD construction so that any two-party KE can be used for obtaining a GKE. However, their description was sketchy and a rigorous security proof has not been presented before (see also Boyd and Mathuria 2003).
In the post-quantum setting, there exist two variants of BD-type GKE protocols, from lattices (Apon et al. 2019) and from isogenies (Furukawa et al. 2018). Apon et al. (2019) proposed a lattice-based BD-type GKE from the Ring-LWE (R-LWE) assumption (in the random oracle model), in which the authors elaborately adjusted the original security proof to their new post-quantum setting. However, since the underlying R-LWE assumption depends on the number of group members, n, the data size also grows with n. Furukawa et al. (2018) proposed an isogeny-based BD-type GKE protocol called SIBD. However, the security proof of SIBD (Theorem 4 in Furukawa et al. 2018) is imperfect, and several points remain unclear, for example, how to simulate some public variables. Applying the JV-type compiler to a post-quantum two-party KE is also a reasonable approach; however, its (post-quantum) security proof requires a rigorous treatment.
As a result, we lack a post-quantum constant-round GKE protocol with a rigorous and reasonable security proof. We next consider what reasonable underlying assumptions are. The size of a problem instance in the above R-LWE setting is linear in the number of group members, n. Traditionally, in pairing-based cryptography, such linear-sized assumptions are called "non-static", "dynamic", or "q-type", and are not desirable from the efficiency and security viewpoints. In a line of research in pairing-based cryptography, q-type assumptions were successfully replaced by static ones (e.g., Kowalczyk and Wee 2019; Okamoto and Takashima 2010; Takashima 2014). Hence, we set the following problem as our target: Can we obtain (provably secure) post-quantum constant-round group key exchange from static assumptions?
Recent cryptography research also considers tight security reductions (from a static assumption). In fact, the original BD GKE is proven tightly secure from the standard DDH assumption (Theorem 6). For obtaining a tight security proof, it is not enough to employ the general form of the JV-type transformation, which includes a general KDF function into a cyclic group G (denoted KDF_G). For tight security we need a construction without (general) KDF_G functions, since a KDF_G destroys the mathematical structure of the underlying two-party KE.

Our Contributions
We revisit previous post-quantum BD-type GKE schemes (Apon et al. 2019; Furukawa et al. 2018) and the JV compiler for GKE (Boyd and Mathuria 2003; Just and Vaudenay 1996), and reformulate them under a provably secure generic compiler. We have two families of GKE protocols from static assumptions. The first family of GKE protocols obtained from the general compiler is a constant-round GKE (from a two-party KE protocol) using a secure KDF_G (Theorem 3). As special cases, we have such GKE from static Ring-LWE (R-LWE), where "static" means that the parameter size in the R-LWE does not depend on the number of group members, n (Corollary 1), and from the standard SI-DDH and CSI-DDH assumptions (Corollary 2). The first family has the limitation that it cannot have a tight security proof, since a general KDF_G is used.
The second family consists of two-round GKE protocols, which are proven secure from new isogeny assumptions, the first (resp. second) of which is based on the SIDH (resp. CSIDH) KE (Theorem 4 (resp. Theorem 5)). They are called the SI-PBD and CSI-PBD GKEs, respectively. The underlying new static assumptions are obtained from the indistinguishability between a random product of supersingular invariants and a random value (in an appropriate finite field), and seem to be of independent interest. They are called the DSJP (Decisional Supersingular j-invariants Product) and DSMP (Decisional Supersingular Montgomery coefficients Product) assumptions, respectively. As the second family needs no KDF_G, it may be a step towards tightly secure GKE (although we have not yet achieved that). Note that the Katz-Yung (KY) generic compiler from KE to authenticated KE (AKE) (Katz and Yung 2007) requires a signature scheme. Very interestingly, the first practical isogeny-based signature scheme, CSI-FiSh, was recently proposed (Beullens et al. 2019). Therefore, we obtain a practical authenticated GKE (AGKE) by applying the KY compiler to our isogeny-based GKE and CSI-FiSh, both of which are post-quantum from isogenies. (Refer to Bernstein et al. 2019 and Peikert 2019 for recent estimates of the post-quantum security of CSIDH and CSI-FiSh.) Since we have several lattice-based signatures, e.g., Ducas et al. (2018), Fouque et al. (2017), Akleylek et al. (2017), we also obtain a lattice-based AGKE from our lattice-based GKE.
In the (tight) security proof of the BD key exchange protocol from DDH on G, we should simulate the broadcast values (h_i, u_i)_{i∈[n]} as well as embed the DDH challenge element into the challenge shared key K.
The SIBD protocol (Furukawa et al. 2018) is obtained from the above BD GKE by replacing (h_i, J_i) with invariants of supersingular elliptic curves. Since the invariants are given by elements in finite fields, we also have

We revisit the JV construction (Just and Vaudenay 1996), whose original description was sketchy and for which no security proof was given there. Hence, we first give a careful security proof for JV. Based on the proof, we present our isogeny-based GKE from newly proposed assumptions. Then, as is shown in the proof of Theorem 3, if the J_{i−1,i}'s are uniformly and independently distributed in G, then for each i ∈ [n] the n elements K, u_1, ..., u_{i−1}, u_{i+1}, ..., u_n are also uniformly and independently distributed in G (and u_i is given as u_i = (u_1 ··· u_{i−1} · u_{i+1} ··· u_n)^{−1}). This means that if the J_{i−1,i}'s are distributed uniformly and independently, the target shared key K can be changed to a random one by a purely information-theoretic game transformation. This is the key lemma on the BD-type encoding (Lemma 6). However, for the SIBD protocol (Furukawa et al. 2018), since the J_{i−1,i} are supersingular j-invariants, there is an efficient algorithm for distinguishing between J_{i−1,i} and a uniformly random element of the finite field (see Sutherland 2012). Hence, to fix the situation, we introduce new decisional assumptions called the d-DSJP and d-DSMP assumptions. For simplicity, here we only show the 2-DSJP assumption, in which the product of two j-invariants J^{(1)}_{i−1,i} and J^{(2)}_{i−1,i}, that is, J^{(1)}_{i−1,i} · J^{(2)}_{i−1,i}, should be indistinguishable from a uniformly random variable. At present, we know no efficient algorithm for these problems, and consider them plausible assumptions.
Following the above ideas, in Sect. 4.1 we give a JV-type generic transformation from KE to GKE based on the BD-type encoding of (u_i) and K from (J_{i−1,i}) given in Eq. (1). We then consider the following two approaches for obtaining uniformly random J_{i−1,i}'s:
1. Using a secure KDF_G function ϕ to obtain random J_{i−1,i} := ϕ(κ_{i−1,i}), where the κ_{i−1,i}'s are shared keys of a secure two-party KE. By this approach, we obtain a new GKE from the "static" R-LWE assumption (Sect. 4.2). We also obtain new GKE protocols from the SI-DDH and CSI-DDH assumptions.
2. Using new assumptions on supersingular invariants. By using the new DSJP and DSMP assumptions, the local outputs (J_{i−1,i}) and (M_{i−1,i}) of the two-party key exchange can be computationally replaced by random ones, and we obtain new GKE from these post-quantum assumptions (Sects. 4.3 and 4.4) without KDF_G.

Organization
In Sect. 2, we introduce several preliminary facts: definition of group key exchange, supersingular invariants and underlying assumptions for SIDH and CSIDH. In Sect. 3, our new assumptions on supersingular invariants are presented. In Sect. 4, we propose new PQ GKE, i.e., lattice-based and isogeny-based GKE from static assumptions.

Notations. When A is a set (resp. a random variable), y ←_R A denotes that y is uniformly generated from A (resp. randomly generated from A according to its distribution). We denote the finite field of order q by F_q. We denote the set {1, ..., n} by [n].

Group Key Exchange
We give definitions of group key exchange, its correctness and security.
Definition 1 (Group Key Exchange (GKE)) A protocol (parametrized by r, n and λ) is called an r-round n-party key exchange protocol if it is composed of probabilistic polynomial-time algorithms (Setup, (Round-r')_{r'=1}^{r}, KeyComp), where Setup takes a security parameter λ as input and outputs public parameters params; Round-r' for each user i takes all previous public variables and his/her own secrets and outputs (broadcasts) his/her r'-th round public values; and KeyComp for each user i takes all public variables and his/her own secrets and outputs the shared secret value K_i.
We call the protocol correct if all (shared) keys K_1, ..., K_n are the same value, i.e., K := K_1 = ··· = K_n. The key space (or key set) is denoted by K := K(λ), whose cardinality #K is exponentially large in λ (or which has enough entropy).
For a GKE protocol, we let Exec(λ) denote an execution of the protocol, resulting in a transcript of all messages sent during the course of that execution, along with the shared key K computed by the parties. We let Adv_A(λ) denote the advantage of a polynomial-time quantum adversary A in distinguishing between the following two distribution ensembles: the transcript together with the real shared key K, and the transcript together with a key chosen uniformly at random from the key space (these are the first and second cases referred to in the proofs of Theorems 3 and 4). The protocol is post-quantumly secure if Adv_A(λ) is negligible in λ for any polynomial-time quantum A.

Supersingular Isogenies and Invariants
We summarize facts about elliptic curves. For details, see Washington (2008), for example.
Let p be a prime greater than 3 and F_p be the finite field with p elements. Let \bar{F}_p be its algebraic closure. Here, an elliptic curve E over \bar{F}_p is given by the Montgomery normal form of Eq. (2) for m and δ ∈ \bar{F}_p, where the discriminant of the RHS of Eq. (2) is nonzero. Given two elliptic curves E and E' over \bar{F}_p, a homomorphism φ : E → E' is a morphism of algebraic curves that sends O_E to O_{E'}. A nonzero homomorphism is called an isogeny, and a separable isogeny whose kernel has cardinality ℓ is called an ℓ-isogeny. We consider only separable isogenies in this paper. We compute ℓ-isogenies by using Vélu's formulas (Vélu 1971) for small primes ℓ = 2, 3, .... For explicit formulas, see Jao et al. (2017) for SIDH and Castryck et al. (2018) for CSIDH.
An elliptic curve E over \bar{F}_p is called supersingular if it has no points of order p, i.e., E[p] = {O_E}. The j-invariants of supersingular elliptic curves lie in F_{p^2}. We define two sets as below, for the SI-DDH and CSI-DDH assumptions; the first of them, J_{p^2} ⊂ F_{p^2}, is the set of j-invariants of supersingular elliptic curves.

SIDH Key Exchange and SI-DDH Assumption (Feo et al. 2014)
The detailed description of the SIDH key exchange is given in Appendix 3.1. Here, we summarize the facts on SIDH needed in later sections. Public parameters are given as params_SIDH := (p, E; P_A, Q_A, P_B, Q_B). All the messages exchanged during an execution form the transcript, denoted transcript_AB. Alice's and Bob's shared keys, i.e., K_A := j(E_AB) and K_B := j(E_BA), are equal (Feo et al. 2014; Fujioka et al. 2018), and the common value is denoted by K.

Definition 2 (Supersingular Isogeny Decision Diffie-Hellman (SI-DDH) assumption) Let J_0 := K be the real shared key of an SIDH execution with transcript transcript_AB, and let J_1 ←_R J_{p^2} (Eq. (5)). If the advantage of A in distinguishing (transcript_AB, J_0) from (transcript_AB, J_1) is negligible for any polynomial-time quantum algorithm A, we say that the SI-DDH assumption holds.
Theorem 1 (Feo et al. 2014) The SIDH key exchange is post-quantumly secure under the SI-DDH assumption.

CSIDH Key Exchange and CSI-DDH Assumption (Castryck et al. 2018)
The detailed description of the CSIDH key exchange is given in Appendix 3.2. Here, we summarize the necessary facts on CSIDH. Public parameters are given as params := (p, E). All the messages exchanged during an execution form the transcript, denoted transcript_AB. Alice's and Bob's shared keys, which are Montgomery coefficients in F_p, are equal, and the common value is denoted by K.

Definition 3 (Commutative Supersingular Isogeny Decisional Diffie-Hellman (CSI-DDH) assumption) If the advantage of A in distinguishing the real CSIDH shared key K (given transcript_AB) from a uniformly random element of the set of supersingular Montgomery coefficients is negligible for any polynomial-time quantum algorithm A, we say that the CSI-DDH assumption holds.
Theorem 2 (Castryck et al. 2018) The CSIDH key exchange is post-quantumly secure under the CSI-DDH assumption.

New Assumptions on Supersingular j-Invariants
Let (transcript_AB^{(μ)})_{μ∈[d]} be transcripts of d executions of SIDH with the same

Progressive Weakness Among d-DSJP Assumptions
The next lemma shows that the (d + 1)-DSJP assumption is weaker than the d-DSJP one. In other words, a security proof from the (d + 1)-DSJP assumption is considered better than that from the d-DSJP one.

Lemma 1 The d-DSJP assumption is reduced to the (d + 1)-DSJP assumption. That is, for any adversary A, there is a probabilistic machine B, whose running time is essentially the same as that of A, such that for any security parameter λ, the advantage of A against the (d + 1)-DSJP problem is at most that of B against the d-DSJP problem.
Proof B is given a d-DSJP instance whose challenge J_β is the product of the d shared j-invariants of the transcripts (transcript_AB^{(μ)})_{μ∈[d]} when β = 0, or a random element in F_{p^2} when β = 1. B generates a new SIDH public key pair E^{(d+1)} (with its own secret keys, so B knows the (d + 1)-th shared j-invariant), multiplies the challenge by that j-invariant, and then constructs a new (d + 1)-DSJP tuple from the d + 1 transcripts and the new challenge. The new challenge is a (d + 1)-fold product when β = 0 and remains uniform in F_{p^2} when β = 1, so B forwards it to A and outputs what A outputs.
In fact, we show that the 1-DSJP problem is efficiently solved (Lemma 2 in Sect. 3.1.2) and that the 2-DSJP problem admits a specific approach via modular polynomials (Sect. 3.1.3).

Case d = 1: Relation Between SI-DDH and 1-DSJP Assumptions
While the value of J_0 for SI-DDH in Eq. (5) is the same as that for the 1-DSJP assumption in Eq. (6), the J_1's in the two assumptions are distributed differently. Namely, the first (resp. the second) is uniformly distributed over J_{p^2} (⊂ F_{p^2}) (resp. over F_{p^2}). As shown below, the difference is important.

Lemma 2 The 1-DSJP problem can be solved in (deterministic) polynomial time except with negligible error probability.
Proof In the 1-DSJP problem, J_0 (resp. J_1) is uniformly distributed in J_{p^2} (resp. F_{p^2}). Since #J_{p^2} is about p/12, a uniformly random element of F_{p^2} is a supersingular j-invariant only with probability about 1/(12p). Therefore, applying a supersingularity-testing algorithm, e.g., that of Sutherland (2012), to the challenge solves the problem.
From the above fact, the direct assumption, i.e., the decisional (1, 1)-SI-PBD assumption in Definition 6, picks the target key κ_1 (the β = 1 instance) from the uniform distribution on J_{p^2} instead of on F_{p^2}.

Case d = 2: An Approach for 2-DSJP via Modular Polynomials
Lemma 1 shows that the 2-DSJP assumption is the strongest among the d-DSJP assumptions for d ≥ 2. In fact, we have a possible approach for solving the problem, indicated below. However, the attack is not yet effective at present.
Here, we introduce the modular polynomials Φ_N(X, Y) := Σ c_{ik} X^i Y^k, which satisfy Φ_N(j, j') = 0 for two j-invariants j and j' such that there exists an N-isogeny between the associated elliptic curves E(j) and E(j'). From this defining property (the dual of an N-isogeny is again an N-isogeny), Φ_N(X, Y) is symmetric in X and Y. Hence, if we set S := X + Y and T := XY, Φ_N(X, Y) can be written as Φ_N(X, Y) = Φ̃_N(S, T) := Σ γ_{ik} S^i T^k for a two-variable polynomial Φ̃_N. The challenge J_0 of the 2-DSJP problem is the product of two supersingular j-invariants, i.e., τ := j(E^{(1)}) · j(E^{(2)}). Substituting T := τ into Φ̃_N(S, T), we obtain a one-variable polynomial equation Φ̃_N(S, τ) = 0. If E^{(1)} and E^{(2)} are N-isogenous, then σ := j(E^{(1)}) + j(E^{(2)}) satisfies this equation, i.e., Φ̃_N(σ, τ) = 0.
Based on this fact, we obtain a possible cryptanalysis of the 2-DSJP problem, given below. The input of the algorithm is a 2-DSJP instance ((transcript_AB^{(μ)})_{μ∈[2]}, J_β), and we set τ := J_β. For small N = 2, 3, ... and for each root σ ∈ F_{p^2} of Φ̃_N(S, τ) = 0, let w_1, w_2 be the roots of X^2 − σX + τ = 0 (so that w_1 + w_2 = σ and w_1 · w_2 = τ):
a. If w_1 ∉ F_{p^2} or w_2 ∉ F_{p^2}, quit this loop.
b. Check whether both w_1 and w_2 are supersingular j-invariants or not. If yes, output β := 0.
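The 1-DSJP distinguisher of Lemma 2 and the N = 2 case of the above procedure can be run concretely. The following Python script is an added example and is not code from the paper or its authors. Its simplifications are assumptions of the example: the j-invariants live in F_p rather than F_{p^2}, only the classical level-2 modular polynomial Φ_2 is used, roots are found by brute force (so p must be small), and supersingularity is tested by counting points over F_p (E is supersingular iff #E(F_p) = p + 1) instead of by Sutherland's algorithm. The β = 0 instance is built from j = 1728 and j = 66^3 = 287496, which satisfy Φ_2(1728, 287496) = 0 (the curves are 2-isogenous) and are both supersingular modulo every prime p ≡ 3 (mod 4); this is the attacker's best case, since the isogeny degree is the smallest possible.

```python
"""Added example (not from the paper): Lemma 2's supersingularity test and the
N = 2 modular-polynomial approach to 2-DSJP (Sect. 3.1.3), over F_p for small p."""


def phi2(x, y):
    """Classical modular polynomial Phi_2(X, Y) over the integers."""
    return (x**3 + y**3 - x**2 * y**2 + 1488 * (x**2 * y + x * y**2)
            - 162000 * (x**2 + y**2) + 40773375 * x * y
            + 8748000000 * (x + y) - 157464000000000)


def phi2_sym(s, t, p):
    """Phi_2 rewritten in S = X + Y, T = XY (Phi_2 is symmetric), reduced mod p."""
    return (s**3 - 162000 * s**2 + (1485 * t + 8748000000) * s
            - t**2 + 41097375 * t - 157464000000000) % p


def is_supersingular_j(j, p):
    """Curve with j-invariant j over F_p (p > 3) is supersingular iff #E(F_p) = p + 1,
    i.e. sum_x chi(x^3 + a x + b) = 0 with chi the Legendre symbol.  The model
    y^2 = x^3 + 3k x + 2k, k = j / (1728 - j), has j-invariant j (special cases 0, 1728)."""
    j %= p
    if j == 0:
        a, b = 0, 1
    elif j == 1728 % p:
        a, b = 1, 0
    else:
        k = j * pow((1728 - j) % p, -1, p) % p
        a, b = 3 * k % p, 2 * k % p
    trace = 0
    for x in range(p):
        chi = pow((x**3 + a * x + b) % p, (p - 1) // 2, p)  # 0, 1 or p-1 (= -1)
        trace += -1 if chi == p - 1 else chi
    return trace == 0


def solve_1dsjp(j_beta, p):
    """1-DSJP distinguisher (Lemma 2): beta = 0 iff the challenge is a supersingular j."""
    return 0 if is_supersingular_j(j_beta, p) else 1


def attack_2dsjp(tau, p):
    """Sect. 3.1.3 with N = 2: every pair {w1, w2} in F_p with w1*w2 = tau,
    Phi_2(w1, w2) = 0 and both supersingular.  A non-empty result is the verdict beta = 0."""
    tau %= p
    found = set()
    for sigma in range(p):                       # roots S of Phi_2~(S, tau) = 0
        if phi2_sym(sigma, tau, p) != 0:
            continue
        for w1 in range(p):                      # roots of X^2 - sigma X + tau = 0
            if (w1 * w1 - sigma * w1 + tau) % p != 0:
                continue
            w2 = (sigma - w1) % p
            if is_supersingular_j(w1, p) and is_supersingular_j(w2, p):
                found.add((min(w1, w2), max(w1, w2)))
    return sorted(found)


if __name__ == "__main__":
    p = 1019                                     # p = 3 (mod 4), small enough to brute-force
    j1, j2 = 1728 % p, 287496 % p                # constructed beta = 0 instance
    tau = j1 * j2 % p
    print("Phi_2(1728, 66^3) =", phi2(1728, 287496))
    print("1-DSJP verdict for j = 1728:", solve_1dsjp(1728, p))
    print("2-DSJP recovered pairs:", attack_2dsjp(tau, p))
```

attack_2dsjp returns every pair it finds; a non-empty list is the verdict β := 0, and for a random τ the list is usually empty (at this toy size a false positive is not negligible, since roughly one in twelve field elements is a supersingular j-invariant over F_p of this size). For the real problem over F_{p^2} the root finding and the isogeny degree N are the costly parts, as the paper notes below.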
The degree N of an isogeny between the two curves E^{(1)} and E^{(2)} above is usually large, so if the security parameter λ is set large, the attack is ineffective. Nevertheless, the above scenario shows a possible approach to this problem using a specific property of modular polynomials when d = 2.

For the DSMP assumptions, we have results similar to those for the DSJP ones. In particular, we have the following lemmas.

Lemma 3 The d-DSMP assumption is reduced to the (d + 1)-DSMP assumption.
Lemma 4 The 1-DSMP problem can be solved in (deterministic) polynomial time except with a negligible error probability.

A Generic JV-Type Compiler for GKE from Two-Party KE (Just and Vaudenay 1996)
We describe a generic BD-type GKE compiler from a two-party KE protocol; the obtained GKE protocol is referred to as the compiled (BD-type) GKE. Such a generic compiler was first proposed by Just and Vaudenay (1996) (see also Boyd and Mathuria 2003), but no formal proof had been given. By writing the security proof carefully (it also serves as the basis of the security proofs of our proposals in Sects. 4.3 and 4.4), we found a condition that the compiler needs in order to be provably secure, namely gcd(n, q) = 1 below. The number of group members is assumed to be n ≥ 3. Assume that we have a two-party key exchange with shared key space K. We need a map ϕ : K → G (called a G-embedding map), where G is a cyclic group of order q, in the BD-type encoding (BDEnc) indicated below. We assume that gcd(n, q) = 1 for the number of group members n and the cyclic group order q. (Note that we do not assume the intractability of discrete logarithms in G.)
Exec-KE. Each user i runs the two-party protocol with users i − 1 and i + 1, respectively, and obtains keys κ_{i−1,i} and κ_{i,i+1}.
BDEnc. User i computes J_{i−1,i} := ϕ(κ_{i−1,i}) and J_{i,i+1} := ϕ(κ_{i,i+1}), broadcasts u_i := J_{i,i+1} · J_{i−1,i}^{−1}, and then computes K_i := J_{i−1,i}^n · u_i^{n−1} · u_{i+1}^{n−2} ··· u_{i−2} from its own J_{i−1,i} and the broadcast values, which equals K := J_{1,2} · J_{2,3} ··· J_{n−1,n} · J_{n,1} (Eq. (1)).
The correctness is shown as the same as the original BD key exchange. The security depends on the map ϕ. Below, we show that it is proven secure assuming that ϕ is a secure KDF (see Appendix 2 for its definition) and the underlying protocol is secure.
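The compiler and the role of the gcd(n, q) = 1 condition can be checked concretely. The following Python script is an added example and is not code from the paper or its authors. Its assumptions: G := F_P^* for a prime P (so q = P − 1), each two-party KE run is modelled by a shared random byte string κ (a stand-in for a real KE output), and the G-embedding map ϕ is a SHA-256-based KDF into F_P^*. run_gke executes Exec-KE, BDEnc and KeyComp for n users and checks that every user derives J_{1,2} ··· J_{n,1}; reachable_keys enumerates, for one fixed broadcast (u_1, ..., u_n), every key K that some hidden J_{n,1} could explain. That set has exactly q/gcd(n, q) elements, so the key is uniform given the transcript (the information-theoretic step of Lemma 6 / Theorem 3) only when gcd(n, q) = 1; otherwise K is confined to a coset of the n-th powers and an unbounded adversary distinguishes it from a random group element.

```python
"""Added example (not from the paper): the JV/BD-type compiler of Sect. 4.1 over G := F_P^*.

Assumptions of this example: each two-party KE run is modelled by a shared random byte
string kappa (stand-in for a real KE output) and the G-embedding map phi is a SHA-256
based KDF into F_P^*.  Indices are 0-based and cyclic: J[i] plays the role of J_{i-1,i},
the value shared by users i-1 and i, and u[i] is user i's broadcast u_i."""
import hashlib
import math
import secrets


def kdf_to_group(kappa: bytes, P: int) -> int:
    """phi: K -> G = F_P^*: hash the two-party key and reduce into {1, ..., P-1}.
    (Assumed KDF; the reduction is negligibly biased only while P - 1 << 2^256.)"""
    h = int.from_bytes(hashlib.sha256(b"BD-GKE|" + kappa).digest(), "big")
    return 1 + h % (P - 1)


def bd_encode(J, P):
    """BDEnc: user i broadcasts u_i = J_{i,i+1} * J_{i-1,i}^{-1}; the product of all u_i is 1."""
    n = len(J)
    return [J[(i + 1) % n] * pow(J[i], -1, P) % P for i in range(n)]


def key_comp(i, J_prev, u, P):
    """KeyComp for user i: K_i = J_{i-1,i}^n * u_i^{n-1} * u_{i+1}^{n-2} * ... * u_{i-2}^1."""
    n = len(u)
    K = pow(J_prev, n, P)
    for k in range(n - 1):
        K = K * pow(u[(i + k) % n], n - 1 - k, P) % P
    return K


def run_gke(n, P, kdf=kdf_to_group):
    """One execution of the compiled GKE; returns (key computed by each user, product of all J)."""
    if n < 3 or math.gcd(n, P - 1) != 1:
        raise ValueError("need n >= 3 and gcd(n, q) = 1 for q = |G| = P - 1")
    kappa = [secrets.token_bytes(32) for _ in range(n)]   # Exec-KE, modelled as shared randomness
    J = [kdf(k, P) for k in kappa]                         # J_{i-1,i} := phi(kappa_{i-1,i})
    u = bd_encode(J, P)                                    # the single round of broadcasts
    keys = [key_comp(i, J[i], u, P) for i in range(n)]     # each user's KeyComp
    expected = 1
    for j in J:
        expected = expected * j % P
    return keys, expected


def reachable_keys(u, P):
    """All keys K consistent with a broadcast (u_0, ..., u_{n-1}) as the hidden J_0 ranges
    over G.  Since J_{i+1} = J_i * u_i, K = J_0^n * C for a constant C, so there are
    exactly q / gcd(n, q) such keys: K is uniform given the transcript iff gcd(n, q) = 1."""
    n = len(u)
    keys = set()
    for J0 in range(1, P):
        J, K = J0, 1
        for i in range(n):
            K = K * J % P          # accumulate the product of all J's
            J = J * u[i] % P       # next J: J_{i+1} = J_i * u_i
        keys.add(K)
    return keys


if __name__ == "__main__":
    P = 2**31 - 1                    # Mersenne prime; q = P - 1 = 2 * 3^2 * 7 * 11 * 31 * 151 * 331
    keys, expected = run_gke(5, P)   # n = 5 is coprime to q
    print("all users agree on the product key:", len(set(keys)) == 1 and keys[0] == expected)
    small = 23                       # toy group F_23^*, q = 22
    print("n=3, gcd(3,22)=1:", len(reachable_keys(bd_encode([2, 5, 7], small), small)), "keys")
    print("n=4, gcd(4,22)=2:", len(reachable_keys(bd_encode([2, 5, 7, 11], small), small)), "keys")
```

The toy group makes the condition visible: with n = 3 and q = 22 all 22 group elements remain possible keys, while with n = 4 only 11 do, so half of G can be excluded from the transcript alone. run_gke refuses such parameter choices up front.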

Theorem 3 The compiled GKE protocol is (post-quantumly) secure if the underlying two-party KE protocol is (post-quantumly) secure, ϕ is a (post-quantumly) secure KDF and gcd(n, q) = 1, where q is the order of G. More precisely, for any (quantum) adversary A, there exist (quantum) machines B_l and C_l (l ∈ [2n]), whose running times are essentially the same as that of A, such that the advantage of A is bounded by the sum over l of the advantages of B_l against the two-party KE and of C_l against the KDF ϕ (up to negligible terms).
Proof The view of A consists of (u_1, ..., u_n, K). To prove Theorem 3, we consider the following 2n + 2 games. The variable named in each game is the one changed from the previous game.
Game 0: Original game, which is the same as the first case in Definition 1. The values of J_{i−1,i}, u_i, K are given as J_{i−1,i} := ϕ(κ_{i−1,i}), u_i := J_{i,i+1} · J_{i−1,i}^{−1}, K := J_{1,2} · J_{2,3} ··· J_{n−1,n} · J_{n,1}, where κ_{i−1,i} is a shared key obtained by running the two-party KE between users i − 1 and i.
Game l (l ∈ [n]): Same as Game l − 1 except that the l-th output of ϕ is replaced by a uniformly random element, J_{l−1,l} ←_R G (for both of users l − 1 and l); all the other variables are generated as in Game l − 1.
Game n + 1: Same as Game n except that the shared key is K ←_R G, and all the other variables are generated as in Game n. Note that K is independent of all the other variables.
Game n + 1 + l (l ∈ [n]): The l-th output of ϕ is again J_{l−1,l} := ϕ(κ_{l−1,l}) (for both of users l − 1 and l), all the other J_{i−1,i}'s for i ≠ l are generated as in Game n + l, and (u_1, ..., u_n) are generated as in Eq. (7) from all the J_{i−1,i}'s for i ∈ [n] and K ←_R G.
Here, note that Game 2n + 1 is the same as the second case in Definition 1.
Let Adv^{(l)}_A(λ) be the advantage of A in Game l. We will show three lemmas (Lemmas 5–7) that evaluate the gaps between the advantages of consecutive games among Game 0, ..., Game 2n + 1. From these lemmas, by the triangle inequality over the 2n + 1 game transitions, Adv_A(λ) is a negligible function. This completes the proof of Theorem 3.

Lemma 5 For any (quantum) adversary A, there exist (quantum) machines B_l and C_l, whose running times are essentially the same as that of A, such that |Adv^{(l−1)}_A(λ) − Adv^{(l)}_A(λ)| is bounded by Adv_{B_l}(λ) + Adv^{KDF}_{C_l}(λ) up to a negligible term, where Adv_{B_l}(λ) is the advantage of B_l against the two-party KE and Adv^{KDF}_{C_l}(λ) is the advantage of C_l against the KDF ϕ.
Proof For the proof, we define an intermediate game, Game l − 1/2, between Games l − 1 and l. In Game l − 1/2, κ_{l−1,l} ←_R K and J_{l−1,l} := ϕ(κ_{l−1,l}), and the remaining variables are all generated in the same manner as in Game l − 1.
By the security definition of two-party KE, the difference of the advantages in Games l − 1 and l − 1/2 is bounded by the advantage against the KE protocol, i.e., Adv_{B_l}(λ) (except with negligible probability). Since the key space K has enough entropy, by the definition of a KDF, the difference of the advantages in Games l − 1/2 and l is bounded by the advantage against the KDF, i.e., Adv^{KDF}_{C_l}(λ) (except with negligible probability). This completes the proof of Lemma 5.
Lemma 7 For any (quantum) adversary A, there exist (quantum) machines B_{n+l} and C_{n+l}, whose running times are essentially the same as that of A, such that for any security parameter λ, |Adv^{(n+l)}_A(λ) − Adv^{(n+l+1)}_A(λ)| is bounded, as in Lemma 5, by the advantage of B_{n+l} against the two-party KE plus the advantage of C_{n+l} against the KDF ϕ, up to a negligible term. Lemma 7 is proven in a similar manner to Lemma 5.

Constant-Round GKE from Static Standard Assumptions
We instantiate the above generic GKE with the two-party R-LWE key exchange underlying Apon et al.'s GKE (Apon et al. 2019) and a SHA-2 (or SHA-3) based KDF ϕ whose range is G := F^* for some finite field F. Therefore, we have the following corollary.

Corollary 1 There exists a post-quantum constant-round GKE from the two-party KE in Apon et al. (2019) and a standard KDF function ϕ under the static ring LWE assumption.
Apon et al.'s original GKE is based on the "non-static" or "dynamic" R-LWE assumption: the noise size depends on the number of group members n, so the parameter sizes of the scheme grow with n.

Two-Round Product-BD (PBD) GKE from d-DSJP Assumption
We modify the SIBD Group Key Exchange proposed in Furukawa et al. (2018) to a provably secure one, called Supersingular Isogeny Product-BD ((n, d)-SI-PBD) protocol for n-parties. In other words, our general (n, d)-SI-PBD protocol is obtained via our generic compiler (in Sect. 4.1) from two-party (2, d)-SI-PBD protocol, where a G-embedding map ϕ is given by the identity map ϕ := id G : G → G.

Construction
We consider n-party key exchange. Each user is indexed by 1, 2, . . . , n, where n is supposed to be even for simplicity. Note that we can easily obtain the protocol for odd n. The user indices are taken in a cycle: so R n+1 := R 1 and R 0 := R n . We introduce the map ι(i) := i mod 2 and we will simply write ι instead of writing ι(i).
Setup. Takes the security parameter and outputs the SIDH public parameters params_SIDH.
Round-1. Takes the user index i and params_SIDH. User i generates d SIDH secret keys k^{(μ)}_i (μ ∈ [d]) in the SIDH role determined by ι(i) (even-indexed users take one role and odd-indexed users the other), together with the corresponding public keys (E^{(μ)}_i)_{μ∈[d]}, and sets pk^1_i := (E^{(μ)}_i)_{μ∈[d]} and sk^1_i := (k^{(μ)}_i)_{μ∈[d]}. Finally, user i broadcasts pk^1_i to the other users.
Round-2. Takes the user index i, params_SIDH, pk^1_{i−1}, pk^1_{i+1}, and sk^1_i. User i executes the SIDH key exchange with users i − 1 and i + 1 to obtain elliptic curves E^{(μ)}_{i−1,i} and E^{(μ)}_{i,i+1} (μ ∈ [d]), respectively, and then computes the j-invariant products J_{i−1,i} := ∏_{μ=1}^{d} j(E^{(μ)}_{i−1,i}) and J_{i,i+1} := ∏_{μ=1}^{d} j(E^{(μ)}_{i,i+1}). The user then computes u_i := J_{i,i+1} · J_{i−1,i}^{−1} and sets pk^2_i := u_i. Finally, user i broadcasts pk^2_i to the other users.
KeyComp. User i collects (pk^2_{i'})_{i'∈[n]} and sk^1_i and computes K_i := J_{i−1,i}^n · u_i^{n−1} · u_{i+1}^{n−2} ··· u_{i−3}^2 · u_{i−2}.

Warm-Up: Security from a Nonstatic Assumption
We rephrase the security of the (n, d)-SI-PBD protocol based on Definition 1 in the form of the following assumption (see Lemma 8).
Definition 6 ((n, d)-SI-PBD assumption) Let transcript_{n,d} be the transcript of an execution of the (n, d)-SI-PBD protocol with secret keys (k^{(μ)}_i)_{μ∈[d]} (i ∈ [n]), and K := ∏_{i=1}^{n} J_{i,i+1}. An (n, d)-SI-PBD problem instance is given as (transcript_{n,d}, κ_β), where κ_0 := K and κ_1 is a random key (for (1, 1)-SI-PBD, κ_1 ←_R J_{p^2}; see Sect. 3.1.2). If the advantage of A in guessing β is negligible for any polynomial-time quantum algorithm A, we say that the (n, d)-SI-PBD assumption holds.
Remark 1 We have better security proofs when d ≥ 2 for the (n, d)-SI-PBD GKE (Theorem 4). However, the above gives security proofs only for the d = 1 case, which is based on nonstatic assumptions. Note that since n ≥ 3 and the key K is an n-fold product of j-invariants, we know of no efficient algorithm distinguishing κ_0 from κ_1.

Lemma 8 The (n, d)-SI-PBD key exchange among n-parties is post-quantumly secure under the (n, d)-SI-PBD assumption.
Proof Lemma 8 is trivially obtained from Definitions 1 and 6.
If the (n, d)-SI-PBD problem is hard for quantum adversaries, the SI-PBD key exchange among n parties is also quantum resistant. Therefore, we investigate the post-quantum security of the (n, d)-SI-PBD assumption in the next section.
Moreover, as is shown in Lemma 1 for the d-DSJP assumptions, the family of (n, d)-SI-PBD assumptions also has natural sequential reductions among them.
Lemma 9 The (n, d)-SI-PBD assumption is reduced to the (n, d + 1)-SI-PBD assumption. That is, for any adversary A, there is a (quantum) machine B, whose running time is essentially the same as that of A, such that for any security parameter λ, the advantage of A against the (n, d + 1)-SI-PBD problem is at most that of B against the (n, d)-SI-PBD problem.
Proof The proof of Lemma 9 is given similarly to that of Lemma 1.
Lemma 9 shows that the (n, d + 1)-SI-PBD group key exchange is more secure than the (n, d)-SI-PBD one, while the former is less efficient than the latter in terms of data sizes and execution times.

Security from d-DSJP Assumption for d ≥ 2
Theorem 4 The (n, d)-SI-PBD key exchange among n parties is post-quantumly secure under the d-DSJP assumption when d ≥ 2 and gcd(n, p^2 − 1) = 1. (Note that p^2 − 1 is the order of the cyclic group G := F_{p^2}^*.) More precisely, for any quantum adversary A, there exist quantum machines B_l (l ∈ [2n]), whose running times are essentially the same as that of A, such that Adv^{(n,d)-SI-PBD}_A(λ) is bounded by the sum over l of the advantages of the B_l against the d-DSJP problem.
Proof The view of A consists of (u_1, ..., u_n, K). To prove Theorem 4, we consider the following 2n + 2 games. The variable named in each game is the one changed from the previous game.
Game 0: Original game, which is the same as the β = 0 case in Definition 6. The values of J_{i−1,i}, u_i, K are given as J_{i−1,i} := ∏_{μ=1}^{d} j(E^{(μ)}_{i−1,i}), u_i := J_{i,i+1} · J_{i−1,i}^{−1}, K := J_{1,2} · J_{2,3} ··· J_{n−1,n} · J_{n,1}.
Game l (l ∈ [n]): Same as Game l − 1 except that the l-th j-invariant product is replaced by a uniformly random element, J_{l−1,l} ←_R F_{p^2} (for both of users l − 1 and l).
Game n + 1: Same as Game n except that the shared key is K ←_R F_{p^2}, and all the other variables are generated as in Game n. Note that K is independent of all the other variables.
Game n + 1 + l (l ∈ [n]): The l-th product is again J_{l−1,l} := ∏_{μ=1}^{d} j(E^{(μ)}_{l−1,l}) (for both of users l − 1 and l), all the other J_{i−1,i}'s for i ≠ l are generated as in Game n + l, and (u_1, ..., u_n) are generated as in Eq. (8) from all the J_{i−1,i}'s for i ∈ [n] and K ←_R F_{p^2}. Here, note that Game 2n + 1 is the same as the β = 1 case in Definition 6.

Let Adv^{(l)}_A(λ) be the advantage of A in Game l. We will show three lemmas (Lemmas 10–12) that evaluate the gaps between the advantages of consecutive games among Game 0, ..., Game 2n + 1. From these lemmas, by the triangle inequality, Adv^{(n,d)-SI-PBD}_A(λ) is bounded by the sum of the d-DSJP advantages of the machines B_l. This completes the proof of Theorem 4.

Lemma 10
For any quantum adversary A, there exists a quantum machine B_l, whose running time is essentially the same as that of A, such that for any security parameter λ, |Adv^{(l−1)}_A(λ) − Adv^{(l)}_A(λ)| is at most the advantage of B_l against the d-DSJP problem.
Proof B_l (written B below) is given a d-DSJP instance consisting of d SIDH transcripts, with Alice's public keys (E^{(μ)}_A)_{μ∈[d]} and Bob's public keys (E^{(μ)}_B)_{μ∈[d]}, together with a challenge J_β.
B (implicitly) sets user l − 1 as Alice and user l as Bob, with their public keys (E^{(μ)}_A)_{μ∈[d]} and (E^{(μ)}_B)_{μ∈[d]}, respectively.
B generates random J_{i−1,i} ←_R F_{p^2} for i < l, and sets the j-invariant product shared by users l − 1 and l as J_{l−1,l} := J_β. B generates secret keys k^{(μ)}_i ←_R Z/ℓ_τ^{e_τ}Z for all i ∈ [n] \ {l − 1, l}, where τ := ι(i) (= i mod 2) selects the SIDH role, and then computes their public keys (E^{(μ)}_i)_{μ∈[d]}. Since B has all secret keys except those of users l − 1 and l, it can compute all correct j-invariant products J_{i−1,i} for i > l.
Using the J_{i−1,i} for i ∈ [n] defined above, B computes u_i := J_{i,i+1} · J_{i−1,i}^{−1} and K := ∏_{i∈[n]} J_{i−1,i}, and then sends A the public keys, (u_i)_{i∈[n]}, and the challenge value K.
If A outputs β', then B also outputs β'. We easily see that the distribution generated by B is that of Game l − 1 when β = 0 and that of Game l when β = 1.
This completes the proof of Lemma 10.

Lemma 11
For any (quantum) adversary A and for any security parameter λ, Adv^{(n)}_A(λ) = Adv^{(n+1)}_A(λ).
Proof The proof of Lemma 11 is the same as that of Lemma 6 (BDEnc Information-Theoretic Security Lemma); it is where the condition gcd(n, p^2 − 1) = 1 of Theorem 4 is used.

Lemma 12
For any quantum adversary A, there exists a quantum machine B := B_{n+l}, whose running time is essentially the same as that of A, such that for any security parameter λ, |Adv^{(n+l)}_A(λ) − Adv^{(n+l+1)}_A(λ)| is at most the advantage of B_{n+l} against the d-DSJP problem. Lemma 12 is proven in a similar manner to Lemma 10.

Two-Round PBD GKE from d-DSMP Assumption
The (n, d)-CSI-PBD protocol is obtained in the same way as the (n, d)-SI-PBD one, with the d-fold products M_{i−1,i} and M_{i,i+1} of the Montgomery coefficients obtained from CSIDH executions with users i − 1 and i + 1 in place of the j-invariant products. The user then computes u_i := M_{i,i+1} · M_{i−1,i}^{−1} and sets pk^2_i := u_i. Finally, user i broadcasts pk^2_i to the other users.
KeyComp. User i collects (pk^2_{i'})_{i'∈[n]} and sk^1_i and computes K_i := M_{i−1,i}^n · u_i^{n−1} · u_{i+1}^{n−2} ··· u_{i−3}^2 · u_{i−2}.
We can easily verify that K_i = M_{1,2} · M_{2,3} ··· M_{n−1,n} · M_{n,1} holds for any i. We have the following lemma and theorem as in the case of the SI-PBD key exchange. The (n, d)-CSI-PBD assumption is defined in Definition 7 in Appendix 4.

Lemma 13
The (n, d)-CSI-PBD key exchange among n-parties is secure under the (n, d)-CSI-PBD assumption.
Theorem 5 The (n, d)-CSI-PBD key exchange among n parties is post-quantumly secure under the d-DSMP assumption when d ≥ 2 and gcd(n, p − 1) = 1. (Note that p − 1 is the order of the cyclic group G := F_p^*.) More precisely, for any quantum adversary A, there exist quantum machines B_i, whose running times are essentially the same as that of A, such that for any security parameter λ, the advantage of A is bounded by the sum of the advantages of the B_i against the d-DSMP problem.

Appendix 3.1 SIDH Key Exchange
Hence, K_A = K_B holds; therefore, SIDH is correct. The SI-DDH assumption is defined in Definition 2.

Appendix 3.2 CSIDH Key Exchange
Define [a] = l_1^{e_1} ··· l_s^{e_s} ∈ cl(O), where l_i = (ℓ_i, π_p − 1), l_i^{−1} = (ℓ_i, π_p + 1), and η is the smallest integer satisfying 2η + 1 ≥ (#cl(O))^{1/s}. One calculates the action of [a] on E and the Montgomery coefficient m ∈ F_p of [a]E : y^2 = x^3 + m x^2 + x. Let the integer vector (e_1, ..., e_s) (or [a]) be the secret key, and m ∈ F_p the public key.
KeyComp. Alice (resp. Bob) has her (resp. his) secret key and computes its action on the other party's public curve, obtaining K_A (resp. K_B). By the commutativity of cl(O) and the uniqueness of the Montgomery coefficient, it holds that K_A = K_B; therefore, CSIDH is correct. The CSI-DDH assumption is defined in Definition 3.
Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made. The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.