Paper 2025/040
Bundled Authenticated Key Exchange: A Concrete Treatment of (Post-Quantum) Signal's Handshake Protocol
Abstract
The Signal protocol relies on a special handshake protocol, formerly X3DH and now PQXDH, to set up secure conversations. Prior analyses of these protocols (or proposals for post-quantum alternatives) have all used models highly tailored to the individual protocols and generally made ad-hoc adaptations to "standard" AKE definitions, making the concrete security attained unclear and hard to compare between similar protocols. Indeed, we observe that some natural Signal handshake protocols cannot be handled by these tailored models. In this work, we introduce Bundled Authenticated Key Exchange (BAKE), a concrete treatment of the Signal handshake protocol. We formally model prekey bundles and states, enabling us to define various levels of security in a unified model. We analyze Signal's classically secure X3DH and harvest-now-decrypt-later-secure PQXDH, and show that they do not achieve what we call optimal security (as is documented). Next, we introduce RingXKEM, a fully post-quantum Signal handshake protocol achieving optimal security; as RingXKEM shares states among many prekey bundles, it could not have been captured by prior models. Lastly, we provide a security and efficiency comparison of X3DH, PQXDH, and RingXKEM.
Note: Extended version with full appendices
Metadata
- Category
- Cryptographic protocols
- Publication info
- Published elsewhere. Major revision. USENIX Security 2025
- Keywords
- signal, post-quantum, key indistinguishability, key exchange
- Contact author(s)
- keitaro hashimoto @ aist go jp
- shuichi katsumata @ pqshield com
- thom @ thomwiggers nl
- History
- 2025-01-13: approved
- 2025-01-10: received
- Short URL
- https://ia.cr/2025/040
- License
- CC BY
BibTeX
@misc{cryptoeprint:2025/040,
  author = {Keitaro Hashimoto and Shuichi Katsumata and Thom Wiggers},
  title = {Bundled Authenticated Key Exchange: A Concrete Treatment of (Post-Quantum) Signal's Handshake Protocol},
  howpublished = {Cryptology {ePrint} Archive, Paper 2025/040},
  year = {2025},
  url = {https://eprint.iacr.org/2025/040}
}