Password authenticated key exchange-based on Kyber for mobile devices

Introduction

The security of conventional public-key cryptosystems (PKC) changed with the post-quantum concept that emerged with ongoing processes for developing quantum computers and the proposal of the Shor algorithm. The traditional PKCs such as key exchange (KE)/KEM and digital signature schemes will be insecure in the presence of large-scale quantum computers with Shor algorithm (Peikert, 2016). NIST started a process to set the post-quantum secure standard for PKC in 2016 (NIST, 2022a). In 2022, lattice-based Kyber was determined as the standard in the KEM category. For digital signature usage, lattice-based Crystals-Dilithium, Falcon, and hash-based SPHINCS+ were selected as the standard (NIST, 2022b). Although the standards were determined to be ready PQC era, it is still necessary to design and determine cryptosystems that can be used for particular goals and application areas.

One of the PKC primitives used for specific purposes is the PAKE scheme that provide a high-entropy shared key generated using low-entropy password-based authentication. Due to the easy-to-use structure, PAKE schemes do not require special hardware to store high entropy keys (Bellare, Pointcheval & Rogaway, 2000). The hardness assumptions of these schemes are also based on discrete logarithm and factorization problems like other PKCs. The first PAKE, encrypted key exchange, was proposed by Bellovin and Merritt in 1992 (Bellovin & Merritt, 1992) and many PAKE proposals, including new theoretical models, were presented in the following years (Bellovin & Merritt, 1993; Jablon, 1996; Wu, 1998; Hao & Ryan, 2011; Shin & Kobara, 2012). In addition, Internet Engineering Task Force (IETF), The Institute of Electrical and Electronics Engineers (IEEE), and the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) conducted studies on the standardization of PAKE protocols (Hao & van Oorschot, 2022). The most recent standardization initiative for PAKE schemes was the process initiated by the IETF in 2019. In this call, completed in March 2020, OPAQUE and CPace schemes were declared as the PAKE standard for today’s usage (Hao, 2021). Although the industry has started to prototype PAKE protocols in real applications with these processes, the adaptation of post-quantum secure algorithms is necessary for future security.

With the development of wireless communication technologies, the increasing use of mobile devices has brought the security of these devices into focus. There is a need for post-quantum secure PKCs such as KEM, authenticated key exchange, and PAKE that consider resource limitations for mobile devices (Dabra, Bala & Kumari, 2020). Lattice-based cryptosystems stand out with their strong proof of security, worst-case hardness, efficiency, and post-quantum security features. Up-to-date literature shows that there have not been many lattice-based PAKEs for mobile device security. In Dabra, Bala & Kumari (2020), an anonymous ring learning with errors (RLWE)-based two-party PAKE was designed for the post-quantum security of the mobile environment. The security analysis of this scheme, which includes a four-phase approach, was done by considering real-or-random (RoR) assumptions. An improved version of Dabra, Bala & Kumari (2020) with a practical randomized KE approach is proposed in Ding, Cheng & Qin (2022) to capture signal leakage attack resistance. In Islam & Basu (2021), a four-phase RLWE-based PAKE was constructed for two mobile devices-one server communication model. The security-related examinations were done by following ROM definitions. In Seyhan & Akleylek (2024), we also built a four-phase PAKE to achieve reusable key and anonymity features for mobile device-server communication model. In the security analysis, we followed RoR assumptions to prove the semantic security. According to the up-to-date studies, many other PAKEs with lattice primitives such as Ding et al. (2017), Gao et al. (2017), Liu et al. (2019), Seyhan & Akleylek (2023) and Ren, Gu & Wang (2023) were designed using traditional PAK model to capture explicit authentication and PFS. The provided proposals can be suitable for post-quantum key agreement requirements, but none of them has been focused on the PAKE version of the NIST standard. We know that the security of Kyber has been deeply studied and it was designed with efficient structures. Therefore, proposing a PAKE version of this algorithm and providing reference implementations will come to the fore in post-quantum secure PAKE literature.

Preliminaries

The notation is provided in Table 1.

Basic definitions

In the proposed PAKE, the shared key is obtained by using Kyber PKE and KEM functions/components and the password-based authentication is added by following PAK design idea.

Kyber PKE and KEM functions are recalled in Table 2. To obtain detailed information, we refer to Avanzi et al. (2019).

Table 2:

Kyber KEM and PKE structures.

(Avanzi et al., 2019).

DOI: 10.7717/peerjcs.1960/table-2

In Table 2, KYBER.CCAKEM uses KYBER.CPAPKE functions to obtain key agreements based on the MLWE problem. Since the main security of Kyber and the proposed PAKE version are based on the hardnesses of MLWE, the key generation is done by following the MLWE assumption.

Definition 1

Definition 1 (MLWE (Bos et al., 2018)) Let k ∈ ℤ⁺, $a_i{\leftarrow }^r{\mathit{R}}_q^k$, $s{\leftarrow }^r{b}_{\eta }^k$, and e_i←^rb_η. MLWE distribution is obtained as follow. $D_{k,\eta }^{\text{MLWE}}:\left(a_i,b_i=a_i^{T}s+e_i\right)\in {\mathit{R}}_q^k\times {\mathit{R}}_q$

The hardness of MLWE is defined by decisional-MLWE (d-MLWE). Let m independent (a_i, b_i) instances are given ($A\in {\mathit{R}}_q^{m\times k},b\in {\mathit{R}}_q^m$). d-MLWE is a problem that decides whether these samples belong to MLWE ($D_{m,k,\eta }^{\text{MLWE}}:\left(A,b=As+e\right)$, where $s{\leftarrow }^r{b}_{\eta }^k$ and $e_i{\leftarrow }^r{b}_{\eta }^m$) or uniform distribution ($U\left({\mathit{R}}_q^{m\times k}\right)\times U\left({\mathit{R}}_q^m\right)$).

Let A be an adversary. The advantage (Adv) of A to solve d-MLWE problem is determined by ${\displaystyle {\text{Adv}}_{m,k,\eta }^{\text{MLWE}}\left(\mathbf{A}\right)=\left|\right.\text{Pr}\left[b^{\prime }=1:b^{\prime }\leftarrow \mathbf{A}\left(\left(A,b\right)\in D_{m,k,\eta }^{\text{MLWE}}\right)\right]-\text{Pr}\left[b^{\prime }=1:b^{\prime }\leftarrow \mathbf{A}\left(\left(A,b\right)\in U\left({\mathit{R}}_q^{m\times k}\right)\times U\left({\mathit{R}}_q^m\right)\right)\right]\left|\right.}$

In Table 2, the computations of pk and ct are done by discarding low-order bits that don’t affect the accuracy of decryption to achieve reconciliation and reduced parameters. The reconciliation functions of Kyber are recalled in Definition 2 (Bos et al., 2018).

Definition 2

Definition 2 (Compress and Decompress Functions (Bos et al., 2018)) Let a ∈ ℤ_q and d < ⌈log₂(q)⌉.

• b =Compress _q(a, d): For a ∈ ℤ_q, the output of Compress is defined by $b=\lceil \frac{2^d}{q}\cdot a\rfloor {\mathrm{}mod}^{+}{2}^d$.

• b′ =Decompress _q(b, d): For b ∈ {0, …, 2^d − 1}, the output of Decompress is determined by $b^{\prime }=\lceil \frac{q}{2^d}\cdot b\rfloor$, where b′ is an element which is relatively close to b.

The distribution |b′ − bmod^±q| ≤B _q = ⌈q/(2^d+1)⌋ is nearly uniform over the integers of maximum magnitude B_q. Note that Definition 2 is defined over ℤ_q. In Kyber, since $a\in {\mathit{R}}_q^k$, for each coefficient of a is evaluated under these functions.

Remark 1

In Kyber (Bos et al., 2018), the reconciliation is provided by using the Compress and Decompress functions. So, ${\psi }_d^k$ is defined to satisfy the correctness. The output of distribution ${\psi }_d^k$ is generated in the following way.

1. A y←^rR^k is chosen.

2. return (y −Decompress _q((Compress_q(y, d)), d)) mod^±q.

Although the main operations of Kyber are performed in the NTT domain, all polynomials are sent in the normal domain. For the transformation of polynomials to be used in the protocol flow, encode and decode operations are done (Bos et al., 2018; Avanzi et al., 2019).

Definition 3

Definition 3 (Decode_ℓ): Let B^32ℓ be a byte array. Then the output of Decode_ℓ is defined by f = f₀ + f₁X + f₂X² + ⋯ + f₂₅₅X²⁵⁵, where f_i ∈ {0, …, 2^ℓ − 1}. In other words, it deserializes a 32ℓ bytes array into a polynomial with B^32ℓ → R_q.

Note that Encode_ℓ is determined as the reverse of Decode_ℓ.

The correctness of Kyber.PAKE is analyzed by using the correctness assumptions of KYBER.CCAKEM and KYBER.CPAPKE. The main theorems of these schemes are recalled in Theorems 1 and 2, respectively.

Theorem 1

Let k ∈ ℤ⁺, $\left\{s,e,r,e_1\right\}\leftarrow b_{\eta }^k$, e₂←b_η, $c_t\leftarrow {\psi }_{d_t}^k$, $c_u\leftarrow {\psi }_{d_u}^k$, c_v←ψ_dv, and $\delta =Pr\left[\left|\right|e^{T}r+c_t^{T}r-s^T{e}_1-s^T{c}_u+e_2+c_v|{|}_{\infty }\ge \lceil q/4\rfloor \right]$. Then, KYBER.CPAPKE scheme runs with (1 − δ)correctness probability (Bos et al., 2018).

Theorem 2

Let G be a random oracle (RO) and KYBER.CPAPKE is correct with (1 − δ) probability. KYBER.CCAKEM also runs with (1 − δ)correctness probability (Bos et al., 2018).

The security evaluations of Kyber.PAKE is presented based on the ROM assumptions of Kyber.

Definition 4

Definition 4 (ROM Security of Kyber KEM (Avanzi et al., 2019)) Let XOF, H, and G be the ROs, n_ro be the maximum number of A’s queries to ROs, and B–C be the adversaries who have roughly the same run-time as A. The adventage(Adv) of A over Kyber KEM in the ROM is defined by Eq. (1)

(1)${\displaystyle {\mathrm{Adv}}_{\mathrm{KyberKEM}}^{\mathrm{CCA}}\left(\mathbf{A}\right)=2{\mathrm{Adv}}_{k+1,k,\eta }^{\mathrm{MLWE}}\left(B\right)+{\mathrm{Adv}}_{\mathrm{PRF}}^{\mathrm{prf}}\left(C\right)+4n_{ro}\delta }$

Proposed Kyber.PAKE Scheme

The password-authenticated version of Kyber KEM (Avanzi et al., 2019) is obtained with the combination of KYBER.CCAKEM.KeyGen, KYBER.CCAKEM.Enc, and KYBER.CCAKEM.Dec structures, given in Table 2, and MLWE-based one-phase PAK idea. The proposed Kyber.PAKE runs between client (C) and server (S) and contains four main sub-processes (C₀, S₀, C₁, S₁). The constructed scheme is detailed in Fig. 1.

Let’s clarify the design step of the proposed Kyber.PAKE for each sub-processes.

• Phase C₀: The key pairs (pk, sk) are computed according to Kyber’s MLWE-based key generation procedures with the help of KYBER.CCAKEM.KeyGen() and KYBER.CPAPKE.KeyGen() functions, defined in Table 2. After the computation of raw pk, the client generates and sends the encapsulated pk (m = pk + γ_C).

• Phase S₀: On the server side, there is no public key computation like client side and the server retrieves raw pk (pk = m + γ_S) using the password-related term. The key component of the server (K) is determined with the usage of the encapsulation procedure of Kyber. The server computes (ct, K) =Kyber.CCAKEM.Enc(pk) and sends K to provide authentication check in the client side.

• Phase C₁: The client retrieves sent values by using decode function and solves the K^′′ with help of Kyber’s decapsulation K^′′ =Kyber.CCAKEM.Dec(ct, sk), where K is equal to K^′′. By making authentication checks, the final password-authenticated shared key $ss{k}_1=H_3\left(\stackrel{{{\rm Y}}_{C0}}{\overbrace{\left(\text{cid}\left|\right|\text{sid}\left|\right|m\left|\right|\left(-{\gamma }_C\right)\right)}}\left|\right|pk\left|\right|K^{\prime \prime }\right)$ is generated.

• Phase S₁: The server makes comparision to ensure the authentication and generates ssk₂ = H₃(cid||sid||m||γ_S||pk||K)^Υ_S0.

In the proposed PAKE, Compress, and Decompress functions, defined in Definition 2, are used to solve the reconciliation problem as a part of Kyber.CCAKEM.Enc and Kyber.CCAKEM.Dec procedures and K = K^′′ equality is obtained.

Let’s deeply analyze the relationship between these two terms to show which conditions the proposed scheme will run correctly.

• In Fig. 1, if K = K^′′ is satisfied for (ct, K) =Kyber.CCAKEM.Enc(pk) and K^′′ =Kyber.CCAKEM.Dec(ct, sk), the correctness of Kyber.PAKE is also captured.

• In the Kyber.PAKE, pk is retrieved by using the password component. In the S₀ phase, if pk = m + γ_S is correctly solved with the help of m, there is no changes on the correctness of Kyber.

• Let’s prove the correctness of Kyber.PAKE based on Theorems 1 and 2.

Security Analysis

In the security analysis, MLWE-based PAK components are used to show that A’s probability of obtaining information about the session key with an online dictionary attack is negligible. In the adapted security model, A can make the following client-action (CA) and server-action (SA) queries.

• CA₀: A does CA₀ action to instruct the unused ${\prod }_C^i$ instance to transfer the related components to S.

• SA₁: A does SA₁ action to transfer the messages to unused ${\prod }_S^j$ instance.

• CA₁: A does CA₁ action to transfer the related message to ${\prod }_C^i$ instance that waits the related components of the scheme.

• SA₂: A does SA₂ action to transfer the messages to unused ${\prod }_S^j$ instance that waits the final components of the scheme.

According to the MLWE-based PAKE security analysis, A can take on the role a ${\prod }_C^i$, a ${\prod }_S^j$, and partner ${\prod }_C^i-{\prod }_S^j$ instances by using the some actions and special events. In the examinations, we modified the password guess events regarding MLWE and Kyber structures and presented them in Table 3 as the constructed Kyber.PAKE relies on the hardness assumption of MLWE and uses the Kyber components.

Table 3:

Special cases of security analysis.

DOI: 10.7717/peerjcs.1960/table-3

The Kyber.PAKE’s proof of security is conducted by showing that A is unable to obtain the new ssk with a non-negligible advantage than the online dictionary attack. The advantage of A is given in Theorem 3.

S0: It is the original Kyber.PAKE scheme.

S1: Let m or pk be chosen randomly by honest participants. If these values already appeared in the previous schemes, S1 halts and A fails.

Let ${ϵ}_1=\frac{O\left(\left(n_e+n_s\right)\left(n_e+n_s+n_o\right)\right)}{q^{nk}}$.

• Let E1 be an event defined for m = m₁ = m₂ = m₃ = m₄ in the following cases.

  • By making CA₀ or execute, m₁ is obtained.

  • m₂ is generated by a previous CA₀ or execute.

  • m₃ is used as an input of previous SA₁.

  • m₄ is utilized in a previous query H_l∈{2,3}(⋅).

• Let E2 be an event determined for pk = pk₁ = pk₂ = pk₃ = pk₄ in the following cases.

  • By making SA₁ or execute, pk₁ is generated.

  • pk₂ is obtained by a previous SA₁ or execute.

  • pk₃ is utilized as an input of previous CA₁.

  • pk₄ is used in a previous query H_l∈{2,3}(⋅).

Considering the events E1 and E2, it is necessary to examine whether m and pk are previously or newly generated. In these events, the actions CA ₀ and SA ₁ are related to send and H_l∈{2,3}(⋅) queries are associated with RO queries. The previously generated m or pk can be obtained by making send, execute, and RO queries. So, the probability of m or pk occurring in the previous session is $\frac{\left(n_e+n_s+n_o\right)}{\left|{\mathit{R}}_q^k\right|}$. Since new m or pk can be generated with send and execute, the maximum number of queries is (n_e + n_s). Therefore, the probability that E happens is ${ϵ}_1=\frac{O\left(\left(n_e+n_s\right)\left(n_e+n_s+n_o\right)\right)}{q^{nk}}$.

S2: Unlike S1, send and execute are replied without answering any RO queries. Afterward, if the RO query is made, the answers are generated as consistently as possible with send and execute. The possible queries and answers in S2 are given in Algorithm 1 .

Let ${ϵ}_2=\frac{O\left(n_s\right)}{2^{\kappa }}+\frac{O\left(n_o\right)}{\left|{\mathit{R}}_q^k\right|}$.

• Since A does not make any H₁(pw_C), where −γ_S = H₁(pw_C), the maximum number of H_l(⋅) queries A can make is $\frac{O\left(n_o\right)}{\left|{\mathit{R}}_q^k\right|}$.

• A makes send(C, i, K′) or send(S, j, K^′′′) queries using the actions CA₀, CA₁, SA₁, and SA₂ in Algorithm 1 . Neither of these queries is the output of an H₂(⋅) query that would be a correct password guess. Therefore, the maximum probability that A can abort the samples is $\frac{O\left(n_s\right)}{2^{\kappa }}$.

So, Claim 3 is satisfied.

S3: Unlike S2, the consistency is not controlled against the query execute when an H_l∈{2,3} is queried. In other words, the event Textexecpw(C, i, S, j, pw_C) is not checked. So, the scheme responds with a random output rather than maintaining consistency with the query execute. Let ${ϵ}_3={\text{Adv}}_{\text{Kyber KEM}}^{\text{CCA}}\left(\mathbf{A}\right)+{\text{Adv}}_{{\mathit{R}}_q^k}^{\text{d-MLWE}}\left(T^{\prime },n_o\right)$, where T′ = O(T + (n_o + n_s + n_e)T_exp).

• In the query execute, m = α + (As₁ + e₁) and pk = φ + m + γ_S is set, where $s_1{\leftarrow }^r{\beta }_q^k$ and e₁←^rβ_q. Then, ct←^rD_ct is chosen.

• Then, A makes query H_l∈{2,3}(⋅), where m and pk were obtained by query execute. With query H₁(pw_C), −γ_S = As_h + e_h is determined, where $s_h{\leftarrow }^r{\beta }_q^k$ and e_h←^rβ_q. Under these changes, the simulator computes (ct′, K′) = Kyber.CCAKEM.Enc(pk). Then, the obtained (ct′, K′) is added on the possible values’s list.

Since the advantage of A in Kyber KEM, given in Definition 4, is ${\text{Adv}}_{\text{Kyber KEM}}^{\text{CCA}}\left(\mathbf{A}\right)$ and the probability of d-MLWE being resolved is ${\text{Adv}}_{{\mathit{R}}_q^k}^{\text{d-MLWE}}\left(T^{\prime },n_o\right)$, Claim 3 is satisfied.

S4: Unlike S3, S4 halts when a correct password guess is made against a ${\prod }_S^j$ or ${\prod }_C^i$ instance before any query corrupt. In other words, the event Correctpw happens. Then, A automatically succeeds.

• In an action CA₁ to ${\prod }_C^i$, if corrupt is not queried after Testpw!(C, i, S, pw_C), S4 halts and A succeeds.

• In a query H_l∈{2,3}(⋅), if corrupt is not queried after Testpw*(S, j, C, pw_C), S4 halts and A succeeds.

Claim 5 is satisfied as these changes will only increase the win probability of A.

S5: Unlike S4, S5 halts when A guesses a password against the partner instances ${\prod }_S^j$ and ${\prod }_C^i$. In other words, the event Pairedpwguess happens. Then, A fails.

Since the ROM security of Kyber KEM, given in Definition 4, is ${\text{Adv}}_{\text{Kyber KEM}}^{\text{CCA}}\left(\mathbf{A}\right)$ and the probability of d-MLWE being solved with send queries is $4n_s{\text{Adv}}_{{\mathit{R}}_q^d}^{\text{d-MLWE}}\left(\mathbf{A}\right)$, Claim 5 is satisfied.

 
_______________________ 
Algorithm 1 S2 Queries and Answers____________________________________________________ 
     ⋅  In an execute(C,i,S,j) query, m = As + e, where s ←r bkη and ei ←r bη, 
       pk ←r  Dpk, ct ←r  Dct, {K,K′′′} ←r  {0,1}k, and {sskj 
2  = sski 
1} ←r 
        {0,1}k. 
     ⋅  In a CA0 action to ∏i 
    C, m = As + e, where s ←r bk 
η and ei ←r b 
η. 
     ⋅  In a SA1  action to ∏j 
    S,  pk ←r  D 
pk,  ct ←r  D 
ct,  K  ←r  {0,1}k,  and 
       {K′,sskj 
2}←r {0,1}k. 
     ⋅  In a CA1 action to ∏i 
    C: 
          – As a result of this query, if a Testpw!(C,i,S,pwC) happens, then K′′′ 
        and sski1 are set to the associated value of Testpw(C,i,S,pwC,2) and 
              Testpw(C,i,S,pwC,3). 
          – If ∏i 
    C has a partner ∏j 
    S, sskj 
2 = sski 
1. Then, K′′′ ←r {0,1}k. 
          – If not, ∏i 
    C aborts. 
     ⋅  As a result of an SA2 action, if one of the following conditions is satisfied, 
       it terminates. If not, ∏j 
    S aborts. 
          – If an Testpw!(S,j,C,pwC) happens, or ∏j 
    S has a partner ∏i 
    C. 
     ⋅  As a result of an Hl∈{2,3}(C,S,m,γS,pk,K), if one of the following condi- 
       tions is met, the output is determined by considering the associated value 
       of the event. If not, the output is randomly chosen from {0,1}k. 
          – If a Testpw(S,j,C,pwC,l) or a Testexecpw(C,i,S,j,pwC) happens._    

 
_______________________________________________________________________________________________________ 
Algorithm 2 S5 Changes_____________________________________________________________________ 
     ⋅  For the d-th send(C,i′,S) query to ∏i′  
  C, m = α is set. 
     ⋅  In a send(S,j,< C,m,seed >), pk = φ + m + γS is computed. 
     ⋅  In a send(C,i′,< pk,ct,K >), if there is no partner for ∏i′ 
  C, the output is 
       0 and S5 halts. 
     ⋅  Let  ∏j 
     S  and  ∏i′ 
   C  be  partner  after  its  send(S,j,<  C,m,seed  >)  in  a 
       send(S,j,K′) query to ∏j 
    S.  If the instances have no partnership after 
       this query and Correctpw is not tested, ∏j 
    S aborts. 
     ⋅  Then, A makes Hl∈{2,3}(⋅) query, where m and pk were obtained with ∏i′ 
  C. 
       The output of H1(pwC) query is defined by −γS = Ash +eh, where sh ←r 
        bkη and eh ←r bη. Under these changes, the simulator computes (ct′,K′) = 
       Kyber.CCAKEM.Enc(pk).  Then, the obtained (ct′,K′) is added to the 
       possible values list._______________________________________________________________________ 

S6: Unlike S5, in S6, there is an internal password oracle that can know all passwords for a given client/server pair and test the correctness of the provided password.

• All passwords are generated during initialization and special passwords can be tested in the following way. If pw = pw_C, the output of testpw(C, pw) is True. Otherwise, the output is False.

• All corrupt(U) is accepted and answered.

In S6, Testpw(C, i, S, pw) for ${\prod }_C^i$, Testpw(S, j, C, pw) for ${\prod }_S^j$, and Testpw(C, pw) for password oracle queries are checked whether Correctpw occurs. So, S5 and S6 can be completely indistinguishable. Claim 6 is satisfied.

In S6, A has two ways to gain a non-negligible advantage against Kyber.PAKE.

• Online dictionary attack: CDF-Zipf model, given in Definition 8, limits the probability of Correctpw event in the proposed Kyber.PAKE since Correctpw event is A’s successful obtaining of the password through online dictionary attacks. In other words, $Pr\left[\text{Correctpw}\right]=C^{\prime }\cdot n_{\text{op}}^f+\text{negl}\left(\kappa \right)$.

• A test query: Let ${\prod }_U^i$ be a fresh instance. Then, A makes a query test(U, i) to ${\prod }_U^i$. Since the view of A is completely independent of $ss{k}_U^i$, $\text{Pr}\left[{\text{Suc}}_{\text{Kyber.PAKE}}^{S6}\left(\mathbf{A}\right)|\neg \text{Correctpw}\right]=1/2$.

By considering these two options, Eq. (6) is obtained. (6)${\displaystyle \text{Pr}\left[{\text{Suc}}_{\text{Kyber.PAKE}}^{S6}\left(\mathbf{A}\right)\right]\le \stackrel{C^{\prime }\cdot n_{\text{op}}^f}{\overbrace{\text{Pr}\left[\text{Correctpw}\right]}}+\stackrel{1/2}{\overbrace{\text{Pr}\left[{\text{Suc}}_{\text{Kyber.PAKE}}^{S6}\left(\mathbf{A}\right)|\neg \text{Correctpw}\right]}}\stackrel{1-C^{\prime }\cdot n_{\text{op}}^f}{\overbrace{Pr\left[\neg \text{Correctpw}\right]}}\le 1/2\left(1+C^{\prime }\cdot n_{\text{op}}^f\right)}$

According to Eq. (2), ${\text{Adv}}_{\text{PAKE}}^{S6}\left(\mathbf{A}\right)=2\text{Pr}\left[{\text{Suc}}_{\text{Kyber.PAKE}}^{S6}\left(\mathbf{A}\right)\right]-1\le C^{\prime }\cdot n_{\text{op}}^f$. If Eq. (2) is rewritten by considering Claims (2)–(7), Eq. (7) is obtained. (7)${\displaystyle {\text{Adv}}_{\text{Kyber.PAKE}}^{\mathbf{S}}\left(\mathbf{A}\right)\le 2|Pr\left[{\text{Suc}}_{\text{Kyber.PAKE}}^{S0}\right]-\frac{1}{2}|=2|Pr\left[{\text{Adv}}_{\text{Kyber.PAKE}}^{S0}\right]-Pr\left[{\text{Adv}}_{\text{Kyber.PAKE}}^{S6}\right]|=2\left(\right.\stackrel{\le \frac{\left(n_e+n_s\right)\left(n_e+n_s+n_o\right)}{q^{nk}}}{\overbrace{|Pr\left[{\text{Adv}}_{\text{Kyber.PAKE}}^{S0}\right]-Pr\left[{\text{Adv}}_{\text{Kyber.PAKE}}^{S1}\right]|}}+\stackrel{\le \frac{n_o}{q^{nk}}+\frac{n_s}{2^{\kappa }}}{\overbrace{|Pr\left[{\text{Adv}}_{\text{Kyber.PAKE}}^{S1}\right]-Pr\left[{\text{Adv}}_{\text{Kyber.PAKE}}^{S2}\right]|}}+\stackrel{{\text{Adv}}_{\text{Kyber KEM}}^{\text{CCA}}\left(\mathbf{A}\right)+{\text{Adv}}_{{\mathit{R}}_q^k}^{\text{d-MLWE}}\left(\mathbf{A}\right)}{\overbrace{|Pr\left[{\text{Adv}}_{\text{Kyber.PAKE}}^{S2}\right]-Pr\left[{\text{Adv}}_{\text{Kyber.PAKE}}^{S3=S4}\right]|}}+\stackrel{4n_s{\text{Adv}}_{{\mathit{R}}_q^k}^{\text{d-MLWE}}\left(\mathbf{A}\right)+{\text{Adv}}_{\text{Kyber KEM}}^{\text{CCA}}\left(\mathbf{A}\right)}{\overbrace{|Pr\left[{\text{Adv}}_{\text{Kyber.PAKE}}^{S4}\right]-Pr\left[{\text{Adv}}_{\text{Kyber.PAKE}}^{S5}\right]|}}+\stackrel{1/2\left(1+C^{\prime }\cdot n_{\text{op}}^f\right)}{\overbrace{|Pr\left[{\text{Adv}}_{\text{Kyber.PAKE}}^{S5}\right]-Pr\left[{\text{Adv}}_{\text{Kyber.PAKE}}^{S6}\right]|}}\left)\right.}$ Since ${\text{Adv}}_{\text{Kyber.PAKE}}^{\mathbf{S}}\left(\mathbf{A}\right)\le C^{\prime }\cdot n_{\text{op}}^f+O\left(\right.\frac{\left(n_e+n_s\right)\left(n_e+n_s+n_o\right)+n_o}{q^{nk}}+\frac{n_s}{2^{\kappa }}+{\text{Adv}}_{\text{Kyber KEM}}^{\text{CCA}}\left(\mathbf{A}\right)+n_s{\text{Adv}}_{{\mathit{R}}_q^k}^{\text{d-MLWE}}\left(\mathbf{A}\right)\left)\right.$, Theorem 3 is hold.

Reference Implementation and Comparison Results

In this section, the reference implementation of Kyber.PAKE is presented in terms of cost, CPU cycle, running time, and memory usage. In addition, detailed comparisons with literature proposals based on performance evaluations are also provided.

The implementation of Kyber.PAKE is written in C (Dursun, 2023a) based on Kyber KEM’s reference C codes and PAK design components. The performance results are obtained by using a computer with a 2.5 GHz dual-core Intel Core i5 processor and 8 GB RAM. The obtained performance evaluation is compared with MLWE.PAKE scheme (Ren, Gu & Wang, 2023) since it is the only MLWE-based PAKE in the literature. For these two schemes, the parameter sets are recalled in Table 4.

To obtain comparisons in terms of running time, MLWE.PAKE and our implementation are run 1,000 times. Based on the main processes or functions, the CPU cycles are determined for 128-bit security level and presented in Table 5. It can be seen from Table 5, the proposed Kyber.PAKE scheme needs fewer average and media CPU cycles due to the small size of the parameter set and its efficient/simple structure components.

Table 6 gives the average run time results, which is constructed by considering common components, scheme phases, hash functions, and reconciliation structures. Due to its parameter set, Kyber.PAKE provides better results in generating pk (A) with GenMatrix() and hash functions. Since KEM structures such as encapsulation and decapsulation, which have additional components for security, are used in Kyber.PAKE, it requires more runtime than MLWE.PAKE in terms of reconciliation. Considering the total times on the client and server sides, MLWE.PAKE is better on the client side. One of the reasons is that in MLWE.PAKE, key generation takes place on both the client and server sides, while it is only made on the client side of Kyber.PAKE. Different design approaches, reconciliation functions, and parameter sets also affect.

The computational cost evaluation of lattice-based two-party PAKEs that were constructed by following the one-phase idea is also provided with Table 7. Even if the selected schemes were designed under the same approach, the main securities were captured with different hard problems. So, message size-based evaluation is just presented in Table 7.

In Table 7, the provided results are obtained in the following way. It can be seen in Kyber.PAKE’s protocol flow, {seed, cid, m_bytes, K^′′′} are transferred to the server. On the server side, {pk, ct, K} components are sent to the client. According to the selection or computations of these values, it is known that {seed, cid, K, K^′′′} are fixed 32-byte and {m_bytes, pk_bytes} = k⋅384, where k is determined differently for each security levels.

Let’s show how the message sizes of Kyber.PAKE is computed for 128 −bit security level.

• Client to Server: seed + cid + m_bytes + K^′′′ = 32 + 32 + (2⋅384) + 32 = 864 bytes.

• Server to Client: pk_bytes + ct_bytes + K = (2⋅384) + 768 + 32 = 1,568 bytes.

Using the Kyber.PAKE C codes (Dursun, 2023a), Java codes (Dursun, 2023b) are also written to demonstrate the usability of the proposed scheme on mobile devices. In the implementation, a computer with a 2.5 GHz dual-core Intel Core i5 processor and 8 GB RAM is used as the server. Samsung Galaxy A51 (8 Cores) with 4x 2.3 GHz ARM Cortex-A73 main processor and 4x 1.7 GHz ARM Cortex-A53 co-processor with 2.3 GHz CPU frequency device is utilized as the client. Kyber.PAKE mobile results in terms of runtime, memory, and CPU usage are given in Table 8, which is obtained by running all the phases of the client and server 1,000 times.

The mobile device compatibility of Kyber.PAKE is also analyzed regarding energy, memory, and CPU usage. For 128-bit security, each sub-processes of Kyber.PAKE is examined with the Android Profiler tool of Android Studio and given in Fig. 2. As a case scenario, the energy consumption metric is also detailed in Fig. 3.

Figures 2 and 3 show that although the proposed PAKE does not contain any optimization or improvement techniques, it has relatively low resource usage. So, we can say that constructed Kyber.PAKE will be preferred to obtain the post-quantum secure mobile environment.

Conclusion and Future Directions

In this article, a two-party PAKE version of Kyber KEM is constructed to provide a proposal for post-quantum PAKE requirements by adapting the standard algorithms for different purposes and usage areas. Kyber.PAKE is obtained by adjusting the traditional PAK design idea to the MLWE problem and Kyber KEM functions. In the password-authenticated shared key generation, it is shown that explicit authentication and PFS properties are captured. The security of Kyber.PAKE is analyzed by considering dictionary attack resistance under the ROM assumptions. In these examinations, the CDF-Zipf model is also added to determine more realistic security proofs by considering the real-world distribution of the passwords. The reference implementation results show that the Kyber.PAKE scheme can be one of the best choices in post-quantum era security in terms of run-time, memory, and CPU usage. The mobile device usage of the proposed PAKE is also analyzed by providing reference Java implementation. As far as we know, the constructed Kyber.PAKE is the first PAKE adaptation of the NIST PQC KEM standard with mobile environment compatibility. As a future direction, the security examination of Kyber.PAKE will be extended by defining quantum random oracle model assumptions and the resource-limited device usage will be provided by making arithmetic optimizations and improvements.

Supplemental Information