{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,9,9]],"date-time":"2025-09-09T21:39:34Z","timestamp":1757453974962,"version":"3.41.2"},"publisher-location":"Cham","reference-count":78,"publisher":"Springer International Publishing","isbn-type":[{"type":"print","value":"9783030816513"},{"type":"electronic","value":"9783030816520"}],"license":[{"start":{"date-parts":[[2021,1,1]],"date-time":"2021-01-01T00:00:00Z","timestamp":1609459200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springer.com\/tdm"},{"start":{"date-parts":[[2021,1,1]],"date-time":"2021-01-01T00:00:00Z","timestamp":1609459200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2021]]},"DOI":"10.1007\/978-3-030-81652-0_16","type":"book-chapter","created":{"date-parts":[[2021,7,20]],"date-time":"2021-07-20T06:26:19Z","timestamp":1626762379000},"page":"404-430","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":20,"title":["Towards Post-Quantum Security for Signal\u2019s X3DH Handshake"],"prefix":"10.1007","author":[{"given":"Jacqueline","family":"Brendel","sequence":"first","affiliation":[]},{"given":"Marc","family":"Fischlin","sequence":"additional","affiliation":[]},{"given":"Felix","family":"G\u00fcnther","sequence":"additional","affiliation":[]},{"given":"Christian","family":"Janson","sequence":"additional","affiliation":[]},{"given":"Douglas","family":"Stebila","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2021,7,21]]},"reference":[{"key":"16_CR1","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"143","DOI":"10.1007\/3-540-45353-9_12","volume-title":"Topics in Cryptology \u2014 CT-RSA 2001","author":"M Abdalla","year":"2001","unstructured":"Abdalla, M., Bellare, M., Rogaway, P.: The oracle Diffie-Hellman assumptions and an analysis of DHIES. In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 143\u2013158. Springer, Heidelberg (2001). https:\/\/doi.org\/10.1007\/3-540-45353-9_12"},{"key":"16_CR2","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"129","DOI":"10.1007\/978-3-030-17653-2_5","volume-title":"Advances in Cryptology \u2013 EUROCRYPT 2019","author":"J Alwen","year":"2019","unstructured":"Alwen, J., Coretti, S., Dodis, Y.: The double ratchet: security notions, proofs, and modularization for the signal protocol. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019, Part I. LNCS, vol. 11476, pp. 129\u2013158. Springer, Cham (2019). https:\/\/doi.org\/10.1007\/978-3-030-17653-2_5"},{"key":"16_CR3","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"45","DOI":"10.1007\/978-3-319-72565-9_3","volume-title":"Selected Areas in Cryptography \u2013 SAC 2017","author":"R Azarderakhsh","year":"2018","unstructured":"Azarderakhsh, R., Jao, D., Leonardi, C.: Post-quantum static-static key agreement using multiple protocol instances. In: Adams, C., Camenisch, J. (eds.) SAC 2017. LNCS, vol. 10719, pp. 45\u201363. Springer, Cham (2018). https:\/\/doi.org\/10.1007\/978-3-319-72565-9_3"},{"key":"16_CR4","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"195","DOI":"10.1007\/978-3-030-51938-4_10","volume-title":"Progress in Cryptology - AFRICACRYPT 2020","author":"A Basso","year":"2020","unstructured":"Basso, A., Kutas, P., Merz, S.-P., Petit, C., Weitk\u00e4mper, C.: On adaptive attacks against Jao-Urbanik\u2019s isogeny-based protocol. In: Nitaj, A., Youssef, A. (eds.) AFRICACRYPT 2020. LNCS, vol. 12174, pp. 195\u2013213. Springer, Cham (2020). https:\/\/doi.org\/10.1007\/978-3-030-51938-4_10"},{"key":"16_CR5","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"272","DOI":"10.1007\/978-3-030-12612-4_14","volume-title":"Topics in Cryptology \u2013 CT-RSA 2019","author":"A Bauer","year":"2019","unstructured":"Bauer, A., Gilbert, H., Renault, G., Rossi, M.: Assessment of the key-reuse resilience of NewHope. In: Matsui, M. (ed.) CT-RSA 2019. LNCS, vol. 11405, pp. 272\u2013292. Springer, Cham (2019). https:\/\/doi.org\/10.1007\/978-3-030-12612-4_14"},{"key":"16_CR6","doi-asserted-by":"crossref","unstructured":"Bergsma, F., Dowling, B., Kohlar, F., Schwenk, J., Stebila, D.: Multi-ciphersuite security of the Secure Shell (SSH) protocol. In: Ahn, G.J., Yung, M., Li, N. (eds.) ACM CCS 2014, pp. 369\u2013381. ACM Press, November 2014","DOI":"10.1145\/2660267.2660286"},{"key":"16_CR7","doi-asserted-by":"crossref","unstructured":"Boneh, D., et al.: Multiparty non-interactive key exchange and more from isogenies on elliptic curves. J. Math. Cryptol. 14(1), 5\u201314 (2020). https:\/\/www.degruyter.com\/view\/journals\/jmc\/14\/1\/article-p5.xml","DOI":"10.1515\/jmc-2015-0047"},{"key":"16_CR8","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"493","DOI":"10.1007\/978-3-030-45724-2_17","volume-title":"Advances in Cryptology \u2013 EUROCRYPT 2020","author":"X Bonnetain","year":"2020","unstructured":"Bonnetain, X., Schrottenloher, A.: Quantum security analysis of CSIDH. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020, Part II. LNCS, vol. 12106, pp. 493\u2013522. Springer, Cham (2020). https:\/\/doi.org\/10.1007\/978-3-030-45724-2_17"},{"key":"16_CR9","doi-asserted-by":"crossref","unstructured":"Bos, J.W., et al.: Frodo: take off the ring! Practical, quantum-secure key exchange from LWE. In: Weippl, E.R., Katzenbeisser, S., Kruegel, C., Myers, A.C., Halevi, S. (eds.) ACM CCS 2016, pp. 1006\u20131018. ACM Press, October 2016","DOI":"10.1145\/2976749.2978425"},{"key":"16_CR10","doi-asserted-by":"crossref","unstructured":"Bos, J.W., Costello, C., Naehrig, M., Stebila, D.: Post-quantum key exchange for the TLS protocol from the ring learning with errors problem. In: 2015 IEEE Symposium on Security and Privacy, pp. 553\u2013570. IEEE Computer Society Press, May 2015","DOI":"10.1109\/SP.2015.40"},{"key":"16_CR11","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"651","DOI":"10.1007\/978-3-319-63697-9_22","volume-title":"Advances in Cryptology \u2013 CRYPTO 2017","author":"J Brendel","year":"2017","unstructured":"Brendel, J., Fischlin, M., G\u00fcnther, F., Janson, C.: PRF-ODH: relations, instantiations, and impossibility results. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017, Part III. LNCS, vol. 10403, pp. 651\u2013681. Springer, Cham (2017). https:\/\/doi.org\/10.1007\/978-3-319-63697-9_22"},{"key":"16_CR12","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"395","DOI":"10.1007\/978-3-030-03332-3_15","volume-title":"Advances in Cryptology \u2013 ASIACRYPT 2018","author":"W Castryck","year":"2018","unstructured":"Castryck, W., Lange, T., Martindale, C., Panny, L., Renes, J.: CSIDH: an efficient post-quantum commutative group action. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018, Part III. LNCS, vol. 11274, pp. 395\u2013427. Springer, Cham (2018). https:\/\/doi.org\/10.1007\/978-3-030-03332-3_15"},{"key":"16_CR13","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"92","DOI":"10.1007\/978-3-030-56880-1_4","volume-title":"Advances in Cryptology \u2013 CRYPTO 2020","author":"W Castryck","year":"2020","unstructured":"Castryck, W., Sot\u00e1kov\u00e1, J., Vercauteren, F.: Breaking the decisional Diffie-Hellman problem for class group actions using genus theory. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020, Part II. LNCS, vol. 12171, pp. 92\u2013120. Springer, Cham (2020). https:\/\/doi.org\/10.1007\/978-3-030-56880-1_4"},{"key":"16_CR14","doi-asserted-by":"crossref","unstructured":"Cohn-Gordon, K., Cremers, C.J.F., Dowling, B., Garratt, L., Stebila, D.: A formal security analysis of the signal messaging protocol. In: IEEE European Symposium on Security and Privacy, EuroS&P 2017, pp. 451\u2013466 (2017)","DOI":"10.1109\/EuroSP.2017.27"},{"key":"16_CR15","doi-asserted-by":"publisher","first-page":"1914","DOI":"10.1007\/s00145-020-09360-1","volume":"33","author":"K Cohn-Gordon","year":"2020","unstructured":"Cohn-Gordon, K., Cremers, C.J.F., Dowling, B., Garratt, L., Stebila, D.: A formal security analysis of key establishment in the Signal messaging protocol. J. Cryptol. 33, 1914\u20131983 (2020)","journal-title":"J. Cryptol."},{"issue":"1","key":"16_CR16","doi-asserted-by":"publisher","first-page":"167","DOI":"10.1137\/S0097539702403773","volume":"33","author":"R Cramer","year":"2004","unstructured":"Cramer, R., Shoup, V.: Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM J. Comput. 33(1), 167\u2013226 (2004)","journal-title":"SIAM J. Comput."},{"key":"16_CR17","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"734","DOI":"10.1007\/978-3-642-33167-1_42","volume-title":"Computer Security \u2013 ESORICS 2012","author":"C Cremers","year":"2012","unstructured":"Cremers, C., Feltz, M.: Beyond eCK: perfect forward secrecy under actor compromise and ephemeral-key reveal. In: Foresti, S., Yung, M., Martinelli, F. (eds.) ESORICS 2012. LNCS, vol. 7459, pp. 734\u2013751. Springer, Heidelberg (2012). https:\/\/doi.org\/10.1007\/978-3-642-33167-1_42"},{"key":"16_CR18","unstructured":"Crockett, E., Paquin, C., Stebila, D.: Prototyping post-quantum and hybrid key exchange and authentication in TLS and SSH. In: NIST 2nd Post-Quantum Cryptography Standardization Conference 2019, August 2019"},{"key":"16_CR19","unstructured":"David Jao, R.A., et al.: Supersingular isogeny key encapsulation, April 2019. https:\/\/sike.org\/"},{"key":"16_CR20","doi-asserted-by":"crossref","unstructured":"Dierks, T., Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.2. RFC 5246 (Proposed Standard), August 2008. https:\/\/www.rfc-editor.org\/rfc\/rfc5246.txt","DOI":"10.17487\/rfc5246"},{"issue":"6","key":"16_CR21","doi-asserted-by":"publisher","first-page":"644","DOI":"10.1109\/TIT.1976.1055638","volume":"22","author":"W Diffie","year":"1976","unstructured":"Diffie, W., Hellman, M.E.: New directions in cryptography. IEEE Trans. Inf. Theory 22(6), 644\u2013654 (1976)","journal-title":"IEEE Trans. Inf. Theory"},{"key":"16_CR22","doi-asserted-by":"crossref","unstructured":"Ding, J., Alsayigh, S., Saraswathy, R.V., Fluhrer, S., Lin, X.: Leakage of signal function with reused keys in RLWE key exchange. In: 2017 IEEE International Conference on Communications (ICC), pp. 1\u20136 (2017)","DOI":"10.1109\/ICC.2017.7996806"},{"key":"16_CR23","unstructured":"Ding, J., Branco, P., Schmitt, K.: Key exchange and authenticated key exchange with reusable keys based on RLWE assumption. Cryptology ePrint Archive, Report 2019\/665 (2019). https:\/\/eprint.iacr.org\/2019\/665"},{"key":"16_CR24","unstructured":"Ding, J., Cheng, C., Qin, Y.: A simple key reuse attack on LWE and ring LWE encryption schemes as key encapsulation mechanisms (KEMs). Cryptology ePrint Archive, Report 2019\/271 (2019). https:\/\/eprint.iacr.org\/2019\/271"},{"key":"16_CR25","unstructured":"Ding, J., Deaton, J., Schmidt, K., Vishakha, Zhang, Z.: A simple and practical key reuse attack on NTRU cryptosystem. Cryptology ePrint Archive, Report 2019\/1022 (2019). https:\/\/eprint.iacr.org\/2019\/1022"},{"key":"16_CR26","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"467","DOI":"10.1007\/978-3-319-93638-3_27","volume-title":"Information Security and Privacy","author":"J Ding","year":"2018","unstructured":"Ding, J., Fluhrer, S., Rv, S.: Complete attack on RLWE key exchange with reused keys, without signal leakage. In: Susilo, W., Yang, G. (eds.) ACISP 2018. LNCS, vol. 10946, pp. 467\u2013486. Springer, Cham (2018). https:\/\/doi.org\/10.1007\/978-3-319-93638-3_27"},{"key":"16_CR27","unstructured":"Ding, J., Xie, X., Lin, X.: A simple provably secure key exchange scheme based on the learning with errors problem. Cryptology ePrint Archive, Report 2012\/688 (2012). http:\/\/eprint.iacr.org\/2012\/688"},{"key":"16_CR28","unstructured":"Dobson, S., Galbraith, S.D., LeGrow, J., Ti, Y.B., Zobernig, L.: An adaptive attack on 2-SIDH. Cryptology ePrint Archive, Report 2019\/890 (2019). https:\/\/eprint.iacr.org\/2019\/890"},{"key":"16_CR29","unstructured":"Dobson, S., Li, T., Zobernig, L.: A note on a static SIDH protocol. Cryptology ePrint Archive, Report 2019\/1244 (2019). https:\/\/eprint.iacr.org\/2019\/1244"},{"key":"16_CR30","doi-asserted-by":"crossref","unstructured":"Dowling, B., Fischlin, M., G\u00fcnther, F., Stebila, D.: A cryptographic analysis of the TLS 1.3 handshake protocol candidates. In: Ray, I., Li, N., Kruegel, C. (eds.) ACM CCS 2015, pp. 1197\u20131210. ACM Press, October 2015","DOI":"10.1145\/2810103.2813653"},{"key":"16_CR31","doi-asserted-by":"crossref","unstructured":"Dowling, B., Fischlin, M., G\u00fcnther, F., Stebila, D.: A cryptographic analysis of the TLS 1.3 handshake protocol. J. Cryptol. (2020)","DOI":"10.1007\/s00145-021-09384-1"},{"key":"16_CR32","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"33","DOI":"10.1007\/978-3-030-20951-3_3","volume-title":"Cyber Security Cryptography and Machine Learning","author":"N Drucker","year":"2019","unstructured":"Drucker, N., Gueron, S.: Continuous key agreement with reduced bandwidth. In: Dolev, S., Hendler, D., Lodha, S., Yung, M. (eds.) CSCML 2019. LNCS, vol. 11527, pp. 33\u201346. Springer, Cham (2019). https:\/\/doi.org\/10.1007\/978-3-030-20951-3_3"},{"key":"16_CR33","unstructured":"Duits, I.: The post-quantum signal protocol: secure chat in a quantum world. Master\u2019s thesis, University of Twente, February 2019. http:\/\/essay.utwente.nl\/77239\/"},{"key":"16_CR34","doi-asserted-by":"crossref","unstructured":"Fischlin, M., G\u00fcnther, F.: Multi-stage key exchange and the case of Google\u2019s QUIC protocol. In: Ahn, G.J., Yung, M., Li, N. (eds.) ACM CCS 2014, pp. 1193\u20131204. ACM Press, November 2014","DOI":"10.1145\/2660267.2660308"},{"key":"16_CR35","unstructured":"Fluhrer, S.: Cryptanalysis of ring-LWE based key exchange with key share reuse. Cryptology ePrint Archive, Report 2016\/085 (2016). http:\/\/eprint.iacr.org\/2016\/085"},{"key":"16_CR36","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"537","DOI":"10.1007\/3-540-48405-1_34","volume-title":"Advances in Cryptology \u2014 CRYPTO\u2019 99","author":"E Fujisaki","year":"1999","unstructured":"Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 537\u2013554. Springer, Heidelberg (1999). https:\/\/doi.org\/10.1007\/3-540-48405-1_34"},{"issue":"1","key":"16_CR37","doi-asserted-by":"publisher","first-page":"80","DOI":"10.1007\/s00145-011-9114-1","volume":"26","author":"E Fujisaki","year":"2013","unstructured":"Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. J. Cryptol. 26(1), 80\u2013101 (2013)","journal-title":"J. Cryptol."},{"key":"16_CR38","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"63","DOI":"10.1007\/978-3-662-53887-6_3","volume-title":"Advances in Cryptology \u2013 ASIACRYPT 2016","author":"SD Galbraith","year":"2016","unstructured":"Galbraith, S.D., Petit, C., Shani, B., Ti, Y.B.: On the security of supersingular isogeny cryptosystems. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016, Part I. LNCS, vol. 10031, pp. 63\u201391. Springer, Heidelberg (2016). https:\/\/doi.org\/10.1007\/978-3-662-53887-6_3"},{"issue":"11","key":"16_CR39","doi-asserted-by":"publisher","first-page":"1584","DOI":"10.1109\/TC.2018.2808527","volume":"67","author":"X Gao","year":"2018","unstructured":"Gao, X., Ding, J., Li, L., Liu, J.: Practical randomized RLWE-based key exchange against signal leakage attack. IEEE Trans. Comput. 67(11), 1584\u20131593 (2018)","journal-title":"IEEE Trans. Comput."},{"key":"16_CR40","doi-asserted-by":"crossref","unstructured":"Greuet, A., Montoya, S., Renault, G.: Attack on LAC key exchange in misuse situation. Cryptology ePrint Archive, Report 2020\/063 (2020). https:\/\/eprint.iacr.org\/2020\/063","DOI":"10.1007\/978-3-030-65411-5_27"},{"key":"16_CR41","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"341","DOI":"10.1007\/978-3-319-70500-2_12","volume-title":"Theory of Cryptography","author":"D Hofheinz","year":"2017","unstructured":"Hofheinz, D., H\u00f6velmanns, K., Kiltz, E.: A modular analysis of the Fujisaki-Okamoto transformation. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017, Part I. LNCS, vol. 10677, pp. 341\u2013371. Springer, Cham (2017). https:\/\/doi.org\/10.1007\/978-3-319-70500-2_12"},{"key":"16_CR42","unstructured":"H\u00fclsing, A., Ning, K.C., Schwabe, P., Weber, F., Zimmermann, P.R.: Post-quantum wireguard. Cryptology ePrint Archive, Report 2020\/379 (2020). https:\/\/eprint.iacr.org\/2020\/379"},{"key":"16_CR43","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"273","DOI":"10.1007\/978-3-642-32009-5_17","volume-title":"Advances in Cryptology \u2013 CRYPTO 2012","author":"T Jager","year":"2012","unstructured":"Jager, T., Kohlar, F., Sch\u00e4ge, S., Schwenk, J.: On the security of TLS-DHE in the standard model. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 273\u2013293. Springer, Heidelberg (2012). https:\/\/doi.org\/10.1007\/978-3-642-32009-5_17"},{"key":"16_CR44","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"19","DOI":"10.1007\/978-3-642-25405-5_2","volume-title":"Post-Quantum Cryptography","author":"D Jao","year":"2011","unstructured":"Jao, D., De Feo, L.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. In: Yang, B.-Y. (ed.) PQCrypto 2011. LNCS, vol. 7071, pp. 19\u201334. Springer, Heidelberg (2011). https:\/\/doi.org\/10.1007\/978-3-642-25405-5_2"},{"key":"16_CR45","unstructured":"Katsumata, S., Kwiatkowski, K., Pintore, F., Prest, T.: Scalable ciphertext compression techniques for post-quantum KEMs and their applications. In: ASIACRYPT 2020 (2020, to appear). Available as Cryptology ePrint Archive, Report 2020\/1107. https:\/\/eprint.iacr.org\/2020\/1107"},{"key":"16_CR46","unstructured":"Kawashima, T., Takashima, K., Aikawa, Y., Takagi, T.: An efficient authenticated key exchange from random self-reducibility on CSIDH. Cryptology ePrint Archive, Report 2020\/1178 (2020). https:\/\/eprint.iacr.org\/2020\/1178"},{"key":"16_CR47","unstructured":"Kayacan, S.: A note on the static-static key agreement protocol from supersingular isogenies. Cryptology ePrint Archive, Report 2019\/815 (2019). https:\/\/eprint.iacr.org\/2019\/815"},{"key":"16_CR48","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"282","DOI":"10.1007\/978-3-540-71677-8_19","volume-title":"Public Key Cryptography \u2013 PKC 2007","author":"E Kiltz","year":"2007","unstructured":"Kiltz, E.: Chosen-ciphertext secure key-encapsulation based on gap hashed Diffie-Hellman. In: Okamoto, T., Wang, X. (eds.) PKC 2007. LNCS, vol. 4450, pp. 282\u2013297. Springer, Heidelberg (2007). https:\/\/doi.org\/10.1007\/978-3-540-71677-8_19"},{"key":"16_CR49","unstructured":"de Kock, B., Gj\u00f8steen, K., Veroni, M.: Practical isogeny-based key-exchange with optimal tightness. In: SAC 2020 (2020, to appear). Available as Cryptology ePrint Archive, Report 2020\/1165. https:\/\/eprint.iacr.org\/2020\/1165"},{"key":"16_CR50","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"546","DOI":"10.1007\/11535218_33","volume-title":"Advances in Cryptology \u2013 CRYPTO 2005","author":"H Krawczyk","year":"2005","unstructured":"Krawczyk, H.: HMQV: a high-performance secure Diffie-Hellman protocol. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 546\u2013566. Springer, Heidelberg (2005). https:\/\/doi.org\/10.1007\/11535218_33"},{"key":"16_CR51","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"429","DOI":"10.1007\/978-3-642-40041-4_24","volume-title":"Advances in Cryptology \u2013 CRYPTO 2013","author":"H Krawczyk","year":"2013","unstructured":"Krawczyk, H., Paterson, K.G., Wee, H.: On the security of the TLS protocol: a systematic analysis. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 429\u2013448. Springer, Heidelberg (2013). https:\/\/doi.org\/10.1007\/978-3-642-40041-4_24"},{"key":"16_CR52","doi-asserted-by":"crossref","unstructured":"Krawczyk, H., Wee, H.: The OPTLS protocol and TLS 1.3. In: 2016 IEEE European Symposium on Security and Privacy, EuroS&P 2016, pp. 81\u201396. IEEE, Saarbr\u00fccken, 21\u201324 March 2016","DOI":"10.1109\/EuroSP.2016.18"},{"key":"16_CR53","unstructured":"Kwiatkowski, K., Valenta, L.: The TLS Post-Quantum Experiment. The Cloudflare Blog, October 2019. https:\/\/blog.cloudflare.com\/the-tls-post-quantum-experiment\/"},{"key":"16_CR54","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1007\/978-3-540-75670-5_1","volume-title":"Provable Security","author":"B LaMacchia","year":"2007","unstructured":"LaMacchia, B., Lauter, K., Mityagin, A.: Stronger security of authenticated key exchange. In: Susilo, W., Liu, J.K., Mu, Y. (eds.) ProvSec 2007. LNCS, vol. 4784, pp. 1\u201316. Springer, Heidelberg (2007). https:\/\/doi.org\/10.1007\/978-3-540-75670-5_1"},{"key":"16_CR55","unstructured":"Langley, A.: CECPQ1 results. Imperial Violet, Blog, November 2016. https:\/\/www.imperialviolet.org\/2016\/11\/28\/cecpq1.html"},{"key":"16_CR56","unstructured":"Langley, A.: CECPQ2. Imperial Violet, Blog, December 2018. https:\/\/www.imperialviolet.org\/2018\/12\/12\/cecpq2.html"},{"key":"16_CR57","unstructured":"Langley, A., Chang, W.T.: QUIC Crypto, December 2016. https:\/\/docs.google.com\/document\/d\/1g5nIXAIkN_Y-7XJW5K45IblHd_L2f5LTaDUDwvZ5L6g\/. Revision 06 Dec 2016"},{"key":"16_CR58","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"319","DOI":"10.1007\/978-3-642-19074-2_21","volume-title":"Topics in Cryptology \u2013 CT-RSA 2011","author":"R Lindner","year":"2011","unstructured":"Lindner, R., Peikert, C.: Better key sizes (and attacks) for LWE-based encryption. In: Kiayias, A. (ed.) CT-RSA 2011. LNCS, vol. 6558, pp. 319\u2013339. Springer, Heidelberg (2011). https:\/\/doi.org\/10.1007\/978-3-642-19074-2_21"},{"key":"16_CR59","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"163","DOI":"10.1007\/978-3-030-12146-4_11","volume-title":"Information Security and Cryptology \u2013 ICISC 2018","author":"C Liu","year":"2019","unstructured":"Liu, C., Zheng, Z., Zou, G.: Key reuse attack on NewHope key exchange protocol. In: Lee, K. (ed.) ICISC 2018. LNCS, vol. 11396, pp. 163\u2013176. Springer, Cham (2019). https:\/\/doi.org\/10.1007\/978-3-030-12146-4_11"},{"key":"16_CR60","unstructured":"Marlinspike, M., Perrin, T.: The X3DH key agreement protocol, November 2016. https:\/\/signal.org\/docs\/specifications\/x3dh\/"},{"key":"16_CR61","unstructured":"National Institute of Standards and Technology (NIST): Post-quantum cryptography, 19 August 2015. https:\/\/csrc.nist.gov\/projects\/post-quantum-cryptography"},{"key":"16_CR62","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"505","DOI":"10.1007\/978-3-030-55304-3_26","volume-title":"Information Security and Privacy","author":"S Okada","year":"2020","unstructured":"Okada, S., Wang, Y., Takagi, T.: Improving key mismatch attack on NewHope with fewer queries. In: Liu, J.K., Cui, H. (eds.) ACISP 2020. LNCS, vol. 12248, pp. 505\u2013524. Springer, Cham (2020). https:\/\/doi.org\/10.1007\/978-3-030-55304-3_26"},{"key":"16_CR63","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"104","DOI":"10.1007\/3-540-44586-2_8","volume-title":"Public Key Cryptography","author":"T Okamoto","year":"2001","unstructured":"Okamoto, T., Pointcheval, D.: The gap-problems: a new class of problems for the security of cryptographic schemes. In: Kim, K. (ed.) PKC 2001. LNCS, vol. 1992, pp. 104\u2013118. Springer, Heidelberg (2001). https:\/\/doi.org\/10.1007\/3-540-44586-2_8"},{"key":"16_CR64","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"197","DOI":"10.1007\/978-3-319-11659-4_12","volume-title":"Post-Quantum Cryptography","author":"C Peikert","year":"2014","unstructured":"Peikert, C.: Lattice cryptography for the internet. In: Mosca, M. (ed.) PQCrypto 2014. LNCS, vol. 8772, pp. 197\u2013219. Springer, Cham (2014). https:\/\/doi.org\/10.1007\/978-3-319-11659-4_12"},{"key":"16_CR65","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"463","DOI":"10.1007\/978-3-030-45724-2_16","volume-title":"Advances in Cryptology \u2013 EUROCRYPT 2020","author":"C Peikert","year":"2020","unstructured":"Peikert, C.: He Gives C-Sieves on the CSIDH. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020, Part II. LNCS, vol. 12106, pp. 463\u2013492. Springer, Cham (2020). https:\/\/doi.org\/10.1007\/978-3-030-45724-2_16"},{"key":"16_CR66","unstructured":"Perrin, T.: The Noise protocol framework. https:\/\/noiseprotocol.org\/"},{"key":"16_CR67","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"504","DOI":"10.1007\/978-3-030-29962-0_24","volume-title":"Computer Security \u2013 ESORICS 2019","author":"Y Qin","year":"2019","unstructured":"Qin, Y., Cheng, C., Ding, J.: A complete and optimized key mismatch attack on NIST candidate NewHope. In: Sako, K., Schneider, S., Ryan, P.Y.A. (eds.) ESORICS 2019, Part II. LNCS, vol. 11736, pp. 504\u2013520. Springer, Cham (2019). https:\/\/doi.org\/10.1007\/978-3-030-29962-0_24"},{"key":"16_CR68","unstructured":"QUIC, a multiplexed stream transport over UDP. https:\/\/www.chromium.org\/quic"},{"key":"16_CR69","doi-asserted-by":"crossref","unstructured":"Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.3. RFC 8446 (Proposed Standard), August 2018. https:\/\/www.rfc-editor.org\/rfc\/rfc8446.txt","DOI":"10.17487\/RFC8446"},{"key":"16_CR70","doi-asserted-by":"crossref","unstructured":"Schwabe, P., Stebila, D., Wiggers, T.: Post-quantum TLS without handshake signatures. Cryptology ePrint Archive, Report 2020\/534 (2020). https:\/\/eprint.iacr.org\/2020\/534","DOI":"10.1145\/3372297.3423350"},{"key":"16_CR71","unstructured":"Shoup, V.: A Proposal for an ISO Standard for Public Key Encryption (version 2.1), December 2001. https:\/\/www.shoup.net\/papers\/iso-2_1.pdf"},{"key":"16_CR72","unstructured":"Signal protocol: Technical documentation. https:\/\/whispersystems.org\/docs\/"},{"key":"16_CR73","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"14","DOI":"10.1007\/978-3-319-69453-5_2","volume-title":"Selected Areas in Cryptography \u2013 SAC 2016","author":"D Stebila","year":"2017","unstructured":"Stebila, D., Mosca, M.: Post-quantum key exchange for the internet and the open quantum safe project. In: Avanzi, R., Heys, H. (eds.) SAC 2016. LNCS, vol. 10532, pp. 14\u201337. Springer, Cham (2017). https:\/\/doi.org\/10.1007\/978-3-319-69453-5_2"},{"key":"16_CR74","doi-asserted-by":"crossref","unstructured":"Urbanik, D., Jao, D.: New techniques for SIDH-based NIKE. J. Math. Cryptol. 14(1), 120\u2013128 (2020). https:\/\/www.degruyter.com\/view\/journals\/jmc\/14\/1\/article-p120.xml","DOI":"10.1515\/jmc-2015-0056"},{"issue":"3","key":"16_CR75","doi-asserted-by":"publisher","first-page":"329","DOI":"10.1007\/s10623-007-9159-1","volume":"46","author":"B Ustaoglu","year":"2008","unstructured":"Ustaoglu, B.: Obtaining a secure and efficient key agreement protocol from (H)MQV and NAXOS. Des. Codes Crypt. 46(3), 329\u2013342 (2008)","journal-title":"Des. Codes Crypt."},{"key":"16_CR76","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"158","DOI":"10.1007\/978-3-030-03329-3_6","volume-title":"Advances in Cryptology \u2013 ASIACRYPT 2018","author":"H Xue","year":"2018","unstructured":"Xue, H., Lu, X., Li, B., Liang, B., He, J.: Understanding and constructing AKE via double-key key encapsulation mechanism. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018, Part II. LNCS, vol. 11273, pp. 158\u2013189. Springer, Cham (2018). https:\/\/doi.org\/10.1007\/978-3-030-03329-3_6"},{"key":"16_CR77","doi-asserted-by":"crossref","unstructured":"Yao, A.C.C., Zhao, Y.: OAKE: a new family of implicitly authenticated Diffie-Hellman protocols. In: Sadeghi, A.R., Gligor, V.D., Yung, M. (eds.) ACM CCS 2013, pp. 1113\u20131128. ACM Press, November 2013","DOI":"10.1145\/2508859.2516695"},{"key":"16_CR78","doi-asserted-by":"crossref","unstructured":"Ylonen, T., Lonvick, C.: The Secure Shell (SSH) Transport Layer Protocol. RFC 4253 (Proposed Standard), January 2005. https:\/\/www.rfc-editor.org\/rfc\/rfc4253.txt","DOI":"10.17487\/rfc4253"}],"container-title":["Lecture Notes in Computer Science","Selected Areas in Cryptography"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-030-81652-0_16","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,19]],"date-time":"2025-07-19T22:02:59Z","timestamp":1752962579000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-3-030-81652-0_16"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021]]},"ISBN":["9783030816513","9783030816520"],"references-count":78,"URL":"https:\/\/doi.org\/10.1007\/978-3-030-81652-0_16","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"type":"print","value":"0302-9743"},{"type":"electronic","value":"1611-3349"}],"subject":[],"published":{"date-parts":[[2021]]},"assertion":[{"value":"21 July 2021","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"SAC","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"International Conference on Selected Areas in Cryptography","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2020","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"21 October 2020","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"23 October 2020","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"27","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"sacrypt2020","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"https:\/\/sac2020.ca\/","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Double-blind","order":1,"name":"type","label":"Type","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"iChair","order":2,"name":"conference_management_system","label":"Conference Management System","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"52","order":3,"name":"number_of_submissions_sent_for_review","label":"Number of Submissions Sent for Review","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"27","order":4,"name":"number_of_full_papers_accepted","label":"Number of Full Papers Accepted","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"0","order":5,"name":"number_of_short_papers_accepted","label":"Number of Short Papers Accepted","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"52% - The value is computed by the equation \"Number of Full Papers Accepted \/ Number of Submissions Sent for Review * 100\" and then rounded to a whole number.","order":6,"name":"acceptance_rate_of_full_papers","label":"Acceptance Rate of Full Papers","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"3-5","order":7,"name":"average_number_of_reviews_per_paper","label":"Average Number of Reviews per Paper","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"6-8","order":8,"name":"average_number_of_papers_per_reviewer","label":"Average Number of Papers per Reviewer","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"Yes","order":9,"name":"external_reviewers_involved","label":"External Reviewers Involved","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}}]}}