| Internet-Draft | PQuAKE | April 2025 |
| Blumenthal, et al. | Expires 24 October 2025 | [Page] |
This document defines the Post-Quantum Authenticated Key Exchange (PQuAKE) protocol that addresses the needs of bandwidth- and/or power-constrained environments, while maintaining strong security guarantees. It accomplishes that by minimizing the number of bits that need to be exchanged and by utilizing an implicit peer authentication approach similar to Menezes-Qu-Vanstone (MQV) design. This protocol is suitable for integration into protocols that establish dynamic secure sessions, such as Extensible Authentication Protocol (EAP), Internet Key Exchange Version 2 (IKEv2), or Secure COmmunications Interoperability Protocol (SCIP). This protocol has proofs in the verifiers Verifpal and CryptoVerif for security properties such as secrecy of the session key, mutual authentication, identity hiding with a preshared secret, and forward secrecy of the session key. The authors are in the process of publishing the proofs.¶
This note is to be removed before publishing as an RFC.¶
The latest revision of this draft can be found at https://mouse07410.github.io/pquake-draft/draft-uri-lake-pquake.html. Status information for this document may be found at https://datatracker.ietf.org/doc/draft-uri-lake-pquake/.¶
Discussion of this document takes place on the Lightweight Authenticated Key Exchange Working Group mailing list (mailto:lake@ietf.org), which is archived at https://mailarchive.ietf.org/arch/browse/lake/. Subscribe at https://www.ietf.org/mailman/listinfo/lake/.¶
Source for this draft and an issue tracker can be found at https://github.com/mouse07410/pquake-draft.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 24 October 2025.¶
Copyright (c) 2025 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
The primary goal of PQuAKE is to minimize the communication overhead of Post-Quantum (PQ) public-key cryptography during a key exchange. Bandwidth or power limited devices may not realistically use alternative PQ key exchanges such as the TLS handshake protocol to derive a shared symmetric key, as PQ digital signatures and keys are drastically larger. This protocol minimizes the communication overhead by reducing the number of signatures transmitted by each party to one offline-generated certificate signature. It is designed to be an add-on to such protocols as EAP [EAP], IKEv2, and others. Since computing a PQ digital signature typically is more expensive than performing a PQ KEM, there is a benefit of reduced computational costs.¶
The overall idea of the implicit authentication of the peers comes from the MQV protocol.¶
Both parties MAY have a pre-shared symmetric secret key, usually distributed among all the members of the given network or Community of Interest (COI). Adding a pre-shared symmetric key to the key derivation ensures confidentiality of the peers' identities (certificates) against active attackers that do not have that pre-shared key.¶
The protocol maintains the following security guarantees:¶
The secure channel between the Initiator and Responder is mutually authenticated¶
Key freshness, aka a new key is generated for this channel, and it hasn't been reused or stale;¶
If two parties properly follow the protocol, both parties will compute the same shared keys that are known only to them;¶
Perfect Forward Secrecy, aka after the channel is closed, there is no way for an adversary to break security properties associated with the shared key established via this protocol;¶
Security against replay attacks;¶
Confidentiality of peers' identities against passive adversary;¶
Confidentiality of peers' identities against active adversary (aka, Man-In-The-Middle) when both peers utilize long-term pre-shared key.¶
This protocol has proofs in the verifiers Verifpal and CryptoVerif for security properties such as secrecy of the session key, mutual authentication, identity hiding with a preshared secret, and forward secrecy of the session key. The authors are in the process of publishing the proofs.¶
It is important to note that PQuAKE does not replace protocols like the TLS record protocol, only the handshake protocol. Other protocols such as IKEv2, SCIP, or EAP may integrate PQuAKE into their key exchange phase.¶
The building blocks of this protocol SHALL have the following security properties:¶
While this protocol has been formally proven to work with any KEM, MAC, and symmetric cipher that exhibit the above properties -- interoperability requires that a Mandatory-To-Implement (MTI) set of algorithms is specified for the Version 1 of the protocol:¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
The PQuAKE protocol consists of four steps. Within each step, the exchanges can happen asynchronously, but one step (aka, all of the exchanges of that step) MUST conclude before the peers can proceed to the next one. If any step results in an error, the protocol SHOULD abort. That includes receiving an out-of-order or corrupted message, or not receiving an expected message within the deployer-configured time interval. However, the protocol SHOULD only abort at the end of the protocol if the peer's identity does not match an out-of-band verification, and an implicit KEM without aborts SHOULD be used. Ideally, the protocol SHOULD only abort after the key confirmation step if the reason for aborting is related to the identities of the two parties.¶
Currently, no notification to the other party, such as information about an abnormal completion and/or giving details of the error, is included in the protocol.¶
The four steps are the following:¶
Establish an ephemeral symmetric key via hello messages and exchange encrypted certificates (one MUST use an encryption scheme with IND-CCA2 security and an implicit KEM with IND-CCA2 security and IK-CCA2 security).¶
Encapsulate shared secrets and exchange the ciphertexts.¶
Decapsulate shared secrets, derive key confirmation keys and a session key.¶
Perform Key Confirmation.¶
Note that both peers take full transcripts (chain-hashes) of all the messages they send and receive, and include the resulting hash outputs among the inputs of the Key Derivation Function (KDF) that gets invoked to generate shared secrets (first for encrypting certificates, and the next time - to provide the shared secret that is the purpose of this protocol).¶
While both parties have to share their certificates or identities for authentication, we assume the identities of each party shall remain confidential to those outside of this exchange. They encrypt their certificates with a shared symmetric ephemeral key that they generate via a ephemeral KEM. This key is used to encrypt the certificate and is an input to the KDF when generating the shared key. The final KDF that provides the negotiated shared secret, will also include this symmetric key in its input.¶
Instead of generating a signature over the handshake transcript like TLS, PQuAKE performs an implicit authentication of the handshake. It does this by making the protocol's session key dependent on not only a series of KEM calculated shared secrets but also dependent on the hashes of the sent and received messages. Since only their corresponding party, who they have authenticated, can know those secrets, deriving the same session key implicitly authenticates each other while creating a shared secret.¶
Initiator Responder
-------------------------------------------------------------------
Establish confidential link and exchange certificates
-----------------------------------------------------
(sk_e, pk_e) <- KEM.keygen()
{ pk_e } -->
(ct_e, ss_e) <- KEM.encap(pk_e)
<-- { ct_e }
ss_e <- KEM.decap(ct_e, sk_e)
k_hid <- kdf_1(ss_pre, ss_e || "HID")
k_hid <- kdf(ss_pre, ss_e || "HID")
e_cert_i <- Enc(k_hid, cert_i) e_cert_r <- Enc(k_hid, cert_r)
{ e_cert_i } --> <-- { e_cert_r }
Encapsulate and send shared secrets
-----------------------------------
cert_r <- Dec(k_hid, e_cert_r) cert_i <- Dec(k_hid, e_cert_i)
if cert_r is not valid, abort if cert_i is not valid, abort
(ct_i, ss_i) <- KEM.encap(pk_r) (ct_r, ss_r) <- KEM.encap(pk_i)
{ ct_i } --> <-- { ct_r }
Decapsulate shared secrets and derive session keys
--------------------------------------------------
ss_r <- KEM.decap(sk_i, ct_r) ss_i <- KEM.decap(sk_r, ct_i)
send_hash <- H(hf, pk_e, e_cert_i, ct_i)
send_hash <- H(hf, ct_e, e_cert_r, ct_r)
recv_hash <- H(hf, ct_e, e_cert_r, ct_r)
recv_hash <- H(hf, pk_e, e_cert_i, ct_i)
S <- ss_e||ss_i||ss_r||send_hash||recv_hash
S <- ss_e||ss_i||ss_r||recv_hash||send_hash
k_C_i, k_C_r, ... <- kdf_2(hf2, S)
k_C_i, k_C_r, ... <- kdf_2(hf2, S)
Key Confirmation
----------------
{ HMAC(k_C_i, recv_hash || send_hash) } -->
<-- { HMAC(k_C_r, send_hash || recv_hash) }
¶
During this step, both nodes establish a shared ephemeral key via a KEM, then use it to encrypt certificates before transmitting them.¶
The initiator generates an ephemeral key and transmits the encapsulated secret. The responder MUST decapsulate the ciphertext. Both parties MUST derive a shared ephemeral key from the encapsulated secret and the pre-shared secret if it is present. Both parties MUST encrypt and transmit their certificates. Both parties MUST validate the certificate's signature. If the verification of a signature fails, the protocol MUST abort. Implementors need to be careful to avoid aborting based off the other node's identity until the end of the protocol to maintain identity hiding of the peer. Note that key encapsulation mechanism SHOULD be IND-CCA2 and IK-CCA2 secure and SHOULD NOT abort (it SHOULD be an implicit KEM).¶
The ciphertexts are decapsulated by both parties. At this point, both sides have all the shared secrets required to derive a set of session keys.¶
Key confirmation is done by calculating an HMAC of the chain-hash of all the sent and received messages correspondingly, using the appropriate Key Confirmation key derived in step 3. The initiator MUST use the key K~ir~, and the responder MUST use the key K~ri~.¶
We make no assumptions about the underlying transport that carries PQuAKE messages, because no error - whether maliciously introduced or accidental - in any of its messages can impact correctness of the protocol itself. We consider two kinds of errors:¶
a. Corruption of a message - will result in protocol failure (abort)¶
b. Failure to receive a message within expected time interval, aka timeout - will result in protocol failure (abort).¶
Handling the protocol timeout (how long to wait until declaring failure to receive) is the responsibility of the implementation deployer. The implementer SHOULD make this value configurable.¶
Note: the more the underlying transport does to detect or mitigate line errors (aka, non-malicious errors), the likelier the protocol is to successfully complete. Ideally, the transport would offer at least the capabilities of UDP.¶
We do not include explicit checksums because it is practically impossible for the protocol to succeed if any message would arrive corrupted, either maliciously, or by a random error.¶
A message of the protocol is formatted as follows:¶
0 1 2 3 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Version | Type | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Data ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+¶
Version: 8 bits¶
The version field indicates the format of the initiator hello message. This document describes version 1.¶
Type: 8 bits¶
This field indicates the current step of the protocol.¶
Length: 16 bits¶
Length is the length of the data, measured in octets. This field allows the length of the data to be up to 65535 octets.¶
Data: variable¶
This field changes based on the current step of the protocol.¶
The Initiator generates an ephemeral KEM key-pair
(sk_e, pk_e) = KEM.keygen()
and sends the public key pk_e
to its intended recipient (the Responder).
The Responder performs encapsulation
(ct_e, ss_e) = KEM.encap(pk_e)
and sends the
ciphertext ct_e to the Initiator.¶
An Initiator Hello message is formatted as follows:¶
0 1 2 3 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Version | Type | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Ephemeral Public Key ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+¶
Version: 8 bits¶
The version field indicates the format of the initiator hello message. This document describes version 1.¶
Type: 1¶
This field indicates the state of the protocol.¶
Length: 16 bits¶
Length is the length of the ephemeral public key, measured in octets. This field allows the length of a ephemeral public key to be up to 65535 octets.¶
Ephemeral Public Key: variable¶
This field SHOULD be unique for each protocol execution.¶
A Responder Hello message is formatted as follows:¶
0 1 2 3 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Version | Type | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Encapsulated Secret ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+¶
Type: 2¶
Encapsulated Secret: variable¶
The size of this field depends on the key encapsulation mechanism used.¶
A Certificate Exchange message is formatted as follows:¶
0 1 2 3 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Version | Type | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Initial Vector | Encrypted Certificate ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Authentication Tag | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+¶
Type: 3 for initiator, 4 for responder¶
Initial Vector: 96 bits¶
Encrypted Certificate: variable¶
Authentication Tag: 128 bits¶
The certificate encrypted with the derived key k_hid.¶
For now, we use standard X.509 certificate [X.509] with OIDs specifying ML-KEM and ML-DSA correspondingly. Future extensions may use different certificate formats.¶
An Encapsulation message is formatted as follows:¶
0 1 2 3 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Version | Type | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Encapsulated Secret ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+¶
Type: 5 for initiator, 6 for responder¶
Encapsulated Secret: variable¶
The size of this field depends on the key encapsulation mechanism used.¶
A Key Confirmation message is formatted as follows:¶
0 1 2 3 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Version | Type | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Key Confirmation Value ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+¶
Type: 7 for initiator, 8 for responder¶
Key Confirmation Value: 384 bits (output size of SHA384)¶
This field is the computed HMAC value of the exchange transcript.¶
Integration into IKEv2 [IKEV2] results in a hybrid Post-Quantum Key Exchange.¶
During the IKE_INIT phase, the peers establish ephemeral shared
secret key via ECDHE (Ephemeral Diffie-Hellman key exchange),
and signal that they will use PQuAKE in the IKE_INTERMEDIATE phase.¶
Messages exchanged during IKE_INTERMEDIATE phase,
perform the actual key exchange.¶
Instead of explicit signatures during IKE_AUTH phase,
both peers exchange Key Confirmation messages here.¶
The first pair of messages negotiate cryptographic algorithms, exchange nonces, and do an elliptic curve Diffie-Hellman exchange in order to maintain compatibility with standard IKEv2. The initiator indicates its support for Intermediate Exchange by including a notification of type INTERMEDIATE_EXCHANGE_SUPPORTED in the IKE_SA_INIT request message. If the responder also supports this exchange, it includes this notification in the response message.¶
The IKE_SA_INIT exchange is as follows:¶
Initiator Responder
---------------------------------------------------------------
HDR, SAi1, KEi, Ni,
N(PQUAKE_SUPPORTED),
N(INTERMEDIATE_EXCHANGE_SUPPORTED) --->
HDR, SAr1, KEr, Nr,
N(PQUAKE_SUPPORTED),
<--- N(INTERMEDIATE_EXCHANGE_SUPPORTED)
¶
If both peers indicated their support for the Intermediate Exchange, the initiator may proceed with the PQuAKE key exchange.¶
Initiator Responder
---------------------------------------------------------------
HDR, SK { PQUAKE_INITIATOR_HELLO } -->
<-- HDR, SK { PQUAKE_RESPONDER_HELLO }
HDR, SK { PQUAKE_CERT_EXCHANGE_I } -->
<-- HDR, SK { PQUAKE_CERT_EXCHANGE_R }
HDR, SK { PQUAKE_KEY_ENCAP_I } -->
<-- HDR, SK { PQUAKE_KEY_ENCAP_R }
¶
This is a security protocol, and it holds the properties described in (TODO reference) in the presence of passive or active attacker on the network.¶
One potential concern is the confidentiality of the peers' identities carried in their certificates. An active attacker can learn their identities during the certificate exchange step. Using a pre-shared secret will prevent disclosure of these certificates, keeping peers identities confidential. Since there are costs associated with out-of-band distribution of that secret, it would be typically shared among the Community of Interest (CoI). In that case, this protocol would protect peers identities against active attackers outside of this Community of Interest, but not against an active attacker that is a member of CoI.¶
This document defines a new Notify Message Type in the "IKEv2 Notify Message Types - Status Types" registry:¶
<TBA> PQUAKE_SUPPORTED¶
The authors want to thank Roger Khazan (MIT/LL), Adam Margetts (MIT/LL) for reviewing this work and giving helpful suggestions.¶