Towards Generalized Diffie-Hellman-esque Key Agreement via Generic
Split KEM Construction
Brian Goncalves [a] and Atefeh Mashatan [b]
Cybersecurity Research Lab, Toronto Metropolitan University, Victoria Street, Toronto, Canada
Keywords: Public-Key Cryptography, Provable Security, Key Agreement, Signal Protocol, Key Encapsulation.
Abstract: The Diffie-Hellman (DH) problem is a cornerstone of countless key agreement schemes. One of these schemes is the popular instant messaging protocol, Signal. The Signal protocol relies on a subprotocol based on the DH problem in order to create a secure session key. Unfortunately, as the threat of robust quantum computers continues to loom over traditionally hard problems such as the DH problem, quantum-resistant replacements for these schemes must be created. One candidate for a drop-in DH-style replacement is a special type of key encapsulation mechanism (KEM) called a split KEM, which maintains the same message flow as DH key agreement schemes. In this work, we present an efficient combiner to construct a split KEM from a public key encryption scheme, a signature algorithm, and a special type of pseudorandom function (PRF), called a constrained PRF. Constrained PRFs can produce PRF keys with limited domains, and by selecting the domain to be a single point, the master secret key can be reused. We then use the remaining schemes to transport the constrained key and point and to ensure the authenticity of the source of the ciphertext. We then prove that our construction reaches the split KEM formulation of traditional IND-CCA-security with a tight reduction.
1 INTRODUCTION
The Diffie-Hellman (DH) problem (Diffie and Hellman, 2006) has been a foundational tool that has been widely used in key agreement schemes (Krawczyk, 2005; Lauter and Mityagin, 2006; Boyd et al., 2008; Okamoto, 2007; Dierks and Rescorla, 2008; Rescorla, 2018). Tragically, despite the versatility and elegance of the DH problem, the underlying hardness is known to be weak against the period-finding algorithm for quantum computers developed by Peter Shor (Shor, 1994). As such, countless protocols that rely on DH-related assumptions require quantum-resistant replacements.
Among such protocols that must be replaced is the asynchronous messaging protocol Signal (sig, ), which is used notably in the eponymous messaging app, as well as WhatsApp (Inc., 2016). The Signal protocol relies on its Extended Triple Diffie-Hellman (X3DH) key agreement step (Marlinspike and Perrin, 2016). The X3DH protocol allows Alice to upload her long-term as well as semistatic (and optional ephemeral) DH public keys to a server so that Bob may download them and asynchronously compute a session key before sending Alice the necessary ephemeral DH public key to compute the same session key herself once she is back online.
[a] https://orcid.org/0000-0002-8850-2173
[b] https://orcid.org/0000-0001-9448-9123
In (Brendel et al., 2020), Brendel et al. attempted to find a suitable post-quantum replacement for the X3DH protocol. As part of their efforts, they analyzed a theoretical key encapsulation mechanism (KEM) based replacement for the X3DH protocol, where Alice and Bob exchange KEM ciphertexts instead of DH keys. However, this construction was unable to accurately replicate the X3DH protocol for two reasons.
First, their KEM-based construction could not generate keying material that was analogous to the keying material generated from Alice's long-term DH key and Bob's semistatic DH key that is present in the standard X3DH protocol. In the KEM-based construction, the various keys produced from encapsulating can be thought of as being produced from Bob's public keys (long-term, semi-static, and ephemeral) and Alice's ephemeral key (in the form of the random coins used during encapsulation). Thus, it cannot fully replicate the X3DH key agreement protocol.
Secondly, and more problematically, in order to be able to properly replicate the keys made in the protocol, a new message flow from Bob to Alice must be introduced, which undermines the asynchronicity of the Signal protocol.
Goncalves, B. and Mashatan, A. Towards Generalized Diffie-Hellman-esque Key Agreement via Generic Split KEM Construction. DOI: 10.5220/0012454400003648. Paper published under CC license (CC BY-NC-ND 4.0). In Proceedings of the 10th International Conference on Information Systems Security and Privacy (ICISSP 2024), pages 594-608. ISBN: 978-989-758-683-5; ISSN: 2184-4356. Proceedings Copyright © 2024 by SCITEPRESS – Science and Technology Publications, Lda.
To address these issues, Brendel, Fiedler, Günther, Janson, and Stebila (Brendel et al., 2020) presented a new type of KEM that mirrors the message flows of DH key agreement, which they call a split KEM, and detailed how it can be used for DH-based key exchange, such as X3DH. The idea of a split KEM is that encapsulation (resp. decapsulation) is computed with the encapsulator's private key (resp. public key) and the decapsulator's public key (resp. private key). Furthermore, Brendel et al. adapted the standard KEM definition of security and defined the security notions of lr-IND-CCA, where l and r denote how many queries an adversary can make to an encapsulation and decapsulation oracle, respectively. This use of oracles for encapsulation is due to the requirement of a private key during encapsulation.
Brendel et al. concluded their work by presenting a pair of split KEMs. The first construction presented was built from the Ring Learning With Errors (RLWE) problem and was proven to obtain the lowest level of security defined in their work. Their second construction for a split KEM was built from the classically hard Gap Hashed Diffie-Hellman (Gap DH) problem introduced by Kiltz as a basis for a traditional KEM (Kiltz, 2007). Unlike their first construction, Brendel et al. were able to prove that their second split KEM obtains fully adaptive IND-CCA-security. Despite being unable to construct an adaptively secure split KEM from problems that are thought to be hard for quantum computers to efficiently solve, Brendel et al. speculated that such a construction may come from the (quantum hard) commutative Supersingular Isogeny Diffie-Hellman (CSIDH) setting (Castryck et al., 2018), but note that the intractability of commutative SIDH and similar interactive problems is unknown.
1.1 Our Contributions
In this paper, we take an alternative approach to the construction of split KEMs, that of black-box combiners. As such, we present a construction for a split KEM built from a public key encryption (PKE) scheme, a digital signature algorithm (DS), a special class of pseudorandom functions (PRF), called a constrained PRF (cPRF), and a key derivation function (KDF). We then prove the IND-CCA-security of our construction with a tight reduction. Moreover, we assume that the adversary in the main security proof is quantum-computing capable, so that our construction can be instantiated with quantum-resistant primitives in order to translate Diffie-Hellman-esque key agreement to the post-quantum setting by way of split KEMs. Additionally, a benefit of our approach to constructing split KEMs is that it will remain secure should any specific choice for the inputs be discovered to be insecure.
Constrained PRFs [1] were introduced independently by Boneh and Waters (Boneh and Waters, 2013), Kiayias, Papadopoulos, Triandopoulos, and Zacharias (Kiayias et al., 2013), and Boyle, Goldwasser, and Ivan (Boyle et al., 2014). cPRFs are PRFs that allow for a special "constrained" key to be computed from the master secret key that allows (constrained) PRF evaluations on some restricted subset of the domain. Since their introduction, numerous works have been published (Hofheinz et al., 2019; Brakerski and Vaikuntanathan, 2015; Attrapadung et al., 2018; Boneh et al., 2017) showing how to construct cPRFs, including from post-quantum assumptions such as the Learning With Errors (LWE) problem (Peikert and Shiehian, 2018; Canetti and Chen, 2017). In our construction, we make use of this additional functionality so that the encapsulator is able to compute constrained keys over singleton sets of uniformly random points in the domain of the cPRF and give both the constrained key and the point to the decapsulator in order to produce the final key.
In more detail, our construction relies on the encapsulator being able to use a constrained PRF in order to generate KDF keying material from their own secret key and send it to the decapsulator via public-key encryption. The final key is then computed with the KDF evaluating the ciphertext and its contents. In doing this, we solve the issue of the KEM-based replacement in (Brendel et al., 2020): Alice's long-term secret key now contributes to the keying material produced when paired with any of Bob's keys. Thus, the full X3DH protocol can now be recreated using our split KEM construction.
1.2 Related Work
As previously discussed, Brendel et al. constructed two split KEMs directly from two well-known hard problems, RLWE and Gap DH (Brendel et al., 2020). However, neither construction was able to fully realize both the goals of full IND-CCA-security and quantum-resistance. The RLWE construction was limited to the weakest security level defined for split KEMs. Meanwhile, the Gap DH construction failed to address the issue of quantum vulnerability of the traditional DH scheme that necessitates its eventual abandonment.
[1] Kiayias et al. named these PRFs "Delegated PRFs", while Boyle, Goldwasser and Ivan used the term "Functional PRFs".
In a subsequent work, Brendel, Fiedler, Günther, Janson, and Stebila present a construction for a deniable asynchronous key exchange (DAKE), called "Signal in a Post-Quantum Regime" or SPQR, that matches the characteristics of the Signal protocol including the correct combinations of static, semistatic, and ephemeral keys (Brendel et al., 2021). Their key exchange protocol is built from a designated verifier signature (DVS) scheme, a twisted PRF, and a KEM used multiple times to generate the required keying material. The use of the DVS is to ensure that only Bob can verify the signature that Alice generates on the transcript. While our construction shares similarities with this protocol, we note that one limitation in directly replacing X3DH with SPQR is that, in practice, Signal has the semistatic keys signed under the user's long-term key, which is not possible with the use of a DVS. In order to address this, the authors note that additional long-term signing may be needed. Additionally, DVS schemes are more expensive than traditional signature schemes such as the one used in our construction. Finally, as mentioned in (Hashimoto et al., 2022), there is an attack that breaks the deniability of the base DAKE used to build SPQR, despite Brendel et al. proving a different version of deniability.
Hashimoto, Katsumata, Kwiatkowski, and Prest (Hashimoto et al., 2022) approached the problem of finding an X3DH replacement by constructing a new 1-round authenticated key exchange (AKE) protocol where the first message is "receiver oblivious", that is, it can be generated independently by Alice. They call 1-round AKEs with this property Signal Conforming AKEs (SC-AKEs). They were able to successfully construct a secure Signal Conforming AKE built from a digital signature, a PRF, and a pair of standard KEMs (one IND-CCA and the other IND-CPA) whose public keys and ciphertexts contain sufficient entropy. However, their construction does not immediately address the first issue of Brendel et al.'s KEM-based construction, as there is no immediate analog to the key material corresponding to the semistatic key of Bob and the long-term key of Alice. As such, we believe that split KEMs act as a more direct replacement for the DH key agreement in X3DH than the SC-AKE they present.
Dobson and Galbraith proposed an SIDH-based key exchange replacement for X3DH, called SI-X3DH (Dobson and Galbraith, 2022). The core idea of their construction was that, while standard SIDH key exchange is not secure against adaptive attacks, adaptive security can be obtained by using a Proof of Knowledge to verify the honesty of long-term SIDH public keys. However, since then, an efficient key recovery attack has appeared, so this construction is no longer secure to use as a potential replacement for DH key agreement (Castryck and Decru, 2023).
1.3 Overview
We organize this work as follows. In Section 2, we present the notation used throughout the remainder of the paper, along with the necessary definitions for the assumptions of our main result. In Section 3, we present our split KEM combiner and proof of security. We then conclude this paper in Section 4, where we discuss future directions and possibilities of constructing further split KEMs.
2 PRELIMINARIES
In this section, we cover the preliminaries used in this work. We begin with the notation used, followed by an introduction to PKEs, DSs, KDFs, cPRFs, and split KEMs, including their definitions and relevant security notions.
2.1 Notation
By $y \leftarrow A(x)$ we denote an algorithm $A$ (either classical or quantum), which runs on (classical) input $x$ and outputs (classical) $y$. When $A$ has access to an oracle $B$, we write this as $A^{B(\cdot)}(x)$. If $A$ is an algorithm that uses some randomness in its execution on input $x$ and we wish to specify what the randomness is, say $r$, we denote it as $A(x;r)$. We refer to specific subroutines within $A(\cdot)$ as $A.\mathsf{Subroutine}$. We consider all adversaries as algorithms (either classical or quantum) that are probabilistic polynomial-time (PPT) in their input length. We adopt the convention that PPT will be used in the case where the adversary is a classical algorithm, and QPT for when they are a quantum PPT algorithm.
We write $x \xleftarrow{\$} S$ to denote that $x$ was output by $S$ probabilistically, where if $S$ is some algorithm, then $x$ was selected according to some internal distribution, and if $S$ is some space, such as $\{0,1\}^{l}$, then we implicitly mean that $x$ is sampled uniformly at random.
We say that a function $g$ mapping nonnegative integers to nonnegative reals is negligible if for all positive numbers $c$ there exists an integer $\lambda_0(c) \ge 0$ such that for all $\lambda > \lambda_0(c)$ we have $g(\lambda) < \frac{1}{\lambda^{c}}$.
ICISSP 2024 - 10th International Conference on Information Systems Security and Privacy
2.2 Public-Key Encryption
We continue this section by reviewing two of the most basic public-key cryptosystems, PKEs and DSs. Beginning with PKEs, we present formal definitions of the cryptosystem and the necessary security definitions.
Definition 2.1 (Public-Key Encryption). We say a triple of algorithms $\mathcal{K} = (\mathsf{KeyGen}, \mathsf{Enc}, \mathsf{Dec})$ forms a Public-Key Encryption (PKE) scheme if:
$\mathsf{KeyGen}(1^n)$: The key generation algorithm is a probabilistic algorithm which, on input $1^n$ ($n \in \mathbb{N}$), outputs a related pair $(ek, dk)$ of public encryption and secret decryption keys.
$\mathsf{Enc}(ek, m)$: The encryption algorithm is a probabilistic algorithm that takes as input a public key $ek$ and a plaintext message $m$ and produces a ciphertext $c$.
$\mathsf{Dec}(dk, c)$: The decryption algorithm is a deterministic algorithm that takes as input a secret key $dk$ and a ciphertext $c$, and returns a plaintext message $m$, or a special designated rejection symbol $\bot$.
Definition 2.2 (Correctness of PKEs). We say that a PKE, $\Pi$, is $\varepsilon$-correct if for all $n \in \mathbb{N}$:
$$\Pr\left[\mathsf{Dec}(dk, c) \ne m : (ek, dk) \leftarrow \mathsf{KeyGen}(1^n),\ c \leftarrow \mathsf{Enc}(ek, m)\right] \le \varepsilon. \quad (1)$$
We say that a PKE, $\Pi$, is perfectly correct if $\varepsilon = 0$.
We now formally define what we mean by
IND-CCA-security for PKEs.
Definition 2.3 (IND-CCA Security for PKEs). We say that a PKE, $\Pi$, is IND-CCA if, for all adversaries $A$, we have that
$$\mathrm{Adv}^{\mathrm{IND\text{-}CCA}}_{\Pi,A}(n) = \left|\Pr\left[\mathrm{Expt}^{\mathrm{IND\text{-}CCA}}_{\Pi,A}(n) = 1\right] - \frac{1}{2}\right| \quad (2)$$
is a negligible function in $n \in \mathbb{N}$, where $\mathrm{Expt}^{\mathrm{IND\text{-}CCA}}_{\Pi,A}(n)$ is defined in Figure 1.
Expt^{IND-CCA}_{Π,A}(n):
1. (ek, dk) ←$ Π.KeyGen(1^n)
2. (m_0, m_1, st) ← A^{Π.Dec(dk,·)}(ek)
3. b ←$ {0,1}
4. c* ← Π.Enc(ek, m_b)
5. b' ← A^{O_{Π.Dec}(dk,·), queries c ≠ c*}(ek, st, c*)
6. return [b = b']
Figure 1: The IND-CCA security experiment for PKEs.
An additional property that we need PKEs to have
later in this work is that they are well-spread, which
we define below.
Definition 2.4 ($\gamma$-spread PKE (Fujisaki and Okamoto, 2013)). Let $\Pi = (\mathsf{KeyGen}, \mathsf{Enc}, \mathsf{Dec})$ be a PKE scheme. We say $\Pi$ is $\gamma$-spread if for every $ek$ generated by $\mathsf{KeyGen}(1^n)$ and every message $m$ in the message space of $\mathsf{Enc}$ it holds that
$$\max_{c \in \{0,1\}^{*}} \Pr\left[c = \mathsf{Enc}(ek, m; r) : r \xleftarrow{\$} \mathsf{Coin}\right] \le 2^{-\gamma}, \quad (3)$$
where $\mathsf{Coin}$ denotes the space in which the randomness of $\mathsf{Enc}$ is sampled.
We say that $\Pi$ is well-spread if $\gamma = \omega(\log n)$.
2.3 Digital Signature Algorithms
Next, we recall the formal definitions of digital signature algorithms and what it means for a signature to have strong existential unforgeability under chosen-message attacks.
Definition 2.5 (Digital Signature Algorithms). We say a triple of algorithms $\Sigma = (\mathsf{KeyGen}, \mathsf{Sign}, \mathsf{Vfy})$ forms a digital signature algorithm (DS) scheme if:
$\mathsf{KeyGen}(1^n)$: The key generation algorithm is a probabilistic algorithm which on input $1^n$ ($n \in \mathbb{N}$) outputs a related pair $(vk, sk)$ of public verification and secret signing keys;
$\mathsf{Sign}(sk, m)$: The signing algorithm is a probabilistic algorithm that takes two inputs, a secret signing key $sk$ and a plaintext message $m$ from a designated message space $\mathcal{M}_\Sigma$, and outputs a signature $\sigma$;
$\mathsf{Vfy}(vk, m, \sigma)$: The verification algorithm is a deterministic algorithm that takes as input a public verification key $vk$, a plaintext message $m$ and a signature $\sigma$, and returns either $0$ if rejected, or $1$ if accepted.
Definition 2.6 (Correctness of DSs). We say that a digital signature scheme, $\Sigma$, is $\varepsilon$-correct if for all $m \in \mathcal{M}_\Sigma$ we have:
$$\Pr\left[\mathsf{Vfy}(vk, m, \sigma) \ne 1 : (vk, sk) \leftarrow \mathsf{KeyGen}(1^n),\ \sigma \leftarrow \mathsf{Sign}(sk, m)\right] \le \varepsilon. \quad (4)$$
We say that a DS, $\Sigma$, is perfectly correct if $\varepsilon = 0$.
When working with signature algorithms, the most common notion of security is that of existential unforgeability under chosen-message attacks, denoted as EUF-CMA. The EUF-CMA-security property means that an adversary cannot produce a valid signature on a message not previously signed. However, EUF-CMA-security does not protect against new signatures on old messages, which in the case of our split KEM may result in adversaries replaying the same PKE ciphertext with different signatures and winning the security game with probability 1. Thus, this property is insufficient for our split KEM combiner.
To prevent this type of attack, we require our DS to have the property of strong existential unforgeability under chosen message attacks, denoted as SUF-CMA-security. Informally, this property means that it should be infeasible for an adversary to produce a valid message-signature pair that they have not previously seen, including the case of repeat messages, which is what our split KEM construction requires. Although SUF-CMA-security is a stronger property than is typically considered for digital signatures, there exist several works that provide methods on how to build them from weaker signature schemes (Huang et al., 2007; Steinfeld et al., 2006; Huang et al., 2008; Wang and Tanaka, 2015). We formally define SUF-CMA-security below.
Definition 2.7 (SUF-CMA Security for DSs). We say that a DS, $\Sigma$, is SUF-CMA-secure if, for all adversaries $A$, we have that
$$\mathrm{Adv}^{\mathrm{SUF\text{-}CMA}}_{\Sigma,A}(n) = \Pr\left[\mathrm{Expt}^{\mathrm{SUF\text{-}CMA}}_{\Sigma,A}(n) = 1\right] \quad (5)$$
is a negligible function in $n$, where $\mathrm{Expt}^{\mathrm{SUF\text{-}CMA}}_{\Sigma,A}(n)$ is defined in Figure 2.
Expt^{SUF-CMA}_{Σ,A}(n):
1. (vk, sk) ←$ Σ.KeyGen(1^n), L = ∅
2. (m*, σ*) ← A^{O_Sign(sk,·)}(vk)
3. Return [(m*, σ*) ∉ L] ∧ [Vfy(vk, m*, σ*) = 1]
4. Else return 0
O_Sign(sk, m):
1. σ ← Sign(sk, m), L ← L ∪ {(m, σ)}
2. return (m, σ)
Figure 2: The SUF-CMA security experiment for DSs.
2.4 Key Derivation Function
In this subsection, we review key derivation functions (KDF). Intuitively, KDFs allow users to compute a cryptographic key after input is provided and are used in countless protocols and schemes as the final step in key agreement. The primary security requirement of KDFs is that their output be indistinguishable from a uniformly random string of equal length. We formalize the definition of KDFs and their security below.
Definition 2.8 (KDF (Chuah et al., 2013)). A key derivation function is defined as a function $\mathsf{KDF} : \Xi \times \mathsf{Salt} \times \mathsf{Context} \times \mathbb{N} \to \{0,1\}^{l}$, where:
$\xi$ is source keying material, which is chosen from the space of all possible source keying materials $\Xi$. Output alongside $\xi$ is some auxiliary data $a$ (such as its distribution), which is publicly known.
$l$ is a positive integer that indicates the number of bits produced by $\mathsf{KDF}$.
$s$ is a salt, which is a public random string chosen from the salt space $\mathsf{Salt}$. This input is optional.
$t$ is a context string chosen from a context space $\mathsf{Context}$.
$K$ is the derived $l$-bit cryptographic key.
Definition 2.9 (KDF Security (Chuah et al., 2013)). Let $n$ be the security parameter. Let $\mathsf{KDF} : \Xi \times \mathsf{Salt} \times \mathsf{Context} \times \mathbb{N} \to \{0,1\}^{l}$ be a key-derivation function with input source keying material $\xi \in \Xi$, $l \in \mathbb{N}$ the output length, $s \in \mathsf{Salt}$, and $t \in \mathsf{Context}$. We say that $\mathsf{KDF}$ is KDF-IND-secure if, for all adversaries $A$,
$$\mathrm{Adv}^{\mathrm{KDF\text{-}IND}}_{\mathsf{KDF},A}(n) = \left|\Pr\left[\mathrm{Expt}^{\mathrm{KDF\text{-}IND}}_{\mathsf{KDF},A}(n) = 1\right] - \frac{1}{2}\right| \quad (6)$$
is negligible as a function of $n$, where $\mathrm{Expt}^{\mathrm{KDF\text{-}IND}}_{\mathsf{KDF},A}(n)$ is defined below in Figure 3.
Expt^{KDF-IND}_{KDF,A}(n):
1. (ξ, a) ←$ Π.KeyGen(1^n), L ← ∅, s ←$ Salt
2. (t*, l*, st) ← A^{O_KDF(ξ,s,·,·)}(a, s)
3. k_0 ← KDF(ξ, s, t*, l*), k_1 ←$ {0,1}^{l*}
4. b ←$ {0,1}
5. b' ← A^{O_KDF(ξ,s,·,·)}(a, s, k_b, st)
6. return [b = b'] ∧ [(t*, l*) ∉ L]
O_KDF(ξ, s, t, l):
1. L ← L ∪ {(t, l)}
2. return KDF(ξ, s, t, l)
Figure 3: The KDF-IND security experiment for KDFs.
2.5 Constrained PRFs
We next review the formal definitions associated with cPRFs. Briefly, constrained PRFs are a type of PRF that allows third parties to use special limited keys to evaluate the PRF as if they had the master secret key. These limited keys are produced by the holder of the master secret key through a constraining algorithm. To do this, a circuit representation of the set, along with the master secret key, is used as input for the constraining algorithm. We will use the convention that a circuit $f$ is satisfied by, or authorizes, the input $x$ if $f(x) = 1$.
Definition 2.10. A constrained PRF $\mathcal{P}$ is a tuple of algorithms $(\mathsf{Setup}, \mathsf{Eval}, \mathsf{Con}, \mathsf{cEval})$ over domain $X$, range $Y$, and some circuit class $\mathcal{C}$, defined as follows (Boneh and Waters, 2013), where the domain may depend on the security parameter:
$\mathsf{Setup}(1^n)$: given the security parameter $n$, outputs a master secret key $msk$.
$\mathsf{Eval}(msk, x)$: given the master secret key $msk$ and an input $x \in X$, outputs some $y \in Y$.
$\mathsf{Con}(msk, f)$: given the master secret key and a circuit $f \in \mathcal{C}$, outputs a constrained key $\tau_f$.
$\mathsf{cEval}(\tau_f, x)$: given a constrained key $\tau_f$ and an input $x \in X$, outputs some $y \in Y$.
A crucial concept for cPRFs is that of correctness. As previously described, the aim of cPRFs is to allow a third party to perform PRF evaluations as if they had the master secret key and to allow them and the keyholder to output the same value. This property is captured in the idea of correctness, which we formally define next.
Definition 2.11. A constrained PRF, $\mathcal{P}$, is correct if for all $n \in \mathbb{N}$, $msk \leftarrow \mathsf{Setup}(1^n)$, for every circuit $f \in \mathcal{C}$ and input $x \in X$ for which $f(x) = 1$, the following holds with overwhelming probability:
$$\mathcal{P}.\mathsf{cEval}(\mathcal{P}.\mathsf{Con}(msk, f), x) = \mathcal{P}.\mathsf{Eval}(msk, x).$$
Now, we describe the main security concept for cPRFs. As the name implies, a cPRF should produce outputs that, like a standard PRF, are indistinguishable from random. However, because cPRFs have the additional functionality of producing constrained keys, these keys should not leak or provide any additional information to an adversary attempting to distinguish the outputs from random. In more detail, we want it to be infeasible for an adversary to distinguish a PRF evaluation at a point of their choice $x^*$ from a randomly chosen sample in the range, while also being allowed to obtain constrained keys for circuits of their choice. However, to prevent trivial wins, we do not allow the adversary to select an $x^*$ that satisfies any of the circuits queried, nor allow queries to the $\mathsf{Con}$ oracle which can be satisfied by $x^*$.
Definition 2.12. A constrained PRF, $\mathcal{P}$, with domain $X$ is said to be pseudorandom if for all adversaries $A$ and family of circuits $\mathcal{C}$, we have that
$$\mathrm{Adv}^{\mathrm{rndm}}_{\mathcal{P},A}(n) := \left|\Pr\left[\mathrm{Expt}^{\mathrm{rndm}}_{\mathcal{P},A}(n) = 1\right] - \frac{1}{2}\right| \quad (7)$$
is a negligible function in $n$, where $\mathrm{Expt}^{\mathrm{rndm}}_{\mathcal{P},A}(n)$ is defined in Figure 4 (Boneh and Waters, 2013).
Expt^{rndm}_{P,A}(n):
1. msk ←$ P.Setup(1^n), L_x = ∅, L_f = ∅
2. (x*, st) ← A^{O_{P.Con}(msk,·), O_{P.Eval}(msk,·)}(1^n)
3. y_0 ← P.Eval(msk, x*)
4. y_1 ←$ Y
5. b ←$ {0,1}
6. b' ← A^{O_{P.Con}(msk,·), O_{P.Eval}(msk,·)}(y_b, st)
7. return [b = b'] ∧ [x* ∉ L_x] ∧ [∀ f ∈ L_f, f(x*) = 0]
O_{P.Con}(msk, f):
1. L_f ← L_f ∪ {f}
2. return P.Con(msk, f)
O_{P.Eval}(msk, x):
1. L_x ← L_x ∪ {x}
2. return P.Eval(msk, x)
Figure 4: The pseudorandomness experiment for constrained PRF, P.
2.6 Split KEMs
Finally, we conclude this section by providing the definitions of split KEMs presented by Brendel et al. (Brendel et al., 2020).
We note here that Brendel et al. presented two formulations of split KEMs, symmetric and asymmetric split KEMs. In the symmetric setting, the key generation process is identical for both the encapsulator and the decapsulator. Traditional DH-based schemes are an archetypical example of such symmetric KEMs. Another example of such a symmetric split KEM is the LWE-based split KEM defined by Brendel et al. in (Brendel et al., 2020). Intuitively, then, asymmetric split KEMs have different key generation processes for the different roles. Once again, Brendel et al. presented an example of such a split KEM based on the work of Kiltz (Kiltz, 2007). A natural question that may be asked is whether it is possible to convert one type of split KEM into the other, to which the answer is yes. Brendel et al. provided a description of how this can be done. For the conversion of asymmetric split KEMs to symmetric split KEMs, key generation is defined to simply run both the encapsulator and decapsulator key generation algorithms and use the appropriate key depending on their role in a session. To see the reverse, the symmetric key generation algorithm is changed so that it is done with fixed roles for the encapsulators and decapsulators.
For the remainder of this work, when we say split
KEM, we will refer to asymmetric split KEMs, which
we define next.
Definition 2.13. A split KEM $\mathcal{K}_S$ consists of four algorithms $\mathsf{DKeyGen}$, $\mathsf{EKeyGen}$, $\mathsf{sEncap}$, and $\mathsf{sDecap}$, where $\mathsf{EKeyGen}$ and $\mathsf{sEncap}$ are executed by the encapsulator, and $\mathsf{DKeyGen}$ and $\mathsf{sDecap}$ by the decapsulator (Brendel et al., 2020).
split KEM key generation: for the decapsulator and encapsulator, respectively, $(D, d) \leftarrow \mathsf{DKeyGen}(1^n)$ and $(E, e) \leftarrow \mathsf{EKeyGen}(1^n)$ are probabilistic algorithms that output a pair of keys, consisting of a public key (denoted with capital letters) and a secret key (denoted by lowercase letters).
split KEM encapsulation: $(c, k) \leftarrow \mathsf{sEncap}(e, D)$ is a probabilistic algorithm executed by the encapsulator. It takes as input $e$, the secret key of the encapsulator, and $D$, the public key of the decapsulator. The algorithm $\mathsf{sEncap}$ then outputs the shared secret $k$ along with its encapsulation $c$.
split KEM decapsulation: $k/\bot \leftarrow \mathsf{sDecap}(d, E, c)$ is a deterministic algorithm executed by the decapsulator. On input a ciphertext $c$, the secret key of the decapsulator $d$, and the public key of the encapsulator $E$, it outputs the decapsulation $k$ of $c$, or $\bot$ if the operation fails.
Next, we state the security definition for split KEMs, lr-IND-CCA-security. Naturally, this definition is analogous to that of IND-CCA-security of traditional KEMs, where the adversary aims to distinguish whether a uniformly random key was given or not. The key difference is that in the IND-CCA experiment for traditional KEMs, the adversary is given the public key so that they may produce ciphertexts themselves, as well as an oracle programmed with the secret key to decrypt ciphertexts. Split KEMs, however, require secret keys for both encapsulation and decapsulation. Consequently, in the lr-IND-CCA-security experiment, the adversary is given both public keys and two oracles, one for encapsulation and one for decapsulation.
Definition 2.14. Let $\mathcal{K}_S = (\mathsf{EKeyGen}, \mathsf{DKeyGen}, \mathsf{sEncap}, \mathsf{sDecap})$ be a split KEM with key space $\mathcal{K}$. Let $l \in \{n, s, m\}$ (n means no queries, s means a single query, m means polynomially many) and $r \in \{n, m\}$. We say that $\mathcal{K}_S$ provides lr-indistinguishability under chosen-ciphertext attacks, or, for short, $\mathcal{K}_S$ is lr-IND-CCA-secure, if for all adversaries $A$ the advantage $\mathrm{Adv}^{lr\text{-}\mathrm{IND\text{-}CCA}}_{\mathcal{K}_S,A}(n)$ in winning the experiment $\mathrm{Expt}^{lr\text{-}\mathrm{IND\text{-}CCA}}_{\mathcal{K}_S,A}(n)$ as depicted in Figure 5, defined as
$$\mathrm{Adv}^{lr\text{-}\mathrm{IND\text{-}CCA}}_{\mathcal{K}_S,A}(n) := \left|\Pr\left[\mathrm{Expt}^{lr\text{-}\mathrm{IND\text{-}CCA}}_{\mathcal{K}_S,A}(n) = 1\right] - \frac{1}{2}\right| \quad (8)$$
is negligible in $n$.
Expt^{lr-IND-CCA}_{K_S,A}(n):
1. n_l, n_r ← 0
2. (D, d) ← DKeyGen(1^n)
3. (E, e) ← EKeyGen(1^n)
4. (c*, k_0) ← sEncap(e, D)
5. k_1 ←$ K
6. b ←$ {0,1}
7. b' ← A^{O_E(·), O_D(·,·)}(E, D, c*, k_b)
8. return [b = b']
O_D(E', c):
1. if n_l ≥ l, return ⊥
2. else n_l += 1
3. if (E', c) = (E, c*), return ⊥
4. return k ← sDecap(d, E', c)
O_E(D'):
1. if n_r ≥ r, return ⊥
2. else n_r += 1
3. (c, k) ← sEncap(e, D')
4. if (D', c) = (D, c*), return ⊥
5. else return (c, k)
Figure 5: The lr-IND-CCA security experiment for split KEMs.
Notably, nn-IND-CCA- and mm-IND-CCA-security correspond to the traditional notions of IND-CPA- and IND-CCA-security, respectively.
Finally, we include the definition of correctness for (asymmetric) split KEMs for completeness.
Definition 2.15 (Correctness of Asymmetric Split KEMs). We say that an asymmetric split KEM, $\mathcal{K}_S$, is $\varepsilon$-correct if:
$$\Pr\left[\mathsf{sDecap}(d, E, c) \ne k : (E, e) \leftarrow \mathsf{EKeyGen},\ (D, d) \leftarrow \mathsf{DKeyGen},\ (c, k) \leftarrow \mathsf{sEncap}(e, D)\right] \le \varepsilon. \quad (9)$$
We say a split KEM, $\mathcal{K}_S$, is perfectly correct if $\varepsilon = 0$.
2.6.1 The Trivial Split KEM
One natural question that arises when considering split KEMs is whether standard KEMs or public-key encryption (PKE) algorithms can be used to construct a split KEM without additional algorithms. As noted in the introduction, Brendel et al. attempted to replace the DH values with KEM ciphertexts (Brendel et al., 2020). This attempt can be formalized as the split KEM in Figure 6, where K is a KEM.
Once again, the issue with this construction becomes apparent in the context of the X3DH protocol. As the encapsulator's keys are simply defined to be 0, it cannot produce meaningful keying material that replicates the original protocol. In particular, the keying material computed from the long-term DH key of Alice and the semistatic DH key of Bob is missing.
S.EKeyGen(1^n):
1. E = 0, e = 0
S.DKeyGen(1^n):
1. (ek, dk) ← K.KeyGen(1^n)
2. D = ek, d = (ek, dk)
S.sEncap(e, D):
1. If e ≠ 0, return ⊥
2. Else (c, k) ← K.Encap(ek)
3. Return (c, k)
S.sDecap(d, E, c):
1. If E ≠ 0, k = ⊥
2. Else k = K.Decap(dk, c)
3. Return k
Figure 6: The trivial split KEM, S.
In this construction, the randomness the encapsulator uses acts only in place of an ephemeral DH key, and not in place of the long-term key of Alice.
The second issue comes as a result of the first. In order to correct this lack of keying material, a (standard) KEM ciphertext from Bob to Alice is needed. However, this causes the asynchronicity property of the X3DH protocol to fail, as both Alice and Bob need to be online simultaneously in order to compute the session key. As a result, while a trivial split KEM can be defined, it does not address the issues that Brendel et al. found with (standard) KEM-only replacements for X3DH.
3 SPLIT KEM COMBINER
In this section, we present the main result of this
paper, a mm-IND-CCA split KEM, and a high-level
comparison with past works. We first introduce our
new construction and then prove mm-IND-CCA secu-
rity.
3.1 Construction
We now present our split KEM, denoted by S, in Fig. 7. We let Π denote an IND-CCA PKE, Σ a SUF-CMA digital signature scheme, and P̂ a cPRF. We note here that we use the notation id_x to represent the circuit that is 1 when evaluated on x and 0 everywhere else.
K.EKeyGen(1^n):
  1. P̂.Setup(1^n) → msk
  2. Σ.KeyGen(1^n) → (vk, sk)
  3. E = vk, e = (vk, sk, msk)
K.DKeyGen(1^n):
  1. Π.KeyGen(1^n) → (ek, dk)
  2. D = ek, d = (ek, dk)
K.sEncap(e, D):
  1. x ←$ X
  2. P̂.Con(msk, id_x) → τ_x
  3. Π.Enc(ek, vk‖x‖τ_x) → c
  4. Σ.Sign(sk, vk‖c) → σ
  5. P̂.Eval(msk, x) → κ
  6. KDF(κ, ∅, x‖c‖σ, n) → k
  7. return ((c, σ), k)
K.sDecap(d, E = vk, (c, σ)):
  1. Σ.Vfy(vk, vk‖c, σ) → b
  2. If b = 0, return ⊥
  3. If b = 1, then Π.Dec(dk, c) → vk′‖x′‖τ′
  4. If vk ≠ vk′, return ⊥
  5. Else P̂.cEval(τ′, x′) → κ′
  6. Return KDF(κ′, ∅, x′‖c‖σ, n)
Figure 7: Our mm-IND-CCA-secure split KEM, S.
3.2 Constrained PRF for Singleton Sets
Before we proceed to the security proof for our construction, we note that a constrained PRF, P̂, suitable for our construction can be obtained from a PRF. We provide a brief description here and the full details in the Appendix. Given a PRF, P, with master secret key msk, we define P̂.Eval(msk, x) as P.Eval(P.Eval(msk, x), x), and the constrained key for the point x is defined as τ_x = P.Eval(msk, x). Clearly, given τ_x and x, anyone can derive P̂.Eval(msk, x). Thus, it is possible to avoid the complicated tools necessary to construct robust constrained PRFs, such as NC^1 circuits (Canetti and Chen, 2017) or indistinguishability obfuscation (Davidson et al., 2020), when implementing our split KEM K.
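To make the combiner concrete, the following Go program is an added example and not the paper's own code; it instantiates Figure 7 together with the singleton-set cPRF of this section (Figure 13 in the Appendix) using standard-library primitives that the paper does not fix and that are assumptions here: RSA-OAEP as Π, Ed25519 as Σ, HMAC-SHA256 as the base PRF P, an HMAC extract-then-expand KDF, the domain X = {0,1}^128, and fixed-width fields so that vk‖x‖τ_x parses unambiguously. sDecap keeps the two checks the proof relies on: the signature over vk‖c must verify under E, and the vk recovered from c must equal E.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Assumed parameters, not fixed by the paper: X = {0,1}^128 and 32-byte session keys.
const (
	xLen   = 16
	vkLen  = ed25519.PublicKeySize // 32 bytes
	keyLen = 32
)

var errReject = errors.New("sDecap: reject (⊥)")

// prf is the standard PRF P, instantiated here with HMAC-SHA256 (assumption).
func prf(key, x []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(x)
	return m.Sum(nil)
}

// The singleton-set constrained PRF P̂ of Figure 13, built from P.
func cprfEval(msk, x []byte) []byte  { return prf(prf(msk, x), x) } // P̂.Eval(msk, x)
func cprfCon(msk, x []byte) []byte   { return prf(msk, x) }         // P̂.Con(msk, id_x) = τ_x
func cprfCEval(tau, x []byte) []byte { return prf(tau, x) }         // P̂.cEval(τ_x, x)

// kdf is an HMAC extract-then-expand KDF (assumption); a nil salt stands for the paper's ∅.
func kdf(kappa, salt, info []byte, n int) []byte {
	prk := prf(salt, kappa)
	return prf(prk, append(append([]byte{}, info...), 0x01))[:n]
}

func concat(parts ...[]byte) []byte { return bytes.Join(parts, nil) }

type EncapKeys struct { // e = (vk, sk, msk); the public half E is VK alone
	VK  ed25519.PublicKey
	SK  ed25519.PrivateKey
	MSK []byte
}

// EKeyGen is K.EKeyGen: P̂.Setup yields msk and Σ.KeyGen yields (vk, sk).
func EKeyGen() (*EncapKeys, error) {
	vk, sk, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	msk := make([]byte, sha256.Size)
	_, err = rand.Read(msk) // msk ←$ P̂.Setup(1^n)
	return &EncapKeys{VK: vk, SK: sk, MSK: msk}, err
}

// DKeyGen is K.DKeyGen: D = ek is &d.PublicKey and d = (ek, dk) is the RSA private key.
func DKeyGen() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// SEncap follows K.sEncap(e, D) step by step and returns ((c, σ), k).
func SEncap(e *EncapKeys, D *rsa.PublicKey) (c, sig, k []byte, err error) {
	x := make([]byte, xLen) // 1. x ←$ X
	if _, err = rand.Read(x); err != nil {
		return nil, nil, nil, err
	}
	tau := cprfCon(e.MSK, x)                                                          // 2. τ_x
	c, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, D, concat(e.VK, x, tau), nil) // 3. Π.Enc(ek, vk‖x‖τ_x)
	if err != nil {
		return nil, nil, nil, err
	}
	sig = ed25519.Sign(e.SK, concat(e.VK, c))      // 4. σ ← Σ.Sign(sk, vk‖c)
	kappa := cprfEval(e.MSK, x)                    // 5. κ ← P̂.Eval(msk, x)
	k = kdf(kappa, nil, concat(x, c, sig), keyLen) // 6. k ← KDF(κ, ∅, x‖c‖σ, n)
	return c, sig, k, nil
}

// SDecap follows K.sDecap(d, E, (c, σ)); every rejection is the paper's ⊥.
func SDecap(d *rsa.PrivateKey, E ed25519.PublicKey, c, sig []byte) ([]byte, error) {
	if !ed25519.Verify(E, concat(E, c), sig) { // 1-2. Σ.Vfy(vk, vk‖c, σ) = 0 → ⊥
		return nil, errReject
	}
	msg, err := rsa.DecryptOAEP(sha256.New(), nil, d, c, nil) // 3. vk'‖x'‖τ' ← Π.Dec(dk, c)
	if err != nil || len(msg) != vkLen+xLen+sha256.Size {
		return nil, errReject
	}
	vk2, x2, tau2 := msg[:vkLen], msg[vkLen:vkLen+xLen], msg[vkLen+xLen:]
	if !bytes.Equal(vk2, E) { // 4. vk ≠ vk' → ⊥: the signing key must be the key sealed inside c
		return nil, errReject
	}
	kappa := cprfCEval(tau2, x2)                            // 5. κ' from τ' alone; msk is never needed
	return kdf(kappa, nil, concat(x2, c, sig), keyLen), nil // 6. KDF(κ', ∅, x'‖c‖σ, n)
}

func main() {
	e, _ := EKeyGen()
	d, _ := DKeyGen()
	c, sig, k, _ := SEncap(e, &d.PublicKey)
	k2, err := SDecap(d, e.VK, c, sig)
	fmt.Println("decapsulated key matches:", err == nil && bytes.Equal(k, k2))
}
```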
3.3 Security Proof
Theorem 3.1. Suppose that P̂ is a constrained PRF (cPRF), that Π is a well-spread, IND-CCA-secure PKE, that KDF is a KDF-IND-secure KDF, and that Σ is an SUF-CMA-secure DS against efficient QPT adversaries. Then the split KEM described in Fig. 7 is a mm-IND-CCA-secure split KEM against efficient QPT adversaries. More precisely, for any efficient QPT adversary A against the split KEM K that makes $q_{\mathrm{sEncap}}$ sEncap queries, there exist efficient QPT adversaries $B_1, B_2, B_3, B_4$ such that
$$\mathrm{Adv}^{\text{mm-IND-CCA}}_{K,A}(n) \le \frac{q_{\mathrm{sEncap}}}{2^{\gamma}} + \mathrm{Adv}^{\mathrm{rndm}}_{\hat{P},B_1}(n) + \mathrm{Adv}^{\text{IND-CCA}}_{\Pi,B_2}(n) + \mathrm{Adv}^{\text{SUF-CMA}}_{\Sigma,B_3}(n) + \mathrm{Adv}^{\text{KDF-IND}}_{\mathrm{KDF},B_4}(n). \tag{10}$$
Proof. We will prove our main result by performing a series of game hops. The aim is to decouple the ciphertext and key A receives from each other, and thus leave the adversary with no better option than to flip its own coin to guess b.
Game 0. We begin by considering the original security experiment in Fig. 8 as $G_0$. Thus, we have
$$\mathrm{Adv}^{G_0}_{K,A}(n) = \Big|\Pr\big[\mathrm{Expt}^{\text{mm-IND-CCA}}_{K,A}(n) = 1\big] - \tfrac{1}{2}\Big|. \tag{11}$$
Expt^{mm-IND-CCA}_{K,A}(n):
  1. n_l, n_r ← 0
  2. Π.KeyGen(1^n) → (ek, dk)
  3. D* = ek, d* = dk
  4. P̂.Setup(1^n) → msk
  5. Σ.KeyGen(1^n) → (sk, vk)
  6. E* = vk, e* = (vk, sk, msk)
  7. x* ←$ X
  8. P̂.Con(msk, id_{x*}) → τ_{x*}
  9. Π.Enc(ek, E*‖x*‖τ_{x*}) → c*
  10. Σ.Sign(sk, E*‖c*) → σ*
  11. P̂.Eval(msk, x*) → κ*
  12. KDF(κ*, ∅, x*‖c*‖σ*, n) → k_0
  13. k_1 ←$ Y
  14. b ←$ {0, 1}
  15. b′ ← A^{O_E(·), O_D(·,·)}(E*, D*, (c*, σ*), k_b)
  16. return b = b′
O_D(E, (c, σ)):
  1. if n_l ≥ l, return ⊥
  2. else n_l += 1
  3. if (E, (c, σ)) = (E*, (c*, σ*)), return ⊥
  4. k ← sDecap(d*, E, (c, σ)); return k
O_E(D):
  1. if n_r ≥ r, return ⊥
  2. else n_r += 1
  3. ((c, σ), k) ← sEncap(e*, D)
  4. if (D, (c, σ)) = (D*, (c*, σ*)), return ⊥
  5. else return ((c, σ), k)
Figure 8: Game 0.
Game 1. The first game, $G_1$, is identical to the original experiment, except that we abort the game if the challenge ciphertext c* is output by the encapsulation oracle. By assumption Π is well-spread, and so the probability of this abort condition occurring is bounded by $q_{\mathrm{sEncap}}/2^{\gamma}$. Thus, we have that
$$\mathrm{Adv}^{G_0}_{K,A}(n) \le \mathrm{Adv}^{G_1}_{K,A}(n) + \frac{q_{\mathrm{sEncap}}}{2^{\gamma}}. \tag{12}$$
Game 2. In the next game, $G_2$ (Fig. 9), we modify the decapsulation oracle so that it returns ⊥ on any query involving c*. We claim that this change cannot meaningfully be noticed by the adversary unless they are able to undermine the SUF-CMA-security of Σ.
Claim 1.
$$\mathrm{Adv}^{G_1}_{K,A}(n) \le \mathrm{Adv}^{G_2}_{K,A}(n) + \mathrm{Adv}^{\text{SUF-CMA}}_{\Sigma,B_1}(n). \tag{13}$$
Proof of Claim 1. To prove our claim, we consider the structure of queries containing c* and how they are handled in $G_1$.
1. (E*, (c*, σ*)). This query is prohibited in $G_1$; therefore, in both games, ⊥ is returned.
2. (E ≠ E*, (c*, σ*)). In this query, the verification key submitted is different from the challenge verification key encrypted within c*. In $G_1$, such a query would result in the signature verification algorithm returning 0, thus returning ⊥.
3. (E ≠ E*, (c*, σ ≠ σ*)). In this query, both the verification key and the signature differ from the challenge values. Regardless, if the signature verifies in $G_0$, the oracle will then check if E = E*, which by assumption they are not, and thus the oracle will return ⊥.
4. (E*, (c*, σ ≠ σ*)). In this query, only the signature is different from the challenge. In $G_1$, this query does not return ⊥ if the signature can be correctly verified with E*, while in $G_2$ it will always result in rejection.
Next, we show that the probability that a query of type 4 is accepted is bounded above by the probability that an SUF-CMA adversary, $B_1$, is able to win the SUF-CMA experiment using A.
To see this, suppose that $B_1$ is an SUF-CMA attacker of Σ, as described in Fig. 2. After being given the verification key, E* = vk*, by its challenger, as well as the signing oracle, $B_1$ then runs Π.KeyGen(1^n) and P̂.Setup(1^n) to obtain (D* = ek, dk) and msk, respectively.
Next, $B_1$ randomly selects x* from the domain of P̂ and computes the constrained key τ_{x*}, before encrypting vk*‖x*‖τ_{x*} with the encryption key ek to create c*. It then computes the real key k_0 as in Figure 7, selects k_1 at random, and flips a bit b before sending (E*, D*, (c*, σ*), k_b) to A, where σ* is created by submitting E*‖c* to its signing oracle.
Equipped with the keys and the signing oracle, $B_1$ can simply impersonate the oracles of A. By maintaining its own list of the signatures created by its oracle, if $B_1$ is given a decapsulation query of type 4, which verifies under the challenge key E* and contains a signature it did not record, $B_1$ then submits this query as its answer to the SUF-CMA experiment and wins.
By the assumption that Σ is SUF-CMA secure, this can happen only with negligible probability, and thus our claim holds.
Expt^{mm-IND-CCA}_{K,A}(n):
  1. n_l, n_r ← 0
  2. Π.KeyGen(1^n) → (ek, dk)
  3. D* = ek, d* = dk
  4. P̂.Setup(1^n) → msk
  5. Σ.KeyGen(1^n) → (sk, vk)
  6. E* = vk, e* = (vk, sk, msk)
  7. x* ←$ X
  8. P̂.Con(msk, id_{x*}) → τ_{x*}
  9. Π.Enc(ek, E*‖x*‖τ_{x*}) → c*
  10. Σ.Sign(sk, E*‖c*) → σ*
  11. P̂.Eval(msk, x*) → κ*
  12. KDF(κ*, ∅, x*‖c*‖σ*, n) → k_0
  13. k_1 ←$ Y
  14. b ←$ {0, 1}
  15. b′ ← A^{O_E(·), O_D(·,·)}(E*, D*, (c*, σ*), k_b)
  16. return b = b′
O_D(E, (c, σ)):
  1. if n_l ≥ l, return ⊥
  2. else n_l += 1
  3. if c = c*, return ⊥
  4. k ← sDecap(d*, E, (c, σ)); return k
O_E(D):
  1. if n_r ≥ r, return ⊥
  2. else n_r += 1
  3. ((c, σ), k) ← sEncap(e*, D)
  4. if c = c*, return ⊥
  5. else return ((c, σ), k)
Figure 9: Game 2.
Game 3. In the next game, $G_3$ (Fig. 10), we modify the sEncap algorithm to replace the constrained key τ_{x*} with a string of 1s of equal length during encryption. We claim that this replacement cannot non-negligibly change the probability of A winning. Before we prove this claim formally, we provide an informal explanation. By assumption, Π is IND-CCA-secure. If this change results in A being more likely to win the experiment, then an attacker against Π's IND-CCA-security can simulate A and estimate its probability of winning to decide which message was encrypted. Now we provide the formal details.
Expt^{mm-IND-CCA}_{K,A}(n):
  1. n_l, n_r ← 0
  2. Π.KeyGen(1^n) → (ek, dk)
  3. D* = ek, d* = dk
  4. P̂.Setup(1^n) → msk
  5. Σ.KeyGen(1^n) → (sk, vk)
  6. E* = vk, e* = (vk, sk, msk)
  7. x* ←$ X
  8. P̂.Con(msk, id_{x*}) → τ_{x*}
  9. Π.Enc(ek, E*‖x*‖1^{|τ_{x*}|}) → c*
  10. Σ.Sign(sk, E*‖c*) → σ*
  11. P̂.Eval(msk, x*) → κ*
  12. KDF(κ*, ∅, x*‖c*‖σ*, n) → k_0
  13. k_1 ←$ Y
  14. b ←$ {0, 1}
  15. b′ ← A^{O_E(·), O_D(·,·)}(E*, D*, (c*, σ*), k_b)
  16. return b = b′
O_D(E, (c, σ)):
  1. if n_l ≥ l, return ⊥
  2. else n_l += 1
  3. if c = c*, return ⊥
  4. k ← sDecap(d*, E, (c, σ)); return k
O_E(D):
  1. if n_r ≥ r, return ⊥
  2. else n_r += 1
  3. ((c, σ), k) ← sEncap(e*, D)
  4. if c = c*, return ⊥
  5. else return ((c, σ), k)
Figure 10: Game 3.
Claim 2.
$$\mathrm{Adv}^{G_2}_{K,A}(n) \le \mathrm{Adv}^{G_3}_{K,A}(n) + \mathrm{Adv}^{\text{IND-CCA}}_{\Pi,B_2}(n). \tag{14}$$
Proof of Claim 2. Suppose that $B_2$ is an IND-CCA attacker of Π, as described in Fig. 1. After being given the public key D* = ek by the challenger, $B_2$ first runs Σ.KeyGen(1^n) and P̂.Setup(1^n) to obtain (sk, vk = E*) and msk, respectively. Next, $B_2$ chooses x* uniformly at random from the domain of P̂ and computes P̂.Con(msk, id_{x*}) → τ_{x*}. Afterwards, $B_2$ submits E*‖x*‖τ_{x*} and E*‖x*‖1^{|τ_{x*}|} as its two challenge messages to the challenger, and receives c* back. Next, $B_2$ signs E*‖c* to create the signature σ*, computes the real key k_0 as in Figure 7, and selects k_1 uniformly at random. Finally, $B_2$ flips a bit b ∈ {0, 1} and forwards (E*, D*, (c*, σ*), k_b) to A.
Before $B_2$ submits the challenge messages, it is able to perfectly simulate the oracles of A with the aid of its decryption oracle. Furthermore, after $B_2$ submits its messages, its decryption oracle is changed so that it will reject c*. However, by $G_1$ all queries involving c* will return ⊥, and therefore $B_2$ does not need to query its oracle on c* to be able to answer queries involving c*. Thus, $B_2$ can still perfectly simulate the oracles of A using its secret keys and oracle.
At this point, depending on which message is chosen by the IND-CCA challenger, $B_2$'s simulation will correspond to either $G_2$ or $G_3$. If the change made between games results in a non-negligible change in A's probability of winning, then by estimating this probability $B_2$ can distinguish which message was chosen and win the IND-CCA experiment. Thus, we conclude that
$$\mathrm{Adv}^{G_2}_{K,A}(n) \le \mathrm{Adv}^{G_3}_{K,A}(n) + \mathrm{Adv}^{\text{IND-CCA}}_{\Pi,B_2}(n). \tag{15}$$
Game 4. In the next game, $G_4$ (Figure 11), we modify the sEncap algorithm to replace P̂.Eval(msk, x*) with a uniformly random κ*. We claim that if this change results in A being able to win $G_3$ with some non-negligible probability, then A can be used by another adversary, $B_3$, to win $\mathrm{Expt}^{\mathrm{rndm}}_{\hat{P},B_3}$ with the same probability.
Claim 3.
$$\mathrm{Adv}^{G_3}_{K,A}(n) \le \mathrm{Adv}^{G_4}_{K,A}(n) + \mathrm{Adv}^{\mathrm{rndm}}_{\hat{P},B_3}(n). \tag{16}$$
Proof of Claim 3. To see this, consider $B_3$ in the $\mathrm{Expt}^{\mathrm{rndm}}_{\hat{P},B_3}(n)$ experiment described in Fig. 4. After the experiment begins and $B_3$ is given 1^n and its oracles, it runs Π.KeyGen(1^n) and Σ.KeyGen(1^n) to obtain (D* = ek, dk) and (E* = vk, sk), respectively.
To create the challenge input for A, $B_3$ does the following: it selects x* uniformly at random and submits it to the experiment challenger to receive y_b, which is either y_0 ← P̂.Eval(msk, x*) or y_1 ←$ Y, depending on the bit chosen by the challenger. Next, $B_3$ uses D* to create the ciphertext c* of the message E*‖x*‖1^l, where l is the length of the constrained key computed from x*. Subsequently, $B_3$ uses sk to sign E*‖c*, obtaining σ*. Finally, $B_3$ computes KDF(y_b, ∅, x*‖c*‖σ*, n) and submits (E*, D*, (c*, σ*), y_b) to A.
In order to answer an encapsulation query D′, $B_3$ does the following: it chooses x′ uniformly at random and not equal to x*. Next, it queries both the Con and Eval oracles on x′ to obtain τ_{x′} and ξ′, respectively. It then encrypts E*‖x′‖τ_{x′} to produce c and creates the signature σ for the message E*‖c. Lastly, $B_3$ computes the key as k′ = KDF(ξ′, ∅, x′‖c‖σ, n). Finally, $B_3$ returns ((c, σ), k′) to A.
When A makes a decryption query (E′, c, σ), $B_3$ first checks if the signature is valid on E′‖c. If it is not, it rejects and returns ⊥. Otherwise, $B_3$ decrypts the ciphertext c using its decryption key dk to recover the message E″‖x′‖τ′, and confirms whether E′ = E″. If not, it returns ⊥, and otherwise computes P̂.cEval(τ′, x′) = ξ′ and returns KDF(ξ′, ∅, x′‖c‖σ, n).
We note that $B_3$ handles decryption queries involving c* by simply rejecting and returning ⊥, as in game $G_2$. This ensures that it avoids having to query its own oracles on x* and lose its experiment.
Eventually, A submits its guess bit b′, which $B_3$ forwards to its own challenger. If $B_3$'s challenger's bit was 0, then $B_3$ received the true evaluation of x*, and A was given the real key as part of the input (E*, D*, (c*, σ*), y_b). Thus, $B_3$ was simulating $G_3$ to A. Similarly, if the bit was 1, then $B_3$, and consequently A, were given a random key, and so $B_3$ was simulating $G_4$ to A. Thus, if the change from $G_3$ to $G_4$ results in a significant increase in A's probability of winning, then $B_3$ can win its experiment with the same probability. However, by assumption P̂ is a pseudorandom constrained PRF, and thus the difference must be negligible.
Expt^{mm-IND-CCA}_{K,A}(n):
  1. n_l, n_r ← 0
  2. Π.KeyGen(1^n) → (ek, dk)
  3. D* = ek, d* = dk
  4. P̂.Setup(1^n) → msk
  5. Σ.KeyGen(1^n) → (sk, vk)
  6. E* = vk, e* = (vk, sk, msk)
  7. x* ←$ X
  8. P̂.Con(msk, id_{x*}) → τ_{x*}
  9. Π.Enc(ek, E*‖x*‖1^{|τ_{x*}|}) → c*
  10. Σ.Sign(sk, E*‖c*) → σ*
  11. ξ* ←$ X
  12. KDF(ξ*, ∅, x*‖c*‖σ*, n) → k_0
  13. k_1 ←$ Y
  14. b ←$ {0, 1}
  15. b′ ← A^{O_E(·), O_D(·,·)}(E*, D*, (c*, σ*), k_b)
  16. return b = b′
O_D(E, (c, σ)):
  1. if n_l ≥ l, return ⊥
  2. else n_l += 1
  3. if c = c*, return ⊥
  4. k ← sDecap(d*, E, (c, σ)); return k
O_E(D):
  1. if n_r ≥ r, return ⊥
  2. else n_r += 1
  3. ((c, σ), k) ← sEncap(e*, D)
  4. if c = c*, return ⊥
  5. else return ((c, σ), k)
Figure 11: Game 4.
Finally, we show that A's probability of winning in $G_4$ is at most negligible, and that if it is not, this implies an attack on the KDF-IND-security of KDF.
Claim 4.
$$\mathrm{Adv}^{G_4}_{K,A}(n) \le \mathrm{Adv}^{\text{KDF-IND}}_{\hat{P},B_4}(n). \tag{17}$$
Proof of Claim 4. To see this, consider $B_4$ in the $\mathrm{Expt}^{\text{KDF-IND}}_{\hat{P},B_4}(n)$ experiment described in Fig. 3. After the KDF-IND experiment has begun, $B_4$ is given (a, s) and access to the KDF oracle. It then runs Σ.KeyGen(1^n), Π.KeyGen(1^n), and P̂.Setup(1^n) to receive (E* = vk, sk), (D* = ek, dk) and msk, respectively. From there, it samples a uniformly random x*, computes P̂.Con(msk, id_{x*}) to obtain τ_{x*}, and records its length. Next, it generates the ciphertext c* = Π.Enc(ek, E*‖x*‖1^{|τ_{x*}|}) and the signature σ* = Σ.Sign(sk, E*‖c*). Finally, $B_4$ submits (x*‖c*‖σ*, n) as its challenge, receives k_b, and sends (E*, D*, (c*, σ*), k_b) to A.
In order to answer A's encapsulation queries, $B_4$ does the following: it selects an x′ ≠ x*, and then, using the keys it generated, computes τ_{x′}, the ciphertext c = Π.Enc(ek, E*‖x′‖τ_{x′}), and the signature σ for E*‖c. Lastly, $B_4$ queries its oracle on (x′‖c‖σ, n) to get k and outputs ((c, σ), k) to A.
Decapsulation queries are handled by $B_4$ as follows. Any queries involving c* have ⊥ returned, according to the change made in $G_2$. For all other queries (E, (c, σ)), $B_4$ first verifies the signature σ for the message E‖c using E. If this fails, $B_4$ aborts and returns ⊥. Otherwise, $B_4$ continues and uses the decryption key dk it possesses to decrypt c to recover E′‖x′‖τ′. Next, $B_4$ confirms that E = E′ and aborts if not. If E = E′, then $B_4$ computes P̂.cEval(τ′, x′) = κ, then computes and returns KDF(κ, ∅, x′‖c‖σ, n).
Eventually, A will output a guess b′ and $B_4$ will copy this guess. Thus, when A wins its experiment, $B_4$ will also win its experiment. Therefore, we have
$$\mathrm{Adv}^{G_4}_{K,A}(n) \le \mathrm{Adv}^{\text{KDF-IND}}_{\hat{P},B_4}(n). \tag{18}$$
Thus, our claim holds, and our proof is concluded.
3.4 Discussion and Limitations
When split KEMs were originally introduced by Brendel et al. as an option to replace DH key agreement with a quantum-resistant alternative, they constructed a split KEM directly from the RLWE problem (Brendel et al., 2020). Although their construction is elegant in design, it was only shown to be nn-IND-CCA secure. Thus, while our main result does require a more involved construction with several input primitives, we realize full mm-IND-CCA-security. Furthermore, as a generic construction, it allows for plug-and-play implementations, rather than being limited to a single hard problem that may eventually be efficiently solved.
Brendel, Fiedler, Günther, Janson, and Stebila followed up their work on split KEMs with the deniable asynchronous key exchange protocol SPQR (Brendel et al., 2021). As stated in the introduction, our construction shares similarities with SPQR, with two key differences. First, SPQR possesses a deniability property, whereas we do not prove such a property for our construction. The second key distinction is their use of a designated verifier signature (DVS) scheme. By using a DVS, their scheme does not allow for the signing of semistatic keys, which is present in the Signal protocol, as signing requires a specific partner's public key. Our construction relies on the use of a standard DS, and so the signing of semistatic keys can be performed without deploying an additional DS, which would be needed for SPQR.
Compared to the SC-AKE of Hashimoto, Katsumata, Kwiatkowski, and Prest, our construction requires stronger assumptions on its input ingredients. We require an IND-CCA-secure PKE and a SUF-CMA DS, whereas SC-AKE needs an IND-CCA-secure KEM and an EUF-CMA DS. However, despite its relaxed assumptions, SC-AKE does not clearly address the problem of a KEM-based replacement for Signal, as shown by Bindel et al. (Brendel et al., 2020).
There is a lack of keying material produced from the
semistatic key of Bob and the long-term key of Alice.
Split KEMs were created to ensure that this key mate-
rial is produced and, as such, our construction is able
to replicate this part of the Signal protocol.
4 CONCLUSION AND FUTURE
WORK
The Diffie-Hellman problem is an extremely widespread and efficient tool for constructing key agreement schemes, but one that must be replaced with a post-quantum alternative. One such scheme that is put at
risk by quantum attacks is the X3DH subprotocol of
the Signal protocol, which relies on the intractability
of the Diffie-Hellman problem. Crucially, the X3DH
step allows for asynchronous key generation between
parties.
Although there have been several works that have
presented replacements for the X3DH protocol from
the point of view of AKEs, an alternative option is
the use of the relatively novel cryptosystem of split
KEMs. These types of KEMs present a generic way
to replicate the message flows of DH-based key agree-
ment schemes. In particular, they can be used to ex-
actly mirror the X3DH protocol, by producing keying
material that is parallel to those used in the traditional
protocol, something that standard KEMs cannot do
without breaking the desirable asynchronicity prop-
erty of X3DH.
In this work, we present a split KEM combiner
from a PKE, a signature algorithm, and a constrained
PRF to create a fully adaptive mm IND-CCA-secure
split KEM. We leverage the ability of the constrained
PRF to produce restricted domain keys from the mas-
ter secret key so that a third party may evaluate the
limited domain as if they held the master secret key.
In our split KEM, the encapsulator computes a con-
strained key, whose domain is a single, randomly cho-
sen point. This key and point pair are then sent to
the decapsulator using the PKE, while the signature
is placed on the ciphertext to verify that there has
not been any interference by an attacker. We then
prove the lr-IND-CCA-security of our split KEM with
a tight reduction in the standard model. Notably, due
to our construction constraining to singleton set do-
mains, we are able to convert standard PRFs into suit-
able constrained PRFs directly.
As we were able to achieve fully adaptive mm
IND-CCA-security, our split KEM presents a viable
solution to replace the current DH-based key agree-
ment. Furthermore, as our construction is a generic
black-box construction, it will remain an evergreen
method to ensure that DH-like communication is pos-
sible with suitable cryptographic primitives in the fu-
ture.
4.1 Future Work
We leave it as an open question whether a strongly se-
cure split KEM can be directly constructed from post-
quantum assumptions, such as LWE. Another ques-
tion inspired directly from our result is whether there
can be any relaxation of our assumptions, in partic-
ular, the need for an IND-CCA-secure PKE. Further-
more, there is still an open question as to how to con-
struct additional split KEMs via black-box combiners.
As for future work, the most significant limitation
of our work is that we have restricted ourselves to split
KEMs, which do not have the same history of study
and familiarity as AKEs. Thus, we plan to investi-
gate how to transform our construction into an ap-
propriate type of AKE, such as a Signal-Conforming
AKE. Moreover, we will investigate whether there are
any possible efficiency gains from translating our split
KEM into an appropriate AKE. This would include
things such as lowering the bandwidth of communi-
cation by removing any redundancies introduced by
a generic conversion from split KEM to SC-AKE or
deniable AKE. Another important direction for the fu-
ture of split KEMs is to define the notion of deni-
ability. The Signal protocol possesses the property
that transcripts between Alice and Bob cannot con-
firm with certainty that either truly participated, as the
DH shares are used for authentication as opposed to
signatures. As our construction relies on the use of
traditional signatures, it intuitively cannot be a deni-
able scheme. Thus, in contexts where deniability is
vital, how to construct a split KEM with this property
is an open problem.
REFERENCES
Signal protocol. Technical documentation.
Attrapadung, N., Matsuda, T., Nishimaki, R., Yamada, S., and Yamakawa, T. (2018). Constrained PRFs for NC^1 in traditional groups. In Shacham, H. and Boldyreva, A., editors, Advances in Cryptology – CRYPTO 2018, pages 543–574, Cham. Springer International Publishing.
Boneh, D., Lewi, K., and Wu, D. J. (2017). Constraining pseudorandom functions privately. In Fehr, S., editor, Public-Key Cryptography – PKC 2017, pages 494–524, Berlin, Heidelberg. Springer Berlin Heidelberg.
Boneh, D. and Waters, B. (2013). Constrained pseudo-
random functions and their applications. In Sako, K.
and Sarkar, P., editors, Advances in Cryptology - ASI-
ACRYPT 2013, pages 280–300, Berlin, Heidelberg.
Springer Berlin Heidelberg.
Boyd, C., Cliff, Y., Gonzalez Nieto, J., and Paterson, K. G.
(2008). Efficient one-round key exchange in the stan-
dard model. In Mu, Y., Susilo, W., and Seberry, J.,
editors, Information Security and Privacy, pages 69–
83, Berlin, Heidelberg. Springer Berlin Heidelberg.
Boyle, E., Goldwasser, S., and Ivan, I. (2014). Functional signatures and pseudorandom functions. In Krawczyk, H., editor, Public-Key Cryptography – PKC 2014, pages 501–519, Berlin, Heidelberg. Springer Berlin Heidelberg.
Brakerski, Z. and Vaikuntanathan, V. (2015). Constrained key-homomorphic PRFs from standard lattice assumptions. In Dodis, Y. and Nielsen, J. B., editors, Theory of Cryptography, pages 1–30, Berlin, Heidelberg. Springer Berlin Heidelberg.
Brendel, J., Fiedler, R., Günther, F., Janson, C., and Stebila, D. (2021). Post-quantum asynchronous deniable key exchange and the Signal handshake. In IACR Cryptology ePrint Archive.
Brendel, J., Fischlin, M., Günther, F., Janson, C., and
Stebila, D. (2020). Towards post-quantum secu-
rity for Signal’s X3DH handshake. In Jr., M. J. J.,
Dunkelman, O., and O’Flynn, C., editors, Proc.
27th Conference on Selected Areas in Cryptography
(SAC) 2020, LNCS. Springer. To appear. Cryptol-
ogy ePrint Archive, Report 2019/1356. http://eprint.
iacr.org/2019/1356.
Canetti, R. and Chen, Y. (2017). Constraint-hiding constrained PRFs for NC^1 from LWE. In Coron, J.-S. and Nielsen, J. B., editors, Advances in Cryptology – EUROCRYPT 2017, pages 446–476, Cham. Springer International Publishing.
Castryck, W. and Decru, T. (2023). An efficient key recovery attack on SIDH. In Hazay, C. and Stam, M., editors, Advances in Cryptology – EUROCRYPT 2023, pages 423–447, Cham. Springer Nature Switzerland.
Castryck, W., Lange, T., Martindale, C., Panny, L., and Renes, J. (2018). CSIDH: An efficient post-quantum commutative group action. In Peyrin, T. and Galbraith, S., editors, Advances in Cryptology – ASIACRYPT 2018, pages 395–427, Cham. Springer International Publishing.
Chuah, C. W., Dawson, E., and Simpson, L. (2013). Key derivation function: The SCKDF scheme. In Janczewski, L. J., Wolfe, H. B., and Shenoi, S., editors, Security and Privacy Protection in Information Processing Systems, pages 125–138, Berlin, Heidelberg. Springer Berlin Heidelberg.
Davidson, A., Katsumata, S., Nishimaki, R., Yamada,
S., and Yamakawa, T. (2020). Adaptively secure
constrained pseudorandom functions in the standard
model. In Micciancio, D. and Ristenpart, T., editors,
Advances in Cryptology – CRYPTO 2020, pages 559–
589, Cham. Springer International Publishing.
Dierks, T. and Rescorla, E. (2008). The Transport Layer
Security (TLS) Protocol Version 1.2. RFC 5246 (Pro-
posed Standard). Updated by RFCs 5746, 5878, 6176.
Diffie, W. and Hellman, M. (2006). New directions in cryp-
tography. IEEE Trans. Inf. Theor., 22(6):644–654.
Dobson, S. and Galbraith, S. D. (2022). Post-quantum Signal key agreement from SIDH. In Cheon, J. H. and Johansson, T., editors, Post-Quantum Cryptography, pages 422–450, Cham. Springer International Publishing.
Fujisaki, E. and Okamoto, T. (2013). Secure integration of asymmetric and symmetric encryption schemes. Journal of Cryptology, 26(1):80–101.
Hashimoto, K., Katsumata, S., Kwiatkowski, K., and Prest, T. (2022). An efficient and generic construction for Signal's handshake (X3DH): Post-quantum, state leakage secure, and deniable. Journal of Cryptology, 35(3).
Hofheinz, D., Kamath, A., Koppula, V., and Waters, B.
(2019). Adaptively secure constrained pseudorandom
functions. In Goldberg, I. and Moore, T., editors, Fi-
nancial Cryptography and Data Security, pages 357–
376, Cham. Springer International Publishing.
Huang, Q., Wong, D. S., Li, J., and Zhao, Y.-M. (2008).
Generic transformation from weakly to strongly un-
forgeable signatures. Journal of Computer Science
and Technology, 23(2):240–252.
Huang, Q., Wong, D. S., and Zhao, Y. (2007). Generic
transformation to strongly unforgeable signatures. In
Katz, J. and Yung, M., editors, Applied Cryptogra-
phy and Network Security, pages 1–17, Berlin, Hei-
delberg. Springer Berlin Heidelberg.
WhatsApp Inc. (2016). WhatsApp encryption overview: Technical white paper.
Kiayias, A., Papadopoulos, S., Triandopoulos, N., and
Zacharias, T. (2013). Delegatable pseudorandom
functions and applications. In Proceedings of the 2013
ACM SIGSAC Conference on Computer & Communi-
cations Security, CCS ’13, page 669–684, New York,
NY, USA. Association for Computing Machinery.
Kiltz, E. (2007). Chosen-ciphertext secure key-encapsulation based on gap hashed Diffie-Hellman. In Okamoto, T. and Wang, X., editors, Public Key Cryptography – PKC 2007, pages 282–297, Berlin, Heidelberg. Springer Berlin Heidelberg.
Krawczyk, H. (2005). HMQV: A high-performance secure Diffie-Hellman protocol. In Shoup, V., editor, Advances in Cryptology – CRYPTO 2005, pages 546–566, Berlin, Heidelberg. Springer Berlin Heidelberg.
Lauter, K. and Mityagin, A. (2006). Security analysis of KEA authenticated key exchange protocol. In Yung, M., Dodis, Y., Kiayias, A., and Malkin, T., editors, Public Key Cryptography – PKC 2006, pages 378–394, Berlin, Heidelberg. Springer Berlin Heidelberg.
Marlinspike, M. and Perrin, T. (2016). The X3DH key agreement protocol. Open Whisper Systems, 283:10.
Okamoto, T. (2007). Authenticated key exchange and key encapsulation in the standard model. In Kurosawa, K., editor, Advances in Cryptology – ASIACRYPT 2007, pages 474–484, Berlin, Heidelberg. Springer Berlin Heidelberg.
Peikert, C. and Shiehian, S. (2018). Privately constraining and programming PRFs, the LWE way. In Abdalla, M. and Dahab, R., editors, Public-Key Cryptography – PKC 2018 – 21st IACR International Conference on Practice and Theory of Public-Key Cryptography, Rio de Janeiro, Brazil, March 25-29, 2018, Proceedings, Part II, volume 10770 of Lecture Notes in Computer Science, pages 675–701. Springer.
Rescorla, E. (2018). The Transport Layer Security (TLS)
Protocol Version 1.3. RFC 8446.
Shor, P. W. (1994). Algorithms for Quantum Computation:
Discrete Logarithms and Factoring. In Proceedings of
the 35th Annual Symposium on Foundations of Com-
puter Science, SFCS ’94, pages 124–134, Washing-
ton, DC, USA. IEEE Computer Society.
Steinfeld, R., Pieprzyk, J., and Wang, H. (2006). How to
strengthen any weakly unforgeable signature into a
strongly unforgeable signature. In Abe, M., editor,
Topics in Cryptology – CT-RSA 2007, pages 357–371,
Berlin, Heidelberg. Springer Berlin Heidelberg.
Wang, Y. and Tanaka, K. (2015). Generic transformation to
strongly existentially unforgeable signature schemes
with continuous leakage resiliency. In Foo, E. and
Stebila, D., editors, Information Security and Privacy,
pages 213–229, Cham. Springer International Pub-
lishing.
APPENDIX
In this Appendix, we show how to construct a cPRF for the class of circuits of indicator functions for singleton sets from a standard PRF. We first give the definition of a (standard) PRF and the relevant security definition, and then present our construction and its proof of security.
Definition 4.1. A PRF P is a pair of algorithms (Setup, Eval) over domain X and range Y:
Setup(1^n): given the security parameter n, outputs a master secret key msk.
Eval(msk, x): given the master secret key msk and an input x ∈ X, outputs some y ∈ Y.
Definition 4.2. A PRF, P, with domain and range X is said to be pseudorandom if for all adversaries A we have that
$$\mathrm{Adv}^{\mathrm{rndm}}_{P,A}(n) := \Big|\Pr\big[\mathrm{Expt}^{\mathrm{rndm}}_{P,A}(n) = 1\big] - \tfrac{1}{2}\Big| \tag{19}$$
is a negligible function in n, where $\mathrm{Expt}^{\mathrm{rndm}}_{P,A}(n)$ is defined in Figure 12 (Boneh and Waters, 2013).
Expt^{rndm}_{P,A}(n):
  1. msk ←$ P.Setup(1^n), L = ∅
  2. (x*, st) ← A^{O_{P.Eval}(msk,·)}(1^n)
  3. y_0 ← P.Eval(msk, x*), y_1 ←$ Y
  4. b ←$ {0, 1}
  5. b′ ← A^{O_{P.Eval}(msk,·)}(y_b, st)
  6. return [b = b′] ∧ [x* ∉ L]
O_{P.Eval}(msk, x):
  1. L ← L ∪ {x}
  2. return P.Eval(msk, x)
Figure 12: The pseudorandomness experiment for PRF, P.
We now present a construction for a constrained PRF, P̂, which is suitable for our split KEM construction, from the standard PRF P = (Setup, Eval) below.
We denote the constraining function for the singleton
set, {x}, as f
x
, where f
x
(x
) = 1 if and only if x
= x
and 0 otherwise, and denote the corresponding con-
strained key as τ
x
.
P .Setup(1
n
):
1. P.Setup(1
n
) msk
2. return msk
P .Eval(msk,x):
1. y P.Eval(P.Eval(msk,x), x)
2. return y
P .Con(msk, f
x
):
1. P.Eval(msk, x) τ
x
2. return τ
x
P .cEval(τ
x
):
1. P.Eval(τ
x
,x) y
2. return y
Figure 13: A constrained PRF, P , for singleton sets from a
standard PRF, P.
Theorem 4.1. Let P be a pseudorandom PRF with
domain and range X, and whose Setup algorithm out-
puts master secret keys that are statistically close to
uniformly at random, then the construction, P , in Fig-
ure 13 is a correct pseudorandom constrained PRF
over the circuit class of indicator functions for single-
ton sets.
Proof. We begin with the correctness of P . We will
slightly abuse the notation so that x will denote both
itself and f
x
the indicator function for the set {x}, for
x X . By the definition of Con, τ
x
= P.Eval(msk,x),
so we see that by construction P .Eval(msk,x) and
P .cEval(τ
x
,x) agree on all x
X such that f
x
(x
) = 1.
We now prove that $\bar{P}$ is pseudorandom via a series of game hops. We consider Game 0 as the security experiment $\mathrm{Expt}^{\mathrm{rndm}}_{\bar{P},A}(n)$ from Figure 4. That is,
$$\mathrm{Adv}^{G_0}_{\bar{P},A}(n) = \left|\Pr\left[\mathrm{Expt}^{\mathrm{rndm}}_{\bar{P},A}(n) = 1\right] - \frac{1}{2}\right|. \tag{20}$$
We note that by the definition of the security experiment, the $\bar{P}$ adversary cannot query any potential challenge value $x^*$ to either of its oracles without ensuring that it cannot win.
In Game 1, we modify the experiment to replace all instances of $P.\mathrm{Eval}(\mathsf{msk}, x^*)$ with a uniformly random value $r^* \in X$. To see that this cannot change $A$'s probability of winning the experiment, let $B_1$ be an adversary in the pseudorandomness experiment of $P$. Once $B_1$ is given oracle access to $O_{P.\mathrm{Eval}}(\mathsf{msk}, \cdot)$, it can simulate both of $A$'s oracles straightforwardly. Given an Eval query, $x$, from $A$, $B_1$ queries $O_{P.\mathrm{Eval}}(\mathsf{msk}, x)$ to get $y$, before computing and returning $P.\mathrm{Eval}(y, x) \rightarrow z$ itself. Queries made by $A$ to the Con oracle are handled with a single query to $O_{P.\mathrm{Eval}}(\mathsf{msk}, \cdot)$. Once $A$ submits an $x^*$, $B_1$ submits this as its own challenge in its experiment. Then, $y_b$ is given to $B_1$, who then computes $P.\mathrm{Eval}(y_b, x^*) \rightarrow z_0$ and selects a $z_1$ uniformly at random, before giving $A$ one of $z_0$ or $z_1$ at random. We note here that in the case where $A$ is given $z_0$, if $B_1$ was given $y_0$ then it is simulating Game 0 to $A$, and Game 1 otherwise.
If the change made in Game 1 results in $A$ being able to win its experiment with a non-negligible probability, then $B_1$ can win in its experiment as follows: estimate $A$'s probability of winning by simulation, and then guess $b' = 0$ if the probability is negligible, and $1$ otherwise. Note that this method of attack works only half of the time, as $B_1$ must have given $A$ $z_0$, which it chose uniformly at random. Thus, $B_1$ must run this entire process at least twice to account for this fact. By the assumption that $P$ is a pseudorandom PRF, this attack can only succeed with negligible probability, so the difference in the probabilities of $A$ winning between Game 0 and Game 1 is negligible. Thus, we have
$$\mathrm{Adv}^{G_1}_{\bar{P},A}(n) \le \mathrm{Adv}^{G_0}_{\bar{P},A}(n) + 2 \cdot \mathrm{Adv}^{\mathrm{rndm}}_{P,B_1}(n). \tag{21}$$
In Game 2, we now replace $P.\mathrm{Eval}(r^*, x^*)$ with a uniformly random $s^*$. By similar arguments as in Game 1, we will show that this change cannot meaningfully impact $A$'s chances of winning in the constrained PRF experiment without creating a contradiction.
Let $B_2$ be an adversary in the pseudorandomness experiment of $P$. Once $B_2$ is given oracle access, it can simulate $A$'s oracles as previously described in Game 1. When $A$ submits its challenge $x^*$, $B_2$ then copies this challenge. By the assumption on $P$ that its master secret keys are close to uniformly random, $B_2$ does not need to pick an $r^*$ itself. Next, $B_2$ receives $y_b$ and passes it to $A$. In particular, if $B_2$ was given the true evaluation, then it simulates Game 1 to $A$, and otherwise Game 2. When $A$ submits its guess bit $b'$, $B_2$ copies its answer. Since we are considering the circuit class of indicator functions for singleton sets, no query of $A$ requires $B_2$ to perform evaluations related to $x^*$, and so it can continue to perfectly simulate the necessary oracles to $A$. Should this change result in a non-negligible change to $A$'s probability of success, then $B_2$ is also able to win the PRF pseudorandomness experiment with the same probability. However, this contradicts our assumptions on $P$, so we can conclude that the difference in the probabilities of $A$ winning in Games 1 and 2 must be negligible. Moreover, in Game 2 $A$ receives a random value independent of the bit chosen by the experiment, and consequently has $0$ advantage in Game 2. Thus, we have
$$\mathrm{Adv}^{G_2}_{\bar{P},A}(n) \le \mathrm{Adv}^{G_1}_{\bar{P},A}(n) + \mathrm{Adv}^{\mathrm{rndm}}_{P,B_2}(n), \tag{22}$$
which concludes our proof.