On the Security of Opportunistic Re-Keying
Stefan Lucks
1
, David Schatz
2
and Guenter Schaefer
2
1
Bauhaus-Universität Weimar, Germany
2
Technische Universität Ilmenau, Germany
Keywords:
Opportunistic Re-Keying, KDF Chains, Quantum-Resistance.
Abstract:
Asymmetric cryptography is a cornerstone for security in modern IT infrastructures like virtual private net-
works (VPNs). Unfortunately, the security of currently deployed schemes is threatened by the ongoing re-
search in quantum computing. And while quantum-resistant alternatives exist, known as post-quantum cryp-
tography (PQC), analyses regarding their (implementation) security are not as mature, yet. Consequently,
solely relying on PQC might be susceptible to “store now, decrypt later” attacks. Instead, many researchers
suggest using “hybrid” key exchanges, e.g., combining classical asymmetric cryptography, PQC, and symmet-
ric alternatives like quantum key distribution (QKD) and multipath key reinforcement (MKR). In this article,
we formalize the idea of “opportunistic re-keying”, where a session key is continuously updated using input
key material that might be known or even chosen by an attacker. Assuming that at least one input key material
is not known to the attacker, we prove the security of the construction in the random oracle model. I.e., when
an ideal random function is used for combining the current internal state and new input to generate the next
session key and state. Further, we suggest two concrete parameter sets for the construction, corresponding to
the security categories 3 and 5 of the NIST standardization process for PQC.
1 INTRODUCTION
Upon existence of sufficiently large quantum com-
puters, “classical” asymmetric cryptography like the
RSA cryptosystem and the Diffie-Hellman key ex-
change will become insecure (Shor, 1997; Proos and
Zalka, 2003). And while such quantum computers do
not exist yet, attackers can store encrypted traffic now,
in the hope to break the underlying Diffie-Hellman
exchange at a later point in time (“store now, de-
crypt later”). Consequently, a transition to quantum-
resistant alternatives for the exchange of (symmetric)
key material is required as soon as possible. Note that
while quantum computers may also achieve a signifi-
cant advantage for brute-force attacks on symmetric
cryptography by using Grover’s algorithm (Grover,
1996) (halving the effective key size), it was shown
that brute-force attacks cannot be more efficient (Ben-
nett et al., 1997). Hence, symmetric cryptography
will remain secure as long as keys are large enough
(≥ 256bit) and the used algorithms do not show any
inherent weaknesses.
One apparently straightforward solution to real-
ize a quantum-resistant key exchange is a transition
to post-quantum cryptography (PQC) as a drop-in
replacement. The security of PQC key encapsula-
tion mechanisms (KEMs) relies on mathematical as-
sumptions which are supposed to hold even with re-
spect to quantum computers. However, the underly-
ing problems, especially for the more efficient can-
didates (e.g., the ones based on structured lattices),
are not studied as well as their “classical” counter-
parts yet. Similar, the thorough analysis of KEM im-
plementations (e.g., regarding side channel attacks) is
still an ongoing process. For this reason, and to imple-
ment cryptographic agility in general, many security
agencies around the world suggest to only use PQC
in addition to classical asymmetric cryptography for
the time being (“hybrid” approaches, e.g., suggested
in (Ehlen et al., 2022)).
Schatz et al. recently proposed to go one step
further and also integrate orthogonal approaches for
the exchange of key material whenever applica-
ble (Schatz et al., 2023; Schatz et al., 2024), which
has the advantage of being quantum-resistant even
if currently deployed KEMs turn out to be insecure.
Such orthogonal approaches include pre-shared keys
(PSKs), quantum key distribution (QKD), and mul-
tipath key reinforcement (MKR). Furthermore, they
argue to maximize the achievable security by com-
bining all key materials ever available into one active
session key instead of only relying on subsets of key
materials at a time. To avoid storing all key materi-
als ever collected, they suggest to iteratively combine
Lucks, S., Schatz, D. and Schaefer, G.
On the Security of Opportunistic Re-Keying.
DOI: 10.5220/0013458000003979
In Proceedings of the 22nd International Conference on Security and Cr yptography (SECRYPT 2025), pages 329-338
ISBN: 978-989-758-760-3; ISSN: 2184-7711
Copyright © 2025 by Paper published under CC license (CC BY-NC-ND 4.0)
329
them by using a KDF chain. I.e., the current session
key and new input key material is combined by using
a key derivation function (KDF). A simple synchro-
nization protocol can further detect any mismatch of
key material at the two involved parties so that the
KDF chains stay in sync. At first sight, such a con-
struction seems to guarantee that the current session
key is hidden from attackers as long as they do not
know all the inputs. However, this intuition was not
formally proven yet.
In this article, we formally model the described
construction and prove its security in the random or-
acle model (ROM). I.e., under the assumption that the
used KDF behaves like a random oracle, the probabil-
ity that an attacker is able to disclose the session key
is negligible, even if he is able to freely control all
but one input to the chain. As the underlying function
strictly speaking does not have to be a KDF, we pre-
fer the term opportunistic re-keying instead of KDF
chain in our article. This term is inspired by the core
idea to opportunistically use any available key mate-
rial to refresh (re-key) the current session key, even if
the security of the incorporated key material can not
be assessed.
The remaining article is structured as follows: In
section 2, we recapitulate various approaches for the
exchange of key material and argue that in practice,
none of them can guarantee to always distribute key
material in a way that cannot be compromised by at-
tackers in the long run. We proceed by introducing
a model of opportunistic re-keying as well as an in-
formal threat model and corresponding security ob-
jectives in section 3. Related work regarding the se-
curity analysis of similar constructions is discussed
in section 4. Subsequently, we define the underlying
security game in section 5 and perform our security
analysis in section 6. In section 7, we propose a con-
crete option for the underlying function together with
two parameter sets, before we conclude our article in
section 8.
2 PRELIMINARIES: EXCHANGE
OF KEY MATERIAL
This section recapitulates various quantum-resistant
options for exchanging key material between two
communication partners. Especially, we focus on
possible attacks that leak full or partial knowledge of
the exchanged key material, or even can manipulate
the key material to the attackers favor.
2.1 Asymmetric Cryptography: Key
Encapsulation Mechanisms
A key exchange based on a (PQC) KEM starts with
the probabilistic generation of a key pair (pk, sk) by
one of the communication partners. We call this entity
the initiator. The public key pk is sent to the remote
partner (the responder), whereas the secret key sk is
kept by the initiator. Using the public key as input,
the responder uses a probabilistic encapsulation algo-
rithm which outputs a shared secret s and a cipher-
text c (think: the shared secret in an encapsulated
form). The ciphertext is sent back to the initiator, who
is then (usually) able to decapsulate the same shared
secret s based on the knowledge of his secret key sk.
Note that some KEMs inherently have a (very small)
chance for a decapsulation failure (European Union
Agency for Cybersecurity, 2021), which would have
to be dealt with accordingly. But for brevity, we will
ignore this possibility for the rest of the article.
General Security Discussion for KEMs. Regard-
ing the security of KEMs, the following aspects have
to be considered: First, just like the Diffie-Hellman
key exchange, KEMs are susceptible to man-in-the-
middle attacks if no further entity authentication of
initiator and responder is performed. One natural so-
lution to achieve entity authentication in this context
is to use PQC signature schemes. Second, the security
of the currently most promising KEMs are based on
hard problems in structured or unstructured lattices,
or in coding theory (e.g., see (Ehlen et al., 2022; Eu-
ropean Union Agency for Cybersecurity, 2021) for an
overview). In contrast to the Diffie-Hellman key ex-
change, where the security is based on the discrete
logarithm problem, it is currently assumed that these
problems are intractable by both classical and quan-
tum computers. However, the field of security analy-
sis of KEMs and especially their implementations is
not at the same level of maturity as security analy-
sis of the Diffie-Hellman key exchange (Ehlen et al.,
2022). Consequently, it might be possible that (quan-
tum or even classical) attackers are able to recon-
struct s now or at some later point in time after observ-
ing and storing the KEM exchange. This uncertainty
especially prevails for the more efficient candidates,
namely the ones based on structured lattices.
Entropy vs. Pseudo-Entropy. The functional re-
quirement for a KEM is that at the end, the legit
parties agree on a joint secret s of, say, h bit. The
security goal of a KEM is that it is infeasible for
a computationally bounded adversary, given all data
sent between the legit parties, to distinguish s from
SECRYPT 2025 - 22nd International Conference on Security and Cryptography
330
a h-bit value u chosen uniformly at random. In the
information-theoretical sense, the entropy of s is zero,
while the min-entropy of u would be h bit. One pos-
sible approach to formalize the security provided to
the legit parties by agreeing on the secret s would be
the HILL pseudoentropy (Håstad et al., 1999). The
HILL pseudoentropy is a complex and powerful for-
malism to apply an information-theory-like approach
to computational security. Arguably, though, in our
case there is a simpler approach: We do not need a
formalism which would allow us to describe interme-
diate security levels between entirely secure and com-
pletely broken. Either, the KEM at hand fully meets
its security goal, or the KEM just fails. If it fails,
it might still provide some nontrivial level of secu-
rity. E.g., the adversary might be able to distinguish s
from u, but not to recover s from the data available.
But in this case, we just assume the secret s to be
compromised (known to or even chosen by the adver-
sary). On the other hand, if the KEM fully meets its
security goal, we can replace s by u, while the (com-
putationally bounded) adversary will fail to notice this
replacement. I.e., if the KEM is secure, we can just
assume a joint random value u with h bits of min-
entropy.
2.2 Quantum Key Distribution
With QKD, key material is exchanged by transmit-
ting qubits instead of classical bits, e.g., in the form of
(single) photons. The security of QKD relies on the
laws of quantum physics, especially the no-cloning
theorem (Wootters and Zurek, 1982). I.e., eavesdrop-
ping a qubit in transition always introduces a signif-
icant chance that the genuine receiver can detect the
eavesdropping. However, while there are QKD pro-
tocols that are provably secure, e.g., the BB84 pro-
tocol (Bennett and Brassard, 2014), security analyses
of QKD implementations are not mature yet (Ehlen
et al., 2022). Consequently, attackers might be able
to infer key material exchanged via QKD, e.g., by
utilizing side-channel attacks. Furthermore, attackers
might even be able to manipulate QKD keys at will.
That is because in the current state of development,
the entropy source is implemented in co-located de-
vices, and not on the actual communication devices.
E.g., attackers might be able to compromise two QKD
devices and pass the same “fake” QKD key material
to co-located communication devices.
Note that there are further caveats for the practi-
cal deployment of QKD, such as the requirement for
an additional, authenticated classical channel, a lim-
ited physical reach, and high costs for deployment and
operation. However, these are not in the focus here,
and we therefore assume for the study of opportunis-
tic re-keying presented in this article that QKD might
already be able to achieve a plausible security gain
between some communication partners in a network.
2.3 Out-of-Band Key Distribution
Instead of exchanging key material in-band via the
same (or in the case of QKD co-located) channels as
the actual communication, one can distribute key ma-
terial between communication endpoints out-of-band.
Some options are:
• Group Keys: While easy to manage, using the
same group key for all communication relation-
ships does not provide true end-to-end security:
A group key is compromised as soon as at least
one group member is compromised.
• Trusted third party (TTP): Key material could be
distributed via a TTP, where the communication
between the actual endpoints and the TTP is se-
cured by individual PSKs. However, a TTP repre-
sents a single point of failure regarding both avail-
ability and security of fresh key material.
• Probabilistic Key Distribution: Here (e.g., in (Es-
chenauer and Gligor, 2002)), the idea is to equip
each endpoint with a random subset of a larger key
material pool out-of-band, and use in-band com-
munication only to determine mutually known
key material. However, this leads to key mate-
rial being known to more than two endpoints at a
time, which is not acceptable in many scenarios.
• Human Key Carriers: A very secure, but also very
cumbersome way is to distribute pairwise PSKs
using human key carriers. Yet, this does not scale
to larger networks with many communication re-
lationships, especially if key material shall also
regularly be refreshed.
• “Automatically Deployed” Key Carriers: In the
context of virtual private networks (VPNs), one
could use mobile VPN clients as “automatically
deployed” key carriers between VPN gateways,
e.g., when moving during business trips (Schatz
et al., 2023; Schatz et al., 2024).
All in all, when using out-of-band key distribu-
tion, one can not rule out that some PSKs might get
known to attackers, e.g., because they managed to
compromise the (human or physical) key carrier.
2.4 Multipath Key Reinforcement
Another option for a key exchange that does not rely
on asymmetric cryptography is MKR, which has orig-
inally been proposed in the context of wireless sensor
On the Security of Opportunistic Re-Keying
331
networks (Deng and Han, 2008), and more recently in
the context of QKD networks (Rass and König, 2011)
and VPNs (Schatz et al., 2023; Schatz et al., 2024).
With MKR, different key material is sent via multi-
ple paths (e.g., inside a VPN overlay topology) and
combined at the endpoints. As long as attackers do
not manage to compromise all these paths and a suit-
able combination function is used, the resulting key
may be expected to be unknown to attackers. In the
context of this article, one can argue that it suffices
to restrict each individual MKR exchange to a sin-
gle (random) path, and instead shift the combination
of key materials from different paths to the construc-
tion for opportunistic re-keying. However, we have
to expect that some key materials will get known to
attackers, e.g., because they managed to compromise
an intermediate VPN node on the path.
2.5 Lessons Learned
In summary, there are many promising approaches to
exchange key material in a quantum-resistant manner.
Further, the different approaches exhibit quite orthog-
onal attack vectors to compromise individual key ma-
terials. Consequently, combining multiple approaches
via opportunistic re-keying is a natural way to drasti-
cally increase the costs of a successful attack. How-
ever, to be able to support any kind of key exchange
method, our review also revealed that opportunistic
re-keying must be robust with regard to input key ma-
terial that is known or even manipulated by attackers.
3 THE MODEL OF
OPPORTUNISTIC RE-KEYING
Opportunistic re-keying is the approach to gather sev-
eral input keys via different channels and employ-
ing different techniques, none of which being fully
trusted, and apply some transformation to generate
one secret session key, which can be used as a “master
key” for subsequent communication. We will imple-
ment this as a continuous process: Each time a new
input key arrives, the internal state is updated and a
fresh session key is generated. Whenever parties need
to communicate securely, they will use the most re-
cent session key.
3.1 Notation
By Pr[A], we denote the probability of an event A
to occur, and A is the event of A to not occur,
thus Pr[A] + Pr[A] = 1. If Pr[A] > 0 we define the con-
ditional probability of event B if A occurs by Pr[B|A].
r
0
r
1
s
1
r
2
f
s
2
f ...
k
1
k
2
Figure 1: Opportunistic re-keying dynamically combines
input key materials s
j
,1 ≤ j ≤ i to one session key k
i
. The
proposed scheme realizes this by iteratively combining an
internal state r
j
with the next available key material s
j+1
to derive the next state r
j+1
and the next session key k
j+1
,
calling a function f .
If S is a finite set, we write s ←
$
S for choosing s
uniformly at random from S. If D
S
is a distribution
over a set S, Pr
D
S
[s] is the probability to sample s un-
der D
S
. If for all s ∈ S it holds that Pr
D
s
[s] ≤ 2
−h
,
then the min-entropy of D
S
is at least h. For s ∈ S
we write s ←
h
S to indicate s being sampled to some
distribution with min-entropy h.
As inspired by the abstract construction in (Schatz
et al., 2023) and (Schatz et al., 2024) and depicted in
Figure 1, opportunistic re-keying may be summarized
as follows: Two communication partners (Alice and
Bob) receive an identical sequence of input key ma-
terials s
1
,...,s
i
. As discussed in section 2, each indi-
vidual key material s
j
,1 ≤ j ≤ i is either determined
by Alice, Bob, or an external key source. For this, we
assume that each entropy source that is not controlled
by attackers shows at least h bit of min-entropy. Fur-
thermore, Alice and Bob share a joint initial state r
0
,
e.g., a group key. Starting from this, opportunistic
re-keying produces a sequence of session keys k
i
and
states r
i
both as a function of the initial state and all
respective input key materials s
j
,1 ≤ j ≤ i.
To allow for an efficient dynamic generation of
new session keys without having to store all individ-
ual s
j
, this function is realized iteratively as follows:
(r
j+1
,k
j+1
) ← f (r
j
,s
j+1
) (1)
I.e., a function f is used to combine the current
state r
j
and the next input key material s
j+1
to
generate the next state r
j+1
and the next session
key k
j+1
. For the remaining article, we assume κ bit
session keys and internal states of size ρ bit. We do
not fix the size of the input key material, i.e., for-
mally s
i
∈ {0,1}
∗
. Still, we require at least h bit
of min-entropy for input keys below, which im-
plies |s
i
| ≥ h. Thus, the function f has the following
signature:
f : {0,1}
ρ
×{0, 1}
∗
→ {0,1}
ρ
×{0, 1}
κ
(2)
Note that the original proposal in (Schatz et al.,
2023) and (Schatz et al., 2024) does not distinguish
SECRYPT 2025 - 22nd International Conference on Security and Cryptography
332
between an internal state and the session key. In-
stead, they suggest to persistently store a derivation
of the session key (“recovery key”) to reduce the risk
of leaking old session keys. The construction pro-
posed and studied in this article, in contrast, enables a
straightforward way to persist the current state, which
is required when either Alice or Bob had to reboot
their device and want to “recover” the level of security
previously achieved via their pairwise key and state
sequence.
3.2 Informal Introduction of Threat
Model and Security Properties
To provide an intuition for the reader, we first infor-
mally introduce the threat model of opportunistic re-
keying. A formal model will be provided in section 5.
For ease of reading, we prefer to personalize the ad-
versary and refer to her as “Eve”. We care about two
security notions: resilience and forward security.
Resilience. We allow Eve to taint input keys and to
compromise states:
• Eve can either learn the input key s
j
(→ sections
2.3 and 2.4) or even choose s
j
(→ sections 2.1
and 2.2). We assume her to choose s
j
, as this rep-
resents the stronger attack capability. We refer to
this as tainting.
Untainted input keys s
i
are randomly generated
strings with h bits of min-entropy.
1
• Furthermore, for any j of her choice, Eve can
read the state r
j
. We refer to this as a “com-
promise”. As special case, we assume the ini-
tial state r
0
to always be compromised. Other-
wise, Alice and Bob would start the communica-
tion with a joint secret key unknown to the adver-
sary, which would, kind of, eliminate the need for
opportunistic re-keying.
Note that Eve “knows” any compromised state,
but a state may also be “known” to her even if
she did not compromise that state. Namely, if the
state r
i−1
is known (compromised or otherwise)
and if the matching input key s
i
is tainted, then
the state r
i
derived from r
i−1
and s
i
is “known”, as
Eve can compute it on her own.
The purpose of opportunistic re-keying (or, of re-
keying in general) is to generate secure keys, even
1
Usually, secret keys transmitted by some key exchange
mechanism are required to be uniformly distributed. As op-
portunistic re-keying has to deal with many different and
unspecified techniques to transmit secret input keys, we re-
lax this requirement.
when many (but not all) of the external inputs are
tainted and many (but not all) of the internal states
are compromised:
• We refer to a session key k
j
as secure, if it is in-
feasible for Eve to distinguish k
j
from a uniform
random string of the same size. In that case, it is
obviously safe for Alice and Bob to employ k
j
for
symmetric encryption and authentication.
• For every α ≥ 1 and β ≥ α, we require the session
key k
β
to be secure if
– Eve did neither taint s
α
,
– nor did she read any of the states r
α
, . . . , r
β−1
.
An opportunistic re-keying scheme that fulfills this
property is resilient.
Forward Security. Another common requirement
for key generation schemes is forward security (also
known as backtracking resistance, e.g., in (Barker and
Kelsey, 2015)): If a session key k
j
is considered se-
cure at some point of time, then subsequent compro-
mises (or tainting events) of data generated jointly
with k
j
, or generated or used later, must not enable
the adversary to break the security of k
j
. So the fol-
lowing data might be compromised or tainted, with-
out endangering the security of k
j
:
• r
j
, which is generated jointly with k
j
, and
• r
j+1
,s
j+1
,r
j+2
,s
j+2
,. . ., which are all
used/generated after generating k
j
.
Resilience Implies Forward Security. Assume the
scheme is not forward secure. I.e., the security of k
j
can be broken by compromising or tainting one or
more of the values r
j
, r
j+1
, s
j+1
, r
j+2
, s
j+2
, . . . , but
none of the other values. As those “other values” are
s
j
,r
j−1
,s
j−1
,r
j−2
,s
j−2
,. . ., this very scheme is not
resilient, either. Below, we will thus formalize and
prove resilience. We do not need any separate argu-
ment to prove forward security.
3.3 Random Oracles
For complex cryptographic systems, it is common to
analyze the security of a cryptosystem in the random
oracle model, i.e., to assume an underlying function
to behave like an ideal random function. Below, we
will make this assumption. Namely, we will treat the
function
f : {0,1}
ρ
×{0, 1}
∗
→ {0,1}
ρ
×{0, 1}
κ
as a random oracle. The idea, depicted in Algo-
rithm 1, is to initially assume an undefined f and to
keep track of pairs (x, f (x)). If, for a given x, no such
pair is in the list, f (x) is chosen uniformly at random.
On the Security of Opportunistic Re-Keying
333
Algorithm 1: Defining f as a random oracle. T holds a
map from {0,1}
ρ
×{0,1}
∗
to {0,1}
ρ
×{0,1}
κ
. Initially,
T is empty.
1 T ← {};
2 function f (x,y)
3 if (x,y) ̸∈ T then
4 T [x,y] ←
$
{0,1}
ρ+κ
5 return T [x,y]
4 RE-KEYING: RELATED WORK
Our approach is based on using a symmetric primi-
tive to derive a sequence of secret internal keys and/or
states. Each key/state is only used once. Re-keying is
a common approach in symmetric cryptography, for
a lot of different purposes. Some examples are the
following:
• PBKDEF2 (Password-Based Key-DErivation
Function 2) takes a password as the initial
secret key, and iterates a symmetric primitive
to eventually generate a pseudorandom output
(Turan et al., 2010). The purpose of re-keying is
to slow down attacks which attempt to exploit a
low entropy of the initial password.
• Like opportunistic re-keying, the double ratchet
algorithm is about providing pseudorandom ses-
sion keys (Perrin and Marlinspike, 2016). It com-
bines two “ratchets”, one based on symmetric
cryptography, and a second one on asymmetric
cryptography. Firstly, double-ratcheting provides
forward security: in the case of a compromise,
previous keys are safe. Secondly, it ensures plau-
sible deniability: If keys are only used once, and
then immediately replaced by a new key, authors
of encrypted or authenticated documents can eas-
ily deny their authorship.
• Forward security has also been the purpose of
re-keying in the Bellare-Yee PRG (pseudoran-
dom generator) (Bellare and Yee, 2003): Let
F : {0, 1}
n
→ {0,1}
n
× {0,1}
n
be a PRG. To
generate a stream of ℓ pseudorandom n-bit val-
ues X
1
,X
2
,. . .X
ℓ
, one starts with an initial se-
cret K
0
∈ {0,1}
n
and then iterates the operation
(K
i
,X
i
) ← F(K
i−1
), for i ∈ {1,... , ℓ}. If, say, K
j
has been compromised, then K
0
, . . . , K
j−1
and, by
extension, the pseudorandom values X
1
, . . . , X
j−1
remain safe.
• Other authors proposed the Bellare-Yee generator
for its leakage-resilience (Standaert et al., 2010).
Assume that some information about K
j
leaks
(1) when F(K
j−1
) is called to compute K
j
and
(2) when F(K
j
) is called. If this amount of leak-
age does not suffice to actually find K
j
, the adver-
sary will not find K
j
at all, because the genera-
tor advances to K
j+1
. The proof from (Standaert
et al., 2010) is in some variant of the random or-
acle model. In the standard model the Bellare-
Yee generator is insecure against “future compu-
tation attacks” (Dziembowski and Pietrzak, 2008;
Pietrzak, 2009). Such attacks are considered im-
possible in any practical setting. But, it seems to
be difficult to make any standard-model assump-
tions on F to prove resistance against future com-
putation attacks.
• The Pietrzak-PRG has been proven leakage-
resilient in the standard model (Pietrzak,
2009), though with poor concrete se-
curity bounds. It employs a function
F : {0,1}
k
×{0, 1}
n
→ {0,1}
k
×{0, 1}
n
as
the underlying primitive. Given a random
initial value X
0
∈ {0,1}
n
and a secret key pair
(K
0
,K
1
) ∈ {0,1}
k
× {0, 1}
k
, it computes a se-
quence of pseudorandom outputs X
0
, X
1
, . . . , X
ℓ+1
by iteratively calling (K
i+1
,X
i
) ← F(K
i−1
,X
i−1
),
for i = 1,2,.. .
• Finally, the XDRBG significantly resembles our
construction (Kelsey et al., 2024). Like our con-
struction, the XDRBG derives its new internal
state from the current internal state and from some
additional input. In the case of the XDRBG, the
additional input is a random seed from some en-
tropy source, in our case, it is a key sent via some
key exchange mechanism. Both the XDRBG and
our construction require the additional input to
provide a certain amount of min-entropy. The pur-
pose of the XDRBG is to provide pseudorandom
session keys from random sources, typically from
physical random sources such as a Zener Diode or
a Geiger counter, the purpose of opportunistic re-
keying is to provide pseudorandom session keys
from the output of some out-of-band distributed
keys of unknown trustworthiness.
5 THE OPPORTUNISTIC
RE-KEYING GAME
In subsection 3.2, we informally introduced the no-
tion of resilience in the presence of an adversary Eve,
who is allowed to taint ingoing data and to compro-
mise internal states. To properly formalize this set-
ting, we define the opportunistic re-keying game, see
Algorithm 2. This algorithm assumes a total of R
SECRYPT 2025 - 22nd International Conference on Security and Cryptography
334
Algorithm 2: Opportunistic Re-Keying Game: The adver-
sary, whom we personalize as “Eve”, is interacting with a
challenger. The initial state is r
0
= X
0
and compromised.
The game runs for R steps. In each step, Eve can either
taint the input key, or make an untainted step. Regardless
of tainting the input key or not, she can also compromise
the outgoing state. Each of the input keys s
1
,s
2
,.. ., s
R
, if
not tainted, is distributed according to a distribution with
min-entropy at least h. To keep track of compromised and
known states, arrays C[0],. .. ,C[R] and K[0],.. ., K[R] are
maintained. C[i] = 1 indicates compromised, and K[i] = 1
indicates known. The array T [1], ... ,T [R] is used similar-
ily: T[i] = 1 indicates tainted. At the end, Eve tries to guess
the secret bit b.
1 function Challenger(X
0
,R, h)
/* Start the game: Randomly choose secret
bit b and set the initial state */
2 b ←
$
{0,1};
3 r
0
← X
0
;
/* r
0
is compromised and known */
4 send r
0
to Eve; C[0] ← 1; K[0] ← 1;
/* Perform R steps of the game */
5 for step i ∈ {1,. . .,R} do
6 if Eve taints s
i
by Y
i
then
7 s
i
←Y
i
; T [i] ← 1; /* Tainted */
8 else /* Eve makes an untainted step */
9 s
i
←
h
{0,1}
∗
; T [i] ← 0;
10 (r
i
,k
i
) ← f (r
i−1
,s
i
);
11 if Eve compromises state r
i
then
/* Compromised and known */
12 send r
i
to Eve; C[i] ← 1; K[i] ← 1;
13 else
14 C[i] ← 0; /* Uncompromised . . . */
15 if K[i −1] = 1 and T [i] = 1 then
16 K[i] ← 1; /* . . . but known */
17 else
18 K[i] ← 0; /* . . . and unknown */
19 if (K[i −1] = 0 or T [i] = 0) and b = 0
then
20 Z ←
$
{0,1}
κ
;
21 send Z to Eve;
22 else
23 send k
i
to Eve;
/* Finish the game */
24 Receive b
∗
from Eve;
25 Eve wins ⇐⇒ b
∗
= b;
steps to be performed. Essentially, R is the “data com-
plexity”, i.e., the adversary will not observe more than
R session keys. The algorithm represents Eve’s capa-
bilities to taint and compromise:
• Eve can choose to taint an input key (cf. line 7).
The algorithm keeps track of which input key
has been tainted via the array T [1], ..., T [R];
here T [i] = 1 indicates tainted and T [i] = 0 indi-
cates untainted.
• Eve can compromise states (cf. line 12); this
time, the array C[0],.. .,C[R] is used to keep track
of which state has been compromised. C[i] = 1
indicates a compromised r
i
, C[i] = 0 an uncom-
promised r
i
.
Every compromised state is known to the adversary,
but even if r
i
is not compromised, it may be known
to the adversary. Namely, if r
i−1
is known and s
i
is tainted, Eve can compute r
i
on her own. Thus,
we assume r
i
to be known to the adversary, indicated
by K[i] = 1. For this purpose, the algorithm employs
the array K[1],. ..,K[R], cf. lines 4, 12, 16, and 18.
If Eve can compute r
i
on her own, she can also
compute the matching session key k
i
. An opportunis-
tic re-keying scheme is resilient, if Eve cannot distin-
guish the remaining outputs – i.e., the outputs she can-
not compute on her own – from uniformly distributed
random values. The algorithm matches this as fol-
lows:
1. Initially, in line 2, the challenger randomly
chooses a secret bit b.
2. During the steps of the game, whenever Eve can-
not compute the session key k
i
on her own
2
, the
challenger replaces k
i
by a random value – but
only if b = 0, as done in line 20. If Eve can com-
pute the session key on her own, or if b = 1, the
challenger sends the proper session key to Eve, cf.
line 23.
3. Finally, in line 24, Eve attempts to guess b.
It is trivial for Eve to succeed with probability
1
2
:
Flip a fair coin and output a random bit as the guess
for b. An opportunistic re-keying scheme is resilient,
if Eve’s probability does not exceed the probabil-
ity
1
2
+ ε for some small ε.
Eve is allowed to query the random oracle f on her
own. Assume Eve to make up to Q oracle-queries. In
the random oracle model, one usually considers this
value Q as the “query complexity”, indicating a lower
bound for the actual run-time of an attack. Below,
we will provide an upper bound for ε, which depends
on Q and on the data complexity R – and on the pa-
rameters h and ρ.
2
This is the case when r
i−1
is unknown to her, or when
she did not taint s
i
, cf. line 19.
On the Security of Opportunistic Re-Keying
335
6 SECURITY ANALYSIS OF
OPPORTUNISTIC RE-KEYING
Theorem 1. Let Eve be an adversary who runs func-
tion CHALLENGER(X
0
,R, h) from Algorithm 2. She
iterates the main loop of the algorithm for R times.
The min-entropy for each non-tainted input key s
i
is
at least h bit, h ≤ ρ. If Eve makes up to Q queries to
the random oracle on her own, her probability to win
the game in Algorithm 2 is Pr[Eve wins] ≤
1
2
+ ε with
ε ≤
R
2
2
ρ+1
+
Q
2
h
+
QR
2
ρ
. (3)
Proof. For the proof, reconsider line 10 of Algo-
rithm 2, which invokes the random oracle f (·,·) and
computes r
i
and k
i
as follows: (r
i
,k
i
) ← f (r
i−1
,s
i
).
By the definition of f (·,·) in Algorithm 1, r
i
and k
i
are
uniformly distributed random values, and, if no other
call to f with exactly the same input parameters r
i−1
and s
i
is made, r
i
and k
i
are independent from all other
values chosen or computed when running the game.
In this case, ε = 0, since Eve cannot distinguish the
uniform random value k
i
from the uniform random
value Z chosen in line 20 of the algorithm. Hence,
Eve can only win with any probability exceeding
1
2
,
if, for some i, another call for f (x, y) is made during
the course of the game, with x = r
i−1
and y = s
i
. This
means
ε ≤ Pr[BAD1] + Pr[BAD2|BAD1]
for the following two “bad events”:
B AD1: ∃i, j, 1 ≤ i < j ≤ R: r
i
= r
j
;
B AD2: there exists an unknown x = r
i−1
or an un-
tainted y = s
i
, such that Eve queries the random
oracle for f (x, y).
Informally, BAD1 covers the case that the game might
accidentally cycle, and BAD2 covers the case that Eve
manages to guess x = r
i−1
or y = s
j
and asks the ran-
dom oracle for f (x, y). Regarding BAD2, however,
guessing x and y and asking for f (x, y) is pointless for
Eve except when these x and y are used to generate a
value k
i
which is either sent back to Eve or replaced
by a random Z in line 20. This is the case when r
i−1
is unknown to Eve, or when Eve did not taint s
i
, cf.
footnote 2 and line 19.
To bound Pr[BAD1], observe that the game es-
sentially chooses random r
1
, r
2
, . . . , until eventu-
ally BAD1 occurs or until the game terminates. So
Pr[BAD1] is a “birthday bound”:
Pr[BAD1] ≤
R
∑
i=1
i
2
ρ
≤
R
2
2
ρ+1
. (4)
For Pr[BAD2|BAD1], we distinguish two cases:
1. BAD1 and (s
i
is untainted),
2. BAD1 and (s
i
is tainted) and (r
i
is unknown).
In the first case, even if Eve chooses a known r
i−1
,
she has to guess a unique s
i
, which is a ran-
dom value with h bit of min-entropy. From BAD1
we know r
i−1
̸= r
j−1
, for i ̸= j, thus, querying
for f (r
j−1
,s
i
) will not trigger the event BAD2. Thus,
for each single query to the f -oracle made by Eve, the
event BAD2 occurs with a probability ≤ 2
−h
.
In the second case, there are R values s
1
, . . . , s
R
,
and, if tainted, they can all be the same. So Eve may
not have to guess a unique r
i−1
: there are at most R
unknown states r
i−1
, such that Eve might query for
f (r
i−1
,s
i
). As each unknown r
i−1
is a random ρ bit
value, the probability for this event to occur is ≤
R
2
ρ
.
In total, Eve queries the random oracle Q times,
so
Pr[BAD2|BAD1] ≤ Q ·
1
2
h
+
R
2
ρ
. (5)
The claimed result in Equation 3 is the sum of the
bounds from Equation 4 and Equation 5.
Post-Quantum Security. Our result can be inter-
preted as follows: If the amount of data observed
by Eve is not too large, i.e., if R ≪ 2
ρ/2
, then the
first term of Equation 3 is negligible. If, further-
more, R ≪ 2
ρ−h
, the third term of the same equation
is also negligible. In this case, to succeed with signif-
icant probability, Eve needs to find a preimage with
min-entropy at least h bit. A classical adversary needs
to make at least Q ≈ 2
h
queries to the random oracle.
A quantum oracle, running Grover’s algorithm, needs
to make at least about
√
2
h
queries.
Multi-Party Security. To rephrase our result, as-
sume a pair (A,B) of communicating parties and as-
sume the number R
(A,B)
of keys generated by A and B
to communicate is not too large. Given about n
2
/2
pairs in an n-party network, it is straightforward to
conclude that Eve, if she cares about breaking any
connection between any two parties, rather than trying
to break into a specific connection, cannot improve
her performance by more than a factor n
2
/2.
Actually, the factor n
2
/2 is too optimistic, from
Eve’s point of view. Require an initial choice of dis-
joint random initial states r
0
for each of the communi-
cating pairs of parties. Recall the proof of Theorem 1
and define the event BAD1 to include cross-pair state
collisions. I.e., BAD1 also occurs if the internal state
of two different connections happens to be the same.
Thus, we (re-)define the data complexity R to be the
sum of all steps performed by all pairs of parties. As
before, assume R to be not too large, i.e., R ≪ 2
ρ/2
SECRYPT 2025 - 22nd International Conference on Security and Cryptography
336
Table 1: Proposed parameter sets for instantiations of the
opportunistic re-keying scheme from Figure 1. As elabo-
rated in the text, P1 is the “normal” security level, which
matches NIST category 3 security (National Institute of
Standards and Technology, 2016) in typical application sce-
narios (100 re-keying events per second, and observation
time 16 months), while P2 is a very conservative choice
matching NIST category 5 security, even in a network with
one million re-keying events per second and the attack run-
ning for about 37 000 years.
P1 P2
Data complexity log
2
(R) 32 60
State size ρ 256 512
Min-entropy h 192 256
Query complexity log
2
(Q) 192 256
NIST category 3 5
and R ≪ 2
ρ−h
. In this case, a quantum adversary Eve
still needs to make about
√
2
h
queries to break into
any of the about n
2
/2 connections.
Avoiding the Random Oracle Model. For the
analysis above, we did model f as a random oracle.
This is a common approach in cryptography, but many
researchers prefer standard model proofs over proofs
in the random oracle model.
So, is it possible to prove the construction from
Figure 1 secure in the standard model? In our ran-
dom oracle proof, we actually assume that, given
(r
j
,k
j
) = f (r
j−1
,s
j
) and either r
j−1
or s
j
, it is in-
feasible to find the remaining input value (i.e., ei-
ther s
j
or r
j−1
). If we restrict the signature of f to
f : {0,1}
ρ
×{0,1}
h
→ {0,1}
ρ
×{0,1}
κ
and assume
the input keys to be uniform random h-bit values, then
this is precisely the requirement for f to be a dual
PRF (Bellare and Lysyanskaya, 2015). Thus, it may
indeed be possible to prove the security of our con-
struction without relying on the random oracle model.
But we believe the disadvantages of such an approach
would outweigh the sole advantage of getting rid of
the random oracle. The disadvantages would include
(1) a more complex and less intuitive security proof,
(2) the restriction for the untainted input keys to be
uniformly distributed fixed-size values, and (3) the re-
liance on a new and not yet well-understood security
notion, namely on the security of a dual PRF.
7 CONCRETE PROPOSALS
For the sake of concreteness, we propose two sets of
parameters, see Table 1. Parameter set P1 should suf-
fice for most applications. P2 is very conservative,
and we recommend it for high-security applications.
Comments on Parameter Set P1. If we assume a
network with 100 re-keying events per second, this
makes 100∗60 ∗60∗24 ∗365 ≈2
31.55
such events per
year. To collect R = 2
32
such events, Eve has to ob-
serve the network for about 16 months without miss-
ing any of the events. The min-entropy h = 192 means
that on a classical computer, she needs to perform
about 2
192
calls of the function f (·,·). On a quantum
computer, she needs about 2
96
iterations of Grover’s
algorithm. Thus, parameter set P1 matches category 3
security from NIST.
Comments on Parameter Set P2. Maybe we need
an even higher security, we assume more re-keying
events per second in our network, or we assume
Eve to be a lot more patient with observing the net-
work. So assuming a very fast network performing
one million re-keying events per second, the num-
ber of re-keying events per year is 1000 000 ∗60 ∗
60 ∗24 ∗365 ≈ 2
44.84
. To collect R = 2
60
re-keying
events, Eve needs to observe the network for about
2
60−44.8
≈ 37000 years. The min-entropy h = 256
means that we maintain category 5 security in the
NIST classification (attack time about 2
256
classical
operations, or about 2
128
Grover iterations).
Instantiation Based on SHAKE-256. For a con-
crete instantiation, we propose the SHAKE-256 XOF
(eXtended Output Function), which has been derived
from SHA-3 (Kelsey et al., 2016). A XOF essentially
takes any number of input bits (as much as provided)
and generates as many output bits as required.
In our case, we need a function f : {0,1}
ρ
×
{0,1}
∗
→ {0,1}
ρ
×{0,1}
κ
for whatever choice of ρ
and κ we propose. For parameter set P1, we sug-
gest ρ = 256 ≥ h = κ = 192, for parameter set P2
ρ = 512 ≥ h = κ = 256. Regarding the performance
of SHAKE-256 for parameter set P2, an implementa-
tion in Rust
3
requires ≈19000 instructions (≈850 ns)
per invocation on an AMD Ryzen 7 5700G processor.
8 CONCLUSIONS
Opportunistic re-keying is a future-proof way to pro-
vide quantum-resistant session keys for symmetric
encryption in IT infrastructures, such as VPNs. Com-
pared to independently using (the same or differ-
ent) key exchange mechanisms for individual session
keys, opportunistic re-keying has two key advantages:
3
Using the sha3 crate, v0.10.8, for the implementa-
tion. Instruction count provided by the iai crate, v0.1.1.
On the Security of Opportunistic Re-Keying
337
1. It allows an early adoption of new key exchange
mechanisms, even if analysis of their (implemen-
tation) security is not mature, yet, such as the
more efficient PQC candidates and QKD.
2. It allows using mechanisms that have an inherent
chance of sometimes generating a key that gets
known to attackers, such as keys exchanged via
mobile devices during business trips, MKR, and
probabilistic key management.
Further, the sheer amount of different deployed key
exchange mechanisms and their frequency of execu-
tion may drastically increase the overall effort for at-
tackers to compromise the current session key.
ACKNOWLEDGEMENTS
This research is partially funded by dtec.bw – Digital-
ization and Technology Research Center of the Bun-
deswehr [project MuQuaNet]. dtec.bw is funded by
the European Union - NextGenerationEU.
REFERENCES
Barker, E. B. and Kelsey, J. M. (2015). Recommendation
for Random Number Generation Using Deterministic
Random Bit Generators. Technical Report NIST SP
800-90Ar1, National Institute of Standards and Tech-
nology.
Bellare, M. and Lysyanskaya, A. (2015). Symmetric and
dual PRFs from standard assumptions: A generic val-
idation of an HMAC assumption. Cryptology ePrint
Archive. https://eprint.iacr.org/2015/1198.
Bellare, M. and Yee, B. S. (2003). Forward-security in
private-key cryptography. In Topics in Cryptology -
CT-RSA, volume 2612 of LNCS, pages 1–18. Springer.
Bennett, C. H., Bernstein, E., Brassard, G., and Vazirani, U.
(1997). Strengths and Weaknesses of Quantum Com-
puting. SIAM J. Comput., 26(5):1510–1523.
Bennett, C. H. and Brassard, G. (2014). Quantum cryptog-
raphy: Public key distribution and coin tossing. The-
oretical Computer Science, 560:7–11.
Deng, J. and Han, Y. (2008). Multipath Key Establishment
for Wireless Sensor Networks Using Just-Enough Re-
dundancy Transmission. IEEE TDSC, 5(3):177–190.
Dziembowski, S. and Pietrzak, K. (2008). Leakage-resilient
cryptography. In 49th Annual IEEE FOCS, pages
293–302. IEEE Computer Society.
Ehlen, S., Hagemeier, H., Hemmert, T., Kousidis, S.,
Lochter, M., Reinhardt, S., and Wunderer, T. (2022).
Quantum-safe cryptography – fundamentals, current
developments and recommendations. Technical
report, Federal Office for Information Security
(BSI). https://www.bsi.bund.de/SharedDocs/
Downloads/EN/BSI/Publications/Brochure/
quantum-safe-cryptography.html?nn=916626.
Eschenauer, L. and Gligor, V. D. (2002). A key-
management scheme for distributed sensor networks.
In Proceedings of the 9th ACM CCS, pages 41–47.
European Union Agency for Cybersecurity (2021). Post-
Quantum Cryptography: Current state and quantum
mitigation. Technical report, Publications Office of
the European Union.
Grover, L. K. (1996). A fast quantum mechanical algorithm
for database search. In Proceedings of the 28th ACM
STOC, pages 212–219.
Håstad, J., Impagliazzo, R., Levin, L. A., and Luby, M.
(1999). A pseudorandom generator from any one-way
function. SIAM J. Comput., 28(4):1364–1396.
Kelsey, J., Chang, S., and Perlner, R. (2016). SHA-3 derived
functions: cSHAKE, KMAC, TupleHash and Paral-
lelHash. Technical report, National Institute of Stan-
dards & Technology.
Kelsey, J., Lucks, S., and Müller, S. (2024). XDRBG: A
Proposed Deterministic Random Bit Generator Based
on Any XOF. IACR Transactions on Symmetric Cryp-
tology, 2024(1):5–34.
National Institute of Standards and Technology (2016).
Submission requirements and evaluation criteria for
the post-quantum cryptography standardization pro-
cess.
Perrin, T. and Marlinspike, M. (2016). The Double Ratchet
Algorithm. Technical Report Revision 1. https://
signal.org/docs/specifications/doubleratchet.
Pietrzak, K. (2009). A leakage-resilient mode of operation.
In Proceedings of EUROCRYPT 2009, volume 5479
of LNCS, pages 462–482. Springer.
Proos, J. and Zalka, C. (2003). Shor’s discrete logarithm
quantum algorithm for elliptic curves. Quantum In-
formation and Computation, 3(4):317–344.
Rass, S. and König, S. (2011). Indirect eavesdropping in
quantum networks. In Proceedings of the 5th ICQNM,
pages 83–88.
Schatz, D., Altheide, F., Koerfgen, H., Rossberg, M., and
Schaefer, G. (2023). Virtual Private Networks in the
Quantum Era: A Security in Depth Approach. In Pro-
ceedings of SECRYPT 2023, pages 486–494.
Schatz, D., Altheide, F., Schaefer, G., and Martius, K.
(2024). Quantensichere VPN-Infrastrukturen. In Pro-
ceedings of the 20th German IT Security Congress.
Shor, P. W. (1997). Polynomial-Time Algorithms for Prime
Factorization and Discrete Logarithms on a Quantum
Computer. SIAM J. Comput., 26(5):1484–1509.
Standaert, F., Pereira, O., Yu, Y., Quisquater, J., Yung,
M., and Oswald, E. (2010). Leakage resilient cryp-
tography in practice. In Towards Hardware-Intrinsic
Security - Foundations and Practice, pages 99–134.
Springer.
Turan, M. S., Barker, E., Burr, W., and Chen, L. (2010).
Recommendation for password-based key derivation.
part 1: Storage applications. Technical report, Na-
tional Institute of Standards & Technology.
Wootters, W. K. and Zurek, W. H. (1982). A single quantum
cannot be cloned. Nature, 299(5886):802–803.
SECRYPT 2025 - 22nd International Conference on Security and Cryptography
338
