Efficient Continuous Key Agreement With Reduced Bandwidth From a Decomposable KEM

Continuous Key Agreement (CKA) is a two-party protocol used in double-ratchet protocols such as signal. It enables continuous and synchronous key distribution that generates a fresh key to encrypt each transaction in messenger apps. It guarantees forward secrecy and post-compromise security. In recent years, the post-quantum versions of the double-ratchet protocol and CKA have been intensively studied. In Eurocrypt 2019, Alwen et al. suggest a generic construction of CKA based on the Key Encapsulation Mechanism (KEM), achieving the post-quantum CKA from post-quantum KEMs. They also mention that the bandwidth can be reduced by half using ElGamal KEM. In this paper, we generalize this idea by defining a new primitive called Decomposable Key Encapsulation Mechanism (DKEM) and instantiate it with the promising lattice-based schemes such as $\mathsf {CRYSTALS{-}KYBER}$ and $\mathsf {SABER}$ . Using DKEM instantiated with $\mathsf {CRYSTALS{-}KYBER}$ (resp. $\mathsf {SABER}$ ) and security category 1 parameters, our CKA achieves 51% (resp. 48%) reduced bandwidths compared to the generic construction from KEM. We also implement our CKA on both Intel Xeon E5-1650 v3 and ARMv8 Cortex-A72 processors, respectively, and show that the performance of sender algorithm is improved from 79.29 to 96.94% (resp. from 74.64 to 91.04%) when instantiated with $\mathsf {CRYSTALS{-}KYBER}$ (resp. $\mathsf {SABER}$ ).