Authenticated Key Exchange (AKE) between any two entities is one of the most important security protocols available for securing our digital networks and infrastructures. In PQCrypto 2023, Bruckner, Ramacher and Striecks proposed a novel hybrid AKE (HAKE) protocol, dubbed Muckle+, that is particularly useful in large quantum-safe networks consisting of a large number of nodes. Their protocol is hybrid in the sense that it allows key material from conventional and post-quantum primitives, as well as from quantum key distribution, to be incorporated into a single end-to-end shared key. To achieve the desired authentication properties, Muckle+ utilizes post-quantum digital signatures. However, available instantiations of such signatures schemes are not yet efficient enough compared to their post-quantum key-encapsulation mechanism (KEM) counterparts, particularly in large networks with potentially several connections in a short period of time. To mitigate this gap, we propose Muckle# that pushes the efficiency boundaries of currently known HAKE constructions. Muckle# uses post-quantum key-encapsulating mechanisms for implicit authentication inspired by recent works done in the area of Transport Layer Security (TLS) protocols, particularly, in KEMTLS (CCS'20). We port those ideas to the HAKE framework and develop novel proof techniques on the way. Due to our novel KEM-based approach, the resulting protocol has a slightly different message flow compared to prior work that we carefully align with the HAKE framework and which makes our changes to the Muckle+ non-trivial.

翻译：任意两个实体之间的认证密钥交换（AKE）是保障数字网络与基础设施安全的最重要协议之一。在PQCrypto 2023会议上，Bruckner、Ramacher与Striecks提出了一种新型混合AKE（HAKE）协议Muckle+，该协议特别适用于包含大量节点的大规模量子安全网络。该协议的混合性体现在其允许将经典密码学原语、后量子密码学原语以及量子密钥分发的密钥材料融合为单一端到端共享密钥。为实现目标认证特性，Muckle+采用了后量子数字签名方案。然而，与后量子密钥封装机制（KEM）相比，现有签名方案的实现效率仍显不足，尤其是在需要短时间内建立大量连接的大规模网络中。为弥补这一缺陷，我们提出Muckle#协议，该协议突破了当前已知HAKE构造的效率边界。Muckle#采用后量子密钥封装机制实现隐式认证，其设计灵感来源于传输层安全（TLS）协议领域的最新研究成果，特别是CCS'20会议上提出的KEMTLS方案。我们将这些思想移植到HAKE框架中，并在此过程中发展了新颖的证明技术。由于采用了创新的基于KEM的认证方式，新协议的通信流程与既有方案存在细微差异，我们通过精心调整使其与HAKE框架保持兼容，这些改进使得Muckle#相较于Muckle+具有实质性的创新。