To cope with the potential of cryptanalytically-relevant quantum computers, two lines of research are actively pursued: quantum cryptography aims at leveraging results from quantum physics to establish security guarantees, and post-quantum cryptography makes use of purely classical constructions built from hardness assumptions that take into account quantum cryptanalysis.1¹

Throughout, the word classical will always mean “not making use of quantum technologies”.

While large-scale QKD networks remain unavailable, non-trivial local QKD infrastructures have been implemented. An incomplete list of examples are testbeds in the Chicago area in the U.S. (see Wu et al., 2021), in the Madrid area in Spain (see Cid et al., 2021), and in the Berlin area in Germany (see Braun and Geitz, 2021). However, existing communication networks are not easy to combine/integrate with these quantum infrastructures, and the security guarantees for the complete network provided by establishing pairwise QKD keys are limited without other cryptographic solutions (most notably, for authentication, but also for refreshing keys or synchronizing multiple nodes). Toward this goal, connecting local QKD network infrastructures remains an active research topic (see Brauer et al., 2024).

On the post-quantum side, there is a lot of recent work on the design, implementation, and verification of two-party key exchange protocols, mostly built from generic transformations applied to encryption schemes or KEMs. An overview of existing solutions is offered by Alagic et al. (2022), which summarizes the results of the third evaluation round of the NIST process toward standardizing post-quantum cryptographic solutions. In the group setting, GAKE proposals can already be found in the literature, for instance by Apon et al. (2019), Escribano Pablos et al. (2020), or Escribano Pablos et al. (2022), although these types of constructions have not been intensively analysed and little is known for instance, about implementation-dependent attacks.

From a pragmatic perspective, it is desirable to be able to leverage both existing quantum and post-quantum infrastructures, a scenario that is not well understood yet.

Our contribution. We present a construction and security analysis for a flexible quantum-safe GAKE that leverages available “local” solutions for (group) key establishment, e.g. post-quantum KEMs or QKD-based designs. Depending on the guarantees provided by the contributing local solutions, the resulting GAKE offers information-theoretic or computational guarantees. It is possible to use our design with classical primitives, QKD connections, or in a hybrid network.

We follow a well-established technique of defining a compiler, i.e. a metaprotocol using one or more GAKEs as embedded subroutines, which can be proven secure provided that a certain level of security is achieved by the basic building blocks involved. The flexibility of our design appears to be very useful with the current state-of-the art, as some quantum and post-quantum designs are still under cryptanalytic exploration.

To be able to capture a hybrid classical/quantum communication infrastructure, we build on a versatile security model proposed by Mosca et al. (2013), introducing some small adaptations. We believe this model to be of interest for exploring (group) key establishment over hybrid classical-quantum networks, independent of our specific GAKE construction.

Paper Roadmap. We begin this work with a brief overview of the related literature in Section 2, followed by an introduction to the security model we propose to evaluate our construction in Section 3. Section 4 provides a detailed description of our proposal, starting with an outline of the rationale behind the construction, and concluding with a formal security analysis in the final subsection. Given the various choices available for concrete implementation in our design, we discuss different options in Section 5. We conclude with a brief summary of the paper’s main contributions and suggest potential directions for future research in the Conclusion section.

In the literature, several works can be found exploring different ways of establishing secure keying material through the combination of quantum and classical technologies (see the summarizing Table 1 below).

A number of research contributions look at different ways to derive (two-party) cryptographic keys by combining keys established through different implementations of quantum, post-quantum, or traditional key exchange protocols (see, for instance, Dowling et al., 2020; Bruckner et al., 2023). This hybrid approach differs from ours, as it assumes that each party has access to all involved key sources, while in our scenario nodes have potentially different capabilities, e.g. we may have only few (or no) QKD connections available.

Also, in the last few years, several authors have explored the combination of classical and quantum resources in order to build secure networks, considering the QKD nodes to be the main source of keying material. For instance, in Viksna et al. (2023), Kozlovics et al. (2023), parties use QKD as a service to obtain secure keying material, which is accessed through (classical, post-quantum) TLS links. There, it is however assumed that there exist perfectly secure direct links between users and devices establishing QKD keys, which is a strong assumption. In Geitz et al. (2023), a high-level key management system is described through which all network nodes may access keying material (coming from a QKD, a post-quantum key exchange protocol, or a combination of those). Different protocols within these systems have been implemented in the OpenQKD testbed in Berlin. Similarly, in James et al. (2023), the authors explore different options for building a secure Key Management System in order to scale up from link-to-link quantum key generation to large key distribution networks.

While all these approaches are in a way related to ours, their main goal is to establish two-party keys taking advantage of QKD installations and reinforcing them through PQC. Thus, they could in principle be implemented with “only” two actors involved in the key generation (through a QKD execution). We aim at a contributory scenario, i.e. a general protocol solution where n ⩾ 2 users leverage classical and/or quantum techniques in order to (jointly) generate keying material from both sources to establish a secure key for the whole group.

In this section, we present a novel security model to enable a formal analysis of our proposal. While established models exist in the literature for group key establishment in the classical setting, we are not aware of any prior definition that formalizes the interaction between classical and quantum entities.

As a starting point, we base our work on a proposal by Mosca et al. (2013) and make some small changes to better capture some subtleties of special relevance to the group setting. For the special case of a two-party Authenticated Key Establishment (AKE), our model specializes to Mosca et al.’s. This “downward compatibility” enables us to compile a GAKE from existing popular two-party QKD (or classical key exchange) protocols that are already known to be secure in Mosca et al.’s framework.

Parties. We follow the formalization in Mosca et al. (2013) based on classical and quantum Turing machines, but make some tweaks to better align with classical group key exchange models (see, e.g. Bohli et al., 2007). By P ‾ we denote a finite set of potential protocol participants, each of them labelled by a public identifier. Each party can be seen as a dual entity consisting of an interactive Turning machine that communicates through a classical tape ( e ) with a coupled quantum Turing machine. Parties communicate through an input-output classical communication channel ( c )—established between their “classical” parts. In turn, the quantum Turing machines from each party communicate through a quantum chanel ( q ). The classical Turing machine has also access to a randomness source (through a specific tape denoted r).

All classical information held by a specific party is stored in its memory, consisting of a collection of value pairs of the form ( x , X ) where x is assumed to be private and X to be public—often referred to as a label of the secret value x. Remark 1.

Our compiler does not require potential protocol participants to have access to quantum computational capabilities. Similarly, our protocol allows for a scenario where only some (possibly no) potential participants have the capability to execute a QKD protocol.

Each protocol participant P ∈ P ‾ may execute several sessions in parallel. We will refer to a session of P with the notation Π P ψ , where Ψ is a unique protocol session identifier.2²

To better align with the use of the term session identifier in other classical group key exchange models, we slightly deviate from the terminology in Mosca et al. (2013) here and refer to Ψ as protocol session identifier; a session identifier will be a value sid obtained as output from a protocol.

We assume that a session Π P ψ must accept the session key constructed at the end of the corresponding protocol session if no deviation from the protocol specification occurs, resulting in a non-⊥ value of sk P ψ . In the sequel, sessions and session variables may be written without sub- or superscripts, if the context renders them unnecessary. The state P ψ variable mentioned above is merely a convenient notation to refer to multiple locally stored values. Otherwise, our terminology follows by and large Mosca et al. (2013) with the following generalizations: •

In the model of Mosca et al., each session has associated a pid value to store the identifier of the (one) peer with whom the session is executed. We allow the pid to be an unordered non-empty sequence of peer identifiers instead. The authentication vector u now captures the information used to identify all peers included in the pid of the session. Further, as noted above, we will denote by pid ¯ the set of all identities involved in the execution (namely, those in pid and that from party P itself).

For 2-party key exchange protocols as discussed in Mosca et al. (2013), which do not define an explicit session identifier, this specializes to correctness as used in Mosca et al. (2013). However, for our purposes, the ability to specify a separate session identifier will be convenient: we want to use existing, e.g. 2-party, protocols as building blocks of a protocol involving a larger number of participants. Here, the separation of v from the session identifier frees us from the problem of having to make “local” v-values of a 2-party protocol available to other protocol participants, just to ensure correctness of the overall protocol.

Communication. Following Mosca et al. (2013), the classical Turing machine will have two incoming-outgoing classical communication channels (e and c). Communication through these channels is modelled through oracle queries:3³

In Mosca et al. (2013), oracle queries are called activations, following the Turing-machine modelling terminology.

For further details on these oracle queries, we refer to Mosca et al. (2013).

Adversarial model. To a large extent, the communication network is controlled by the adversary (following the typical modelling in classical group key exchange). We assume arbitrary point-to-point connections among users to be available, involving for each party the aforementioned classical (c) and quantum (q) channels. With respect to these channels, the network is non-private and fully asynchronous: The adversary may delay, eavesdrop, insert, and delete messages at will, only limited—with regard to the q-channel—by the laws of quantum mechanics. However, the adversary has no control over the communication between the classical and quantum subcomponents of a party, which takes place over the e-channel; neither will he have access to any information concerning the randomness obtained through the r-channel. In addition to the SendC and SendQ oracles, the adversary may also issue the following two types of queries to parties: •

RevealNext; this query allows the adversary to get the public tag X of a freshly generated memory entry ( x , X ) by the addressed party.

Security. As customary, a special Test oracle is introduced in order to model a real attack and be able to define security: •

Test ( P , ψ ), when called by the adversary, will return ⊥ if a corresponding session key sk P ψ has not been established. Otherwise, the oracle selects uniformly at random a bit b ← $ { 0 , 1 } and will output sk P ψ if b = 1 and a randomly selected bitstring (of the same length as sk P ψ ) if b = 0. The adversary may call this oracle only once.

Note that all authentication-related private values may be revealed after protocol completion (the above definition only ensures there will be at least one private value the adversary ignores at all times, which is linked to the vector v). This definition of freshness is geared towards including forward security in the model; leakage of authentication keys should not endanger previously established session keys.

Now, the definition of security must establish a corresponding bound on the adversary’s advantage when querying the Test oracle. Let λ ∈ N be a fixed security parameter. The advantage Adv A ( λ ) of an adversary A in attacking the given protocol is a function in the security parameter λ, defined as Adv A : = | 2 · Succ A − 1 | . Here, Succ A is the probability that the adversary queries Test on a fresh instance and guesses correctly the bit b used by the Test oracle.

In the above definition, following Mosca et al. (2013), the classical running time of adversaries is assumed to be bounded, and so are the quantum runtime and the quantum memory. We consider here only the case of a polynomially bounded adversary, which is common in classical group key establishment models. However, in connection with quantum key distribution it makes sense to consider so-called long-term security, introduced by Müller-Quade and Unruh (2010), capturing the feature of a protocol that it will remain secure even if all hardness assumptions made no longer hold after the execution has finished. Following Mosca et al. (2013), we capture this as follows: Definition 4.

A protocol is long-term secure if, for any unbounded quantum Turing machine M acting on a classical and quantum transcript produced by a bounded adversary A, the advantage of M in guessing the bit b chosen by the Test oracle is negligible in the security parameter.

In this section, we give a detailed description of our proposal. We start by sketching the main idea behind our design and then give the details of the protocol steps. We then state and prove the main result (Theorem 1) stating the security of our construction.

Let P ⊆ P ‾ be the set of parties that seek to establish a common key in a concrete execution, and let P = P ( 0 ) ⊎ ⋯ ⊎ P ( n − 1 ) be a partition of P into non-empty subsets or “clusters”—an important special case is the partition where each P ( i ) contains only a single party. For each P ( i ) , we fix a cluster leader P ˆ ( i ) ∈ P ( i ) , and assume that •

for each i = 0 , … , n − 1, a secure GAKE ( i ) solution among the parties from cluster i is available, which we denote by GAKE ( i ) . We write ( c sk P ( i ) , c pid P ( i ) , cv P ( i ) , cu P ( i ) , c sid P ( i ) ) for the output vector of a party P of an execution of GAKE ( i ) ;

We have provided a general compiled protocol that can be constructed using various concrete cryptographic tools, following the principles of cryptoagility, which aims for modular designs that can be easily updated if any of the underlying tools need to be replaced. In this section, we offer guidance on how to make appropriate choices for the building blocks of our protocol.

There are many candidates in the literature for deriving the 2- AKE and GAKE constructions needed for our design. Prominent two-party quantum-key distribution protocols as analysed by Mosca et al. (2013) offer QKD building blocks, which we can now combine to GAKE solutions in a flexible manner.

For post-quantum cryptography, one can try to leverage known techniques to build 2-party authenticated key-exchange protocols from simpler cryptographic primitives, e.g. from a given Key Encapsulation Mechanism (KEM) (cf., for instance, Hövelmanns et al. (2020)). A high-level description of such a 2-AKE construction is shown in Fig. 5. At this, both parties have a pair of long-term authentication keys. In the figure, P i initiates the key exchange by executing an initiation algorithm Init and sending a message M to P j , which through a key derivation algorithm De r r e s p computes the key K ′ and a message M ′ . Upon receipt of M ′ , the receiver P i is able to obtain the key K with a respective key derivation algorithm De r i n i t .

If the key exchange is successful, K = K ′ . In the quantum random oracle model, many such constructions (e.g. derived from Kyber, McEliece, or NTRU) are proven to be secure in a suitable sense. Moreover, as the key derivation algorithms involved are not deterministic, it is often the case that (some flavour of) forward security is attained – thus paving the way for long-term security in our setting. To this aim, often the Init algorithm involves a fresh key generation for a KEM, so that there will be an encapsulated key involved in the final output key that cannot be retrieved from the static long term keys of the involved participants.

For the classical group setting, solutions building on these two-party designs are available and may be implemented from different code- or lattice-based cryptographic building blocks (see Escribano Pablos et al., 2020, 2022). It is a natural topic for follow-up research to try to establish general statements that enable an automatic lifting of security guarantees in one of the popular classical security frameworks for 2 - AKE or GAKE protocols to security guarantees in our model.

In this paper, we have proposed the first (to our knowledge) construction of a group key establishment protocol including entities that may have access to quantum or classical technologies. In particular, we integrate clusters of users that may obtain keying material through quantum technologies (i.e. may execute QKD protocols in pairs) and clusters (of n ⩾ 2 entities) that are able to establish secure keys through post-quantum protocols. All keying material can be combined to establish a group key shared by all involved entities.

Our construction is proven secure in a formal model including adversaries that have access to quantum resources, thus attaining a very high security level. The security model introduced in this paper is based on Mosca et al. (2013), one of the few works exploring formal models of security for hybrid scenarios. We believe that this work is a step forward towards these kinds of formalization efforts, which are needed in order to derive sound security proofs in any scenario where quantum/classical technologies are combined.

Furthermore, we believe our construction could be adapted to support diverse network infrastructures. In particular, refining it to function effectively in scenarios with communication constraints would be especially valuable (e.g. to prevent aborts if some leaders from an initially designated cluster fail to complete the protocol). Exploring such a dynamic adaptation of our construction would be a promising avenue for future research.