Table of Contents
Fetching ...

An Efficient Hybrid Key Exchange Mechanism

Benjamin D. Kim, Vipindev Adat Vasudevan, Alejandro Cohen, Rafael G. L. D'Oliveira, Thomas Stahlbuhk, Muriel Médard

TL;DR

CHOKE addresses the quantum-threat challenge for key exchange by combining multiple KEMs with an individually secure code, enabling the parallel transmission of $n$ session keys at the cost of a single encapsulation. The core idea is to encode the $n$ keys into linear combinations via a public generator matrix $G$, encapsulate each combination with its own KEM, and recover the keys via $K=G^{-1}X$ after decapsulation. The scheme achieves an $n$-fold reduction in computation and communication relative to serial or combiner hybrids, while preserving computational security for each key as long as at least one underlying KEM remains secure; when some KEMs are broken, only linear combinations leak. The work also provides a simulation-based security proof framework, analyzes information rates and complexity, and discusses practical considerations such as related-key attacks and CCA properties, highlighting CHOKE’s potential for scalable, post-quantum key exchange. Overall, CHOKE offers a principled, efficient pathway to multi-key hybrid KEMs grounded in code-based, individually secure constructions with robust security guarantees under partial compromise.

Abstract

We present \textsc{CHOKE}, a novel code-based hybrid key-encapsulation mechanism (KEM) designed to securely and efficiently transmit multiple session keys simultaneously. By encoding $n$ independent session keys with an individually secure linear code and encapsulating each resulting coded symbol using a separate KEM, \textsc{CHOKE} achieves computational individual security -- each key remains secure as long as at least one underlying KEM remains unbroken. Compared to traditional serial or combiner-based hybrid schemes, \textsc{CHOKE} reduces computational and communication costs by an $n$-fold factor. Furthermore, we show that the communication cost of our construction is optimal under the requirement that each KEM must be used at least once.

An Efficient Hybrid Key Exchange Mechanism

TL;DR

CHOKE addresses the quantum-threat challenge for key exchange by combining multiple KEMs with an individually secure code, enabling the parallel transmission of session keys at the cost of a single encapsulation. The core idea is to encode the keys into linear combinations via a public generator matrix , encapsulate each combination with its own KEM, and recover the keys via after decapsulation. The scheme achieves an -fold reduction in computation and communication relative to serial or combiner hybrids, while preserving computational security for each key as long as at least one underlying KEM remains secure; when some KEMs are broken, only linear combinations leak. The work also provides a simulation-based security proof framework, analyzes information rates and complexity, and discusses practical considerations such as related-key attacks and CCA properties, highlighting CHOKE’s potential for scalable, post-quantum key exchange. Overall, CHOKE offers a principled, efficient pathway to multi-key hybrid KEMs grounded in code-based, individually secure constructions with robust security guarantees under partial compromise.

Abstract

We present \textsc{CHOKE}, a novel code-based hybrid key-encapsulation mechanism (KEM) designed to securely and efficiently transmit multiple session keys simultaneously. By encoding independent session keys with an individually secure linear code and encapsulating each resulting coded symbol using a separate KEM, \textsc{CHOKE} achieves computational individual security -- each key remains secure as long as at least one underlying KEM remains unbroken. Compared to traditional serial or combiner-based hybrid schemes, \textsc{CHOKE} reduces computational and communication costs by an -fold factor. Furthermore, we show that the communication cost of our construction is optimal under the requirement that each KEM must be used at least once.
Paper Structure (30 sections, 7 theorems, 33 equations, 3 figures, 2 tables, 2 algorithms)

This paper contains 30 sections, 7 theorems, 33 equations, 3 figures, 2 tables, 2 algorithms.

Key Result

Theorem 1

Let $\mathsf{KEM}_1,\dots,\mathsf{KEM}_n$ be the mechanisms used in the protocol, and denote by $E_i$ and $D_i$ the computational cost of calling $\mathsf{KEM.enc}_i$ and $\mathsf{KEM.dec}_i$, respectively. Then, the computational cost at Alice and Bob is $\sum_{i=1}^{n} E_i$ and $\sum_{i=1}^{n} D_i

Figures (3)

  • Figure 1: KEMs schemes - series circuit on top (see Example 1) vs. proposed coded-based hybrid parallel circuit on bottom (see Example 3).
  • Figure 2: Visual comparison of operations needed for the three schemes presented in the Introduction to transport two keys. The left side represents the operations and time at Alice (sender), while the right represented the operations needed at the Bob (Receiver). The size of each block represents the operations cost and time, although not to scale. We see that even in this simple example, the number of encapsulation/decapsulation operations is reduced by 50$\%$ for CHOKE compared to the other two hybrid KEM schemes. When we generalize to a variable $n$ secret keys with $n$ different KEMs, CHOKE only requires $n$ KEM encapsulation/decapsulation operations while the other two require $n^2$.
  • Figure 3: Visual comparison of operations needed for the three schemes presented in the Introduction to transport two keys. The left side represents the operations and time at Alice (sender), while the right represented the operations needed at the Bob (Receiver). The size of each block represents the operations cost and time, although not to scale. We see that even in this simple example, the number of encapsulation/decapsulation operations is reduced by 50$\%$ for CHOKE compared to the other two hybrid KEM schemes. When we generalize to a variable $n$ secret keys with $n$ different KEMs, CHOKE only requires $n$ KEM encapsulation/decapsulation operations while the other two require $n^2$.

Theorems & Definitions (20)

  • Example 1
  • Example 2
  • Example 3
  • Definition 1: Negligible function
  • Definition 2: Probabilistic polynomial‐time (PPT)
  • Definition 3: Key Encapsulation Mechanism (KEM)
  • Definition 4: IND‑CPA via real vs. ideal
  • Definition 5: Individual security
  • Theorem 1: Computational cost of CHOKE
  • proof
  • ...and 10 more