
arxiv: 2604.08612 · v1 · submitted 2026-04-09 · 💻 cs.CR · cs.NI

Post-Quantum Cryptography-Based Bidirectional Authentication Key Exchange Protocol and Industry Applications: A Case Study of Instant Messaging

Pith reviewed 2026-05-10 18:32 UTC · model grok-4.3

classification 💻 cs.CR cs.NI
keywords: post-quantum cryptography, bidirectional authentication, key exchange protocol, dual-usage certificates, ML-KEM, instant messaging, digital signature algorithm, key encapsulation mechanism

The pith

A protocol pairs post-quantum signatures with key encapsulation inside dual-usage certificates to let two parties authenticate each other and agree on a shared secret.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper develops a post-quantum key exchange that adds bidirectional authentication to ML-KEM by means of special certificates. These dual-usage certificates hold both a digital signature public key and a key-encapsulation public key in one structure, offered in composite, catalyst, and chameleon variants. The construction lets the same certificate support signing for authentication and encryption for secret negotiation. Experiments measure how the three certificate types change message lengths and computation times. The protocol is then shown working inside an instant-messaging application to illustrate a concrete industry use.

Core claim

Dual-usage certificates that store a PQC-based DSA public key together with a PQC-based KEM public key enable a bidirectional authentication key exchange protocol whose messages negotiate a shared secret key while satisfying mutual authentication and encryption requirements; the authors validate this by comparing key-exchange lengths and runtimes across composite, catalyst, and chameleon certificate schemes.

What carries the argument

Dual-usage certificates that embed both a PQC digital-signature public key and a PQC key-encapsulation public key to carry authentication and secret negotiation in a single exchange.

If this is right

  • Instant messaging services can adopt the protocol to protect conversations against quantum computers.
  • Different certificate variants produce measurable differences in message size and computation time.
  • The same certificate structure meets both authentication and encryption needs without separate key pairs.
  • Performance numbers from the experiments indicate feasibility for real-time messaging workloads.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The dual-usage pattern could be reused in other protocols that already employ certificates, easing migration to post-quantum cryptography.
  • If the catalyst or chameleon variants reduce update costs, they might be preferable for long-lived sessions such as persistent chat connections.
  • Direct comparison of the three variants on the same hardware would let implementers choose the best trade-off for their latency or bandwidth constraints.

Load-bearing premise

Embedding both signature and key-encapsulation keys inside one certificate does not create new vulnerabilities or weaken the security of either underlying post-quantum primitive.

What would settle it

An attack that forges one party's authentication or recovers the negotiated secret from the exchanged messages would show the protocol fails to deliver the claimed security.

Figures

Figures reproduced from arXiv: 2604.08612 by Abel C. H. Chen, Austin B. Y. Lin, Chin-Chen Chang, Ching-Chun Chang, Chin-Ling Chen, James W. H. Tung.

Figure 1. The proposed post-quantum cryptography-based bidirectional authentication key exchange protocol. Text recovered from the figure (Preliminary Setup, Alice / Bob): Alice possesses the PQC-based DSA key pair {uA, UA}, the PQC-based KEM key pair {vA, VA}, and a hybrid certificate QA including the PQC-based DSA public key UA and the PQC-based KEM public key VA. Bob possesses the PQC-based DSA key pair {uB, UB}, the PQC-based KEM key pair {vB…

Original abstract

This study aims to enhance the bidirectional authentication capability of ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism) by proposing the post-quantum cryptography-based (PQC-based) bidirectional authentication key exchange protocol. Furthermore, it introduces dual-usage certificates combining PQC-based DSA (Digital Signature Algorithm) and PQC-based KEM, which include composite schemes, catalyst schemes, and chameleon schemes. These dual-usage certificates utilize the PQC-based DSA public key and PQC-based KEM public key within the certificate to meet the requirements for bidirectional authentication and encryption, enabling the negotiation of a shared secret key. During the experimental phase, the study validates and compares key exchange message lengths and computation times under different certificate configurations. Finally, instant messaging is presented as an industry application to demonstrate the practical implementation of the proposed protocol.
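To make the dual-usage mechanism described in the pith and the abstract concrete, here is an added example in Go; it is not code from the paper or its authors. It assumes Go 1.24 or later, whose crypto/mlkem package supplies ML-KEM-768, and uses Ed25519 as a stand-in for the PQC-based DSA because the Go standard library has no ML-DSA. The certificate encoding, the constructed issuing CA, the nonce, and the three-message flow are this example's own illustration of a signed-KEM mutual authenticated key exchange, not the paper's exact protocol. It also shows the key-binding property the referee report raises: the issuer signs the DSA key and the KEM key together, and each party signs the full transcript, so a certificate whose KEM key has been swapped is rejected before any secret is negotiated.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// DualUsageCert is a constructed stand-in for a dual-usage certificate: one
// structure carrying a signature public key and a KEM public key, with the
// issuer's signature covering both so neither can be swapped independently.
type DualUsageCert struct {
	Subject   string
	DSAPub    ed25519.PublicKey // Ed25519 stands in for the PQC-based DSA key
	KEMPub    []byte            // ML-KEM-768 encapsulation key
	IssuerSig []byte
}

// tbs is the to-be-signed encoding; 2-byte length prefixes keep fields unambiguous.
func (c DualUsageCert) tbs() []byte {
	var b bytes.Buffer
	for _, f := range [][]byte{[]byte(c.Subject), c.DSAPub, c.KEMPub} {
		b.Write([]byte{byte(len(f) >> 8), byte(len(f))})
		b.Write(f)
	}
	return b.Bytes()
}

// Verify checks the issuer's binding of subject, DSA key and KEM key.
func (c DualUsageCert) Verify(caPub ed25519.PublicKey) bool {
	return ed25519.Verify(caPub, c.tbs(), c.IssuerSig)
}

// Party holds one endpoint's certificate and the two matching private keys.
type Party struct {
	Cert    DualUsageCert
	dsaPriv ed25519.PrivateKey
	kemPriv *mlkem.DecapsulationKey768
}

// NewParty generates both key pairs and has the constructed CA sign the certificate.
func NewParty(name string, caPriv ed25519.PrivateKey) (*Party, error) {
	dsaPub, dsaPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	kemPriv, err := mlkem.GenerateKey768()
	if err != nil {
		return nil, err
	}
	cert := DualUsageCert{Subject: name, DSAPub: dsaPub, KEMPub: kemPriv.EncapsulationKey().Bytes()}
	cert.IssuerSig = ed25519.Sign(caPriv, cert.tbs())
	return &Party{Cert: cert, dsaPriv: dsaPriv, kemPriv: kemPriv}, nil
}

func concat(parts ...[]byte) []byte { return bytes.Join(parts, nil) }

// deriveKey binds the session key to both KEM secrets and the whole transcript.
func deriveKey(ssInit, ssResp, transcript []byte) []byte {
	th := sha256.Sum256(transcript)
	k := sha256.Sum256(concat([]byte("dual-usage-ake example"), ssInit, ssResp, th[:]))
	return k[:]
}

// Handshake runs an illustrative three-message signed-KEM exchange between
// initiator a and responder b and returns the session key each side derives.
// Both sides' steps are interleaved for readability; each side only uses
// fields it would have received on the wire plus its own state.
func Handshake(caPub ed25519.PublicKey, a, b *Party) ([]byte, []byte, error) {
	// msg1, A -> B: certA, nonceA. B validates the certificate first.
	nonceA := make([]byte, 32)
	if _, err := rand.Read(nonceA); err != nil {
		return nil, nil, err
	}
	if !a.Cert.Verify(caPub) {
		return nil, nil, errors.New("responder rejects initiator certificate")
	}
	// msg2, B -> A: certB, ciphertext to A's KEM key, B's signature over the transcript.
	ekA, err := mlkem.NewEncapsulationKey768(a.Cert.KEMPub)
	if err != nil {
		return nil, nil, err
	}
	ssB, ctB := ekA.Encapsulate()
	t2 := concat(a.Cert.tbs(), nonceA, b.Cert.tbs(), ctB)
	sigB := ed25519.Sign(b.dsaPriv, t2)
	// A processes msg2: certificate binding, then the signature under the certified DSA key.
	if !b.Cert.Verify(caPub) || !ed25519.Verify(b.Cert.DSAPub, t2, sigB) {
		return nil, nil, errors.New("initiator rejects responder authentication")
	}
	ssBatA, err := a.kemPriv.Decapsulate(ctB)
	if err != nil {
		return nil, nil, err
	}
	// msg3, A -> B: ciphertext to B's KEM key, A's signature over the full transcript.
	ekB, err := mlkem.NewEncapsulationKey768(b.Cert.KEMPub)
	if err != nil {
		return nil, nil, err
	}
	ssA, ctA := ekB.Encapsulate()
	t3 := concat(t2, ctA)
	sigA := ed25519.Sign(a.dsaPriv, t3)
	// B processes msg3 and both sides derive the same key from both secrets.
	if !ed25519.Verify(a.Cert.DSAPub, t3, sigA) {
		return nil, nil, errors.New("responder rejects initiator authentication")
	}
	ssAatB, err := b.kemPriv.Decapsulate(ctA)
	if err != nil {
		return nil, nil, err
	}
	return deriveKey(ssA, ssBatA, t3), deriveKey(ssAatB, ssB, t3), nil
}

func main() {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	alice, _ := NewParty("alice", caPriv)
	bob, _ := NewParty("bob", caPriv)
	ka, kb, err := Handshake(caPub, alice, bob)
	fmt.Println("error:", err, "session keys match:", bytes.Equal(ka, kb))
}
```

The design point worth noticing is where the binding lives: the CA signature over `tbs()` ties the KEM key to the DSA identity, and the transcript signatures tie both ciphertexts to both certificates, so neither a swapped KEM key nor a replayed ciphertext passes verification. A production implementation would replace the ad-hoc encoding with X.509 and the SHA-256 derivation with a proper KDF, and would use a real PQC signature scheme in place of Ed25519.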

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

1 major / 1 minor

Summary. The paper proposes a post-quantum cryptography-based bidirectional authentication key exchange protocol using ML-KEM. It introduces dual-usage certificates (composite, catalyst, and chameleon schemes) that combine PQC-based DSA and KEM public keys within a single certificate to enable bidirectional authentication and shared secret key negotiation. The manuscript includes an experimental evaluation comparing key exchange message lengths and computation times across different certificate configurations and demonstrates the protocol via a case study in instant messaging.

Significance. If the security properties hold, the dual-usage certificate approach could reduce overhead in post-quantum authenticated key exchange by allowing one certificate to support both signing and key encapsulation, which is relevant for resource-constrained applications. The performance comparisons and instant-messaging case study provide concrete data on practical trade-offs and deployment feasibility. The work builds on standard PQC primitives (ML-KEM, ML-DSA) and supplies reproducible timing and size measurements.

major comments (1)
  1. The central claim that the composite/catalyst/chameleon dual-usage certificates achieve secure bidirectional authentication and key exchange without introducing vulnerabilities or weakening the underlying PQC primitives lacks any supporting formal analysis. No threat model, security definitions, game-based proofs, or reductions to the hardness of ML-KEM/ML-DSA are supplied; the experimental section reports only message lengths and computation times. This omission is load-bearing because the security of the certificate constructions (e.g., binding of DSA and KEM keys, resistance to key-reuse or impersonation) cannot be assessed from performance data alone.
minor comments (1)
  1. The abstract states that the protocol 'validates and compares' message lengths and times but does not identify the baseline schemes or the precise experimental setup (number of runs, hardware, etc.).

Simulated Author's Rebuttal

1 response · 0 unresolved

We thank the referee for the constructive review and for highlighting the importance of formal security analysis. We address the single major comment below and will incorporate the requested material in the revised manuscript.

Point-by-point responses
  1. Referee: The central claim that the composite/catalyst/chameleon dual-usage certificates achieve secure bidirectional authentication and key exchange without introducing vulnerabilities or weakening the underlying PQC primitives lacks any supporting formal analysis. No threat model, security definitions, game-based proofs, or reductions to the hardness of ML-KEM/ML-DSA are supplied; the experimental section reports only message lengths and computation times. This omission is load-bearing because the security of the certificate constructions (e.g., binding of DSA and KEM keys, resistance to key-reuse or impersonation) cannot be assessed from performance data alone.

    Authors: We agree that the current manuscript does not contain a formal security analysis, threat model, or game-based proofs, and that performance measurements alone cannot establish the security properties of the certificate constructions. In the revised version we will add a dedicated security section that (i) defines a threat model appropriate to bidirectional authenticated key exchange using ML-KEM and ML-DSA, (ii) states the target security notions (mutual authentication, session-key secrecy, forward secrecy, and resistance to impersonation and key-reuse attacks), (iii) provides game-based definitions, and (iv) supplies reductions showing that the composite, catalyst, and chameleon dual-usage schemes preserve the hardness assumptions of the underlying primitives and do not introduce new vulnerabilities through improper key binding. This addition will directly address the referee's concern.

    revision: yes

Circularity Check

0 steps flagged

No circularity: protocol proposal relies on standard PQC primitives without self-referential reductions

Full rationale

The manuscript proposes a bidirectional authentication key exchange protocol using ML-KEM and introduces dual-usage certificates (composite, catalyst, chameleon) that combine PQC DSA and KEM keys. Experimental validation is confined to performance metrics such as message lengths and computation times under different certificate configurations. No equations, game-based proofs, reductions to hardness assumptions, or fitted parameters are described that would reduce any claimed security property to the protocol's own inputs by construction. Security is implicitly grounded in the underlying ML-KEM/ML-DSA primitives rather than any self-definitional or self-citation load-bearing step. This is a standard design-and-benchmark paper with no detectable circularity patterns.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axiom · 1 invented entity

The central claim rests on the security of standard PQC primitives (ML-KEM, PQC DSA) and the correctness of the newly defined certificate schemes; no free parameters or invented physical entities are described.

axioms (1)
  • domain assumption: Security of ML-KEM and PQC-based DSA as defined by NIST standards.
    The protocol inherits its security from these established post-quantum primitives.
invented entities (1)
  • Dual-usage certificates (composite, catalyst, chameleon schemes) · no independent evidence
    purpose: Combine a PQC DSA public key and a PQC KEM public key in one certificate to support both authentication and key encapsulation.
    These are introduced by the paper as the mechanism enabling bidirectional authentication.

pith-pipeline@v0.9.0 · 5472 in / 1286 out tokens · 69394 ms · 2026-05-10T18:32:51.657101+00:00


Reference graph

Works this paper leans on

6 extracted references · 6 canonical work pages

  1. [1]

    title Post-quantum cryptography standards: FIPS 203, 204, 205

    National Institute of Standards and Technology, "Module-Lattice-Based Key-Encapsulation Mechanism Standard," in Federal Information Processing Standards Publication, FIPS 203, pp. 1-47, 2024, doi: 10.6028/NIST.FIPS.203

  2. [2]

    Module-Lattice-Based Digital Signature Standard (ML-DSA),

    National Institute of Standards and Technology, "Module -Lattice-Based Digital Signature Standard," in Federal Information Processing Standards Publication, FIPS 204, pp. 1-55, 2024, doi: 10.6028/NIST.FIPS.204

  3. [3]

    Stateless Hash-Based Digital Signature Standard (SLH-DSA),

    National Institute of Standards and Technology, "Stateless Hash-Based Digital Signature Standard," in Federal Information Processing Standards Publication, FIPS 205, pp. 1-51, 2024, doi: 10.6028/NIST.FIPS.205

  4. [4]

    Composite ML-DSA For use in X.509 Public Key Infrastructure and CMS,

    M. Ounsworth, J. Gray, M. Pala, J. Klaußner, S. Fluhrer, "Composite ML-DSA For use in X.509 Public Key Infrastructure and CMS," in IETF Internet-Drafts, pp. 1-67, 2024, https://datatracker.ietf.org/doc/draft-ietf-lamps-pq-composite-sigs/

  5. [5]

    Multiple Public-Key Algorithm X.509 Certificates,

    A. Truskovsky, D. V. Geest, S. Fluhrer, P. Kampanakis, M. Ounsworth, S. Mister, "Multiple Public-Key Algorithm X.509 Certificates," in IETF Internet-Drafts, pp. 1-22, 2024, https://datatracker.ietf.org/doc/draft-truskovsky-lamps-pq-hybrid-x509/

  6. [6]

    A Mechanism for Encoding Differences in Paired Certificates,

    C. Bonnell, J. Gray, D. Hook, T. Okubo, M. Ounsworth, "A Mechanism for Encoding Differences in Paired Certificates," in IETF Internet-Drafts, pp. 1-55, 2024, https://datatracker.ietf.org/doc/draft-bonnell-lamps-chameleon-certs/