Password-authenticated key exchange based on Kyber for mobile devices

In this article, a password-authenticated key exchange (PAKE) version of the National Institute of Standards and Technology (NIST) post-quantum cryptography (PQC) public-key encryption and key-establishment standard is constructed. We focus on how a PAKE version of the PQC standard Kyber with mobile compatibility can be obtained from simply structured password components. In the design, the conventional password-based authenticated key exchange (PAK) approach is adapted to the module learning with errors (MLWE) assumption in order to add password-based authentication. Thanks to following the PAK model, the proposed Kyber.PAKE provides explicit authentication and perfect forward secrecy (PFS). The resistance of Kyber.PAKE against password dictionary attacks is examined under random oracle model (ROM) assumptions. The security analysis also follows the cumulative distribution function Zipf (CDF-Zipf) model to give a realistic treatment of the password distribution. According to the implementation results, Kyber.PAKE has a better run-time than lattice-based PAKE schemes with similar features, even though it contains the full key encapsulation mechanism (KEM) components. The comparison results indicate that the proposed PAKE scheme is a strong candidate for the future security of mobile environments and other areas.


INTRODUCTION
The security of conventional public-key cryptosystems (PKC) changed with the post-quantum concept that emerged from the ongoing development of quantum computers and the proposal of Shor's algorithm. Traditional PKCs such as key exchange (KE)/KEM and digital signature schemes will be insecure in the presence of a large-scale quantum computer running Shor's algorithm (Peikert, 2016). NIST started a process to select post-quantum secure PKC standards in 2016 (NIST, 2022a). In 2022, the lattice-based Kyber was selected as the standard in the KEM category; for digital signatures, the lattice-based CRYSTALS-Dilithium and Falcon and the hash-based SPHINCS+ were selected (NIST, 2022b). Although these standards prepare the ground for the PQC era, it is still necessary to design cryptosystems for particular goals and application areas.
One of the PKC primitives used for such specific purposes is the PAKE scheme, which produces a high-entropy shared key from low-entropy password-based authentication. Because of this easy-to-use structure, PAKE schemes do not require special hardware to store high-entropy keys (Bellare, Pointcheval & Rogaway, 2000). The hardness assumptions of classical PAKEs are, like those of other classical PKCs, the discrete logarithm and factorization problems. The first PAKE, encrypted key exchange, was proposed by Bellovin and Merritt in 1992 (Bellovin & Merritt, 1992), and many PAKE proposals, including new theoretical models, followed in later years (Bellovin & Merritt, 1993; Jablon, 1996; Wu, 1998; Hao & Ryan, 2011; Shin & Kobara, 2012). In addition, the Internet Engineering Task Force (IETF), the Institute of Electrical and Electronics Engineers (IEEE), and the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) have conducted standardization work on PAKE protocols (Hao & van Oorschot, 2022). The most recent standardization initiative for PAKE schemes was the selection process started by the IETF in 2019. In this call, completed in March 2020, OPAQUE and CPace were selected as the recommended PAKEs for present-day use (Hao, 2021).
Although the industry has started to prototype PAKE protocols in real applications with these processes, the adaptation of post-quantum secure algorithms is necessary for future security.
With the development of wireless communication technologies, the increasing use of mobile devices has brought the security of these devices into focus. There is a need for post-quantum secure PKCs such as KEM, authenticated key exchange, and PAKE that take the resource limitations of mobile devices into account (Dabra, Bala & Kumari, 2020). Lattice-based cryptosystems stand out with their strong security proofs, worst-case hardness, efficiency, and post-quantum security. The up-to-date literature shows that few lattice-based PAKEs have been designed for mobile device security. In Dabra, Bala & Kumari (2020), an anonymous ring learning with errors (RLWE)-based two-party PAKE was designed for the post-quantum security of the mobile environment; the security analysis of this four-phase scheme was done under real-or-random (RoR) assumptions. An improved version of Dabra, Bala & Kumari (2020) with a practical randomized KE approach is proposed in Ding, Cheng & Qin (2022) to resist signal leakage attacks. In Islam & Basu (2021), a four-phase RLWE-based PAKE was constructed for a two-mobile-devices/one-server communication model, with a security analysis following ROM definitions. In Seyhan & Akleylek (2024), we also built a four-phase PAKE with reusable keys and anonymity for the mobile device-server communication model, proving semantic security under RoR assumptions. Many other PAKEs with lattice primitives, such as Ding et al. (2017), Gao et al. (2017), Liu et al. (2019), Seyhan & Akleylek (2023) and Ren, Gu & Wang (2023), were designed using the traditional PAK model to obtain explicit authentication and PFS. These proposals can meet post-quantum key agreement requirements, but none of them focuses on a PAKE version of the NIST standard. The security of Kyber has been studied in depth and it was designed with efficient structures. Therefore, proposing a PAKE version of this algorithm and providing reference implementations fills a gap in the post-quantum secure PAKE literature.

Motivation and contribution
PAKE protocols are commonly used for credential recovery, Wi-Fi communication, device pairing, end-to-end (E2E) secure channel applications, and Kerberos-like settings as part of everyday secure communication. Ensuring both present-day and post-quantum security of PAKE schemes is recognized as one of the main open problems for future security (Ott & Peikert, 2019; Hao & van Oorschot, 2022). Although the strongest candidates can be built from the NIST algorithms, PAKE versions of these schemes have not been constructed yet. To address this open problem, we use the well-defined Kyber KEM structures to construct password-based authentication. Our main aim is to meet the post-quantum authenticated key-sharing requirement of both conventional computers and mobile devices by providing a PAKE version of the PQC standard Kyber. The contributions of the Kyber.PAKE proposal are as follows.
• A novel two-party Kyber.PAKE is constructed from the NIST PQC KEM standard to meet the post-quantum secure PAKE requirement for general-purpose and mobile networks. The conventional PAK design suite (MacKenzie, 2002) is adapted to the MLWE problem, since the main security of Kyber is based on MLWE.
• The KEM structures and the MLWE-based PAK design idea are used together to construct the PAKE version of Kyber. As a result, the proposed Kyber.PAKE provides explicit authentication and PFS without a trusted third party, a public key infrastructure, or signatures.
• The security of Kyber.PAKE is analyzed in depth by bounding whether an adversary can obtain the shared key with an online dictionary attack. In the analysis, the advantage of the adversary is shown to be negligible in the ROM by following the Bellare-Pointcheval-Rogaway (BPR) model (Bellare, Pointcheval & Rogaway, 2000) and the CDF-Zipf model (Wang et al., 2017). Since CDF-Zipf characterizes the real password distribution, the theoretical security analysis better covers the real-world power of the adversary.
• The implementation of Kyber.PAKE is written in C (Dursun, 2023a) and Java (Dursun, 2023b). The experimental results are presented in terms of cost, central processing unit (CPU) cycles, and run-time. Based on the Java implementation, mobile device performance is also reported in terms of running time, energy, memory, and CPU usage.
• The reference results show that the proposed Kyber.PAKE is one of the best choices for the authenticated key generation requirement of the post-quantum era, thanks to its simply structured PAKE design and a KEM with strong security.

Outline
In 'Preliminaries', the mathematical background is summarized. In 'Proposed Kyber.PAKE Scheme', the general working steps and the correctness of the constructed Kyber.PAKE are defined. In 'Security Analysis', the detailed security examination against dictionary attacks is presented. The implementation results and the comparison with the current literature are provided in 'Reference Implementation and Comparison Results'. In the last part, 'Conclusion and Future Directions', the conclusion and future directions are given.
(Notation recovered from Table 1: pw_C is the client's password; a ←_r χ means that a is randomly chosen from the distribution χ.)

PRELIMINARIES
The notation is provided in Table 1.

Basic definitions
In the proposed PAKE, the shared key is obtained using the Kyber PKE and KEM functions/components, and password-based authentication is added by following the PAK design idea. The Kyber PKE and KEM functions are recalled in Table 2; for details we refer to Avanzi et al. (2019).
In Table 2, KYBER.CCAKEM uses the KYBER.CPAPKE functions to obtain key agreement based on the MLWE problem (Avanzi et al., 2019). Since the main security of Kyber and of the proposed PAKE version rests on the hardness of MLWE, key generation follows the MLWE assumption.

Definition 1 (MLWE (Bos et al., 2018)) The decisional version of MLWE is denoted d-MLWE. Let $m$ independent instances $(a_i, b_i)$ be given, written as $(A \in R_q^{m \times k}, b \in R_q^{m})$. d-MLWE is the problem of deciding whether these samples come from the MLWE distribution $D^{MLWE}_{m,k,\eta}$, i.e. $(A, b = As + e)$ with $s \leftarrow_r \beta_\eta^k$ and $e \leftarrow_r \beta_\eta^m$, or from the uniform distribution $U(R_q^{m \times k}) \times U(R_q^m)$. Let $A$ be an adversary. The advantage (Adv) of $A$ in solving the d-MLWE problem is the difference between its probabilities of outputting 1 on the two distributions.
In Table 2, pk and ct are computed by discarding low-order bits that do not affect decryption correctness; this provides reconciliation and reduced parameter sizes. The reconciliation functions of Kyber are recalled in Definition 2 (Bos et al., 2018).
Definition 2 (Compress and Decompress (Bos et al., 2018)) For $a \in \mathbb{Z}_q$ and $d < \lceil \log_2 q \rceil$:
• $b = \mathrm{Compress}_q(a, d) = \lceil (2^d / q) \cdot a \rfloor \bmod 2^d$,
• $a' = \mathrm{Decompress}_q(b, d) = \lceil (q / 2^d) \cdot b \rfloor$,
where $a'$ is an element relatively close to $a$: $|a' - a \bmod^{\pm} q| \le B_q = \lceil q / 2^{d+1} \rfloor$. The distribution of $a' - a$ is nearly uniform over the integers of magnitude at most $B_q$. Note that Definition 2 is stated over $\mathbb{Z}_q$; in Kyber, since $a \in R_q^k$, the functions are applied to each coefficient of $a$.
Remark 1 In Kyber (Bos et al., 2018), reconciliation is provided by the Compress and Decompress functions, and the distribution $\psi_d^k$ is defined in order to state correctness. The output of the distribution $\psi_d^k$ is generated in the following way.
Although the main operations of Kyber are performed in the NTT domain, all polynomials are sent in the normal domain. Encode and decode operations transform the polynomials used in the protocol flow (Bos et al., 2018; Avanzi et al., 2019).
Definition 3 (Decode) Let $B^{32}$ be a byte array. The output of Decode is defined as the deserialization of a 32-byte array into a polynomial, $B^{32} \to R_q$.
Note that Encode is defined as the inverse of Decode.
The correctness of Kyber.PAKE is analyzed using the correctness results of KYBER.CCAKEM and KYBER.CPAPKE. The main theorems of these schemes are recalled in Theorems 1 and 2, respectively.
The security evaluation of Kyber.PAKE is presented based on the ROM assumptions of Kyber.

Definition 4 (ROM Security of Kyber KEM (Avanzi et al., 2019)) Let XOF, H, and G be random oracles, $n_{ro}$ be the maximum number of $A$'s queries to the random oracles, and $B$ and $C$ be adversaries with roughly the same run-time as $A$.
The advantage (Adv) of $A$ against Kyber KEM in the ROM is defined by Eq. (1).

Security model
In this section, the special terms and basic primitives of the security model are detailed.
In the construction of Kyber.PAKE, password-related primitives provide the main authentication, obtained by adapting the traditional PAK design (MacKenzie, 2002) to the MLWE problem. In the analysis, resistance against password dictionary attacks is investigated with the BPR (Bellare, Pointcheval & Rogaway, 2000) definitions.
• DS denotes the password space, which is constructed according to Zipf's rule (Wang et al., 2017).
• Each client C has pw_C ←_r DS, and the related server S holds the hash of pw_C.
• A is a probabilistic algorithm that controls the entire network and provides the inputs of the participants' instances.
• A launches its attacks through the random oracle queries.
• Let S be a scheme and $V^i$ be the $i$th instance of $V$, which can be used only once. A's query band is defined as follows.
– execute(C,i,S,j): S is run between $C^i$ and $S^j$, and the outputs of the execution are sent to A.
– send(V,i,M): the message M is delivered to $V^i$. Then, according to S, $V^i$ performs the computations of the scheme and the outputs are sent to A.
– reveal(V,i): let $V^i$ be an accepted instance holding its own ssk. As a result of this query, ssk is sent to A.
– test(V,i): a bit b is chosen at random. If b = 1, the ssk of $V^i$ is returned to A; otherwise, ssk is chosen uniformly at random from the ssk space and returned to A.
– corrupt(U): A obtains the long-term secret of U (the password of a client, the password-related term of a server).
• p-id and s-id are the identifiers of the parties and of a session, respectively.
• $n_e$, $n_s$, $n_r$, $n_c$, and $n_o$ denote the maximum number of A's execute, send, reveal, corrupt, and random oracle queries, respectively.
• $T_{exp}$ denotes the generation time of an MLWE sample.
According to the BPR model, each user can run the scheme multiple times with different partners.

Definition 5 (Instance Partnership (Bellare, Pointcheval & Rogaway, 2000)) Let $U^i$ and $V^j$ hold (p-id_i, s-id_i, ssk_i) and (p-id_j, s-id_j, ssk_j), respectively. If the following conditions are satisfied, $U^i$ and $V^j$ are considered partner instances.
• U ∈ C and V ∈ S, or V ∈ C and U ∈ S.
• ssk_i = ssk_j, p-id_i = V, and p-id_j = U.
• s-id_i = s-id_j = s-id, where this value is not null.
• No third oracle other than $U^i$ and $V^j$ has the same s-id.
An instance that is fresh (Definition 6) is the one for which forward secrecy is required.
Using these definitions and the query band, the advantage of A against the PAKE scheme is examined.

Definition 7 (Advantage of A (Bellare, Pointcheval & Rogaway, 2000; MacKenzie, 2002))
Let $V^i$ be a fresh instance, S be the PAKE scheme, and $Suc^{S}_{PAKE}$ be the event that A outputs b' after a test(V,i) query and b' = b for the bit b selected in the test query. The advantage of A is defined by Eq. (2). If the security analysis shows that Eq. (2) is negligible, the constructed PAKE is said to be secure under the ROM assumptions.
In the traditional PAK suite, the main advantage of the adversary is determined by treating the password distribution as uniform. Since this does not reflect the real power of the adversary, CDF-Zipf is used to characterize the password distribution.

Definition 8 (CDF-Zipf Model (Wang et al., 2017))
Let DS be the password dictionary size and $n_{op}$ be the maximum number of A's online password guess attempts. In the traditional approach, the probability of A's correct password guess is defined as $n_{op}/DS + \mathrm{negl}(\kappa)$. According to recent studies (Wang et al., 2017), this evaluation underestimates A's power in real-world applications, since user passwords generally follow a Zipf-like CDF rather than the uniform distribution. Therefore, CDF-Zipf is followed to give results closer to the real-world password distribution.

Let C and f be the CDF constants. The probability of A's correct password guess in the CDF-Zipf model is determined by Eq. (3). Note that the CDF constants are determined for each usage area by linear regression.

PROPOSED KYBER.PAKE SCHEME
The password-authenticated version of Kyber KEM (Avanzi et al., 2019) is obtained by combining the KYBER.CCAKEM.KeyGen, KYBER.CCAKEM.Enc, and KYBER.CCAKEM.Dec structures given in Table 2 with the MLWE-based one-phase PAK idea. The proposed Kyber.PAKE runs between a client (C) and a server (S) and consists of four sub-processes (C_0, S_0, C_1, S_1). The constructed scheme is detailed in Fig. 1. The design step of each sub-process is as follows.
• Phase C_0: The key pair (pk, sk) is computed with Kyber's MLWE-based key generation, KYBER.CCAKEM.KeyGen() and KYBER.CPAPKE.KeyGen() from Table 2. After computing the raw pk, the client masks it with the password-related term and sends the encapsulated public key m = pk + γ_C.
• Phase S_0: The server performs no public-key computation of its own; it recovers the raw pk from m with its password-related term, pk = m + γ_S. The server's key component K' is then obtained with Kyber's encapsulation, (ct, K') = Kyber.CCAKEM.Enc(pk), and the server sends K' to enable the authentication check on the client side.
• Phase C_1: The client decodes the received values and recovers K with Kyber's decapsulation, K = Kyber.CCAKEM.Dec(ct, sk), where K equals K'. After the authentication check succeeds, the client computes the final password-authenticated shared key.
• Phase S_1: The server performs its own comparison to complete the authentication and generates the shared key.
In the proposed PAKE, the Compress and Decompress functions of Definition 2 solve the reconciliation problem inside the Kyber.CCAKEM.Enc and Kyber.CCAKEM.Dec procedures, which yields the equality K = K'.
The relationship between these two terms shows under which conditions the proposed scheme runs correctly.
• In Fig. 1, if K = K' holds for (ct, K') = Kyber.CCAKEM.Enc(pk) and K = Kyber.CCAKEM.Dec(ct, sk), the correctness of Kyber.PAKE follows.
• In Kyber.PAKE, pk is recovered using the password component. In phase S_0, if pk = m + γ_S is correctly recovered from m, the correctness of Kyber is unchanged.
• The correctness of Kyber.PAKE therefore follows from Theorems 1 and 2.
Since no component changes the argument of Remark 1 in Bos et al. (2018), the correctness of Kyber.PAKE holds with probability (1 − δ).
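The phases C_0, S_0, C_1 and S_1 above, and the Compress/Decompress bound of Definition 2, as one runnable exchange. This is an added example written for this page; it is not the paper's Kyber.PAKE and not the Kyber reference code. Assumed simplifications: a single-polynomial (k = 1) Kyber-like CPA PKE over Z_q[x]/(x^256 + 1) with q = 3329 and eta = 2 for every noise term, schoolbook multiplication instead of the NTT, a simplified Fujisaki-Okamoto transform for the KEM, a password mask gamma_C = H1(pw) sampled uniformly from R_q (the server stores gamma_S = -gamma_C as its verifier), and hashed H2/H3 authenticators in place of the paper's exact message contents. The function names, the domain-separation labels and the sample passwords are all constructed for the example.

```python
"""Toy PAK-style exchange built from Kyber-like KEM pieces, in the spirit of Kyber.PAKE.
Constructed example for this page, not the paper's scheme or the Kyber reference code.
Assumptions: single-polynomial (k = 1) Kyber-like CPA PKE over Z_q[x]/(x^256 + 1),
q = 3329, centered-binomial noise with eta = 2 everywhere, schoolbook multiplication,
a simplified FO transform for the KEM, a uniform mask gamma_C = H1(pw) over R_q, and
hashed H2/H3 authenticators standing in for the paper's exact message contents."""
import hashlib, secrets

N, Q, ETA = 256, 3329, 2

def cbd(seed, nonce):  # centered binomial noise: (sum of eta bits) - (sum of eta bits)
    bits = ''.join(f'{b:08b}' for b in hashlib.shake_256(seed + bytes([nonce])).digest(N * ETA // 4))
    w = 2 * ETA
    return [(bits[w*i:w*i+ETA].count('1') - bits[w*i+ETA:w*i+w].count('1')) % Q for i in range(N)]

def uniform_poly(seed):  # Kyber's Parse: rejection-sample 12-bit values below q from an XOF
    buf, poly, i = hashlib.shake_128(seed).digest(1536), [], 0
    while len(poly) < N:
        d1, d2 = buf[i] | ((buf[i+1] & 15) << 8), (buf[i+1] >> 4) | (buf[i+2] << 4)
        poly += [d for d in (d1, d2) if d < Q][:N - len(poly)]
        i += 3
    return poly

def mul(a, b):  # schoolbook product in Z_q[x]/(x^N + 1); the real scheme uses the NTT
    r = [0] * (2 * N)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            r[i + j] += ai * bj
    return [(r[i] - r[i + N]) % Q for i in range(N)]

def add(a, b): return [(x + y) % Q for x, y in zip(a, b)]
def sub(a, b): return [(x - y) % Q for x, y in zip(a, b)]
def compress(x, d): return ((2 ** (d + 1) * x + Q) // (2 * Q)) % 2 ** d  # round((2^d/q)x) mod 2^d
def decompress(y, d): return (2 * Q * y + 2 ** d) // 2 ** (d + 1)         # round((q/2^d)y)

def max_decompress_error(d):  # worst |Decompress(Compress(x,d),d) - x mod+-q| over Z_q (B_q of Definition 2)
    errs = ((decompress(compress(x, d), d) - x) % Q for x in range(Q))
    return max(z if z <= Q // 2 else Q - z for z in errs)

def pke_keygen(rho, sigma):                # t = A*s + e, public key (rho, t), secret key s
    s = cbd(sigma, 0)
    return (rho, add(mul(uniform_poly(rho), s), cbd(sigma, 1))), s

def pke_enc(pk, msg, coins):               # u = A*r + e1, v = t*r + e2 + Decompress(m, 1)
    rho, t = pk
    r, e1, e2 = cbd(coins, 0), cbd(coins, 1), cbd(coins, 2)
    mpoly = [decompress((msg[i >> 3] >> (i & 7)) & 1, 1) for i in range(N)]
    u, v = add(mul(uniform_poly(rho), r), e1), add(add(mul(t, r), e2), mpoly)
    return [compress(x, 10) for x in u], [compress(x, 4) for x in v]

def pke_dec(s, ct):                        # m = Compress(v - s*u, 1), one bit per coefficient
    u, v = [decompress(y, 10) for y in ct[0]], [decompress(y, 4) for y in ct[1]]
    bits = [compress(x, 1) for x in sub(v, mul(s, u))]
    return bytes(sum(bits[8 * i + j] << j for j in range(8)) for i in range(32))

def H(*parts): return hashlib.sha3_256(b''.join(parts)).digest()
def enc_poly(p): return b''.join(c.to_bytes(2, 'little') for c in p)
def transcript(cid, rho, m, ct): return cid + rho + enc_poly(m) + enc_poly(ct[0] + ct[1])

def kem_encaps(pk):                        # simplified FO: (K_bar, coins) = G(m || H(pk))
    m = H(secrets.token_bytes(32))
    kr = hashlib.sha3_512(m + H(pk[0] + enc_poly(pk[1]))).digest()
    ct = pke_enc(pk, m, kr[32:])
    return ct, H(kr[:32], H(enc_poly(ct[0] + ct[1])))

def kem_decaps(s, pk, ct):                 # re-encryption check; real Kyber rejects implicitly
    m = pke_dec(s, ct)
    kr = hashlib.sha3_512(m + H(pk[0] + enc_poly(pk[1]))).digest()
    return None if pke_enc(pk, m, kr[32:]) != ct else H(kr[:32], H(enc_poly(ct[0] + ct[1])))

def H1(pw, cid): return uniform_poly(b'H1|' + cid + b'|' + pw)  # password mask gamma_C (assumed uniform)

def client_start(pw, cid):                 # C0: send m = t + gamma_C together with the seed of A
    pk, s = pke_keygen(secrets.token_bytes(32), secrets.token_bytes(32))
    return (pk, s), (cid, pk[0], add(pk[1], H1(pw, cid)))

def server_respond(gamma_S, msg1):         # S0: pk = m + gamma_S with gamma_S = -H1(pw); encapsulate
    cid, rho, m = msg1
    ct, K = kem_encaps((rho, add(m, gamma_S)))
    tr = transcript(cid, rho, m, ct)
    return (K, tr), (ct, H(b'H2', tr, K))

def client_finish(state, msg1, msg2):      # C1: decapsulate, check S's authenticator, derive ssk
    (pk, s), (ct, auth_S) = state, msg2
    tr, K = transcript(msg1[0], msg1[1], msg1[2], ct), kem_decaps(s, pk, ct)
    if K is None or H(b'H2', tr, K) != auth_S:
        return None, None                  # explicit authentication of the server failed: abort
    return H(b'H3', tr, K), H(b'ssk', tr, K)

def server_finish(state, auth_C):          # S1: check C's authenticator, derive the same ssk
    K, tr = state
    return H(b'ssk', tr, K) if auth_C == H(b'H3', tr, K) else None

def run(client_pw, server_pw, cid=b'client-01'):
    """Full exchange; the server stores gamma_S = -H1(pw) as its password-derived verifier."""
    gamma_S = [(-c) % Q for c in H1(server_pw, cid)]
    st_c, msg1 = client_start(client_pw, cid)
    st_s, msg2 = server_respond(gamma_S, msg1)
    auth_C, ssk_c = client_finish(st_c, msg1, msg2)
    return ssk_c, (server_finish(st_s, auth_C) if auth_C is not None else None)
```

With matching passwords `run()` returns two equal 32-byte session keys; with a wrong server-side verifier the server encapsulates to a public key the client never generated, the client's decapsulation fails the re-encryption check, and both sides return None, which is the explicit-authentication abort of phase C_1. `max_decompress_error(d)` reproduces the B_q bound of Definition 2 for the Kyber values d = 1, 4, 10 (832, 104 and 2 for q = 3329).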

SECURITY ANALYSIS
In the security analysis, the MLWE-based PAK components are used to show that A's probability of obtaining information about the session key with an online dictionary attack is negligible. In the adapted security model, A can make the following client-action (CA) and server-action (SA) queries.
• CA_0: A instructs an unused instance $C^i$ to send the related components to S.
• SA_1: A transfers the messages to an unused instance $S^j$ that waits for the first components of the scheme.
• CA_1: A transfers the related message to the instance $C^i$ that waits for the related components of the scheme.
• SA_2: A transfers the messages to the instance $S^j$ that waits for the final components of the scheme.
According to the MLWE-based PAKE security analysis, A can take on the role of a $C^i$, of an $S^j$, or of the partner instances $C^i$-$S^j$ by using these actions and the special events. In the examination, we modified the password guess events with respect to the MLWE and Kyber structures and present them in Table 3, since the constructed Kyber.PAKE relies on the hardness of MLWE and uses the Kyber components.
Kyber.PAKE's security proof shows that A cannot obtain a new ssk with a non-negligible advantage beyond that of an online dictionary attack. The advantage of A is given in Theorem 3.
Theorem 3 Let the proposed Kyber.PAKE scheme in Fig. 1 be denoted by S, the password dictionary size by DS, $|R_q^k| = q^{nk}$, and the running time of A by T. For $T' = O(T + (n_o + n_s + n_e) T_{exp})$, the advantage of A against the Kyber.PAKE scheme is given in Eq. (5).
Proof 3 Following the PAK security analysis (MacKenzie, 2002), a sequence of schemes {S0, S1, ..., S6} is used to prove Theorem 3. In each scheme, A gains a different capability for an online dictionary attack; finally, in S6, A can only make a password guess. The security of the proposed scheme is examined by proving that A's advantage in obtaining the session key of a fresh instance is smaller than that of an online dictionary attack.

S0: It is the original Kyber.PAKE scheme.

S1: Let m or pk be chosen randomly by the honest participants. If these values already appeared previously in the scheme, S1 halts and A fails. Let $\varepsilon_1 = O((n_e + n_s)(n_e + n_s + n_o)) / q^{nk}$.
Claim 2 For any A, $\mathrm{Adv}^{S0}_{Kyber.PAKE}(A) \le \mathrm{Adv}^{S1}_{Kyber.PAKE}(A) + \varepsilon_1$.
Proof 2 Let E1 and E2 describe the random selection of m and pk, and let E = E1 ∪ E2. Unless the event E occurs, S1 is identical to S0.
• Let E1 be the event m = m_1 = m_2 = m_3 = m_4 in the following cases:
– m_1 is obtained by a CA_0 action or an execute query;
– m_2 was generated by a previous CA_0 action or execute query;
– m_3 was used as an input of a previous SA_1 action;
– m_4 was used in a previous H_{l∈{2,3}}(·) query.
• Let E2 be the event pk = pk_1 = pk_2 = pk_3 = pk_4 in the following cases:
– pk_1 is generated by an SA_1 action or an execute query;
– pk_2 was obtained by a previous SA_1 action or execute query;
– pk_3 was used as an input of a previous CA_1 action;
– pk_4 was used in a previous H_{l∈{2,3}}(·) query.
Considering E1 and E2, it must be examined whether m and pk were previously generated or are new. The actions CA_0 and SA_1 correspond to send queries, and H_{l∈{2,3}}(·) to random oracle queries. A previously generated m or pk can be obtained by send, execute, and random oracle queries, so the probability that m or pk occurred in a previous session is $(n_e + n_s + n_o) / q^{nk}$. A new m or pk can only be generated by send and execute, so there are at most $(n_e + n_s)$ such values. Therefore, the probability that E happens is $\varepsilon_1 = O((n_e + n_s)(n_e + n_s + n_o)) / q^{nk}$.

S2: Unlike S1, send and execute queries are answered without making any random oracle queries. Afterwards, if a random oracle query is made, the answer is generated as consistently as possible with the earlier send and execute answers. The queries and answers of S2 are given in Algorithm 1. Let $\varepsilon_2 = O(n_s) / 2^{\kappa}$.
Claim 3 For any A, $\mathrm{Adv}^{S1}_{Kyber.PAKE}(A) \le \mathrm{Adv}^{S2}_{Kyber.PAKE}(A) + \varepsilon_2$.
Proof 3 In S2, since m and pk are new by S1, H_{l∈{2,3}}(·) is also new. Therefore, the only way to distinguish S1 and S2 is for A to query H_l(·) for l ∈ {2,3}. In Algorithm 1 there are two possible cases.
• A makes no H_1(pw_C) query, where −γ_S = H_1(pw_C), so the number of H_l(·) queries that can be consistent with a transcript is bounded by the number of send queries.
• A makes send(C,i,K') or send(S,j,K) queries through the actions CA_0, CA_1, SA_1, and SA_2 of Algorithm 1. None of these queries is the output of an H_2(·) query that would constitute a correct password guess. Therefore, the maximum probability that A can abort the simulation is $O(n_s) / 2^{\kappa}$, and Claim 3 is satisfied.

S3: Unlike S2, consistency with execute queries is not maintained when an H_{l∈{2,3}} query is made. In other words, the event Testexecpw(C,i,S,j,pw_C) is not checked, and the scheme responds with a random output rather than maintaining consistency with execute. Let $\varepsilon_3 = \mathrm{Adv}^{CCA}_{Kyber\ KEM}(A) + \mathrm{Adv}^{d\text{-}MLWE}_{R_q^k}(T', n_o)$.
Claim 4 For any A, $\mathrm{Adv}^{S2}_{Kyber.PAKE}(A) \le \mathrm{Adv}^{S3}_{Kyber.PAKE}(A) + \varepsilon_3$.
Proof 4 Let E3 be the occurrence of the event Correctpwexec in S3. If E3 happens, S2 and S3 are distinguishable. By Table 3, if Correctpwexec occurs, the event Testexecpw(C,i,S,j,pw) occurs with two consequences. Given (A, α, φ, ct):
• In the execute query, m = α + (As_1 + e_1) and pk = φ + m + γ_S are set, where $s_1 \leftarrow_r \beta_\eta^k$ and $e_1 \leftarrow_r \beta_\eta$. Then ct ←_r D_ct is chosen.
• With the query H_1(pw_C), −γ_S = As_h + e_h is determined, where $s_h \leftarrow_r \beta_\eta^k$ and $e_h \leftarrow_r \beta_\eta$. Under these changes, the simulator computes (ct, K') = Kyber.CCAKEM.Enc(pk) and adds the obtained (ct, K') to the list of possible values.
Since the advantage of A against Kyber KEM, given in Definition 4, is $\mathrm{Adv}^{CCA}_{Kyber\ KEM}(A)$ and the probability of solving d-MLWE is $\mathrm{Adv}^{d\text{-}MLWE}_{R_q^k}(T', n_o)$, Claim 4 is satisfied.

S4: Unlike S3, S4 halts when a correct password guess is made against an $S^j$ or $C^i$ instance before any corrupt query, i.e., when the event Correctpw happens. Then A automatically succeeds.
Claim 5 For any A, $\mathrm{Adv}^{S3}_{Kyber.PAKE}(A) \le \mathrm{Adv}^{S4}_{Kyber.PAKE}(A)$.
Proof 5 If the event Correctpw occurs:
• In a CA_1 action to $C^i$, if corrupt is not queried after Testpw!(C,i,S,pw_C), S4 halts and A succeeds.
Claim 5 is satisfied, as these changes can only increase the winning probability of A.

S5: Unlike S4, S5 halts when A guesses the password against the partner instances $S^j$ and $C^i$, i.e., when the event Pairedpwguess happens. Then A fails. Let $\varepsilon_4 = \mathrm{Adv}^{CCA}_{Kyber\ KEM}(A) + 4 n_s \mathrm{Adv}^{d\text{-}MLWE}_{R_q^k}(A)$.
Claim 6 For any A, $\mathrm{Adv}^{S4}_{Kyber.PAKE}(A) \le \mathrm{Adv}^{S5}_{Kyber.PAKE}(A) + \varepsilon_4$.
Proof 6 For some {C,i,S,j}, if Pairedpwguess occurs, a Testpw(C,i,S,j,pw_C) event also occurs, and in this event $C^i$ and $S^j$ are partners. Let d ←_r {1,2,...,n_s} be chosen and (A, α, φ, ct) be given. The changes of S5 are simulated as in Algorithm 2. Since the ROM security of Kyber KEM, given in Definition 4, is $\mathrm{Adv}^{CCA}_{Kyber\ KEM}(A)$ and the probability that d-MLWE is solved through the send queries is $4 n_s \mathrm{Adv}^{d\text{-}MLWE}_{R_q^k}(A)$, Claim 6 is satisfied.

S6: Unlike S5, S6 has an internal password oracle that knows all passwords for a given client/server pair and can test the correctness of a provided password.
Claim 7 For any A, $\mathrm{Adv}^{S5}_{Kyber.PAKE}(A) = \mathrm{Adv}^{S6}_{Kyber.PAKE}(A)$.
Proof 7 Using the password oracle:
• All passwords are generated during initialization, and a specific password can be tested as follows: if pw = pw_C, the output of testpw(C,pw) is True; otherwise, the output is False.
• Every corrupt(U) query is accepted and answered.
In S6, Testpw(C,i,S,pw) for $C^i$, Testpw(S,j,C,pw) for $S^j$, and Testpw(C,pw) for the password oracle are all checked for the occurrence of Correctpw. So S5 and S6 are completely indistinguishable, and Claim 7 is satisfied.

In S6, A has two ways to gain a non-negligible advantage against Kyber.PAKE.
• Online dictionary attack: the CDF-Zipf model of Definition 8 bounds the probability of the event Correctpw in the proposed Kyber.PAKE, since Correctpw is A's successful recovery of the password through online dictionary attacks.
• A test query: let $U^i$ be a fresh instance and let A make a test(U,i) query to $U^i$. Since the view of A is completely independent of the ssk of $U^i$, $\Pr[Suc^{S6}_{Kyber.PAKE}(A) \mid \neg Correctpw] = 1/2$.
Considering these two options, Eq. (6) is obtained. When Eq. (2) is rewritten using Claims 2-7, Eq. (7) is obtained.

Algorithm 1 S2 Queries and Answers
• In an execute(C,i,S,j) query, m = As + e is set, where $s \leftarrow_r \beta_\eta^k$ and $e_i \leftarrow_r \beta_\eta$; pk ←_r D_pk, ct ←_r D_ct, {K, K'} ←_r {0,1}^κ, and the session keys ssk are chosen.
– As a result of this query, if a Testpw!(C,i,S,pw_C) event happens, then K and $ssk^1_i$ are set to the values associated with Testpw(C,i,S,pw_C,2) and Testpw(C,i,S,pw_C,3).
• As a result of an SA_2 action, the instance terminates normally if one of the following conditions is satisfied; otherwise, $S^j$ aborts.
– A Testpw!(S,j,C,pw_C) event happens, or $S^j$ has a partner $C^i$.
• As a result of an H_{l∈{2,3}}(C,S,m,γ_S,pk,K) query, if one of the following conditions is met, the output is the value associated with the event; otherwise, the output is chosen at random from {0,1}^κ.
– A Testpw(S,j,C,pw_C,l) or a Testexecpw(C,i,S,j,pw_C) event happens.

Algorithm 2 S5 Changes
• For the d-th send(C,i,S) query to $C^i$, m = α is set.
• In a send(S,j,<C,m,seed>) query, pk = φ + m + γ_S is computed.
• In a send(C,i,<pk,ct,K'>) query, if $C^i$ has no partner, the output is 0 and S5 halts.
• Let $S^j$ and $C^i$ be partners after the send(S,j,<C,m,seed>) query when a send(S,j,K) query is made to $S^j$. If the instances have no partnership after this query and Correctpw is not tested, $S^j$ aborts.
• Then A makes an H_{l∈{2,3}}(·) query, where m and pk were obtained with $C^i$. The output of the H_1(pw_C) query is defined by −γ_S = As_h + e_h, where $s_h \leftarrow_r \beta_\eta^k$ and $e_h \leftarrow_r \beta_\eta$. Under these changes, the simulator computes (ct, K') = Kyber.CCAKEM.Enc(pk) and adds the obtained (ct, K') to the list of possible values.

Notes.
Bold values indicate cases where the proposed scheme provides better results than the compared ones in terms of the analyzed metrics.
Table 6 gives the average run-time results, broken down by common components, scheme phases, hash functions, and reconciliation structures. Due to its parameter set, Kyber.PAKE gives better results for generating pk (A) with GenMatrix() and for the hash functions. Since KEM structures such as encapsulation and decapsulation, which carry additional components for security, are used in Kyber.PAKE, it requires more run-time than MLWE.PAKE for reconciliation. Considering the total times on the client and server sides, MLWE.PAKE is better on the client side. One reason is that in MLWE.PAKE key generation takes place on both the client and the server side, whereas in Kyber.PAKE it is performed only on the client side. The different design approaches, reconciliation functions, and parameter sets also have an effect.
The computational cost evaluation of lattice-based two-party PAKEs constructed with the one-phase idea is also provided in Table 7. Even though the selected schemes were designed under the same approach, their security rests on different hard problems, so only a message-size-based evaluation is presented in Table 7.
In Table 7, the results are obtained as follows. In Kyber.PAKE's protocol flow, {seed, cid, m_bytes, K} are transferred to the server. On the server side, {pk, ct, K'} are sent to the client. From the way these values are chosen or computed, {seed, cid, K, K'} are fixed 32-byte values and {m_bytes, pk_bytes} = k · 384 bytes, where k differs for each security level.
The message sizes of Kyber.PAKE for the 128-bit security level are computed as follows.

Notes.
Bold values indicate cases where the proposed scheme provides better results than the compared ones in terms of the analyzed metrics.
Remark 2 The comparisons in Tables 5 and 6 are conducted by assuming that Ren, Gu & Wang (2023) provides approximately the same security levels. Note that Kyber.PAKE will give better results when the parameters are changed to achieve exactly the same security levels.
Using the Kyber.PAKE C code (Dursun, 2023a), Java code (Dursun, 2023b) was also written to demonstrate the usability of the proposed scheme on mobile devices. In the implementation, a computer with a 2.5 GHz dual-core Intel Core i5 processor and 8 GB RAM is used as the server. A Samsung Galaxy A51 (8 cores, with 4x 2.3 GHz ARM Cortex-A73 main cores and 4x 1.7 GHz ARM Cortex-A53 cores) is used as the client. The mobile results of Kyber.PAKE in terms of run-time, memory, and CPU usage are given in Table 8, obtained by running all phases of the client and server 1,000 times. The mobile device compatibility of Kyber.PAKE is also analyzed in terms of energy, memory, and CPU usage. For 128-bit security, each sub-process of Kyber.PAKE is examined with the Android Profiler tool of Android Studio and shown in Fig. 2. As a case scenario, the energy consumption metric is detailed in Fig. 3.
Figures 2 and 3 show that, although the proposed PAKE does not contain any optimization or improvement techniques, it has relatively low resource usage. Therefore, the constructed Kyber.PAKE is a suitable choice for a post-quantum secure mobile environment.
Remark 3 Note that other lattice-based PAKE schemes for two-party mobile device security (Dabra, Bala & Kumari, 2020; Ding, Cheng & Qin, 2022; Seyhan & Akleylek, 2024) were proposed with different approaches, hardness assumptions, and additional properties. When we checked these proposals, no source code was available and results were not provided for all metrics, such as memory, CPU, and energy usage. Therefore, we compared the MLWE-based PAKEs in terms of running time and presented a computational cost examination for all two-party PAK-style PAKEs.

CONCLUSION AND FUTURE DIRECTIONS
In this article, a two-party PAKE version of Kyber KEM is constructed as a proposal for post-quantum PAKE requirements, adapting the standard algorithm to a different purpose and usage area. Kyber.PAKE is obtained by adjusting the traditional PAK design idea to the MLWE problem and the Kyber KEM functions. In the password-authenticated shared key generation, it is shown that explicit authentication and PFS are achieved. The security of Kyber.PAKE is analyzed with respect to dictionary attack resistance under ROM assumptions. In this examination, the CDF-Zipf model is also adopted to obtain more realistic security bounds that reflect the real-world distribution of passwords. The reference implementation results show that Kyber.PAKE can be one of the best choices for post-quantum era security in terms of run-time, memory, and CPU usage. The mobile device usage of the proposed PAKE is also analyzed with a reference Java implementation. As far as we know, the constructed Kyber.PAKE is the first PAKE adaptation of the NIST PQC KEM standard with mobile environment compatibility. As future work, the security examination of Kyber.PAKE will be extended to quantum random oracle model assumptions, and resource-limited device usage will be improved through arithmetic optimizations.

Table 2 Kyber KEM and PKE structures.
In the security analysis, the instance freshness provides PFS.

Table 4 Parameter set.

Table 7 A comparison for message sizes of lattice-based PAK PAKE schemes.
Bold values indicate cases where the proposed scheme provides better results than the compared ones in terms of the analyzed metrics.

Table 8 Implementation results of Kyber.PAKE on mobile device.
In microseconds.Bold values indicate cases where the proposed scheme provides better results than the compared ones in terms of the analyzed metrics. *