HPQKE: Hybrid Post-Quantum Key Exchange Protocol for SSH Transport Layer From CSIDH

Secure Shell (SSH) is a robust cryptographic network protocol designed to establish a secure and encrypted connection over potentially insecure networks, which is typically used for remote login and command-line execution on remote systems. As its core foundation, SSH Transport Layer Protocol relies on the classic (Elliptic Curve) Diffie-Hellman ((EC)DH) key exchange protocol to achieve session key establishment, whose security is essentially based on the (EC) discrete logarithm problem ((EC)DLP). However, the classic (EC)DLP problem could be broken using sufficiently powerful quantum computers when it comes to the post-quantum era, which implies that the traditional SSH protocol will be insecure against the quantum computer attacks. To this end, this paper presents a hybrid post-quantum alternative for the SSH Transport Layer Protocol, called as HPQKE, which combines the supersingular isogeny based post-quantum CSIDH (Commutative Supersingular Isogeny Diffie-Hellman) and the classic ECDH key exchange protocols together. The security of each individual key exchange protocol within the presented HPQKE operates independently, ensuring that the overall security of the HPQKE remains at least as robust as the most secure key exchange protocol employed during its key exchange processes. Moreover, we formally prove that if the used MAC scheme is EUF-CMA secure, then (1) HPQKE is a post-quantum secure key exchange protocol if the CSIDH based Gap Computational Diffie-Hellman (CSI-GDH) security assumption holds, and (2) HPQKE is a classically secure key exchange protocol if the traditional GDH security assumption holds. In addition, we provide a prototype implementation for the HPQKE in a real network environment, and the corresponding experimental results intuitively demonstrate its practical feasibility.