protocols in order to oppose potential attacks from quantum computers. Research on quantum computers, which exploits quantum mechanical phenomena to solve hard mathematical problems that are intractable for traditional computers, has increased signi cantly in recent years.

problem, the discrete logarithm problem, and the elliptic-curve discrete logarithm problem) can be e ciently solved by a su ciently large quantum computer. Meanwhile, many important milestones in the construction of quantum computer hardware have been achieved with the involvement of many giants, such as Intel, IBM, and Google. That makes practical quantum computers closer and closer to reality. Therefore, research on building new post-quantum cryptographic protocols and security veri cation of those post-quantum cryptosystems has got extensive attention from cryptography and security research groups in recent years.

is known as one of the most widely used cryptographic protocols. The hybrid terminology in the name of the proposed protocol refers to the hybrid key exchange mode used in the protocol: one is a conventional key exchange algorithm, i.e., Elliptic Curve Di e-Hellman (ECDH), and the other is a post-quantum key encapsulation mechanism (KEM), which can be one of Kyber [ 3 ],

classical adversary and at least as secure as the selected post-quantum KEM (PQ KEM) against a quantum adversary.

Maude-NPA is a powerful formal veri cation tool for analyzing cryptographic protocols that uses a backward narrowing reachability analysis modulo an equational theory and the Dolev-Yao strand space model [ 6, 7 ], which gives intruders capable of intercepting, modifying, and injecting messages to impersonate other protocol principals. Narrowing is a generalization of term rewriting that allows logical variables in terms and replaces pattern matching by uni cation and so Maude-NPA supports a symbolic execution. The backward narrowing reachability analysis starts from a nal insecure pattern that represents insecure states, a so-called attack pattern, to check whether it is reachable from an initial state, which has no further backward steps.

otherwise, the attack cannot. The advantage of Maude-NPA is that it supports protocols with an unbounded session model and di erent equational theories as other modern analyzers, such as Tamarin [ 8 ], and especially it is fully automatic. This paper focuses on presenting the formal speci cation of the Hybrid Post-Quantum TLS protocol in Maude-NPA, which is the rst step toward conducting a security formal analysis of the protocol.

related to Maude and Maude-NPA. Then, Section 3 describes in detail messages exchanged in the Hybrid PQ TLS protocol. Section 4 is the main content of the paper, where we present how to formally specify the protocol in Maude-NPA. After that, Section 5 mentions some related work, and nally, Section 6 summarizes our paper. The full speci cation of the protocol in

A functional module M speci es an order-sorted equational logic theory (⌃ , E ) with the syntax: fmod M is (⌃ , E ) endfm, where ⌃ is an order-sorted signature and E is the collection of equations in the functional module. (⌃ , E ) may contain a set of declarations as follows: • importations of previously de ned modules (protecting . . . or extending . . . or including . . .) • declarations of sorts (sort s . or sorts s s0 .) • subsort declarations (subsort s < s0 .) • declarations of function symbols (op f : s1 . . . sn ! s [att1 . . . attk] . ) • declarations of variables (vars v v0 .) • unconditional equations (eq t = t0 .) • conditional equations (ceq t = t0 if cond .) where s, s1, . . . , sn are sort names, v, v0 are variable names, t, t0 are terms, cond is a conjunction of equations (e.g., t = t0), and att1, . . . attk are equational attributes. Equations are used as equational rules to perform the simpli cation in which instances of the lefthand side pattern that match subterms of a subject term are replaced by the corresponding instances of the righthand side. The process is called term rewriting and the result of simplifying a term is called its normal form.

A system module R speci es a rewrite theory (⌃ , E , R) with the syntax: mod R is (⌃ , E , R) endm, where ⌃ and E are the same as those in an equational theory and R is the collection of rewrite rules in the system module. (⌃ , E , R) may contain all possible declarations in (⌃ , E ) and rewrite rules in R as follows: • unconditional rewrite rules (rl [label] : u => v .) • conditional rewrite rules (crl [label] : u => v if cond .) where label is the name of a rewrite rule, u, v are terms, and cond is a conjunction of equations and/or rewrites (e.g., t => t0). Rewrite rules are also computed by rewriting from left to right modulo the equations in the system module and regarded as local transition rules, making many possible state transitions from a given state in a concurrent system. Narrowing is a generalization of term rewriting that allows logical variables in terms and replaces pattern matching by uni cation. Let us use a classical example in the Maude community to describe how narrowing works. The formal de nition of narrowing can be found in [ 11 ]. The following system module speci es a concurrent machine to buy cakes (c) and apples (a) with dollars ($) and quarters (q). We suppose that a cake costs a dollar (see the rewrite rule labeled as buy-c below) while an apple costs three quarters (the rewrite rule buy-a). The machine only allows buying cakes and apples with dollars. However, the machine can change four quarters into a dollar (the rewrite rule change). mod NARROWING-VENDING-MACHINE is sorts Coin Item Marking Money State . subsort Coin < Money . op empty : -> Money . op __ : Money Money -> Money [assoc comm id: empty] . subsort Money Item < Marking . op __ : Marking Marking -> Marking [assoc comm id: empty] . op <_> : Marking -> State . ops $ q : -> Coin . ops c a : -> Item . var M : Marking . rl [buy-a] : < M $ > => < M a q > [narrowing] . rl [buy-c] : < M $ > => < M c > [narrowing] .

eq [change] : q q q q M = $ M [variant] . endm where the __ operator is associative and commutative and has an identity element empty, the <_> operator speci es the machine state, and narrowing and variant attributes are specially used for narrowing and variant-based equational uni cation algorithms [ 12 ]. Let us consider a term < M1 > as an initial state that only contains a variable of the sort Money. There would be several traces from the initial state by using narrowing. At each narrowing step, we must choose which subterm of the subject term, which rewrite rule of the speci cation, and which instantiation on the variables of the subterm and the left-hand side of the rewrite rule (or which uni er (or substitution) of the subterm and the left-hand side of the rewrite rule) are going to be considered. Note that only rewrite rules with a narrowing attribute are considered and only equations with a variant attribute are used to decide the uni cation problem modulo the equations. Each narrowing step applied to a given state produces a new branch in the reachability tree. For example, for each rewrite rule of the machine, there is only one uni er that makes the initial state equal to the left-hand side of the rewrite rule. Therefore, we can only obtain the following two narrowing steps, generating only two successor states from the initial state, by performing narrowing just by one step as follows: < M1 > < M1 > 1, buy-a < a q M2 > 10, buy-c < c M2’ > where M2 and M2’ are variables of the sort Money and the substitutions are 1 = {M1 7! $ M2, M 7! M2} and 10 = {M1 7! $ M2’, M 7! M2’} with the rewrite rules buy-a and buy-c, respectively.

numbers in the ClientHello and ServerHello messages signed by the server’s long-term private key. In the case when client authentication is requested, the server sends a CertificateRequest message, which is optional. A ServerHelloDone message is then sent to the client to signal the completion of the hello-message phase on the server side.

ClientKeyExchange message, which consists of the client’s ECDHE public key and the KEM ciphertext. Before that, if the server has sent a CertificateRequest message, the client must send their certi cate (a Certificate message) rst. Similarly, if the server has requested client authentication, the client will then send a CertificateVerify message, whose content is a digital signature over all handshake messages exchanged so far signed by the client’s long-term private key. After that, a ChangeCipherSpec message (which belongs to the change cipher spec protocol) is sent to notify that all subsequent messages will be encrypted by the newly negotiated keys. Finally, the client sends a Finished message, whose content is a hash of all handshake messages encrypted by a handshake key just negotiated.

message is correct. If so, the server sends their own ChangeCipherSpec and Finished messages.

section rst presents strands notation, and how we can use them to model protocol execution via a simple example. Comprehension of this concept is an essential step to understanding how we can specify the protocol in Maude-NPA later.

op n : Name Fresh -> Nonce [frozen] . where the frozen attribute is attached following the Maude-NPA convention, which is necessary to tell Maude not to attempt to apply rewrites at the arguments of this operator. Suppose that

op pk : Name Msg -> Msg [frozen] . op sk : Name Msg -> Msg [frozen] .

protocol execution from the A side is then de ned as follows: :: r :: [ nil | +(pk(B, A ; n(A,r))), -(pk(A, n(A,r) ; N)), +(pk(B, N)), nil ] The strand says that initially, A generates a nonce based on the fresh r and sends it to B together with A’s ID encrypted by B’s public key. When A receives another message whose content is their nonce sent in the rst message and another nonce N encrypted under A’s public key (which can be checked by using their secret key to decrypt the received ciphertext), A replies to B the new nonce N encrypted under B’s public key. Note that :: r :: denotes the fresh r is generated in the strand and all messages are put after the vertical bar following the Maude-NPA convention because the vertical bar is irrelevant when specifying the protocol execution. Note also that ; is the in x operator of messages concatenation, which is declared as follows: op _;_ : Msg Msg -> Msg [frozen] .

de ned as follows: :: r :: [ nil | -(pk(B, A ; N)), +(pk(A, N ; n(B,r))), -(pk(B, n(B,r))), nil ]

an intruder strand is limited to be in form of a sequence of negative messages (possibly empty) followed by one positive message combining all previous variables under a function symbol. For example, to specify the intruder capability in concatenating two arbitrary messages, we de ne the following strand: :: nil :: [ nil | -(M1), -(M2), +(M1 ; M2), nil ] where M1 and M2 are variables of the sort Msg. The strand says that if the messages M1 and M2 are available to the intruder, then the intruder can produce the message M1 ; M2.

KeyGen() and (c, k)

Pr[Decaps(c, sk) 6= k]  ✏

always correctly return the same shared key k. Idealizing assumptions like that are typically necessary when conducting security analysis in the symbolic model. Furthermore, because a

omitting such Decaps-failure cases. For example, with Kyber, that failure probability is below 2 140 [ 3 ], i.e., Kyber is ✏-correct with ✏ < 2 140.

op pqSk : Name Fresh -> PqSk [frozen] .

the sort Name is not strictly necessary, but it is convenient for identifying the owner of a key.

op decap : Cipher PqSk -> PqKey [frozen] .

Unlike Decaps, it is a bit tricky to specify the KeyGen and Encaps procedures because they are probabilistic algorithms. For each of the two procedures, we add an argument of the sort PqSk to make them become deterministic procedures. With the Encaps procedures, we declare two separate Maude operators: encapCipher and encapKey that return the ciphertext c and the key k, respectively. We declare the following operators: op pqPk : PqSk -> PqPk [frozen] . op encapCipher : PqPk PqSk -> Cipher [frozen] . op encapKey : PqPk PqSk -> PqKey [frozen] .

The rst operator models the KeyGen procedure, while the two others model the Encaps procedure. The algebraic properties of KEMs are then speci ed as follows: op $pqKey : PqSk PqSk -> PqKey [frozen] . eq encapKey(pqPk(S:PqSk), S2:PqSk) = $pqKey(S:PqSk, S2:PqSk) [variant] . eq decap(encapCipher(pqPk(S:PqSk),S2:PqSk), S:PqSk)

= $pqKey(S:PqSk, S2:PqSk) [variant] . where the variant attribute denotes that the two equations are not regular Maude equations used for simpli cation, but are equations used for variant-based equational uni cation [ 12 ]. Here we introduce one more operator, namely $pqKey, which is necessary for specifying the rewritings of encapKey and decap (Encaps and Decaps steps) on proper arguments resulting in the same key. The rst equation can be straightforwardly comprehended. The second equation states that given an encapsulation en and a secret key sk, a principal can perform Decaps(en, sk) to get the proper shared key only if en is the result of Encaps when taking as input the public key associated with the secret key sk. 4.2.2. ECDH and key calculation specification

sort Scalar Point ECKey . subsort Point < ECKey .

op p : -> Point . op sk : Name Fresh -> Scalar [frozen] . op gen : Point Scalar -> Point [frozen] . op _*_ : Scalar Scalar -> Scalar [frozen assoc comm] . The constant p denotes a point generator on the curve, which is publicly known by everyone including the intruder. The operator sk takes as inputs a principal name and a fresh, and outputs a scalar, which serves as a secret key. The operator gen takes as inputs a point and a (secret) scalar and returns as output another point. In particular, when the rst argument is a point generator, the operator outputs a public key, which is used to send to the other peer; and when the rst argument is a public key received from the opposite peer, the operator outputs a shared key. The last operator is the associative-commutative multiplication operation on scalars, thanks to the Maude attributes assoc and comm. The algebraic property of ECDH is then speci ed as follows:

Sorts PreMasterSecret and MasterSecret are introduced to represent premaster secrets and master secrets in the protocol key calculation. We then model their calculations with the following operators: op pms : ECKey PqKey -> PreMasterSecret [frozen] . op ms : PreMasterSecret Rand Rand Point Cipher -> MasterSecret [frozen] . where the sort Rand represents random numbers generated by clients and servers. A pre-master secret is the concatenation of an ECDH shared secret and a PQ KEM shared secret. Whereas, a master secret is computed by the pseudorandom function (PRF) from a pre-master secret and a seed, which is the combination of the two random numbers in the ClientHello and ServerHello messages and the ECDH public key & PQ encapsulation in the ClientKeyExchange message sent in that session. 4.2.3. Honest principal specification We use three operators rd, sess, and cert that serve as functions to produce random numbers, session IDs, and digital certi cates, respectively. We also de ne operators sig and enc re ecting the signature and encryption functions. All of them are as follows: op rd : Name Fresh -> Rand [frozen] . op sess : Name Fresh -> Session [frozen] . op cert : Name -> Cert [frozen] . op sig : Name Msg -> Msg [frozen] . op enc : MasterSecret Msg -> Msg [frozen] .

With a server S, a message M, and a master-secret MS, enc(MS,M) denotes the ciphertext obtained by encrypting M by MS, while sig(S,M) denotes the signature over message M signed by the longterm private key of server S. By using a name as an argument of the signature algorithm instead of explicit private key encryption (for example, sig(priKey(S),M)), we implicitly associate a long-term private key with its owner’s name. For the sake of simplicity and for reducing the size of the state space, cert(S) is used to denote the digital certi cate of the server S, while in fact, the certi cate must contain information about the trusted certi cate authority and the public key of S. By using that simpli cation form, we explicitly associate a certi cate with its owner’s name and ignore the case when the intruder tries to fake a certi cate.

Finished message from a client’s side is speci ed as follows: :: r1,r2,r3 :: [ nil | +(ch ; rd(C,r1)), -(sh ; N ; SS), -(sc ; cert(S)), -(ske ; PK1 ; PK2 ; sig(S, PK1 ; PK2 ; rd(C,r1) ; N)), +(cke ; gen(p,sk(C,r2)) ; encapCipher(PK2, pqSk(C,r3))), +(cf ; enc(ms(pms(gen(PK1,sk(C,r2)), encapKey(PK2, pqSk(C,r3))),

rd(C,r1), N, gen(p,sk(C,r2)), encapCipher(PK2, pqSk(C,r3))), (ch ; rd(C,r1)) ++ (sh ; N ; SS) ++ (sc ; cert(S)) ++ (ske ; PK1 ; PK2 ; sig(S, PK1 ; PK2 ; rd(C,r1) ; N)) ++ (cke ; gen(p,sk(C,r2)) ; encapCipher(PK2, pqSk(C,r3)))) where ch, sh, sc, ske, cke, and cf are constants of the sort Msg, which are acronyms of ClientHello, ServerHello, Server Certificate, ServerKeyExchange, ClientKeyExchange, and client’s Finished. The ++ operator denotes message concatenation. The strand says that the client starts a new connection by sending a ClientHello message with a random number denoted by rd(C,r1). When the client receives back a ServerHello message, a valid server Certificate message, and a valid ServerKeyExchange message with ECDH and PQ public keys by means of

key exchange and the encapsulation computed with PK2 as one of the inputs. Together with that message, the client also sends a Finished message, whose content is derived by encrypting the concatenation of all messages exchanged so far (denoted by ++) under the master secret key.

the master secret as the symmetric key for encryption of the Finished message, but actually in the protocol design, such a symmetric key is computed by the PRF function from the master secret and the two random numbers in the ClientHello and ServerHello messages. In addition, we also suppose that client authentication is not requested, we eliminate ServerHelloDone &

version, cipher suites, and PQ KEMs parameters are excluded. Note also that the use of ++ is unnecessary. For example, based on the de nition of _++_, (ch ; rd(C,r1)) ++ (sh ; N ; SS) is rewritten to (ch ; rd(C,r1) ; sh ; N ; SS), so we can exclude the use of ++. However, we de ne and keep on using it because we want to show each message separately so that readers can easily follow.

Finished message by the following strand: :: r1,r2,r3,r4 :: [ nil | -(ch ; N), +(sh ; rd(S,r1) ; sess(S,r2)), +(sc ; cert(S)), +(ske ; gen(p,sk(S,r3)) ; pqPk(pqSk(S,r4)) ;

sig(S, gen(p,sk(S,r3)) ; pqPk(pqSk(S,r4)) ; N ; rd(S,r1))), -(cke ; PK1 ; CP), -(cf ; enc(ms(pms(gen(PK1,sk(S,r3)), decap(CP, pqSk(S,r4))),

N, rd(S,r1), PK1, CP), (ch ; N) ++ (sh ; rd(S,r1) ; sess(S,r2)) ++ (sc ; cert(S)) ++ (ske ; gen(p,sk(S,r3)) ; pqPk(pqSk(S,r4)) ;

sig(S, gen(p,sk(S,r3)) ; pqPk(pqSk(S,r4)) ; N ; rd(S,r1))) ++ (cke ; PK1 ; CP)) where CP is a variable of the sort Cipher. Note that in both strands, we exclude the appearance of the server’s Finished message because they are too long to show all. Readers can nd the complete speci cation from the webpage provided in Section 1. 4.2.4. Intruder capabilities Maude-NPA uses the standard Dolev-Yao intruder model [ 6 ], that is the intruder can, for example, intercept and glean information from any message in the network; fake, synthesize, and send messages based on the gleaned information. Similar to the capability in concatenation messages presented in Section 4.1, we specify the deconcatenation message capability for the intruder as follows: :: nil :: [ nil | -(M1 ; M2), +(M1), nil ] & :: nil :: [ nil | -(M1 ; M2), +(M2), nil ] &

:: r :: [ nil | +(rd(i,r)), nil ] & :: r :: [ nil | +(sk(i,r)), nil ] &

:: nil :: [ nil | -(PK2), -(SK), +(encapCipher(PK2,SK)), nil ] & :: nil :: [ nil | -(PK2), -(SK), +(encapKey(PK2,SK)), nil ] & :: nil :: [ nil | -(CP), -(SK), +(decap(CP,SK)), nil ] &

With ECDH, an important assumption we suppose is that the intruder can break the key exchange security by utilizing the power of quantum computation. That is, if the intruder knows the two ECDH public keys exchanged between a client and a server, then the intruder can derive the shared secret key. This is done by the following strand: :: nil :: [ nil | -(gen(p,K1)), -(gen(p,K2)), +(gen(p,K1 * K2)), nil ] where K1 and K2 are variables of Scalar.

WireGuard) protocol [ 14 ]. This is a quantum-resistant version of the WireGuard protocol [ 15 ], which is a lightweight and high-performance VPN protocol. The veri cation con rms that the protocol enjoys the desired security properties inherited from the WireGuard protocol and also resists attacks using a large-scale quantum computer. The veri cation used the Tamarin prover [ 8 ], which is known as one of the state-of-the-art formal veri cation tools for symbolic analysis of cryptographic protocols. Similar to Maude-NPA, they have rst symbolically modeled the primitives, messages, etc. used in the protocol as function symbols and terms, and then speci ed the desired security properties. However, unlike Maude-NPA, several commonly used primitives are pre-de ned as built-in functions in Tamarin, such as the Di e-Hellman key exchange algorithm, symmetric and asymmetric encryption, hashing, and digital signatures, while Maude-NPA leaves all of these de nitions to human users. To prove the protocol enjoys the desired properties, they also introduced some auxiliary lemmas, which are also needed to prove. Conjecturing lemmas, however, is one of the most intellectual tasks in formal veri cation, which is not a new issue in the theorem proving eld.

Using some additional lemmas to complete veri cation in Tamarin is called the interactive mode, distinguishing it from the fully automated mode. This way of veri cation is useful when the tool fails to prove properties in the fully automated mode or the time taken is too long. Tamarin operates based on multiset rewriting and its veri cation algorithm is based on constraint solving. Similar to Maude-NPA, the tool can handle an unbounded number of sessions (executions) of protocols. Once the tool terminates, it returns either proof of security correctness or an attack. A Tamarin speci cation is essentially a state machine where each state is a multiset of facts. Transitions between states are de ned by rules. Rules specify the protocol execution, the behavior of honest parties as well as the capabilities of the intruder. A security property is modeled as a trace property, and then Tamarin checks the satis ability and/or the validity of the property. If it is the validity checking, Tamarin rst converts it to checking the satis ability of the negated formula formalizing the property. Constraint solving is then used to perform an exhaustive, symbolic search for executions with the trace until a satisfying trace is found or no more rewrite rules can be applied. Roughly speaking, the negation of the formula formalizing the validity property in Tamarin corresponds to the attack pattern in Maude-NPA, and the satisfying trace, if found, in Tamarin corresponds to the initial state, if found, in Maude-NPA.

Cremers et al. [ 16 ] have presented a comprehensive security analysis of TLS 1.3 [ 17 ], precisely, the TLS 1.3 draft 21 release candidate. They used the Tamarin tool to verify the claimed security requirements, which were stated in the draft, with respect to a Dolev-Yao intruder. Their analysis considers all the possible interactions of the available handshake modes in TLS 1.3, such as pre-shared key (PSK) based resumption and zero round trip time (0-RTT), which are new mechanisms only available from version 1.3. Similar to the work in [ 14 ], to complete the security veri cation, they have conjectured a number of auxiliary lemmas, with some manual interaction in the Tamarin interactive mode.

which is the rst step toward conducting a security analysis of the protocol with Maude-NPA.

execute experiments to check the satis ability of the secrecy property and the authentication property. In addition to the original Maude-NPA, we are also going to use a parallel version of Maude-NPA [ 11 ] for the experiments to make the best use of multicore architectures, for which we strongly believe that a better running performance than the original one in terms of veri cation time will be obtained.

analysis by formal methods is necessary to verify and construct secure post-quantum cryptosystems. Security veri cation by Maude-NPA is fully automated, that is no manual e ort is required once the formal speci cation and the attack pattern are provided, but it may take a quite long time if the state space of the system under veri cation is huge (i.e., state explosion).

of post-quantum cryptographic protocols using some interactive approaches that take less time but often require some manual human user e ort. CafeOBJ/proof score approach [ 18, 19 ] is a promising way, for which we plan to use it to tackle the formal veri cation of the Hybrid PQ