Post-Quantum Extended Diffie–Hellman
In cryptography, Post-Quantum Extended Diffie–Hellman (PQXDH) is a Kyber-based post-quantum key exchange method built on the Diffie–Hellman key exchange. It has been a key part of the Signal Protocol, a popular end-to-end encryption protocol, since 2023.
PQXDH is a variant of the X3DH protocol that uses both the quantum-resistant Kyber protocol and the classical elliptic-curve X25519 protocol. This ensures that an attacker must break both protocols to gain access to sensitive data. The protocol is designed for asynchronous communication: the clients exchange public keys through a server to derive a secure shared key, which they can then use to encrypt sensitive data without needing to constantly sync new keys with each other.
In October 2023, the protocol underwent formal verification, which managed to "prove all the desired security properties of the protocol" for its second revision. However, PQXDH relies entirely on elliptic-curve cryptography for authentication.
Description
PQXDH combines elliptic-curve cryptography with a post-quantum key encapsulation mechanism (PQ-KEM) to derive a shared secret between two parties. In practice, Kyber is used as the PQ-KEM. PQXDH only requires a single message to be sent. Before the message is sent, the receiver must have published several public keys to the server: a long-term identity ECC key, a session ECC pre-key, a series of one-time ECC pre-keys, and a series of one-time PQ-KEM pre-keys. Each of the receiver's session and one-time keys must be signed using the receiver's identity key. The sender should also have published a long-term identity ECC key.
To send a message, the sender retrieves the receiver's identity and session keys, one of the receiver's one-time ECC keys, and one of the receiver's one-time PQ-KEM keys from the server. The server then deletes the one-time keys so they cannot be reused. The sender then performs the following computations:
verify that the signatures on SPKB, OPKB, and PQPKB are valid using IKB
generate an ephemeral ECC key EKA
sign EKA using IKA
generate a ciphertext CT and a shared secret SS using PQPKB
DH1 := DH
DH2 := DH
DH3 := DH
DH4 := DH
SK := KDF
encrypt the message using SK
The sender then sends the message, along with, and information to identify which one-time keys were used, to the receiver. The receiver can then use, along with their private keys, to decrypt the message:
verify that the signature on EKA is valid using IKA
decapsulate the shared secret SS from CT using PQPKB
DH1 := DH
DH2 := DH
DH3 := DH
DH4 := DH
SK := KDF
decrypt the message using SK
The shared key may be used to encrypt further messages.
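The two sides' computations above, run end to end as an added example that is not part of this article or of Signal's code. It assumes Go 1.24 (crypto/mlkem provides ML-KEM-768, the standardised form of Kyber, and crypto/hkdf the KDF), uses Ed25519 in place of Signal's XEdDSA signatures, HKDF-SHA256 with a constructed info label as the KDF, and the DH pairings and concatenation order of Signal's PQXDH specification, which the list above elides.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/hkdf"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
)

// must turns a (value, error) pair into the value, aborting this demo on any failure.
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }
// dh is X25519(priv, pub); Go's ECDH rejects low-order peer points, which then aborts the run.
func dh(priv *ecdh.PrivateKey, pub *ecdh.PublicKey) []byte { return must(priv.ECDH(pub)) }
// kdf derives SK with HKDF-SHA256 over DH1||DH2||DH3||DH4||SS (the info label is a constructed placeholder).
func kdf(parts ...[]byte) []byte {
	return must(hkdf.Key(sha256.New, bytes.Join(parts, nil), nil, "PQXDH-example", 32))
}
// check mirrors the protocol's "verify that the signature on X is valid using IK" steps.
func check(ik ed25519.PublicKey, key, sig []byte) { if !ed25519.Verify(ik, key, sig) { panic("signature check failed") } }

// RunPQXDH runs one exchange in-process and returns the SK derived by the sender and by the receiver.
func RunPQXDH() (skA, skB []byte) {
	x := ecdh.X25519()
	// Receiver's published bundle: signing identity key, IKB, SPKB, OPKB, PQPKB, each pre-key signed by IKB.
	sigPubB, sigPrivB, _ := ed25519.GenerateKey(rand.Reader)
	ikB, spkB, opkB := must(x.GenerateKey(rand.Reader)), must(x.GenerateKey(rand.Reader)), must(x.GenerateKey(rand.Reader))
	pqpkB := must(mlkem.GenerateKey768())
	spkSig := ed25519.Sign(sigPrivB, spkB.PublicKey().Bytes())
	opkSig := ed25519.Sign(sigPrivB, opkB.PublicKey().Bytes())
	pqSig := ed25519.Sign(sigPrivB, pqpkB.EncapsulationKey().Bytes())
	// Sender's long-term keys: signing identity key and IKA.
	sigPubA, sigPrivA, _ := ed25519.GenerateKey(rand.Reader)
	ikA := must(x.GenerateKey(rand.Reader))
	// Sender: verify the bundle, generate and sign EKA, encapsulate to PQPKB, then DH1..DH4 and SK.
	check(sigPubB, spkB.PublicKey().Bytes(), spkSig)
	check(sigPubB, opkB.PublicKey().Bytes(), opkSig)
	check(sigPubB, pqpkB.EncapsulationKey().Bytes(), pqSig)
	ekA := must(x.GenerateKey(rand.Reader))
	ekSig := ed25519.Sign(sigPrivA, ekA.PublicKey().Bytes())
	ss, ct := pqpkB.EncapsulationKey().Encapsulate()
	skA = kdf(dh(ikA, spkB.PublicKey()), dh(ekA, ikB.PublicKey()), dh(ekA, spkB.PublicKey()), dh(ekA, opkB.PublicKey()), ss)
	// Receiver: given IKA, EKA, its signature and CT, verify EKA, decapsulate SS, and mirror the four DHs.
	check(sigPubA, ekA.PublicKey().Bytes(), ekSig)
	ssB := must(pqpkB.Decapsulate(ct))
	skB = kdf(dh(spkB, ikA.PublicKey()), dh(ikB, ekA.PublicKey()), dh(spkB, ekA.PublicKey()), dh(opkB, ekA.PublicKey()), ssB)
	return skA, skB
}
```

Because the one-time keys OPKB and PQPKB are consumed, a second call to RunPQXDH yields an unrelated SK even though both identity keys could be reused in a real deployment.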