3. Security Properties

PALISADE provides security properties that remain intact in the presence of large-scale, fault-tolerant quantum adversaries, assuming the standard hardness assumptions of the post-quantum cryptographic primitives on which it relies.

Specifically, PALISADE provides:

Post-Quantum Confidentiality

Confidentiality and forward secrecy against passive and active adversaries, including those equipped with quantum computers, achieved through ephemeral post-quantum key encapsulation and symmetric authenticated encryption.

Post-Quantum Authentication

Mutual endpoint authentication based on post-quantum digital signatures providing strong unforgeability under chosen-message attack (SUF-CMA) against quantum adversaries.

Replay Protection

Resistance to packet and handshake replay through explicit epoch separation, sequence numbers, and nonce construction rules.

Transcript Binding and Downgrade Resistance

Cryptographic binding of negotiated parameters and handshake messages into key derivation and authentication, preventing downgrade and misbinding attacks.


3.1 Security Assumptions

These properties hold under the following standard assumptions:

  1. ML-KEM-768 provides IND-CCA2 security in the QROM (Quantum Random Oracle Model)
  2. Dilithium-3 provides SUF-CMA security in the QROM
  3. HKDF-SHA3-256 provides pseudorandomness suitable for key derivation under quantum adversaries
  4. ChaCha20-Poly1305 provides authenticated encryption with associated data (AEAD) security, provided that no nonce is ever reused under the same key.

Note: If any of these primitives are broken, the corresponding security properties of PALISADE may no longer hold. Mechanisms for cryptographic agility and algorithm replacement are discussed in Section 16.


3.2 Transcript Binding and Authentication

PALISADE cryptographically binds all authentication and key derivation to a deterministic handshake transcript. This ensures that session keys and authentication decisions are uniquely bound to the exact protocol messages exchanged during the handshake.

For full handshakes, the transcript consists of the canonical encodings of the ClientHello and ServerHello messages, concatenated in order. A transcript hash is computed as:

transcript_hash = SHA3-256( encode(ClientHello) || encode(ServerHello) )

Digital signatures generated during the handshake sign the transcript hash rather than the raw messages. The transcript hash is also incorporated into the key schedule during handshake secret derivation. Any modification to handshake parameters—including algorithm selection, nonces, public keys, certificates, or extensions—results in a different transcript hash, and therefore different derived keys and a signature that no longer verifies against the modified transcript.
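The following is an added worked example of the transcript binding described above; it is illustrative code written for this edit, not part of the PALISADE specification or any reference implementation. The canonical message encoding it uses (fixed field order, 2-byte big-endian length prefixes) and the algorithm identifier values are assumptions made for the example only; the real rules are in Appendix D. It computes transcript_hash exactly as the formula above states, feeds it into an HKDF-SHA3-256 handshake secret derivation (the key-schedule label is also assumed), and shows that an attacker who rewrites the server's algorithm selection in flight obtains a different transcript hash and hence different keys.

```python
"""Added illustration of PALISADE-style transcript binding.

ASSUMPTIONS (not from the specification): the canonical encoding below
(fixed field order, u16 big-endian length prefixes), the placeholder
algorithm identifiers, and the HKDF info label. Appendix D defines the
real serialization rules.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Placeholder algorithm identifiers for this example only.
KEM_A, KEM_B, SIG_A = 0x0001, 0x0002, 0x0010


def _lv(b: bytes) -> bytes:
    """Length-prefix a variable-length field: u16 big-endian length || bytes."""
    if len(b) > 0xFFFF:
        raise ValueError("field too long for u16 length prefix")
    return len(b).to_bytes(2, "big") + b


@dataclass(frozen=True)
class ClientHello:
    version: int
    random: bytes           # 32-byte client nonce
    kem_algs: tuple         # offered KEMs, in preference order
    sig_algs: tuple         # offered signature algorithms
    kem_public_key: bytes   # ephemeral KEM encapsulation key

    def encode(self) -> bytes:
        return (b"CH"
                + self.version.to_bytes(2, "big")
                + _lv(self.random)
                + _lv(b"".join(a.to_bytes(2, "big") for a in self.kem_algs))
                + _lv(b"".join(a.to_bytes(2, "big") for a in self.sig_algs))
                + _lv(self.kem_public_key))


@dataclass(frozen=True)
class ServerHello:
    version: int
    random: bytes           # 32-byte server nonce
    kem_alg: int            # selected KEM
    sig_alg: int            # selected signature algorithm
    kem_ciphertext: bytes   # KEM ciphertext

    def encode(self) -> bytes:
        return (b"SH"
                + self.version.to_bytes(2, "big")
                + _lv(self.random)
                + self.kem_alg.to_bytes(2, "big")
                + self.sig_alg.to_bytes(2, "big")
                + _lv(self.kem_ciphertext))


def transcript_hash(ch: ClientHello, sh: ServerHello) -> bytes:
    """transcript_hash = SHA3-256( encode(ClientHello) || encode(ServerHello) )"""
    return hashlib.sha3_256(ch.encode() + sh.encode()).digest()


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) instantiated with HMAC-SHA3-256."""
    return hmac.new(salt, ikm, hashlib.sha3_256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) instantiated with HMAC-SHA3-256."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha3_256).digest()
        out += block
        counter += 1
    return out[:length]


def handshake_secret(shared_secret: bytes, th: bytes) -> bytes:
    """Derive a handshake secret bound to the transcript hash (label assumed)."""
    prk = hkdf_extract(salt=th, ikm=shared_secret)
    return hkdf_expand(prk, b"palisade handshake secret" + th, 32)


def sample_handshake():
    """Constructed sample messages; the byte values carry no real key material."""
    ch = ClientHello(1, bytes(32), (KEM_A, KEM_B), (SIG_A,), b"\x01" * 16)
    sh = ServerHello(1, bytes(range(32)), KEM_A, SIG_A, b"\x02" * 16)
    return ch, sh


def downgrade_changes_keys() -> bool:
    """An on-path attacker rewrites the server's KEM choice to the client's
    second-preference option. The transcript hash, and so the handshake
    secret, differ, so the tampered handshake cannot share keys with the
    honest one even though the KEM shared secret is identical."""
    ch, sh = sample_handshake()
    tampered = ServerHello(sh.version, sh.random, KEM_B, sh.sig_alg, sh.kem_ciphertext)
    ss = b"\x03" * 32  # constructed stand-in for the KEM shared secret
    honest_key = handshake_secret(ss, transcript_hash(ch, sh))
    tampered_key = handshake_secret(ss, transcript_hash(ch, tampered))
    return honest_key != tampered_key


if __name__ == "__main__":
    ch, sh = sample_handshake()
    print("transcript_hash:", transcript_hash(ch, sh).hex())
    print("downgrade changes keys:", downgrade_changes_keys())
```

Because the encoding is deterministic, two independent implementations that agree on Appendix D produce the same transcript_hash for the same messages; the example's frozen dataclasses and fixed field order stand in for that property. The signature step is not shown, but it signs exactly the 32-byte value returned by transcript_hash, so the same tampering that changes the keys also causes signature verification to fail.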

This design provides the following security properties:

  • Handshake Integrity: Prevents modification or substitution of handshake messages without detection.
  • Downgrade Resistance: Cryptographically binds negotiated algorithms and parameters into the derived keys.
  • Key-Handshake Binding: Ensures that session keys cannot be reused across different handshakes or contexts.
  • Interoperability Safety: Deterministic transcript computation guarantees that independent implementations compute identical hashes for identical handshakes.

The exact canonical encoding rules used for transcript computation are defined in Appendix D (Deterministic Serialization). The use of SHA3-256 is mandatory for all transcript hash computations.

PALISADE Protocol Specification Draft 00

INFORMATIONAL