Symmetric Key Distribution Protocol (SKDP)
Symmetric-only authenticated channel establishment with hierarchical derivation and explicit key confirmation
SKDP is a fully symmetric key establishment and secure messaging framework designed for environments that cannot justify the cost, complexity, or long-term exposure of certificate infrastructure and public-key exchange. It derives all trust from a hierarchical symmetric key model, Keccak-based derivation and authentication, and a deterministic three-stage handshake that produces independent transmit and receive channels.
Within the QRCS stack, SKDP occupies the role of a symmetric counterpart to certificate- and KEM-based secure channel systems. Its replacement case is strongest where operators need large-scale provisioning, deterministic behavior, explicit governance of trust anchors, and post-quantum readiness derived from symmetric primitives alone rather than from migration to a new public-key regime.
A single root derivation hierarchy produces server and device keys deterministically, allowing controlled provisioning without certificate issuance or online trust services.
The six-message handshake binds transcript hashes, ephemeral tokens, and packet headers before the channel is raised into duplex authenticated encryption.
Each packet carries a flag, payload length, sequence number, and UTC timestamp. The serialized header is bound into KMAC or AEAD associated data.
Each direction uses separately derived symmetric state, preventing send/receive key reuse and making the established session a genuinely duplex construction rather than a shared-stream tunnel.
Executive Summary
The strategic and acquisition-oriented overview of SKDP, positioning it as a symmetric alternative to PKI-dependent secure channel and key distribution systems.
Open Executive SummaryFormal Analysis
Game-based treatment of authenticated key establishment, key indistinguishability, replay resistance, authenticity, and explicit key confirmation under an active network adversary.
Open Formal AnalysisTechnical Specification
Engineering description of the SKDP packet format, long-term key hierarchy, connect, exchange,establish sequences, state structures, and implementation-facing operating rules.
Open Technical SpecificationSKDP is a replacement-class symmetric alternative to both legacy PSK systems and certificate-driven channel establishment
The protocol is built from the proposition that strong symmetric cryptography, disciplined derivation, and strict state validation can replace both static pre-shared-key tunnels and public-key channel setup in a large class of real systems.
Why the model is materially different
SKDP does not merely remove certificates from a conventional secure channel. It replaces the trust and derivation model entirely. Long-term secrets are structured hierarchically, session entropy is contributed through ephemeral token exchange, and the final channel is raised only after explicit verification that both endpoints possess the same derived state.
| Dimension | Traditional PSK / PKI systems | SKDP |
|---|---|---|
| Trust basis | Static shared key or certificate chain | Hierarchical symmetric derivation |
| Runtime key exchange | Static PSK reuse or public-key operations | Authenticated token exchange |
| Certificate lifecycle | Often required | Eliminated |
| Directional keys | Sometimes shared schedule | Independently derived RX / TX state |
| PQ exposure | Depends on asymmetric profile | Symmetric-only security basis |
High-level technical rationale
SKDP replaces long-lived session secrets with fresh device and server token material generated during every connection. Those tokens are never transported in the clear. Instead, they are protected through cSHAKE-derived pad material and KMAC authentication during the exchange phase, then expanded into two independent cipher states for protected traffic.
- The handshake is small enough for embedded or latency-sensitive environments, but still includes transcript binding and explicit key confirmation.
- The long-term hierarchy supports compartmentalization: compromise of one device key need not expose the full deployment.
- The protocol gains post-quantum durability by avoiding public-key cryptography entirely rather than by replacing one public-key family with another.
- Deterministic derivation enables auditability and reproducibility of key material across controlled provisioning environments.
- Directional key separation enforces strict independence between transmit and receive paths, reducing cross-channel leakage risk.
- Replay protection integrates sequence monotonicity and bounded time validation to eliminate ambiguity in message acceptance.
The protocol couples a three-tier key hierarchy to a three-stage authenticated session establishment sequence
The engineering model is compact but disciplined. Long-term root material determines which endpoints may derive session state, while the live handshake adds freshness, transcript dependence, and explicit verification before any application traffic is accepted.
Master key
The master derivation key anchors the deployment and is used to derive server-specific keys through cSHAKE with identity and configuration separation.
| Role | Offline or highly protected root secret |
|---|---|
| Function | Derives server branches without per-device storage |
Server key
The server derivation key identifies a logical service group and allows reconstruction of device-specific long-term secrets when a client initiates a session.
| Role | Per-service derivation anchor |
|---|---|
| Scope | Compartmentalizes devices by server branch |
Device key
The device derivation key is provisioned to the client and combined with transcript material to protect and recover the ephemeral token sent during the exchange phase.
| Role | Client-held long-term secret |
|---|---|
| Scope | Unique to the endpoint identity string |
Session tokens
Fresh device and server token keys are generated per handshake and expanded into directional channel key and nonce material for the established duplex session.
| Role | Ephemeral entropy for session isolation |
|---|---|
| Result | Independent transmit and receive cipher state |
Transcript hashes, pad-and-MAC exchange protection, and AEAD establishment produce the final duplex channel
The formal and engineering descriptions align on a key point: SKDP is not a generic “PSK mode.” It is a specific staged construction in which each message contributes authenticated state to the next stage.
Handshake flow
C → S : CR = KIDC ∥ CFGC ∥ STOKC
S → C : CS = KIDS ∥ CFGS ∥ STOKS
C → S : XR = PadMAC(<Header>, DTK)
S → C : XS = PadMAC(<Header>, STK)
C → S : ER = AEAD.Enc(KC, <Header>, STH)
S → C : ES = AEAD.Enc(KS, <Header>, H(STH))
The connect phase establishes the transcript hashes dsh and ssh. The exchange phase authenticates and transports the two ephemeral token keys. The establish phase confirms that both peers derived the same final directional state before the session flag is raised.
Each phase is bound to the evolving transcript through domain-separated derivation and authenticated headers, ensuring that no step can be replayed, reordered, or substituted without detection. This structured progression forces both parties to converge on identical cryptographic state while continuously validating identity, freshness, and context.
By the conclusion of the establish phase, the protocol has transitioned from shared long-term derivation material to fully independent session keys with explicit directional separation. At this point, all subsequent traffic is carried under authenticated encryption, and the handshake state is no longer required, minimizing exposure and simplifying secure teardown.
Key schedule and protective layers
| Hashing | SHA3 computes transcript-dependent hashes over connect request and response bodies. |
|---|---|
| Derivation | cSHAKE expands long-term derivation keys and token material with domain-separated context. |
| Exchange auth | KMAC authenticates ciphertext plus serialized packet header during token exchange. |
| Data channel | RCS or AES-GCM protects establish and message traffic with the header bound as associated data. |
| Key confirmation | The client accepts only if the decrypted establish response equals the locally recomputed hash of the stored verification token. |
SKDP is deliberately strict about packet state, freshness, and transition order
The implementation model described in both the specification and the formal analysis is narrow by design. A session progresses through explicit states and aborts on authentication, sequencing, timing, or message-type failures rather than attempting permissive recovery.
Packet semantics
Each packet begins with a compact 21-byte header containing a one-byte flag, four-byte payload length, eight-byte sequence number, and eight-byte UTC timestamp. That header is always serialized in a deterministic format and carried into the authentication layer.
The practical consequence is that replay, tampering, and reordering are not separate concerns deferred to higher layers. They are part of the packet acceptance rule itself. A packet with the wrong flag, wrong sequence value, expired timestamp, or invalid authentication result is rejected before any valid state transition can occur.
| Header | Flag, length, sequence, UTC time |
|---|---|
| Freshness | Timestamp window plus exact sequence matching |
| Acceptance rule | State, header, and cryptographic validation must all align |
Why the duplex model matters
SKDP derives separate channel state for each direction. The client uses the device token path to initialize one channel and the server token path to initialize the opposite direction. This avoids the common simplification in older symmetric systems where both directions inherit too much from a single schedule.
The resulting session therefore has a cleaner security boundary. Even though it is entirely symmetric, it still exhibits directional separation, explicit state progression, and a confirmation phase that proves both peers derived matching channel material before any protected application stream is treated as valid.
This boundary is reinforced by strict separation between handshake state and data plane operation. Once the session is established, no handshake artifacts are reused, and all subsequent processing is driven exclusively by the derived session keys and validated header semantics. This limits the attack surface to the active channel and prevents cross-phase leakage or ambiguity in protocol state.
In operational terms, the model simplifies reasoning about compromise and recovery. Session keys can be rotated or invalidated without impacting the underlying derivation hierarchy, and the absence of asymmetric dependencies removes certificate validation edge cases. The result is a channel model that is both easier to audit and more predictable under failure, while still meeting modern expectations for authenticated key establishment.
The formal treatment positions SKDP as symmetric authenticated key establishment under an active network adversary
The formal analysis does not describe SKDP as an ad hoc secure tunnel. It models a powerful adversary that can read, modify, delay, replay, reorder, and fabricate packets, while honest parties enforce strict state and time constraints.
Proved or targeted properties
- Authenticated key exchange, with unique partner sessions for honest completed executions.
- Key indistinguishability for the derived channel keys under standard assumptions on the underlying primitives.
- Replay resistance through the combined use of authenticated headers, exact sequence checks, and bounded time windows.
- Explicit key confirmation through establish-token hashing and response verification.
- Ciphertext integrity and protected header semantics once the duplex channel is active.
Security posture in context
SKDP’s long-term exposure is fundamentally different from that of certificate- or KEM-based channels. Because it avoids public-key cryptography, its future security depends on the strength of symmetric primitives, the integrity of the derivation hierarchy, and proper lifecycle handling of device and server keys.
That is precisely why the protocol is attractive in long-lifecycle and sovereign deployments. Instead of waiting for the long-term stability of one post-quantum public-key family, the operator can anchor the channel in Keccak-based derivation, KMAC authentication, and authenticated symmetric encryption alone.
Where SKDP is strongest
SKDP is particularly well aligned with payment and transaction networks, embedded fleets, industrial control systems, constrained device ecosystems, secure service meshes, and government-operated infrastructures where deterministic provisioning and independence from PKI are operational advantages rather than limitations.
In these environments, devices are typically enrolled under a single administrative authority and operate over long lifecycles with tightly controlled update channels. SKDP aligns with this model by enabling pre-derived trust relationships that can be activated on demand without requiring online certificate validation, reducing both latency and operational dependencies.
The protocol also supports high-scale deployments where key management must be predictable and auditable. Hierarchical derivation allows operators to segment infrastructure by domain, region, or function, while still maintaining a unified root of trust. This enables targeted revocation and controlled rollout strategies without requiring global rekeying events.
From an architectural standpoint, SKDP integrates cleanly into systems that prioritize deterministic behavior and bounded resource usage. Its symmetric-only design avoids the computational variability of asymmetric operations, making performance characteristics stable across heterogeneous environments ranging from low-power devices to high-throughput service endpoints.
Deployment fit
Its strongest replacement case is in systems where device identities are provisioned under a common authority, runtime negotiation is unnecessary, and operators prefer scalable symmetric trust structures to certificate issuance and revocation workflows.
| Role in stack | Symmetric authenticated channel and key distribution substrate |
|---|---|
| Primary buyers | Financial networks, industrial and IoT platforms, government, defense, embedded vendors |
| Replacement case | Legacy PSK tunnels, DUKPT-adjacent secure messaging patterns, and PKI-dependent channels where asymmetric complexity is undesirable |