A Verification-Table-Free Post-Quantum Authenticated Key Agreement Scheme via ML-DSA-Based Subliminal Message Recovery
Ming-Hsien Lu, Tzung-Her Chen

In user–server authentication environments, persistent server-side verification tables, such as password verifiers, shared authentication records, or per-user secret tables, may become a critical point of failure once leaked. To address this problem in the post-quantum setting, this paper proposes an ML-DSA-specific verification-table-free authenticated key agreement (AKA) scheme based on the NIST-standardized Module-Lattice-Based Digital Signature Algorithm (ML-DSA). The main contribution is a protocol-level use of the signer-recoverable masking vector in ML-DSA as an on-demand reconstruction mechanism for user-related authentication material. This enables the server to reconstruct the required user-related authentication material from its own signature and long-term secret key. This architecture reduces the exposure associated with centralized verification-table leakage, but it should be understood as a storage-relocation tradeoff rather than a storage-free design, because each user must retain the issued signature and the corresponding hash-derived authentication value. By combining the recovered value with identity information through a quantum-resistant one-way hash function, the server can authenticate the user and establish a session key. Its security is analyzed within a Canetti–Krawczyk-style adversarial model and further discussed in the random-oracle setting through a sequence-of-games argument. The analysis supports session-key indistinguishability under the stated freshness and exposure assumptions, while explicitly excluding full forward secrecy under compromise of the server’s long-term ML-DSA secret key. In addition, an operation-level comparison is provided to clarify computational, storage, and communication tradeoffs relative to representative post-quantum AKA schemes.
Since the present work does not include implementation-level benchmarking, the performance discussion should be interpreted as analytical rather than empirical validation. The proposed scheme is therefore most suitable for account-login-oriented applications in which reducing centralized verification-table leakage is a primary design objective and where user-side credential storage can be securely managed.
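The signer-recoverable masking vector rests on the ML-DSA signing relation z = y + c·s1: whoever holds the secret s1 can recompute y from a signature, while a verifier holding only the public key cannot. The following is an added illustration, not code from the paper or from any ML-DSA implementation: a toy Fiat-Shamir-with-aborts scheme over integer vectors mod q that keeps only that relation, plus a SHA3-256 binding of the recovered y to an identity as the abstract describes. All names, dimensions and the scalar challenge are assumptions, and the paper's AKA message flow is not reproduced.

```python
import hashlib
import secrets

# Toy Fiat-Shamir-with-aborts signature over integer vectors mod Q. NOT ML-DSA: no
# polynomial ring, no NTT, no w1/hint decomposition, and a small scalar challenge,
# so it is not secure. It keeps the one relation the recovery needs: z = y + c*s1.
Q = 8380417        # ML-DSA modulus, reused here only as a prime modulus
K, L = 4, 4        # toy matrix dimensions (assumed)
ETA = 2            # secret coefficients lie in [-ETA, ETA]
GAMMA1 = 2 ** 17   # masking coefficients lie in [-GAMMA1 + 1, GAMMA1]
TAU = 2 ** 15      # scalar challenge c lies in [-TAU, TAU] (assumed)
BETA = TAU * ETA   # |c * s1_j| <= BETA, used by the rejection step

def keygen():
    A = [[secrets.randbelow(Q) for _ in range(L)] for _ in range(K)]
    s1 = [secrets.randbelow(2 * ETA + 1) - ETA for _ in range(L)]
    t = [sum(A[i][j] * s1[j] for j in range(L)) % Q for i in range(K)]
    return (A, t), (A, s1)         # public key, secret key

def challenge(w, msg):
    """Fiat-Shamir challenge from the commitment w = A*y and the message."""
    h = hashlib.sha3_256(b"".join(x.to_bytes(3, "little") for x in w) + msg).digest()
    return int.from_bytes(h[:4], "little") % (2 * TAU + 1) - TAU

def sign(sk, msg):
    A, s1 = sk
    while True:                    # rejection sampling keeps z independent of s1
        y = [secrets.randbelow(2 * GAMMA1) - GAMMA1 + 1 for _ in range(L)]
        w = [sum(A[i][j] * y[j] for j in range(L)) % Q for i in range(K)]
        c = challenge(w, msg)
        z = [y[j] + c * s1[j] for j in range(L)]
        if max(abs(v) for v in z) < GAMMA1 - BETA:
            return c, z

def verify(pk, msg, sig):
    A, t = pk
    c, z = sig
    if max(abs(v) for v in z) >= GAMMA1 - BETA:
        return False
    w = [(sum(A[i][j] * z[j] for j in range(L)) - c * t[i]) % Q for i in range(K)]
    return challenge(w, msg) == c  # A*z - c*t == A*y, so the commitment matches

def recover_mask(sk, sig):
    """Signer-only reconstruction y = z - c*s1; needs s1, which verifiers lack."""
    _, s1 = sk
    c, z = sig
    return [z[j] - c * s1[j] for j in range(L)]

def auth_value(y, identity):
    """Bind the recovered mask to an identity with a one-way hash (toy encoding)."""
    enc = b"".join(v.to_bytes(4, "little", signed=True) for v in y)
    return hashlib.sha3_256(enc + identity).hexdigest()
```

Because the server recomputes y on demand from its own signature and s1, the hash-bound value need not sit in a server-side table; the user-held signature and hash value are what replace it, which is the storage-relocation tradeoff the abstract notes.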