🤖 AI Summary
This work addresses the dual requirements of mutual authentication and key agreement in post-quantum secure environments, particularly for applications such as instant messaging. The authors propose a mutual authentication key exchange protocol based on ML-KEM, integrating a post-quantum digital signature algorithm (PQC-DSA) with a key encapsulation mechanism (KEM). To unify the PQC public keys and enable efficient bidirectional authentication and key negotiation, they introduce three dual-usage X.509 certificate types: composite, catalyst, and chameleon. Experimental evaluation demonstrates that the proposed scheme achieves practical performance while significantly reducing communication overhead. Furthermore, its post-quantum security and deployment feasibility are validated in a real-world instant messaging scenario.
📝 Abstract
This study aims to enhance the bidirectional authentication capability of ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism) by proposing a post-quantum cryptography-based (PQC-based) bidirectional authentication key exchange protocol. Furthermore, it introduces dual-usage certificates combining a PQC-based DSA (Digital Signature Algorithm) and a PQC-based KEM, covering composite schemes, catalyst schemes, and chameleon schemes. These dual-usage certificates carry both the PQC-based DSA public key and the PQC-based KEM public key, so that a single certificate meets the requirements for bidirectional authentication and encryption and enables the negotiation of a shared secret key. In the experimental phase, the study measures and compares key exchange message lengths and computation times under the different certificate configurations. Finally, instant messaging is presented as an industry application to demonstrate the practical implementation of the proposed protocol.
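The abstract describes the protocol only in outline: each party holds one certificate carrying both a signature public key and a KEM public key, signatures provide authentication in both directions, and KEM encapsulations provide the shared secret. The following Python sketch is an added illustration of that structure and is not the paper's protocol or code. It assumes a generic sign-and-encapsulate handshake (initiator encapsulates to the responder's KEM key and signs; responder verifies, decapsulates, encapsulates back and signs the transcript) and a CA that issues the dual-usage certificate, with `DualUseCert`, `Party`, `initiate`, `respond` and `finish` as hypothetical names. ML-KEM and the PQC DSA are replaced by toy stand-ins (a Diffie-Hellman KEM and Schnorr signatures over a freshly generated 64-bit safe-prime group) so the code runs offline; the stand-ins are insecure at this size and exist only to show the message flow and checks.

```python
"""Added sketch of a KEM + signature mutual AKE over a dual-usage certificate.
Not the paper's protocol; the KEM and DSA below are toy stand-ins for ML-KEM
and a PQC DSA, assumed only so the handshake runs stand-alone."""
import hashlib
import secrets
from dataclasses import dataclass

_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def _is_prime(n: int) -> bool:
    """Deterministic Miller-Rabin for n < 3.3e24 (our p is ~65 bits)."""
    if n < 2:
        return False
    for b in _MR_BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _safe_prime_group(bits: int = 64):
    """p = 2q + 1 with q prime; g = 4 generates the order-q subgroup."""
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_prime(q) and _is_prime(2 * q + 1):
            return 2 * q + 1, q, 4

P, Q, G = _safe_prime_group()          # toy group (constructed at import)

def _b(x: int) -> bytes:               # fixed-width encoding of group elements
    return x.to_bytes(16, "big")

def _h(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big")

# ---- toy KEM (stand-in for ML-KEM): DH encapsulation, hashed to a 32-byte key
def kem_keygen():
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)

def kem_encaps(pk: int):
    r = secrets.randbelow(Q - 1) + 1
    ct = pow(G, r, P)
    return ct, hashlib.sha256(b"kem" + _b(pow(pk, r, P)) + _b(ct)).digest()

def kem_decaps(sk: int, ct: int) -> bytes:
    return hashlib.sha256(b"kem" + _b(pow(ct, sk, P)) + _b(ct)).digest()

# ---- toy DSA (stand-in for a PQC signature): Schnorr over the same group
def dsa_keygen():
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)

def dsa_sign(sk: int, msg: bytes):
    k = secrets.randbelow(Q - 1) + 1
    R = pow(G, k, P)
    e = _h(_b(R), msg) % Q
    return R, (k + e * sk) % Q

def dsa_verify(pk: int, msg: bytes, sig) -> bool:
    R, s = sig
    e = _h(_b(R), msg) % Q
    return pow(G, s, P) == (R * pow(pk, e, P)) % P

# ---- dual-usage certificate: one CA-signed object carrying both public keys
@dataclass(frozen=True)
class DualUseCert:
    subject: bytes
    dsa_pk: int      # authentication key
    kem_pk: int      # key-encapsulation key
    ca_sig: tuple

    def tbs(self) -> bytes:
        return self.subject + _b(self.dsa_pk) + _b(self.kem_pk)

def issue_cert(ca_sk: int, subject: bytes, dsa_pk: int, kem_pk: int) -> DualUseCert:
    return DualUseCert(subject, dsa_pk, kem_pk,
                       dsa_sign(ca_sk, subject + _b(dsa_pk) + _b(kem_pk)))

def verify_cert(ca_pk: int, cert: DualUseCert) -> bool:
    return dsa_verify(ca_pk, cert.tbs(), cert.ca_sig)

class Party:
    def __init__(self, name: bytes, ca_sk: int):
        self.name = name
        self.dsa_sk, dsa_pk = dsa_keygen()
        self.kem_sk, kem_pk = kem_keygen()
        self.cert = issue_cert(ca_sk, name, dsa_pk, kem_pk)

def _derive(k_a: bytes, k_b: bytes, transcript: bytes) -> bytes:
    return hashlib.sha256(b"ake" + k_a + k_b + transcript).digest()

def initiate(a: Party, peer_cert: DualUseCert, ca_pk: int):
    """msg1 = (cert_A, ct_A encapsulated to B's KEM key, sig_A over it)."""
    if not verify_cert(ca_pk, peer_cert):
        raise ValueError("peer certificate rejected")
    ct_a, k_a = kem_encaps(peer_cert.kem_pk)
    sig_a = dsa_sign(a.dsa_sk, b"msg1" + a.name + peer_cert.subject + _b(ct_a))
    return (a.cert, ct_a, sig_a), (peer_cert, ct_a, k_a)

def respond(b: Party, msg1, ca_pk: int):
    """Check A's cert and signature, decapsulate, encapsulate back, sign transcript."""
    cert_a, ct_a, sig_a = msg1
    if not verify_cert(ca_pk, cert_a):
        raise ValueError("initiator certificate rejected")
    if not dsa_verify(cert_a.dsa_pk, b"msg1" + cert_a.subject + b.name + _b(ct_a), sig_a):
        raise ValueError("initiator signature rejected")
    k_a = kem_decaps(b.kem_sk, ct_a)
    ct_b, k_b = kem_encaps(cert_a.kem_pk)
    transcript = b"msg2" + cert_a.subject + b.name + _b(ct_a) + _b(ct_b)
    return (b.cert, ct_b, dsa_sign(b.dsa_sk, transcript)), _derive(k_a, k_b, transcript)

def finish(a: Party, msg2, state) -> bytes:
    """Verify B's signature over both ciphertexts, decapsulate, derive the key."""
    peer_cert, ct_a, k_a = state
    cert_b, ct_b, sig_b = msg2
    if cert_b != peer_cert:
        raise ValueError("responder certificate mismatch")
    transcript = b"msg2" + a.name + cert_b.subject + _b(ct_a) + _b(ct_b)
    if not dsa_verify(cert_b.dsa_pk, transcript, sig_b):
        raise ValueError("responder signature rejected")
    return _derive(k_a, kem_decaps(a.kem_sk, ct_b), transcript)

def run_handshake():
    """Full exchange between two certified parties; returns both derived keys."""
    ca_sk, ca_pk = dsa_keygen()
    alice, bob = Party(b"alice", ca_sk), Party(b"bob", ca_sk)
    msg1, state = initiate(alice, bob.cert, ca_pk)
    msg2, key_bob = respond(bob, msg1, ca_pk)
    return finish(alice, msg2, state), key_bob

def tampered_message_rejected() -> bool:
    """A modified ciphertext in msg1 must fail A's signature check at B."""
    ca_sk, ca_pk = dsa_keygen()
    alice, bob = Party(b"alice", ca_sk), Party(b"bob", ca_sk)
    (cert_a, ct_a, sig_a), _ = initiate(alice, bob.cert, ca_pk)
    try:
        respond(bob, (cert_a, (ct_a * G) % P, sig_a), ca_pk)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    k1, k2 = run_handshake()
    print("keys match:", k1 == k2, "| tampering rejected:", tampered_message_rejected())
```

The point the example isolates is the one the abstract makes about dual-usage certificates: a single CA-signed object binds the subject to both keys, so each side verifies one certificate, uses its DSA key to check the peer's signature (authentication) and its KEM key to encapsulate (key agreement). Both signatures cover the ciphertexts and the peer identities, so replacing a ciphertext or substituting a certificate issued by another CA causes the handshake to abort before any key is derived.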