I was going through the official documentation of pqxdh and A Formal Analysis of the iMessage PQ3 Messaging Protocol for PQ3.

The distinct difference I noticed is that pqxdh is not secure against active adversaries while PQ3 is. Is there a clear explanation or documentation about why PQ3 provides post-compromise security against active adversaries?

Paŭlo Ebermann
CHENHUA LI

1 Answer

I think that this is more a question of modelling assumptions. If we look at the pqxdh specification section 4.8, we see a description of an active quantum attacker's possible approach:

PQXDH is not designed to provide protection against active quantum attackers. An active attacker with access to a quantum computer capable of computing discrete logarithms in curve can compute DH(PK1, PK2) and Sig(PK, M, Z) for all elliptic curve keys PK1, PK2, and PK. This allows an attacker to impersonate Alice by using the quantum computer to compute the secret key corresponding to PKA then continuing with the protocol. A malicious server with access to such a quantum computer could impersonate Bob by generating new key pairs PQSPK’B and PQOPK’B, computing the secret key corresponding to PKB, then using PKB to sign the newly generated post-quantum KEM keys and delivering these attacker-generated keys in place of Bob’s post-quantum KEM key when Alice requests a prekey bundle.

Conversely, in the PQ3 analysis section 2.2 we can read:

We assume that the adversary does not yet possess a quantum computer. The adversary anticipates developments in quantum computing and thus stores all messages sent. Therefore, they may be able to break cryptographic primitives later, should sufficiently powerful quantum computers become available (also called “harvest now, decrypt later”). The only limitation we place on this adversary is that they cannot decapsulate secrets that were encapsulated with a post-quantum secure KEM like Kyber. But all other mechanisms, like (elliptic-curve) Diffie-Hellman, can be broken at that point.

The adversary described in the pqxdh specification explicitly does have a quantum computer at the time of the communication, and so the two security models are distinct.

Daniel S
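A toy model of the two adversaries contrasted in the answer, added here as an illustration and taken from neither document: a small prime-order Schnorr group stands in for the elliptic curve, brute-force discrete log stands in for the quantum computer, and the KEM is idealised so that its shared secret never appears on the wire. The group parameters, function names and the `kem-pk:`/`ct:` labels are constructed assumptions.

```python
import hashlib
import secrets

# Constructed toy group: P is prime and Q divides P-1, so G has prime order Q.
# "A quantum computer that solves discrete logs" is modelled by brute force over Q.
P, Q = 2267, 103
G = pow(2, (P - 1) // Q, P)

def H(*parts):                       # hash of the concatenated, labelled parts
    data = b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def keygen():                        # DLOG-based key pair (stands in for the EC identity key)
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def sign(x, msg):                    # Schnorr signature: security rests on the discrete log
    k = secrets.randbelow(Q - 1) + 1
    e = H(pow(G, k, P), msg) % Q
    return e, (k + e * x) % Q

def verify(y, msg, sig):
    e, s = sig
    r = pow(G, s, P) * pow(y, Q - e, P) % P      # G^s * y^-e == G^k if the signature is valid
    return H(r, msg) % Q == e

def dlog(y):                         # the quantum capability present in both models
    return next(x for x in range(Q) if pow(G, x, P) == y)

def kem_encaps(kem_pk):
    # Idealised PQ KEM: the shared secret is unrelated to the ciphertext, so a party
    # holding only the transcript (and no decapsulation key) never learns it.
    return secrets.token_hex(16), "ct:" + secrets.token_hex(4)

def pqxdh_active_quantum(bob_pk):
    """pqxdh section 4.8 model: the adversary has the quantum computer during the handshake."""
    bob_sk = dlog(bob_pk)                          # recover Bob's identity secret key
    fake_kem_pk = "kem-pk:" + secrets.token_hex(4)  # attacker-generated PQ prekey
    forged = sign(bob_sk, fake_kem_pk)             # signed with Bob's recovered key
    return verify(bob_pk, fake_kem_pk, forged)     # True: Alice accepts the attacker's bundle

def pq3_harvest_now(bob_pk, bob_kem_pk):
    """PQ3 section 2.2 model: the adversary only records now and solves discrete logs later."""
    a, alice_eph = keygen()
    ss, ct = kem_encaps(bob_kem_pk)
    session_key = H(pow(bob_pk, a, P), ss)         # real key mixes the DH and KEM secrets
    transcript = (alice_eph, bob_pk, bob_kem_pk, ct)  # everything the adversary stored
    dh_later = pow(transcript[1], dlog(transcript[0]), P)  # DH part falls once DLOG is broken
    dh_recovered = dh_later == pow(bob_pk, a, P)
    key_recovered = H(dh_later, transcript[3]) == session_key  # best guess without the KEM secret
    return dh_recovered, key_recovered             # (True, False)
```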