Key Exchange Protocols

Saravanan Vijayakumaran

Department of Electrical Engineering, IIT Bombay

October 23, 2024

The Setting

  • Alice and Bob start with a security parameter 1^n
  • They run a probabilistic protocol \Pi using independent random bits
  • At the end of \Pi, they output keys k_A, k_B \in \{0,1\}^n
  • Correctness requirement: k_A = k_B

Defining Security of Key-Exchange Protocols

  • How can we define security of a key-exchange protocol?

  • Intuitively, a key-exchange protocol is secure if an adversary cannot distinguish between

    • the key output by the protocol and
    • a uniform bitstring of same length

The Key-Exchange Experiment

  • The key-exchange experiment \textsf{KE}_{\mathcal{A},\Pi}^{\textsf{eav}}(n):

    1. Two parties holding 1^n execute protocol \Pi. This results in a

      • transcript \textsf{trans} containing all the messages sent by the parties, and
      • a key k output by each of the parties.
    2. A uniform bit b \in \{0,1\} is chosen.

      • If b = 0, set \hat{k} \coloneqq k
      • If b=1, then choose uniform \hat{k} \in \{0,1\}^n.
    3. \mathcal{A} is given \textsf{trans} and \hat{k}, and outputs a bit b'

    4. The output of the experiment is defined to be 1 if b = b', and 0 otherwise.

Security Definition

  • \mathcal{A} is given \textsf{trans} to capture the fact that \mathcal{A} eavesdrops on the entire execution of the protocol
  • \mathcal{A} is given \hat{k} only to define security
  • Definition: A key-exchange protocol \Pi is secure in the presence of an eavesdropper if for all PPT adversaries \mathcal{A} there is a negligible function \textsf{negl} such that \Pr \left[\textsf{KE}^{\textsf{eav}}_{\mathcal{A},\Pi}(n) = 1 \right] \le \frac{1}{2} + \textsf{negl}(n).

Diffie-Hellman Key-Exchange Protocol

Assumptions Required to Prove Security of the DH Protocol

  • Diffie and Hellman did not prove the security of their protocol
  • Minimal requirement is that the DLP be hard in the group
  • However, it is not sufficient for DLP to be hard
  • We will require the DDH assumption

Security of the DH Protocol

  • We modify the security definition a little

    • We require the shared key to be indistinguishable from a uniform group element
  • Let \widehat{KE}_{\mathcal{A}, \Pi}^{\textsf{eav}} denote the modified experiment

  • Theorem: If the DDH problem is hard relative to \mathcal{G}, then the Diffie-Hellman key-exchange protocol \Pi is secure in the presence of an eavesdropper

Key-Derivation Function

  • The DH protocol gives a key that is indistinguishable from a uniform group element
  • Private-key cryptography requires a key indistinguishable from a uniform bit-string
  • The solution is to hash the DH key using a cryptographic hash function
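
As an added illustration (not part of the lecture slides), the following Python program implements the DH protocol over a toy group, the modified eavesdropper experiment \widehat{KE} from the security definition, and the hash-based key derivation. The group parameters P, Q, G and the two adversaries are constructed for this example; the group is deliberately tiny, so the brute-force DLP adversary that the DDH/DLP assumptions are meant to rule out succeeds here, while a coin-flipping adversary wins with probability about 1/2.

```python
import hashlib
import secrets

# Toy group, constructed for this example only (an assumption, not a secure
# choice): p = 2q + 1 with q prime, g generating the order-q subgroup of Z_p^*.
# Real deployments use standardized groups of 2048 bits or more.
P, Q, G = 23, 11, 4

def dh_protocol(rng=secrets.randbelow):
    """Alice and Bob run DH; returns the eavesdropper's transcript and k_A, k_B."""
    x = 1 + rng(Q - 1)        # Alice's secret exponent, uniform in [1, q-1]
    y = 1 + rng(Q - 1)        # Bob's secret exponent
    h_a, h_b = pow(G, x, P), pow(G, y, P)   # the two messages on the wire
    return (h_a, h_b), pow(h_b, x, P), pow(h_a, y, P)   # both equal g^{xy}

def kdf(group_element):
    """Hash the DH group element into a key indistinguishable from uniform bits."""
    return hashlib.sha256(group_element.to_bytes((P.bit_length() + 7) // 8, "big")).digest()

def ke_eav_experiment(adversary, trials=1000):
    """Estimate Pr[KE^eav_{A,Pi}(n) = 1] in the modified game: the real key
    versus a uniform element of the order-q subgroup."""
    wins = 0
    for _ in range(trials):
        trans, k_a, k_b = dh_protocol()
        assert k_a == k_b                     # correctness requirement
        b = secrets.randbelow(2)
        k_hat = k_a if b == 0 else pow(G, secrets.randbelow(Q), P)
        wins += adversary(trans, k_hat) == b
    return wins / trials

def guessing_adversary(trans, k_hat):
    """Ignores the transcript and guesses: succeeds with probability 1/2."""
    return secrets.randbelow(2)

def dlp_adversary(trans, k_hat):
    """Recovers x by exhaustive search, which only the tiny group permits;
    in a group where the DLP is hard this adversary is not PPT."""
    h_a, h_b = trans
    x = next(i for i in range(Q) if pow(G, i, P) == h_a)
    return 0 if pow(h_b, x, P) == k_hat else 1

if __name__ == "__main__":
    print("guessing adversary:", ke_eav_experiment(guessing_adversary))
    print("brute-force DLP adversary:", ke_eav_experiment(dlp_adversary))
```

The DLP adversary's success is about 1 - 1/(2q) rather than exactly 1, because when b = 1 the uniform element happens to equal g^{xy} with probability 1/q.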

Active Adversaries

  • Passive adversaries only eavesdrop
  • Active adversaries can send messages to both parties
  • The Diffie-Hellman protocol is insecure against man-in-the-middle attacks
  • MitM attacks are avoided using certificates and public-key infrastructure

Further reading

  • Section 11.3 of Katz & Lindell