# Questions tagged as ['key-exchange']

Key exchange protocols allow two parties to produce a secret session key over a public channel.
Score: 2
*-LWE equivalent of Diffie-Hellman $g^{x^2}$ vulnerability

In Is Diffie-Hellman less secure when A and B select the same random number? , the possibility of Diffie-Hellman key exchange producing identical peer keys and the vulnerability of it against passive attackes was brought up, again - as a duplicate.

But is there a equivalent in *-LWE family of lattice-based key exchanges? My question being, without considering CCA-hardening such as Fujisaki-Okamoto t ...

Score: 0
Encrypted data sharing in decentralised system

Alice encrypts file using her public key and upload it to decentralised file store (some service). Bob buys access to the file. Is it possible to share decrypted file with Bob without having Alice's key? Decentralised file store doesn't store any private keys, but it knows that Bob has access to the file (e. g. from smart contract).

Score: 1
Is Diffie-Hellman less secure when A and B select the same random number?

I understand that it is feasibly impossible for A and B to select the same random number, given the large input space, but what if it does happen? Does it effect the security of the key exchange? Can an attacker determine that the same keys were chosen?

Score: 3
How to interpret my professor's statement about "seed" and "symmetric-key encryption"?

In the cryptography course, the professor said that:

these days for symmetric key encryption, instead of sending out the key, Alice sends the seed to Bob, and then based on that Bob can get the key.

I didn't actually understand the role of the seed, besides, if Bob can generate the key based on the seed so Eve can do the same, right?

Score: 0
Simple Key Exchange, One Server

I am trying to better understand how TLS works. I understand in the normal use case you need various random values generated and used in the key exchange, to prevent some MITM reusing a previous transmission to spoof the server or the client.

However, let us assume some degenerate case where there is a single server whose single public key is already known by its clients as well as various adver ...

Score: 0
Are all public key a result of computing g^k mod p

I just read through the text book definition of Diffie–Hellman key exchange. And from what i understand, the public key that is shared based on the protocol is calculated from:

g^k mod p

where g is a generator in the multiplicative group, and p is a large prime and k is the private key.

My question is, are all public/private key generated to have this relationship? Or this way of generating the pu ...

Score: 1
X3DH and key exchange between Alice identity key and Bob pre signed key (DH1)

I'm getting familiar with Signal key exchange phase and as far as I understand all 3 exchanges between Alice ephemeral key and all of Bob keys from the bundle, I have some thoughts about key exchange between Alice identity key and Bob pre signed key.

I'm aware this is to authenticate Alice and confirm she has identity private key but could this exchange be replaced with one of:

1. Alice identity key &l ...
Score: 2
SSL/TLS Forward secrecy with 2 KEM public keys

As we know, NIST PQC project is at its 3rd round, with draft standard expected to arrive in the next (few) year(s).

An unfortunate fact is that, we're not seeing many signature schemes general-purpose enough (in the sense that, the size of some of their cryptograms may be large). However, the lattice-based PKC/KEM algorithms have favorable cryptogram sizes.

In SSL/TLS, the forward secrecy feature is ...

Score: 0
Fast key exchange algorithm in hardware with small key size

Which asymmetric algorithm will be best only for key exchange to set up communication using symmetric cryptographic algorithm. Comparison should be in term of speed, key length and their hardware implementation on FPGA?

Score: 1
Combining Post-Quantum and Classical KEM

I came across this paper "Hybrid Key Encapsulation Mechanisms", were three methods are defined that allow a secure combination of a classical key encapsulation with a post-quantum key encapsulation.

In terms of security and performance all three of them seem to be equally good.

For the second method, called "DualPRF Combiner", it is written:

OurdualPRFcombiner is inspired by the key derivation in ...

Score: 4
Secret sharing such that all shareholders obtain access to the secret (one shareholder can't just run off with the shares)

Say, using something like Shamir's polynomial scheme, you split a secret $$x$$ among $$n$$ people (each given a "share" of the secret) such that you need all $$n$$ shares to recover the secret. How can one ensure that all $$n$$ participants will have access to the secret. E.g. with two people, Bob and Alice, Alice could tell Bob her share, and Bob could just take that and open the secret without disclosing  ...

Score: 6
A source of randomness that anyone can independently, conveniently and robustly access?

Does there exist a source of randomness that anyone in the world can independently, conveniently and robustly access? For example, the 10th decimal place of the temperature in Mexico City is sufficiently random. But it's inconvenient for Bob to access independently, and it can't be measured robustly anyways.

The source of randomness must also be secure, in that no one party controls it (or access ...

Score: 1
Verifying result of (EC-)Diffie-Hellman

I received a public key by JSON.

For the example, I have 4 keys: 2 public keys and 2 private keys.

public A : co2D0pNxZJIeQ4RZlCRJYBDzNXSLluETdztid0M+HGzN1uGJ4JWZsenjWgRrmkLh3yqHQqzOBMl/wHVH97A6+g==

private A : TXxii5Ka8LMvuc9arHu63qTmNKxGlgti+wpR3YhBGew=

public B : nUblC+OKdl94iBiWk0941wmYBiMt7C90CjOJPI2BPr8K7xGuC1XsR5DtwFCoM3Iew2BjBG+5SqrYwAPTJF7gdA==

private B : sm6V7+hChvkFSeLNoR+5tItiX8gH5tT47 ...
Score: 3
XDH vs DH and ECDSA vs EDDSA

I am new to security area. I came across mutiple words I can't understand and there is little infomration I can get from google.

1. What is XDH/XEC, is the X means 'enhanced'? Are they just have a different way of generating key pair?
2. According to RFC8422 ECDHE_ECDSA supports the EdDSA as well, does this means EdDSA is just a different set of curves?
Score: 3
Why is an ephemeral key required to prove possession of a static private key in Key-Establishment Schemes

In the NIST 800-56A rev3 "Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography" in section 5.6.2.2.3.2 "Recipient Obtains Assurance [of the Static Private Key] Directly from the Claimed Owner (i.e., the Other Party)" it requires 2 conditions to be met during a key-agreement transaction for the "Public Key Recipient" to prove that the other party possesses the co ...

Score: 1
How to calculate a common encryption key between sender and receiver

In the picture below, for the text underlined in red color: 7X(MOD 11) = 72(MOD 11) =49(MOD 11)

My questions are:

(1) obviously there is no equal relationship between 72(MOD 11) and 49 (MOD 11), and where does 49 come from?

(2) X and Y are picked up randomly, are 7 and 7 in 7X and 11 in MOD 11 also picked up randomly, or is it some algorithm？ there is no any explanation in the textbook I have

(3) in the ...

Score: 1
What can I use for key exchange?

I am trying to send AES keys from one computer to another, but I need to provide some form of attestation of the key's provenance. How should I go about doing this?

Score: 1
CK vs BR Key Exchange Security Models

I'm writing a paper on Authenticated Key Exchange Protocols. I've read Bellare and Rogway's seminal paper on the subject and I think I understand BR Model and I'm now reading Cenetti and Krawczyk's paper which aims to improve on it. I'm confused as to how the CK model is an improvement of the BR. As mentioned in the appendix of the CK paper, the BR paper phrases their analysis in terms of oracles. They m ...

Score: 0
What are the explicit usage of different keys derived from SKEYSEED in IKE?

We have seven different keys derived from DH key and nonces via PRF in IKEv2 as skd, skai, skar, skei, sker, skpi, skpr. Why different keys are generated for initator and responder for encryption? What are the explicit usage of different keys derived from SKEYSEED in IKE?

For example, ska and skp are defined as "a key to the integrity protection algorithm for authenticating the component messages ...

Score: 0
Why pre-shared key is not involved to key derivation in IKEv2?

In IKEv1 (RFC 2409), preshared secret is involved to key derivation where IKEv2 (RFC 7296) use it for only authentication. When we consider post-quantum security, this property makes IKEv1 suitable if preshared key has sufficient entropy. Therefore post-quantum extension of IKEv2 proposed in (RFC 8784) which is basicly adding an additional secret that is shared between the initiator and the responde ...

Score: 3
SIDH: What if the two kernel generators are chosen in the same torsion group?

In SIDH, either party chooses its secret point $$R_A = [m_A]P_A+[n_A]Q_A \in E[\ell_A^{e_A}]$$, $$R_B = [m_B]P_B+[n_B]Q_B \in E[\ell_B^{e_B}]$$ from two different sets $$E[\ell_A^{e_A}]$$ and $$E[\ell_B^{e_B}]$$. What is the issue if the two points are chosen from the same set ($$E[\ell_A^{e_A}]$$ or $$E[\ell_B^{e_B}]$$)?

Score: 0
When is a PQ key-exchange algorithm suitable for use with long-term static keys?

I took a look at Cloudflare Circl because I'm curious which Post-Quantum algorithms are implemented in Go, which could be used to exchange a key.

I read this comment that SIDH is only good for ephemeral key exchange, in contrast to CSIDH.

Question 1:
Therefore, I wonder, what characteristics must a Post-Quantum algorithm have to be suitable to create a long-term static key for key exchange (like RSA  ...

Score: 0
Can Merkle signatures be leveraged for key exchange?

A Merkle signature scheme is post-quantum-suitable as it relies only on the security of a one-way function. However, this construction seems to only be capable of authentication, and not confidentiality.

Is there any cryptographic protocol enabling key exchange via a Merkle scheme -- that is, without relying on weaker assumptions that might be broken by future cryptographers with a quantum compute ...

Score: 1
Under which conditions certificate is required for IKEv2?

In IKEv2 document, there are expressions as [CERT,] or [CERTREQ,] in the parts of IKE_SA_INIT or IKE_AUTH exchanges. In this notation brackets indicates that it is optional. I didn't see expressions as CERT or CERTREQ without brackets in document. Is certificate always optional in IKEv2? Under what conditions it is useful? Is it related with preferred authentication method of IKEv2?