CPDA Lecture 3 Key Exchange

Uploaded by

Gizachew Teshome

ELE2742 / ENG1467 - PUC-Rio, 2019.

Lecture 3: Key Exchange Protocol


DATE
Lecturer: Yi-Fan Tseng Scribe: Yi-Fan Tseng

1 The Key Distribution Problem


Imagine that we are living in a city with a high crime rate. Anything will be stolen if it is not
properly secured. For example, packages will be opened by couriers if they are not locked. One
day, Alice wants to send Bob a valuable watch as a gift. To prevent the watch from being stolen,
she

1. first puts the watch in a box;

2. then locks the box;

3. finally sends the box to Bob.

After receiving the locked box from Alice, however, Bob needs the key to Alice's lock to open the
box. The problem is how Alice can give the key to Bob.

Solution 1. A straightforward solution is that Alice meets Bob at some time and gives the key
directly to Bob. Nevertheless, it would be meaningless to send the locked box if Alice is able to
meet Bob.

Solution 2. Another method is that Alice sends the key to Bob. In order to prevent the key from
being stolen, Alice needs to find another box and then lock the key in this box with another lock.
However, it would be meaningless since Bob is still unable to open the new box due to the lack of
the key to the new box.

This is the key distribution problem in classical cryptography. In a war, when a commander wants
to send a message to another commander, the message should be encrypted to prevent it from being
eavesdropped. However, how can the two commanders share the key for encrypting the message? How to
securely deliver the key hence becomes an important issue in communication.

In 1976, Diffie and Hellman [1], in their pioneering paper, proposed a new idea to solve the key
distribution problem. Consider the aforementioned scenario. Alice performs the same steps as
before. After receiving the locked box, Bob performs as follows.

1. Bob locks the box with his own lock.

2. Bob then sends the "doubly locked" box back to Alice.

After Alice receives the box, she unlocks her lock, and sends the box to Bob again. Note that, now
the box is locked with only Bob's lock, and thus Bob is able to obtain the gift by unlocking the box
with his own key.

The operation of locking a box can be viewed as a function in mathematics. Choosing a lock
is analogous to choosing a function. Therefore, the aforementioned scenario can be rewritten as
follows. Alice and Bob choose their own functions $F_A$ and $F_B$ with the restrictions that

1. given $F_A(x)$ or $F_B(x)$, it is hard to find $x$ (a lock should be hard to open without the corresponding key);

2. $F_B^{-1}(F_A^{-1}(F_B(F_A(x)))) = x$, which is equivalent to $F_B(F_A(x)) = F_A(F_B(x))$.

The solution proposed by Diffie and Hellman is the famous Diffie-Hellman Key Exchange
Protocol.

2 Diffie-Hellman Key Exchange Protocol


2.1 Diffie-Hellman Key Exchange Protocol
The Diffie-Hellman key exchange (DHKE) protocol is performed as follows.

Alice and Bob first set up the system parameters together.

1. Choose a large prime $p$ such that $p - 1$ has a prime factor $q$.

2. Let $G$ be a subgroup of $\mathbb{Z}_p^*$ of order $q$. Find a generator $g$ of $G$. Such a $G$ exists since $|\mathbb{Z}_p^*| = p - 1$ and $q \mid p - 1$.

After deciding the system parameters $(G, g, p)$, Alice and Bob choose their own secrets $x_A$ and $x_B$
from $\mathbb{Z}_q^*$, and compute $y_A = g^{x_A} \bmod p$ and $y_B = g^{x_B} \bmod p$. Next, Alice sends $y_A$ to Bob, and
Bob sends $y_B$ to Alice. Finally, Alice computes $k_A = y_B^{x_A} \bmod p$ and Bob computes $k_B = y_A^{x_B} \bmod p$.

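$$
\begin{array}{lcl}
\textbf{Alice} & & \textbf{Bob} \\
x_A \xleftarrow{\$} \mathbb{Z}_q^* & & x_B \xleftarrow{\$} \mathbb{Z}_q^* \\
y_A = g^{x_A} \bmod p & & y_B = g^{x_B} \bmod p \\
 & \xrightarrow{\quad y_A \quad} & \\
 & \xleftarrow{\quad y_B \quad} & \\
k_A = y_B^{x_A} \bmod p & & k_B = y_A^{x_B} \bmod p
\end{array}
$$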


Correctness.

$$
k_A = y_B^{x_A} \pmod p = (g^{x_B})^{x_A} \pmod p = g^{x_A x_B} \pmod p = (g^{x_A})^{x_B} \pmod p = y_A^{x_B} \pmod p = k_B
$$

[Figure 1: Diffie-Hellman Key Exchange Protocol (Wiki). Panels for Alice and Bob: common paint + secret colours = mixture; public transport (assume that mixture separation is expensive); mixture + secret colours = common secret.]

Fig. 1 shows an illustration of the Diffie-Hellman key exchange protocol.
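The setup and exchange described in this section, as an added Python example that is not part of the original lecture notes. The toy parameters `P` and `Q`, the function names, and the subgroup-membership check on the received value (a check a practitioner would add, not stated in the lecture) are assumptions of this example.

```python
import secrets

# Constructed toy parameters, far too small for real use: p - 1 = 2 * q.
P, Q = 2039, 1019

def subgroup_generator(p, q):
    """Return g of order q in Z_p^*: raise h to (p-1)/q until g != 1."""
    if (p - 1) % q != 0:
        raise ValueError("q must divide p - 1")
    for h in range(2, p - 1):
        g = pow(h, (p - 1) // q, p)
        if g != 1:
            return g  # g^q = h^(p-1) = 1 and q is prime, so ord(g) = q
    raise ValueError("no generator found")

def keypair(g, p, q):
    """Pick x uniformly from Z_q^* = {1..q-1}; return (x, y = g^x mod p)."""
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)

def valid_public(y, p, q):
    """Accept y only if it lies in the order-q subgroup and is not 1."""
    return 1 < y < p and pow(y, q, p) == 1

def shared_key(y_peer, x_own, p, q):
    """k = y_peer^x_own mod p, refusing values outside the subgroup."""
    if not valid_public(y_peer, p, q):
        raise ValueError("peer value is not in the order-q subgroup")
    return pow(y_peer, x_own, p)

def run_exchange(p=P, q=Q):
    g = subgroup_generator(p, q)
    x_a, y_a = keypair(g, p, q)        # Alice's secret and public value
    x_b, y_b = keypair(g, p, q)        # Bob's secret and public value
    k_a = shared_key(y_b, x_a, p, q)   # Alice computes y_B^{x_A} mod p
    k_b = shared_key(y_a, x_b, p, q)   # Bob computes y_A^{x_B} mod p
    return g, (y_a, y_b), (k_a, k_b)

if __name__ == "__main__":
    g, public, (k_a, k_b) = run_exchange()
    print("g =", g, "public =", public, "keys agree:", k_a == k_b)
```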

2.2 Security Analysis


We then give the security analysis for the DHKE protocol. Assume that there is an attacker Eve
who eavesdrops on the communication and wants to obtain the shared key $k_A$ (or $k_B$). From
eavesdropping on the communication, Eve can obtain $y_A$ and $y_B$. Note that Eve needs $x_A$ (resp. $x_B$)
to recover $k_A$ (resp. $k_B$). However, it is hard to recover $x_A$ given $g$, $y_A$, $p$, since doing so is equivalent to
solving the discrete log problem. The case of recovering $x_B$ is similar. Besides, with only $y_A$ and
$y_B$, Eve can only compute $y_A \cdot y_B = g^{x_A + x_B}$ or $y_A / y_B = g^{x_A - x_B}$.

2.3 Vulnerability
Though the DHKE protocol allows two parties to construct a shared key via a public channel, it
is vulnerable to man-in-the-middle (MITM) attacks. Intuitively speaking, MITM is an attack
where the attacker secretly relays and possibly alters the communications between two parties
who believe that they are directly communicating with each other. In the scenario shown above,
Eve may choose her $(y_E, x_E)$, and act as a man in the middle to perform the DHKE protocol with
Alice and Bob separately. Thus Alice would think that she is communicating with Bob, and Bob
would think that he is communicating with Alice, but they are actually communicating with Eve.
Finally, Eve is able to establish shared keys with both Alice and Bob. Therefore, Eve can obtain
the messages transmitted between Alice and Bob. To solve the problem, we can adopt the following
solutions.
• Authentication

• Time Stamp

• Certificate
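One way the Authentication and Time Stamp countermeasures listed above can be combined, as an added example that is not part of the original lecture notes: each party signs its ephemeral DH value together with its name and a timestamp using a long-term key, and the receiver checks both before using the value. The Schnorr signature, the toy group `P, Q, G`, the `MAX_SKEW` policy and the `trusted_keys` table (standing in for certificate validation) are assumptions of this example.

```python
import hashlib, secrets

# Constructed toy group (insecure size): P = 2*Q + 1, G has order Q.
P, Q, G = 2039, 1019, 4
MAX_SKEW = 30  # seconds a signed value stays acceptable (assumed policy)

def keygen():
    """Secret x in {1..Q-1} and public value G^x mod P."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def challenge(r, msg):
    h = hashlib.sha256(f"{r}|{msg}".encode()).digest()
    return int.from_bytes(h, "big") % Q

def sign(x_long, msg):
    """Schnorr signature (r, s) over msg with long-term secret x_long."""
    k = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)
    return r, (k + x_long * challenge(r, msg)) % Q

def verify(y_long, msg, sig):
    """Check G^s == r * y_long^e mod P for e = challenge(r, msg)."""
    r, s = sig
    return pow(G, s, P) == (r * pow(y_long, challenge(r, msg), P)) % P

def send_public(name, x_long, y_eph, now):
    """Message carrying an ephemeral DH value, bound to sender and time."""
    return {"from": name, "y": y_eph, "ts": now,
            "sig": sign(x_long, f"{name}|{y_eph}|{now}")}

def accept_public(msg, trusted_keys, now):
    """Return the peer's y only if signature and timestamp check out."""
    y_long = trusted_keys.get(msg["from"])
    body = f'{msg["from"]}|{msg["y"]}|{msg["ts"]}'
    if y_long is None or not verify(y_long, body, msg["sig"]):
        return None   # unknown sender, or value altered in transit
    if abs(now - msg["ts"]) > MAX_SKEW:
        return None   # stale message: possible replay
    return msg["y"]
```

A value substituted in transit fails `verify` because the signature was made over the original `y`, so the receiver never derives a key from it.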

3 One Round, 3-Party Key Exchange Protocol


In 2004, Joux [2] proposed a key exchange protocol allowing three parties to agree on a shared key
in one round. It can be regarded as an extension of the DHKE protocol using pairings.

Let $e : G \times G \to G_T$ be a bilinear map, where $G$, $G_T$ are multiplicative groups of prime order
$p$, and $g$ be a generator of $G$. Figure 2 shows the details of Joux's scheme.

Correctness.

$$
K_A = e(y_B, y_C)^{x_A} = e(g^{x_B}, g^{x_C})^{x_A} = e(g, g)^{x_A x_B x_C}
$$

$$
K_B = e(y_A, y_C)^{x_B} = e(g^{x_A}, g^{x_C})^{x_B} = e(g, g)^{x_A x_B x_C}
$$

$$
K_C = e(y_A, y_B)^{x_C} = e(g^{x_A}, g^{x_B})^{x_C} = e(g, g)^{x_A x_B x_C}
$$

The security analysis is similar to the DHKE protocol.

References
[1] W. Diffie and M. Hellman. New directions in cryptography. IEEE Trans. Inf. Theor.,
22(6):644–654, Sept. 2006.

[2] A. Joux. A one round protocol for tripartite Diffie–Hellman. Journal of Cryptology, 17(4):263–
276, Sep 2004.

[Figure 2: Joux's Key Exchange Protocol (parties: Alice, Bob, Carol)]
