Key-agreement protocol

In cryptography, a key-agreement protocol is a protocol whereby two (or more) parties generate a cryptographic key as a function of information provided by each honest party so that no party can predetermine the resulting value.[1] In particular, all honest participants influence the outcome. A key-agreement protocol is a specialisation of a key-exchange protocol.[2]

At the end of the agreement, all parties share the same key. A key-agreement protocol precludes undesired third parties from forcing a key choice on the agreeing parties. A secure key agreement can ensure confidentiality and data integrity[3] in communications systems, ranging from simple messaging applications to complex banking transactions.

Secure agreement is defined relative to a security model, for example the Universal Model.[2] More generally, when evaluating protocols, it is important to state security goals and the security model.[4] For example, it may be required for the session key to be authenticated. A protocol can be evaluated for success only in the context of its goals and attack model.[5] An example of an adversarial model is the Dolev-Yao model.

In many key exchange systems, one party generates the key and sends it to the other party; the other party has no influence on the key.
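The contrast drawn above between key agreement and one-sided key generation, as an added example that is not part of the original article: a finite-field Diffie-Hellman exchange, a well-known key-agreement protocol the article does not itself name. The toy group (`P`, `G`) and all function names are assumptions chosen for illustration.

```python
import hashlib
import secrets

# Toy group, illustration only (assumption, not from the article):
# P is the prime 2**255 - 19 and G = 2. Real deployments use a vetted
# group or curve through a maintained cryptographic library.
P = 2**255 - 19
G = 2

def public_of(priv):
    """Public contribution derived from a private value."""
    return pow(G, priv, P)

def keygen():
    """Return a fresh (private, public) contribution for one party."""
    priv = secrets.randbelow(P - 3) + 2          # uniform in 2 .. P-2
    return priv, public_of(priv)

def agree(own_priv, peer_pub):
    """Key agreement: the key is a function of BOTH contributions."""
    # 0, 1 and P-1 would let the peer force the shared value regardless
    # of own_priv, which defeats "no party can predetermine the key".
    if not 1 < peer_pub < P - 1:
        raise ValueError("degenerate peer public value")
    shared = pow(peer_pub, own_priv, P)
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()

def transport(sender_key, receiver_input):
    """One-sided scheme: the sender alone picks the key.

    receiver_input is deliberately ignored; protecting the key in
    transit is out of scope for this sketch.
    """
    return sender_key

if __name__ == "__main__":
    a_priv, a_pub = keygen()
    b_priv, b_pub = keygen()
    k_a = agree(a_priv, b_pub)
    k_b = agree(b_priv, a_pub)
    print("agreement: same key on both sides:", k_a == k_b)
    k = secrets.token_bytes(32)
    print("transport: receiver has no influence:",
          transport(k, b"x") == transport(k, b"y"))
```

This exchange is unauthenticated: it shows only the contributory property, not the authenticated session key that a security goal may require.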

  1. Menezes, A.; Oorschot, P. van; Vanstone, S. (1997). Handbook of Applied Cryptography (5th ed.). CRC Press. ISBN 0-8493-8523-7.
  2. Canetti, Ran; Krawczyk, Hugo (6 May 2001). "Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels". Proceedings of the International Conference on the Theory and Application of Cryptographic Techniques: Advances in Cryptology. Springer-Verlag: 453–474. ISBN 978-3-540-42070-5.
  3. Bellare, Mihir; Canetti, Ran; Krawczyk, Hugo (23 May 1998). "A modular approach to the design and analysis of authentication and key exchange protocols (Extended abstract)". Proceedings of the thirtieth annual ACM symposium on Theory of computing - STOC '98. Association for Computing Machinery. pp. 419–428. doi:10.1145/276698.276854. ISBN 0-89791-962-9.
  4. Gollmann, D. (6 May 1996). "What do we mean by entity authentication?". Proceedings 1996 IEEE Symposium on Security and Privacy. IEEE Computer Society. pp. 46–54. doi:10.1109/SECPRI.1996.502668. ISBN 978-0-8186-7417-4.
  5. Katz, Jonathan; Lindell, Yehuda (2021). Introduction to modern cryptography (Third ed.). Boca Raton London New York: CRC Press Taylor & Francis Group. p. 49. ISBN 978-0815354369.