
Key-agreement protocol

A key-agreement protocol is a cryptographic mechanism that enables two or more parties to collaboratively derive a shared key over an insecure channel, with each participant contributing to the process so that the result depends on all of them. Unlike key-transport methods, where one party generates the key and securely delivers it to the others, key-agreement protocols emphasize joint computation, often relying on computationally hard problems such as the discrete logarithm problem to prevent eavesdroppers from deducing the key. This approach can provide perfect forward secrecy when ephemeral keys are used, so that compromise of long-term keys does not reveal past session keys, and resistance to man-in-the-middle attacks when combined with authentication.

The foundational key-agreement protocol, Diffie-Hellman (DH), was introduced in 1976 by Whitfield Diffie and Martin Hellman as part of their seminal work on public-key cryptography; it allows parties to establish a shared secret without prior shared secrets or trusted intermediaries. DH operates in the multiplicative group modulo a large prime, where parties exchange public values derived from private exponents and a common base, yielding the shared key g^{xy} \mod p for private values x and y, base g, and prime p, with security based on the computational Diffie-Hellman assumption. Subsequent variants, such as Elliptic Curve Diffie-Hellman (ECDH), improve efficiency by working in elliptic curve groups, which achieve equivalent security with smaller key sizes and are widely adopted in modern systems. These protocols underpin secure communication in protocols like TLS, enabling encrypted sessions in applications from web browsing to VPNs.

Key-agreement protocols are standardized by bodies like NIST and the IETF to ensure interoperability and security. NIST SP 800-56A specifies pair-wise key-establishment schemes using discrete logarithm cryptography, including basic and augmented DH variants together with requirements for key confirmation and key derivation. Similarly, IETF RFC 2631 defines the DH key-agreement method for use in protocols like S/MIME, emphasizing secure parameter generation and key derivation functions.
Emerging challenges include resistance to quantum computers, prompting post-quantum alternatives such as lattice-based schemes, including ML-KEM, which NIST standardized in 2024. Overall, these protocols remain critical for secure communication in distributed systems, evolving to address new threats while maintaining the core principle of collaborative key derivation.

Fundamentals

Definition and Objectives

A key-agreement protocol is a cryptographic procedure that enables two or more parties to derive a shared key over an insecure channel, without relying on any pre-established shared secrets, such that the resulting key is a function of contributions from all participants and no single party can unilaterally determine its value. This ensures that the shared key can subsequently be used for cryptographic operations, such as symmetric encryption, while protecting against unauthorized access during the exchange. The primary objectives of key-agreement protocols are maintaining the secrecy of the derived key, providing resistance to eavesdropping by adversaries who may intercept messages, and achieving computational efficiency for practical deployment in resource-constrained environments. Secrecy is achieved by ensuring that the key remains unknown to non-participants even after they observe the protocol messages, while resistance to eavesdropping leverages the computational hardness of underlying problems like the discrete logarithm problem. Efficiency focuses on minimizing the number of message exchanges and computational operations, often through automated mechanisms that reduce the need for manual key distribution.

Key-agreement protocols were first formalized in 1976 by Diffie and Hellman in their seminal paper introducing public-key cryptography, establishing them as a foundational primitive for secure key establishment. In the basic two-party model, parties such as Alice and Bob exchange public information, typically involving ephemeral or static key pairs, over the channel to jointly compute the shared key K, which is then used to derive further keying material. This differs from key-transport protocols, where one party generates the key and securely transmits it to the other, potentially allowing the sender to predetermine the key value. The Diffie-Hellman exchange serves as the classic example of a key-agreement protocol.

Security Properties

Key-agreement protocols must satisfy several core security properties so that the derived shared key remains confidential and usable only by the intended parties. These properties are formally defined in security models such as the Bellare-Rogaway framework, which specifies the adversary's capabilities and the guarantees a session key must provide. Central to these is the assurance that the protocol withstands both passive and active adversaries, with security reductions to well-established computational problems.

Key confirmation provides assurance to each party that the other possesses the same shared key. It comes in two forms: implicit confirmation, where acceptance of the protocol implies key possession, and explicit confirmation, which involves additional messages to verify key ownership. This property prevents scenarios where one party believes a key has been established while the other does not, enhancing protocol reliability. In the Bellare-Rogaway model, key confirmation is integrated into authenticated key exchange to ensure mutual assurance of key possession.

Forward secrecy, often termed perfect forward secrecy (PFS) when fully realized, ensures that compromise of long-term private keys does not enable decryption of prior session keys, because each session key is derived independently using ephemeral secrets. This limits the impact of a key compromise to future sessions only, a critical feature in protocols relying on ephemeral Diffie-Hellman exchanges. PFS is achieved when the protocol generates unique, non-reusable session keys per execution, so that they stay secret even under long-term key exposure.

Resistance to known-key attacks requires that the security of a session key remains intact even if an adversary learns some prior session keys, preventing cascading compromises across multiple sessions. This is essential in multi-session environments, where partial key exposure should not undermine unrelated sessions, and is typically enforced by ensuring session independence through fresh ephemeral values. Protocols vulnerable to such attacks may allow an adversary to impersonate parties or predict future keys based on leaked ones.

Adversarial models distinguish between passive adversaries, who only eavesdrop on communications without altering them, and active adversaries capable of man-in-the-middle attacks, including message modification or injection. Unauthenticated key-agreement protocols are secure against passive eavesdroppers but vulnerable to active attacks, where an adversary can impersonate each party to the other and establish a separate key with each. Stronger security against active adversaries requires mechanisms that bind keys to legitimate parties.

The security of key-agreement protocols relies on computational assumptions, such as the intractability of the discrete logarithm problem in cyclic groups, where computing g^{ab} from g^a and g^b (the computational Diffie-Hellman problem) is hard without the exponents. These assumptions underpin the confidentiality of derived keys against polynomial-time adversaries. Key security is often measured by the computational indistinguishability of the session key from a random key to an adversary interacting with sessions, as defined in models like the Bellare-Rogaway framework. Perfect forward secrecy (PFS) complements this by ensuring resistance to recovery of past session keys following compromise of long-term keys. Together these properties ensure that the protocol's keys support secure communication without predictable patterns.

Unauthenticated Protocols

Diffie-Hellman Exchange

The Diffie-Hellman key exchange is a foundational unauthenticated protocol for establishing a shared secret key between two parties over an insecure channel, relying on the computational difficulty of the discrete logarithm problem in finite fields. Invented in 1976 by Whitfield Diffie and Martin E. Hellman, it introduced the concept of public-key cryptography for key agreement without requiring prior shared secrets.

The protocol operates in the multiplicative group modulo a large prime p, where p serves as the modulus and g is a generator (primitive root) of the multiplicative group \mathbb{Z}_p^*, so that the powers of g produce every nonzero element modulo p. The public parameters p and g are agreed upon in advance and can be reused across multiple exchanges, though modern implementations often generate fresh ephemeral values per exchange for enhanced security.

In the protocol, Alice selects a random private exponent a \in \{1, \dots, p-2\} and computes her public value A = g^a \mod p, which she sends to Bob. Independently, Bob chooses a private exponent b \in \{1, \dots, p-2\}, computes B = g^b \mod p, and sends it to Alice. Alice then derives the shared key K = B^a \mod p = (g^b)^a \mod p = g^{ab} \mod p, while Bob computes K = A^b \mod p = (g^a)^b \mod p = g^{ab} \mod p. Thus both parties arrive at the same secret K = g^{ab} \mod p without ever transmitting it directly:

\begin{align*}
A &= g^a \mod p, \\
B &= g^b \mod p, \\
K &= g^{ab} \mod p.
\end{align*}

The security of the Diffie-Hellman exchange rests on the hardness of the discrete logarithm problem: given p, g, and A = g^a \mod p, it is computationally infeasible for an eavesdropper to recover a or to compute K without solving for the exponent. This assumption holds in sufficiently large prime-order subgroups, where no efficient algorithm for the problem is known despite extensive study.

However, the protocol is vulnerable to man-in-the-middle attacks: an active adversary can impersonate each party to the other, establishing a separate key with each and relaying messages undetected, because nothing authenticates the public values A and B. The basic form does provide perfect forward secrecy, since the ephemeral private exponents a and b are discarded after the exchange; a later compromise therefore cannot recover past session keys, and in this basic form there are no long-term secrets to compromise at all.
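The exchange above, written out as an added example (not code from the article): it generates a toy 64-bit safe-prime group (real deployments use 2048-bit or larger groups such as the RFC 7919 ffdhe groups), validates each received public value before use, and hashes the raw group element rather than using it directly as a key. The helper names (generate_safe_prime_group, validate_public_value, dh_shared_key) are my own.

```python
import hashlib
import secrets

# Added example (not from the article): finite-field Diffie-Hellman with
# parameter generation and validation of received public values.
# A 64-bit safe prime is generated for speed; real deployments use 2048-bit
# or larger groups such as the RFC 7919 ffdhe groups.

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; deterministic for n < 3.3e24."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_safe_prime_group(bits: int = 64):
    """Return (p, q, g): p = 2q + 1 with p, q prime and g of order q."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if is_probable_prime(q) and is_probable_prime(p):
            break
    g = pow(2, 2, p)   # a square, hence an element of the order-q subgroup
    return p, q, g


def validate_public_value(y: int, p: int, q: int) -> bool:
    """Reject values outside (1, p-1) or outside the prime-order subgroup
    (the full public-key validation RFC 2631 and SP 800-56A call for)."""
    return 1 < y < p - 1 and pow(y, q, p) == 1


def dh_keypair(p: int, q: int, g: int):
    x = secrets.randbelow(q - 1) + 1      # private exponent in [1, q-1]
    return x, pow(g, x, p)


def dh_shared_key(priv: int, peer_pub: int, p: int, q: int) -> bytes:
    if not validate_public_value(peer_pub, p, q):
        raise ValueError("invalid peer public value")
    shared = pow(peer_pub, priv, p)
    # Never use the raw group element as a key: hash it to fixed-length material.
    length = (p.bit_length() + 7) // 8
    return hashlib.sha256(shared.to_bytes(length, "big")).digest()


def run_exchange(p: int, q: int, g: int):
    """Alice and Bob each derive the key; both are returned for comparison."""
    a, pub_a = dh_keypair(p, q, g)
    b, pub_b = dh_keypair(p, q, g)
    return dh_shared_key(a, pub_b, p, q), dh_shared_key(b, pub_a, p, q)


if __name__ == "__main__":
    p, q, g = generate_safe_prime_group()
    key_a, key_b = run_exchange(p, q, g)
    print("p =", p, "keys match:", key_a == key_b)
```

The subgroup check in validate_public_value is what stops a peer from sending a value of small order (such as 1 or p-1) that would force the shared secret into a handful of possibilities; the range check alone does not catch the order-2 element p-1 in a safe-prime group, and the exponentiation test catches elements of order 2q as well.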

Elliptic Curve Variants

Elliptic curve Diffie-Hellman (ECDH) adapts the classical Diffie-Hellman key agreement protocol to the algebraic structure of elliptic curves over finite fields, enabling two parties to compute a shared secret through point multiplication. In this setting, an elliptic curve E is defined over a finite field \mathbb{F}_p, with a base point G of prime order n. Alice selects a private scalar a \in [1, n-1] and computes her public point A = a \cdot G, while Bob selects b \in [1, n-1] and computes B = b \cdot G. They exchange A and B over an insecure channel, allowing Alice to derive the shared point K = a \cdot B = a \cdot (b \cdot G) and Bob to compute K = b \cdot A = b \cdot (a \cdot G). The resulting K serves as the basis for the symmetric key, typically hashed to a fixed-length value for use in symmetric encryption.

This approach provides security equivalent to classical Diffie-Hellman with significantly smaller parameters, reducing computational and bandwidth demands. For instance, a 256-bit curve offers approximately 128 bits of security, comparable to a 3072-bit modulus in classical Diffie-Hellman, achieving about a 10-fold reduction in key size while retaining resistance to the discrete logarithm problem on the curve group.

Standardization efforts have focused on secure curve selection to mitigate potential weaknesses. The National Institute of Standards and Technology (NIST) recommends curves such as P-256, defined over a 256-bit prime field with specific parameters chosen to resist known attacks. Independently, Curve25519, designed for high-speed Diffie-Hellman, uses a Montgomery form over a 255-bit prime field and prioritizes constant-time implementations to enhance security.

ECDH saw widespread adoption in the 2000s, particularly in secure communication protocols like Transport Layer Security (TLS), where it enabled efficient ephemeral key exchanges. This integration, formalized in standards such as RFC 4492, added elliptic curve cipher suites for faster handshakes without compromising security.

Despite these benefits, ECDH implementations face trade-offs related to side-channel vulnerabilities inherent in scalar multiplication. Operations like point doubling and addition can leak information through timing variations, power consumption, or electromagnetic emissions, potentially allowing attackers to recover private scalars via techniques such as power analysis. Mitigations, including constant-time algorithms and blinding, are essential but add computational overhead.
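An added example (not code from the article) of the ECDH computation on a toy curve constructed for illustration, y^2 = x^3 + 2x + 2 over \mathbb{F}_{17} with base point G = (5, 1) of prime order 19. It implements affine point addition and double-and-add scalar multiplication, checks that a received public point actually lies on the curve before using it, and hashes the shared x-coordinate into key material. The curve, the helper names, and the one-byte encoding of the x-coordinate are my own choices; real systems use P-256 or X25519 with constant-time arithmetic.

```python
import hashlib
import secrets

# Added example (not from the article): ECDH on a toy curve constructed for
# illustration, y^2 = x^3 + 2x + 2 over F_17 with base point G = (5, 1).
# Real systems use P-256 or X25519; the arithmetic here is affine
# double-and-add and is not constant time.

P = 17                       # field prime
A_COEF, B_COEF = 2, 2        # curve coefficients
G = (5, 1)                   # base point; None denotes the point at infinity


def is_on_curve(pt) -> bool:
    if pt is None:
        return True
    x, y = pt
    return (0 <= x < P and 0 <= y < P
            and (y * y - (x ** 3 + A_COEF * x + B_COEF)) % P == 0)


def point_add(p1, p2):
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                             # R + (-R)
    if p1 == p2:
        lam = (3 * x1 * x1 + A_COEF) * pow(2 * y1, -1, P) % P   # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P               # chord slope
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k: int, pt):
    """Compute k*pt by double-and-add."""
    result, addend = None, pt
    while k > 0:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def point_order(pt) -> int:
    """Smallest n > 0 with n*pt = infinity (affordable only on a toy curve)."""
    n, acc = 1, pt
    while acc is not None:
        acc = point_add(acc, pt)
        n += 1
    return n


N = point_order(G)   # group order; it is prime (19) on this curve


def ecdh_keypair():
    d = secrets.randbelow(N - 1) + 1       # private scalar in [1, N-1]
    return d, scalar_mult(d, G)


def ecdh_shared_key(d: int, peer_pub) -> bytes:
    # Public-key validation: reject infinity and any point not on the curve.
    # With a prime group order no further subgroup check is needed.
    if peer_pub is None or not is_on_curve(peer_pub):
        raise ValueError("invalid peer public point")
    shared = scalar_mult(d, peer_pub)
    if shared is None:
        raise ValueError("degenerate shared point")
    # Only the x-coordinate feeds the KDF; one byte suffices since P < 256.
    return hashlib.sha256(bytes([shared[0]])).digest()


def run_exchange():
    da, pub_a = ecdh_keypair()
    db, pub_b = ecdh_keypair()
    return ecdh_shared_key(da, pub_b), ecdh_shared_key(db, pub_a)
```

The on-curve check matters because the addition formulas never consult the curve equation: fed a point off the curve, scalar multiplication silently computes in a different, possibly weak, group, which is the basis of invalid-curve attacks against implementations that skip this validation.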

Authenticated Protocols

Public-Key Integration

Public-key integration strengthens unauthenticated key-agreement protocols such as the Diffie-Hellman exchange by incorporating long-term public keys to provide authentication and prevent impersonation or man-in-the-middle attacks. In this approach, parties sign their ephemeral Diffie-Hellman public values, typically A = g^a \mod p for the initiator Alice and B = g^b \mod p for the responder Bob, using their respective long-term private keys; the signatures are verified against certified public keys using schemes like RSA or ECDSA. This ensures that the ephemeral values originate from the claimed identities, binding the session to authenticated entities.

A prominent example is an authenticated construction using ephemeral Diffie-Hellman keys, where fresh ephemeral keys are generated for each session to maintain forward secrecy, while long-term public keys handle authentication through signatures on the ephemeral components. The Station-to-Station (STS) protocol, proposed by Diffie, van Oorschot, and Wiener in 1992, implements this by having the parties exchange signed and encrypted ephemeral values: Alice sends her ephemeral public key, Bob responds with his signed ephemeral key, the signature encrypted under the shared key, and Alice confirms with her own signature. This three-pass design achieves mutual entity authentication and explicit key confirmation, as the final encryption under the derived key verifies both identity and key possession.

These protocols deliver strong security guarantees, including mutual authentication, ensuring each party verifies the other's identity, and key confirmation, where protocol completion implicitly or explicitly proves knowledge of the shared key, resisting active adversaries under standard computational assumptions like the Diffie-Hellman problem. However, they rely on a public-key infrastructure (PKI) to certify long-term keys, introducing a dependency on trusted certification authorities, and they remain vulnerable to compromise of long-term private keys, which could expose past authenticated sessions unless forward secrecy is enforced via ephemeral keys. Some variants incorporate implicit authentication through zero-knowledge proofs, allowing parties to demonstrate possession of private keys without revealing them, thus enhancing privacy in the authentication step.
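The three-pass STS flow, as an added example (not code from the article or from the STS paper). Each party signs the pair of ephemeral values with its long-term key, and the signature is sent encrypted under the freshly derived session key. The toy safe-prime group (p = 2039, q = 1019, g = 2), the Schnorr signature used in place of RSA or ECDSA, the SHAKE-based XOR stream standing in for a real cipher, and all helper names are my own choices for a readable illustration, not a secure parameter set.

```python
import hashlib
import secrets

# Added example (not from the article): a Station-to-Station style run. Each
# party signs the pair of ephemeral values with a Schnorr signature under its
# long-term key, and the signature is sent encrypted under the fresh session
# key. Toy safe-prime group p = 2039, q = 1019 with g = 2 generating the
# order-q subgroup; the XOR stream "cipher" stands in for a real AEAD.

P, Q, G = 2039, 1019, 2


def h_int(*parts: int) -> int:
    data = b"".join(v.to_bytes(4, "big") for v in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def check_group(v: int) -> None:
    """Reject public values outside the prime-order subgroup."""
    if not (1 < v < P - 1 and pow(v, Q, P) == 1):
        raise ValueError("public value not in the order-q subgroup")


def schnorr_sign(x: int, *msg: int):
    k = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)
    e = h_int(r, *msg)
    return e, (k - x * e) % Q


def schnorr_verify(y: int, sig, *msg: int) -> bool:
    e, s = sig
    r = pow(G, s, P) * pow(y, e, P) % P      # equals g^k for a valid signature
    return h_int(r, *msg) == e


def session_key(shared: int) -> bytes:
    return hashlib.sha256(shared.to_bytes(4, "big")).digest()


def xor_crypt(key: bytes, label: bytes, data: bytes) -> bytes:
    """Toy stream cipher, keyed per direction so the passes never share keystream."""
    stream = hashlib.shake_256(key + label).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def pack(sig) -> bytes:
    return sig[0].to_bytes(32, "big") + sig[1].to_bytes(4, "big")


def unpack(blob: bytes):
    return int.from_bytes(blob[:32], "big"), int.from_bytes(blob[32:], "big")


def sts_run(alice, bob):
    """alice and bob are long-term (private, public) pairs; returns both session keys."""
    xa, ya = alice
    xb, yb = bob
    a, ea = keygen()                                   # pass 1: Alice -> Bob: g^a
    check_group(ea)                                    # Bob validates g^a
    b, eb = keygen()
    k_bob = session_key(pow(ea, b, P))
    msg2 = xor_crypt(k_bob, b"B->A", pack(schnorr_sign(xb, eb, ea)))   # pass 2
    check_group(eb)                                    # Alice validates g^b
    k_alice = session_key(pow(eb, a, P))
    if not schnorr_verify(yb, unpack(xor_crypt(k_alice, b"B->A", msg2)), eb, ea):
        raise ValueError("Bob's signature over (g^b, g^a) failed; abort")
    msg3 = xor_crypt(k_alice, b"A->B", pack(schnorr_sign(xa, ea, eb)))  # pass 3
    if not schnorr_verify(ya, unpack(xor_crypt(k_bob, b"A->B", msg3)), ea, eb):
        raise ValueError("Alice's signature over (g^a, g^b) failed; abort")
    return k_alice, k_bob
```

The signature covers both ephemeral values, so an adversary who replaces g^b on the wire cannot produce a signature under Bob's long-term key over the substituted pair; and because the signature only decrypts under the session key, a successful verification also confirms that the peer derived the same key.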

Password-Based Methods

Password-authenticated key exchange (PAKE) protocols enable two parties to agree on a shared cryptographic key using only a low-entropy shared password, while providing mutual authentication and resistance to offline dictionary attacks. Such attacks are mitigated because an adversary cannot verify a password guess without actively participating in the protocol, which limits it to at most one guess per execution. Unlike public-key methods that rely on high-entropy keys or certificates, PAKE is designed for scenarios where users share weak secrets such as human-memorable passwords.

One seminal PAKE protocol is the Simple Password Exponential Key Exchange (SPEKE), proposed by David P. Jablon in 1996. SPEKE operates in a Diffie-Hellman-like manner but derives the generator (base) of the group by hashing the shared password, so that the password influences the public values in a way that prevents offline attacks. Specifically, the password S is mapped to a base via a function f(S), such as f(S) = H(S)^{(p-1)/q} \mod p, where p is a safe prime and q is its large prime factor; Alice then computes her public value as Q_A = f(S)^{r_A} \mod p using a random exponent r_A, and Bob does likewise with r_B, allowing them to derive the shared key K = Q_B^{r_A} \mod p = Q_A^{r_B} \mod p. Authentication follows via encrypted nonces or hashes of K. This password-derived choice of base secures the exchange against eavesdroppers, who cannot isolate the exponents without the password. IEEE Std 1363.2-2008 standardizes SPEKE variants, including balanced and augmented forms for discrete logarithm and elliptic curve domains.

Another widely adopted PAKE is the Secure Remote Password (SRP) protocol, introduced by Thomas Wu in 1998. SRP provides a zero-knowledge proof that the client knows the password without revealing it to the server, even under eavesdropping or active attacks. The server stores a verifier derived from the password and a unique salt, computed as V = g^x \mod N, where x = H(\text{salt}, \text{password}), g is a generator, N is a large safe prime, and H is a hash function; the password itself is never stored or transmitted. The protocol augments Diffie-Hellman with password-derived blinding factors: the client blinds its ephemeral public value with the password hash, and the server uses the verifier raised to a multiplier, yielding a shared secret S from which the session key is hashed. This design provides forward secrecy and resistance to server compromise without enabling offline dictionary attacks on captured verifiers. SRP is standardized in IEEE Std 1363.2-2008 in several variants (e.g., SRP3, SRP5, SRP6) and in IETF RFC 5054 for integration with Transport Layer Security (TLS) authentication.

In general, PAKE protocols like SPEKE and SRP enhance Diffie-Hellman security by incorporating password-derived blinding factors into the base or the exchanged values, binding the session key to the low-entropy password while maintaining computational efficiency. This augmentation ensures that passive attackers gain no advantage in password recovery, since the blinding obscures the underlying discrete logarithm instances. However, PAKE remains vulnerable to online brute-force attacks, where an adversary attempts multiple guesses by repeatedly initiating sessions; mitigation requires server-side rate limiting or account lockouts.
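The SRP exchange, as an added example in the SRP-6a form (not code from the article or from the RFC 5054 implementations): the server keeps only a salt and the verifier v = g^x, the client proves knowledge of the password through the proof M1, and the server answers with M2. The toy group N = 2039, g = 2, the 4-byte and minimal-length integer encodings, and the helper names are my own choices; RFC 5054 specifies 1024-bit and larger groups and its own encoding rules.

```python
import hashlib
import secrets

# Added example (not from the article): an SRP-6a style exchange over a toy
# safe-prime group N = 2039, g = 2 (RFC 5054 uses 1024-bit and larger groups).
# The server stores only (salt, verifier); the password never leaves the client.

N, g = 2039, 2


def enc(p) -> bytes:
    """Bytes pass through; ints become minimal-length big-endian."""
    if isinstance(p, bytes):
        return p
    return p.to_bytes(max(1, (p.bit_length() + 7) // 8), "big")


def H(*parts) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(enc(p) for p in parts)).digest(), "big")


K_MULT = H(N, g) % N            # SRP-6a multiplier k = H(N, g)


def private_x(salt: bytes, username: bytes, password: bytes) -> int:
    return H(salt, hashlib.sha256(username + b":" + password).digest())


def register(username: bytes, password: bytes):
    """Client-side enrolment: returns what the server stores, (salt, v)."""
    salt = secrets.token_bytes(16)
    v = pow(g, private_x(salt, username, password), N)
    return salt, v


def client_start():
    a = secrets.randbelow(N - 2) + 1
    return a, pow(g, a, N)                       # A = g^a


def server_start(v: int):
    b = secrets.randbelow(N - 2) + 1
    return b, (K_MULT * v + pow(g, b, N)) % N    # B = k*v + g^b


def client_finish(username, password, salt, a, A, B):
    if B % N == 0:                               # RFC 5054 abort condition
        raise ValueError("server sent a degenerate B")
    u = H(A, B)
    x = private_x(salt, username, password)
    base = (B - K_MULT * pow(g, x, N)) % N       # recovers g^b
    S = pow(base, a + u * x, N)
    K = hashlib.sha256(enc(S)).digest()
    return K, H(A, B, K)                         # (session key, proof M1)


def server_finish(v, b, A, B, M1):
    if A % N == 0:                               # RFC 5054 abort condition
        raise ValueError("client sent a degenerate A")
    u = H(A, B)
    S = pow(A * pow(v, u, N), b, N)
    K = hashlib.sha256(enc(S)).digest()
    if H(A, B, K) != M1:
        raise ValueError("client proof failed: wrong password or tampering")
    return K, H(A, M1, K)                        # (session key, proof M2)


def run_srp(username: bytes, password: bytes, salt: bytes, v: int):
    """Full run with the password the client typed; returns both session keys."""
    a, A = client_start()
    b, B = server_start(v)
    K_client, M1 = client_finish(username, password, salt, a, A, B)
    K_server, M2 = server_finish(v, b, A, B, M1)
    if H(A, M1, K_client) != M2:
        raise ValueError("server proof failed")
    return K_client, K_server
```

Both sides reach g^{b(a + ux)}: the client strips k \cdot g^x from B to recover g^b, and the server multiplies A by v^u. A wrong password changes x on the client only, so M1 fails and the server learns nothing beyond "one guess was wrong", which is exactly the online-guess bound the text describes; the A mod N and B mod N checks are the ones RFC 5054 requires so that a zero value cannot force the shared secret.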

Hybrid Constructions

Hybrid key-agreement protocols integrate multiple cryptographic primitives, such as symmetric encryption, asymmetric key exchange, and password-based authentication, to achieve robust security while accommodating diverse authentication scenarios. This layering allows protocols to leverage the strengths of each component, for instance using Diffie-Hellman (DH) for shared-secret generation alongside password blinding to prevent server-side storage of plaintext credentials. A prominent example is the OPAQUE protocol, an asymmetric password-authenticated key exchange (PAKE) that employs blind password authentication during registration and pairs it with a DH-based authenticated key exchange, such as the 3DH mechanism, to derive session keys without exposing passwords to the server.

In practice, the TLS 1.3 handshake exemplifies this approach by combining ephemeral Elliptic Curve Diffie-Hellman (ECDHE) for forward-secure key agreement with RSA or ECDSA signatures for authentication, enabling secure channel establishment over the internet. These constructions offer benefits like balanced computational cost and enhanced security properties, including resistance to certain compromise scenarios; for example, they can provide post-compromise security by allowing key refreshment without full re-authentication, reducing the impact of long-term secret exposure. Later developments, such as the Signal Protocol, further advanced hybrid designs for messaging applications by merging an asymmetric DH for initial key agreement and authentication with a symmetric chain for ongoing message encryption, ensuring both forward secrecy and protection against key reuse.

Hybrid PAKE protocols like J-PAKE illustrate this integration by "juggling" multiple modular exponentiations over a shared password to simulate zero-knowledge proofs, enabling authenticated key exchange without a public-key infrastructure while relying on DH assumptions for security. However, these protocols introduce trade-offs, including heightened implementation complexity that can amplify the risk of flaws, such as improper key derivation or side-channel vulnerabilities, necessitating rigorous auditing and modular design.

Advanced Topics

Post-Quantum Approaches

The advent of large-scale quantum computers poses a significant threat to classical key-agreement protocols such as Diffie-Hellman (DH) and its elliptic curve variant (ECDH), as Shor's algorithm can solve the underlying discrete logarithm problem in polynomial time. This vulnerability, recognized since the algorithm's proposal in 1994, necessitates the development of post-quantum cryptography (PQC) to ensure long-term security for key establishment.

Lattice-based cryptography offers a prominent approach for post-quantum key agreement, with CRYSTALS-Kyber emerging as a leading candidate due to its reliance on the hardness of the learning-with-errors (LWE) problem over module lattices. Kyber functions as an IND-CCA2-secure key encapsulation mechanism (KEM): one party generates a public key, the other encapsulates a shared secret under it, and the symmetric key is derived from the decapsulated value. This replaces the multiplicative group operations of classical protocols with linear algebra over structured lattices, providing resistance to quantum attacks while maintaining efficiency. A simplified view of the core computation in Kyber is the public-key generation by matrix-vector multiplication in a polynomial ring modulo q, where the public key component is \mathbf{t} = \mathbf{A} \cdot \mathbf{s} + \mathbf{e}, with \mathbf{A} a public matrix, \mathbf{s} the secret vector, and \mathbf{e} a small error vector.

For authenticated post-quantum key agreement, hash-based signatures such as XMSS (eXtended Merkle Signature Scheme) or LMS (Leighton-Micali Signature) can be combined with lattice-based KEMs to provide entity authentication without relying on quantum-vulnerable public-key primitives. These schemes rely only on the security of the underlying hash function, using tree structures to enable many signatures from a single key pair, though they are stateful and require careful state management to avoid reusing a one-time key (as in XMSS).

Standardization efforts, led by the National Institute of Standards and Technology (NIST) Post-Quantum Cryptography Standardization project, culminated in 2024 with the finalization of FIPS 203, specifying ML-KEM (based on Kyber) as the primary mechanism for general-purpose key encapsulation. This standard supports parameter sets such as ML-KEM-512 (128-bit security), ML-KEM-768 (192-bit security), and ML-KEM-1024 (256-bit security), facilitating migration to quantum-resistant protocols. Despite these advances, post-quantum key-agreement protocols face challenges including significantly larger key and ciphertext sizes (Kyber public keys can exceed 1 KB, compared to under 100 bytes for ECDH) and increased computational overhead from lattice operations, which may affect performance in resource-constrained environments. Ongoing optimizations aim to mitigate these issues, but deployment requires careful consideration of performance and interoperability in protocols like TLS.
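An added example (not code from the article, and not Kyber or ML-KEM itself) of the LWE structure behind the public key \mathbf{t} = \mathbf{A}\mathbf{s} + \mathbf{e} described above: a toy Regev-style KEM over plain integer vectors modulo q that encrypts one key bit per ciphertext. It omits Kyber's polynomial-ring modules, compression, and the Fujisaki-Okamoto transform that upgrades it to IND-CCA2, so the toy is IND-CPA at best. The parameters (n = 128, q = 3329, noise in {-1, 0, 1}) and helper names are my own, chosen so that the decryption noise can never exceed q/4 and decapsulation always succeeds.

```python
import hashlib
import secrets

# Added example (not from the article): a toy LWE key-encapsulation mechanism
# whose public key has the form t = A*s + e. It uses plain integer vectors
# mod q rather than Kyber's polynomial-ring modules, encrypts one bit per
# ciphertext, and omits the Fujisaki-Okamoto transform (IND-CPA only).
# Constructed parameters: with {-1,0,1} noise the decryption error term
# satisfies |e.r + e2 - e1.s| <= 2n + 1 = 257 < q/4 = 832, so it never fails.

N_DIM, Q, KEY_BITS = 128, 3329, 32


def small() -> int:
    """Centred small coefficient in {-1, 0, 1}."""
    return secrets.randbelow(3) - 1


def dot(u, v) -> int:
    return sum(a * b for a, b in zip(u, v)) % Q


def keygen():
    A = [[secrets.randbelow(Q) for _ in range(N_DIM)] for _ in range(N_DIM)]
    s = [small() for _ in range(N_DIM)]
    e = [small() for _ in range(N_DIM)]
    t = [(dot(row, s) + ei) % Q for row, ei in zip(A, e)]     # t = A*s + e
    return (A, t), s


def encrypt_bit(pk, bit: int):
    A, t = pk
    r = [small() for _ in range(N_DIM)]
    e1 = [small() for _ in range(N_DIM)]
    e2 = small()
    # u = A^T r + e1 ;  v = <t, r> + e2 + bit * (q/2)
    u = [(dot(col, r) + e1j) % Q for col, e1j in zip(zip(*A), e1)]
    v = (dot(t, r) + e2 + bit * (Q // 2)) % Q
    return u, v


def decrypt_bit(s, ct) -> int:
    u, v = ct
    w = (v - dot(u, s)) % Q      # = bit*(q/2) + (e.r + e2 - e1.s) mod q
    return 1 if Q // 4 <= w < 3 * Q // 4 else 0


def encaps(pk):
    """Choose random key bits, encrypt each; return (ciphertexts, derived key)."""
    bits = [secrets.randbelow(2) for _ in range(KEY_BITS)]
    cts = [encrypt_bit(pk, b) for b in bits]
    return cts, hashlib.sha256(bytes(bits)).digest()


def decaps(s, cts) -> bytes:
    bits = [decrypt_bit(s, ct) for ct in cts]
    return hashlib.sha256(bytes(bits)).digest()
```

The decryption identity is what makes this a key-agreement mechanism rather than an ordinary cipher: v - \langle u, s\rangle = \langle e, r\rangle + e_2 - \langle e_1, s\rangle + \text{bit}\cdot q/2, and because every error coefficient is tiny, the rounding step recovers the bit while an observer who only sees A, t, u and v faces an LWE instance. Kyber's ring structure shrinks the public key from an n \times n matrix to a few polyn omials, which is why its keys are about a kilobyte rather than the tens of kilobytes this toy would need.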

Forward Secrecy Enhancements

Forward secrecy enhancements in key-agreement protocols focus on techniques that protect past session keys from exposure even if long-term secrets are later compromised, extending beyond basic ephemeral exchanges to dynamic key evolution and additional security properties. Ephemeral keys form the foundation of these enhancements by generating fresh key material for each session, ensuring independence from persistent secrets. In Transport Layer Security (TLS) version 1.3, the Diffie-Hellman Ephemeral (DHE) mode, usually implemented with elliptic curves as ECDHE, performs an initial ephemeral key exchange to derive session keys and is mandatory for all cipher suites, guaranteeing perfect forward secrecy against retroactive decryption. This per-session generation prevents an attacker who obtains a server's long-term private key from decrypting prior traffic, a weakness inherent in non-ephemeral methods like key transport.

Ratcheting mechanisms build on ephemeral keys by iteratively updating shared secrets during extended communications, providing both forward secrecy and resilience to compromise. The Double Ratchet algorithm, developed for the Signal messaging protocol in 2016, achieves this through two intertwined processes: a symmetric-key ratchet that discards prior keys after deriving new ones for each message, ensuring forward secrecy, and a Diffie-Hellman ratchet that periodically refreshes the root secret via ephemeral exchanges for post-compromise security. A single-ratchet construction suffices for forward secrecy by advancing keys in one direction, but the double-ratchet variant, combining symmetric and asymmetric steps, enables recovery from leaks, limiting damage to a bounded number of messages until the next update.

Deniability complements these secrecy properties by allowing parties to plausibly deny participation in a key agreement, even to third parties with access to transcripts. The Extended Triple Diffie-Hellman (X3DH) protocol, used in Signal for initial key establishment, provides cryptographic deniability through unsigned ephemeral Diffie-Hellman exchanges and prekey bundles, where one party (e.g., an offline user) publishes public keys without direct interaction, avoiding signatures or proofs that could authenticate the agreement to others. This design ensures forward secrecy via multiple Diffie-Hellman contributions while hiding evidence of participation from eavesdroppers.

Post-quantum considerations adapt ratcheting to quantum threats by hybridizing classical ephemeral exchanges with lattice-based primitives. The Post-Quantum Extended Diffie-Hellman (PQXDH) protocol extends X3DH by incorporating the CRYSTALS-Kyber key encapsulation mechanism (KEM) alongside classical elliptic curve Diffie-Hellman, generating a shared secret resistant to quantum attacks while preserving forward secrecy in subsequent ratchets. Deployed in Signal since 2023, this hybrid approach combines Kyber's post-quantum security with classical efficiency, enabling secure key evolution in ratcheting without full replacement of legacy components. Building on PQXDH, Signal introduced SPQR (Signal Post-Quantum Ratchets) on October 2, 2025, which integrates post-quantum hybrid key exchanges into the Double Ratchet algorithm's steps, providing quantum-resistant forward secrecy and post-compromise security throughout extended sessions.

These enhancements introduce limitations, notably a tension between secrecy properties and key confirmation. Explicit confirmation of the shared key via authenticated messages can undermine deniability by providing verifiable proof of the agreement, so protocols like the Double Ratchet and X3DH omit it, relying instead on implicit verification through successful message decryption, which preserves unforgeability but risks undetected man-in-the-middle attacks if not carefully managed.
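The two ratchets described above, as an added example (not code from the article or from Signal's implementation): a symmetric chain that derives one message key per message and overwrites its chain key, and a Diffie-Hellman ratchet step that folds a fresh DH output into the root key. The toy group p = 2039, q = 1019, g = 2 stands in for X25519, the HMAC-based derivations stand in for HKDF, the initial root key is a constructed constant in place of an X3DH output, and the model is simplified to one shared chain per direction-less session instead of Signal's separate sending and receiving chains; the Party class and helper names are my own.

```python
import hashlib
import hmac
import secrets

# Added example (not from the article): a simplified ratchet in the style of
# the Double Ratchet. A symmetric chain derives one message key per message
# and overwrites the chain key (forward secrecy); a DH ratchet step folds a
# fresh Diffie-Hellman output into the root key (post-compromise security).
# Toy safe-prime group p = 2039, q = 1019, g = 2 stands in for X25519, and a
# single shared chain replaces Signal's separate sending/receiving chains.

P, Q, G = 2039, 1019, 2


def dh_keypair():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def kdf_ck(ck: bytes):
    """Symmetric ratchet: (next chain key, message key), one HMAC step each."""
    return (hmac.new(ck, b"\x02", hashlib.sha256).digest(),
            hmac.new(ck, b"\x01", hashlib.sha256).digest())


def kdf_rk(rk: bytes, dh_out: int):
    """DH ratchet: HMAC-based extract-then-expand of the root key with DH output."""
    prk = hmac.new(rk, dh_out.to_bytes(4, "big"), hashlib.sha256).digest()
    new_rk = hmac.new(prk, b"root\x01", hashlib.sha256).digest()
    new_ck = hmac.new(prk, b"chain\x01", hashlib.sha256).digest()
    return new_rk, new_ck


class Party:
    def __init__(self, root_key: bytes):
        self.rk = root_key
        self.priv, self.pub = dh_keypair()
        self.ck = None

    def dh_ratchet(self, remote_pub: int) -> None:
        """Advance the root key with DH(own ephemeral, peer ephemeral)."""
        self.rk, self.ck = kdf_rk(self.rk, pow(remote_pub, self.priv, P))

    def next_message_key(self) -> bytes:
        # The old chain key is overwritten, so earlier message keys cannot be
        # recomputed from the current state: forward secrecy per message.
        self.ck, mk = kdf_ck(self.ck)
        return mk

    def rotate(self) -> int:
        """Generate a fresh ephemeral pair and return the public half to send."""
        self.priv, self.pub = dh_keypair()
        return self.pub


def run_session(root_key: bytes, n_messages: int = 3):
    """Return ((alice first-chain keys, alice second-chain keys), same for bob)."""
    alice, bob = Party(root_key), Party(root_key)
    alice.dh_ratchet(bob.pub)
    bob.dh_ratchet(alice.pub)
    first_a = [alice.next_message_key() for _ in range(n_messages)]
    first_b = [bob.next_message_key() for _ in range(n_messages)]
    # Alice rotates her ephemeral; Bob learns the new public value and both
    # derive a fresh chain that a holder of the old state cannot reproduce
    # without Alice's new private key (post-compromise security).
    new_pub = alice.rotate()
    alice.dh_ratchet(bob.pub)
    bob.dh_ratchet(new_pub)
    second_a = [alice.next_message_key() for _ in range(n_messages)]
    second_b = [bob.next_message_key() for _ in range(n_messages)]
    return (first_a, second_a), (first_b, second_b)
```

The two properties map onto the two derivations: kdf_ck is one-way, so a captured chain key yields only future message keys of that chain, never earlier ones; kdf_rk mixes in a DH output that needs a private scalar created after the compromise, so an attacker who copied the state before the rotation is locked out again once it happens.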
