2025-10-16 Implementation of Diffie-Hellman

Implementation challenges of Diffie-Hellman Key Exchange

In practice, we don't use the raw shared secret as the key; we use a hash of the shared secret together with the identities of the parties involved (so that different pairs of parties cannot end up with the same key).
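Added here as a worked example (not part of the original notes): a toy Diffie-Hellman exchange whose session key is not g^xy itself but HKDF(g^xy, identities and public values of both parties). The group, the party identities and the `DH-demo-v1` label are assumptions constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Toy group, constructed for this example only: the Curve25519 field prime
# 2^255 - 19 with generator 2. Not a standardised DH group; a real deployment
# uses a named group (e.g. RFC 7919 ffdhe2048) or an elliptic-curve group.
P = 2**255 - 19
G = 2

def keypair():
    """Fresh ephemeral key pair: private exponent x and public value g^x mod p."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def raw_shared_secret(priv, peer_pub):
    """g^xy mod p as 32 fixed-width bytes; reject degenerate public values 0, 1, p-1."""
    if not 1 < peer_pub < P - 1:
        raise ValueError("invalid peer public value")
    return pow(peer_pub, priv, P).to_bytes(32, "big")

def hkdf_sha256(ikm, salt, info, length=32):
    """HKDF (RFC 5869) extract-then-expand with SHA-256, standard library only."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def _lp(field):
    """Length-prefix a field so concatenated identities cannot be confused."""
    return len(field).to_bytes(2, "big") + field

def session_key(shared, initiator_id, responder_id, initiator_pub, responder_pub):
    """Session key = KDF(g^xy, both identities, both public values): neither side
    uses g^xy directly, and two different party pairs never derive the same key."""
    info = (b"DH-demo-v1" + _lp(initiator_id) + _lp(responder_id)
            + _lp(initiator_pub.to_bytes(32, "big")) + _lp(responder_pub.to_bytes(32, "big")))
    return hkdf_sha256(shared, salt=b"\x00" * 32, info=info)

def run_exchange(initiator_id=b"alice", responder_id=b"bob"):
    """One full exchange; returns (initiator's key, responder's key), which must match."""
    a, A = keypair()  # initiator's ephemeral key pair
    b, B = keypair()  # responder's ephemeral key pair
    k_init = session_key(raw_shared_secret(a, B), initiator_id, responder_id, A, B)
    k_resp = session_key(raw_shared_secret(b, A), initiator_id, responder_id, A, B)
    return k_init, k_resp
```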

Authenticated Key Exchange (AKE)

As in TLS, this is an interactive protocol between two parties; there is always an initiator and a responder. Public-key authentication only proves we are talking to someone who holds a specific public key, not anything about who that public key belongs to. For that, we need entity authentication (e.g. a PKI such as certificates).

Requirements of Key Exchange

  • Key agreement
  • Key confidentiality (indistinguishable from random)
  • Neighbours' keys being compromised does not compromise my keys
  • Deniability - authenticate but prevent people from proving you were involved

Forward secrecy

If the server is compromised in the future, it shouldn't expose past communications.

Post-Compromise Security

If the server is compromised, it exposes past and present communications, but some action can be taken to repair future security.