[slides](https://drive.google.com/file/d/16FRUTmP-1G98LiX6KMX5tLp4Luqyku_D/view?usp=sharing) ### Working notes Tema: [[Authenticated Key Exchange]] - Part 1: Passively secure key exchange (15 min) - Introducing key exchange - Example: Diffie–Hellman - Introducing provable security and reductions - Passive security aka session key indistinguishability (SKIND): given transcript of KE, can A distinguish real vs random shared secret? - Reduces to DDH (easy to see, do handwavey proof sketch). - Show man-in-the-middle attack -> need to upgrade our notion of security to *active* security - Historical curiosity: Kerberos? - Part 2: Actively secure key exchange (20 min) - define active security - mention: tight security, multi-user generalisation? - mention main challenge: "the commitment problem"? (essentially have to guess which session the adversary will *test* rather than corrupt) - additional security goal: forward secrecy - forward secrecy = "the guarantee that compromising a long-term secret will not enable an attacker to obtain session keys that are used" - mention: more efficient protocols through *implicit* authentication? - basic idea: the output now includes two tags: (K, t1, t2). If Bob sends Alice t1 at the end of the protocol, then Alice can know that it must have been Bob—and vice versa. - Part 3: Real-world constructions (10 min) - Signed Diffie–Hellman (fra Magnus thesis) - PQ: Signed CSIDH ... and no others! - KEM to the rescue: - Sig/KEM construction as a generalization of signed DH (Gjøsteen, Ex. 10.6, thm. 10.19) - Can be instantiated with Can be instantiated with e.g. (Hashed) ElGamal, RSA-KEM, Kyber - thus get AKE based on DL, factoring, and lattices., RSA-KEM, Kyber - KEM: RSA-KEM - PQ-KEM: Kyber - Finally: KEM/KEM construction - Interestingly, for PQ, the KEM/KEM construction is more efficient (in comm. size) than the more standard Sig/KEM construction. - Bonus: KEM-based constructions automatically provide perfect forward secrecy? (Where did I read this?) Status: Godkjent. Errata: - Fullførte på 37 minutter, som er 8 minutter kortere enn forespeilet, selv om jeg snakket så sakte jeg kunne. - Det er **Kyber** som er selektert PQ KEM, *ikke* **Falcon**. - *vk* er public; skulle stått *sk*. - I spørsmål om hvordan dette passer inn i TLS ("I don't remember sharing any keys!" - Martijn, pretending to be a bachelor's student), så skulle svaret vært at TLS handshake er one-side authenticated, nemlig at serveren autentiserer seg til deg. Hvis du skal autentisere deg til serveren, så krever det helt andre systemer (nemlig de som inngår i innlogging). Kristian sin bok, further errata: - siste setning av Def. 10.2: "instancs" - p.340: "Optimistic secure seems worthwhile in some anonymity use cases"