[slides](https://drive.google.com/file/d/16FRUTmP-1G98LiX6KMX5tLp4Luqyku_D/view?usp=sharing)
### Working notes
Tema: [[Authenticated Key Exchange]]
- Part 1: Passively secure key exchange (15 min)
- Introducing key exchange
- Example: Diffie–Hellman
- Introducing provable security and reductions
- Passive security aka session key indistinguishability (SKIND): given transcript of KE, can A distinguish real vs random shared secret?
- Reduces to DDH (easy to see, do handwavey proof sketch).
- Show man-in-the-middle attack -> need to upgrade our notion of security to *active* security
- Historical curiosity: Kerberos?
- Part 2: Actively secure key exchange (20 min)
- define active security
- mention: tight security, multi-user generalisation?
- mention main challenge: "the commitment problem"? (essentially have to guess which session the adversary will *test* rather than corrupt)
- additional security goal: forward secrecy
- forward secrecy = "the guarantee that compromising a long-term secret will not enable an attacker to obtain session keys that are used"
- mention: more efficient protocols through *implicit* authentication?
- basic idea: the output now includes two tags: (K, t1, t2). If Bob sends Alice t1 at the end of the protocol, then Alice can know that it must have been Bob—and vice versa.
- Part 3: Real-world constructions (10 min)
- Signed Diffie–Hellman (fra Magnus thesis)
- PQ: Signed CSIDH ... and no others!
- KEM to the rescue:
- Sig/KEM construction as a generalization of signed DH (Gjøsteen, Ex. 10.6, thm. 10.19)
- Can be instantiated with Can be instantiated with e.g. (Hashed) ElGamal, RSA-KEM, Kyber
- thus get AKE based on DL, factoring, and lattices., RSA-KEM, Kyber
- KEM: RSA-KEM
- PQ-KEM: Kyber
- Finally: KEM/KEM construction
- Interestingly, for PQ, the KEM/KEM construction is more efficient (in comm. size) than the more standard Sig/KEM construction.
- Bonus: KEM-based constructions automatically provide perfect forward secrecy? (Where did I read this?)
Status: Godkjent. Errata:
- Fullførte på 37 minutter, som er 8 minutter kortere enn forespeilet, selv om jeg snakket så sakte jeg kunne.
- Det er **Kyber** som er selektert PQ KEM, *ikke* **Falcon**.
- *vk* er public; skulle stått *sk*.
- I spørsmål om hvordan dette passer inn i TLS ("I don't remember sharing any keys!" - Martijn, pretending to be a bachelor's student), så skulle svaret vært at TLS handshake er one-side authenticated, nemlig at serveren autentiserer seg til deg. Hvis du skal autentisere deg til serveren, så krever det helt andre systemer (nemlig de som inngår i innlogging).
Kristian sin bok, further errata:
- siste setning av Def. 10.2: "instancs"
- p.340: "Optimistic secure seems worthwhile in some anonymity use cases"