Key Agreement

A modern, efficient variant of Diffie-Hellman that uses elliptic curve cryptography (ECC). It provides the same security level as traditional DH but with much smaller key sizes.

• Efficiency: A 256-bit ECDH key offers security comparable to a 3072-bit RSA key.
• Blockchain Use: Widely used in wallet-to-wallet communication, secure messaging protocols (like the Signal Protocol), and establishing encrypted peer-to-peer connections in nodes.

A property of key agreement protocols where the compromise of a long-term private key does not compromise past session keys. Each session uses a unique, ephemeral key pair.

• Ephemeral Keys: Protocols like ECDHE (Elliptic Curve Diffie-Hellman Ephemeral) generate temporary keys for each session, which are discarded afterward.
• Importance: Ensures that even if a server's or node's master key is breached, previously recorded encrypted communications cannot be decrypted.

Protocols that not only establish a shared secret but also authenticate the identities of the participating parties, preventing man-in-the-middle (MITM) attacks.

• Methods: Authentication can be achieved through pre-shared secrets, digital signatures, or public key certificates.
• Examples: MQTT-SN, Signal Protocol, and TLS with client certificates use AKA to ensure parties are who they claim to be before deriving a session key.

A cryptographic function used after key agreement to derive one or more strong secret keys from the initial shared secret. The raw output of a DH exchange is not directly suitable as a key.

• Purpose: Expands the key material, adds entropy, and ensures the derived keys are cryptographically strong and format-compatible.
• Common KDFs: HKDF (HMAC-based KDF) and PBKDF2 are standard functions used to create encryption keys, MAC keys, and IVs from the master secret.

An evolution of the classic Diffie-Hellman protocol that uses elliptic curve cryptography (ECC) to achieve equivalent security with much smaller key sizes.

• Efficiency: Provides the same security strength as traditional DH but with keys 1/10th the size (e.g., a 256-bit ECC key ≈ 3072-bit RSA key).
• Blockchain Critical: The standard for key agreement in wallet-to-wallet interactions and secure session establishment in many blockchain protocols.
• Example: Used in Ethereum, Bitcoin (for BIP32 hierarchical deterministic wallets), and the Noise Protocol Framework.

Password-Authenticated Key Exchange (PAKE) protocols allow two parties to establish a secure key using only a shared, low-entropy password, without exposing it to offline attacks.

• SPAKE2: A simple, efficient PAKE used in modern standards like TLS 1.3 (as the pwd mode) and Apple's iCloud Keychain syncing.
• Security Goal: Resists offline dictionary attacks; an attacker intercepting the protocol exchange cannot efficiently guess the password.
• Use Case: Ideal for secure device pairing (e.g., Bluetooth, WiFi) and web authentication where a password is the only pre-shared secret.

A new class of key agreement protocols designed to be secure against attacks from both classical and quantum computers, which threaten current DH and ECDH schemes.

• NIST Standards: Algorithms like Kyber (a lattice-based Key Encapsulation Mechanism or KEM) have been selected for standardization.
• Mechanism: Instead of directly establishing a shared secret, one party encapsulates a secret in a ciphertext for the other to decapsulate.
• Blockchain Imperative: Critical for the long-term security of blockchain keys and signatures; integration into protocols is an active area of R&D.

In ZK-Rollups like zkSync and StarkNet, key agreement is essential for generating zero-knowledge proofs. Provers and verifiers must agree on cryptographic keys to securely and efficiently generate proofs of valid state transitions, enabling scalable, private transactions.

• Mechanism: Protocols like Elliptic Curve Diffie-Hellman (ECDH) are used to establish shared secrets for secure communication channels between rollup sequencers and provers.

Privacy-preserving blockchains like Aztec and Zcash use key agreement to enable private transactions. Users generate shared secrets to create stealth addresses and encrypt transaction notes, ensuring only the intended recipient can decrypt and spend the funds.

• Core Protocol: Elliptic Curve Diffie-Hellman (ECDH) is used to derive a shared secret between sender and receiver, which then encrypts transaction data on the ledger.

In DAO voting and governance systems, key agreement protocols enable private voting mechanisms like zk-SNARKs-based voting. Members can prove they are eligible voters and have cast a specific vote without revealing their identity or choice, using cryptographic keys agreed upon during setup.

• Use Case: MACI (Minimal Anti-Collusion Infrastructure) uses key agreement and zero-knowledge proofs to ensure voter privacy and coercion-resistance in decentralized governance.

The primary threat to key agreement is a Man-in-the-Middle (MitM) attack, where an adversary intercepts and relays messages between two parties, establishing separate keys with each. Prevention relies on authentication mechanisms, such as:

• Digital signatures from trusted certificates (e.g., in TLS).
• Pre-shared secrets or out-of-band verification (e.g., comparing public key fingerprints). Without authentication, protocols like Diffie-Hellman (DH) are vulnerable to this attack.

The security of a key agreement scheme depends on the underlying cryptographic primitives. Key considerations include:

• Key size and algorithm choice: Using weak elliptic curves (e.g., secp112r1) or small prime moduli in DH can allow brute-force attacks.
• Forward Secrecy (FS): A property where session keys are not compromised even if a party's long-term private key is later exposed. Protocols like Ephemeral Diffie-Hellman (DHE or ECDHE) provide FS by generating temporary key pairs for each session.

Even a theoretically sound protocol can be broken by faulty implementation. Common pitfalls are:

• Poor randomness: Using predictable or insufficiently random numbers for nonces or ephemeral keys can lead to key compromise.
• Side-channel attacks: Timing analysis, power consumption monitoring, or electromagnetic leaks can reveal secret key material during computation.
• Protocol downgrade attacks: Adversaries may force parties to use a weaker, legacy version of the protocol.

Failing to properly validate received public parameters can lead to severe attacks. Essential checks include:

• Subgroup validation: In Diffie-Hellman, ensuring a public key belongs to the correct prime-order subgroup to prevent small subgroup attacks.
• Point validation: For Elliptic Curve Cryptography, verifying that a received point is a valid point on the curve.
• Identity binding: Ensuring the derived shared secret is explicitly bound to the identities of both communicating parties to prevent unknown key-share attacks.

Operational security is as critical as cryptographic strength. Key risks include:

• Key storage and lifecycle management: Secure storage of long-term private keys (in HSMs), secure key generation, and established procedures for key rotation and revocation.
• Protocol agility: The ability to update cryptographic algorithms in response to newly discovered vulnerabilities without overhauling entire systems.
• Denial-of-Service (DoS): Some key agreement protocols involve computationally expensive operations (e.g., pairing computations in identity-based cryptography) that can be exploited for DoS.

A modern approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. It enables more efficient key agreement protocols like ECDH (Elliptic Curve Diffie-Hellman).

• Advantages: Provides equivalent security to traditional methods like RSA but with significantly smaller key sizes (e.g., 256-bit ECC ≈ 3072-bit RSA). This leads to faster computations and reduced bandwidth.
• Use Case: The basis for keys in Bitcoin (secp256k1 curve) and Ethereum, making blockchain transactions and wallet security feasible.

A modern cryptographic primitive that formalizes the process of securely establishing a shared secret. A KEM is a key component of post-quantum cryptography algorithms.

• Process: One party generates a ciphertext (the encapsulation) containing an encrypted symmetric key. The other party decapsulates it to recover the key.
• Difference from DH: Unlike Diffie-Hellman, KEMs often involve a single flow of communication from the encapsulator to the decapsulator, simplifying certain protocol designs.

A property of key agreement protocols where the compromise of long-term secret keys does not compromise past session keys.

• Mechanism: Achieved by using ephemeral (temporary) key pairs for each session, as in Ephemeral Diffie-Hellman (DHE) or ECDHE. The shared secret is derived from these short-lived keys.
• Critical Importance: Protects past communications even if a server's or user's main private key is leaked later. A standard security requirement for modern TLS connections.

A critical security threat that key agreement protocols must defend against. In a MITM attack, an adversary secretly intercepts and relays messages between two parties who believe they are communicating directly.

• Vulnerability: Basic Diffie-Hellman is susceptible without authentication. The attacker can establish separate keys with each victim.
• Defense: Requires combining key exchange with an authentication mechanism, such as digital signatures (as in TLS) or pre-shared keys, to verify the identity of the communicating parties.