Cryptography safeguards our daily digital communications. According to the Kerckhoff principle, the descriptions of our cryptographic algorithms are publicly known, and their security is solely based on the secrecy of keys. Key exchange protocols are one of the most critical tools to ensure secure distribution of cryptographic keys. It allows two honest parties to agree on the same key by exchanging messages over a public, insecure network. With this key, the two parties can establish a secure communication channel. Hence, key exchange protocols are crucial for the security of countless real-world protocols and applications, including the Transport Layer Security protocol, secure messaging, and cloud storage. Nearly half a century after the invention of the Diffie–Hellman protocol, a significant gap remains between the theoretical and practical aspects of key exchange protocols. Some are formally analyzed only in small-scale, idealized settings, leaving their security without robust support. Some aim to achieve robust security, which, however, can be at the cost of efficiency. Moreover, existing work presents an incomplete view of robustness. For instance, memory consumption of a security reduction is often neglected. Recent cryptanalysis has shown that a reduction with higher memory consumption will lead to less meaningful security guarantees, if the underlying problem is memory-sensitive (e.g., the Learning-With-Errors problem). Our proposal is to construct new foundations for key exchange protocols with robust security. We have three concrete objectives: Firstly, we will narrow the gap between robustness and efficiency by improving the efficiency of existing tightly secure key exchange protocols. Here tight security means that a protocol has the same level of security regardless of how large an application scale is. Secondly, we will complete our understanding of robust key exchange by proposing memory-efficient security proofs. We will not only analyze memory consumption of existing proofs, but also design new protocols with memory-efficient proofs. Finally, we will strengthen the robustness of key exchange protocols by constructing protocols that are secure even when the (central) public-key infrastructures are not fully trustworthy.

DFG Programme Research Grants