Editing Key-agreement protocol (section)

{{Short description|Protocol for agreeing on a cryptographic key}}
{{More citations needed|date=March 2024}}
In cryptography, a '''key-agreement protocol''' is a protocol whereby two (or more) parties generate a cryptographic [[Key (cryptography)|key]] as a function of information provided by each honest party so that no party can predetermine the resulting value.<ref>{{cite book|last1=Menezes|first1=A.|last2=Oorschot|first2=P. van|last3=Vanstone|first3=S.|title=Handbook of Applied Cryptography|year=1997|publisher=CRC Press|isbn=0-8493-8523-7|edition=5th|url-access=registration|url=https://archive.org/details/handbookofapplie0000mene}}</ref>
In particular, all honest participants influence the outcome. A key-agreement protocol is a specialisation of a key-exchange protocol.<ref name="Canetti2001">{{cite journal |last1=Canetti |first1=Ran |last2=Krawczyk |first2=Hugo |title=Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels |journal=Proceedings of the International Conference on the Theory and Application of Cryptographic Techniques: Advances in Cryptology |date=6 May 2001 |pages=453–474 |url=https://dl.acm.org/doi/abs/10.5555/647086.715688 |publisher=Springer-Verlag|isbn=978-3-540-42070-5 }}</ref>

At the completion of the protocol, all parties share the same key. A key-agreement protocol precludes undesired third parties from forcing a key choice on the agreeing parties. A secure key agreement can ensure [[confidentiality]] and [[data integrity]]<ref>{{cite book |last1=Bellare |first1=Mihir |last2=Canetti |first2=Ran |last3=Krawczyk |first3=Hugo |chapter=A modular approach to the design and analysis of authentication and key exchange protocols (Extended abstract) |title=Proceedings of the thirtieth annual ACM symposium on Theory of computing - STOC '98 |date=23 May 1998 |pages=419–428 |doi=10.1145/276698.276854 |chapter-url=https://doi.org/10.1145/276698.276854 |publisher=Association for Computing Machinery|isbn=0-89791-962-9 }}</ref> in communications systems, ranging from simple messaging applications to complex banking transactions.

Secure agreement is defined relative to a security model, for example the Universal Model.<ref name="Canetti2001"/> More generally, when evaluating protocols, it is important to state security goals and the security model.<ref>{{cite book |last1=Gollmann |first1=D. |chapter=What do we mean by entity authentication? |title=Proceedings 1996 IEEE Symposium on Security and Privacy |date=6 May 1996 |pages=46–54 |chapter-url=https://dl.acm.org/doi/10.5555/525080.884256 |publisher=IEEE Computer Society|doi=10.1109/SECPRI.1996.502668 |isbn=978-0-8186-7417-4 }}</ref> For example, it may be required for the session key to be [[Authenticated Key Exchange|authenticated]]. A protocol can be evaluated for success only in the context of its goals and attack model.<ref>{{cite book |last1=Katz |first1=Jonathan |last2=Lindell |first2=Yehuda |title=Introduction to modern cryptography |date=2021 |publisher=CRC Press Taylor & Francis Group |location=Boca Raton London New York |isbn=978-0815354369 |page=49 |edition=Third}}</ref> An example of an adversarial model is the [[Dolev–Yao model]]. 

In many key exchange systems, one party generates the key, and sends that key to the other party;<ref name=":0" /> the other party has no influence on the key.