Diffie–Hellman key exchange
== Ephemeral and/or static keys ==
The keys used can be either ephemeral or static (long-term), or a mix of the two, so-called semi-static DH. These variants have different properties and hence different use cases. An overview of many variants, along with some discussion, can be found for example in NIST SP 800-56A.<ref>{{cite report |url=https://csrc.nist.gov/Pubs/sp/800/56/a/r3/Final |title=Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography |last1=Barker |first1=Elaine |last2=Chen |first2=Lily |date=2018-04-16 |publisher=National Institute of Standards and Technology |issue=NIST Special Publication (SP) 800-56A Rev. 3 |language=en |last3=Roginsky |first3=Allen |last4=Vassilev |first4=Apostol |last5=Davis |first5=Richard}}</ref> A basic list:
# ephemeral, ephemeral: Usually used for key agreement. Provides [[forward secrecy]], but no [[Authentication|authenticity]].
# static, static: Would generate a long-term shared secret. Does not provide forward secrecy, but implicit authenticity. Since the keys are static, it would for example not protect against [[Replay attack|replay attacks]].
# ephemeral, static: For example, used in [[ElGamal encryption]] or [[Integrated Encryption Scheme|Integrated Encryption Scheme (IES)]]. If used in key agreement, it could provide implicit one-sided authenticity (the ephemeral side could verify the authenticity of the static side). No forward secrecy is provided.

It is possible to use ephemeral and static keys in one key agreement to provide more security, as shown for example in NIST SP 800-56A, but it is also possible to combine them in a single DH key exchange, which is then called triple DH (3-DH).

=== Triple Diffie–Hellman (3-DH) ===
In 1997 a kind of triple DH was proposed by Simon Blake-Wilson, Don Johnson, and Alfred Menezes,<ref>{{citation|last1=Blake-Wilson|first1=Simon|chapter=Key Agreement Protocols and their Security Analysis|year=1997|last2=Johnson|first2=Don|last3=Menezes|first3=Alfred|title=Crytography and Coding |series=Lecture Notes in Computer Science |volume=1355 |pages=30–45 |citeseerx=10.1.1.25.387|doi=10.1007/BFb0024447|isbn=978-3-540-63927-5 }}</ref> which was improved by C. Kudla and K. G. Paterson in 2005<ref>{{cite book|last1=Kudla|first1=Caroline|last2=Paterson|first2=Kenneth G.|title=Advances in Cryptology - ASIACRYPT 2005 |chapter=Modular Security Proofs for Key Agreement Protocols |year=2005|editor-last=Roy|editor-first=Bimal|series=Lecture Notes in Computer Science|volume=3788 |language=en|location=Berlin, Heidelberg|publisher=Springer|pages=549–565|doi=10.1007/11593447_30|isbn=978-3-540-32267-2 |doi-access=free|url=https://iacr.org/archive/asiacrypt2005/546/546.pdf}}</ref> and shown to be secure.

The long-term secret keys of Alice and Bob are denoted by ''a'' and ''b'' respectively, with public keys ''A'' and ''B'', as well as the ephemeral key pairs (''x'', ''X'') and (''y'', ''Y''). The protocol is then:

{| class="wikitable"
|+ Triple Diffie–Hellman (3-DH) protocol
! Alice (<math>A = g^a</math>)
!
! Bob (<math>B = g^b</math>)
|-
| <math>X = g^x</math>
| <math>X \rightarrow {}</math>
|
|-
|
| <math>{} \leftarrow Y</math>
| <math>Y = g^y</math>
|-
| <math>K = \operatorname{KDF}\left( Y^x,\, B^x,\, Y^a,\, X,\, Y,\, A,\, B \right)</math>
|
| <math>K = \operatorname{KDF}\left( X^y,\, X^b,\, A^y,\, X,\, Y,\, A,\, B \right)</math>
|}

The long-term public keys need to be transferred somehow. That can be done beforehand in a separate, trusted channel, or the public keys can be encrypted using some partial key agreement to preserve anonymity.

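The key derivation in the 3-DH table can be checked numerically. The following Python sketch is an added example, not part of the cited papers or of any library; the toy group (''p'' = 2<sup>255</sup> − 19, ''g'' = 2), the SHA-256 stand-in for KDF, and all function names are assumptions made for illustration. It shows that both sides derive the same ''K'', and that a responder who lacks Bob's long-term secret ''b'' ends up with a different key.

```python
import hashlib
import secrets

# Toy group for illustration only (assumption, not from the article):
# p = 2**255 - 19 is prime, g = 2. Real deployments use a standardized
# MODP group or an elliptic curve.
P = 2**255 - 19
G = 2

def keypair():
    """Return (private, public) with public = g^private mod p."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def kdf(*values):
    """Stand-in KDF: SHA-256 over fixed-width encodings of all inputs."""
    h = hashlib.sha256()
    for v in values:
        h.update(v.to_bytes(32, "big"))
    return h.digest()

def alice_key(a, x, A, X, B, Y):
    # K = KDF(Y^x, B^x, Y^a, X, Y, A, B)
    return kdf(pow(Y, x, P), pow(B, x, P), pow(Y, a, P), X, Y, A, B)

def bob_key(b, y, A, X, B, Y):
    # K = KDF(X^y, X^b, A^y, X, Y, A, B)
    return kdf(pow(X, y, P), pow(X, b, P), pow(A, y, P), X, Y, A, B)

def demo():
    a, A = keypair()   # Alice, long-term
    b, B = keypair()   # Bob, long-term
    x, X = keypair()   # Alice, ephemeral
    y, Y = keypair()   # Bob, ephemeral
    k_alice = alice_key(a, x, A, X, B, Y)
    k_bob = bob_key(b, y, A, X, B, Y)

    # A responder that sends its own ephemeral Y2 but lacks Bob's
    # long-term b cannot compute X^b (= B^x on Alice's side). Whatever
    # it substitutes, here X^y2, gives a key Alice does not share.
    y2, Y2 = keypair()
    k_alice_view = alice_key(a, x, A, X, B, Y2)
    k_other = kdf(pow(X, y2, P), pow(X, y2, P), pow(A, y2, P), X, Y2, A, B)
    return k_alice == k_bob, k_alice_view == k_other

if __name__ == "__main__":
    print(demo())
```
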
For more of such details, as well as other improvements like [[Side-channel attack|side channel protection]] or explicit [[Key (cryptography)|key confirmation]], early messages, and additional password authentication, see e.g. the US patent "Advanced modular handshake for key agreement and optional authentication".<ref>{{cite patent|number=US11025421B2|title=Advanced modular handshake for key agreement and optional authentication|gdate=2021-06-01|invent1=Fay|inventor1-first=Bjorn|url=https://patents.google.com/patent/US11025421B2/en?oq=11025421}}</ref>

=== Extended Triple Diffie–Hellman (X3DH) ===
X3DH was initially proposed as part of the [[Double Ratchet Algorithm]] used in the [[Signal Protocol]]. The protocol offers forward secrecy and cryptographic deniability. It operates on an elliptic curve.<ref name=x3dh>{{cite web |title=Specifications >> The X3DH Key Agreement Protocol |url=https://www.signal.org/docs/specifications/x3dh/ |website=Signal Messenger |language=en}}</ref>

The protocol uses five public keys. Alice has an identity key IK<sub>A</sub> and an ephemeral key EK<sub>A</sub>. Bob has an identity key IK<sub>B</sub>, a signed prekey SPK<sub>B</sub>, and a one-time prekey OPK<sub>B</sub>.<ref name=x3dh/> Bob first publishes his three keys to a server; Alice downloads them and verifies the signature. Alice then initiates the exchange with Bob.<ref name=x3dh/> The OPK is optional.<ref name=x3dh/>