Key Exchange

In TLS, the first step towards obtaining TLS session keys is to compute a shared secret between the client and the server by running the ECDH protocol. The resulting shared secret in TLS terms is called the pre-master secret PMS.

With TLSNotary, at the end of the key exchange, the Server gets the PMS as usual. The Prover and the Verifier, jointly operating as the TLS client, compute additive shares of the PMS. This prevents either party from unilaterally sending or receiving messages with the Server. Subsequently, the authenticity and integrity of the messages are guaranteed to both the Prover and Verifier, while also keeping the plaintext hidden from the Verifier.

The 3-party ECDH protocol between the Server the Prover and the Verifier works as follows:

Server sends its public key $Q_{b}$ to Prover, and Prover forwards it to Verifier
Prover picks a random private key share $d_{c}$ and computes a public key share $Q_{c} = d_{c} * G$
Verifier picks a random private key share $d_{n}$ and computes a public key share $Q_{n} = d_{n} * G$
Verifier sends $Q_{n}$ to Prover who computes $Q_{a} = Q_{c} + Q_{n}$ and sends $Q_{a}$ to Server
Prover computes an EC point $(x_{p}, y_{p}) = d_{c} * Q_{b}$
Verifier computes an EC point $(x_{q}, y_{q}) = d_{n} * Q_{b}$
Addition of points $(x_{p}, y_{p})$ and $(x_{q}, y_{q})$ results in the coordinate $x_{r}$ , which is PMS. (The coordinate $y_{r}$ is not used in TLS)

Using the notation from here, our goal is to compute $x_{r} = (\frac{y _{q} - y _{p}}{x _{q} - x _{p}})^{2} - x_{p} - x_{q}$ in such a way that

Neither party learns the other party's $x$ value
Neither party learns $x_{r}$ , only their respective shares of $x_{r}$ .

We will use two maliciously secure protocols described on p.25 in the paper Eﬃcient Secure Two-Party Exponentiation:

A2M protocol, which converts additive shares into multiplicative shares, i.e. given shares a and b such that a + b = c, it converts them into shares d and e such that d * e = c
M2A protocol, which converts multiplicative shares into additive shares

We apply A2M to $y_{q} + (- y_{p})$ to get $A_{q} * A_{p}$ and also we apply A2M to $x_{q} + (- x_{p})$ to get $B_{q} * B_{p}$ . Then the above can be rewritten as:

$x_{r} = (\frac{A _{q}}{B _{q}})^{2} * (\frac{A _{p}}{B _{p}})^{2} - x_{p} - x_{q}$

Then the first party locally computes the first factor and gets $C_{q}$ , the second party locally computes the second factor and gets $C_{p}$ . Then we can again rewrite as:

$x_{r} = C_{q} * C_{p} - x_{p} - x_{q}$

Now we apply M2A to $C_{q} * C_{p}$ to get $D_{q} + D_{p}$ , which leads us to two final terms each of which is the share of $x_{r}$ of the respective party:

$x_{r} = (D_{q} - x_{q}) + (D_{p} - x_{p})$

tlsn-docs

Key Exchange