Key Exchange

In TLS, the first step towards obtaining TLS session keys is to compute a shared secret between the client and the server by running the ECDH protocol. In TLS terms, the resulting shared secret is called the pre-master secret (PMS).

Using the notation from Wikipedia, below is the 3-party ECDH protocol between the Server, the Requester and the Notary, which enables the Requester and the Notary to arrive at shares of PMS.

  1. Server sends its public key to Requester, and Requester forwards it to Notary
  2. Requester picks a random private key share and computes a public key share
  3. Notary picks a random private key share and computes a public key share
  4. Notary sends to Requester who computes and sends to Server
  5. Requester computes an EC point
  6. Notary computes an EC point
  7. Addition of points and results in the coordinate , which is PMS. (The coordinate is not used in TLS)
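The seven steps above can be checked numerically. The following is an added example, not code from the original page or from the project it describes. It assumes the NIST P-256 curve, and all function and variable names (`three_party_ecdh`, `d_s`, `d_r`, `d_n` and so on) are hypothetical. Step 7 is carried out in the clear only to confirm that the sum of the two EC points matches what the Server derives.

```python
import secrets

# NIST P-256 domain parameters (curve choice is an assumption of this example)
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
A = -3
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def add(p, q):
    """Affine point addition; None is the point at infinity."""
    if p is None or q is None:
        return q if p is None else p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                      # p == -q
    if p == q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, p):
    """Double-and-add scalar multiplication (not constant time)."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, p)
        p, k = add(p, p), k >> 1
    return acc

def random_key():
    return secrets.randbelow(N - 1) + 1   # uniform in [1, N-1]

def three_party_ecdh(d_s, d_r, d_n):
    """Steps 1-7 for Server, Requester and Notary private keys d_s, d_r, d_n."""
    q_s = mul(d_s, G)                 # 1. Server public key, known to both parties
    q_r = mul(d_r, G)                 # 2. Requester public key share
    q_n = mul(d_n, G)                 # 3. Notary public key share
    q_client = add(q_r, q_n)          # 4. Requester sums the shares for Server
    share_r = mul(d_r, q_s)           # 5. Requester's EC point
    share_n = mul(d_n, q_s)           # 6. Notary's EC point
    # 7. Added in the clear here only to check the arithmetic; in the protocol
    #    this sum is evaluated on shares so neither party sees PMS.
    pms = add(share_r, share_n)[0]
    pms_server = mul(d_s, q_client)[0]  # Server's ordinary ECDH result
    return pms, pms_server, share_r, share_n
```

The Server sees only the combined public key, so from its side the handshake is an ordinary two-party ECDH.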

Using the notation from here, our goal is to compute in such a way that

  1. Neither party learns the other party's value
  2. Neither party learns , only their respective shares of .

We will use two maliciously secure protocols described on p.25 in the paper Efficient Secure Two-Party Exponentiation:

  • A2M protocol, which converts additive shares into multiplicative shares, i.e. given shares a and b such that a + b = c, it converts them into shares d and e such that d * e = c
  • M2A protocol, which converts multiplicative shares into additive shares

We apply A2M to to get and also we apply A2M to to get . Then the above can be rewritten as:

Then the first party locally computes the first factor and gets , the second party locally computes the second factor and gets . Then we can again rewrite as:

Now we apply M2A to to get , which leads us to two final terms each of which is the share of of the respective party: