# DHKE
:::{note} The Diffeâ€“Hellman key-exchange protocol
:label: dhke
- Common input: The security parameter $1^n$
1. Alice runs $\mathcal{G}\left(1^n\right)$ to obtain ( $\mathbb{G}, q, g$ ).
2. Alice chooses a uniform $x \in \mathbb{Z}_q$, and computes $h_A:=g^x$.
3. Alice sends ( $\mathbb{G}, q, g, h_A$ ) to Bob.
4. Bob receives ( $\mathbb{G}, q, g, h_A$ ). He chooses a uniform $y \in \mathbb{Z}_q$, and computes $h_B:=g^y$. Bob sends $h_B$ to Alice and outputs the key $k_B:=h_A^y$.
5. Alice receives $h_B$ and outputs the key $k_A:=h_B^x$.
:::

:::{attention}
If [the decisional Diffie-Hellman problem](#ddh) is hard relative to $\mathcal{G}$, then [the Diffie-Hellman key-exchange protocol $\Pi$](#dhke) is [secure in the presence of an eavesdropper](#ke-eav) (with respect to [the modified experiment $\widehat{\mathrm{KE}}_{\mathcal{A}, \Pi}^{\mathrm{eav}}$](#ke-exp) ).
:::

:::{danger} PROOF 
:class: dropdown

Let $\mathcal{A}$ be a PPT adversary. Since $\operatorname{Pr}[b=0]=\operatorname{Pr}[b=1]=1 / 2$, we have

$$
\begin{aligned}
\operatorname{Pr} & {\left[\widehat{\mathrm{KE}}_{\mathcal{A}, \Pi}^{\text {eav }}(n)=1\right] } \\
& =\frac{1}{2} \cdot \operatorname{Pr}\left[\widehat{\mathrm{KE}}_{\mathcal{A}, \Pi}^{\text {eav }}(n)=1 \mid b=0\right]+\frac{1}{2} \cdot \operatorname{Pr}\left[\widehat{\mathrm{KE}}_{\mathcal{A}, \Pi}^{\text {eav }}(n)=1 \mid b=1\right]
\end{aligned}
$$

In experiment $\widehat{\mathrm{KE}}_{\mathcal{A}, \Pi}^{\text {eav }}(n)$ the adversary $\mathcal{A}$ receives $\left(\mathbb{G}, q, g, h_A, h_B, \hat{k}\right)$, where $\left(\mathbb{G}, q, g, h_A, h_B\right)$ represents the transcript of the protocol execution, and $\hat{k}$ is either the actual key computed by the parties (if $b=0$ ) or a uniform group element (if $b=1$ ). Distinguishing between these two cases is exactly equivalent to solving the decisional Diffie-Hellman problem. That is

$$
\begin{aligned}
& \operatorname{Pr}\left[\widehat{\mathrm{KE}}_{\mathcal{A}, \Pi}^{\text {eav }}(n)=1\right] \\
& =\frac{1}{2} \cdot \operatorname{Pr}\left[\widehat{\mathrm{KE}}_{\mathcal{A}, \Pi}^{\text {eav }}(n)=1 \mid b=0\right]+\frac{1}{2} \cdot \operatorname{Pr}\left[\widehat{\mathrm{KE}}_{\mathcal{A}, \Pi}^{\text {eav }}(n)=1 \mid b=1\right] \\
& =\frac{1}{2} \cdot \operatorname{Pr}\left[\mathcal{A}\left(\mathbb{G}, q, g, g^x, g^y, g^{x y}\right)=0\right]+\frac{1}{2} \cdot \operatorname{Pr}\left[\mathcal{A}\left(\mathbb{G}, q, g, g^x, g^y, g^z\right)=1\right] \\
& =\frac{1}{2} \cdot\left(1-\operatorname{Pr}\left[\mathcal{A}\left(\mathbb{G}, q, g, g^x, g^y, g^{x y}\right)=1\right]\right)+\frac{1}{2} \cdot \operatorname{Pr}\left[\mathcal{A}\left(\mathbb{G}, q, g, g^x, g^y, g^z\right)=1\right] \\
& =\frac{1}{2}+\frac{1}{2} \cdot\left(\operatorname{Pr}\left[\mathcal{A}\left(\mathbb{G}, q, g, g^x, g^y, g^z\right)=1\right]-\operatorname{Pr}\left[\mathcal{A}\left(\mathbb{G}, q, g, g^x, g^y, g^{x y}\right)=1\right]\right) \\
& \leq \frac{1}{2}+\frac{1}{2} \cdot\left|\operatorname{Pr}\left[\mathcal{A}\left(\mathbb{G}, q, g, g^x, g^y, g^z\right)=1\right]-\operatorname{Pr}\left[\mathcal{A}\left(\mathbb{G}, q, g, g^x, g^y, g^{x y}\right)=1\right]\right|
\end{aligned}
$$

where the probabilities are all taken over ( $\mathbb{G}, q, g$ ) output by $\mathcal{G}\left(1^n\right)$, and uniform choice of $x, y, z \in \mathbb{Z}_q$. (Note that since $g$ is a generator, $g^z$ is a uniform element of $\mathbb{G}$ when $z$ is uniformly distributed in $\mathbb{Z}_q$.) If the decisional DiffieHellman assumption is hard relative to $\mathcal{G}$, that exactly means that there is a negligible function negl for which

$$
\left|\operatorname{Pr}\left[\mathcal{A}\left(\mathbb{G}, q, g, g^x, g^y, g^z\right)=1\right]-\operatorname{Pr}\left[\mathcal{A}\left(\mathbb{G}, q, g, g^x, g^y, g^{x y}\right)=1\right]\right| \leq \operatorname{negl}(n)
$$

We conclude that

$$
\operatorname{Pr}\left[\widehat{\mathrm{KE}}_{\mathcal{A}, \Pi}^{\mathrm{eav}}(n)=1\right] \leq \frac{1}{2}+\frac{1}{2} \cdot \operatorname{negl}(n),
$$

completing the proof.
:::