Towards Threshold Key Exchange Protocols
Denis Kolegov, Yulia Khalniyazova, Denis Varlakov

TL;DR
This paper explores implementing threshold key exchange protocols, demonstrating practical schemes for Diffie-Hellman and ECDSA within existing protocols like WireGuard and TLS, aiming to enhance security and usability.
Contribution
It introduces practical threshold Diffie-Hellman schemes integrated into WireGuard and proposes ideas for threshold TLS, highlighting challenges and potential benefits.
Findings
Threshold DH schemes with dealerless key generation and refresh.
Implementation of threshold DH in WireGuard demonstrating efficiency.
Measurement of TLS key exchanges using threshold ECDSA.
Abstract
Threshold schemes exist for many cryptographic primitives like signatures, key derivation functions, and ciphers. At the same time, practical key exchange protocols based on Diffie-Hellman (DH) or ECDSA primitives are not designed or implemented in a threshold setting. In this paper, we implement popular key exchange protocols in a threshold manner and show that this approach can be used in practice. First, we introduce two basic threshold DH key agreement schemes that provide enhanced security features in comparison with the classic DH primitive: dealerless distributed key generation, threshold shared key computation, and private key shares refreshing. We implemented the proposed DH schemes within the WireGuard protocol to demonstrate their effectiveness, efficiency, and usability in practice. The open question is the security of the proposed schemes and their instantiation from the elliptic…
Taxonomy
Topics: Cryptography and Data Security · Cryptography and Residue Arithmetic · Cryptographic Implementations and Security
