Authentication and Forward Secrecy in Diffie-Hellman key exchanges

In its most basic form, DH can be used with each party’s long-lived static key material to derive a shared secret, which will always be the same at every instantiation of the algorithm. This static-static DH key agreement provides authentication of both entities, but doesn’t provide forward secrecy, as the shared secret never changes.

A way to generate different secrets on each iteration of the key exchange, is to replace both static keys with ephemeral keys randomly generated by each peer. This ephemeral-ephemeral scheme provides a fresh shared secret on every instantiation of the exchange, thus providing forward secrecy. However, it does not provide authentication of either sender or recipient, as ephemeral keys are not tied to the static keys that represent the identity of the peers.

Another variation is to replace one of the static keys with an ephemeral key. In the ephemeral-static variant the sender generates an ephemeral key pair, performs a DH key agreement between this key pair and the recipient’s public key, and forwards the ephemeral public key alongside the message payload [2]. The Hybrid Public Key Encryption (RFC 9180) is an example implementation of this variant [3].

The introduction of the ephemeral key pair provides forward secrecy against the compromise of the sender’s keys, but not for the recipient’s, as their static key is still used. On the other hand, authentication is achieved for the recipient, but not for the sender who cannot be identified by an ephemeral key alone.

Complementary properties can be obtained if a static-ephemeral scheme is used. In this variant the recipient generates and ephemeral key pair and shares its public part with the sender. The sender can then perform the DH exchange using this material and their own static keys.

The table Properties of Diffie-Hellman variants summarises the properties of these four Diffie-Hellman variants.

The National Institute of Standards and Technology (NIST) publishes recommendations for pairwise key establishment (SP800-56A) where schemes are classified based on the number of ephemeral and static keys used, and their security properties are analysed.

For example, in their classification a C(1e,2s) scheme uses an ephemeral key pair from one party and static key pairs from both parties, whereas in a C(1e,1s) one party contributes an ephemeral key pair and the other party an static one.

A popular example of the combination of DH variants is the Extended Triple Diffie-Hellman (X3DH) protocol used by Signal, which makes use of a minimum of three Diffie-Hellman handshakes to perform secure key agreements.

A comprehensive study of the security properties of the combination of different Diffie-Hellman variants was published by Trevor Perrin as the Noise Protocol Framework, a framework to define cryptographic protocols where a variety of so called handshake patterns are evaluated with a strong focus on forward secrecy.