I haven't seen anyone ask how these things differ, so I'm just posting this question now. Are there any differences between the three things in the title? If so, how do they differ? What algorithms are examples of each?
1 Answer
To me, key establishment is the most generic term. It simply indicates that a key is established somehow between two or more parties. This establishment could be performed by using either symmetric or asymmetric cryptography. For example, Kerberos and Needham-Schroeder use symmetric cryptography to establish keys.
Key agreement is a form of key establishment in which each party contributes to the established key. In practice, key agreement and key exchange are often used interchangeably.
Key exchange is more specific. It means the parties agree on a key, usually by using an asymmetric algorithm. It is commonly associated with Diffie-Hellman (DH), including Elliptic Curve based Diffie-Hellman (ECDH), which in turn also includes key agreement using the Edwards curves X25519 and X448.
The conspicuously missing term is key transport, which is performed, for instance, when a key is wrapped (i.e. encrypted) with an RSA public key by one party and then recovered by the receiving party using the private key.
Another example of key transport is when a key is established using a Key Encapsulation Mechanism or KEM, usually after running the encapsulated secret value through a key derivation function. This has become especially important since NIST has only standardized a single post-quantum key establishment mechanism: ML-KEM, also known as CRYSTALS-Kyber.
Here we get in a bit of a pickle. In this answer on the site it is successfully argued that Kyber actually also uses the bytes of the public key for the calculation of the key. So in that sense it also qualifies as key agreement, as the resulting key depends on information from both parties. Here we have to remember that these terms often draw a line between algorithms even if there is none.
Note that these terms are all about establishing keys between two parties in a way that requires communication between the parties. Usually algorithms that perform key derivation or, for instance, a ratchet are not thought to be key establishment algorithms as they can be executed by a single party. However, both key derivation and ratcheting are often used as part of a key establishment protocol - for instance in a double-ratchet protocol which depends on Diffie-Hellman.
Cryptographers often don't even agree on the differences of a secret vs a private key. I'd always considered a secret key to be something that can be shared, while a private key is normally used by one party as part of a public / private key pair. But there are entire books that flip the usage of those terms.
So whatever you do, it always pays to look at the context or, indeed, the definitions where available. Language is fickle.