Towards Threshold Key Exchange Protocols

Threshold schemes exist for many cryptographic primitives like signatures, key derivation functions, and ciphers. At the same time, practical key exchange protocols based on Diffie-Hellman (DH) or ECDSA primitives are not designed or implemented in a threshold setting. In this paper, we implement popular key exchange protocols in a threshold manner and show that this approach can be used in practice. First, we introduce two basic threshold DH key agreement schemes that provide enhanced security features in comparison with the classic DH primitive: dealerless distributed key generation, threshold shared key computation, and private key shares refreshing. We implemented the proposed DH schemes within WireGuard protocol to demonstrate its effectiveness, efficiency, and usability in practice. The open question is the security of the proposed schemes and their instantiation from the elliptic curves used in key agreement protocols: NIST curves, Russian GOST curves, and Curve25519. Second, we propose an idea of implementing TLS in a threshold setting that can be used instead of Keyless SSL/TLS technology, and provide the measurements of TLS key exchanges based on threshold ECDSA. Even if we don't provide any formal definitions, security analysis, and mathematical proofs, we believe that the ideas and mechanisms suggested in this paper can be interesting and useful. The main intention of the paper is to start discussions and raise awareness of the challenges and problems arising when moving to threshold key exchange protocols.