On the cryptographic properties of “Limonnik-3” AKE scheme

We study the “Limonnik-3” authenticated key exchange protocol which is a part of Standardization recommendations R 1323565.1.004-2017 “Authenticated key agreement schemes based on public keys”, officially adopted in Russia in 2017, alongside with the “Echinacea” family of protocols. The protocol uses standardized cryptographic solutions, but does not require digital signature as a primitive, allows two parties to use distinct elliptic curves. The paper describes the protocol the “Limonnik-3”, studies its design rationale, basic requirements used at the stage of protocol design, its cryptographic properties and efficiency. Provided that proposed in the paper parameters and algorithms are used, security against known classes of attacks, including secret key recovery, reduced to the elliptic curve discrete logarithm problem, KCI- and UKS-attacks, is demonstrated. A formal security proof in a modified Canetti-Krawczyk model is deduced, provided that the gap decision Diffie-Hellman problem, connected to the discrete logarithm in the group of points of an elliptic curve, is computationally hard. Automated verification of the protocols shows its security and absence of possible vectors of attack. A brief overview of post-quantum prospectives of the protocol is given. Thus, the paper shows that “Limonnik-3” is a robust and secure cryptographic solution, which satisfies all of the requirements that apply to the modern key exchange protocols.