Introduction

There is one essential security property for key exchange protocols - an adversary should be unable to obtain the same final key as the two legitimate parties. Nevertheless, we still need to define our threat models, i.e. the capabilities of the adversary and how powerful they are.

The adversary $\textit{Eve}$ can observe all communication between the legitimate parties Alice and Bob.
Copy

The aforementioned security definition assumes a passive adversary, i.e. an adversary who can observe the communication between the