\section{Problem 3}
\subparagraph{Syntax}
A protocol $\ke = (\gen_A, \gen_B, \msg_A, \msg_B, \fin_A, \fin_B)$ is specified by six \ppt algorithms:

\begin{table}[h]
\centering
\begin{tabular}{llll}
\toprule
Party & Algorithm & Input & Output \\
\midrule
Alice & $\gen_A(1^n)$ & security parameter & secret state $\sigma_A$ \\
Bob   & $\gen_B(1^n)$ & security parameter & secret state $\sigma_B$ \\
Alice & $\msg_A(\sigma_A)$ & — & first message $m_A$ \\
Bob   & $\msg_B(\sigma_B)$ & — & first message $m_B$ \\
Alice & $\fin_A(\sigma_A, m_B)$ & — & session key $k_A \in \{0,1\}^\ell$ \\
Bob   & $\fin_B(\sigma_B, m_A)$ & — & session key $k_B \in \{0,1\}^\ell$ \\
\bottomrule
\end{tabular}
\end{table}

Protocol flow (one round):

\begin{align*}
\sigma_A \leftarrow \gen_A(1^n);\ m_A \leftarrow \msg_A(\sigma_A)
\quad &\xrightarrow{m_A} \quad
\sigma_B \leftarrow \gen_B(1^n);\ m_B \leftarrow \msg_B(\sigma_B) \\
k_A \leftarrow \fin_A(\sigma_A, m_B)
\quad &\xleftarrow{m_B} \quad
k_B \leftarrow \fin_B(\sigma_B, m_A)
\end{align*}

\subparagraph{Correctness}
There exists a negligible function $\varepsilon(\cdot)$ such that for all $n$:
\[
\Pr[k_A = k_B] \geq 1 - \varepsilon(n),
\]
where the probability is over all internal randomness of the six algorithms.

\subparagraph{Security (semantic secrecy against a passive eavesdropper)}
Consider the following experiment for an adversary $\mathcal{A}$:
\begin{enumerate}
  \item Run the honest protocol to obtain $m_A, m_B, k_A$ (with $k_A = k_B$ except with negligible probability)
  \item Flip a fair coin $b \in \{0,1\}$:
    \begin{itemize}
      \item If $b = 0$ set $K = k_A$ (the real key)
      \item If $b = 1$ choose $K \xleftarrow{\$} \{0,1\}^\ell$ (uniform random)
    \end{itemize}
  \item Give $(m_A, m_B, K)$ to $\mathcal{A}$ and output its guess $b'$
\end{enumerate}

Define the advantage:
\[
\adv_{\ke}^{\pass}(\mathcal{A}, n) = \left| \Pr[b' = b] - \frac{1}{2} \right|.
\]

The protocol is (passively) secure if for every non-uniform \ppt adversary $\mathcal{A}$ there exists a negligible function $\varepsilon(\cdot)$ such that:
\[
\adv_{\ke}^{\pass}(\mathcal{A}, n) \leq \varepsilon(n).
\]

\subparagraph{Why the Definition Is Reasonable}
\begin{itemize}
  \item Correctness guarantees Alice and Bob end with the same key
  \item The indistinguishability experiment formalises the intuition that an eavesdropper who sees \emph{all} public traffic learns essentially nothing about the key: given the transcript $(m_A, m_B)$, the real key is computationally indistinguishable from a uniformly random $\ell$-bit string
  \item This captures the main goal of a key exchange—creating a shared secret over an unauthenticated public channel—while remaining simple enough to fit in a course-work setting. Note that the experiment models only a passive eavesdropper: an active adversary who can modify or inject messages on the unauthenticated channel is outside the scope of this definition
\end{itemize}