Group key exchange protocols withstanding ephemeral-key reveals

When a group key exchange protocol is executed, the session key is typically extracted from two types of secrets: long-term keys (for authentication) and freshly generated (often random) values. The leakage of the latter, the so-called ephemeral keys, has been extensively analysed in the 2-party case, yet very few works are concerned with it in the group setting. The authors provide a generic group key exchange construction that is strongly secure, meaning that the attacker is allowed to learn both long-term and ephemeral keys (but not both from the same participant, as this would trivially disclose the session key). Their design can be seen as a compiler, in the sense that it builds on a strongly secure 2-party key exchange protocol and transforms it into a strongly secure group key exchange protocol by adding only one extra round of communication. When applied to an existing 2-party protocol from Bergsma et al., the result is a 2-round group key exchange protocol which is strongly secure in the standard model, thus yielding the first construction with this property.
