Scalable Protocols for Authenticated Group Key Exchange

We consider the problem of authenticated group key exchange among n parties communicating over an insecure public network. A number of solutions to this problem have been proposed; however, all prior provably secure solutions do not scale well and, in particular, require O(n) rounds. Our main contribution is the first scalable protocol for this problem along with a rigorous proof of security in the standard model under the DDH assumption; our protocol uses a constant number of rounds and requires only O(1) "full" modular exponentiations per user. Toward this goal (and adapting work of Bellare, Canetti, and Krawczyk), we first present an efficient compiler that transforms any group key-exchange protocol secure against a passive eavesdropper to an authenticated protocol which is secure against an active adversary who controls all communication in the network. This compiler adds only one round and O(1) communication (per user) to the original scheme. We then prove secure—against a passive adversary—a variant of the two-round group key-exchange protocol of Burmester and Desmedt. Applying our compiler to this protocol results in a provably secure three-round protocol for authenticated group key exchange which also achieves forward secrecy.
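As an added illustration (this is my own code, not the paper's, and it implements the original two-round Burmester-Desmedt protocol rather than the variant the paper proves secure), the following Python shows what the passive-adversary building block described above computes. Round 1: each party i picks a secret r_i and broadcasts z_i = g^{r_i}. Round 2: each party broadcasts X_i = (z_{i+1}/z_{i-1})^{r_i}. Every party then derives the same key g^{r_1 r_2 + r_2 r_3 + ... + r_n r_1}. The group parameters (p = 1019, q = 509, g = 4) are a constructed toy safe-prime group for readability only and offer no security; the authenticating compiler (extra nonce round plus signatures) is not reproduced here, but the last function shows why it is needed: an unauthenticated X value changed in transit silently breaks key agreement.

```python
# Burmester-Desmedt (BD) two-round group key exchange, passive setting.
# Added example with toy parameters; not from the paper and not secure as-is.
import secrets

# Toy safe-prime group (constructed for illustration): p = 2q + 1, g generates
# the prime-order-q subgroup, which is the setting the DDH assumption needs.
P, Q, G = 1019, 509, 4
assert pow(G, Q, P) == 1 and G != 1


def round1(n, rng=secrets.randbelow):
    """Each party i picks r_i in [1, q-1] and broadcasts z_i = g^{r_i} mod p."""
    r = [1 + rng(Q - 1) for _ in range(n)]
    z = [pow(ri_g := G, ri, P) for ri in r]
    return r, z


def in_subgroup(y):
    """Sanity check a received group element: nontrivial and of order q."""
    return 1 < y < P and pow(y, Q, P) == 1


def round2(i, r_i, z):
    """Party i broadcasts X_i = (z_{i+1} / z_{i-1})^{r_i} mod p."""
    n = len(z)
    nxt, prv = z[(i + 1) % n], z[(i - 1) % n]
    inv_prv = pow(prv, P - 2, P)          # modular inverse via Fermat
    return pow(nxt * inv_prv % P, r_i, P)


def derive_key(i, r_i, z, X):
    """K_i = z_{i-1}^{n r_i} * X_i^{n-1} * X_{i+1}^{n-2} * ... * X_{i-2}^{1}.

    Writing t_j = r_j r_{j+1}, the exponents telescope so that K_i equals
    g^{t_1 + ... + t_n} regardless of i.
    """
    n = len(z)
    K = pow(z[(i - 1) % n], n * r_i, P)
    for j in range(1, n):
        K = K * pow(X[(i + j - 1) % n], n - j, P) % P
    return K


def bd_group_key(n, rng=secrets.randbelow):
    """Run the full two-round protocol for n parties; returns (keys, r, z, X)."""
    r, z = round1(n, rng)
    if not all(in_subgroup(zi) for zi in z):
        raise ValueError("round-1 message outside the prime-order subgroup")
    X = [round2(i, r[i], z) for i in range(n)]
    # Well-formedness check a receiver can do for free: the X_i multiply to 1.
    prod = 1
    for x in X:
        prod = prod * x % P
    if prod != 1:
        raise ValueError("round-2 messages are inconsistent")
    keys = [derive_key(i, r[i], z, X) for i in range(n)]
    return keys, r, z, X


def expected_key(r):
    """Reference value g^{sum_i r_i r_{i+1}} computed from all secrets."""
    n = len(r)
    return pow(G, sum(r[i] * r[(i + 1) % n] for i in range(n)) % Q, P)


def key_after_tampering(r, z, X):
    """Key party 0 derives if an active attacker replaces X_1 by X_1 * g.

    Without the authenticating compiler nobody notices; party 0 simply ends
    up with a key that differs from everyone else's.
    """
    X_bad = list(X)
    X_bad[1] = X_bad[1] * G % P
    return derive_key(0, r[0], z, X_bad)


if __name__ == "__main__":
    keys, r, z, X = bd_group_key(5)
    print("all parties agree:", len(set(keys)) == 1)
    print("matches reference:", keys[0] == expected_key(r))
    print("tampered run agrees:", key_after_tampering(r, z, X) == keys[1])
```

The `in_subgroup` and product-equals-one checks are cheap receiver-side validations of message well-formedness; they do not authenticate the sender, which is exactly the gap the paper's compiler closes by adding nonces and signatures.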
