On Security Models and Compilers for Group Key Exchange Protocols

Group key exchange (GKE) protocols can be used to guarantee confidentiality and authentication in group applications. The paradigm of provable security rests on an abstract formalization (a security model) that describes the protocol environment and identifies its security goals. The first security model for GKE protocols was proposed by Bresson, Chevassut, Pointcheval, and Quisquater (BCPQ) in 2001 and has since been applied in many security proofs. Their definitions of AKE-security (authenticated key exchange, i.e. indistinguishability of the session key from a random value) and MA-security (mutual authentication) have since become standard. In this paper we analyze the BCPQ model and some of its variants and identify several risks that stem from its technical core construction, the notion of partnering. Consequently, we propose a revised model that extends AKE- and MA-security in order to capture attacks by malicious participants and strong corruptions. We then turn to generic solutions, known as compilers, for AKE- and MA-security in BCPQ-like models, and describe a compiler C-AMA which provides AKE- and MA-security for any GKE protocol under standard cryptographic assumptions while eliminating some of the limitations identified in existing compilers.
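To make the three notions in the abstract concrete (partnering via a shared session identifier, AKE-style authentication of every protocol message, and an MA-style key-confirmation round), here is an added toy model of a Katz-Yung-style GKE compiler. It is constructed for this page and is not the paper's C-AMA construction nor code from its authors: it wraps an unauthenticated Burmester-Desmedt ring exchange with nonce-derived session identifiers, a Schnorr signature on every message bound to (sid, round, sender), and a final key-confirmation round. The party names, the `insider`/`outsider` adversary hooks and the group parameters (a 10-bit safe prime) are assumptions for illustration only; the parameters provide no security and merely keep the run fast.

```python
"""Toy Katz-Yung-style GKE compiler over a Burmester-Desmedt ring exchange.
Constructed example, not the paper's C-AMA. Group parameters are toy-sized
and NOT secure; they only make the demonstration run quickly."""
import hashlib, hmac, secrets

P, Q, G = 1019, 509, 4   # p = 2q + 1; g = 4 generates the order-q subgroup (toy size)

def h_int(*parts):       # hash arbitrary parts into Z_q
    d = hashlib.sha256(b"|".join(str(x).encode() for x in parts)).digest()
    return int.from_bytes(d, "big") % Q

def keygen():
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)

def sign(sk, msg):       # Schnorr signature (r, s) on msg
    k = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)
    return r, (k + h_int(r, msg) * sk) % Q

def verify(pk, msg, sig):
    r, s = sig
    return pow(G, s, P) == r * pow(pk, h_int(r, msg), P) % P

def run_gke(names, insider=None, outsider=None):
    """Run the compiled protocol; returns {name: session key, or None if that party rejects}.
    insider=(name, f): that party signs and sends f(recipient, rnd, payload) instead of payload.
    outsider=f: f(sender, recipient, rnd, payload, sig) rewrites messages in transit (no key)."""
    n = len(names)
    keys = {nm: keygen() for nm in names}                 # long-term keys; pks assumed pre-distributed
    pks = {nm: pk for nm, (_, pk) in keys.items()}
    nonces = {nm: secrets.token_hex(8) for nm in names}   # round 0: fresh nonces define the session
    sid = hashlib.sha256("|".join(f"{nm}:{nonces[nm]}" for nm in names).encode()).hexdigest()
    inbox = {nm: {} for nm in names}                      # inbox[rcpt][(sender, rnd)] = (payload, sig)
    rejected = set()

    def send(sender, rnd, payload):
        for rcpt in names:
            if rcpt == sender:
                continue
            pl = insider[1](rcpt, rnd, payload) if insider and insider[0] == sender else payload
            sig = sign(keys[sender][0], f"{sid}|{rnd}|{sender}|{pl}")   # bind sid, round, sender
            if outsider:
                pl, sig = outsider(sender, rcpt, rnd, pl, sig)
            inbox[rcpt][(sender, rnd)] = (pl, sig)

    def recv(rcpt, sender, rnd):                          # partnering check: same sid, same round
        pl, sig = inbox[rcpt][(sender, rnd)]
        if not verify(pks[sender], f"{sid}|{rnd}|{sender}|{pl}", sig):
            rejected.add(rcpt)
        return pl

    # Round 1: z_i = g^{x_i}
    x = {nm: secrets.randbelow(Q - 1) + 1 for nm in names}
    for nm in names:
        send(nm, 1, pow(G, x[nm], P))
    z = {nm: {s: (pow(G, x[nm], P) if s == nm else recv(nm, s, 1)) for s in names} for nm in names}
    # Round 2: X_i = (z_{i+1} / z_{i-1})^{x_i}
    X = {}
    for i, nm in enumerate(names):
        nxt, prv = names[(i + 1) % n], names[(i - 1) % n]
        X[nm] = pow(z[nm][nxt] * pow(z[nm][prv], P - 2, P) % P, x[nm], P)
        send(nm, 2, X[nm])
    # Group secret: K_i = z_{i-1}^{n x_i} * X_i^{n-1} * X_{i+1}^{n-2} * ... * X_{i+n-2}
    K = {}
    for i, nm in enumerate(names):
        Xi = {s: (X[nm] if s == nm else recv(nm, s, 2)) for s in names}
        k = pow(z[nm][names[(i - 1) % n]], n * x[nm], P)
        for j in range(n - 1):
            k = k * pow(Xi[names[(i + j) % n]], n - 1 - j, P) % P
        K[nm] = k
    # Round 3: key confirmation under a confirmation key derived from (sid, K)
    def kdf(nm, label):
        return hmac.new(f"{sid}|{K[nm]}".encode(), label, hashlib.sha256).hexdigest()
    def tag(nm, who):
        return hmac.new(kdf(nm, b"conf").encode(), who.encode(), hashlib.sha256).hexdigest()
    for nm in names:
        send(nm, 3, tag(nm, nm))
    result = {}
    for nm in names:
        for s in names:
            if s != nm and not hmac.compare_digest(str(recv(nm, s, 3)), tag(nm, s)):
                rejected.add(nm)                          # a partner holds a different key
        result[nm] = None if nm in rejected else kdf(nm, b"key")
    return result

def demo():
    names = ["alice", "bob", "carol", "dave"]             # constructed participants
    honest = run_gke(names)
    # malicious insider: bob sends dave a different, validly signed round-2 value (key splitting)
    split = run_gke(names, insider=("bob", lambda r, rnd, pl: pl * G % P if (rnd == 2 and r == "dave") else pl))
    # outsider: carol's round-1 value to alice is altered in transit; the signature no longer verifies
    mitm = run_gke(names, outsider=lambda s, r, rnd, pl, sig:
                   (pl * G % P, sig) if (s, r, rnd) == ("carol", "alice", 1) else (pl, sig))
    return honest, split, mitm
```

In the honest run all four parties accept the same key. Signatures alone (the AKE layer) only stop the outsider: alice rejects the tampered message while the others still agree on a key. They do not stop the insider, because bob signs both of his inconsistent round-2 values with his own legitimate key; it is the confirmation round that exposes the resulting key split and makes every party reject, which is the kind of malicious-participant behaviour the revised MA-security definition is meant to capture.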
