Group Key Exchange Resilient to Leakage of Ephemeral Secret Keys with Strong Contributiveness

A group key exchange (GKE) protocol enables a set of users to establish a common secret key for later use. Three major security notions are defined for GKE: authenticated key exchange (AKE) security, mutual authentication (MA) security, and contributiveness. In this paper, we propose a stronger model in which both internal-state leakage and ephemeral-key leakage are considered at different exposure levels. We also show that the previous definition of contributiveness is weak and cannot provide the necessary security guarantees. As a solution, we give a stronger definition of contributiveness that is suitable for most cases of interest. We then present an efficient GKE protocol that is secure in our stronger model. Finally, as a result of independent interest, we revisit the security of a previous GKE protocol, BGS+, and show that it fails to provide the desired security requirement defined in its own model.
