Scalable Protocols for Authenticated Group Key Exchange

We consider the fundamental problem of authenticated group key exchange among n parties within a larger and insecure public network. A number of solutions to this problem have been proposed; however, all provably-secure solutions thus far are not scalable and, in particular, require n rounds. Our main contribution is the first scalable protocol for this problem along with a rigorous proof of security in the standard model under the DDH assumption; our protocol uses a constant number of rounds and requires only O(1) modular exponentiations per user (for key derivation). Toward this goal and of independent interest, we first present a scalable compiler that transforms any group key-exchange protocol secure against a passive eavesdropper to an authenticated protocol which is secure against an active adversary who controls all communication in the network. This compiler adds only one round and O(1) communication (per user) to the original scheme. We then prove secure — against a passive adversary — a variant of the two-round group key-exchange protocol of Burmester and Desmedt. Applying our compiler to this protocol results in a provably-secure three-round protocol for authenticated group key exchange which also achieves forward secrecy.
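The two-round Burmester-Desmedt (BD) exchange that the abstract builds on, as an added example (not the paper's own code) in Python over a constructed toy group; the key-derivation step uses the form that needs only O(1) exponentiations per user, which is the efficiency the abstract refers to. The authentication compiler (an extra round of nonces and signatures) is not shown, so this is the passive-adversary protocol.

```python
import secrets

# Constructed toy parameters: safe prime p = 2q + 1 and a generator g of the
# order-q subgroup. Real deployments use standardised group sizes.
P = 1019
Q = 509
G = 4

def round1(r):
    """Round 1: U_i picks r_i in Z_q and broadcasts z_i = g^{r_i}."""
    return pow(G, r, P)

def round2(i, r, z):
    """Round 2: U_i broadcasts X_i = (z_{i+1} / z_{i-1})^{r_i}."""
    n = len(z)
    ratio = z[(i + 1) % n] * pow(z[(i - 1) % n], -1, P) % P
    return pow(ratio, r, P)

def derive_key(i, r, z, x):
    """Key derivation with one exponentiation and n-1 multiplications.
    T_i = z_{i-1}^{r_i} = g^{r_{i-1} r_i}; then T_{j+1} = T_j * X_j, and
    K = prod_j T_j = g^{r_1 r_2 + r_2 r_3 + ... + r_n r_1}."""
    n = len(z)
    t = pow(z[(i - 1) % n], r, P)      # T_i, the only exponentiation here
    key = t
    for step in range(n - 1):
        t = t * x[(i + step) % n] % P   # T_{i+step+1}
        key = key * t % P
    return key

def expected_key(rs):
    """Reference g^{sum r_j r_{j+1}} from all secrets; for checking only."""
    n = len(rs)
    e = sum(rs[j] * rs[(j + 1) % n] for j in range(n)) % Q
    return pow(G, e, P)

def run_bd(n, rs=None):
    """Run unauthenticated BD among n parties; returns (per-user keys, reference)."""
    rs = rs or [secrets.randbelow(Q - 1) + 1 for _ in range(n)]
    z = [round1(r) for r in rs]
    x = [round2(i, rs[i], z) for i in range(n)]
    keys = [derive_key(i, rs[i], z, x) for i in range(n)]
    return keys, expected_key(rs)
```

Without the compiler an active adversary can replace any broadcast value, and the parties simply end up with different keys; the signed-nonce round is what binds every message to its sender and session.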
