Generic One Round Group Key Exchange in the Standard Model

Minimizing complexity of group key exchange (GKE) protocols is an important milestone towards their practical deployment. An interesting approach to achieve this goal is to simplify the design of GKE protocols by using generic building blocks. In this paper we investigate the possibility of founding GKE protocols based on a primitive called multi key encapsulation mechanism (mKEM) and describe advantages and limitations of this approach. In particular, we show how to design a one-round GKE protocol which satisfies the classical requirement of authenticated key exchange (AKE) security, yet without forward secrecy. As a result, we obtain the first one-round GKE protocol secure in the standard model. We also conduct our analysis using recent formal models that take into account both outsider and insider attacks as well as the notion of key compromise impersonation resilience (KCIR). In contrast to previous models we show how to model both outsider and insider KCIR within the definition of mutual authentication. Our analysis additionally implies that the insider security compiler by Katz and Shin from ACM CCS 2005 can be used to achieve more than what is shown in the original work, namely both outsider and insider KCIR.
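The abstract names the building block (an mKEM, which encapsulates one session key to many recipients at once) and the price paid for a single round (no forward secrecy) without showing either concretely. The following toy is an illustrative example added to this page, not the paper's construction or the authors' code: it assumes a textbook ElGamal-style KEM over a deliberately small Mersenne-prime group, builds the mKEM generically by wrapping one random session key under a per-recipient KEM key, lets every party broadcast one mKEM ciphertext and hashes all contributions into the group key, and omits the message authentication (signatures) that the real protocol needs for AKE security. The last function shows what "no forward secrecy" means operationally: a recorded transcript plus a later leak of two parties' static keys is enough to recompute an old group key.

```python
"""Toy mKEM and one-round group key exchange (illustration only).
Constructed for this page; the group, the mKEM construction and the key
derivation are assumptions, not the paper's design, and there is no
authentication of the broadcast messages."""
import hashlib
import secrets

# Toy group parameters: M127 with generator 3 (constructed; NOT secure).
P = 2**127 - 1
G = 3


def kdf(label: bytes, *parts: bytes) -> bytes:
    """Length-prefixed SHA-256 over a domain label and the given parts."""
    h = hashlib.sha256(label)
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return h.digest()


def i2b(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")


def kem_keygen():
    """Long-term (static) key pair: x, y = g^x."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def kem_encaps(pub: int):
    """Single-recipient KEM: shared key derived from y^r, ciphertext g^r."""
    r = secrets.randbelow(P - 2) + 1
    c = pow(G, r, P)
    return kdf(b"kem", i2b(pub), i2b(c), i2b(pow(pub, r, P))), c


def kem_decaps(priv: int, pub: int, c: int) -> bytes:
    return kdf(b"kem", i2b(pub), i2b(c), i2b(pow(c, priv, P)))


def mkem_encaps(pubs: dict):
    """mKEM: encapsulate ONE 32-byte session key to every recipient in
    `pubs` (id -> public key) by wrapping it under a per-recipient KEM key."""
    session_key = secrets.token_bytes(32)
    ct = {}
    for pid, pub in pubs.items():
        k, c = kem_encaps(pub)
        wrapped = bytes(a ^ b for a, b in zip(session_key, kdf(b"wrap", k)))
        ct[pid] = (c, wrapped)
    return session_key, ct


def mkem_decaps(pid, priv, pub, ct):
    """Recipient `pid` unwraps the session key from its own slot of `ct`."""
    c, wrapped = ct[pid]
    k = kem_decaps(priv, pub, c)
    return bytes(a ^ b for a, b in zip(wrapped, kdf(b"wrap", k)))


def gke_round(parties: dict):
    """One round: each party broadcasts a single mKEM ciphertext addressed
    to all other parties. parties: id -> (priv, pub)."""
    pubs = {pid: pub for pid, (_, pub) in parties.items()}
    transcript, own = {}, {}
    for pid in parties:
        others = {q: pubs[q] for q in pubs if q != pid}
        own[pid], transcript[pid] = mkem_encaps(others)
    return transcript, own


def gke_derive(pid, priv, pub, transcript, own_contrib):
    """Group key = KDF over every party's contribution in sender order."""
    contribs = []
    for sender in sorted(transcript):
        if sender == pid:
            contribs.append(own_contrib)
        else:
            contribs.append(mkem_decaps(pid, priv, pub, transcript[sender]))
    return kdf(b"group-key", *contribs)


def run_protocol(n=3):
    parties = {f"P{i}": kem_keygen() for i in range(n)}
    transcript, own = gke_round(parties)
    keys = {pid: gke_derive(pid, priv, pub, transcript, own[pid])
            for pid, (priv, pub) in parties.items()}
    return parties, transcript, keys


def recover_from_transcript(transcript, leaked: dict):
    """No forward secrecy: with a recorded transcript and the static keys of
    enough parties (here, any two), every contribution can be unwrapped and
    the old group key recomputed. Returns None if some contribution stays
    closed with the leaked keys."""
    contribs = []
    for sender in sorted(transcript):
        ct = transcript[sender]
        opened = None
        for pid, (priv, pub) in leaked.items():
            if pid in ct:
                opened = mkem_decaps(pid, priv, pub, ct)
                break
        if opened is None:
            return None
        contribs.append(opened)
    return kdf(b"group-key", *contribs)
```

Running `run_protocol(3)` gives three identical group keys after one broadcast round. Because every contribution is wrapped only under recipients' long-term keys, `recover_from_transcript` succeeds as soon as two of those keys leak, while it fails with one key alone since a party's own contribution is never addressed to itself; a forward-secure design would mix in ephemeral key material that a later static-key compromise does not reveal.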

[1] Jonathan Katz et al. Chosen-Ciphertext Security from Identity-Based Encryption. SIAM J. Comput., 2004.

[2] Emmanuel Bresson et al. Provably Authenticated Group Diffie-Hellman Key Exchange. CCS '01, 2001.

[3] Colin Boyd et al. Protocols for Authentication and Key Establishment. Information Security and Cryptography, 2003.

[4] Emmanuel Bresson et al. Contributory Group Key Exchange in the Presence of Malicious Participants. IET Inf. Secur., 2008.

[5] Rainer Steinwandt et al. Deniable Group Key Agreement. VIETCRYPT, 2006.

[6] Jonathan Katz et al. Scalable Protocols for Authenticated Group Key Exchange. CRYPTO, 2003.

[7] Emmanuel Bresson et al. Mutual Authentication and Group Key Agreement for Low-Power Mobile Devices. MWCN, 2003.

[8] Kenneth G. Paterson et al. Tripartite Authenticated Key Agreement Protocols from Pairings. IMACC, 2003.

[9] Emmanuel Bresson et al. Provably Authenticated Group Diffie-Hellman Key Exchange - The Dynamic Case. ASIACRYPT, 2001.

[10] Colin Boyd et al. Modeling Key Compromise Impersonation Attacks on Group Key Exchange Protocols. Public Key Cryptography, 2009.

[11] Colin Boyd et al. Round-Optimal Contributory Conference Key Agreement. Public Key Cryptography, 2003.

[12] Kenneth G. Paterson et al. One-Round Key Exchange in the Standard Model. Int. J. Appl. Cryptogr., 2009.

[13] Emmanuel Bresson et al. Dynamic Group Diffie-Hellman Key Exchange under Standard Assumptions. EUROCRYPT, 2002.

[14] Frederik Armknecht et al. A Universally Composable Group Key Exchange Protocol with Minimum Communication Effort. SCN, 2008.

[15] Colin Boyd et al. On the Connection Between Signcryption and One-Pass Key Establishment. IMACC, 2007.

[16] Ronald Cramer et al. Design and Analysis of Practical Public-Key Encryption Schemes Secure against Adaptive Chosen Ciphertext Attack. SIAM J. Comput., 2003.

[17] Colin Boyd et al. On Key Agreement and Conference Key Agreement. ACISP, 1997.

[18] Nigel P. Smart et al. Efficient Key Encapsulation to Multiple Parties. SCN, 2004.

[19] Emmanuel Bresson et al. Securing Group Key Exchange against Strong Corruptions. ASIACCS '08, 2008.

[20] Rainer Steinwandt et al. Secure Group Key Establishment Revisited. International Journal of Information Security, 2007.

[21] Ronald Cramer et al. A Practical Public Key Cryptosystem Provably Secure Against Adaptive Chosen Ciphertext Attack. CRYPTO, 1998.

[22] Jonathan Katz et al. Modeling Insider Attacks on Group Key-Exchange Protocols. CCS '05, 2005.

[23] Silvio Micali et al. How to Construct Random Functions. JACM, 1986.

[24] Colin Boyd et al. Towards a Classification of Key Agreement Protocols. Proceedings of the Eighth IEEE Computer Security Foundations Workshop, 1995.