Academia.eduAcademia.edu

Outline

Title
Abstract
Introduction
Previous Work
Compilers for Key-Exchange Protocols
Participants and Initialization
Scalable Compiler for Group Ake Protocols
Constant-Round Group Ke Protocol
References
All Topics
Computer Science
Cryptography

Scalable Protocols for Authenticated Group Key Exchange

Profile image of Jonathan KatzJonathan Katz

2003, Lecture Notes in Computer Science

https://doi.org/10.1007/978-3-540-45146-4_7
visibility

description

16 pages

link

1 file

Abstract

We consider the fundamental problem of authenticated group key exchange among n parties within a larger and insecure public network. A number of solutions to this problem have been proposed; however, all provably-secure solutions thus far are not scalable and, in particular, require n rounds. Our main contribution is the first scalable protocol for this problem along with a rigorous proof of security in the standard model under the DDH assumption; our protocol uses a constant number of rounds and requires only O(1) modular exponentiations per user (for key derivation). Toward this goal and of independent interest, we first present a scalable compiler that transforms any group key-exchange protocol secure against a passive eavesdropper to an authenticated protocol which is secure against an active adversary who controls all communication in the network. This compiler adds only one round and O(1) communication (per user) to the original scheme. We then prove secure -against a passive adversary -a variant of the tworound group key-exchange protocol of Burmester and Desmedt. Applying our compiler to this protocol results in a provably-secure three-round protocol for authenticated group key exchange which also achieves forward secrecy.

Related papers

On Security Models and Compilers for Group Key Exchange Protocols
Mark Manulis

Lecture Notes in Computer Science, 2007

Group key exchange (GKE) protocols can be used to guarantee confidentiality and authentication in group applications. The paradigm of provable security subsumes an abstract formalization (security model) that considers the protocol environment and identifies its security goals. The first security model for GKE protocols was proposed by Bresson, Chevassut, Pointcheval, and Quisquater in 2001, and has been subsequently applied in many security proofs. Their definitions of AKEsecurity (authenticated key exchange; a.k.a. indistinguishability of the key) and MA-security (mutual authentication) became meanwhile standard. In this paper we analyze the BCPQ model and some of its variants and identify several risks resulting from its technical core constructionthe notion of partnering. Consequently, we propose a revised model extending AKE-and MA-security in order to capture attacks by malicious participants and strong corruptions. Then, we turn to generic solutions (known as compilers) for AKE-and MA-security in BCPQ-like models. We describe a compiler C-AMA which provides AKE-and MA-security for any GKE protocol, under standard cryptographic assumptions, that eliminates some identified limitations in existing compilers.

View PDFchevron_right
On the security of group communication schemes
Shouhuai Xu

Journal of Computer Security, 2007

Many emerging applications in both wired and wireless networks need support of secure group communications. There have been many secure group communication schemes in the setting of wired networks.

View PDFchevron_right
Scalable Secure Bidirectional Group Communication
John Canny

2007

Abstract Many network applications are based on a group communications model where one party sends messages to a large number of authorized recipients and/or receives messages from multiple senders. In this paper we present a secure group communication scheme based on a new cryptosystem that admits a rigorous proof of security against adaptive chosen ciphertext attack (IND-CCA2). Our scheme is bi-directional, supporting both one-to-many and many-to-one communications.

View PDFchevron_right
A provably secure revocable ID-based authenticated group key exchange protocol with identifying malicious participants
Yuh-Min Tseng

TheScientificWorldJournal, 2014

The existence of malicious participants is a major threat for authenticated group key exchange (AGKE) protocols. Typically, there are two detecting ways (passive and active) to resist malicious participants in AGKE protocols. In 2012, the revocable identity- (ID-) based public key system (R-IDPKS) was proposed to solve the revocation problem in the ID-based public key system (IDPKS). Afterwards, based on the R-IDPKS, Wu et al. proposed a revocable ID-based AGKE (RID-AGKE) protocol, which adopted a passive detecting way to resist malicious participants. However, it needs three rounds and cannot identify malicious participants. In this paper, we fuse a noninteractive confirmed computation technique to propose the first two-round RID-AGKE protocol with identifying malicious participants, which is an active detecting way. We demonstrate that our protocol is a provably secure AGKE protocol with forward secrecy and can identify malicious participants. When compared with the recently propo...

View PDFchevron_right
On the security of group communication schemes based on symmetric key cryptosystems
Shouhuai Xu

Proceedings of the 3rd ACM workshop on Security of ad hoc and sensor networks - SASN '05, 2005

Many emerging applications in both wired and wireless networks, such as information dissemination and distributed collaboration in an adversarial environment, need support of secure group communications. There have been many such schemes in the setting of wired networks. These schemes can be directly adopted in, or appropriately adapted to, the setting of wireless networks such as mobile ad hoc networks (MANETs) and sensor networks. In this paper we show that the popular group communication schemes that we have examined are vulnerable to the following attack: an outsider adversary who compromises a legitimate group member could obtain some or all past group keys as well as the current group key; this is in sharp contrast to the widelyaccepted belief that a such adversary can only obtain the current group key. This attack is very powerful also because it provides the adversary the following flexibility: since the adversary knows which members are the "most valuable" ones from its own perspective of view, compromise of any such member leads to the exposure of all the past and current group keys. This flexibility is particularly relevant in the setting of MANETs and sensor networks because they are typically deployed in a small area and the adversary can capture and compromise the easiest-to-obtain node. In order to deal with this powerful attack, we formalize two security models for stateful and stateless group communication schemes, respectively. We show that some practical methods can make a subclass of the group communication schemes immune to this attack at the following extra expense: at each rekeying event, a group member conducts logarithmically-many pseudorandom function evaluations.

View PDFchevron_right
On the impossibility of building secure Cliques-type authenticated group key agreement protocols
Jean-jacques Quisquater

Journal of Computer Security

The A-GDH.2 and SA-GDH.2 authenticated group key agreement protocols showed to be flawed in 2001. Even though the corresponding attacks (or some variants of them) have been rediscovered in several different frameworks, no fixed version of these protocols has been proposed until now. In this paper, we prove that it is in fact impossible to design a scalable authenticated group key agreement protocol based on the same design assumptions as the A-GDH ones. We proceed by providing a systematic way to derive an attack against any A-GDH-type protocol with at least four participants and exhibit protocols with two and three participants which we cannot break using our technique. As far as we know, this is the first generic insecurity result reported in the literature concerning authentication protocols.

View PDFchevron_right
Scalable Compilers for Group Key Establishment : Two/Three Party to Group
sree vivek

2009

This work presents the first scalable, efficient and generic compilers to construct group key exchange (GKE) protocols from two/three party key exchange (2-KE/3-KE) protocols. We propose three different compilers where the first one is a 2-KE to GKE compiler (2-TGKE) for tree topology, the second one is also for tree topology but from 3-KE to GKE (3-TGKE) and the third one is a compiler that constructs a GKE from 3-KE for circular topology. Our compilers 2-TGKE and 3-TGKE are first of their kind and are efficient due to the underlying tree topology. For the circular topology, we design a compiler called 3-CGKE. 2-TGKE and 3-TGKE compilers require a total of O (n lg n) communication, when compared to the existing compiler for circular topology, where the communication cost is O`n 2´. By extending the compilers 2-TGKE and 3-TGKE using the techniques in [18], scalable compilers for tree based authenticated group key exchange protocols (2-TAGKE/3-TAGKE), which are secure against active adversaries can be constructed. As an added advantage our compilers can be used in a setting where there is asymmetric distribution of computing power. Finally, we present a constant round authenticated group key exchange (2-TAGKE) obtained by applying Diffie-Hellman protocol and the technique in [18] to our compiler 2-TGKE. We prove the security of our compilers in a stronger Real or Random model and do not assume the existence of random oracles.

View PDFchevron_right
The Fairy-Ring Dance: Password Authenticated Key Exchange in a Group
Siamak F Shahandashti

In this paper, we study Password Authenticated Key Exchange (PAKE) in a group. First, we present a generic "fairy-ring dance" construction that transforms any secure two-party PAKE scheme to a group PAKE protocol while preserving the round efficiency in the optimal way. Based on this generic construction, we present two concrete instantiations based on using SPEKE and J-PAKE as the underlying PAKE primitives respectively. The first protocol, called SPEKE+, accomplishes authenticated key exchange in a group with explicit key confirmation in just two rounds. This is more round-efficient than any existing group PAKE protocols in the literature. The second protocol, called J-PAKE+, requires one more round than SPEKE+, but is computationally faster. Finally, we present full implementations of SPEKE+ and J-PAKE+ with detailed performance measurements. Our experiments suggest that both protocols are feasible for practical applications in which the group size may vary from three to several dozen. This makes them useful, as we believe, for a wide range of applications-e.g., to bootstrap secure communication among a group of smart devices in the Internet of Things (IoT).

View PDFchevron_right
SGKMP: A scalable group key management protocol
Naveed Islam

Sustainable Cities and Society, 2018

The Online Social Network (OSN) has changed the ways of communication among users from one-to-one toward the group communication. The users of a particular group are interested in communicating securely among the group members using secure group key. Although the data remains secure during the transmission when it is encrypted with the group key, however, the group key management and generation is a challenge while using the insecure channel and untrusted server. The contributory key management is a solution in such situations, but the creation process of the group key, among the group members itself, is a challenge. In the literature, the contributory key generation requires at least n rounds to accomplish the group key generation process. Modification in a group requires the re-keying process for backward and forward security, and it also needs the same number of rounds again. In this paper, a scalable group key management protocol (SGKMP) is proposed, which requires only two rounds to complete the group key generation process, irrespective of group size and it is secure from the eavesdropper in the middle. The backward and forward secrecy is maintained when any user joins or leaves the group while doing a single activity by the group leader. The proposed protocol is implemented using Java as a programming language in order to validate the applicability of the protocol.

View PDFchevron_right
Generic insecurity of cliques-type authenticated group key agreement protocols
Jean-jacques Quisquater

Proceedings. 17th IEEE Computer Security Foundations Workshop, 2004., 2004

The A-GDH.2 and SA-GDH.2 authenticated group key agreement protocols showed to be flawed in 2001. Even though the corresponding attacks (or some variants of them) have been rediscovered in several different frameworks, no fixed version of these protocols has been proposed until now.

View PDFchevron_right

References (33)

  1. S.S. Al-Riyami and K.G. Paterson. Tripartite Authenticated Key Agreement Pro- tocols from Pairings. Available at http://eprint.iacr.org/2002/035/.
  2. G. Ateniese, M. Steiner, and G. Tsudik. Authenticated Group Key Agreement and Friends. ACM CCCS '98.
  3. G. Ateniese, M. Steiner, and G. Tsudik. New Multi-Party Authentication Services and Key Agreement Protocols. IEEE Journal on Selected Areas in Communica- tions, 18(4): 628-639 (2000).
  4. M. Bellare, R. Canetti, and H. Krawczyk. A Modular Approach to the Design and Analysis of Authentication and Key Exchange Protocols. STOC '98.
  5. M. Bellare, D. Pointcheval, and P. Rogaway. Authenticated Key Exchange Secure Against Dictionary Attacks. Eurocrypt 2000.
  6. M. Bellare and P. Rogaway. Entity Authentication and Key Distribution. Crypto '93.
  7. M. Bellare and P. Rogaway. Provably-Secure Session Key Distribution: the Three Party Case. STOC '95.
  8. R. Bird, I. Gopal, A. Herzberg, P. Janson, S. Kutten, R. Molva, and M. Yung. Systematic Design of Two-Party Authentication Protocols. IEEE J. on Selected Areas in Communications, 11(5): 679-693 (1993). A preliminary version appeared in Crypto '91.
  9. C. Boyd. On Key Agreement and Conference Key Agreement. ACISP '97.
  10. C. Boyd and J.M.G. Nieto. Round-Optimal Contributory Conference Key Agree- ment. PKC 2003.
  11. E. Bresson, O. Chevassut, and D. Pointcheval. Provably Authenticated Group Diffie-Hellman Key Exchange -The Dynamic Case. Asiacrypt 2001.
  12. E. Bresson, O. Chevassut, and D. Pointcheval. Dynamic Group Diffie-Hellman Key Exchange under Standard Assumptions. Eurocrypt 2002.
  13. E. Bresson, O. Chevassut, D. Pointcheval, and J.-J. Quisquater. Provably Authen- ticated Group Diffie-Hellman Key Exchange. ACM CCCS 2001.
  14. M. Burmester and Y. Desmedt. A Secure and Efficient Conference Key Distribution System. Eurocrypt '94.
  15. R. Canetti and H. Krawczyk. Key-Exchange Protocols and Their Use for Building Secure Channels. Eurocrypt 2001.
  16. R. Canetti and H. Krawczyk. Universally Composable Notions of Key Exchange and Secure Channels. Eurocrypt 2002.
  17. R. Canetti and H. Krawczyk. Security Analysis of IKE's Signature-Based Key- Exchange Protocol. Crypto 2002.
  18. Y. Desmedt. Personal communication (including a copy of the pre-proceedings version of [14]), March 2003.
  19. W. Diffie and M. Hellman. New Directions in Cryptography. IEEE Transactions on Information Theory, 22(6): 644-654 (1976).
  20. W. Diffie, P. van Oorschot, and M. Wiener. Authentication and Authenticated Key Exchanges. Designs, Codes, and Cryptography, 2(2): 107-125 (1992).
  21. M. Fischer, N. Lynch, and M. Patterson. Impossibility of Distributed Consensus with One Faulty Process. J. ACM 32(2): 374-382 (1985).
  22. I. Ingemarsson, D.T. Tang, and C.K. Wong. A Conference Key Distribution Sys- tem. IEEE Transactions on Information Theory, 28(5): 714-720 (1982).
  23. A. Joux. A One Round Protocol for Tripartite Diffie Hellman. ANTS 2000.
  24. M. Just and S. Vaudenay. Authenticated Multi-Party Key Agreement. Asiacrypt '96.
  25. H. Krawczyk. SKEME: A Versatile Secure Key-Exchange Mechanism for the In- ternet. Proceedings of the Internet Society Symposium on Network and Distributed System Security, Feb. 1996, pp. 114-127.
  26. H.-K. Lee, H.-S. Lee, and Y.-R. Lee. Multi-Party Authenticated Key Agreement Protocols from Multilinear Forms. Available at http://eprint.iacr.org/2002/166/.
  27. H.-K. Lee, H.-S. Lee, and Y.-R. Lee. An Authenticated Group Key Agreement Protocol on Braid groups. Available at http://eprint.iacr.org/2003/018/.
  28. A. Mayer and M. Yung. Secure Protocol Transformation via "Expansion": From Two-Party to Groups. ACM CCCS '99.
  29. O. Pereira and J.-J. Quisquater. A Security Analysis of the Cliques Protocol Suites. IEEE Computer Security Foundations Workshop, June 2001.
  30. V. Shoup. On Formal Models for Secure Key Exchange. Draft, 1999. Available at http://eprint.iacr.org/1999/012.
  31. M. Steiner, G. Tsudik, and M. Waidner. Key Agreement in Dynamic Peer Groups. IEEE Trans. on Parallel and Distributed Systems 11(8): 769-780 (2000). A pre- liminary version appeared in ACM CCCS '96.
  32. W.-G. Tzeng. A Practical and Secure Fault-Tolerant Conference Key Agreement Protocol. PKC 2000.
  33. W.-G. Tzeng and Z.-J. Tzeng. Round Efficient Conference Key Agreement Proto- cols with Provable Security. Asiacrypt 2000.

Related papers

Constant-Round Authenticated Group Key Exchange with Logarithmic Computation Complexity
Juryon Paik

2007

Protocols for group key exchange (GKE) are cryptographic algorithms that describe how a group of parties communicating over a public network can come up with a common secret key. Due to their critical role in building secure multicast channels, a number of GKE protocols have been proposed over the years in a variety of settings. However despite many impressive achievements, it still remains a challenging problem to design a secure GKE protocol which scales very well for large groups. Our observation is that all constant-round authenticated GKE protocols providing forward secrecy thus far are not fully scalable, but have a computation complexity that scales only linearly in group size. Motivated by this observation, we propose a new and the first forward-secure authenticated GKE protocol that achieves both constant round complexity and logarithmic computation complexity. In particular, our GKE protocol is fully scalable in all key metrics when considered in the context of a broadcast network. The scalability of the protocol is achieved by using a complete binary tree structure combined with a so-called “nonce-chained authentication technique”. Besides its scalability, our protocol features provable security against active adversaries under the decisional Diffie-Hellman assumption. We provide a rigorous proof of security for the protocol in a well-defined formal model of communication and adversary capabilities. The result of the current work means that forward-secure generation of session keys even for very large groups can be now done both securely and efficiently.

View PDFchevron_right
Provably-Secure and communication-efficient scheme for dynamic group key exchange
Seungjoo Kim

2004

Group key agreement protocols are designed to solve the fundamental problem of securely establishing a session key among a group of parties communicating over a public channel. Although a number of protocols have been proposed to solve this problem over the years, they are not well suited for a high-delay wide area network; their communication overhead is significant in terms of the number of communication rounds or the number of exchanged messages, both of which are recognized as the dominant factors that slow down group key agreement over a networking environment with high communication latency. In this paper we present a communication-efficient group key agreement protocol and prove its security in the random oracle model under the factoring assumption. The proposed protocol provides perfect forward secrecy and requires only a constant number of communication rounds for any of group rekeying operations, while achieving optimal message complexity.

View PDFchevron_right
Scalable and fault-tolerant key agreement protocol for dynamic groups
A. Miri

International Journal of Network Management, 2006

With the widespread use of the Internet, the popularity of group communication-based applications has grown considerably. Since most communications over the Internet involve the traversal of insecure networks, basic security services are necessary for these collaborative applications. These security services can be facilitated if the authorized group members share a common secret. In such distributed applications, key agreement protocols are preferred to key distribution protocols. In the past two decades, there have been many proposals for key agreement protocols. Most of these protocols are not efficient and limit the size of the underlying group. In this paper, we consider the scalability problem in group key agreement protocols. We propose a novel framework based on extension of the Diffie-Hellman key exchange protocol. The efficiency of our protocol comes from the clustering of the group members, where the common session key is established collaboratively by all participants. We present the auxiliary protocols needed when the membership changes. We show that our protocol is superior in complexity in both communication and computation overheads required to generate the session key.

View PDFchevron_right
A Secure and Scalable Framework for Group Communication
Annappa B

2006

View PDFchevron_right
Efficient Compilers for Authenticated Group Key Exchange
Chris Mitchell

Lecture Notes in Computer Science, 2005

In this paper we propose two compilers which are designed to transform a group key exchange protocol secure against any passive adversary into an authenticated group key exchange protocol with key confirmation which is secure against any passive adversary, active adversary, or malicious insider. We show that the first proposed compiler gives protocols that are more efficient than those produced by the compiler of Katz and Yung. The second proposed compiler further reduces the computational complexity of the output protocols by using a Trusted Third Party (TTP). We moreover show that, although the protocols produced by the novel compilers have lower computational complexity than the protocols produced by the Katz-Yung compiler, the protocols nevertheless achieve key confirmation, unlike the protocols output by the Katz-Yung compiler.

View PDFchevron_right

Related topics

  • Computer Science
  • Provable Security
  • Group Key Exchange
  • Key Exchange
  • Authentication Protocol
  • Group key

    • Cited by

    An Efficient Protocol for Authenticated Group Key Agreement in Heterogeneous Networks
    joseph oyewale
    View PDFchevron_right
    Asymmetric Group Key Agreement
    qianhong wu

    2009

    A group key agreement (GKA) protocol allows a set of users to establish a common secret via open networks. Observing that a major goal of GKAs for most applications is to establish a confidential channel among group members, we revisit the group key agreement definition and distinguish the conventional (symmetric) group key agreement from asymmetric group key agreement (ASGKA) protocols. Instead of a common secret key, only a shared encryption key is negotiated in an ASGKA protocol. This encryption key is accessible to attackers and corresponds to different decryption keys, each of which is only computable by one group member. We propose a generic construction of one-round ASGKAs based on a new primitive referred to as aggregatable signature-based broadcast (ASBB), in which the public key can be simultaneously used to verify signatures and encrypt messages while any signature can be used to decrypt ciphertexts under this public key. Using bilinear pairings, we realize an efficient ASBB scheme equipped with useful properties. Following the generic construction, we instantiate a one-round ASGKA protocol tightly reduced to the decision Bilinear Diffie-Hellman Exponentiation (BDHE) assumption in the standard model.

    View PDFchevron_right
    How to Strengthen Any Weakly Unforgeable Signature into a Strongly Unforgeable Signature
    Ron Steinfeld

    2007

    Standard signature schemes are usually designed only to achieve weak unforgeability – i.e. preventing forgery of signatures on new messages not previously signed. However, most signature schemes are randomised and allow many possible signatures for a single message. In this case, it may be possible to produce a new signature on a previously signed message. Some applications require that this type of forgery also be prevented – this requirement is called strong unforgeability. At PKC2006, Boneh Shen and Waters presented an efficient transform based on any randomised trapdoor hash function which converts a weakly unforgeable signature into a strongly unforgeable signature and applied it to construct a strongly unforgeable signature based on the CDH problem. However, the transform of Boneh et al only applies to a class of so-called partitioned signatures. Although many schemes fall in this class, some do not, for example the DSA signature. Hence it is natural to ask whether one can obtain a truly generic efficient transform based on any randomised trapdoor hash function which converts any weakly unforgeable signature into a strongly unforgeable one. We answer this question in the positive by presenting a simple modification of the Boneh-Shen-Waters transform. Our modified transform uses two randomised trapdoor hash functions.

    View PDFchevron_right
    An Efficient Dynamic Group Key Agreement for Low-Power Mobile Devices
    Seungjoo Kim

    Lecture Notes in Computer Science, 2005

    Group key agreement protocols are designed to provide a group of parties securely communicating over a public network with a session key. The mobile computing architecture is asymmetric in the sense of computational capabilities of participants. That is, the protocol participants consist of the stationary server (application servers) with sufficient computational power and a cluster of mobile devices (clients) with limited computational resources. It is desirable to minimize the amount of computation performed by each group member in a group involving low-power mobile devices such as smart cards or personal digital assistants (PDAs). Furthermore, we are required to update the group key with low computational costs when the members need to be excluded from the group or multiple new members need to be brought into an existing group. In this paper, we propose a dynamic group key protocol that offers computational efficiency to the clients with low-power mobile devices. We compare the total communicative and computational costs of our protocol with others and prove its security against a passive adversary in the random oracle model.

    View PDFchevron_right
    Modeling key compromise impersonation attacks on group key exchange protocols
    Mark Manulis

    ACM Transactions on Information and System Security, 2011

    A key exchange protocol allows a set of parties to agree upon a secret session key over a public network. Two-party key exchange (2PKE) protocols have been rigorously analyzed under various models considering different adversarial actions. However, the analysis of group key exchange (GKE) protocols has not been as extensive as that of 2PKE protocols. Particularly, the security attribute of key compromise impersonation (KCI) resilience has so far been ignored for the case of GKE protocols. We first model the security of GKE protocols addressing KCI attacks by both outsider and insider adversaries. We then show that a few existing protocols are not secure even against outsider KCI attacks. The attacks on these protocols demonstrate the necessity of considering KCI resilience for GKE protocols. Finally, we give a new proof of security for an existing GKE protocol under the revised model assuming random oracles.

    View PDFchevron_right
    580 California St., Suite 400
    San Francisco, CA, 94104
    © 2025 Academia. All rights reserved