Results 1 - 10 of 39
Provably Authenticated Group Diffie-Hellman Key Exchange
2001
Abstract

Cited by 119 (17 self)
Group Diffie-Hellman protocols for Authenticated Key Exchange (AKE) are designed to provide a pool of players with a shared secret key which may later be used, for example, to achieve multicast message integrity. Over the years, several schemes have been offered. However, no formal treatment for this cryptographic problem has ever been suggested. In this paper, we present a security model for this problem and use it to precisely define AKE (with "implicit" authentication) as the fundamental goal, and the entity-authentication goal as well. We then define in this model the execution of an authenticated group Diffie-Hellman scheme and prove its security.
Scalable Protocols for Authenticated Group Key Exchange
Advances in Cryptology — Crypto 2003, LNCS
Abstract

Cited by 103 (2 self)
We consider the problem of authenticated group key exchange among n parties communicating over an insecure public network. A number of solutions to this problem have been proposed; however, all prior provably-secure solutions do not scale well and, in particular, require O(n) rounds. Our main contribution is the first scalable protocol for this problem along with a rigorous proof of security in the standard model under the DDH assumption; our protocol uses a constant number of rounds and requires only O(1) "full" modular exponentiations per user. Toward this goal (and adapting work of Bellare, Canetti, and Krawczyk), we first present an efficient compiler that transforms any group key-exchange protocol secure against a passive eavesdropper to an authenticated protocol which is secure against an active adversary who controls all communication in the network. This compiler adds only one round and O(1) communication (per user) to the original scheme. We then prove secure — against a passive adversary — a variant of the two-round group key-exchange protocol of Burmester and Desmedt. Applying our compiler to this protocol results in a provably-secure three-round protocol for authenticated group key exchange which also achieves forward secrecy.
Formal Methods for Cryptographic Protocol Analysis: Emerging Issues and Trends
2003
Abstract

Cited by 60 (0 self)
The history of the application of formal methods to cryptographic protocol analysis spans over 20 years and recently has been showing signs of new maturity and consolidation. Not only have a number of specialized tools been developed, and general-purpose ones been adapted, but people have begun applying these tools to realistic protocols, in many cases supplying feedback to designers that can be used to improve the protocol's security. In this paper, we will describe some of the ongoing work in this area, as well as describe some of the new challenges and the ways in which they are being met.
Deciding the security of protocols with Diffie-Hellman exponentiation and products in exponents
2003
Symbolic protocol analysis with products and Diffie-Hellman exponentiation
2003
Abstract

Cited by 36 (0 self)
We demonstrate that for any well-defined cryptographic protocol, the symbolic trace reachability problem in the presence of an Abelian group operator (e.g., multiplication) can be reduced to solvability of a decidable system of quadratic Diophantine equations. This result enables complete, fully automated formal analysis of protocols that employ primitives such as Diffie-Hellman exponentiation, multiplication, and xor, with a bounded number of role instances, but without imposing any bounds on the size of terms created by the attacker.
Round-optimal contributory conference key agreement
2003
Abstract

Cited by 34 (5 self)
Becker and Wille derived a lower bound of only one round for multi-party contributory key agreement protocols. Up until now no protocol meeting this bound has been proven secure. We present a protocol meeting the bound and prove it is secure in Bellare and Rogaway's model. The protocol is much more efficient than other conference key agreement protocols with provable security, but lacks forward secrecy.
A Unification Algorithm for the Group Diffie-Hellman Protocol
In Proc. of WITS 2002
2002
Abstract

Cited by 27 (3 self)
Equational unification can be an effective tool for the analysis of cryptographic protocols. This, for example
Abstraction and Resolution Modulo AC: How to Verify Diffie-Hellman-like Protocols Automatically
2004
Abstract

Cited by 22 (4 self)
We show how cryptographic protocols using Diffie-Hellman primitives, i.e., modular exponentiation on a fixed generator, can be encoded in Horn clauses modulo associativity and commutativity. In order to obtain a sufficient criterion of security, we design a complete (but not sound in general) resolution procedure for a class of flattened clauses modulo simple equational theories, including associativity-commutativity. We report on a practical implementation of this algorithm in the MOP modular platform for automated proving; in particular, we obtain the first fully automated proof of security of the IKA.1 initial key agreement protocol in the so-called pure eavesdropper model.
Decidable analysis of cryptographic protocols with products and modular exponentiation
In Proc. 13th European Symposium on Programming (ESOP '04), volume 2986 of LNCS
2004
Abstract

Cited by 16 (2 self)
We demonstrate that the symbolic trace reachability problem for cryptographic protocols is decidable in the presence of an Abelian group operator and modular exponentiation from arbitrary bases. We represent the problem as a sequence of symbolic inference constraints and reduce it to a system of linear Diophantine equations. For a finite number of protocol sessions, this result enables fully automated, sound and complete analysis of protocols that employ primitives such as Diffie-Hellman exponentiation and modular multiplication without imposing any bounds on the size of terms created by the attacker, but taking into account the relevant algebraic properties.
Symbolic protocol analysis with an abelian group operator or Diffie-Hellman exponentiation
Journal of Computer Security
2005
Abstract

Cited by 14 (1 self)
We demonstrate that for any well-defined cryptographic protocol, the symbolic trace reachability problem in the presence of an Abelian group operator (e.g., multiplication) can be reduced to solvability of a decidable system of quadratic Diophantine equations. This result enables complete, fully automated formal analysis of protocols that employ primitives such as Diffie-Hellman exponentiation, multiplication, and xor, with a bounded number of role instances, but without imposing any bounds on the size of terms created by the attacker.