Results 1 - 10 of 20
One-Round Protocols for Two-Party Authenticated Key Exchange
- ACNS, 2004
Cited by 23 (1 self)
Abstract. Cryptographic protocol design in a two-party setting has often ignored the possibility of simultaneous message transmission by each of the two parties (i.e., using a duplex channel). In particular, most protocols for two-party key exchange have been designed assuming that parties alternate sending their messages (i.e., assuming a bidirectional half-duplex channel). However, by taking advantage of the communication characteristics of the network it may be possible to design protocols with improved latency. This is the focus of the present work. We present a number of provably-secure protocols for two-party authenticated key exchange (AKE) which require only a single round. Our first protocol provides key independence only, and is analyzed in the random oracle model. This scheme matches the most efficient AKE protocols among those found in the literature. Our second scheme additionally provides forward secrecy, and is also analyzed in the random oracle model. Our final protocol provides the same strong security guarantees, but is proven secure in the standard model. This scheme is only slightly less efficient (from a computational perspective) than the previous ones. These last two schemes are the first provably-secure one-round protocols for authenticated 2-party key exchange which provide forward secrecy.
Constant-Round Authenticated Group Key Exchange for Dynamic Groups
- In Proceedings of Asiacrypt 2004, LNCS 3329, 2004
Cited by 21 (0 self)
Abstract. An authenticated group key exchange (AGKE) scheme allows a group of users in a public network to share a session key which may later be used to achieve desirable cryptographic goals. In this paper, we study AGKE schemes for dynamically changing groups in ad hoc networks, i.e., for environments in which a member of a group may join and/or leave at any given time and a group key is exchanged without the help of any central server. Difficulties in group key management under such environments are caused by the dynamically changing group and the absence of any trustee. In most AGKE schemes proposed so far in the literature, the number of rounds is linear in the number of group members. Such schemes are neither scalable nor practical, since the number of group members may be quite large and the efficiency of the schemes is severely degraded by a single member's delay. We propose an efficient, provably secure, constant-round AGKE scheme. The proposed scheme is still contributory and efficient: each user executes three modular exponentiations and at most O(n) XOR operations.
Errors in Computational Complexity Proofs for Protocols
- 2005
Cited by 12 (8 self)
Proofs are invaluable tools in assuring protocol implementers about the security properties of protocols. However, several instances of undetected flaws in the proofs of protocols (resulting in flawed protocols) undermine the credibility of provably-secure protocols. In this work, we examine several protocols with claimed proofs of security by Boyd & González Nieto (2003), Jakobsson & Pointcheval (2001), and Wong & Chan (2001), and an authenticator by Bellare, Canetti, & Krawczyk (1998). Using these protocols as case studies, we reveal previously unpublished flaws in these protocols and their proofs. We hope our analysis will enable similar mistakes to be avoided in the future.
On Session Identifiers in Provably Secure Protocols - The Bellare-Rogaway Three-Party Key Distribution Protocol Revisited
- In Carlo Blundo and Stelvio Cimato, editors, Fourth Conference on Security in Communication Networks - SCN 2004 Proceedings, volume 3352 of Lecture Notes in Computer Science, 2004
Cited by 9 (4 self)
We examine the role of session identifiers (SIDs) in security proofs for key establishment protocols. After reviewing the practical importance of SIDs we use as a case study the three-party server-based key distribution (3PKD) protocol of Bellare and Rogaway, proven secure in 1995. We show incidentally that the partnership function used in the existing security proof is flawed. There seems to be no way to define a SID for the 3PKD protocol that will preserve the proof of security. A small change to the protocol allows a natural definition for a SID and we prove that the new protocol is secure using this SID to define partnering.
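The one-round, duplex exchange of the first abstract in this list and the session identifier discussed in this one, as an added example that is not code from either paper: both parties send their single message at the same time, each message is authenticated, and the session identifier that defines partnering is computed from the two messages in a canonical order so that both ends obtain the same value. Assumptions not taken from the page: authentication uses an HMAC under a pre-shared long-term key k_ab in place of signatures, the Diffie-Hellman group is RFC 3526 group 14 (2048-bit MODP, g = 2), the session key is the hash of the session identifier together with the Diffie-Hellman value, and the identities, long-term key and messages are constructed for the demonstration.

```python
"""One-round (duplex) authenticated key exchange with an explicit session
identifier.  Added illustration; not the construction of either paper.

Assumptions (not from the page): HMAC under a pre-shared long-term key k_ab
stands in for signatures; the group is RFC 3526 group 14; the session
identifier is the hash of the two messages in canonical order.
"""
import hashlib
import hmac
import secrets

# RFC 3526 group 14 prime, transcribed from the RFC.  The Fermat check below
# rejects a mistyped digit (2^(P-1) mod P would not be 1 for a non-prime).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
    "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
    "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
    "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"
    "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"
    "15728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2
Q = (P - 1) // 2            # P is a safe prime; G generates the order-Q subgroup
assert pow(G, P - 1, P) == 1


def new_ephemeral():
    """Fresh secret exponent and public value g^x.  The exponent is discarded
    after the session, which is what gives forward secrecy."""
    x = secrets.randbits(256) | 1   # 256-bit exponent is ample for a 2048-bit group
    return x, pow(G, x, P)


def make_message(sender, receiver, gx, k_ab):
    """The single message each party sends, at the same time as its peer.
    Sender and intended receiver are bound under the MAC so a message cannot
    be reflected back to its author or redirected to a third party."""
    body = f"{sender}|{receiver}|{gx:x}".encode()
    tag = hmac.new(k_ab, body, hashlib.sha256).digest()
    return body, tag


def valid_public_value(y):
    """Reject 0, 1, P-1 and anything outside the prime-order subgroup."""
    return 1 < y < P - 1 and pow(y, Q, P) == 1


def session_id(body_1, body_2):
    """sid = H(messages in canonical order).  Both ends obtain the same value
    whichever message they sent; partnering is defined by equality of sid."""
    first, second = sorted([body_1, body_2])
    return hashlib.sha256(first + b"||" + second).hexdigest()


def accept(me, peer, x, my_body, peer_body, peer_tag, k_ab):
    """Run by each party once the peer's message arrives.  Returns (sid, key)
    or raises if the message is not an authentic message from peer to me."""
    expected = hmac.new(k_ab, peer_body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, peer_tag):
        raise ValueError("MAC check failed")
    sender, receiver, gy_hex = peer_body.decode().split("|")
    if sender != peer or receiver != me:
        raise ValueError("message is not addressed from peer to me")
    gy = int(gy_hex, 16)
    if not valid_public_value(gy):
        raise ValueError("bad ephemeral public value")
    sid = session_id(my_body, peer_body)
    shared = pow(gy, x, P).to_bytes(256, "big")
    key = hashlib.sha256(b"AKE-key|" + sid.encode() + b"|" + shared).digest()
    return sid, key


def run_exchange(id_a, id_b, k_ab):
    """Both parties send simultaneously (one round), then both accept."""
    xa, ga = new_ephemeral()
    xb, gb = new_ephemeral()
    msg_a = make_message(id_a, id_b, ga, k_ab)   # A -> B
    msg_b = make_message(id_b, id_a, gb, k_ab)   # B -> A, sent at the same time
    sid_a, key_a = accept(id_a, id_b, xa, msg_a[0], msg_b[0], msg_b[1], k_ab)
    sid_b, key_b = accept(id_b, id_a, xb, msg_b[0], msg_a[0], msg_a[1], k_ab)
    return sid_a, key_a, sid_b, key_b


def reflection_is_rejected(id_a, id_b, k_ab):
    """An attacker bouncing A's own message back to A must be refused by A."""
    xa, ga = new_ephemeral()
    body, tag = make_message(id_a, id_b, ga, k_ab)
    try:
        accept(id_a, id_b, xa, body, body, tag, k_ab)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    k = secrets.token_bytes(32)   # constructed long-term key shared by A and B
    sa, ka, sb, kb = run_exchange("alice", "bob", k)
    print("same sid:", sa == sb, " same key:", ka == kb)
    print("reflection rejected:", reflection_is_rejected("alice", "bob", k))
```

Because each party authenticates only its own message before it has seen the peer's, the MAC has to bind sender and intended receiver; under a shared long-term key, omitting that binding would let an attacker reflect a party's own message back to it. A single round also leaves no room for key confirmation, so an accepted key is only confirmed when it is first used on the channel.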
DDH-based Group Key Agreement for Mobile Computing
- 2004
Cited by 7 (1 self)
A group key agreement protocol is designed to efficiently implement secure multicast channels for a group of parties communicating over an untrusted, open network by allowing them to agree on a common secret key. In the past decade many problems related to group key agreement have been tackled and solved (diminished if not solved), and recently some constant-round protocols have been proven secure in a concrete, realistic setting. However, all forward-secure protocols so far are still too expensive for small mobile devices. In this paper we propose a new constant-round protocol well suited for a mobile environment and prove its security under the Decisional Diffie-Hellman assumption. The protocol meets simplicity, efficiency, and all the desired security properties.
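The constant-round, contributory group key agreement that this abstract and the Asiacrypt 2004 abstract above describe in general terms, as an added example that is not the scheme of either paper: a Burmester-Desmedt style exchange, whose passive security rests on the DDH assumption, in which every member broadcasts once in each of two rounds and every member ends with the same key g^{r_0 r_1 + r_1 r_2 + ... + r_{n-1} r_0}. Assumptions not taken from the page: the group is RFC 3526 group 5 (1536-bit MODP, g = 2, kept here for brevity; use a larger group in practice), broadcasts are modelled as shared Python lists, membership is a fixed ring indexed 0..n-1, and authentication of the broadcasts is left out.

```python
"""Burmester-Desmedt style two-round contributory group key agreement.
Added illustration of the protocol class the abstracts describe; not the
scheme of either paper.

Assumptions (not from the page): RFC 3526 group 5 (1536-bit MODP, g = 2);
broadcasts are shared lists; members sit on a ring 0..n-1; broadcasts are
not authenticated here.
"""
import hashlib
import secrets

# RFC 3526 group 5 prime, transcribed from the RFC; Fermat check catches a
# mistyped digit.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
    "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
    "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
    "670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF", 16)
G = 2
Q = (P - 1) // 2            # safe prime: G generates the order-Q subgroup
assert pow(G, P - 1, P) == 1


def inv(a):
    """Modular inverse via Fermat (P is prime)."""
    return pow(a, P - 2, P)


def round1(n):
    """Round 1: member i picks r_i and broadcasts z_i = g^r_i.
    Returns (secret exponents, broadcast list)."""
    r = [secrets.randbits(256) | 1 for _ in range(n)]
    z = [pow(G, ri, P) for ri in r]
    return r, z


def round2(r, z):
    """Round 2: member i broadcasts X_i = (z_{i+1} / z_{i-1})^{r_i}.  Only the
    two ring neighbours' round-1 values are needed, so two rounds suffice for
    any n.  All n values are computed here in one place to simulate the
    broadcast; every received z is first checked to lie in the subgroup."""
    n = len(z)
    for zi in z:
        if not (1 < zi < P - 1 and pow(zi, Q, P) == 1):
            raise ValueError("round-1 value outside the prime-order subgroup")
    return [pow(z[(i + 1) % n] * inv(z[(i - 1) % n]) % P, r[i], P)
            for i in range(n)]


def member_key(i, r_i, z, X):
    """K_i = z_{i-1}^{n r_i} * X_i^{n-1} * X_{i+1}^{n-2} * ... * X_{i+n-2}^1,
    which equals g^{r_0 r_1 + r_1 r_2 + ... + r_{n-1} r_0} for every i.
    Member i uses only its own r_i plus the public broadcasts."""
    n = len(z)
    k = pow(z[(i - 1) % n], n * r_i, P)
    for j in range(n - 1):
        k = k * pow(X[(i + j) % n], n - 1 - j, P) % P
    return k


def reference_key(r):
    """g^{sum_i r_i r_{i+1}} computed directly from all secrets; something no
    single member can do, used only to check member_key."""
    n = len(r)
    e = sum(r[i] * r[(i + 1) % n] for i in range(n))
    return pow(G, e, P)


def group_key(n):
    """Run both rounds for n members and return each member's derived session
    key (hash of the group element); all n entries are equal."""
    r, z = round1(n)
    X = round2(r, z)
    return [hashlib.sha256(member_key(i, r[i], z, X).to_bytes(192, "big")).hexdigest()
            for i in range(n)]


if __name__ == "__main__":
    keys = group_key(5)
    print("members agree:", len(set(keys)) == 1, keys[0][:16] + "...")
```

Per member the cost is two large-exponent exponentiations (one per round) plus the final combination, whose exponents are bounded by n; the round count is two regardless of n, which is the property the abstracts contrast with schemes whose rounds grow linearly in the group size. A join or leave in this basic form means re-running both rounds, which is the cost the dynamic-group schemes in this list set out to reduce.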
A Three Round Authenticated Group Key Agreement Protocol for Ad hoc Networks
- In Elsevier Journal on Pervasive and Mobile Computing, 2005
Cited by 5 (1 self)
Group Key Agreement (GKA) protocols enable the participants to derive a key based on each one's contribution over a public network without any central authority. They also provide efficient ways to change the key when the participants change. While some of the proposed GKA protocols are too resource consuming for the constrained devices often present in ad hoc networks, others lack a formal security analysis. In this paper, we propose a simple, efficient and secure GKA protocol well-suited to ad hoc networks and present results of our implementation of the same in a prototype application. Key words: key agreement, ad hoc networks, provable security, cryptographic protocols.
An Efficient Group Key Agreement Protocol for Ad hoc Networks
- In First International IEEE WoWMoM Workshop on Trust, Security and Privacy for Ubiquitous Computing, 2005
Cited by 5 (1 self)
A Group Key Agreement (GKA) protocol is a mechanism to establish a cryptographic key for a group of participants, based on each one's contribution, over a public network. The key, thus derived, can be used to establish a secure channel between the participants. When the group composition changes (or otherwise), one can employ supplementary GKA protocols to derive a new key. Thus, they are well-suited to the key establishment needs of dynamic peer-to-peer networks as in ad hoc networks. While many of the proposed GKA protocols are too expensive to be employed by the constrained devices often present in ad hoc networks, others lack a formal security analysis. In this paper, we present a simple, secure and efficient GKA protocol well suited to dynamic ad hoc networks. We also present results of our implementation of the protocol in a prototype application.
Secure Group Communications over Combined Wired/Wireless Network
- Proc. of TrustBus 2005, Lecture Notes in Computer Science, 2005
Cited by 4 (0 self)
This paper considers the fundamental problem of key agreement among a group of parties communicating over an insecure public network. Over the years, a number of solutions to this problem have been proposed with varying degrees of complexity. However, there seems to have been no previous systematic look at the growing problem of key agreement over combined wired/wireless networks, consisting of both high-performance computing machines and low-power mobile devices. In this paper we present an efficient group key agreement scheme well suited for this networking environment. Our construction is intuitively simple, and yet offers a scalable solution to the problem.
On Security Models and Compilers for Group Key Exchange Protocols
- In Proceedings of the 2nd International Workshop on Security (IWSEC 2007), 2007
Cited by 4 (1 self)
Abstract. Group key exchange (GKE) protocols can be used to guarantee confidentiality and group authentication formalization (security model) that considers the environment of the protocol and identifies its security goals. The first security model for GKE protocols was proposed by Bresson, Chevassut, Pointcheval, and Quisquater in 2001, and has subsequently been applied in many security proofs. Their definitions of AKE- and MA-security have meanwhile become standard. In this paper we analyze the BCPQ model and some of its later modifications and identify several security risks resulting from the technical construction of this model, namely the notion of partnering. Consequently, we propose a revised model with extended definitions for AKE- and MA-security capturing, in addition, attacks by malicious protocol participants. Further, we analyze some well-known generic solutions (compilers) for AKE- and MA-security of GKE protocols that were proposed based on the definitions of the BCPQ model and its variants, and identify several limitations resulting from the underlying assumptions. In order to remove these limitations and at the same time to show that our revised security model is in fact practical enough for the construction of reductionist security proofs, we describe a modified compiler which provides AKE- and MA-security for any GKE protocol under standard cryptographic assumptions. Key words: Group key exchange, extended security model, malicious participants, compiler for AKE- and
Provably-Secure and Communication-Efficient Scheme for Dynamic Group Key Exchange
- 2004
Cited by 2 (0 self)
Group key agreement protocols are designed to solve the fundamental problem of securely establishing a session key among a group of parties communicating over a public channel. Although a number of protocols...

