On Key Agreement and Conference Key Agreement
Information Security and Privacy: Australasian Conference, LNCS(1270):294–302, 1997
Cited by 21 (1 self)
An attack is demonstrated on a previously proposed class of key agreement protocols. Analysis of the attack reveals that a small change in the construction of the protocols is sufficient to prevent the attack. The insight gained allows a generalisation of the class to a new design for conference key agreement protocols.
Provably-Secure Authenticated Group Diffie-Hellman Key Exchange, 2007
Cited by 2 (0 self)
Authenticated key exchange protocols allow two participants A and B, communicating over a public network and each holding an authentication means, to exchange a shared secret value. Methods designed to deal with this cryptographic problem ensure A (resp. B) that no other participants aside from B (resp. A) can learn any information about the agreed value, and often also ensure A and B that their respective partner has actually computed this value. A natural extension to this cryptographic method is to consider a pool of participants exchanging a shared secret value and to provide a formal treatment for it. Starting from the famous 2-party Diffie-Hellman (DH) key exchange protocol, and from its authenticated variants, security experts have extended it to the multi-party setting for over a decade and completed a formal analysis in the framework of modern cryptography in the past few years. The present paper synthesizes this body of work on the provably-secure authenticated group DH key exchange.
Security Models and Proofs for Key Establishment Protocols
Cited by 1 (0 self)
Author’s declaration for electronic submission of a thesis: I hereby declare that I am the sole author of this thesis. This is a true copy of the thesis, including any required final revisions, as accepted by my examiners. I understand that my thesis may be made electronically available to the public.

In this thesis we study the problem of secure key establishment, motivated by the construction of secure channels protocols to protect information transmitted over an open network. In the past, the purported security of a key establishment protocol was justified if it could be shown to withstand popular attack scenarios by heuristic analysis. Since this approach does not account for all possible attacks, the security guarantees are limited and often insufficient. This thesis examines the provable security approach to the analysis of key establishment protocols. We present the security models and definitions developed in 2001 and 2002 by Canetti and Krawczyk, critique the appropriateness of the models, and provide several security proofs under the definitions. In addition, we consider the importance of the key compromise impersonation resilience property in the context of these models. We list some open problems that were encountered in the study.

Acknowledgements: I would like to sincerely thank my supervisor, Alfred Menezes, for his advice, guidance, patience and support. I would also like to thank my two readers, Doug Stinson and Edlyn Teske, for carefully reviewing my thesis. Their valuable feedback and suggestions are greatly appreciated. I would like to thank the faculty and staff members of the C&O Department for making my graduate experience truly stimulating and rewarding. A special thanks goes to Marg Feeney for assisting me with various administrative tasks far beyond her duties.
Generic One Round Group Key Exchange in the Standard Model
Cited by 1 (0 self)
Abstract. Minimizing complexity of group key exchange (GKE) protocols is an important milestone towards their practical deployment. An interesting approach to achieve this goal is to simplify the design of GKE protocols by using generic building blocks. In this paper we investigate the possibility of founding GKE protocols based on a primitive called multi key encapsulation mechanism (mKEM) and describe advantages and limitations of this approach. In particular, we show how to design a one-round GKE protocol which satisfies the classical requirement of authenticated key exchange (AKE) security, yet without forward secrecy. As a result, we obtain the first one-round GKE protocol secure in the standard model. We also conduct our analysis using recent formal models that take into account both outsider and insider attacks as well as the notion of key compromise impersonation resilience (KCIR). In contrast to previous models we show how to model both outsider and insider KCIR within the definition of mutual authentication. Our analysis additionally implies that the insider security compiler by Katz and Shin from ACM CCS 2005 can be used to achieve more than what is shown in the original work, namely both outsider and insider KCIR.

