Abstract. Minimizing complexity of group key exchange (GKE) protocols is an important milestone towards their practical deployment. An interesting approach to achieve this goal is to simplify the design of GKE protocols by using generic building blocks. In this paper we investigate the possibility of founding GKE protocols based on a primitive called multi key encapsulation mechanism (mKEM) and describe advantages and limitations of this approach. In particular, we show how to design a one-round GKE protocol which satisfies the classical requirement of authenticated key exchange (AKE) security, yet without forward secrecy. As a result, we obtain the first one-round GKE protocol secure in the standard model. We also conduct our analysis using recent formal models that take into account both outsider and insider attacks as well as the notion of key compromise impersonation resilience (KCIR). In contrast to previous models we show how to model both outsider and insider KCIR within the definition of mutual authentication. Our analysis additionally implies that the insider security compiler by Katz and Shin from ACM CCS 2005 can be used to achieve more than what is shown in the original work, namely both outsider and insider KCIR.

Abstract. Password-authenticated key exchange (PAKE) protocols are designed to be secure even when the secret key used for authentication is a human-memorable password. In this paper, we consider PAKE protocols in the group scenario, in which a group of clients, each of them shares a password with an “honest but curious ” server, intend to establish a common secret key (i.e., a group key) with the help of the server. In this setting, the key established is known to the clients only and no one else, including the server. Each client needs to remember passwords only while the server keeps passwords in addition to private keys related to his identity. Towards our goal, we present the first compiler that transforms any group key exchange (KE) protocol secure against a passive eavesdropping to a group PAKE which is secure against an active adversary who controls all communication in the network. This compiler is built on any group KE protocol (e.g., the Burmester-Desmedt protocol), any identity-based encryption (IBE) scheme (e.g., Gentry’s scheme), and any identity-based signature (IBS) scheme (e.g., Paterson-Schuldt scheme). It adds only two rounds and O(1) communication (per client) to the original group KE protocol. As long as a group PAKE protocol is constructed by our compiler with a group KE protocol, an IBE scheme and an IBS scheme which have provably security without random oracles, it can be proven to be secure without random oracles. 1

Securing group communications in resource constrained, infrastructure-less environments such as Mobile Ad Hoc Networks (MANETs) is a very challenging research direction in the area of wireless networking and security. This is true as MANETs are emerging as the desired environment for an increasing number of civilian, commercial and military applications, addressing an increasing number of users. Most of these applications are sensitive and require specific security guarantees. The inherent limitations of MANETs impose major difficulties in establishing a suitable secure group communications framework. Key Management (KM) is the operation that enables and supports the secure exchange of data and ensures the capability of members ’ secure cooperation as a group. KM protocols provide a common symmetric group key to all group members, and ensure that only legitimate members have access to a valid group key at any instance. Our work focuses on the design of efficient, robust, novel or improved group KM schemes, capable of distributed operation where key infrastructure components are absent or inaccessible, that accomplish the following: (a) better performance than this

Abstract—Group key management is an important functional building block for any secure multicast architecture. Thereby, it has been extensively studied in the literature. In this paper we present relevant group key management protocols. Then, we compare them against some pertinent performance criteria. Keywords—Multicast, Security, Group Key Management. I.

Abstract—Password-authenticated key exchange (PAKE) protocols are designed to be secure even when the secret key used for authentication is a human-memorable password. In this paper, we consider PAKE protocols in the group scenario, in which a group of clients, each of them shares a password with an “honest but curious ” server, intend to establish a common secret key (i.e., a group key) with the help of the server. In this setting, the key established is known to the clients only and no one else, including the server. Each client needs to remember passwords only while the server keeps passwords in addition to private keys related to his identity. Towards our goal, we present a compiler that transforms any group key exchange (KE) protocol secure against a passive eavesdropping to a group PAKE which is secure against an active adversary who controls all communication in the network. This compiler is built on any group KE protocol (e.g., the Burmester-Desmedt protocol), any identity-based encryption (IBE) scheme (e.g., Gentry’s scheme), and any identity-based signature (IBS) scheme (e.g., Paterson-Schuldt scheme). It adds only two rounds and O(1) communication (per client) to the original group KE protocol. As long as the underlying group KE protocol, IBE scheme and an IBS scheme have provably security without random oracles, a group PAKE constructed by our compiler can be proven to be secure without random oracles.

Abstract — Group key establishment is an important mechanism to construct a common session key for group communications. Key transfer protocols rely on a mutually trusted key generation center (KGC) to select session keys and transport session keys to all communication entities secretly. Most often, KGC encrypts session keys under another secret key shared with each entity during registration. In this paper, we propose an authenticated key transfer protocol based on secret sharing scheme that KGC can broadcast group key information to all group members at once and only authorized group members can recover the group key; but unauthorized users cannot recover the group key. The confidentiality of this transformation is information theoretically secure. We also provide authentication for transporting this group key. Goals and security threats of our proposed group key transfer protocol will be analyzed in detail. Key words—Group key transfer protocol, session key, secret sharing, confidentiality, authentication. 1