Results 1 - 10 of 16
A survey of key management for secure group communication
- ACM Computing Surveys, 2003
Cited by 80 (0 self)
Group communication can benefit from IP multicast to achieve scalable exchange of messages. However, there is a challenge of effectively controlling access to the transmitted data. IP multicast by itself does not provide any mechanisms for preventing nongroup members to have access to the group communication. Although encryption
Scalable Protocols for Authenticated Group Key Exchange
- 2003
Cited by 79 (2 self)
We consider the fundamental problem of authenticated group key exchange among n parties within a larger and insecure public network. A number of solutions to this problem have been proposed; however, all provably-secure solutions thus far are not scalable and, in particular, require O(n) rounds. Our main contribution is the first scalable protocol for this problem along with a rigorous proof of security in the standard model under the DDH assumption; our protocol uses a constant number of rounds and requires only O(1) "full" modular exponentiations per user. Toward this goal and of independent interest, we first present a scalable compiler that transforms any group key-exchange protocol secure against a passive eavesdropper to an authenticated protocol which is secure against an active adversary who controls all communication in the network. This compiler adds only one round and O(1) communication (per user) to the original scheme. We then prove secure, against a passive adversary, a variant of the two-round group key-exchange protocol of Burmester and Desmedt.
One-Round Protocols for Two-Party Authenticated Key Exchange
- ACNS, 2004
Cited by 23 (1 self)
Cryptographic protocol design in a two-party setting has often ignored the possibility of simultaneous message transmission by each of the two parties (i.e., using a duplex channel). In particular, most protocols for two-party key exchange have been designed assuming that parties alternate sending their messages (i.e., assuming a bidirectional half-duplex channel). However, by taking advantage of the communication characteristics of the network it may be possible to design protocols with improved latency. This is the focus of the present work. We present a number of provably-secure protocols for two-party authenticated key exchange (AKE) which require only a single round. Our first protocol provides key independence only, and is analyzed in the random oracle model. This scheme matches the most efficient AKE protocols among those found in the literature. Our second scheme additionally provides forward secrecy, and is also analyzed in the random oracle model. Our final protocol provides the same strong security guarantees, but is proven secure in the standard model. This scheme is only slightly less efficient (from a computational perspective) than the previous ones. These last two schemes are the first provably-secure one-round protocols for authenticated 2-party key exchange which provide forward secrecy.
Group Key Management Protocols: A Novel Taxonomy
Cited by 14 (0 self)
Group key management is an important functional building block for any secure multicast architecture. Thereby, it has been extensively studied in the literature. In this paper we present relevant group key management protocols. Then, we compare them against some pertinent performance criteria.
Multimedia Security In Group Communications: Recent Progress in Wired and Wireless Networks
- 2002
Cited by 12 (5 self)
Multicast is an internetwork service that provides efficient delivery of data from a source to multiple receivers. It reduces the bandwidth requirements of the network and the computational overhead of the host devices. This makes multicast an ideal technology for communication among a large group of participants. Secure group communications involves many service types, including teleconferencing, pay TV and real-time delivery of stock quotes.
Asynchronous Group Key Exchange with Failures
- In Proceedings of the 23rd ACM Symposium on Principles of Distributed Computing (PODC 2004), 2004
Cited by 10 (1 self)
Group key exchange protocols allow a group of servers communicating over an asynchronous network of point-to-point links to establish a common key, such that an adversary which fully controls the network links (but not the group members) cannot learn the key. Currently known group key exchange protocols rely on the assumption that all group members participate in the protocol and if a single server crashes, then no server may terminate the protocol. In this paper, we propose the first purely asynchronous group key exchange protocol that tolerates a minority of servers to crash. Our solution uses a constant number of rounds, which makes it suitable for use in practice. Furthermore, we also investigate how to provide forward secrecy with respect to an adversary that may break into some servers and observe their internal state. We show that any group key exchange protocol among n servers that tolerates t_c > 0 servers to crash can only provide forward secrecy if the adversary breaks into less than n - 2t_c servers, and propose a group key exchange protocol that achieves this bound.
A Decentralised Architecture for Group Key Management
- LANCASTER UNIVERSITY, 2000
Cited by 5 (0 self)
In recent years many different proposals have been presented to solve the problem of multicast communication security. There are proposals that employ a central entity, which is responsible for managing the whole group, and thus is not scalable for large groups. Other proposals distribute the group key generation among all members of the group. This also does not scale to large groups because every single member of a group participates in the key generation. Yet, other proposals divide large groups into smaller ones, employing a controller for each subgroup. Although these proposals solve the problem of scalability, other issues are raised. For example, some of these schemes employ a central controller for the subgroup controllers, and thus, if the central (subgroup) controller is compromised the whole group will be disrupted. On the other hand, the proposals, which have solved this issue by removing the subgroup central controller, have introduced new problems such as interference in ...
Provably-Secure Authenticated Group Diffie-Hellman Key Exchange
- 2007
Cited by 2 (0 self)
Authenticated key exchange protocols allow two participants A and B, communicating over a public network and each holding an authentication means, to exchange a shared secret value. Methods designed to deal with this cryptographic problem ensure A (resp. B) that no other participants aside from B (resp. A) can learn any information about the agreed value, and often also ensure A and B that their respective partner has actually computed this value. A natural extension to this cryptographic method is to consider a pool of participants exchanging a shared secret value and to provide a formal treatment for it. Starting from the famous 2-party Diffie-Hellman (DH) key exchange protocol, and from its authenticated variants, security experts have extended it to the multi-party setting for over a decade and completed a formal analysis in the framework of modern cryptography in the past few years. The present paper synthesizes this body of work on the provably-secure authenticated group DH key exchange.
Key Management for Content Access Control in a Hierarchy
Cited by 1 (0 self)
The need for content access control in hierarchies (CACH) appears naturally in all contexts where a set of users have different access rights to a set of resources. The hierarchy is defined using the access rights. The different resources are encrypted using different keys. Key management is a critical issue for scalable content access control. In this paper, we study the problem of key management for CACH. We present main existing access control models, and show why these models are not suitable to the CACH applications, and why they are not implemented in the existing key management schemes. Furthermore, we classify these key management schemes into two approaches, and construct an access control model for each approach. The proposed access control models are then used to describe the schemes in a uniform and coherent way. A final contribution of our work consists of a classification of the CACH applications, a comparison of the key management schemes, and a study of the suitability of the existing schemes to the CACH applications with respect to some analytical measurements. Index Terms: content access control, confidentiality, group communication, key management, hierarchy.
Parallel Key Exchange
Cited by 1 (0 self)
In the paper we study parallel key exchange among multiple parties. The status of parallel key exchange can be depicted by a key graph. In a key graph, a vertex represents a party and an edge represents a relation of two parties who are to share a key. We first propose a security model for a key graph, which extends the Bellare-Rogaway model for two-party key exchange. Next, we clarify the relations among the various security notions of key exchange. Finally, we construct an efficient key exchange protocol for a key graph using the randomness re-use technique. Our protocol establishes the multiple keys corresponding to all edges of a key graph in a single session. The security of our protocol is proven in the standard model.

