## Dynamic Group Diffie-Hellman Key Exchange under Standard Assumptions (2002)

### Download Links

- [www.di.ens.fr]
- [www.dice.ucl.ac.be]
- [www.iacr.org]
- DBLP

### Other Repositories/Bibliography

Citations: 65 (13 self-citations)

### BibTeX

```bibtex
@MISC{Bresson02dynamicgroup,
  author = {E. Bresson and Olivier Chevassut and David Pointcheval},
  title = {Dynamic Group Diffie-Hellman Key Exchange under Standard Assumptions},
  year = {2002}
}
```


### Abstract

Authenticated Diffie-Hellman key exchange allows two principals communicating over a public network, and each holding public/private keys, to agree on a shared secret value. In this paper we study the natural extension of this cryptographic problem to a group of principals. We begin from existing formal security models and refine them to incorporate major missing details (e.g., strong-corruption and concurrent sessions). Within this model we define the execution of a protocol for authenticated dynamic group Diffie-Hellman and show that it is provably secure under the decisional Diffie-Hellman assumption. Our security result holds in the standard model and thus provides better security guarantees than previously published results in the random oracle model.

### Citations

2925 | New directions in cryptography
- Diffie, Hellman
- 1976

Citation context: ...ce. Finally, in Section 5 we show that the protocol AKE1+ is provably secure in the standard model. Related Work. Several papers [1,10,19,14,27] have extended the 2-party Diffie-Hellman key exchange [13] to the multi-party setting; however, a formal analysis has only been proposed recently. In [8,7], we defined a formal model for the authenticated (dynamic) group Diffie-Hellman key exchange and proved ...

1418 | Random Oracles are Practical: A Paradigm for Designing Efficient Protocols
- Bellare, Rogaway
- 1995

Citation context: ...lman problem and the existence of a pseudo-random function family. Our security theorem does not need a random oracle assumption [4] and thus holds in the standard model. A proof in the standard model provides better security guarantees than one in an idealized model of computation [8,7]. Furthermore we exhibit a security reductio...

750 | A pseudorandom generator from any one-way function
- Håstad, Impagliazzo, et al.
- 1999

Citation context: ...F1 and F2 are implemented via the so-called “entropy-smoothing” property. We use the left-over-hash lemma to obtain (almost) uniformly distributed values over {0,1}^ℓ. Lemma 3 (Left-Over-Hash Lemma [17]). Let D_s : {0,1}^s be a probabilistic space with entropy at least σ. Let e be an integer and ℓ = σ − 2e. Let h : {0,1}^k × {0,1}^s → {0,1}^ℓ be a universal hash function. Let r ∈_U {0,1}^k, x ∈ D_s...

500 | Keying hash functions for message authentication
- Bellare, Canetti, et al.
- 1996

Citation context: ...Message Authentication Code. A Message Authentication Code MAC = (MAC.Sgn, MAC.Vf) consists of the following two algorithms (where the key space is uniformly distributed) [2]: – The authentication algorithm MAC.Sgn which, on a message m and a key K as input, outputs a tag µ. We write µ ← MAC.Sgn(K, m). The pair (m, µ) is called an authenticated message. – The verification...

343 | Authenticated Key Exchange Secure Against Dictionary Attacks
- Bellare, Pointcheval, et al.
- 2000

Citation context: ...ly recently formal models have been refined to incorporate the cryptographic action of erasing a secret, and thus protocols achieving forward-secrecy in the strong-corruption sense have been proposed [3,24]. Protocols for group Diffie-Hellman key exchange [7] achieve the property of forward-secrecy in the strong-corruption sense assuming that “ephemeral” private keys are erased upon completion of a prot...

337 | Group communication specifications: A comprehensive study
- Chockler, Keidar, et al.
- 2001

Citation context: ...in a pool of principals agree on a shared secret value. We refer to this extension as authenticated group Diffie-Hellman key exchange. Consider scientific collaborations and conferencing applications [5,11], such as data sharing or electronic notebooks. Applications of this type usually involve ...

277 | Authentication and authenticated key exchanges
- Diffie, Oorschot, et al.
- 1992

Citation context: ...nly known to the principals in the multicast group during the period when sk′ is the session key. (2-party) Diffie-Hellman key exchange protocols also usually achieve the property of forward-secrecy [15,16] which entails that corruption of a principal’s long-term key does not threaten the security of previously established session keys. Assuming the ability to erase a secret, some of these protocols ach...

269 | New directions in cryptography - Diffie, Hellman - 1976

217 | Diffie-Hellman key distribution extended to group communication
- Steiner, Tsudik, et al.
- 1996

Citation context: ...by Adv^{gddh_Γ}_G(∆). The G-DDH_Γ problem is (T, ε)-intractable if there is no (T, ε)-G-DDH_Γ-distinguisher for G. If Γ = P(I)\{I_n}, we say that G-DH_Γ is the Full Generalized Diffie-Hellman distribution [6,20,26]. Note that if n = 2, we get the classical DDH problem, for which we use the straightforward notation Adv^{ddh}_G(·). Lemma 1. The DDH assumption implies the G-DDH assumption. Proof. Steiner, Tsudik an...

212 | A Secure and Efficient Conference Key Distribution System
- Burmester, Desmedt
- 1995

Citation context: ...t down into functions. This helps us to implement the abstract interface. Finally, in Section 5 we show that the protocol AKE1+ is provably secure in the standard model. Related Work. Several papers [1,10,19,14,27] have extended the 2-party Diffie-Hellman key exchange [13] to the multi-party setting; however, a formal analysis has only been proposed recently. In [8,7], we defined a formal model for the authentica...

208 | The Decision Diffie-Hellman Problem
- Boneh
- 1998

Citation context: ...by Adv^{gddh_Γ}_G(∆). The G-DDH_Γ problem is (T, ε)-intractable if there is no (T, ε)-G-DDH_Γ-distinguisher for G. If Γ = P(I)\{I_n}, we say that G-DH_Γ is the Full Generalized Diffie-Hellman distribution [6,20,26]. Note that if n = 2, we get the classical DDH problem, for which we use the straightforward notation Adv^{ddh}_G(·). Lemma 1. The DDH assumption implies the G-DDH assumption. Proof. Steiner, Tsudik an...

208 | Validating a high-performance, programmable secure coprocessor
- Smith, Perez, et al.
- 1999

Citation context: ...nternal state (i.e. strong-corruption [24]). In practice secret erasure is, for example, implemented by hardware devices which use physical security and tamper detection to not reveal any information [12,22,21,28]. Protocols for group Diffie-Hellman key exchange need to achieve forward-secrecy even when facing strong-corruption. Contributions. This paper is the third tier in the formal treatment of the group D...

152 | Number-theoretic constructions of efficient pseudo-random functions
- Naor, Reingold
- 1997

Citation context: ...by Adv^{gddh_Γ}_G(∆). The G-DDH_Γ problem is (T, ε)-intractable if there is no (T, ε)-G-DDH_Γ-distinguisher for G. If Γ = P(I)\{I_n}, we say that G-DH_Γ is the Full Generalized Diffie-Hellman distribution [6,20,26]. Note that if n = 2, we get the classical DDH problem, for which we use the straightforward notation Adv^{ddh}_G(·). Lemma 1. The DDH assumption implies the G-DDH assumption. Proof. Steiner, Tsudik an...

124 | Provably authenticated group Diffie-Hellman key exchange
- Bresson, Chevassut, et al.
- 2001

Citation context: ...er is the third tier in the formal treatment of the group Diffie-Hellman key exchange using public/private key pairs. The first tier was provided for a scenario wherein the group membership is static [7] and the second, by extension of the latter, for a scenario wherein the group membership is dynamic [8]. We start from the latter formal model and refine it to add important attributes. In the present ...

99 | OAEP Reconsidered
- Shoup
- 2001

Citation context: ...efine a sequence of games starting at G_0 and ending up at G_5. We define in the execution of G_{i−1} and G_i a certain “bad” event E_i and show that as long as E_i does not occur the two games are identical [25]. The difficulty is in choosing the “bad” event. We then show that the advantage of A in breaking the AKE security of P can be bounded by the probability that the “bad” events happen. We now define th...

96 | Authenticated group key agreement and friends
- Ateniese, Steiner, et al.
- 2000

Citation context: ...t down into functions. This helps us to implement the abstract interface. Finally, in Section 5 we show that the protocol AKE1+ is provably secure in the standard model. Related Work. Several papers [1,10,19,14,27] have extended the 2-party Diffie-Hellman key exchange [13] to the multi-party setting; however, a formal analysis has only been proposed recently. In [8,7], we defined a formal model for the authentica...

96 | A secure audio teleconference system
- Steer, Strawczynski, et al.
- 1988

Citation context: ...t down into functions. This helps us to implement the abstract interface. Finally, in Section 5 we show that the protocol AKE1+ is provably secure in the standard model. Related Work. Several papers [1,10,19,14,27] have extended the 2-party Diffie-Hellman key exchange [13] to the multi-party setting; however, a formal analysis has only been proposed recently. In [8,7], we defined a formal model for the authentica...

80 | On Formal Models for Secure Key Exchange
- Shoup
- 1999

Citation context: ...ished session keys. Assuming the ability to erase a secret, some of these protocols achieve forward-secrecy even if the corruption also releases the principal’s internal state (i.e. strong-corruption [24]). In practice secret erasure is, for example, implemented by hardware devices which use physical security and tamper detection to not reveal any information [12,22,21,28]. Protocols for group Diffie-...

71 | Authenticated multi-party key agreement
- Just, Vaudenay
- 1996

52 | A review of experiences with reliable multicast. Software Practice and Experience
- Birman
- 1999

Citation context: ...in a pool of principals agree on a shared secret value. We refer to this extension as authenticated group Diffie-Hellman key exchange. Consider scientific collaborations and conferencing applications [5,11], such as data sharing or electronic notebooks. Applications of this type usually involve ...

52 | Authentication and authenticated key exchanges - Diffie, Oorschot, et al. - 1992

45 | Physical security devices for computer subsystems: A survey of attacks and defenses
- Weingart

Citation context: ... A gets back the internal data stored on the secure coprocessor. This query can be seen as an attack wherein A gets physical access to a secure coprocessor and bypasses the tamper detection mechanism [29]. This query is only available to the adversary when considering the strong-corruption model (see Section 5). The Corrupt_c-query also reveals the flows the secure coprocessor and the smart card have e...

43 | Session key distribution using smart cards
- Shoup, Rubin
- 1996

Citation context: ...graphic devices which are made available to the adversary through queries. Hardware devices are useful to overcome software limitations; however, there has thus far been little formal security analysis [12,23]. The types of crypto-devices and our notion of forward-secrecy lead us to modifications of existing protocols to obtain a protocol, which we refer to as AKE1+, secure against strong corruptions. Due ...

39 | The decision Diffie-Hellman problem - Boneh - 1998

39 | Number theoretic constructions of efficient pseudo random functions - Naor, Reingold

32 | Security requirements for cryptographic modules
- FIPS
- 2002

Citation context: ...nternal state (i.e. strong-corruption [24]). In practice secret erasure is, for example, implemented by hardware devices which use physical security and tamper detection to not reveal any information [12,22,21,28]. Protocols for group Diffie-Hellman key exchange need to achieve forward-secrecy even when facing strong-corruption. Contributions. This paper is the third tier in the formal treatment of the group D...

31 | Diffie-Hellman key distribution extended to group communication - Steiner, Tsudik, et al. - 1996

21 | How to forget a secret
- Crescenzo, Ferguson, et al.
- 1999

Citation context: ...nternal state (i.e. strong-corruption [24]). In practice secret erasure is, for example, implemented by hardware devices which use physical security and tamper detection to not reveal any information [12,22,21,28]. Protocols for group Diffie-Hellman key exchange need to achieve forward-secrecy even when facing strong-corruption. Contributions. This paper is the third tier in the formal treatment of the group D...

15 | A secure and efficient conference key distribution system - Burmester, Desmedt - 1995

15 | Group Communication Specifications: A Comprehensive Study - Vitenberg, Keidar, et al. - 1999

13 | Provably Authenticated Group Diffie-Hellman Key Exchange - Bresson, Chevassut, et al. - 2001

13 | Dynamic Group Diffie-Hellman Key Exchange under Standard Assumptions - Bresson, Chevassut, et al. - 2002

10 | How to forget a secret
- Crescenzo, Ferguson, et al.
- 1999

Citation context: ...nternal state (i.e. strong-corruption [24]). In practice secret erasure is, for example, implemented by hardware devices which use physical security and tamper detection to not reveal any information [12,22,21,28]. Protocols for group Diffie-Hellman key exchange need to achieve forward-secrecy even when facing strong-corruption. Contributions. This paper is the third tier in the formal treatment of the group D...

9 | On the importance of securing your bins: The garbageman-in-the-middle attack
- Joye, Quisquater
- 1997

Citation context: ...mplemented or the model is insufficient. Cryptographic protocols assume, and do not usually explicitly state, that secrets are definitively and reliably erased (only the most recent secrets are kept) [12,18]. Only recently formal models have been refined to incorporate the cryptographic action of erasing a secret, and thus protocols achieving forward-secrecy in the strong-corruption sense have been propo...

8 | A practical and secure fault-tolerant conference-key agreement protocol
- Tzeng

5 | Smart cards requirements, properties, and applications
- Vedder, Weikmann
- 1997

3 | A pseudorandom generator from any one-way function
- Håstad, Impagliazzo, et al.
- 1999

Citation context: ...F1 and F2 are implemented via the so-called “entropy-smoothing” property. We use the left-over-hash lemma to obtain (almost) uniformly distributed values over {0,1}^ℓ. Lemma 3 (Left-Over-Hash Lemma [17]). Let D_s : {0,1}^s be a probabilistic space with entropy at least σ. Let e be an integer and ℓ = σ − 2e. Let h : {0,1}^k × {0,1}^s → {0,1}^ℓ be a universal hash function. Let r ∈_U {0,1}^k, x ∈ D_s...

1 | An identity-based key exchange protocol
- Gunter
- 1989

Citation context: ...nly known to the principals in the multicast group during the period when sk′ is the session key. (2-party) Diffie-Hellman key exchange protocols also usually achieve the property of forward-secrecy [15,16] which entails that corruption of a principal’s long-term key does not threaten the security of previously established session keys. Assuming the ability to erase a secret, some of these protocols ach...

1 | Session-key distribution using smart cards
- Rubin, Shoup
- 1996

Citation context: ...graphic devices which are made available to the adversary through queries. Hardware devices are useful to overcome software limitations; however, there has thus far been little formal security analysis [12,23]. The types of crypto-devices and our notion of forward-secrecy lead us to modifications of existing protocols to obtain a protocol, which we refer to as AKE1+, secure against strong corruptions. Due ...

1 | On the importance of securing your bins: The garbage-man-in-the-middle attack - Joye, Quisquater - 1997