## Password-based group key exchange in a constant number of rounds (2006)

### Cached

### Download Links

- [www.di.ens.fr]
- [www.di.ens.fr]
- [dsd.lbl.gov]
- [www.iacr.org]
- DBLP

### Other Repositories/Bibliography

Venue: | In Public Key Cryptography (PKC |

Citations: | 40 - 5 self |

### BibTeX

@INPROCEEDINGS{Abdalla06password-basedgroup,

author = {Michel Abdalla and Emmanuel Bresson and Olivier Chevassut and David Pointcheval},

title = {Password-based group key exchange in a constant number of rounds},

booktitle = {In Public Key Cryptography (PKC},

year = {2006},

pages = {427--442}

}

### Years of Citing Articles

### OpenURL

### Abstract

Abstract. With the development of grids, distributed applications are spread across multiple computing resources and require efficient security mechanisms among the processes. Although protocols for authenticated group Diffie-Hellman key exchange protocols seem to be the natural mechanisms for supporting these applications, current solutions are either limited by the use of public key infrastructures or by their scalability, requiring a number of rounds linear in the number of group members. To overcome these shortcomings, we propose in this paper the first provably-secure password-based constant-round group key exchange protocol. It is based on the protocol of Burmester and Desmedt and is provably-secure in the random-oracle and ideal-cipher models, under the Decisional Diffie-Hellman assumption. The new protocol is very efficient and fully scalable since it only requires four rounds of communication and four multi-exponentiations per user. Moreover, the new protocol avoids intricate authentication infrastructures by relying on passwords for authentication. 1

### Citations

1188 |
S.: Probabilistic Encryption
- Goldwasser, Micali
- 1984
(Show Context)
Citation Context ...ivalent: for any time bound T , Adv ddh G (T ) ≤ Adv pddhn G (T ) ≤ n Adv ddh G (T ). Proof. We omit the proof of this lemma in this version of the paper as it follows from a standard hybrid argument =-=[13,14]-=- with n+1 hybrid experiments, in which the first i DDH values are replaced by random ones in the i-th hybrid experiment for i ∈ {0, . . . , n}. In fact, a proof of this lemma was implicitly made in th... |

419 | The GRID 2: Blueprint for a New Computing Infrastructure”, Elsevier - Foster, Kesselman - 2004 |

316 | Authenticated key exchange secure against dictionary attacks
- Bellare, Pointcheval, et al.
- 2000
(Show Context)
Citation Context .... Then, in Section 4, we show how to add password-authentication services to the Burmester and Desmedt scheme [9, 10]. Our protocol is provably secure in the random-oracle [4] and ideal-cipher models =-=[3]-=- under the Decisional Diffie-Hellman assumption. Related Work. Following the work of Bresson et al. on the group DiffieHellman key exchange problem [5,7,6,8], several researchers have developed simila... |

204 | Optimal Asymmetric Encryption - How to Encrypt with RSA
- Bellare, Rogaway
- 1994
(Show Context)
Citation Context ... of Lee, Hwang, and Lee [17]. Then, in Section 4, we show how to add password-authentication services to the Burmester and Desmedt scheme [9, 10]. Our protocol is provably secure in the random-oracle =-=[4]-=- and ideal-cipher models [3] under the Decisional Diffie-Hellman assumption. Related Work. Following the work of Bresson et al. on the group DiffieHellman key exchange problem [5,7,6,8], several resea... |

203 |
A Secure and Efficient Conference Key Distribution System
- Burmester, Desmedt
- 1994
(Show Context)
Citation Context ...scribe attacks against the schemes of Dutta and Barua [11] and of Lee, Hwang, and Lee [17]. Then, in Section 4, we show how to add password-authentication services to the Burmester and Desmedt scheme =-=[9, 10]-=-. Our protocol is provably secure in the random-oracle [4] and ideal-cipher models [3] under the Decisional Diffie-Hellman assumption. Related Work. Following the work of Bresson et al. on the group D... |

120 | Provably Authenticated Group Diffie-Hellman Key Exchange
- Bresson, Chevassut, et al.
- 2001
(Show Context)
Citation Context ...ds [12], distributed computations are spread across multiple computing resources requiring efficient security mechanisms between the processes. Although protocols for group DiffieHellman key exchange =-=[5,7,6,8]-=- provide a natural mechanism for supporting these applications, these protocols are limited in their scalability due to a number of rounds linear in the number of group members. An alternative is to u... |

113 |
Foundations of cryptography: Basic applications, volume 2. Cambridge Univ Pr
- Goldreich
- 2004
(Show Context)
Citation Context ...ivalent: for any time bound T , Adv ddh G (T ) ≤ Adv pddhn G (T ) ≤ n Adv ddh G (T ). Proof. We omit the proof of this lemma in this version of the paper as it follows from a standard hybrid argument =-=[13,14]-=- with n+1 hybrid experiments, in which the first i DDH values are replaced by random ones in the i-th hybrid experiment for i ∈ {0, . . . , n}. In fact, a proof of this lemma was implicitly made in th... |

105 | Scalable Protocols for Authenticated Group Key Exchange
- Katz, Yung
- 2003
(Show Context)
Citation Context ...s are limited in their scalability due to a number of rounds linear in the number of group members. An alternative is to use a protocol for group key exchange that runs in a constant number or rounds =-=[11,15,16]-=-. c○ IACR 2006.s428 M. Abdalla et al. The two measures of a protocol’s efficiency are the computational cost per member and the communication complexity (number of protocol rounds) of the given protoc... |

60 | Dynamic Group Diffie-Hellman Key Exchange under Standard Assumptions
- Bresson, Chevassut, et al.
- 2002
(Show Context)
Citation Context ...ds [12], distributed computations are spread across multiple computing resources requiring efficient security mechanisms between the processes. Although protocols for group DiffieHellman key exchange =-=[5,7,6,8]-=- provide a natural mechanism for supporting these applications, these protocols are limited in their scalability due to a number of rounds linear in the number of group members. An alternative is to u... |

56 | Password-based authenticated key exchange in the three-party setting
- Abdalla, Fouque, et al.
- 2005
(Show Context)
Citation Context ...ganized as follows. In Section 2, we recall the security model usually used for password-based group Diffie-Hellman key exchange. This model was previously defined in [7], but also takes advantage of =-=[1]-=-. In Section 3 we recall Burmester-Desmedt scheme and describe attacks against the schemes of Dutta and Barua [11] and of Lee, Hwang, and Lee [17]. In Section 4, we describe the mechanics behind our p... |

39 | Simple Password-Based Encrypted Key Exchange Protocols
- Abdalla, Pointcheval
- 2005
(Show Context)
Citation Context ... “mask” the first round only. One then comes up to the simple protocole, using a mask of the form h pw , where h is another generator of the group G, whose discrete logarithm in the base g is unknown =-=[2]-=-: – Each player Ui chooses a random exponent xi, computes zi = g xi and broadcasts z ⋆ i = zih pw ; – Each player extracts zi−1 and zi+1, and computes the Zi = z xi i−1 and Zi+1 = z xi+1 i = z xi i+1 ... |

30 | Group Diffie-Hellman Key Exchange Secure against Dictionary Attacks
- Bresson, Chevassut, et al.
- 2002
(Show Context)
Citation Context ...ds [12], distributed computations are spread across multiple computing resources requiring efficient security mechanisms between the processes. Although protocols for group DiffieHellman key exchange =-=[5,7,6,8]-=- provide a natural mechanism for supporting these applications, these protocols are limited in their scalability due to a number of rounds linear in the number of group members. An alternative is to u... |

24 | Constant-Round Authenticated Group Key Exchange for Dynamic Groups - Kim, Lee, et al. - 2004 |

15 |
Password-based encrypted group key agreement
- Dutta, Barua
- 2006
(Show Context)
Citation Context ...s are limited in their scalability due to a number of rounds linear in the number of group members. An alternative is to use a protocol for group key exchange that runs in a constant number or rounds =-=[11,15,16]-=-. c○ IACR 2006.s428 M. Abdalla et al. The two measures of a protocol’s efficiency are the computational cost per member and the communication complexity (number of protocol rounds) of the given protoc... |

7 |
and Yvo Desmedt. A secure and scalable group key exchange system
- Burmester
- 2005
(Show Context)
Citation Context ...scribe attacks against the schemes of Dutta and Barua [11] and of Lee, Hwang, and Lee [17]. Then, in Section 4, we show how to add password-authentication services to the Burmester and Desmedt scheme =-=[9, 10]-=-. Our protocol is provably secure in the random-oracle [4] and ideal-cipher models [3] under the Decisional Diffie-Hellman assumption. Related Work. Following the work of Bresson et al. on the group D... |

5 |
Efficient password-based group key exchange
- Lee, Hwang, et al.
(Show Context)
Citation Context ...(secure) solution had to be found in the context of a (short) password shared among the members of the group. Two attempts in this direction are due to Dutta and Barua [11] and to Lee, Hwang, and Lee =-=[17]-=-. Unfortunately, adding authentication services to a group key exchange protocol is a not trivial since redundancy in the flows of the protocol can open the door to different forms of attacks. In fact... |