Scalable Protocols for Authenticated Group Key Exchange
- Advances in Cryptology — Crypto 2003, LNCS
Cited by 134 (2 self)
We consider the problem of authenticated group key exchange among n parties communicating over an insecure public network. A number of solutions to this problem have been proposed; however, all prior provably-secure solutions do not scale well and, in particular, require O(n) rounds. Our main contribution is the first scalable protocol for this problem along with a rigorous proof of security in the standard model under the DDH assumption; our protocol uses a constant number of rounds and requires only O(1) "full" modular exponentiations per user. Toward this goal (and adapting work of Bellare, Canetti, and Krawczyk), we first present an efficient compiler that transforms any group key-exchange protocol secure against a passive eavesdropper to an authenticated protocol which is secure against an active adversary who controls all communication in the network. This compiler adds only one round and O(1) communication (per user) to the original scheme. We then prove secure (against a passive adversary) a variant of the two-round group key-exchange protocol of Burmester and Desmedt. Applying our compiler to this protocol results in a provably-secure three-round protocol for authenticated group key exchange which also achieves forward secrecy.
Identity Based Authenticated Key Agreement Protocols from Pairings
- In: Proc. 16th IEEE Security Foundations Workshop
, 2002
Cited by 67 (2 self)
We investigate a number of issues related to identity based authenticated key agreement protocols in the Diffie-Hellman family enabled by the Weil or Tate pairings. These issues include how to make protocols efficient; to avoid key escrow by a Trust Authority (TA) who issues identity based private keys for users, and to allow users to use different TAs. We describe a few authenticated key agreement (AK) protocols and AK with key confirmation (AKC) protocols by modifying Smart's AK protocol [Sm02]. We discuss the security of these protocols heuristically and give formal proofs of security for our AK and AKC protocols (using a security model based on the model defined in [BJM97]). We also prove that our AK protocol has the key compromise impersonation property. We also show that our second protocol has the TA forward secrecy property (which we define to mean that the compromise of the TA's private key will not compromise previously established session keys), and we note that this also implies that it has the perfect forward secrecy property.
A New Two-Party Identity-Based Authenticated Key Agreement
- In proceedings of CT-RSA 2005, LNCS 3376
, 2004
Cited by 61 (0 self)
We present a new two-party identity-based key agreement that is more efficient than previously proposed schemes. It is inspired by a new identity-based key pair derivation algorithm first proposed by Sakai and Kasahara. We show how this key agreement can be used in either escrowed or escrowless mode. We also describe conditions under which users of different Key Generation Centres can agree on a shared secret key. We give an overview of existing two-party key agreement protocols, and compare our new scheme with existing ones in terms of computational cost and storage requirements.
Examining Indistinguishability-Based Proof Models for Key Establishment Protocols (full version available from http://eprint.iacr.org/2005/270)
, 2005
Cited by 57 (10 self)
We examine various indistinguishability-based proof models for key establishment protocols, namely the Bellare & Rogaway (1993, 1995), the Bellare, Pointcheval, & Rogaway (2000), and the Canetti & Krawczyk (2001) proof models. We then consider several variants of these proof models, identify several subtle differences between these variants and models, and compare the relative strengths of the notions of security between the models. For each pair of relations between the models (either an implication or a non-implication), we provide proofs or counter-examples to support the observed relations. We also reveal a drawback with the original formulation of the Bellare, Pointcheval, & Rogaway (2000) model, whereby the Corrupt query is not allowed.
Revisit of McCullagh-Barreto Two-Party ID-Based Authenticated Key Agreement Protocols
- Cryptology ePrint Archive: Report 2004/343, http://eprint.iacr.org/2004/343
Cited by 17 (1 self)
We revisit the two-party identity-based authenticated key agreement protocol (2P-IDAKA) and its variant resistant to key-compromise impersonation due to McCullagh & Barreto (2005). Protocol 2P-IDAKA carries a proof of security in the Bellare & Rogaway (1993) model. In this paper, we demonstrate why both the protocol and its variant are not secure if the adversary is allowed to send a Reveal query to reveal non-partner players who had accepted the same session key (i.e., termed a key-replicating attack in recent work of Krawczyk (2005)). We also demonstrate that both protocols do not achieve the key integrity property, first discussed by Janson & Tsudik (1995).
On the Indistinguishability-Based Security Model of Key Agreement Protocols - Simple Cases
, 2005
Cited by 14 (4 self)
Since Bellare and Rogaway's work in 1994, the indistinguishability-based security models of authenticated key agreement protocols in simple cases have been evolving for more than ten years. In this paper, we review and organize the models under a unified framework with some new extensions. By providing a new ability (the Coin query) to adversaries and redefining two key security notions, the framework fully exploits an adversary's capacity and can be used to prove all the commonly required security attributes of key agreement protocols with key confirmation. At the same time, the Coin query is also used to define a model which can be used to heuristically evaluate the security of a large category of authenticated protocols without key confirmation. We use the models to analyze a few identity-based authenticated key agreement protocols with pairings.
Pairing-Based One-Round Tripartite Key Agreement Protocols
, 2004
Cited by 13 (0 self)
Since Joux published the first pairing-based one-round tripartite key agreement protocol [12], many authenticated protocols have been proposed. However, most of them were soon broken or proved not to achieve some desirable security attributes. In this paper we present two protocol variants based on Shim [19] and Zhang et al.'s work [23]. As the formalized model of this kind of AK protocol is not mature, the security properties of the protocols are heuristically investigated by attempting a list of attacks, presented as a reference that can be used to evaluate other protocols.
Modeling Key Compromise Impersonation Attacks on Group Key Exchange Protocols
- In: Public Key Cryptography - PKC'09, Volume 5443 of LNCS, Springer (2009) 105–123
, 2007
Cited by 11 (3 self)
A key exchange protocol allows a set of parties to agree upon a secret session key over a public network. Two-party key exchange (2PKE) protocols have been rigorously analyzed under various models considering different adversarial actions. However, the analysis of group key exchange (GKE) protocols has not been as extensive as that of 2PKE protocols. Particularly, the security attribute of key compromise impersonation (KCI) resilience has so far been ignored for the case of GKE protocols. We first model the security of GKE protocols addressing KCI attacks by both outsider and insider adversaries. We then show that a few existing protocols are not secure even against outsider KCI attacks. The attacks on these protocols demonstrate the necessity of considering KCI resilience for GKE protocols. Finally, we give a new proof of security for an existing GKE protocol under the revised model assuming random oracles.
Security-Focused Survey on Group Key Exchange Protocols
- HORST-GÖRTZ INSTITUTE, NETWORK AND DATA SECURITY GROUP
, 2006
Cited by 8 (3 self)
In this paper we overview a large number of currently known group key exchange protocols while focusing on the protocols designed for more than three participants (for an overview of two- and three-party key exchange protocols we refer to [BM03, DB05c]). For each mentioned protocol we briefly describe the current state of security based on the original analysis as well as later results that appeared in the literature. We distinguish between (i) protocols with heuristic security arguments based on informally defined security requirements and (ii) protocols that have been proven secure in one of the existing security models for group key exchange. Note, this paper continues the work started in [Man06], which provides an analytical survey on security requirements and currently known models for group key exchange. We emphasize that the following survey focuses on the security aspects of the protocols and does not aim to provide any efficiency comparison. The reader interested in this kind of surveys we
Secure One-Round Tripartite Authenticated Key Agreement Protocol from Weil Pairing
- Proceedings of the International Conference on Advanced Information Networking and Applications (AINA 2005)
Cited by 7 (0 self)
In 2000, Joux proposed a one-round protocol for tripartite Diffie-Hellman. In 2003, Shim presented an efficient one-round tripartite authenticated key agreement protocol based on the Weil pairing to resist the man-in-the-middle attack that applies to Joux's protocol. In this paper, we show that Shim's protocol still cannot withstand the insider attack and the key-compromise impersonation attack. We propose a secure one-round tripartite authenticated key agreement protocol to solve the existing problems.