Cryptology ePrint Archive: Report 2006/385

On Security Models and Compilers for Group Key Exchange Protocols

Emmanuel Bresson and Mark Manulis and Joerg Schwenk

Abstract: Group key exchange (GKE) protocols can be used to guarantee confidentiality and group authentication in a variety of group applications. The notion of provable security subsumes the existence of an abstract formalization (security model) that considers the environment of the protocol and identifies its security goals. The first security model for GKE protocols was proposed by Bresson, Chevassut, Pointcheval, and Quisquater in 2001, and has been subsequently applied in many security proofs. Their definitions of AKE- and MA-security became meanwhile standard.

In this paper we analyze the BCPQ model and some of its later appeared modifications and identify several security risks resulting from the technical construction of this model – the notion of partnering. Consequently, we propose a revised model with extended definitions for AKE- and MA-security capturing, in addition, attacks of malicious protocol participants.

Further, we analyze some well-known generic solutions (compilers) for AKE- and MA-security of GKE protocols proposed based on the definitions of the BCPQ model and its variants and identify several limitations resulting from the underlying assumptions.

In order to remove these limitations and at the same time to show that our revised security model is in fact practical enough for the construction of reductionist security proofs we describe a modified compiler which provides AKE- and MA-security for any GKE protocol, under standard cryptographic assumptions.

Category / Keywords: group key exchange, extended security model, malicious participants, compiler for AKE- and MA-security

Publication Info: IWSEC 2007

Date: received 2 Nov 2006, last revised 20 Aug 2007

Contact author: mark manulis at nds rub de

Available format(s): PDF | BibTeX Citation

Note: This paper supersedes the earlier version published on eprint archive on November 2, 2006, which was called "Extended Definitions of AKE- and MA-Security for Group Key Exchange Protocols".

In this revised version we also show that the model of the passive eavesdropping adversary assumed by Katz and Yung for their compiler for AKE-security (at Crypto 2003) is insufficient and needs to be strengthened in order to achieve generality.

Version: 20070820:133321 (All versions of this report)

Discussion forum: Show discussion | Start new discussion

[ Cryptology ePrint archive ]