In this paper we analyze the BCPQ model and some of its later modifications and identify several security risks resulting from the technical construction of this model – the notion of partnering. Consequently, we propose a revised model with extended definitions of AKE- and MA-security that additionally capture attacks by malicious protocol participants.
Further, we analyze some well-known generic solutions (compilers) for AKE- and MA-security of GKE protocols that were proposed on the basis of the definitions of the BCPQ model and its variants, and identify several limitations resulting from the underlying assumptions.
In order to remove these limitations and at the same time to show that our revised security model is in fact practical enough for the construction of reductionist security proofs we describe a modified compiler which provides AKE- and MA-security for any GKE protocol, under standard cryptographic assumptions.
Category / Keywords: group key exchange, extended security model, malicious participants, compiler for AKE- and MA-security
Publication Info: IWSEC 2007
Date: received 2 Nov 2006, last revised 20 Aug 2007
Contact author: mark manulis at nds rub de
Note: This paper supersedes the earlier version published on eprint archive on November 2, 2006, which was called "Extended Definitions of AKE- and MA-Security for Group Key Exchange Protocols". In this revised version we also show that the model of the passive eavesdropping adversary assumed by Katz and Yung for their compiler for AKE-security (at Crypto 2003) is insufficient and needs to be strengthened in order to achieve generality.
Version: 20070820:133321