On Security Models and Compilers for Group Key Exchange Protocols

(Extended Abstract)
  • Emmanuel Bresson
  • Mark Manulis
  • Jörg Schwenk
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4752)


Group key exchange (GKE) protocols can be used to guarantee confidentiality and authentication in group applications. The paradigm of provable security subsumes an abstract formalization (security model) that considers the protocol environment and identifies its security goals. The first security model for GKE protocols was proposed by Bresson, Chevassut, Pointcheval, and Quisquater in 2001, and has subsequently been applied in many security proofs. Their definitions of AKE-security (authenticated key exchange, a.k.a. indistinguishability of the key) and MA-security (mutual authentication) have since become standard.

In this paper we analyze the BCPQ model and some of its variants and identify several risks resulting from its technical core construction, the notion of partnering. Consequently, we propose a revised model that extends AKE- and MA-security in order to capture attacks by malicious participants and strong corruptions.

Then, we turn to generic solutions (known as compilers) for AKE- and MA-security in BCPQ-like models. We describe a compiler compauthma which provides AKE- and MA-security for any GKE protocol under standard cryptographic assumptions and eliminates some of the limitations identified in existing compilers.


Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • Emmanuel Bresson (1)
  • Mark Manulis (2)
  • Jörg Schwenk (2)

  1. DCSSI Crypto Lab, Paris
  2. Horst Görtz Institute, Ruhr University Bochum, Germany