ID-Based Group Password-Authenticated Key Exchange

  • Xun Yi
  • Raylin Tso
  • Eiji Okamoto
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5824)


Password-authenticated key exchange (PAKE) protocols are designed to be secure even when the secret key used for authentication is a human-memorable password. In this paper, we consider PAKE protocols in the group scenario, in which a group of clients, each of them shares his password with an “honest but curious” server, intend to establish a common secret key (i.e., a group key) with the help of the server. In this setting, the key established is known to the clients only and no one else, including the server. Each client needs to remember the password only while the server keeps passwords in addition to private keys related to its identity. Towards our goal, we present a compiler that transforms any group key exchange (KE) protocol which is secure against a passive eavesdropping to a group PAKE which is secure against an active adversary who controls all communications in the network. This compiler is built on a group KE protocol, an identity-based encryption (IBE) scheme, and an identity-based signature (IBS) scheme. It adds only two rounds and O(1) communication (per client) to the original group KE protocol. As long as the underlying group KE protocol, IBE scheme and an IBS scheme have provable security without random oracles, the group PAKE constructed by our compiler can be proven to be secure without random oracles.


Password-authenticated key exchange group key agreement protocol compiler common reference model 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Abdalla, M., Bohli, J.-M., González Vasco, M.I., Steinwandt, R. (Password) authenticated key establishment: From 2-party to group. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 499–514. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  2. 2.
    Abdalla, M., Bresson, E., Chevassut, O., Pointcheval, D.: Password-based group key exchange in a constant number of rounds. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T.G. (eds.) PKC 2006. LNCS, vol. 3958, pp. 427–442. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  3. 3.
    Abdalla, M., Fouque, P.-A., Pointcheval, D.: Password-based authenticated key exchange in the three-party setting. In: Vaudenay, S. (ed.) PKC 2005. LNCS, vol. 3386, pp. 65–84. Springer, Heidelberg (2005)Google Scholar
  4. 4.
    Abdalla, M., Fouque, P.A., Pointcheval, D.: Password-based authenticated key exchange in the three-party setting. In: IEE Proceedings in Information Security, vol. 153(1), pp. 27–39 (2006)Google Scholar
  5. 5.
    Abdalla, M., Pointcheval, D.: Simple password-based encrypted key exchange protocols. In: Menezes, A. (ed.) CT-RSA 2005. LNCS, vol. 3376, pp. 191–208. Springer, Heidelberg (2005)Google Scholar
  6. 6.
    Abdalla, M., Pointcheval, D.: A scalable password-based group key exchange protocol in the standard model. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 332–347. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  7. 7.
    Ateniese, G., Steiner, M., Tsudik, G.: Authenticated group key agreement and friends. In: Proc. CCS 1998, pp. 17–26 (1998)Google Scholar
  8. 8.
    Ateniese, G., Steiner, M., Tsudik, G.: New multi-party authentication services and key agreement protocol. IEEE Journal on Selected Areas in Communications 4(18), 628–639 (2000)CrossRefGoogle Scholar
  9. 9.
    Bao, F., Deng, R.H., Zhu, H.: Variations of diffie-hellman problem. In: Qing, S., Gollmann, D., Zhou, J. (eds.) ICICS 2003. LNCS, vol. 2836, pp. 301–312. Springer, Heidelberg (2003)Google Scholar
  10. 10.
    Becker, C., Wille, U.: Communication complexity of group key distribution. In: Proc. CCS 1998, pp. 1–6 (1998)Google Scholar
  11. 11.
    Bellare, M., Canetti, R., Krawczyk, H.: A modular approach to the design and analysis of authentication and key exchange protocol. In: Proc. 30th Annual ACM Symposium on Theory of Computing, pp. 419–428 (1998)Google Scholar
  12. 12.
    Bellare, M., Pointcheval, D., Rogaway, P.: Authenticated key exchange secure against dictionary attacks. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 139–155. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  13. 13.
    Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (1993)Google Scholar
  14. 14.
    Bellovin, S.M., Merritt, M.: Encrypted key exchange: Password-based protocol secure against dictionary attack. In: Proc. 1992 IEEE Symposium on Research in Security and Privacy, May 1992, pp. 72–84 (1992)Google Scholar
  15. 15.
    Bird, R., Gopal, I., Herzberg, A., Janson, P., Kutten, S., Molva, R., Yung, M.: Systematic design of two-party authentication protocols. IEEE Journal on Selected Areas in Communications 11(5), 679–693 (1993)CrossRefGoogle Scholar
  16. 16.
    Bohli, J.M., Vasco, M.I.G., Steinwandt, R.: Password-authenticated constant-round group key establishment with a common reference string. Cryptology ePrint Archive, Report 2006/214 (2006),
  17. 17.
    Boneh, D., Franklin, M.: Identity-based encryption from the weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  18. 18.
    Boneh, D., Franklin, M.: Identity based encryption from the Weil pairing. SIAM Journal of Computing 32(3), 586–615 (2003)zbMATHCrossRefMathSciNetGoogle Scholar
  19. 19.
    Boyd, C.: On key agreement and conference key agreement. In: Mu, Y., Pieprzyk, J.P., Varadharajan, V. (eds.) ACISP 1997. LNCS, vol. 1270, pp. 294–302. Springer, Heidelberg (1997)CrossRefGoogle Scholar
  20. 20.
    Boyd, C., Nieto, J.M.G.: Round-optimal contributory conference key agreement. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 161–174. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  21. 21.
    Boyko, V., MacKenzie, P.D., Patel, S.: Provably secure password-authenticated key exchange using diffie-hellman. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 156–171. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  22. 22.
    Bresson, E., Chevassut, O., Pointcheval, D.: Provably authenticated group diffie-hellman key exchange - the dynamic case. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 290–309. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  23. 23.
    Bresson, E., Chevassut, O., Pointcheval, D., Quisquater, J.J.: Provably authenticated group Diffie-Hellman key exchange. In: Proc. CCS 2001, pp. 255–264 (2001)Google Scholar
  24. 24.
    Bresson, E., Chevassut, O., Pointcheval, D.: Dynamic group diffie-hellman key exchange under standard assumptions. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 321–336. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  25. 25.
    Bresson, E., Chevassut, O., Pointcheval, D.: Group diffie-hellman key exchange secure against dictionary attacks. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 497–514. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  26. 26.
    Bresson, E., Chevassut, O., Pointcheval, D.: Security proofs for an efficient password-based key exchange. In: Proc. CCS 2003, pp. 241–250 (2003)Google Scholar
  27. 27.
    Bresson, E., Chevassut, O., Pointcheval, D.: New security results on encrypted key exchange. In: Bao, F., Deng, R., Zhou, J. (eds.) PKC 2004. LNCS, vol. 2947, pp. 145–158. Springer, Heidelberg (2004)Google Scholar
  28. 28.
    Bresson, E., Chevassut, O., Pointcheval, D.: A security solution for IEEE 802.11s ad-hoc mode: password-authentication and group-Diffie-Hellman key exchange. International Journal of Wireless and Mobile Computing 2(1), 4–13 (2007)CrossRefGoogle Scholar
  29. 29.
    Burmester, M., Desmedt, Y.G.: A secure and efficient conference key distribution system. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 275–286. Springer, Heidelberg (1995)CrossRefGoogle Scholar
  30. 30.
    Burmester, M., Desmedt, Y.G., Seberry, J.: Equitable key escrow with limited time span. In: Ohta, K., Pei, D. (eds.) ASIACRYPT 1998. LNCS, vol. 1514, pp. 380–391. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  31. 31.
    Burmester, M., Desmedt, Y.: A secure and scalable group key exchange system. Information Processing Letters 94(3), 137–143 (2005)CrossRefMathSciNetGoogle Scholar
  32. 32.
    Canetti, R., Krawczyk, H.: Key-exchange protocols and their use for building secure channels. In: Proc. Eurocrypt 2001, pp. 453–474 (2001)Google Scholar
  33. 33.
    Canetti, R., Krawczyk, H.: Universally composable notions of key exchange and secure channels. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 337–351. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  34. 34.
    Canetti, R., Krawczyk, H.: Security analysis of iKE’s signature-based key-exchange protocol. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 143–161. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  35. 35.
    Cramer, R., Shoup, V.: A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 13–25. Springer, Heidelberg (1998)Google Scholar
  36. 36.
    Diffie, W., Hellman, M.: New directions in cryptography. IEEE Transactions on Information Theory 32(2), 644–654 (1976)CrossRefMathSciNetGoogle Scholar
  37. 37.
    Diffie, W., van Oorschot, P., Wiener, M.: Authentication and authenticated key exchange. Designs, Codes, and Cryptography 2(2), 107–125 (1992)CrossRefMathSciNetGoogle Scholar
  38. 38.
    Galindo, D., Herranz, J., Kiltz, E.: On the generic construction of identity-based signatures with additional properties. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 178–193. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  39. 39.
    Gentry, C.: Practical identity-based encryption without random oracles. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 445–464. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  40. 40.
    Goldreich, O., Lindell, Y.: Session-key generation using human passwords only. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 408–432. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  41. 41.
    Goldwasser, S., Micali, S., Rivest, R.: A digital signature scheme secure against adaptive chosen-message attack. SIAM J. Computing 17(2), 281–308 (1988)zbMATHCrossRefMathSciNetGoogle Scholar
  42. 42.
    Halevi, S., Krawczyk, H.: Public-key cryptography and password protocols. ACM Transactions on Information and System Security 2(3), 230–268 (1999)CrossRefGoogle Scholar
  43. 43.
    Ingemarsson, I., Tang, D.T., Wong, C.K.: A conference key distribution system. IEEE Transactions on Information Theory 28(5), 714–720 (1982)zbMATHCrossRefMathSciNetGoogle Scholar
  44. 44.
    Just, M., Vaudenay, S.: Authenticated multi-party key agreement. In: Proc. Asiacrypt 1996, pp. 36–49 (1996)Google Scholar
  45. 45.
    Jiang, S., Gong, G.: Password based key exchange with mutual authentication. In: Handschuh, H., Hasan, M.A. (eds.) SAC 2004. LNCS, vol. 3357, pp. 267–279. Springer, Heidelberg (2004)Google Scholar
  46. 46.
    Katz, J., Ostrovsky, R., Yung, M.: Efficient password-authenticated key exchange using human-memorable passwords. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 475–494. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  47. 47.
    Katz, J., Ostrovsky, R., Yung, M.: Forward secrecy in password-only key exchange protocols. In: Cimato, S., Galdi, C., Persiano, G. (eds.) SCN 2002. LNCS, vol. 2576, pp. 29–44. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  48. 48.
    Katz, J., Yung, M.: Scalable protocols for authenticated group key exchange. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 110–125. Springer, Heidelberg (2003)Google Scholar
  49. 49.
    Kim, H.-J., Lee, S.-M., Lee, D.-H.: Constant-round authenticated group key exchange for dynamic groups. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 245–259. Springer, Heidelberg (2004)Google Scholar
  50. 50.
    Kim, Y., Perig, A., Tsudik, G.: Simper and fault-tolerant key agreement for dynamic collaborative groups. In: Proc. CCS 2000, pp. 235–244 (2000)Google Scholar
  51. 51.
    Kim, Y., Perrig, A., Tsudik, G.: Communication-efficient group key agreement. In: Proc. IFIP TC11 16th Annual Working Conference on Information Security (IFIP/SEC), pp. 229–244 (2001)Google Scholar
  52. 52.
    Kown, J.O., Jeong, I.R., Sakurai, K., Lee, D.H.: Password-authenticated multi-party key exchange with different passwords. Cryptology ePrint Archive, Report 2006/476,
  53. 53.
    Maurer, U.M., Wolf, S.: Diffie-hellman oracles. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 268–282. Springer, Heidelberg (1996)Google Scholar
  54. 54.
    Paterson, K.G., Schuldt, J.C.N.: Efficient identity-based signatures secure in the standard model. In: Batten, L.M., Safavi-Naini, R. (eds.) ACISP 2006. LNCS, vol. 4058, pp. 207–222. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  55. 55.
    Patel, S.: Number-theoretic attack on secure password scheme. In: Proc. IEEE Symposium on Research in Security and Privacy, pp. 236–247 (1997)Google Scholar
  56. 56.
    Choo, K.-K.R., Boyd, C., Hitchcock, Y.: Errors in computational complexity proofs for protocols. In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 624–643. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  57. 57.
    Steer, D.G., Strawczynski, L., Diffie, W., Wiener, M.: A secure audio teleconference system. In: Goldwasser, S. (ed.) CRYPTO 1988. LNCS, vol. 403, pp. 520–528. Springer, Heidelberg (1998)Google Scholar
  58. 58.
    Steiner, M., Tsudik, G., Widner, M.: Key agreement in dynamic peer groups. IEEE Transactions on Parallel and Distributed Systems 11(8), 769–780 (2000)CrossRefGoogle Scholar
  59. 59.
    Tzeng, W.-G.: A practical and secure fault-tolerant conference-key agreement protocol. In: Imai, H., Zheng, Y. (eds.) PKC 2000. LNCS, vol. 1751, pp. 1–13. Springer, Heidelberg (2000)Google Scholar
  60. 60.
    Waters, B.: Efficient identity-based encryption without random oracles. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 114–127. Springer, Heidelberg (2005)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Xun Yi
    • 1
  • Raylin Tso
    • 2
  • Eiji Okamoto
    • 3
  1. 1.School of Engineering and ScienceVictoria UniversityMelbourneAustralia
  2. 2.Department of Computer ScienceNational Chengchi UniversityTaipeiTaiwan
  3. 3.Department of Risk EngineeringUniversity of TsukubaTsukuba,IbarakiJapan

Personalised recommendations