Modeling Leakage of Ephemeral Secrets in Tripartite/Group Key Exchange

  • Mark Manulis
  • Koutarou Suzuki
  • Berkant Ustaoglu
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5984)

Abstract

Recent advances in the design and analysis of secure two-party key exchange (2KE), such as modeling the leakage of ephemeral secrets used during the attacked sessions, have remained unnoticed by the current models for group key exchange (GKE). Focusing on a special case of GKE — the tripartite key exchange (3KE) — that allows for efficient one-round protocols, we demonstrate how to incorporate these advances into the multi-party setting. From this perspective our work closes the most pronounced gap between provably secure 2KE and GKE protocols.

The proposed 3KE protocol is an implicitly authenticated protocol with one communication round which remains secure even in the event of ephemeral secret leakage. It also significantly improves upon currently known 3KE protocols, many of which are insecure. An optional key confirmation round can be added to our proposal to achieve the explicitly authenticated protocol variant.

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Mark Manulis (1)
  • Koutarou Suzuki (2)
  • Berkant Ustaoglu (2)
  1. Cryptographic Protocols Group, TU Darmstadt & CASED, Germany
  2. NTT Information Sharing Platform Laboratories, Tokyo, Japan