Scalable Protocols for Authenticated Group Key Exchange

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2729)


We consider the fundamental problem of authenticated group key exchange among n parties within a larger and insecure public network. A number of solutions to this problem have been proposed; however, all provably-secure solutions thus far are not scalable and, in particular, require n rounds. Our main contribution is the first scalable protocol for this problem along with a rigorous proof of security in the standard model under the DDH assumption; our protocol uses a constant number of rounds and requires only O(1) modular exponentiations per user (for key derivation). Toward this goal and of independent interest, we first present a scalable compiler that transforms any group key-exchange protocol secure against a passive eavesdropper to an authenticated protocol which is secure against an active adversary who controls all communication in the network. This compiler adds only one round and O(1) communication (per user) to the original scheme. We then prove secure — against a passive adversary — a variant of the two-round group key-exchange protocol of Burmester and Desmedt. Applying our compiler to this protocol results in a provably-secure three-round protocol for authenticated group key exchange which also achieves forward secrecy.
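An added sketch, not code from the paper, of the unauthenticated two-round Burmester-Desmedt exchange the abstract builds on (the textbook protocol, not necessarily the exact variant the paper proves secure). It shows each party spending three modular exponentiations regardless of n, and that a second-round message altered in transit leaves parties holding different keys with no error raised, which is the gap a compiler to an authenticated protocol has to close. The function names and the toy group parameters are assumptions constructed for this example.

```python
import secrets

# Toy parameters constructed for this example (NOT secure sizes):
# P = 2Q + 1 is a safe prime, G generates the subgroup of prime order Q.
P, Q, G = 1019, 509, 4

def bd_round1():
    """Round 1: pick r_i, broadcast z_i = g^r_i (exponentiation 1)."""
    r = secrets.randbelow(Q - 1) + 1
    return r, pow(G, r, P)

def bd_round2(i, r, z):
    """Round 2: broadcast X_i = (z_{i+1} / z_{i-1})^r_i (exponentiation 2)."""
    n = len(z)
    ratio = z[(i + 1) % n] * pow(z[(i - 1) % n], -1, P) % P
    return pow(ratio, r, P)

def bd_key(i, r, z, X):
    """K = g^(r_1 r_2 + r_2 r_3 + ... + r_n r_1).

    One exponentiation gives g^(r_{i-1} r_i); each later ring term follows
    by multiplication, since g^(r_j r_{j+1}) = g^(r_{j-1} r_j) * X_j.
    """
    n = len(z)
    term = pow(z[(i - 1) % n], r, P)   # exponentiation 3
    key = term
    for k in range(n - 1):
        term = term * X[(i + k) % n] % P
        key = key * term % P
    return key

def run_group(n, tamper=None):
    """Run n honest parties. tamper=(sender, receiver) makes the network
    deliver a modified X_sender to that one receiver (active adversary)."""
    pairs = [bd_round1() for _ in range(n)]
    r = [s for s, _ in pairs]
    z = [v for _, v in pairs]
    X = [bd_round2(i, r[i], z) for i in range(n)]
    keys = []
    for i in range(n):
        view = list(X)                 # what party i received in round 2
        if tamper and tamper[1] == i:
            view[tamper[0]] = view[tamper[0]] * G % P
        keys.append(bd_key(i, r[i], z, view))
    return keys
```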


Keywords: Random Oracle Model, Forward Secrecy, Modular Exponentiation, Passive Adversary, Scalable Protocol
These keywords were added by machine and not by the authors.



Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  1. Dept. of Computer Science, University of Maryland, College Park
  2. Dept. of Computer Science, Columbia University, New York
