A Universally Composable Group Key Exchange Protocol with Minimum Communication Effort

  • Jun Furukawa
  • Frederik Armknecht
  • Kaoru Kurosawa
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5229)


The universal composability (UC) framework by Canetti [15] is a general-purpose framework for designing secure protocols. It guarantees that a UC-secure protocol remains secure under arbitrary composition with other protocols. As key exchange protocols (KEs) are among the most widely used cryptographic mechanisms, some research has been done on UC-secure 2-party KEs. However, the only result regarding UC-secure group key exchange protocols (GKEs) is a generic method presented by Katz and Shin [35]. It allows any GKE protocol that fulfills certain security requirements to be turned into a UC-secure variant. In practice, this yields GKE protocols which require at least five communication rounds when no session identities are provided by external mechanisms. Up to now, no effort has been made to design dedicated UC-secure GKE protocols with lower communication complexity.

In this paper, we propose a new UC-secure GKE which needs only two rounds. We show that two is the minimum possible number of rounds and that any 2-round UC-secure GKE requires at least as many messages as our protocol. The proof of security relies on a new assumption which is a combination of the decision bilinear Diffie-Hellman assumption and the linear Diffie-Hellman assumption.


Keywords: Group key exchange, universal composability, session ID generation




  1. Barak, B., Lindell, Y., Rabin, T.: Protocol initialization for the framework of universal composability. Cryptology ePrint Archive, Report 2004/006 (2004)
  2. Bellare, M., Namprempre, C., Pointcheval, D., Semanko, M.: The one-more-RSA-inversion problems and the security of Chaum's blind signature scheme. J. Cryptology 16(3), 185–215 (2003)
  3. Bellare, M., Palacio, A.: GQ and Schnorr identification schemes: Proofs of security against impersonation under active and concurrent attacks. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 162–177. Springer, Heidelberg (2002)
  4. Bellare, M., Pointcheval, D., Rogaway, P.: Authenticated key exchange secure against dictionary attacks. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 139–155. Springer, Heidelberg (2000)
  5. Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (1994)
  6. Bellare, M., Rogaway, P.: Provably secure session key distribution: the three party case. In: STOC, pp. 57–66. ACM, New York (1995)
  7. Boneh, D., Boyen, X., Shacham, H.: Short group signatures. In: Franklin [31], pp. 41–55
  8. Bresson, E., Chevassut, O., Pointcheval, D.: Provably authenticated group Diffie-Hellman key exchange - the dynamic case. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 290–309. Springer, Heidelberg (2001)
  9. Bresson, E., Chevassut, O., Pointcheval, D.: Dynamic group Diffie-Hellman key exchange under standard assumptions. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 321–336. Springer, Heidelberg (2002)
  10. Bresson, E., Chevassut, O., Pointcheval, D., Quisquater, J.-J.: Provably authenticated group Diffie-Hellman key exchange. In: CCS 2001: Proceedings of the 8th ACM Conference on Computer and Communications Security, pp. 255–264. ACM Press, New York (2001)
  11. Bresson, E., Manulis, M., Schwenk, J.: On security models and compilers for group key exchange protocols. In: Miyaji, A., Kikuchi, H., Rannenberg, K. (eds.) IWSEC 2007. LNCS, vol. 4752, pp. 292–307. Springer, Heidelberg (2007)
  12. Burmester, M., Desmedt, Y.: A secure and efficient conference key distribution system (extended abstract). In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 275–286. Springer, Heidelberg (1995)
  13. Cachin, C., Strobl, R.: Asynchronous group key exchange with failures. In: Proceedings of the 23rd Annual ACM Symposium on Principles of Distributed Computing (PODC 2004), pp. 357–366. ACM Press, New York (2004)
  14. Camenisch, J., Lysyanskaya, A.: Signature schemes and anonymous credentials from bilinear maps. In: Franklin [31], pp. 56–72
  15. Canetti, R.: Universally composable security: A new paradigm for cryptographic protocols. Cryptology ePrint Archive, Report 2000/067 (2000, revised 2005)
  16. Canetti, R.: Universally composable signature, certification, and authentication. In: CSFW, p. 219. IEEE Computer Society, Los Alamitos (2004)
  17. Canetti, R., Dodis, Y., Pass, R., Walfish, S.: Universally composable security with global setup. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 61–85. Springer, Heidelberg (2007)
  18. Canetti, R., Fischlin, M.: Universally composable commitments. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 19–40. Springer, Heidelberg (2001)
  19. Canetti, R., Halevi, S., Katz, J., Lindell, Y., MacKenzie, P.D.: Universally composable password-based key exchange. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 404–421. Springer, Heidelberg (2005)
  20. Canetti, R., Krawczyk, H.: Analysis of key-exchange protocols and their use for building secure channels. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 453–474. Springer, Heidelberg (2001)
  21. Canetti, R., Krawczyk, H.: Universally composable notions of key exchange and secure channels. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 337–351. Springer, Heidelberg (2002)
  22. Canetti, R., Kushilevitz, E., Lindell, Y.: On the limitations of universally composable two-party computation without set-up assumptions. J. Cryptology 19(2), 135–167 (2006)
  23. Canetti, R., Lindell, Y., Ostrovsky, R., Sahai, A.: Universally composable two-party and multi-party secure computation. In: STOC, pp. 494–503 (2002)
  24. Canetti, R., Rabin, T.: Universal composition with joint state. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 265–281. Springer, Heidelberg (2003)
  25. Crescenzo, G.D., Katz, J., Ostrovsky, R., Smith, A.: Efficient and non-interactive non-malleable commitment. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 40–59. Springer, Heidelberg (2001)
  26. Desmedt, Y.G., Pieprzyk, J., Steinfeld, R., Wang, H.: A non-malleable group key exchange protocol robust against active insiders. In: Katsikas, S.K., López, J., Backes, M., Gritzalis, S., Preneel, B. (eds.) ISC 2006. LNCS, vol. 4176, pp. 459–475. Springer, Heidelberg (2006)
  27. Dutta, R., Barua, R., Sarkar, P.: Provably secure authenticated tree based group key agreement. In: López, J., Qing, S., Okamoto, E. (eds.) ICICS 2004. LNCS, vol. 3269, pp. 92–104. Springer, Heidelberg (2004)
  28. Fischlin, M.: Round-optimal composable blind signatures in the common reference string model. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 60–77. Springer, Heidelberg (2006)
  29. Fischlin, M.: Universally composable oblivious transfer in the multi-party setting. In: Pointcheval, D. (ed.) CT-RSA 2006. LNCS, vol. 3860, pp. 332–349. Springer, Heidelberg (2006)
  30. Fischlin, M., Fischlin, R.: Efficient non-malleable commitment schemes. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 413–431. Springer, Heidelberg (2000)
  31. Franklin, M. (ed.): CRYPTO 2004. LNCS, vol. 3152. Springer, Heidelberg (2004)
  32. Hofheinz, D., Müller-Quade, J., Steinwandt, R.: Initiator-resilient universally composable key exchange. In: Snekkenes, E., Gollmann, D. (eds.) ESORICS 2003. LNCS, vol. 2808, pp. 61–84. Springer, Heidelberg (2003)
  33. Impagliazzo, R., Levin, L.A., Luby, M.: Pseudo-random generation from one-way functions. In: STOC 1989: Proceedings of the Twenty-First Annual ACM Symposium on Theory of Computing, pp. 12–24. ACM Press, New York (1989)
  34. Impagliazzo, R., Zuckerman, D.: How to recycle random bits. In: FOCS, pp. 248–253. IEEE, Los Alamitos (1989)
  35. Katz, J., Shin, J.S.: Modeling insider attacks on group key-exchange protocols. In: CCS 2005: Proceedings of the 12th ACM Conference on Computer and Communications Security, pp. 180–189. ACM Press, New York (2005)
  36. Katz, J., Yung, M.: Scalable protocols for authenticated group key exchange. J. Cryptology 20(1), 85–113 (2007)
  37. Kurosawa, K., Furukawa, J.: Universally composable undeniable signature. Cryptology ePrint Archive, Report 2008/094 (2008)
  38. Le, T.V., Burmester, M., de Medeiros, B.: Universally composable and forward-secure RFID authentication and authenticated key exchange. In: Bao, F., Miller, S. (eds.) ASIACCS, pp. 242–252. ACM, New York (2007)
  39. Wikström, D.: A universally composable mix-net. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 317–335. Springer, Heidelberg (2004)

Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Jun Furukawa, NEC Corporation, Japan
  • Frederik Armknecht, Ruhr-Universität, Germany
  • Kaoru Kurosawa, Ibaraki University, Japan
