International Association for Cryptologic Research

International Association
for Cryptologic Research

CryptoDB

Paper: On Security Models and Compilers for Group Key Exchange Protocols

Authors:
Emmanuel Bresson
Mark Manulis
Jörg Schwenk
Download:
URL: http://eprint.iacr.org/2006/385
Search ePrint
Search Google
Abstract: Group key exchange (GKE) protocols can be used to guarantee confidentiality and group authentication in a variety of group applications. The notion of provable security subsumes the existence of an abstract formalization (security model) that considers the environment of the protocol and identifies its security goals. The first security model for GKE protocols was proposed by Bresson, Chevassut, Pointcheval, and Quisquater in 2001, and has been subsequently applied in many security proofs. Their definitions of AKE- and MA-security became meanwhile standard. In this paper we analyze the BCPQ model and some of its later appeared modifications and identify several security risks resulting from the technical construction of this model – the notion of partnering. Consequently, we propose a revised model with extended definitions for AKE- and MA-security capturing, in addition, attacks of malicious protocol participants. Further, we analyze some well-known generic solutions (compilers) for AKE- and MA-security of GKE protocols proposed based on the definitions of the BCPQ model and its variants and identify several limitations resulting from the underlying assumptions. In order to remove these limitations and at the same time to show that our revised security model is in fact practical enough for the construction of reductionist security proofs we describe a modified compiler which provides AKE- and MA-security for any GKE protocol, under standard cryptographic assumptions.
BibTeX
@misc{eprint-2006-21876,
  title={On Security Models and Compilers for Group Key Exchange Protocols},
  booktitle={IACR Eprint archive},
  keywords={group key exchange, extended security model, malicious participants, compiler for AKE- and MA-security},
  url={http://eprint.iacr.org/2006/385},
  note={IWSEC 2007 mark.manulis@nds.rub.de 13745 received 2 Nov 2006, last revised 20 Aug 2007},
  author={Emmanuel Bresson and Mark Manulis and Jörg Schwenk},
  year=2006
}