
Research on Password-Authenticated Group Key Exchange
Jeong Ok Kwon, Ik Rae Jeong, and Dong Hoon Lee (CIST, Korea Univ.)
Kouichi Sakurai (Kyushu Univ.)
March 5, 2006
TCC 2006
Motivation
• A fundamental problem in cryptography is how to communicate securely over an insecure channel.
[Figure: two parties holding a shared session key sk; sk is used for data privacy/integrity]
Motivation
• How can we obtain a secret session key?
• Public-key encryption or signature
– the overhead (public-key operations, certified keys) is too high for certain applications
• Password-Authenticated Key Exchange (PAKE)
– PAKE allows specified parties to share a high-entropy secret key using just a human-memorable (low-entropy) password.
– convenience, mobility, and fewer hardware requirements
– no security infrastructure (no PKI) needed
Classification of PAKE
• According to the number of parties sharing a session key
– Two-party
– Multi-party (group)
• According to whether the pre-shared passwords are the same
– Parties with the same password
– Parties with different passwords
• According to the need for a server
– Model requiring the help of a server
– Model not requiring the help of a server
• According to the password form used by client and server
– Symmetric model
– Asymmetric model (verifier-based model)
Our research topic on PAKE
• Of the classification above, this work addresses the multi-party (group) case in which all parties share the same password, with no server and in the symmetric model:
- Password-Authenticated Group Key Exchange (PAGKE) -
PAGKE : Setting
• A broadcast group consisting of a set of users
– each user holds the same low-entropy secret (password pw)
– goal: the group ends up sharing a high-entropy session key sk
[Figure: four users, each holding pw, forming a group that shares sk]
Previous Works
• "Efficient Password-Based Group Key Exchange" (TrustBus '04) - S. M. Lee, J. Y. Hwang, and D. H. Lee
– a provably secure constant-round PAGKE protocol
– forward-secure and secure against known-key attacks
– proof relies on the ideal-cipher and ideal-hash (random oracle) assumptions
• "Password-based Group Key Exchange in a Constant Number of Rounds" (PKC '06) - M. Abdalla, E. Bresson, O. Chevassut, and D. Pointcheval
– a provably secure constant-round PAGKE protocol
– secure against known-key attacks
– proof relies on the ideal-cipher and ideal-hash (random oracle) assumptions
Our Goal
• The focus of this work is to provide a provably-secure constant-round PAGKE protocol without using the random oracle model (i.e., with a proof in the standard model).
Preliminary for protocol
• Public information
– p : a safe prime, p = 2q + 1 with q prime
– G : the cyclic subgroup of $\mathbb{Z}_p^*$ of prime order q
– $g_1, g_2$ : generators of G (independent generators: no party should know $\log_{g_1} g_2$)
– H : a one-way hash function (mapping into $\mathbb{Z}_q$)
– F : a pseudo-random function family
Burmester and Desmedt's Protocol
(shown for n = 4 users $U_1, \dots, U_4$ arranged in a ring; indices are taken mod 4)
• Each $U_i$ chooses $r_i \in_R \mathbb{Z}_q$.
• Round 1: $U_i$ broadcasts $X_i = g_1^{r_i}$.
• Round 2: $U_i$ broadcasts $Y_i = (X_{i+1}/X_{i-1})^{r_i}$, i.e.
  $Y_1 = (g_1^{r_2}/g_1^{r_4})^{r_1}$, $Y_2 = (g_1^{r_3}/g_1^{r_1})^{r_2}$, $Y_3 = (g_1^{r_4}/g_1^{r_2})^{r_3}$, $Y_4 = (g_1^{r_1}/g_1^{r_3})^{r_4}$.
• Key computation: $U_i$ computes $sk_i = (X_{i-1})^{4 r_i} \cdot Y_i^{3} \cdot Y_{i+1}^{2} \cdot Y_{i+2}$, i.e.
  $U_1: sk_1 = (g_1^{r_4 r_1})^4 \cdot Y_1^3 Y_2^2 Y_3$,
  $U_2: sk_2 = (g_1^{r_1 r_2})^4 \cdot Y_2^3 Y_3^2 Y_4$,
  $U_3: sk_3 = (g_1^{r_2 r_3})^4 \cdot Y_3^3 Y_4^2 Y_1$,
  $U_4: sk_4 = (g_1^{r_3 r_4})^4 \cdot Y_4^3 Y_1^2 Y_2$.
• Since $Y_i = g_1^{r_i r_{i+1} - r_{i-1} r_i}$, the telescoping products coincide:
  $sk = g_1^{r_1 r_2 + r_2 r_3 + r_3 r_4 + r_4 r_1} \bmod p$.
• The protocol is unauthenticated: any party able to inject $X_i$ and $Y_i$ messages can join the group. The next slide binds each message to the password.
M. Burmester and Y. Desmedt. “A Secure and Efficient Conference Key Distribution System,” In Proc. of EUROCRYPT ’94.
Protocol
(the proposed protocol, again for n = 4 users $U_1, \dots, U_4$; indices mod 4)
• Each $U_i$ chooses $r_i \in_R \mathbb{Z}_q$.
• Round 1: $U_i$ broadcasts $X_i = g_1^{r_i} \cdot g_2^{H(U_i \,\|\, pw)}$, i.e.
  $X_1 = g_1^{r_1} g_2^{H(U_1 \| pw)}$, $X_2 = g_1^{r_2} g_2^{H(U_2 \| pw)}$, $X_3 = g_1^{r_3} g_2^{H(U_3 \| pw)}$, $X_4 = g_1^{r_4} g_2^{H(U_4 \| pw)}$.
• Round 2: $U_i$ strips the password term from its neighbours' messages, $X_j / g_2^{H(U_j \| pw)} = g_1^{r_j}$ for $j = i \pm 1$, and broadcasts $Y_i = (g_1^{r_{i+1}} / g_1^{r_{i-1}})^{r_i}$, i.e.
  $Y_1 = (g_1^{r_2}/g_1^{r_4})^{r_1}$, $Y_2 = (g_1^{r_3}/g_1^{r_1})^{r_2}$, $Y_3 = (g_1^{r_4}/g_1^{r_2})^{r_3}$, $Y_4 = (g_1^{r_1}/g_1^{r_3})^{r_4}$.
• Key computation: $U_i$ computes $k_i = (g_1^{r_{i-1} r_i})^4 \cdot Y_i^{3} \cdot Y_{i+1}^{2} \cdot Y_{i+2}$, where $g_1^{r_{i-1} r_i} = (X_{i-1} / g_2^{H(U_{i-1} \| pw)})^{r_i}$, i.e.
  $U_1: k_1 = (g_1^{r_4 r_1})^4 \cdot Y_1^3 Y_2^2 Y_3$,
  $U_2: k_2 = (g_1^{r_1 r_2})^4 \cdot Y_2^3 Y_3^2 Y_4$,
  $U_3: k_3 = (g_1^{r_2 r_3})^4 \cdot Y_3^3 Y_4^2 Y_1$,
  $U_4: k_4 = (g_1^{r_3 r_4})^4 \cdot Y_4^3 Y_1^2 Y_2$.
• Session key:
  $sk = F_k(U_1 \| \cdots \| U_4 \| X_1 \| \cdots \| X_4 \| Y_1 \| \cdots \| Y_4)$, where $k = g_1^{r_1 r_2 + r_2 r_3 + r_3 r_4 + r_4 r_1}$.
• The password enters only as the exponent of $g_2$ in $X_i$. Because $r_i$ is uniform in $\mathbb{Z}_q$, $X_i$ is a uniform element of G whatever pw is, so a passive eavesdropper has nothing to test a password guess against; a party holding a wrong password strips the wrong term, obtains the wrong $g_1^{r_j}$, and ends up with a key unrelated to everyone else's. Note that the last step derives $sk$ from $k$ through the PRF F over the whole transcript instead of using $k$ directly as in Burmester-Desmedt.
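A complete four-party run of the exchange just described, written as an added example for this page (it is not the authors' code). It covers both slides: with pw=None the parties run the plain Burmester-Desmedt protocol, and with a password they run the proposed blinded variant. Everything concrete here is an assumed stand-in: a 64-bit safe prime found at runtime (toy size, not secure), SHA-256 reduced mod q for the hash H, HMAC-SHA256 for the PRF family F, and generators $g_1, g_2$ drawn as random squares by a seeded setup (in a real deployment nobody may know $\log_{g_1} g_2$). The function `reference_key` recomputes $k$ from the secret exponents purely to check the implementation.

```python
# Toy run of the password-authenticated Burmester-Desmedt group key exchange.
# Constructed example for this page, not the authors' code.  Assumed stand-ins: a 64-bit
# safe prime found at runtime (far too small for real use), SHA-256 mod q for the hash H,
# HMAC-SHA256 for the PRF family F, and g1, g2 drawn as random squares by a seeded setup.
import hashlib
import hmac
import random

def is_probable_prime(n: int, rounds: int = 16, rng=random.Random(0)) -> bool:
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_group(bits: int, seed: int):
    """Public parameters: safe prime p = 2q+1 and generators g1, g2 of the order-q subgroup of Z_p^*."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            break
    p = 2 * q + 1
    gens = []
    while len(gens) < 2:
        g = pow(rng.randrange(2, p - 1), 2, p)  # a square other than 1 has order exactly q
        if g != 1 and g not in gens:
            gens.append(g)
    return p, q, gens[0], gens[1]

def H(uid: str, pw: str, q: int) -> int:
    """H(U_i || pw) reduced into Z_q (SHA-256 stands in for the page's one-way hash H)."""
    return int.from_bytes(hashlib.sha256(f"{uid}||{pw}".encode()).digest(), "big") % q

def F(k: int, transcript: bytes) -> bytes:
    """sk = F_k(transcript); HMAC-SHA256 stands in for the PRF family F."""
    return hmac.new(k.to_bytes((k.bit_length() + 7) // 8, "big"), transcript, hashlib.sha256).digest()

class Party:
    """User U_i.  pw=None drops the password term and yields plain Burmester-Desmedt."""
    def __init__(self, uid: str, pw, group, rng: random.Random):
        self.uid, self.pw = uid, pw
        self.p, self.q, self.g1, self.g2 = group
        self.r = rng.randrange(1, self.q)  # r_i in Z_q
    def blind(self, uid: str) -> int:
        """g2^{H(uid || pw)}: the password term attached to uid's Round-1 message."""
        return 1 if self.pw is None else pow(self.g2, H(uid, self.pw, self.q), self.p)
    def unblind(self, uid: str, X: int) -> int:
        """X_j / g2^{H(U_j || pw)}; equals g1^{r_j} only when this party holds U_j's password."""
        return X * pow(self.blind(uid), self.p - 2, self.p) % self.p
    def round1(self) -> int:
        # X_i = g1^{r_i} * g2^{H(U_i || pw)}.  r_i is uniform, so X_i alone is consistent with
        # every password: an eavesdropper gets nothing to test a guess against.
        return pow(self.g1, self.r, self.p) * self.blind(self.uid) % self.p
    def round2(self, prev_uid: str, X_prev: int, next_uid: str, X_next: int) -> int:
        # Y_i = (g1^{r_{i+1}} / g1^{r_{i-1}})^{r_i}
        inv_prev = pow(self.unblind(prev_uid, X_prev), self.p - 2, self.p)
        return pow(self.unblind(next_uid, X_next) * inv_prev % self.p, self.r, self.p)
    def derive(self, i: int, uids: list, Xs: list, Ys: list):
        # k_i = (g1^{r_{i-1} r_i})^n * Y_i^{n-1} * Y_{i+1}^{n-2} * ... * Y_{i+n-2}
        n, p = len(uids), self.p
        k = pow(self.unblind(uids[i - 1], Xs[i - 1]), n * self.r, p)
        for j in range(n - 1):
            k = k * pow(Ys[(i + j) % n], n - 1 - j, p) % p
        transcript = "||".join(uids + [str(v) for v in Xs + Ys]).encode()
        return k, F(k, transcript)

def run_protocol(passwords: dict, bits: int = 64, seed: int = 2006):
    """One session among {uid: pw}; returns (group, exponents, {uid: (k_i, sk_i)})."""
    group = gen_group(bits, seed)
    rng = random.Random(seed + 1)
    uids = list(passwords)
    parties = [Party(u, passwords[u], group, rng) for u in uids]
    n = len(parties)
    Xs = [P.round1() for P in parties]                                   # Round 1 broadcast
    Ys = [parties[i].round2(uids[i - 1], Xs[i - 1], uids[(i + 1) % n], Xs[(i + 1) % n])
          for i in range(n)]                                              # Round 2 broadcast
    keys = {uids[i]: parties[i].derive(i, uids, Xs, Ys) for i in range(n)}
    return group, [P.r for P in parties], keys

def reference_key(group, rs: list) -> int:
    """k = g1^{r1 r2 + r2 r3 + ... + rn r1} from the secret exponents, for checking only."""
    p, q, g1, _ = group
    n = len(rs)
    return pow(g1, sum(rs[i] * rs[(i + 1) % n] for i in range(n)) % q, p)
```

Calling `run_protocol({"U1": "pw", "U2": "pw", "U3": "pw", "U4": "pw"})` returns four identical `(k, sk)` pairs whose `k` equals `reference_key`; giving one user a different password leaves that user with a key unrelated to the others, which is the behaviour an authenticated group key exchange must have. The `derive` step implements the general $n$-party formula $k_i = (g_1^{r_{i-1} r_i})^n \cdot \prod_{j=0}^{n-2} Y_{i+j}^{\,n-1-j}$, of which the slide's $n = 4$ expressions are the instance.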
Security Measurement
• Security theorem

$$\mathrm{Adv}^{\mathrm{pagke\text{-}kk\&fs}}_{\mathrm{PAGKE}}(t, q_{ex}, q_{se}) \le 2\,(n + 2n N_s + q_{se}) \cdot \mathrm{Adv}^{\mathrm{ddh}}_{G}(\cdot) + \mathrm{Adv}^{\mathrm{prf}}_{F}(\cdot) + \frac{2 q_{se}}{|PW|} + \frac{n\,(q_{se} + q_{ex})^2}{q},$$

where t is the maximum total game time including the adversary's running time, the adversary makes $q_{ex}$ Execute queries and $q_{se}$ Send queries, n is an upper bound on the number of parties in the game, $N_s$ is an upper bound on the number of sessions the adversary creates, and $|PW|$ is the size of the password space.
• Reading the bound: the DDH and PRF terms are negligible for a secure group and a secure PRF family; $2 q_{se}/|PW|$ is the unavoidable online-guessing term, since each Send query lets an active adversary test only a constant number of password guesses; the last term is a birthday-type bound on collisions among the fresh random values, which live in a set of size q.
• Under the intractability assumption of the DDH problem, and if F is a secure pseudo-random function family, the proposed protocol is secure against dictionary attacks and known-key attacks, and provides forward secrecy.
Thank you !
Jeong Ok Kwon ([email protected])