Password-Authenticated Group Key Agreement with Adaptive Security and Contributiveness

Abstract: Abstract. Adaptively-secure key exchange allows the establishment of secure channels even in the presence of an adversary that can corrupt parties adaptively and obtain their internal states. In this paper, we give a formal definition of contributory protocols and define an ideal functionality for password-based group key exchange with explicit authentication and contributiveness in the UC framework. As with previous definitions in the same framework, our definitions do not assume any particular distribution o… Show more

“…This is also a necessary assumption for realizing PAKE schemes in the UC framework as shown by [19]. Like [5], our protocol achieves a strong 2 notion of contributiveness in the UC framework. In particular, even if it can control all the network communications, the adversary cannot bias the key as long as one of the players involved in the protocol is honest.…”

“…With few exceptions (e.g., [1]), most protocols in this setting are built from scratch and are quite complex. Among these protocols, we can clearly identify two types of protocols: constant-round protocols (e.g., [8,14,5]) and those whose number of communication rounds depends on the number of users involved in the protocol execution (e.g., [15]). Since constant-round protocols are generally easier to implement and less susceptible to synchronization problems when the number of user increases, we focus our attention on these protocols.…”

“…Since constant-round protocols are generally easier to implement and less susceptible to synchronization problems when the number of user increases, we focus our attention on these protocols. More precisely, we build upon the works of Abdalla, Catalano, Chevalier, and Pointcheval [5] and Abdalla, Bohli, González Vasco, and Steinwandt [1] and propose a new generic compiler which converts any two-party password-authenticated key exchange protocol into a password-authenticated group key exchange protocol. Like [1], our protocol relies on a common reference string (CRS) which seems to be a reasonable assumption when one uses a public software, that is somewhat "trusted".…”

“…The first one regards the optimality of the security, which only allows one password test per subgroup. As mentioned in [5] and in Barak et al [9], without any strong authentication mechanisms, which is the case in the passwordbased scenario, the adversary can always partition the players into disjoint subgroups and execute independent sessions of the protocol with each subgroup, playing the role of the other players. As a result, an adversary can always use each one of these partitions to test the passwords used by each subgroup.…”

“…Since this attack is unavoidable, this is the best security guarantee that we can hope for. In contrast, the protocol in [5] required an additional password test for each user in the group.…”

Contributory Password-Authenticated Group Key Exchange with Join Capability

“…This is also a necessary assumption for realizing PAKE schemes in the UC framework as shown by [19]. Like [5], our protocol achieves a strong 2 notion of contributiveness in the UC framework. In particular, even if it can control all the network communications, the adversary cannot bias the key as long as one of the players involved in the protocol is honest.…”

“…With few exceptions (e.g., [1]), most protocols in this setting are built from scratch and are quite complex. Among these protocols, we can clearly identify two types of protocols: constant-round protocols (e.g., [8,14,5]) and those whose number of communication rounds depends on the number of users involved in the protocol execution (e.g., [15]). Since constant-round protocols are generally easier to implement and less susceptible to synchronization problems when the number of user increases, we focus our attention on these protocols.…”

“…Since constant-round protocols are generally easier to implement and less susceptible to synchronization problems when the number of user increases, we focus our attention on these protocols. More precisely, we build upon the works of Abdalla, Catalano, Chevalier, and Pointcheval [5] and Abdalla, Bohli, González Vasco, and Steinwandt [1] and propose a new generic compiler which converts any two-party password-authenticated key exchange protocol into a password-authenticated group key exchange protocol. Like [1], our protocol relies on a common reference string (CRS) which seems to be a reasonable assumption when one uses a public software, that is somewhat "trusted".…”

“…The first one regards the optimality of the security, which only allows one password test per subgroup. As mentioned in [5] and in Barak et al [9], without any strong authentication mechanisms, which is the case in the passwordbased scenario, the adversary can always partition the players into disjoint subgroups and execute independent sessions of the protocol with each subgroup, playing the role of the other players. As a result, an adversary can always use each one of these partitions to test the passwords used by each subgroup.…”

“…Since this attack is unavoidable, this is the best security guarantee that we can hope for. In contrast, the protocol in [5] required an additional password test for each user in the group.…”

Contributory Password-Authenticated Group Key Exchange with Join Capability

Universally composable three‐party password‐authenticated key exchange with contributiveness

UC-secure and Contributory Password-Authenticated Group Key Exchange