Key agreement in dynamic peer groups

Steiner, Michael; Tsudik, Gene; Waidner, Michael

doi:10.1109/71.877936

Cited by 499 publications

(300 citation statements)

References 29 publications

Supporting

Mentioning

297

Contrasting

Unclassified

Order By: Relevance

“…In this class a number of variants exists. The most prominent ones besides Discrete Logarithm (DL) itself are the computational and decisional Diffie-Hellman (DH) assumptions [2,3,4] and their generalization [5,6]. Less known assumptions are Matching Diffie-Hellman [7,8], Square Exponent 1 (SE) [10,11], and the Inverse Exponent (IE) [12], an assumption also implicitly required for the security of [13,14].…”

Section: Introductionmentioning

confidence: 99%

Assumptions Related to Discrete Logarithms: Why Subtleties Make a Real Difference

Sadeghi

Steiner

2001

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. The security of many cryptographic constructions relies on assumptions related to Discrete Logarithms (DL), e.g., the Diffie-Hellman, Square Exponent, Inverse Exponent or Representation Problem assumptions. In the concrete formalizations of these assumptions one has some degrees of freedom offered by parameters such as computational model, the problem type (computational, decisional) or success probability of adversary. However, these parameters and their impact are often not properly considered or are simply overlooked in the existing literature. In this paper we identify parameters relevant to cryptographic applications and describe a formal framework for defining DL-related assumptions. This enables us to precisely and systematically classify these assumptions. In particular, we identify a parameter, termed granularity, which describes the underlying probability space in an assumption. Varying granularity we discover the following surprising result: We prove that two DLrelated assumptions can be reduced to each other for medium granularity but we also show that they are provably not reducible with generic algorithms for high granularity. Further we show that reductions for medium granularity can achieve much better concrete security than equivalent high-granularity reductions.

show abstract

Section: Introductionmentioning

confidence: 99%

Assumptions Related to Discrete Logarithms: Why Subtleties Make a Real Difference

Sadeghi

Steiner

2001

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…The group KE protocols proposed by Ingemarsson et al [43], Burmester and Desmedt [29], and Steiner et al [58] may be the most well-known. Among them, Burmester-Desmedt protocol has been shown to be secure against passive eavesdropping in the standard model by Katz and Yung [48].…”

Section: Group Key Exchangementioning

confidence: 99%

“…A number of works have considered extending the 2-party Diffie-Hellman protocol [36] to the multi-party setting [43,57,29,58,10,50,51]. Among them, the works of Ingemarsson et al [43], Burmester and Desmedt [29], and Steiner et al [58] may be the most well-known. They are merely key exchange (KE) protocols, intended to be secure against a passive adversary only.…”

Section: Introductionmentioning

confidence: 99%

ID-Based Group Password-Authenticated Key Exchange

Tso

Okamoto

2009

Advances in Information and Computer Security

View full text Add to dashboard Cite

Abstract-Password-authenticated key exchange (PAKE) protocols are designed to be secure even when the secret key used for authentication is a human-memorable password. In this paper, we consider PAKE protocols in the group scenario, in which a group of clients, each of them shares a password with an "honest but curious" server, intend to establish a common secret key (i.e., a group key) with the help of the server. In this setting, the key established is known to the clients only and no one else, including the server. Each client needs to remember passwords only while the server keeps passwords in addition to private keys related to his identity. Towards our goal, we present a compiler that transforms any group key exchange (KE) protocol secure against a passive eavesdropping to a group PAKE which is secure against an active adversary who controls all communication in the network. This compiler is built on any group KE protocol (e.g., the Burmester-Desmedt protocol), any identity-based encryption (IBE) scheme (e.g., Gentry's scheme), and any identity-based signature (IBS) scheme (e.g., Paterson-Schuldt scheme). It adds only two rounds and O(1) communication (per client) to the original group KE protocol. As long as the underlying group KE protocol, IBE scheme and an IBS scheme have provably security without random oracles, a group PAKE constructed by our compiler can be proven to be secure without random oracles.

show abstract

“…Following their work, many GKA protocols such as [15,2,10,4,12] were proposed. One of these protocols, BurmesterDesmedt (BD) [2] protocol, is an efficient and secure GKA protocol, which Katz and Yung [9] recently provided a rigorous security proof in the standard model.…”

Section: Related Workmentioning

confidence: 99%