TCC 2006

Research on Password-Authenticated Group Key Exchange

Jeong Ok Kwon, Ik Rae Jeong, and Dong Hoon Lee (CIST, Korea Univ.)

Kouchi Sakurai (Kyushu Univ.)

March 5, 2006

Page 2: Motivation

• A fundamental problem in cryptography is how to communicate securely over an insecure channel.

[Figure: two parties holding a shared session key sk, which gives them data privacy/integrity]

Page 3: Motivation

How can we obtain a secret session key?

• Public-key encryption or signatures
  – the cost is too high for certain applications

• Password-Authenticated Key Exchange (PAKE)
  – PAKE lets the specified parties share a secret key using just a human-memorable password.
  – convenience, mobility, and fewer hardware requirements
  – no security infrastructure (no PKI) is needed

Page 4: Classification of PAKE

• According to the number of parties sharing a session key
  – Two-party
  – Multi-party (group)

• According to whether the pre-shared passwords are the same
  – Parties with the same password
  – Parties with different passwords

• According to whether a server is needed
  – Model requiring the help of a server
  – Model not requiring the help of a server

• According to the form in which client and server hold the password
  – Symmetric model
  – Asymmetric model (verifier-based model)

Page 5: Our research topic on PAKE

Within the classification above, our topic is Password-Authenticated Group Key Exchange (PAGKE): the multi-party (group) case.

Page 6: PAGKE: Setting

• A broadcast group consisting of a set of users
  – each user holds a low-entropy secret (pw)

[Figure: a group of users, each holding pw, that ends up sharing a group session key sk]

Page 7: Previous Works

• “Efficient Password-Based Group Key Exchange” (TrustBus ’04) - S. M. Lee, J. Y. Hwang, and D. H. Lee.
  – a provably secure constant-round PAGKE protocol
  – forward-secure and secure against known-key attacks
  – ideal-cipher and ideal-hash assumptions

• “Password-based Group Key Exchange in a Constant Number of Rounds” (PKC ’06) - Abdalla, E. Bresson, O. Chevassut, and D. Pointcheval.
  – a provably secure constant-round PAGKE protocol
  – secure against known-key attacks
  – ideal-cipher and ideal-hash assumptions

Page 8: Our Goal

• The focus of this work is to provide a provably-secure constant-round PAGKE protocol without using the random oracle model.

Page 9: Preliminaries for the protocol

• Public information
  – $G$ : a finite cyclic group of prime order $q$
  – $p$ : a safe prime such that $p = 2q + 1$
  – $g_1, g_2$ : generators of $G$
  – $H$ : a one-way hash function
  – $F$ : a pseudorandom function family

Page 10: Burmester and Desmedt’s Protocol

Users $U_1, U_2, U_3, U_4$; indices are taken cyclically, so $U_0 = U_4$ and $U_5 = U_1$.

Round 1: each $U_i$ chooses a random exponent $r_i$ and broadcasts $X_i = g^{r_i}$:
  $X_1 = g^{r_1}$, $X_2 = g^{r_2}$, $X_3 = g^{r_3}$, $X_4 = g^{r_4}$.

Round 2: each $U_i$ computes $(X_{i+1}/X_{i-1})^{r_i}$ and broadcasts $Y_i = g^{r_i r_{i+1}} / g^{r_{i-1} r_i}$:
  $Y_1 = g^{r_1 r_2}/g^{r_4 r_1}$, $Y_2 = g^{r_2 r_3}/g^{r_1 r_2}$, $Y_3 = g^{r_3 r_4}/g^{r_2 r_3}$, $Y_4 = g^{r_4 r_1}/g^{r_3 r_4}$.

Key computation (each user starts from its left neighbour’s value, $X_{i-1}^{r_i} = g^{r_{i-1} r_i}$):
  $U_1$: $sk = (g^{r_4 r_1})^4 \cdot Y_1^3 \cdot Y_2^2 \cdot Y_3$
  $U_2$: $sk = (g^{r_1 r_2})^4 \cdot Y_2^3 \cdot Y_3^2 \cdot Y_4$
  $U_3$: $sk = (g^{r_2 r_3})^4 \cdot Y_3^3 \cdot Y_4^2 \cdot Y_1$
  $U_4$: $sk = (g^{r_3 r_4})^4 \cdot Y_4^3 \cdot Y_1^2 \cdot Y_2$

The products telescope, so all four users obtain the same key:
  $sk = g^{r_1 r_2 + r_2 r_3 + r_3 r_4 + r_4 r_1} \bmod p$.

M. Burmester and Y. Desmedt. “A Secure and Efficient Conference Key Distribution System,” In Proc. of EUROCRYPT ’94.

Page 11: Protocol

Users $U_1, U_2, U_3, U_4$ share the password $pw$; indices are taken cyclically, so $U_0 = U_4$ and $U_5 = U_1$.

Round 1: each $U_i$ chooses a random exponent $r_i$ and broadcasts $X_i = g_1^{r_i} \cdot g_2^{H(pw \| U_i)}$:
  $X_1 = g_1^{r_1} g_2^{H(pw \| U_1)}$, $X_2 = g_1^{r_2} g_2^{H(pw \| U_2)}$, $X_3 = g_1^{r_3} g_2^{H(pw \| U_3)}$, $X_4 = g_1^{r_4} g_2^{H(pw \| U_4)}$.

Round 2: using $pw$, $U_i$ divides the factors $g_2^{H(pw \| U_{i+1})}$ and $g_2^{H(pw \| U_{i-1})}$ out of its neighbours’ messages to recover $g_1^{r_{i+1}}$ and $g_1^{r_{i-1}}$ (without $pw$ this step is not possible), raises their quotient to $r_i$, and broadcasts $Y_i = g_1^{r_i r_{i+1}} / g_1^{r_{i-1} r_i}$:
  $Y_1 = g_1^{r_1 r_2}/g_1^{r_4 r_1}$, $Y_2 = g_1^{r_2 r_3}/g_1^{r_1 r_2}$, $Y_3 = g_1^{r_3 r_4}/g_1^{r_2 r_3}$, $Y_4 = g_1^{r_4 r_1}/g_1^{r_3 r_4}$.

Key computation: exactly as in Burmester-Desmedt,
  $U_1$: $k = (g_1^{r_4 r_1})^4 \cdot Y_1^3 \cdot Y_2^2 \cdot Y_3$
  $U_2$: $k = (g_1^{r_1 r_2})^4 \cdot Y_2^3 \cdot Y_3^2 \cdot Y_4$
  $U_3$: $k = (g_1^{r_2 r_3})^4 \cdot Y_3^3 \cdot Y_4^2 \cdot Y_1$
  $U_4$: $k = (g_1^{r_3 r_4})^4 \cdot Y_4^3 \cdot Y_1^2 \cdot Y_2$
so every user holds $k = g_1^{r_1 r_2 + r_2 r_3 + r_3 r_4 + r_4 r_1}$. The session key is derived from $k$ and the whole transcript with the PRF:
  $sk = F_k(U_1 \| \cdots \| U_4 \| X_1 \| \cdots \| X_4 \| Y_1 \| \cdots \| Y_4)$.
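The two protocols on pages 10 and 11, simulated end to end for a small group, as an added example (not the authors’ code or an implementation from the paper). It assumes constructed toy parameters that the slides do not specify: the order-$q$ subgroup of $\mathbb{Z}_p^*$ for a deterministically found ~61-bit safe prime $p = 2q+1$ (far too small for real use), $g_1 = 4$ and $g_2 = 9$, SHA-256 reduced mod $q$ as $H$, and HMAC-SHA256 as $F_k$. `run_bd` returns the exponents so the closed form $g^{r_1 r_2 + r_2 r_3 + r_3 r_4 + r_4 r_1}$ from page 10 can be checked directly, and it handles any group size $n$, not only $n = 4$; `run_pagke` gives each user its own password view, so a run where one user holds the wrong password shows that such a user cannot strip the $g_2$ factors from its neighbours’ messages and ends up with a different key.

```python
"""Toy run of Burmester-Desmedt (BD) group key exchange and of the slides'
password-authenticated variant (X_i = g1^{r_i} g2^{H(pw||U_i)}, sk = F_k(...)).
Added example, not the authors' code.  Constructed choices: the group is the
order-q subgroup of Z_p^* for a ~61-bit safe prime p = 2q+1 (toy size, no
security), H is SHA-256 reduced mod q, F_k is HMAC-SHA256 keyed with k."""
import hashlib
import hmac
import secrets

def is_prime(n: int) -> bool:
    """Miller-Rabin with the first 12 prime bases: deterministic for n < 3.3e24."""
    bases = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime_from(start: int):
    """First safe prime p = 2q+1 with prime q >= start (deterministic toy parameters)."""
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

P, Q = safe_prime_from(1 << 60)
G1, G2 = 4, 9          # squares mod p, hence generators of the order-q subgroup (toy choice)
KLEN = (P.bit_length() + 7) // 8

def H(pw: str, uid: str) -> int:
    """One-way hash of pw||U_i, used as an exponent (constructed instantiation)."""
    return int.from_bytes(hashlib.sha256(f"{pw}||{uid}".encode()).digest(), "big") % Q

def F(k: int, msg: bytes) -> bytes:
    """PRF family F_k (constructed instantiation: HMAC-SHA256)."""
    return hmac.new(k.to_bytes(KLEN, "big"), msg, hashlib.sha256).digest()

def round1(r_i: int, uid: str, pw=None) -> int:
    """Round 1: X_i = g1^{r_i} (BD) or g1^{r_i} * g2^{H(pw||U_i)} (password-authenticated)."""
    x = pow(G1, r_i, P)
    return x if pw is None else x * pow(G2, H(pw, uid), P) % P

def unblind(x_j: int, uid_j: str, pw) -> int:
    """Strip the password factor from a neighbour's X_j; only a holder of pw can do this."""
    return x_j if pw is None else x_j * pow(pow(G2, H(pw, uid_j), P), -1, P) % P

def round2(i: int, r_i: int, X: list, uids: list, pw=None) -> int:
    """Round 2: Y_i = (g1^{r_{i+1}} / g1^{r_{i-1}})^{r_i}, indices cyclic."""
    n = len(X)
    nxt = unblind(X[(i + 1) % n], uids[(i + 1) % n], pw)
    prv = unblind(X[(i - 1) % n], uids[(i - 1) % n], pw)
    return pow(nxt * pow(prv, -1, P) % P, r_i, P)

def shared_secret(i: int, r_i: int, X: list, Y: list, uids: list, pw=None) -> int:
    """k = (g1^{r_{i-1} r_i})^n * Y_i^{n-1} * Y_{i+1}^{n-2} * ... * Y_{i-2},
    which telescopes to g1^{r_1 r_2 + r_2 r_3 + ... + r_n r_1} (the BD key)."""
    n = len(X)
    k = pow(unblind(X[(i - 1) % n], uids[(i - 1) % n], pw), n * r_i, P)
    for j in range(n - 1):
        k = k * pow(Y[(i + j) % n], n - 1 - j, P) % P
    return k

def run_bd(n: int = 4):
    """Plain BD among n users; returns (exponents, per-user key) so the closed form can be checked."""
    uids = [f"U{i + 1}" for i in range(n)]
    r = [secrets.randbelow(Q - 1) + 1 for _ in range(n)]
    X = [round1(r[i], uids[i]) for i in range(n)]
    Y = [round2(i, r[i], X, uids) for i in range(n)]
    return r, [shared_secret(i, r[i], X, Y, uids) for i in range(n)]

def run_pagke(passwords: list) -> list:
    """Password-authenticated run; user i believes the password is passwords[i]. Returns each sk."""
    n = len(passwords)
    uids = [f"U{i + 1}" for i in range(n)]
    r = [secrets.randbelow(Q - 1) + 1 for _ in range(n)]
    X = [round1(r[i], uids[i], passwords[i]) for i in range(n)]
    Y = [round2(i, r[i], X, uids, passwords[i]) for i in range(n)]
    transcript = "||".join(uids + [str(x) for x in X] + [str(y) for y in Y]).encode()
    return [F(shared_secret(i, r[i], X, Y, uids, passwords[i]), transcript) for i in range(n)]

def all_equal(keys: list) -> bool:
    """True when every user derived the same key."""
    return len(set(keys)) == 1
```

`run_pagke(["hunter2"] * 4)` yields four identical 32-byte keys; `run_pagke(["hunter2"] * 3 + ["hunter3"])` does not, because the fourth user divides the wrong $g_2$ factors out of $X_3$ and $X_1$ and the others divide the wrong factor out of $X_4$. Note that in this toy the password only enters through the blinding factors; the dictionary-attack resistance argued on page 12 rests on those factors being indistinguishable from random group elements under DDH, not on anything this simulation measures.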

Page 12: Security Measurement

• Security theorem:

  $\mathrm{Adv}^{\mathrm{pagke\text{-}kk\&fs}}_{\mathrm{PAGKE}}(t, q_{ex}, q_{se}) \le (n + 2n N_s + q_{se}) \cdot \mathrm{Adv}^{\mathrm{ddh}}_{G}(\cdot) + \mathrm{Adv}^{\mathrm{prf}}_{F}(\cdot) + \frac{q_{se}}{PW} + \frac{2 q_{se}\, n\, (q_{se} + q_{ex})^2}{q}$

  where $t$ is the maximum total game time, including the adversary’s running time; the adversary makes $q_{ex}$ Execute queries and $q_{se}$ Send queries; $n$ is an upper bound on the number of parties in the game; $N_s$ is an upper bound on the number of sessions the adversary creates; and $PW$ is the size of the password space.

• Under the intractability assumption of the DDH problem, and if $F$ is a secure pseudorandom function family, the proposed protocol is secure against dictionary attacks and known-key attacks, and provides forward secrecy. The $q_{se}/PW$ term is the online guessing an adversary can never be prevented from doing: each Send query lets it test at most one password.

Page 13

Thank you !

Jeong Ok Kwon ([email protected])