Modeling Leakage of Ephemeral Secrets in Tripartite/Group Key Exchange
Lecture Notes in Computer Science
Recent advances in the design and analysis of secure two-party key exchange (2KE), such as modeling the leakage of ephemeral secrets used during the attacked sessions, have remained unnoticed by the current models for group key exchange (GKE). Focusing on a special case of GKE, the tripartite key exchange (3KE), which allows for efficient one-round protocols, we demonstrate how to incorporate these advances into the multi-party setting. From this perspective our work closes the most pronounced gap between secure 2KE and GKE protocols. The proposed 3KE protocol is an implicitly authenticated protocol with one communication round which remains secure even in the event of ephemeral secret leakage. It also significantly improves upon currently known 3KE protocols, many of which are insecure. An optional key confirmation round can be added to our proposal to obtain an explicitly authenticated variant.

Introduction

Bellare and Rogaway and Blake-Wilson, Johnson and Menezes independently proposed models for analyzing the security of two-party key exchange (2KE) protocols in the shared-key and public-key settings, respectively. In their approach an adversary is given the ability to interact with parties and controls the communication, with the simple goal of distinguishing a test session key from a random key. Motivated by the signed variant¹ of the classical unauthenticated Diffie-Hellman protocol, Canetti and Krawczyk argued that it is desirable to augment the 2KE adversary with the ability to learn session-specific and protocol-defined ephemeral information that is not related to the test session. LaMacchia, Lauter and Mityagin allowed leakage of some test-session-specific ephemeral information under certain conditions. Menezes and Ustaoglu extended the timing of the information leakage. All these developments were within the framework of two-party key exchange.

Group key exchange (GKE) protocols are essentially the generalization of 2KE protocols to the group case. However, this generalization brings additional problems in both the design and the analysis of the protocols. The first formal model for GKE protocols was described by Bresson et al., inspired by the two-party approach; many modifications and improvements appeared thereafter (see the survey). GKE models mainly focus on outsider security, which is modeled through the requirement of AKE-security, e.g. [5, 4, 21, 9], as this requirement deals explicitly with the secrecy of the established keys, which becomes meaningless if the adversary is an insider. Yet several models, e.g. [20, 6, 8, 15, 14], consider optional insider security, aiming to prevent attacks by which insiders force parties to complete either with different keys (usually modeled as MA-security) or with keys that have a biased distribution (usually modeled as contributiveness). Several compilers have been proposed to augment AKE-secure protocols with security against insider attacks, e.g. [20, 6, 7]. Besides the consideration of outsider and insider security, GKE models differ in the treatment of corruptions. Earlier

¹ In the signed Diffie-Hellman protocol users sign outgoing ephemeral public keys with their static keys.
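The signed Diffie-Hellman variant of footnote 1, together with the ephemeral-leakage concern that motivated Canetti and Krawczyk and the later eCK-style models, as an added worked example that is not part of the paper: both parties sign their ephemeral public keys with static keys, the session key is derived from g^{xy}, and an adversary who obtains one party's ephemeral exponent x recovers the session key from the public transcript alone, without touching any static key. The tampering check at the end shows the other side of the coin, namely what the static signatures do protect against. The group (a freshly generated 64-bit safe prime with g = 4), the Schnorr signature over the same group, SHA-256 as hash and key-derivation function, the identity strings "A"/"B" and the seeded RNG are all assumptions made to keep the block self-contained in the Python standard library; they are not choices taken from the paper.

```python
"""Signed Diffie-Hellman and ephemeral-secret leakage (added illustration, not
the paper's protocol).  Toy assumptions: 64-bit safe prime, g = 4, Schnorr
signatures over the same group, SHA-256 as hash/KDF, seeded RNG."""
import hashlib
import random

def is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin after trial division by small primes."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def make_group(bits, rng):
    """Safe prime p = 2q + 1; 4 = 2^2 generates the prime-order-q subgroup."""
    while True:
        q = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q, rng) and is_probable_prime(2 * q + 1, rng):
            return {"p": 2 * q + 1, "q": q, "g": 4}

def challenge(grp, *parts):
    """Fiat-Shamir challenge mod q (a real protocol would use a canonical encoding)."""
    data = b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % grp["q"]

def keygen(grp, rng):
    """Exponent in [1, q-1] and the matching group element (static or ephemeral)."""
    sk = rng.randrange(1, grp["q"])
    return sk, pow(grp["g"], sk, grp["p"])

def sign(grp, sk, pk, msg, rng):
    """Key-prefixed Schnorr signature (R, s) on msg under static key sk."""
    k = rng.randrange(1, grp["q"])
    R = pow(grp["g"], k, grp["p"])
    return R, (k + challenge(grp, "sig", R, pk, msg) * sk) % grp["q"]

def verify(grp, pk, msg, sig):
    """Accept iff g^s == R * pk^c, i.e. the signer knew log_g(pk)."""
    R, s = sig
    c = challenge(grp, "sig", R, pk, msg)
    return pow(grp["g"], s, grp["p"]) == R * pow(pk, c, grp["p"]) % grp["p"]

def session_key(X, Y, shared):
    """KDF over the transcript and the DH value g^{xy}."""
    return hashlib.sha256(f"key|{X}|{Y}|{shared}".encode()).hexdigest()

def run_signed_dh(grp, rng, alice, bob):
    """One run between Alice and Bob (static keypairs); returns transcript,
    both session keys and Alice's ephemeral x so leakage can be simulated."""
    a_sk, a_pk = alice
    b_sk, b_pk = bob
    p = grp["p"]
    # Alice -> Bob: ephemeral X and a static signature binding X to the peers
    x, X = keygen(grp, rng)
    msg1 = ("A", "B", X)
    sig1 = sign(grp, a_sk, a_pk, msg1, rng)
    # Bob verifies before committing his own ephemeral share
    if not verify(grp, a_pk, msg1, sig1):
        raise ValueError("Bob rejects message 1")
    y, Y = keygen(grp, rng)
    msg2 = ("B", "A", X, Y)
    sig2 = sign(grp, b_sk, b_pk, msg2, rng)
    key_b = session_key(X, Y, pow(X, y, p))
    # Alice verifies and derives the same key from Y^x
    if not verify(grp, b_pk, msg2, sig2):
        raise ValueError("Alice rejects message 2")
    key_a = session_key(X, Y, pow(Y, x, p))
    return {"X": X, "Y": Y, "msg1": msg1, "sig1": sig1,
            "x": x, "key_a": key_a, "key_b": key_b}

def key_from_leaked_ephemeral(grp, X, Y, x):
    """Adversary view: public (X, Y) plus Alice's leaked ephemeral x.
    No static key is needed; the signatures only prevent impersonation."""
    return session_key(X, Y, pow(Y, x, grp["p"]))

def demo(seed=2009, bits=64):
    """Run the protocol, the leakage attack and a tampering attempt."""
    rng = random.Random(seed)  # seeded for reproducibility; use secrets in practice
    grp = make_group(bits, rng)
    alice, bob = keygen(grp, rng), keygen(grp, rng)
    run = run_signed_dh(grp, rng, alice, bob)
    leaked = key_from_leaked_ephemeral(grp, run["X"], run["Y"], run["x"])
    # Active adversary without Alice's static key: altered X must be rejected
    tampered = verify(grp, alice[1], ("A", "B", run["X"] + 1), run["sig1"])
    return {"grp": grp, "alice_pk": alice[1], "run": run,
            "leaked_key": leaked, "tampered_accepted": tampered}

if __name__ == "__main__":
    d = demo()
    print("keys agree:", d["run"]["key_a"] == d["run"]["key_b"])
    print("leaked x recovers key:", d["leaked_key"] == d["run"]["key_a"])
    print("tampered message accepted:", d["tampered_accepted"])
```

The run illustrates the distinction the models above draw: the static signatures stop an active outsider from substituting shares, but once the test session's own ephemeral x leaks the key is gone, which is exactly the case signed Diffie-Hellman cannot survive and the later 2KE models (and the 3KE protocol of this paper) set out to cover.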