Security Model. We assume that the reader is familiar with the model of ▇▇▇▇▇▇▇ et al. [14], which is the model in which we prove security of our dynamic key agreement protocol. For completeness, we review their definitions and refer the reader to [14] for more details.

Let P = {U_1, . . . , U_n} be a set of n (fixed) users or participants. A user can execute the protocol for group key agreement several times with different partners, and can join or leave the group at its desire by executing the protocols for Insert or Delete. We assume that users do not deviate from the protocol and that the adversary never participates as a user in the protocol. This adversarial model allows concurrent execution of the protocol. The interaction between the adversary A and the protocol participants occurs only via oracle queries, which model the adversary's capabilities in a real attack. These queries are as follows, where Π_U^i denotes the i-th instance of user U and sk_U^i denotes the session key after execution of the protocol by Π_U^i.

– Send(U, i, m): This query models an active attack, in which the adversary may intercept a message and then either modify it, create a new one or simply forward it to the intended participant. The output of the query is the reply (if any) generated by the instance Π_U^i upon receipt of message m. The adversary is allowed to prompt the unused instance Π_U^i to initiate the protocol with partners U_2, . . . , U_l, l ≤ n, by invoking Send(U, i, ⟨U_2, . . . , U_l⟩).
– Execute({(V_1, i_1), . . . , (V_l, i_l)}): Here {V_1, . . . , V_l} is a non-empty subset of P. This query models passive attacks in which the attacker eavesdrops on an honest execution of the group key agreement protocol among the unused instances Π_{V_1}^{i_1}, . . . , Π_{V_l}^{i_l} and outputs the transcript of the execution. A transcript consists of the messages that were exchanged during the honest execution of the protocol.
– Join({(V_1, i_1), . . . , (V_l, i_l)}, (U, i)): This query models the insertion of a user instance Π_U^i in the group (V_1, . . . , V_l) ∈ P for which Execute has already been queried. The output of this query is the transcript generated by the invocation of algorithm Insert. If Execute({(V_1, i_1), . . . , (V_l, i_l)}) has not taken place, then the adversary is given no output.
– Leave({(V_1, i_1), . . . , (V_l, i_l)}, (U, i)): This query models the removal of a user instance Π_U^i from the group (V_1, . . . , V_l) ∈ P. If Execute({(V_1, i_1), . . . , (V_l, i_l)}) has not taken place, then the adversary is given no output. Otherwise, algorithm Delete is invoked. The adversary is given the transcript generated by the honest execution of procedure Delete.
– Reveal(U, i): This outputs the session key sk_U^i. This query models the misuse of session keys, i.e. the known session key attack.
– Corrupt(U): This outputs the long-term secret key (if any) of player U. The adversarial model that we adopt is a weak-corruption model in the sense that only the long-term secret keys are compromised, but the ephemeral keys or the internal data of the protocol participants are not corrupted. This query models (perfect) forward secrecy.
– Test(U, i): This query is allowed only once, at any time during the adversary's execution. A bit b ∈ {0, 1} is chosen uniformly at random. The adversary is given sk_U^i if b = 1, and a random session key if b = 0. This oracle captures the adversary's ability to distinguish a real session key from a random one.

An adversary which has access to the Execute, Join, Leave, Reveal, Corrupt and Test oracles is considered to be passive, while an active adversary is given access to the Send oracle in addition. We also use the following notation.

sid_U^i: session identity for instance Π_U^i. We set sid_U^i = S = {(U_1, i_1), . . . , (U_k, i_k)} such that (U, i) ∈ S and Π_{U_1}^{i_1}, . . . , Π_{U_k}^{i_k} wish to agree upon a common key.
pid_U^i: partner identity for instance Π_U^i, defined by pid_U^i = {U_1, . . . , U_k} such that (U_j, i_j) ∈ sid_U^i for all 1 ≤ j ≤ k.
acc_U^i: 0/1-valued variable which is set to 1 by Π_U^i upon normal termination of the session and 0 otherwise.

The adversary can ask Send, Execute, Join, Leave, Reveal and Corrupt queries several times, but the Test query is asked only once and on a fresh instance. We say that an instance Π_U^i is fresh unless either the adversary, at some point, queried Reveal(U, i) or Reveal(U', j) with U' ∈ pid_U^i, or the adversary queried Corrupt(V) (with V ∈ pid_U^i) before a query of the form Send(U, i, ∗) or Send(U', j, ∗) where U' ∈ pid_U^i. Finally the adversary outputs a guess bit b'. Such an adversary is said to win the game if b = b', where b is the hidden bit used by the Test oracle. Let Succ denote the event that the adversary A wins the game for a protocol XP. We define Adv_{A,XP} := |2 Prob[Succ] − 1| to be the advantage of the adversary A in attacking the protocol XP. The protocol XP is said to be a secure unauthenticated group key agreement (KA) protocol if there is no polynomial time passive adversary with non-negligible advantage. We say that protocol XP is a secure authenticated group key agreement (AKA) protocol if there is no polynomial time active adversary with non-negligible advantage. Next we define the advantage functions.

Adv_XP^KA(t, q_E) := the maximum advantage of any passive adversary attacking protocol XP, running in time t and ma ▇▇▇▇ ▇▇ calls to the Execute oracle.
Adv_XP^AKA(t, q_E, q_J, q_L, q_S) := the maximum advantage of any active adversary attacking protocol XP, running in time t and m ▇▇▇▇▇ q_E calls to the Execute oracle, q_J calls to the Join oracle, q_L calls to the Leave oracle and q_S calls to the Send oracle.
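The freshness condition and the advantage definition above, as an added worked example that is not from the paper: a small Python harness records oracle queries in issue order, decides whether a Test query on an instance is allowed (Reveal on a partner, or Corrupt on a partner before a Send, makes it not fresh; Corrupt only after the Sends does not), and estimates |2 Prob[Succ] − 1| for two constructed adversaries in the Test game. The query logs, the partner set {A, B, C} and both adversaries are constructed for illustration.

```python
import random
from dataclasses import dataclass
from typing import Callable, List, Set

@dataclass(frozen=True)
class Query:
    kind: str        # "Send", "Execute", "Join", "Leave", "Reveal" or "Corrupt"
    user: str = ""   # U for Send/Reveal/Corrupt (Execute/Join/Leave need no user here)
    inst: int = -1   # instance index i; not needed for Corrupt

def is_fresh(log: List[Query], pid: Set[str]) -> bool:
    """Freshness of an instance whose partner identity is pid (pid contains the
    instance's own user U). Not fresh if (a) Reveal was asked on any instance of
    a user in pid, or (b) Corrupt(V) with V in pid was asked before some Send to
    an instance of a user in pid. Corrupt only after all such Sends leaves the
    instance fresh: the weak-corruption (forward secrecy) rule of the model."""
    sends = [p for p, q in enumerate(log) if q.kind == "Send" and q.user in pid]
    for p, q in enumerate(log):
        if q.kind == "Reveal" and q.user in pid:
            return False
        if q.kind == "Corrupt" and q.user in pid and any(s > p for s in sends):
            return False
    return True

# Constructed query logs for the session of instance Pi_A^1 with partners B and C.
PID = {"A", "B", "C"}
LOG_REVEAL_PARTNER = [Query("Execute"), Query("Reveal", "B", 2)]
LOG_CORRUPT_BEFORE_SEND = [Query("Corrupt", "B"), Query("Send", "A", 1)]
LOG_CORRUPT_AFTER_SEND = [Query("Send", "A", 1), Query("Send", "B", 2),
                          Query("Corrupt", "B")]
LOG_UNRELATED_REVEAL = [Query("Execute"), Query("Reveal", "D", 7)]

def advantage(prob_success: float) -> float:
    """Adv_{A,XP} := |2 Prob[Succ] - 1|: 0 for coin flipping, 1 for a perfect guesser."""
    return abs(2 * prob_success - 1)

Adversary = Callable[[bytes, bytes], int]   # (sk, key handed out by Test) -> guess b'

def empirical_advantage(adv: Adversary, trials: int, seed: int = 0) -> float:
    """Play the Test game `trials` times with a fixed seed: draw b, hand the
    adversary sk (b = 1) or a fresh random key (b = 0), count wins b' = b."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        sk = rng.randbytes(16)
        b = rng.randrange(2)
        shown = sk if b == 1 else rng.randbytes(16)
        wins += int(adv(sk, shown) == b)
    return advantage(wins / trials)

def bit_guesser(_sk: bytes, shown: bytes) -> int:
    """Knows nothing about sk: a guess from the shown key's bits is a coin flip."""
    return shown[0] & 1

def key_knower(sk: bytes, shown: bytes) -> int:
    """Knows sk, as after a Reveal on a partner (which freshness forbids): always right."""
    return 1 if shown == sk else 0
```

The key-knowing adversary reaches advantage 1, which is exactly why Test is restricted to fresh instances; the uninformed one stays near 0.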