TCC 2006 Research on Password-Authenticated Group Key Exchange Jeong Ok Kwon, Ik Rae Jeong, and Dong Hoon Lee (CIST, Korea Univ.) Kouchi Sakurai (Kyushu Univ.) March 5, 2006
Motivation
A fundamental problem in cryptography is how to communicate securely over an insecure channel. (Figure: two parties holding a shared session key sk, which gives them data privacy and integrity.)
Motivation
How can we obtain a secret session key?
- Public-key encryption or signatures: the cost (certified long-term keys and the infrastructure that manages them) is too high for certain applications.
- Password-Authenticated Key Exchange (PAKE): lets the specified parties share a secret key using just a human-memorable password.
  - convenience, mobility, and fewer hardware requirements
  - no security infrastructure needed
Classification of PAKE (figure)
Our research topic on PAKE: Password-Authenticated Group Key Exchange (PAGKE)
PAGKE: Setting
A broadcast group consisting of a set of users:
- each user holds a low-entropy secret, the password pw
(Figure: a group whose members share pw and establish a common session key sk.)
Previous Works
Efficient Password-Based Group Key Exchange (TrustBus 2004), S. M. Lee, J. Y. Hwang, and D. H. Lee:
- a provably secure constant-round PAGKE protocol
- forward-secure and secure against known-key attacks
- ideal-cipher and ideal-hash assumptions
Password-based Group Key Exchange in a Constant Number of Rounds (PKC 2006), M. Abdalla, E. Bresson, O. Chevassut, and D. Pointcheval:
- a provably secure constant-round PAGKE protocol
- secure against known-key attacks
- ideal-cipher and ideal-hash assumptions
Our Goal
The focus of this work is to provide a provably secure constant-round PAGKE protocol without relying on the random oracle model (i.e. in the standard model).
Preliminaries for the protocol
Public information:
- p: a safe prime, p = 2q + 1
- G: a finite cyclic group of prime order q
- g_1, g_2: generators of G
- H: a one-way hash function
- F: a pseudorandom function family
Burmester and Desmedt's Protocol
(Figure: the two-round broadcast protocol among users U1, U2, U3, U4; rounds R1 and R2.)
M. Burmester and Y. Desmedt, A Secure and Efficient Conference Key Distribution System, Proc. EUROCRYPT '94.
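The slide only shows the Burmester-Desmedt (BD) message flow as a figure, so here is the plain two-round BD exchange written out as an added example. This is not code from the talk or the paper, and it is the unauthenticated base protocol only; the password authentication and the PRF-based key derivation that the proposed PAGKE protocol adds on top of it are not reproduced here. The group parameters are an assumption chosen for readability, not security: a toy safe prime p = 1019 with q = 509, and g = 4, a quadratic residue mod p and therefore a generator of the order-q subgroup. Every user picks a random exponent, broadcasts g^{r_i}, then broadcasts the ratio of its neighbours' values raised to its exponent; the telescoping product in derive_key gives all n users the same key g^{r_1 r_2 + r_2 r_3 + ... + r_n r_1}.

```python
# Added example: unauthenticated two-round Burmester-Desmedt group key exchange.
# Assumed toy parameters (not secure sizes): safe prime p = 2q + 1 with
# p = 1019, q = 509, and g = 4 (a QR mod p, so it generates the order-q subgroup).
import secrets

P = 1019
Q = (P - 1) // 2
G = 4


def _is_prime(n):
    """Trial division; adequate for the toy parameters above."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


# Sanity checks on the assumed parameters: p is a safe prime and g has order q.
assert _is_prime(P) and _is_prime(Q)
assert G != 1 and pow(G, Q, P) == 1


def round1(n, rng=secrets.randbelow):
    """Round 1: each user U_i picks r_i in [1, q-1] and broadcasts z_i = g^{r_i} mod p."""
    r = [rng(Q - 1) + 1 for _ in range(n)]
    z = [pow(r_i_pub := G, r_i, P) for r_i in r]
    return r, z


def round2(r, z):
    """Round 2: each user U_i broadcasts X_i = (z_{i+1} / z_{i-1})^{r_i} mod p (indices mod n)."""
    n = len(z)
    X = []
    for i in range(n):
        # pow(x, -1, P) is the modular inverse (Python 3.8+); z_i is in the group, so it is invertible.
        quotient = z[(i + 1) % n] * pow(z[(i - 1) % n], -1, P) % P
        X.append(pow(quotient, r[i], P))
    return X


def derive_key(i, r_i, z, X):
    """U_i computes K = z_{i-1}^{n*r_i} * X_i^{n-1} * X_{i+1}^{n-2} * ... * X_{i-2}^{1} mod p.

    Writing a_j = r_j * r_{j+1}, we have X_j = g^{a_j - a_{j-1}}, so the exponents
    telescope and every term a_j ends up with coefficient exactly 1.
    """
    n = len(z)
    K = pow(z[(i - 1) % n], n * r_i, P)
    for j in range(1, n):
        K = K * pow(X[(i + j - 1) % n], n - j, P) % P
    return K


def expected_key(r):
    """The value honest users agree on: g^{r_1 r_2 + r_2 r_3 + ... + r_n r_1} mod p."""
    n = len(r)
    e = sum(r[i] * r[(i + 1) % n] for i in range(n)) % Q
    return pow(G, e, P)


def run_bd(n, rng=secrets.randbelow):
    """Simulate n users on a broadcast channel; return each user's key and the reference value."""
    r, z = round1(n, rng)
    X = round2(r, z)
    keys = [derive_key(i, r[i], z, X) for i in range(n)]
    return keys, expected_key(r)


if __name__ == "__main__":
    keys, ref = run_bd(4)
    print("per-user keys:", keys)
    print("all users agree:", len(set(keys)) == 1 and keys[0] == ref)
```

Because nothing in this exchange binds the broadcast values to the users' password, an active attacker on the broadcast channel can substitute its own z_i and X_i values; that is exactly the gap a PAGKE protocol closes, which is why the slides treat BD as the starting point rather than the result.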
Protocol
(Figure: the proposed two-round protocol among users U1, U2, U3, U4; rounds R1 and R2.)
Security Measurement
Security theorem (the advantage bound is given in the slide figure), where t is the maximum total game time, including the adversary's running time; the adversary makes q_ex Execute queries and q_se Send queries; n is the upper bound on the number of parties in the game; N_s is the upper bound on the number of sessions the adversary creates; and |PW| is the size of the password space.
Under the intractability assumption of the DDH problem, and if F is a secure pseudorandom function family, the proposed protocol is secure against dictionary attacks and known-key attacks, and provides forward secrecy.