
SoK: Game-Based Security Models for Group Key Exchange

  • Conference paper
Topics in Cryptology – CT-RSA 2021 (CT-RSA 2021)

Abstract

Group key exchange (GKE) protocols let a group of users jointly establish fresh and secure key material. Many flavors of GKE have been proposed, differentiated by, among others, whether group membership is static or dynamic, whether a single key or a continuous stream of keys is established, and whether security is provided in the presence of state corruptions (forward and post-compromise security). In all cases, an indispensable ingredient to the rigorous analysis of a candidate solution is a corresponding formal security model. We observe, however, that most GKE-related publications are more focused on building new constructions that have more functionality or are more efficient than prior proposals, while leaving the job of identifying and working out the details of adequate security models a subordinate task.

In this systematization of knowledge we bring the formal modeling of GKE security to the fore by revisiting the intuitive goals of GKE, critically evaluating how these goals are reflected (or not) in the established models, and how they would be best considered in new models. We classify and compare characteristics of a large selection of game-based GKE models that appear in the academic literature, including those proposed for GKE with post-compromise security. We observe a range of shortcomings in some of the studied models, such as dependencies on overly restrictive syntactical constraints, unrealistic adversarial capabilities, or simply incomplete definitions. Our systematization enables us to identify a coherent suite of desirable characteristics that we believe should be represented in all general-purpose GKE models. To demonstrate the feasibility of covering all these desirable characteristics simultaneously in one concise definition, we conclude by proposing a new generic reference model for GKE.

The full version [PRSS21] of this article is available as entry 2021/305 in the IACR eprint archive.


Notes

  1. CRYPTO, Eurocrypt, Asiacrypt, CCS, S&P, Usenix Security, and the Journal of Cryptology.

  2. TCC, PKC, CT-RSA, ACNS, ESORICS, CANS, ARES, ProvSec, FC.

  3. We appreciate that many more publications introduce other GKE constructions (e.g., [BC04, ABCP06, JKT07, JL07, Man09, NS11, XHZ15, BDR20]). However, we did not find that they contribute new insights to the modeling of GKE.

  4. Since our analysis started before [ACDT20] was submitted to CRYPTO 2020, we consider a fixed preprint version [ACDT19] here. Note that the two follow-up works [ACJM20, AJM20] use simulation-based security models.

  5. We further clarify the relation between local instances and parties, and their participation in sessions, in the full version [PRSS21].

  6. Surprisingly, this holds even for models that appeared in close succession in publications of the same authors.

  7. The case of [ACC+19] is somewhat special: while their syntax in principle allows parties to operate multiple instances, their security definition reduces this to strictly one instance per party. For their application (secure instant messaging) this is not a limitation, as parties are short-lived and created ad hoc to participate in only a single session.

  8. In continuation of Footnote 7: the case of [ACC+19] is special in that the requirement is an ephemeral asymmetric key, that is, a public key that is generated ad hoc and used only once.

  9. Consider, for instance, that situations stemming from participants concurrently performing conflicting operations might have to be resolved, as do cases where participants become temporarily unavailable without notice.

  10. In some cases, however, it seems feasible to reverse-engineer some information about an assumed syntax from the security reductions also contained in the corresponding works.

  11. Although \(\mathrm {exec}\) and \(\mathrm {proc}\) could implicitly initialize the state internally, we treat the state initialization explicitly for reasons of clarity.

  12. \(\mathcal {P}(\mathcal {X})\) denotes the powerset of \(\mathcal {X}\).

  13. During the research for this article, we found two recent papers’ security definitions for two-party authenticated key exchange that, due to reusing the partnering definition for multiple purposes, cannot be fulfilled: Li and Schäge [LS17] and Cohn-Gordon et al. [CCG+19] both require, in their papers’ proceedings versions, for authentication that an instance only computes a key if there exists a partner instance that also computed the key (which is impossible, as not all/both participants compute the key simultaneously). Still, the underlying partnering concept suffices for detecting reveals and challenges of the same key (between partnered instances).

  14. Note that every manipulated bit in the transcript (including signatures or MAC tags themselves) dissolves partnering.

  15. Moreover, in [BCP02b, ACC+19], party secrets cannot be derived via state exposures. Although [ACC+19] allow the exposure of instance states, their syntax, strictly speaking, does not have a method for using party secrets in the protocol execution, even though their construction makes use of them (violating the syntax definition).

  16. Note, for example, that post-compromise security is rather irrelevant for short-lived static GKE protocols.
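The two partnering observations in Footnotes 13 and 14 are easy to miss when only stated in prose, so here is an added worked example (not code from the paper, and not the paper's reference model) of the bookkeeping a game-based key-exchange experiment performs. It assumes a transcript-based partnering predicate (two accepted instances are partners iff their transcripts are bit-identical), a toy key derivation that simply hashes the transcript, and the usual freshness rule that forbids a Test challenge on a key already obtained through Reveal at the instance itself or at a partner. The names `Instance`, `Game`, `session_id` and `run_demo` are this example's own. It shows (a) that the first instance to accept has no partner yet, which is why an authentication definition of the form "accepts only if a partner has accepted" cannot be met, (b) that flipping one bit of one message dissolves partnering for that instance, and (c) that Reveal and Test on the same key are caught in both orders.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Instance:
    """One local protocol instance: a party's view of a single session."""
    party: str
    transcript: List[bytes] = field(default_factory=list)  # messages in delivery order
    key: Optional[bytes] = None   # set once the instance accepts
    revealed: bool = False        # adversary issued Reveal here
    tested: bool = False          # adversary issued Test here


def session_id(inst: Instance) -> bytes:
    """Assumed session identifier: hash of the length-prefixed transcript."""
    h = hashlib.sha256()
    for m in inst.transcript:
        h.update(len(m).to_bytes(4, "big") + m)
    return h.digest()


def partnered(a: Instance, b: Instance) -> bool:
    """Distinct accepted instances are partners iff their transcripts match bit for bit."""
    return (a is not b and a.key is not None and b.key is not None
            and session_id(a) == session_id(b))


def derive_key(inst: Instance) -> bytes:
    # Constructed toy derivation (not a real GKE protocol): it only guarantees that
    # partnered instances hold equal keys so the Reveal/Test bookkeeping can be exercised.
    return hashlib.sha256(b"toy-gke-key" + session_id(inst)).digest()


class Game:
    """Reveal/Test bookkeeping with a partnering-based freshness rule."""

    def __init__(self) -> None:
        self.instances: List[Instance] = []

    def new_instance(self, party: str) -> Instance:
        inst = Instance(party)
        self.instances.append(inst)
        return inst

    def deliver(self, inst: Instance, msg: bytes) -> None:
        inst.transcript.append(msg)

    def accept(self, inst: Instance) -> None:
        inst.key = derive_key(inst)

    def partners(self, inst: Instance) -> List[Instance]:
        return [o for o in self.instances if partnered(inst, o)]

    def reveal(self, inst: Instance) -> Optional[bytes]:
        if inst.key is not None:
            inst.revealed = True
        return inst.key

    def fresh(self, inst: Instance) -> bool:
        """Accepted, not revealed itself, and no partner revealed."""
        if inst.key is None or inst.revealed:
            return False
        return not any(o.revealed for o in self.partners(inst))

    def test(self, inst: Instance) -> bytes:
        if not self.fresh(inst):
            raise ValueError("Test refused: key already revealed at this instance or a partner")
        inst.tested = True
        return inst.key  # a real game would return the real key or a random one by a hidden bit

    def challenge_valid(self) -> bool:
        """Checked when the adversary guesses: every tested instance must still be fresh."""
        return all(self.fresh(i) for i in self.instances if i.tested)


def run_demo() -> Dict[str, object]:
    out: Dict[str, object] = {}
    g = Game()
    a, b, c = (g.new_instance(p) for p in "ABC")
    msgs = [b"A:nonce-1", b"B:nonce-2", b"C:nonce-3"]  # constructed broadcast round
    for inst in (a, b, c):
        for m in msgs:
            g.deliver(inst, m)
    g.accept(a)                                   # A finishes first ...
    out["partners_of_a_at_acceptance"] = len(g.partners(a))  # ... and has no partner yet
    g.accept(b)
    g.accept(c)
    out["partners_of_a_after_all_accept"] = len(g.partners(a))
    last = c.transcript[2]                        # flip one bit in C's copy of one message
    c.transcript[2] = bytes([last[0] ^ 0x01]) + last[1:]
    c.key = derive_key(c)
    out["c_partnered_with_a_after_bitflip"] = partnered(a, c)
    out["a_b_still_partnered"] = partnered(a, b)
    g.reveal(a)                                   # Reveal at A, then Test at partner B
    try:
        g.test(b)
        out["test_after_partner_reveal_allowed"] = True
    except ValueError:
        out["test_after_partner_reveal_allowed"] = False
    g2 = Game()                                   # other order: Test first, Reveal later
    d, e = (g2.new_instance(p) for p in "DE")
    for inst in (d, e):
        for m in msgs:
            g2.deliver(inst, m)
    g2.accept(d)
    g2.accept(e)
    g2.test(d)
    out["challenge_valid_before_reveal"] = g2.challenge_valid()
    g2.reveal(e)
    out["challenge_valid_after_partner_reveal"] = g2.challenge_valid()
    return out
```

The end-of-game `challenge_valid` check is what makes the second order harmless: the Reveal query itself is answered, but the adversary's guess is discarded because the tested key was trivially obtained. Real models differ in whether freshness is evaluated at query time, at the end, or both, which is one of the modeling choices the paper compares.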

References

  1. Abdalla, M., Bresson, E., Chevassut, O., Pointcheval, D.: Password-based group key exchange in a constant number of rounds. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T. (eds.) PKC 2006. LNCS, vol. 3958, pp. 427–442. Springer, Heidelberg (2006). https://doi.org/10.1007/11745853_28

  2. Alwen, J., et al.: Keep the dirt: tainted TreeKEM, an efficient and provably secure continuous group key agreement protocol. Cryptology ePrint Archive, Report 2019/1489 (2019). https://eprint.iacr.org/2019/1489. Accessed 13 Feb 2020

  3. Alwen, J., Coretti, S., Dodis, Y., Tselekounis, Y.: Security analysis and improvements for the IETF MLS standard for group messaging. Cryptology ePrint Archive, Report 2019/1189 (2019). https://eprint.iacr.org/2019/1189. Accessed 13 Feb 2020

  4. Alwen, J., Coretti, S., Dodis, Y., Tselekounis, Y.: Security analysis and improvements for the IETF MLS standard for group messaging. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020, Part I. LNCS, vol. 12170, pp. 248–277. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56784-2_9

  5. Alwen, J., Coretti, S., Jost, D., Mularczyk, M.: Continuous group key agreement with active security. Cryptology ePrint Archive, Report 2020/752 (2020). https://eprint.iacr.org/2020/752

  6. Alwen, J., Jost, D., Mularczyk, M.: On the insider security of MLS. Cryptology ePrint Archive, Report 2020/1327 (2020). https://eprint.iacr.org/2020/1327

  7. Barnes, R., Beurdouche, B., Millican, J., Omara, E., Cohn-Gordon, K., Robert, R.: The messaging layer security (MLS) protocol. Technical report (2020). https://datatracker.ietf.org/doc/draft-ietf-mls-protocol/

  8. Bresson, E., Catalano, D.: Constant round authenticated group key agreement via distributed computation. In: Bao, F., Deng, R., Zhou, J. (eds.) PKC 2004. LNCS, vol. 2947, pp. 115–129. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24632-9_9

  9. Bresson, E., Chevassut, O., Pointcheval, D.: Provably authenticated group Diffie-Hellman key exchange — the dynamic case. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 290–309. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45682-1_18

  10. Bresson, E., Chevassut, O., Pointcheval, D.: Dynamic group Diffie-Hellman key exchange under standard assumptions. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 321–336. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_21

  11. Bresson, E., Chevassut, O., Pointcheval, D.: Group Diffie-Hellman key exchange secure against dictionary attacks. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 497–514. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-36178-2_31

  12. Bresson, E., Chevassut, O., Pointcheval, D., Quisquater, J.-J.: Provably authenticated group Diffie-Hellman key exchange. In: Reiter, M.K., Samarati, P. (eds.) ACM CCS 2001, pp. 255–264. ACM Press, November 2001

  13. Burmester, M., Desmedt, Y.: A secure and efficient conference key distribution system. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 275–286. Springer, Heidelberg (1995). https://doi.org/10.1007/BFb0053443

  14. Burmester, M., Desmedt, Y.: A secure and scalable group key exchange system. Inf. Process. Lett. 94(3), 137–143 (2005)

  15. Bienstock, A., Dodis, Y., Rösler, P.: On the price of concurrency in group ratcheting protocols. In: Pass, R., Pietrzak, K. (eds.) TCC 2020, Part II. LNCS, vol. 12551, pp. 198–228. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64378-2_8

  16. Brzuska, C., Fischlin, M., Warinschi, B., Williams, S.C.: Composability of Bellare-Rogaway key exchange protocols. In: Chen, Y., Danezis, G., Shmatikov, V. (eds.) ACM CCS 2011, pp. 51–62. ACM Press, October 2011

  17. Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48329-2_21

  18. Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. In: 42nd FOCS, pp. 136–145. IEEE Computer Society Press, October 2001

  19. Cohn-Gordon, K., Cremers, C., Garratt, L., Millican, J., Milner, K.: On ends-to-ends encryption: asynchronous group messaging with strong security guarantees. In: Lie, D., Mannan, M., Backes, M., Wang, X. (eds.) ACM CCS 2018, pp. 1802–1819. ACM Press, October 2018

  20. Cohn-Gordon, K., Cremers, C., Gjøsteen, K., Jacobsen, H., Jager, T.: Highly efficient key exchange protocols with optimal tightness. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019, Part III. LNCS, vol. 11694, pp. 767–797. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26954-8_25

  21. Gorantla, M.C., Boyd, C., González Nieto, J.M.: Modeling key compromise impersonation attacks on group key exchange protocols. In: Jarecki, S., Tsudik, G. (eds.) PKC 2009. LNCS, vol. 5443, pp. 105–123. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-00468-1_7

  22. Ingemarsson, I., Tang, D., Wong, C.: A conference key distribution system. IEEE Trans. Inf. Theory 28(5), 714–720 (1982)

  23. Jarecki, S., Kim, J., Tsudik, G.: Group secret handshakes or affiliation-hiding authenticated group key agreement. In: Abe, M. (ed.) CT-RSA 2007. LNCS, vol. 4377, pp. 287–308. Springer, Heidelberg (2006). https://doi.org/10.1007/11967668_19

  24. Jarecki, S., Liu, X.: Unlinkable secret handshakes and key-private group key management schemes. In: Katz, J., Yung, M. (eds.) ACNS 2007. LNCS, vol. 4521, pp. 270–287. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-72738-5_18

  25. Jaeger, J., Stepanovs, I.: Optimal channel security against fine-grained state compromise: the safety of messaging. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018, Part I. LNCS, vol. 10991, pp. 33–62. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1_2

  26. Kim, H.-J., Lee, S.-M., Lee, D.H.: Constant-round authenticated group key exchange for dynamic groups. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 245–259. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-30539-2_18

  27. Katz, J., Shin, J.S.: Modeling insider attacks on group key-exchange protocols. In: Atluri, V., Meadows, C., Juels, A. (eds.) ACM CCS 2005, pp. 180–189. ACM Press, November 2005

  28. Katz, J., Yung, M.: Scalable protocols for authenticated group key exchange. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 110–125. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_7

  29. Li, Y., Schäge, S.: No-match attacks and robust partnering definitions: defining trivial attacks for security protocols is not trivial. In: Thuraisingham, B.M., Evans, D., Malkin, T., Xu, D. (eds.) ACM CCS 2017, pp. 1343–1360. ACM Press, October/November 2017

  30. Manulis, M.: Group key exchange enabling on-demand derivation of peer-to-peer keys. In: Abdalla, M., Pointcheval, D., Fouque, P.-A., Vergnaud, D. (eds.) ACNS 2009. LNCS, vol. 5536, pp. 1–19. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-01957-9_1

  31. Neupane, K., Steinwandt, R.: Communication-efficient 2-round group key establishment from pairings. In: Kiayias, A. (ed.) CT-RSA 2011. LNCS, vol. 6558, pp. 65–76. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19074-2_5

  32. Poettering, B., Rösler, P.: Asynchronous ratcheted key exchange. Cryptology ePrint Archive, Report 2018/296 (2018). https://eprint.iacr.org/2018/296

  33. Poettering, B., Rösler, P.: Towards bidirectional ratcheted key exchange. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018, Part I. LNCS, vol. 10991, pp. 3–32. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1_1

  34. Poettering, B., Rösler, P., Schwenk, J., Stebila, D.: SoK: game-based security models for group key exchange. Cryptology ePrint Archive, Report 2021/305 (2021). https://eprint.iacr.org/2021/305

  35. Rösler, P., Mainka, C., Schwenk, J.: More is less: on the end-to-end security of group chats in Signal, WhatsApp, and Threema. In: 2018 IEEE European Symposium on Security and Privacy (EuroS&P), pp. 415–429. IEEE (2018)

  36. Shoup, V.: On formal models for secure key exchange. Technical report RZ 3120, IBM (1999)

  37. Xu, J., Hu, X.-X., Zhang, Z.-F.: Round-optimal password-based group key exchange protocols in the standard model. In: Malkin, T., Kolesnikov, V., Lewko, A.B., Polychronakis, M. (eds.) ACNS 2015. LNCS, vol. 9092, pp. 42–61. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-28166-7_3

  38. Yang, Z., Khan, M., Liu, W., He, J.: On security analysis of generic dynamic authenticated group key exchange. In: Gruschka, N. (ed.) NordSec 2018. LNCS, vol. 11252, pp. 121–137. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03638-6_8


Acknowledgments

We thank the reviewers of CT-RSA 2021 for their detailed and helpful comments. B.P. was supported by the European Union’s Horizon 2020 Research and Innovation Programme under Grant Agreement No. 786725 – OLYMPUS. P.R. was supported by the research training group “Human Centered Systems Security” (NERD.NRW) sponsored by the state of North-Rhine Westphalia. D.S. was supported by Natural Sciences and Engineering Research Council of Canada (NSERC) Discovery grant RGPIN-2016-05146 and NSERC Discovery Accelerator Supplement grant RGPIN-2016-05146.

Author information

Corresponding author: Paul Rösler.


Copyright information

© 2021 Springer Nature Switzerland AG

About this paper


Cite this paper

Poettering, B., Rösler, P., Schwenk, J., Stebila, D. (2021). SoK: Game-Based Security Models for Group Key Exchange. In: Paterson, K.G. (ed.) Topics in Cryptology – CT-RSA 2021. CT-RSA 2021. Lecture Notes in Computer Science, vol. 12704. Springer, Cham. https://doi.org/10.1007/978-3-030-75539-3_7


  • DOI: https://doi.org/10.1007/978-3-030-75539-3_7


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-75538-6

  • Online ISBN: 978-3-030-75539-3

  • eBook Packages: Computer Science (R0)
