
A new strong security model for stateful authenticated group key exchange

  • Regular Contribution
  • International Journal of Information Security

Abstract

Stateful authenticated group key exchange (stAGKE) represents an important class of authenticated group key exchange (AGKE), such as tree-based AGKE. In a new stAGKE session, the computation of either the ephemeral public key or the session key may depend on the ephemeral secret state of some previously established session. We observe that earlier AGKE models may not be able to provide appropriate security arguments for stAGKE. In this work, a new model is proposed for stAGKE that formulates its security properties, in particular resistance to leakage attacks on ephemeral keys. Of independent interest, the new model is also flexible: it can be used to analyze either stateless or stateful AGKE protocols. We show the validity of our model by introducing a new tree-based protocol construction for stAGKE. The proposed scheme is proven secure in our new model without random oracles.


Notes

  1. The process oracle may be called just an oracle for short.

  2. The variable \(\varPi ^s_{\mathsf {id}_i,\text {SO}}\) stores all oracles which contribute to the initiation state of the oracle \(\pi ^s_{\mathsf {id}_i}\). The variable \(\varPi ^s_{\mathsf {id}_i,\text {IO}}\) stores all oracles which have the same initiation state as the oracle \(\pi ^s_{\mathsf {id}_i}\).

  3. All oracles in \(\varPi ^s_{\mathsf {id}_i,\text {SO}}\) may contribute to the initialization state of \(\pi ^s_{\mathsf {id}_i}\). Thus, we require that all oracles in \(\varPi ^s_{\mathsf {id}_i,\text {SO}}\) be fresh.

  4. The oracle \(\pi ^s_{\mathsf {id}_i}\) may have matching sessions at different parties, but it is allowed at most one matching session at any single party. This prevents active attacks such as known session key attacks.

  5. A similar idea can be found in [31].

  6. Ignore for the time being the (subscript) positions of the DH keys recorded in \(\mathsf {sid}^s_i\) of \(\pi ^s_{\mathsf {id}_i}\). In the following modification we need to distinguish the DH keys generated by the oracle \(\pi ^s_{\mathsf {id}_i}\) from the DH keys it received, even though the DH keys of \(\pi ^s_{\mathsf {id}_i}\) may be located at a position in \(\mathsf {sid}^s_{\mathsf {id}_i}\) other than the first.

References

  1. Akavia, A., Goldwasser, S., Vaikuntanathan, V.: Simultaneous hardcore bits and cryptography against memory attacks. In: Proceedings of the 6th Theory of Cryptography Conference, pp. 474–495 (2009)

  2. Alawatugoda, J., Boyd, C., Stebila, D.: Continuous after-the-fact leakage-resilient key exchange. In: Proceedings of the 19th Australasian Conference on Information Security and Privacy, pp. 258–273 (2014)

  3. Alawatugoda, J., Stebila, D., Boyd, C.: Modelling after-the-fact leakage for key exchange. In: Proceedings of the 9th ACM Symposium on Information, Computer and Communications Security, pp. 207–216 (2014)

  4. Barua, R., Dutta, R., Sarkar, P.: Extending Joux’s protocol to multi party key agreement. In: Proceedings of the 4th International Conference on Cryptology in India—INDOCRYPT 2003, pp. 205–217 (2003)

  5. Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: Proceedings of Advances in Cryptology—CRYPTO’93, pp. 232–249 (1994)

  6. Bellare, M., Rogaway, P.: The security of triple encryption and a framework for code-based game-playing proofs. In: Proceedings of the 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques—EUROCRYPT’06, pp. 409–426 (2006)

  7. Boneh, D., DeMillo, R.A., Lipton, R.J.: On the importance of checking cryptographic protocols for faults. In: Proceedings of Advances in Cryptology—EUROCRYPT’97, pp. 37–51 (1997)

  8. Brakerski, Z., Kalai, Y.T., Katz, J., Vaikuntanathan, V.: Overcoming the hole in the bucket: public-key cryptography resilient to continual memory leakage. In: Proceedings of the 51st Annual Symposium on Foundations of Computer Science, pp. 501–510 (2010)

  9. Brecher, T., Bresson, E., Manulis, M.: Fully robust tree-Diffie-Hellman group key exchange. In: Proceedings of the 8th International Conference on Cryptology and Network Security, pp. 478–497 (2009)

  10. Bresson, E., Chevassut, O., Pointcheval, D.: Provably authenticated group Diffie-Hellman key exchange—the dynamic case. In: Proceedings of Advances in Cryptology—ASIACRYPT 2001, pp. 290–309 (2001)

  11. Bresson, E., Chevassut, O., Pointcheval, D., Quisquater, J.-J.: Provably authenticated group Diffie-Hellman key exchange. In: Proceedings of the 8th Conference on Computer and Communications Security, pp. 255–264 (2001)

  12. Bresson, E., Manulis, M.: Securing group key exchange against strong corruptions. In: Proceedings of the 3rd ACM Symposium on Information, Computer and Communications Security, pp. 249–260 (2008)

  13. Burmester, M., Desmedt, Y.: A secure and efficient conference key distribution system. In: Proceedings of Advances in Cryptology—EUROCRYPT’94, pp. 275–286 (1995)

  14. Chen, Y.R., Tzeng, W.G.: Group key management with efficient rekey mechanism: a semi-stateful approach for out-of-synchronized members. Comput. Commun. 98, 31–42 (2017)


  15. Canetti, R., Krawczyk, H.: Analysis of key-exchange protocols and their use for building secure channels. In: Proceedings of Advances in Cryptology—EUROCRYPT 2001, pp. 453–474 (2001)

  16. Cremers, C., Feltz, M.: Beyond eCK: perfect forward secrecy under actor compromise and ephemeral-key reveal. In: Proceedings of the 17th European Symposium on Research in Computer Security, pp. 734–751 (2012)

  17. Desmedt, Y., Lange, T., Burmester, M.: Scalable authenticated tree based group key exchange for ad-hoc groups. In: Proceedings of the 11th International Conference on Financial Cryptography and Data Security, pp. 104–118 (2007)

  18. Dutta, R., Barua, R.: Dynamic group key agreement in tree-based setting. In: Proceedings of the 10th Australasian Conference on Information Security and Privacy, pp. 101–112 (2005)

  19. Fortino, G., Russo, W., Mastroianni, C., Palau, C.E., Esteve, M.: CDN-supported collaborative media streaming control. IEEE MultiMedia 14(2), 60–71 (2007)


  20. Fujioka, A., Manulis, M., Suzuki, K., Ustaoglu, B.: Sufficient condition for ephemeral key-leakage resilient tripartite key exchange. In: Proceedings of the 17th Australasian Conference on Information Security and Privacy, pp. 15–28 (2012)

  21. Gorantla, M.C., Boyd, C., Nieto, J.M.G.: Modeling key compromise impersonation attacks on group key exchange protocols. In: Proceedings of the 12th International Conference on Theory and Practice of Public Key Cryptography, pp. 105–123 (2009)

  22. He, S., Wu, Q., Qin, B., Liu, J., Li, Y.: Efficient group key management for secure big data in predictable large-scale networks. Concurr. Comput. Pract. Exp. 28(4), 1174–1192 (2016)


  23. Halderman, J.A., Schoen, S.D., Heninger, N., Clarkson, W., Paul, W., Calandrino, J.A., Feldman, A.J., Appelbaum, J., Felten, E.W.: Lest we remember: cold-boot attacks on encryption keys. Commun. ACM 52(5), 91–98 (2009)


  24. Jiang, S.: Group key agreement with local connectivity. IEEE Trans. Dependable Secur. Comput. 13(3), 326–339 (2016)


  25. Katz, J., Yung, M.: Scalable protocols for authenticated group key exchange. In: Proceedings of Advances in Cryptology—CRYPTO 2003, pp. 110–125 (2003)

  26. Kim, Y., Perrig, A., Tsudik, G.: Communication-efficient group key agreement. In: Proceedings of IFIP International Conference on Trusted Information, pp. 229–244 (2001)

  27. Kim, Y., Perrig, A., Tsudik, G.: Tree-based group key agreement. ACM Trans. Inf. Syst. Secur. 7(1), 60–96 (2004)


  28. Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. In: Proceedings of Advances in Cryptology—CRYPTO’99, pp. 388–397 (1999)

  29. Krawczyk, H.: HMQV: a high-performance secure Diffie-Hellman protocol. In: Proceedings of Advances in Cryptology—CRYPTO 2005, pp. 546–566 (2005)

  30. LaMacchia, B., Lauter, K., Mityagin, A.: Stronger security of authenticated key exchange. In: Proceedings of the 1st International Conference on Provable Security, pp. 1–16 (2007)

  31. Li, Y., Yang, Z.: Strongly secure one-round group authenticated key exchange in the standard model. In: Proceedings of the 12th International Conference on Cryptology and Network Security, pp. 122–138 (2013)

  32. Liao, L., Manulis, M.: Tree-based group key agreement framework for mobile ad-hoc networks. Future Gener. Comput. Syst. 23(6), 787–803 (2007)


  33. Manulis, M., Suzuki, K., Ustaoglu, B.: Modeling leakage of ephemeral secrets in tripartite/group key exchange. In: Proceedings of the 12th International Conference on Information Security and Cryptology, pp. 16–33 (2010)

  34. Shoup, V.: Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive: http://eprint.iacr.org/2004/332

  35. Sun, Y., Chen, M., Bacchus, A., Lin, X.: Towards collusion-attack-resilient group key management using one-way function tree. Comput. Netw. 104, 16–26 (2016)

  36. Vijayakumar, P., Naresh, R., Deborah, L.J., Islam, S.H.: An efficient group key agreement protocol for secure P2P communication. Secur. Commun. Netw. 9(17), 3952–3965 (2016)

  37. Yang, Z.: Towards modelling perfect forward secrecy for one-round group key exchange. Int. J. Netw. Sec. 18, 304–315 (2016)


  38. Yang, Z.: On constructing practical multi-recipient key-encapsulation with short ciphertext and public key. Secur. Commun. Netw. 8(18), 4191–4202 (2015)



Acknowledgements

This study was supported by National Natural Science Foundation of China (Grant Nos. 11647097, 11547148 and 61503052), Research Project of Humanities and Social Sciences of Ministry of Education of China (Grant Nos. 16YJC870018, 15YJC790061 and 16JDSZ2019) and Scientific and Technological Research Program of Chongqing Municipal Education Commission (Grant Nos. KJ1500918, KJ1600928 and KJ1600932)

Author information

Corresponding author

Correspondence to Zheng Yang.

Appendix: Proof of Theorem 1

In this section, we present the security proof of Theorem 1. We first consider the proof for \(\mathsf {3AKE}\). Then, we extend the proof to the general case of \(\mathsf {TrAGKE}\).

A.1 Proof for \(\mathsf {3AKE}\)

Generally speaking, the proof proceeds in a sequence of games, following the approach of [6, 34]. Let \(\mathsf {Adv}_\delta \) denote the advantage of \(\mathcal {A} \) winning in Game \({\delta }\). Unlike [31], we give a general proof reduction rather than a separate proof for each specific freshness case, which simplifies the proof somewhat.

Game 0. This is the original game played with an adversary \(\mathcal {A} \) who always chooses a test oracle executing a \(\mathsf {3AKE}\) protocol instance. The system parameters are chosen honestly by the challenger \(\mathcal {C}\) following the protocol specification. In particular, \(\mathcal {C}\) chooses four uniformly random values \(\{r_{j}\} \mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}\mathbb {Z}_p^*\) for \(0 \le j \le 3\) and sets \(u_{j}{:}{=}g^{r_{j}}\) as the public parameters. Thus, we have that

$$\begin{aligned} \epsilon _{\mathsf {3AKE}} = \mathsf {Adv}_{0}. \end{aligned}$$

Game 1. In this game, we add an abort condition. Namely, the challenger \(\mathcal {C}\) proceeds exactly as before, but it raises an event \(\mathsf {abort}_\mathsf {hash} \) and aborts if there exist two distinct (either ephemeral or long-term) public keys which result in the same hash value of \(\mathsf {TCRHF}\). Meanwhile, the probability that two oracles output the same ephemeral key is bounded by the birthday paradox. By the security property of the underlying hash function, the probability of a hash collision is bounded by \(\Pr [\mathsf {abort}_\mathsf {hash} ] \le \epsilon _{\mathsf {TCRHF}} \). Thus we have

$$\begin{aligned} \mathsf {Adv}_{\mathsf {0}} \le \mathsf {Adv}_{\mathsf {1}} + \frac{(\rho \ell )^2}{2^{\lambda }}+ \epsilon _{\mathsf {TCRHF}}. \end{aligned}$$

In this game, each oracle has at most one matching session at any party, since there is no collision among the generated ephemeral public keys.

Game 2. This game proceeds exactly as before, but the challenger raises an event \(\mathsf {abort}_\mathsf {sig} \) and aborts if the following condition holds: there exists a fresh oracle \(\pi _{\mathsf {id}_i}^s\) with intended communication partner \(\mathsf {id}_j\) such that

  • \(\pi _{\mathsf {id}_i}^s\) received a message \(m_{\mathsf {id}_j}\), and

  • no oracle \(\pi _{\mathsf {id}_j}^t\) has sent the message \(m_{\mathsf {id}_j}\),

  • but the signature received by \(\pi _{\mathsf {id}_i}^s\) that is computed over \(m_{\mathsf {id}_j}\) verifies correctly under the long-term public key \(pk^{sig}_{\mathsf {id}_j}\).

We claim that

$$\begin{aligned} \mathsf {Adv}_{\mathsf {1}} \le \mathsf {Adv}_{\mathsf {2}} + \Pr [\mathsf {abort}_\mathsf {sig} ]. \end{aligned}$$

If the event \(\mathsf {abort}_\mathsf {sig} \) happens with non-negligible probability, then we can construct a signature forger \(\mathcal {F}\) as follows. The forger \(\mathcal {F}\) receives as input a public key \(pk^*\), runs the adversary \(\mathcal {A} \) as a subroutine and simulates the challenger for \(\mathcal {A} \). It first guesses an index \(\theta \mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}[\ell ]\) pointing to the public key for which the adversary is able to forge, and sets \(pk^{sig}_{\mathsf {id}_\theta } = pk^*\). Next, \(\mathcal {F}\) generates all other long-term public/secret key pairs honestly, as the challenger did in the previous game. Then \(\mathcal {F}\) proceeds as the challenger in Game 2, except that it uses its signing oracle to generate signatures under \(pk^{sig}_{\mathsf {id}_\theta }\) for the oracles of the party \(\mathsf {id}_\theta \).

When \(\mathsf {abort}_\mathsf {sig} \) is raised, the adversary has forged a signature on behalf of an honest party \(\mathsf {id}_\theta \) before it is corrupted. If the simulator guessed the party \(\mathsf {id}_\theta \) correctly, which happens with probability at least \(1/\ell \), then \(\mathcal {F}\) can use the signature received by \(\pi _{\mathsf {id}_i}^s\) to break the SEUF-CMA security of the underlying signature scheme with success probability \(\epsilon _{\mathsf {SIG}}\). Hence \(\frac{\Pr [\mathsf {abort}_\mathsf {sig} ]}{\ell } \le \epsilon _{\mathsf {SIG}}\). Therefore, we have

$$\begin{aligned} \mathsf {Adv}_{\mathsf {1}} \le \mathsf {Adv}_{\mathsf {2}} + \ell \cdot \epsilon _{\mathsf {SIG}}. \end{aligned}$$

Note that, in this game, for each accepting fresh oracle \(\pi _{\mathsf {id}_i}^s\) with intended communication partner \(\mathsf {id}_j\), there always exists an oracle \(\pi _{\mathsf {id}_j}^t\) which has an origin session to \(\pi _{\mathsf {id}_i}^s\). This means the last condition in the freshness definition can never occur in this game. Thus, the messages received by the test oracle must come from its origin-oracles.

Game 3. This game proceeds as the previous game, but \(\mathcal {C}\) aborts if one of the following guesses fails: (i) the freshness case that occurs for the test oracle, out of all 14 possibilities (obtained by expanding the conditions related to \(\mathsf {EphemeralKeyReveal}\) and \(\mathsf {Corrupt}\) in the freshness definition), (ii) the test oracle, (iii) the intended communication partners of the test oracle, and (iv) all oracles (if they exist under the guessed freshness case) which have an origin session to the test oracle. Since there are 14 freshness cases to simulate, \(\ell \) parties in total and at most \(\rho \) oracles per party, the probability that all the above guesses of \(\mathcal {C}\) are correct is at least \(\frac{1}{14\rho ^3\ell ^3}\). Thus, we have that

$$\begin{aligned} \mathsf {Adv}_{\mathsf {2}} \le 14 (\rho \ell )^3 \cdot \mathsf {Adv}_{\mathsf {3}}. \end{aligned}$$

Game 4. Note that the freshness definition guarantees that, for our protocol, at least 3 of the Diffie–Hellman (DH) keys of the session participants of the fresh test oracle are not compromised by the adversary. We call the 3 guessed uncompromised DH keys the target DH keys. This game proceeds as the previous game, but the challenger \(\mathcal {C}\) replaces the key material \(k^s_{\mathsf {id}_i}\) with a random value \(\widetilde{k^s_i}\) for all oracles \(\{\pi ^s_{\mathsf {id}_i} : i \in [\ell ], s \in [\rho ]\}\) which satisfy the following conditions:

  • \(k^s_{\mathsf {id}_i}\) is computed from the 3 target DH keys guessed by \(\mathcal {C}\) for the test oracle, and

  • the target DH keys used by \(\pi ^s_{\mathsf {id}_i}\) come from 3 distinct parties.

Of course, if two oracles have matching sessions and both satisfy the above conditions, then we use the same modified random key material to generate the corresponding session key. The above two conditions ensure that the changed key material cannot be trivially computed by the adversary. This also enables us to embed the \(\mathsf {CBDDH}\) challenge instance into the simulation of all oracles satisfying the above conditions. The second condition excludes the situation in which all DH keys of some party are compromised, in which case the adversary can simply compute the session key.

If there exists an adversary \(\mathcal {A} \) that can distinguish Game 4 from Game 3, then we can use it to construct a distinguisher \(\mathcal {D}\) that solves the \(\mathsf {CBDDH}\) problem. Given a \(\mathsf {CBDDH}\) challenge instance \((g,{g^{\mu }},\varGamma ) \in \mathbb {G}^2 \times \mathbb {G}_T\), the goal of \(\mathcal {D}\) is to determine whether \(\varGamma =e(g,g)^{\mu ^{3}}\) or a random element of \(\mathbb {G}_T\), where g is a generator of \(\mathbb {G}\). Meanwhile, \(\mathcal {D}\) simulates the challenger for \(\mathcal {A}\) as in the previous game, but with the following modifications based on its guesses (if a guess is wrong it aborts). We highlight that, after all those correct guesses, \(\mathcal {D}\) knows the ‘distribution’ of all 3 uncompromised target DH keys among the honest parties and their oracles. Namely, \(\mathcal {D}\) knows which parties’ long-term keys are not corrupted (if any) and which oracles’ ephemeral keys are not revealed (if any) under the specific guessed freshness case. Let \(p(h) =\sum ^{3}_{j=0}p_{j} h^j=(h-h_{W_1})(h-h_{W_{2}})(h-h_{W_{3}})\) be the polynomial of degree 3 over \(\mathbb {Z}_p^*\) such that \(p(h_{W_1}) = p(h_{W_2})= p(h_{W_{3}})= 0\), where \(h_{W_j} = \mathsf {TCRHF}(W_j)\) for \(1\le j \le 3\) and each \(W_j\) is either an uncorrupted long-term key \(pk^{ke}_{j,1}\) or an uncompromised ephemeral key \(epk_{j,1}\) in the specific freshness case. Let \(q(h) = \sum ^{3}_{j=0}q_{j} h^j\) be a random polynomial of degree 3 over \(\mathbb {Z}_p^*\). We set \(u_{j}={g^{\mu }}^{p_{j}}g^{q_{j}}\) for \(0\le j \le 3\). Meanwhile, we plug the challenge value \(g^{\mu }\) into all 3 target uncompromised DH keys of the specific (guessed) freshness case, i.e., \(\mathcal {D}\) generates the DH key as \(W_j = g^{\mu r_{w_j}}\) where \(r_{w_j} \mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}\mathbb {Z}_p^*\). 
Moreover, let \(t_{W_j}\) be the tag (consistency proof) of \(W_j\), which is either \(epk_{j,2}\) or \(pk^{ke}_{j,2}\) depending on \(W_j\). Since \(p(h_{W_j}) = 0\), this tag is computed as \(t_{W_j} = W_j^{q(h_{W_j})}\). The remaining problem is to simulate the \(\mathsf {RevealKey}\) query and the \(\mathsf {Test}\) query correctly under the guessed freshness case.

Next, we discuss how to simulate the key material for any oracle \(\pi ^s_{\mathsf {id}_i}\) (\(i \in [\ell ], s\in [\rho ]\)), including the test oracle and its partner-oracles (if they exist) or its origin-oracles (if they exist). In the sequel, we let \((pk^{ke}_{1,1},pk^{ke}_{1,2},epk_{1,1},epk_{1,2})\) denote the values generated by the oracle \(\pi ^s_{\mathsf {id}_i}\) (for simplicity), and let \(\{pk^{ke}_{j,1},pk^{ke}_{j,2},epk_{j,1},epk_{j,2}\}_{2 \le j \le 3}\) denote the set of values received by the oracle \(\pi ^s_{\mathsf {id}_i}\) (see Note 6). We consider the following cases (which cover all possibilities) concerning the DH keys of \(\pi ^s_{\mathsf {id}_i}\):

  1. Case 1: the ephemeral key \(epk_{1,1}\) is generated from the challenge value \(g^{\mu }\).

  2. Case 2: the long-term key \(pk^{ke}_{1,1}\) is generated from the challenge value \(g^{\mu }\).

  3. Case 3: neither the long-term key \(pk^{ke}_{1,1}\) nor the ephemeral key \(epk_{1,1}\) is generated from the challenge value \(g^{\mu }\).

It is not hard to see that in Case 3 \(\mathcal {D}\) can simulate the key honestly according to the protocol specification. Thus, we only need to modify the oracles \(\pi ^s_{\mathsf {id}_i}\) under Case 1 and Case 2. In Case 1, \(sk^{ke}_1 \mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}\mathbb {Z}^*_p\) is chosen by \(\mathcal {D}\) as in the protocol specification, and \(epk_{1,1}\) is generated using the challenge value as \(epk_{1,1}{:}{=}g^{\mu r_{x_1}}\) where \(r_{x_1} \mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}\mathbb {Z}_p^*\). The tag \(epk_{1,2}\) is then computed as \(epk_{1,2}{:}{=}epk_{1,1}^{q(h_{epk_{1,1}})}\) with \(h_{epk_{1,1}} = \mathsf {TCRHF}(epk_{1,1})\). In Case 2, \(esk_1 \mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}\mathbb {Z}^*_p\) is chosen by \(\mathcal {D}\) and \(pk^{ke}_{1,1}\) is set as \(pk^{ke}_{1,1}{:}{=}g^{\mu r_{d_1}}\) where \(r_{d_1} \mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}\mathbb {Z}_p^*\). The tag \(pk^{ke}_{1,2}\) is computed as \(pk^{ke}_{1,2}{:}{=}{pk^{ke}_{1,1}}^{q(h_{pk^{ke}_{1,1}})}\) with \(h_{pk^{ke}_{1,1}} = \mathsf {TCRHF}(pk^{ke}_{1,1})\).

Let \(W_1\) denote the DH key generated by the oracle \(\pi ^s_{\mathsf {id}_i}\) such that \(W_1 \in \{pk^{ke}_{1,1},epk_{1,1}\}\) and \(W_1\) is generated using the challenge value as \(g^{\mu r_{w_1}}\), where \(r_{w_1} \in \{r_{x_1},r_{d_1}\}\) depending on \(W_1\). We further let \(\overline{W}_1=g^{\overline{w}_1}\) denote the other DH key generated by the oracle \(\pi ^s_{\mathsf {id}_i}\), i.e., \(\overline{W}_1 \in \{pk^{ke}_{1,1},epk_{1,1}\}\) is not generated using the challenge value. Writing \(W_1 = g^{w_1}\) with \(w_1 = \mu r_{w_1}\), we can rewrite the key material \(k^s_{\mathsf {id}_i}\) of the oracle \(\pi ^s_{\mathsf {id}_i}\) as

$$\begin{aligned} k^s_{\mathsf {id}_i}=&e(pk^{ke}_{2,1}epk_{2,1},pk^{ke}_{3,1}epk_{3,1})^{sk^{ke}_1+esk_1} \\ =&e(pk^{ke}_{2,1}epk_{2,1},pk^{ke}_{3,1}epk_{3,1})^{\overline{w}_1+w_1}\\ =&e(pk^{ke}_{2,1}epk_{2,1},pk^{ke}_{3,1}epk_{3,1})^{w_1}\cdot e(pk^{ke}_{2,1}epk_{2,1},pk^{ke}_{3,1}epk_{3,1})^{\overline{w}_1}. \end{aligned}$$

Since \(\overline{w}_1\) is chosen by \(\mathcal {D}\), it is able to compute the value

$$\begin{aligned} \alpha =e(pk^{ke}_{2,1} epk_{2,1},pk^{ke}_{3,1}epk_{3,1})^{\overline{w}_1}. \end{aligned}$$

For both of the above cases, we further consider the following two disjoint events, which cover all possibilities.

  • Event 1: First, we consider the event that every DH key tuple \((pk^{ke}_{j,1}, epk_{j,1})\) for \(2 \le j \le 3\) received by the oracle \(\pi ^s_{\mathsf {id}_i}\) contains one DH key that is computed using the challenge value \(g^{\mu }\). As all values recorded in \(\mathsf {sid}^s_{\mathsf {id}_i}\) are distinct, each received DH key tuple \((pk^{ke}_{j,1}, epk_{j,1})\) contains at most one DH key generated using the challenge value in this event. We let \(W_j=g^{\mu r_{w_j}}\) for \(2 \le j \le 3\) denote the DH key received by the oracle \(\pi ^s_{\mathsf {id}_i}\) such that \(W_j \in \{pk^{ke}_{j,1},epk_{j,1}\}\) is generated using the challenge value, and we let \(\overline{W}_j=g^{\overline{w}_j}\) for \(2 \le j \le 3\) denote the other received DH key, \(\overline{W}_j \in \{pk^{ke}_{j,1},epk_{j,1}\}\), which is not generated using the challenge value. In this event, \(\mathcal {D}\) can compute the key material \(k^s_{\mathsf {id}_i}\) using the value \(\varGamma \), the randomness \(r_{w_1}\), the values \(g^{\mu \overline{w}_j}\) extracted from the tags \(t_{\overline{W}_j}\), and bilinear map operations. To elaborate the simulation of \(k^s_{\mathsf {id}_i}\), we rewrite \(\beta {:}{=}e(pk^{ke}_{2,1}epk_{2,1},pk^{ke}_{3,1}epk_{3,1})^{w_1}\) as follows:

    $$\begin{aligned} \beta =&e(g^{\mu \overline{w}_2r_{w_1}},pk^{ke}_{3,1}epk_{3,1})\cdot e(W_2,pk^{ke}_{3,1}epk_{3,1})^{w_1}\\ =&e(g^{\mu \overline{w}_2r_{w_1}},pk^{ke}_{3,1}epk_{3,1})\cdot e(W_2,g^{\mu \overline{w}_3r_{w_1}})\cdot e(W_2,W_3)^{w_1}. \end{aligned}$$

    The above ‘expansion’ is only conceptual and is consistent with the original computation of \(\beta \). However, it enables us to embed the challenge value \(\varGamma \) into the key material \(k^s_{\mathsf {id}_i}\) and to compute \(k^s_{\mathsf {id}_i}\) without knowing \(w_1\). More specifically, we change \(\beta \) to \(\beta '\) by replacing the value \(e(W_2,W_3)^{w_1}\) in the above computation of \(\beta \) with the value \(\varGamma ^{r_{w_1} r_{w_2} r_{w_{3}}}\), and by computing the values \(g^{\mu \overline{w}_j}\) from the tags \(t_{\overline{W}_j}\) as \(g^{\mu \overline{w}_j}=(\frac{t_{\overline{W}_j}}{\overline{W}_j^{q(h_{\overline{W}_j})}})^{\frac{1}{p(h_{\overline{W}_j})}}\), where \(t_{\overline{W}_j} \in \{pk^{ke}_{j,2},epk_{j,2}\}\) and \(2 \le j \le 3\) (this is possible since \(p(h_{\overline{W}_j}) \ne 0\) for a non-target key). Finally, we compute the key material \(k^s_{\mathsf {id}_i}=\alpha \cdot \beta '\) and use it to compute the final session key of the oracle \(\pi ^s_{\mathsf {id}_i}\).

  • Event 2: Second, we consider the event that there exists a DH key tuple \((pk^{ke}_{j,1},epk_{j,1})\) (\(2 \le j \le 3\)) received by the oracle \(\pi ^s_{\mathsf {id}_i}\) in which neither key is generated using the challenge value \(g^{\mu }\). Then, in order to simulate the key material \(k^s_{\mathsf {id}_i}\), \(\mathcal {D}\) only needs to compute \(g^{\mu sk^{ke}_j}\) from the tag \(pk^{ke}_{j,2}\) (if \(pk^{ke}_{j,1}\) is chosen by the adversary, as otherwise \(\mathcal {D}\) knows the corresponding exponent \(sk^{ke}_j\)) as \({g^{\mu }}^{sk^{ke}_j}{:}{=} (\frac{pk^{ke}_{j,2}}{{pk^{ke}_{j,1}}^{q(h_{pk^{ke}_{j,1}})}})^{\frac{1}{p(h_{pk^{ke}_{j,1}})}}\), and to compute \(g^{\mu esk_j}\) from the tag \(epk_{j,2}\) as \({g^{\mu }}^{esk_j}{:}{=} (\frac{epk_{j,2}}{epk_{j,1}^{q(h_{epk_{j,1}})}})^{\frac{1}{p(h_{epk_{j,1}})}}\). Let \(\eta \in \{2,3\} \setminus \{j\}\) denote the index of the other received tuple. Thus, the key material is generated as \(k^s_{\mathsf {id}_i} = \alpha \cdot e({g^{\mu }}^{sk^{ke}_jr_{w_1}}{g^{\mu }}^{esk_jr_{w_1}},pk^{ke}_{\eta ,1}epk_{\eta ,1})\), which is consistent with the original form.

The remaining parts of the simulation proceed exactly as in the protocol specification. In a nutshell, \(\mathcal {D}\) is able to simulate all session keys appropriately by means of the tags of both the ephemeral keys and the long-term keys. If \(\varGamma = e(g,g)^{\mu ^{3}}\), then the simulation is exactly equivalent to the previous game; otherwise, it is equivalent to this game. By the \(\mathsf {CBDDH}\) assumption, we therefore obtain that

$$\begin{aligned} \mathsf {Adv}_{\mathsf {3}} \le \mathsf {Adv}_{\mathsf {4}} + \epsilon _{\mathsf {CBDDH}}. \end{aligned}$$
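The tag trick used by \(\mathcal {D}\) above (public parameters \(u_{j}={g^{\mu }}^{p_{j}}g^{q_{j}}\), tags \(t_W = W^{\mu p(h_W) + q(h_W)}\), and the extraction of \(g^{\mu w}\) from a non-target key's tag), worked through in a toy model as an added example that is not part of the paper. It assumes the prime-order subgroup of \(\mathbb {Z}_P^*\) for a 64-bit safe prime \(P\) in place of the pairing group \(\mathbb {G}\) (no pairing is needed for this part), SHA-256 reduced modulo the group order in place of \(\mathsf {TCRHF}\), and constructs the three target keys as \((g^{\mu })^{r_j}\) so that the simulator never sees \(\mu \).

```python
import hashlib
import random

MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)   # deterministic for n < 3.3e24

def is_prime(n):
    """Miller-Rabin with fixed bases; exact for the 64-bit candidates searched below."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for b in MR_BASES:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def find_safe_prime(start):
    """Smallest safe prime P = 2q + 1 with q >= start; q becomes the subgroup order."""
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1

P = find_safe_prime(1 << 62)   # toy stand-in for the pairing group G (no pairing needed here)
Q = (P - 1) // 2               # prime order of <G>; all exponents live in Z_Q
G = 4                          # 2^2 generates the order-Q subgroup of Z_P^*

def tcrhf(W):
    """Stand-in for TCRHF: hash a group element into Z_Q (constructed, not the paper's)."""
    return int.from_bytes(hashlib.sha256(W.to_bytes(16, "big")).digest(), "big") % Q

def poly_from_roots(roots):
    """Coefficients (lowest degree first) of prod_r (h - r) over Z_Q."""
    coeffs = [1]
    for r in roots:
        new = [0] * (len(coeffs) + 1)
        for j, c in enumerate(coeffs):
            new[j + 1] = (new[j + 1] + c) % Q   # c * h
            new[j] = (new[j] - c * r) % Q       # c * (-r)
        coeffs = new
    return coeffs

def poly_eval(coeffs, h):
    return sum(c * pow(h, j, Q) for j, c in enumerate(coeffs)) % Q

def simulator_setup(g_mu, target_keys, rng):
    """D's view: from g^mu and W_1..W_3 build u_j = (g^mu)^{p_j} g^{q_j}, p vanishing at the target hashes."""
    p = poly_from_roots([tcrhf(W) for W in target_keys])
    qc = [rng.randrange(Q) for _ in range(4)]
    u = [pow(g_mu, pj, P) * pow(G, qj, P) % P for pj, qj in zip(p, qc)]
    return u, p, qc

def honest_tag(u, W, w):
    """Protocol side: t_W = (prod_j u_j^{h_W^j})^w = W^{mu p(h_W) + q(h_W)}, from the public u_j only."""
    h = tcrhf(W)
    base = 1
    for j, uj in enumerate(u):
        base = base * pow(uj, pow(h, j, Q), P) % P
    return pow(base, w, P)

def simulated_target_tag(W, qc):
    """D's tag for a target key: p(h_W) = 0, so t_W = W^{q(h_W)} needs neither mu nor w."""
    return pow(W, poly_eval(qc, tcrhf(W)), P)

def extract_g_mu_w(W, t, p, qc):
    """D's extraction for a non-target key: g^{mu w} = (t_W / W^{q(h_W)})^{1/p(h_W)}; None if p(h_W) = 0."""
    h = tcrhf(W)
    ph = poly_eval(p, h)
    if ph == 0:
        return None                      # target key (hash collisions are excluded by Game 1)
    stripped = t * pow(pow(W, poly_eval(qc, h), P), -1, P) % P   # = W^{mu p(h_W)}
    return pow(stripped, pow(ph, -1, Q), P)

def run_simulation(seed=7):
    """Constructed instance: challenge g^mu, targets (g^mu)^{r_j}, one non-target key g^w."""
    rng = random.Random(seed)
    mu = rng.randrange(1, Q)
    g_mu = pow(G, mu, P)                 # CBDDH challenge element; D never sees mu
    r = [rng.randrange(1, Q) for _ in range(3)]
    targets = [pow(g_mu, rj, P) for rj in r]
    u, p, qc = simulator_setup(g_mu, targets, rng)
    # (1) D's target tags equal what an honest run with exponent mu*r_j would produce.
    consistent = all(simulated_target_tag(W, qc) == honest_tag(u, W, mu * rj % Q)
                     for W, rj in zip(targets, r))
    # (2) From a non-target key and its honest tag, D learns g^{mu w} without knowing w.
    w = rng.randrange(1, Q)
    W = pow(G, w, P)
    extracted_ok = extract_g_mu_w(W, honest_tag(u, W, w), p, qc) == pow(g_mu, w, P)
    # (3) A target key's tag gives D nothing: extraction is undefined because p(h_W) = 0.
    target_opaque = extract_g_mu_w(targets[0], simulated_target_tag(targets[0], qc), p, qc) is None
    return {"targets_consistent": consistent, "extraction_ok": extracted_ok, "target_opaque": target_opaque}
```

Requires Python 3.8 or later for the modular inverse `pow(x, -1, m)`.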

Game 5. In this game, we change the function \(\mathsf {PRF}(\widetilde{k^*_i},\cdot )\) to a truly random function for the test oracle and its partner-oracles (if they exist). We make use of the fact that the secret seed \(\widetilde{k^*_i}\) of the test oracle is a truly random value. If there exists a polynomial time adversary \(\mathcal {A} \) that can distinguish Game 5 from Game 4, then we can construct an algorithm \(\mathcal {B}\) using \(\mathcal {A} \) to break the security of \(\mathsf {PRF}\). Exploiting the security of \(\mathsf {PRF}\), we have that

$$\begin{aligned} \mathsf {Adv}_{\mathsf {4}} \le \mathsf {Adv}_{\mathsf {5}} + \epsilon _{\mathsf {PRF}}. \end{aligned}$$

Note that in this game the session key returned by the \(\mathsf {Test}\)-query is a truly random value, independent of the bit b and of any messages. Thus, the advantage of the adversary in this game is \(\mathsf {Adv}_{\mathsf {5}} = 0\).

Summing up the probabilities from Game 0 to Game 5 proves the theorem:

$$\begin{aligned} \epsilon _{\mathsf {3AKE}}\le & {} \frac{(\rho \ell )^2}{2^{\lambda }} + \epsilon _{\mathsf {TCRHF}} + \ell \epsilon _{\mathsf {SIG}}\\&+\,14(\rho \ell )^3 \cdot (\epsilon _{\mathsf {CBDDH}}+ \epsilon _{\mathsf {PRF}}). \end{aligned}$$

A.2 Proof for \(\mathsf {TrAGKE}\)

Basically, the proof for \(\mathsf {TrAGKE}\) is similar to that of \(\mathsf {3AKE}\), with slight differences. In the sequel, we mainly sketch the proof idea. When there are more than three group members, the test oracle or its partner-oracles may be stateful, i.e., the initiation state of such oracles may come from the global variable \({\mathcal {GST}}\). A tree \(\mathsf {TN}\) may have several oracles which share common secret states, e.g., the keys of the root node. However, if the test oracle is executed among three entities, then it is exactly identical to \(\mathsf {3AKE}\). Hence, we reduce the security of \(\mathsf {TrAGKE}\) to the security of \(\mathsf {3AKE}\).

Game 0. This is the original game with adversary \(\mathcal {A} \). The system parameters are chosen honestly by the challenger \(\mathcal {C}\) according to the protocol specification. In particular, the challenger chooses uniformly random values \(\{r_{j}\} \mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}\mathbb {Z}_p^*\) for \(0 \le j \le n\) and sets \(u_{j}{:}{=}g^{r_{j}}\) as the public parameters. Suppose the tree generated by the test oracle has height \(h^*\). Then, the advantage of the adversary in distinguishing the key of the test oracle is rewritten as \(\epsilon _{\mathsf {AGKE}} = \epsilon ^{h^*}_{\mathsf {AGKE}}\). Thus, we have that

$$\begin{aligned} \epsilon ^{h^*}_{\mathsf {AGKE}} = \mathsf {Adv}_{0}. \end{aligned}$$

Game 1. In this game, the challenger proceeds exactly like the previous game, except that we add an abort rule. The challenger raises an event \(\mathsf {abort}_\mathsf {eph} \) and aborts if two trees generate the same ephemeral secret key (which is either a fresh random value from \(\mathbb {Z}^*_p\) or derived from the session key of the previous session), or if the hash values of the public keys or of the identities collide. Additionally, the challenger aborts if there exists a forgery of the signature of an uncorrupted party. The security of \(\mathsf {3AKE}\) therefore implies that

$$\begin{aligned} \mathsf {Adv}_{\mathsf {0}} \le \mathsf {Adv}_{\mathsf {1}} + \frac{(\rho \ell )^2}{2^{\lambda }} + 2\epsilon _{\mathsf {TCRHF}} + \ell \epsilon _{\mathsf {SIG}}. \end{aligned}$$

The proof of this game is similar to the proofs from Game 0 to Game 2 in Appendix A.1. Again, in this game, for each accepting fresh oracle \(\pi _{\mathsf {id}_i}^s\) with intended communication partner \(\mathsf {id}_j\), there always exists an oracle \(\pi _{\mathsf {id}_j}^t\) which has an origin session to \(\pi _{\mathsf {id}_i}^s\). That means the last condition in the freshness definition can never occur in this game. Thus, the messages received by the test oracle must come from its origin-oracles.

Game 2. This game proceeds as the previous game, but \(\mathcal {C}\) aborts if one of the following guesses fails: (i) which of the 14 possible freshness cases occurs for the test oracle, (ii) the test oracle, (iii) the two origin-oracles which contribute the distinct (ephemeral and long-term) target DH keys. For those oracles running for the same tree, we could consider them to jointly form a virtual party (i.e., the root node of the corresponding tree) that takes part in the \(\mathsf {3AKE}\) protocol instance. Thus, the number of freshness cases related to \(\mathsf {EphemeralKeyReveal}\) and \(\mathsf {Corrupt}\) queries is identical to the number of cases for \(\mathsf {3AKE}\). The second guess is necessary, since it affects the initiation of the long-term key in the next game. As there are \(\ell \) parties in total and at most \(\rho \) oracles for each party, the probability that all of the above guesses of \(\mathcal {C}\) are correct is at least \(\frac{1}{14\rho ^3\ell ^3}\). Thus we have that

$$\begin{aligned} \mathsf {Adv}_{\mathsf {1}} \le 14 (\rho \ell )^3 \cdot \mathsf {Adv}_{\mathsf {2}}. \end{aligned}$$

Game 3. Assume the test oracle is selected at tree level \(h^*\); then the first node at this level is denoted by \(\mathsf {TN}_1^*\), which may have a sub-tree of height \(h^*-1\). The node \(\mathsf {TN}_1^*\) may be run by either the test oracle, its partner-oracles or its origin-oracles (if they exist). Consider two distinct sub-freshness cases for the tree node \(\mathsf {TN}_1^*\), described as follows:

  • Case 1: the adversary \(\mathcal {A} \) neither queried \(\mathsf {Corrupt}(\mathsf {id}_{\mathsf {TN}_1^*})\) nor queried \(\mathsf {Corrupt}(\mathsf {id}_j)\) for any leaf node \(\mathsf {id}_j\) of \(\mathsf {TN}_1^*\).

  • Case 2: the secret key esk of \(\mathsf {TN}_1^*\) is not exposed (i.e., all children of \(\mathsf {TN}_1^*\) are fresh).

This game proceeds as the previous game, but the challenger replaces the long-term keys of all nodes of \(\mathsf {TN}_1^*\) with random values when Case 1 occurs, and replaces the ephemeral public key epk of \(\mathsf {TN}_1^*\) with a random value when Case 2 occurs. Hence, if there exists an adversary \(\mathcal {A}\) which can distinguish this game from the previous game, then we could use it to solve the \(\mathsf {CBDDH}\) problem in Case 1, or to break the security of \(\mathsf {TrAGKE}\) on level \(h^*-1\) in Case 2, where \(1 \le h^* \le \rho \ell -1\).

  • If the modified DH key is the ephemeral key, then \(\mathcal {A}\) must be able to distinguish the session key \(K_{\mathsf {TN}_1^*}\) of the tree node \(\mathsf {TN}_1^*\) with probability denoted by \(\epsilon ^{h^*-1}_{\mathsf {AGKE}}\). Meanwhile, \(\mathcal {B}\) could simulate the game for \(\mathcal {A} \) and answer the \(\mathsf {EphemeralKeyReveal}\) query to \(\mathsf {TN}_1^*\) with the result of its own \(\mathsf {Test}\) query. As for the other queries from \(\mathcal {A} \), \(\mathcal {B}\) could forward them to its challenger. Then if \(\mathcal {A} \) distinguishes the ephemeral secret key of \(\mathsf {TN}_1^*\), so does \(\mathcal {B}\). Thus, \(\epsilon ^{h^*-1}_{\mathsf {AGKE}}\) can be iteratively replaced with the advantages of the adversaries from height \(h^*-1\) down to 1 (i.e., the advantage of the adversary on the first level is equivalent to that of breaking \(\mathsf {3AKE}\)). Note that the freshness definition requires that if \(\mathsf {TN}_1^*\) is fresh then all its sub-trees must be fresh as well.

  • If the modified DH key is the long-term key, then all leaf nodes under the root \(\mathsf {TN}_1^*\) must be uncorrupted. Then, we could play a series of games \((G_1, G_2,\ldots , G_{h^*-1})\) for the sub-tree of \(\mathsf {TN}_1^*\) having height \( 1\le h'\le h^*-1\). The long-term public keys of the nodes below level \(h'\) are replaced with random values, while all other public keys are generated honestly according to the protocol specification. First consider the game \(G_2\) and the long-term public key \(pk^2_1\) of the non-leaf node on the second level, which is generated from the public keys \((pk^1_1, pk^1_2,pk^1_3)\) of the leaf nodes on the first level. Given a \(\mathsf {CBDDH}\) challenge instance \((g,g^a,\varGamma )\), \(\mathcal {B}\) could embed the challenge value \(g^a\) into the keys \(pk^1_1,pk^1_2\) and \(pk^1_3\) and simulate the game similarly to the proof of Game 4 in Appendix A.1 (when all ephemeral keys are exposed). Meanwhile, \(\mathcal {B}\) replaces \(pk^2_1\) with a value generated from \(\varGamma \). Furthermore, \(\mathcal {B}\) also embeds the challenge value into the keys of the programmable hash function, in the same way as in the proof of Game 4 in A.1. Then, \(\mathcal {B}\) could generate the long-term shared keys for any nodes involving one or two keys from \(pk_1\), \(pk_2\) and \(pk_3\), i.e., extract the key material from the proof of public key using the weak PHF. The changed long-term key is random if and only if \(\varGamma \) is a random value; otherwise, it is a true key. We omit the details here to avoid repetition; one could refer to the detailed proof of Game 4 in A.1. Hence, the advantage of the adversary in the game \(G_2\) is reduced to \(\epsilon _{\mathsf {CBDDH}}\). Similarly, the advantage of the adversary in the game \(G_{3}\) is \(2 \cdot \epsilon _{\mathsf {CBDDH}}\).

Hence, the advantage of the adversary in the game \(G_{h^*-1}\) is \((h^*-2) \cdot \epsilon _{\mathsf {CBDDH}}\), i.e., the sum of the advantages in each game \(G_{h'}\). Thus we have that

$$\begin{aligned} \mathsf {Adv}_{\mathsf {2}} \le \mathsf {Adv}_{\mathsf {3}} + (h^*-2) \cdot \epsilon _{\mathsf {CBDDH}} + \epsilon ^{h^*-1}_{\mathsf {AGKE}}. \end{aligned}$$

Game 4. This game proceeds as the previous game, but the challenger \(\mathcal {C}\) replaces the key material \(k^s_{\mathsf {id}_i}\) with a random value \(\widetilde{k^s_{\mathsf {id}_i}}\) for all oracles \(\{\pi ^s_{\mathsf {id}_i} : i \in [\ell ], s \in [\rho ]\}\) which satisfy the following conditions:

  • \(k^s_{\mathsf {id}_i}\) is computed from the 3 target DH keys guessed by \(\mathcal {C}\) for the test oracle, and

  • the target DH keys used by \(\pi ^s_{\mathsf {id}_i}\) come from 3 tree nodes.

Since the 3 target DH keys were replaced with random values in the previous game, their initiation is the same as in 3AKE. Thus, the proof of this game proceeds similarly to the proof of Game 4 in A.1, except for the additional signatures (which can be generated honestly according to the protocol specification). If there exists an adversary \(\mathcal {A} \) that can distinguish Game 4 from Game 3, then we can use it to construct a distinguisher \(\mathcal {D}\) that solves the \(\mathsf {CBDDH}\) problem. The \(\mathsf {CBDDH}\) assumption implies that

$$\begin{aligned} \mathsf {Adv}_{\mathsf {3}} \le \mathsf {Adv}_{\mathsf {4}} + \epsilon _{\mathsf {CBDDH}}. \end{aligned}$$

Game 5. In this game, we replace the function \(\mathsf {PRF}(\widetilde{k^*_{\mathsf {id}_i}},\cdot )\) with a truly random function for the test oracle and its partner-oracles (if they exist). We make use of the fact that the secret seed \(\widetilde{k^*_{\mathsf {id}_i}}\) of the test oracle is a truly random value. If there exists a polynomial-time adversary \(\mathcal {A} \) that can distinguish Game 5 from Game 4, then we can construct an algorithm \(\mathcal {B}\) that uses \(\mathcal {A} \) to break the security of \(\mathsf {PRF}\). Exploiting the security of \(\mathsf {PRF}\), we have that

$$\begin{aligned} \mathsf {Adv}_{\mathsf {4}} \le \mathsf {Adv}_{\mathsf {5}} + \epsilon _{\mathsf {PRF}}. \end{aligned}$$

Note that in this game the session key returned by the \(\mathsf {Test}\)-query is a truly random value, independent of the bit b and of all messages. Thus, the adversary's advantage in this game is \(\mathsf {Adv}_{\mathsf {5}} = 0\).

Collecting the probabilities from Game 0 to Game 5, we have that

$$\begin{aligned} \epsilon _{\mathsf {AGKE}}\le & {} \frac{(\rho \ell )^2}{2^{\lambda }} + 2\epsilon _{\mathsf {TCRHF}} + \ell \epsilon _{\mathsf {SIG}} + 14 (\rho \ell )^3 \cdot \left( (h^*-1) \cdot \epsilon _{\mathsf {CBDDH}}\right. \\&\left. +\, \epsilon _{\mathsf {PRF}} + \epsilon ^{h^*-1}_{\mathsf {AGKE}} \right) \\\le & {} \frac{(\rho \ell )^2}{2^{\lambda }} + 2\epsilon _{\mathsf {TCRHF}} + \ell \epsilon _{\mathsf {SIG}} + 14 (\rho \ell )^3 (h^* \cdot \epsilon _{\mathsf {CBDDH}} +\epsilon _{\mathsf {PRF}} \\&+\left( \frac{(\rho \ell )^2}{2^{\lambda }} + 2\epsilon _{\mathsf {TCRHF}} \!+ \ell \epsilon _{\mathsf {SIG}} \!+ 14 (\rho \ell )^3 \cdot ( (h^*-1) \cdot \epsilon _{\mathsf {CBDDH}} \right. \\&\left. +\epsilon _{\mathsf {PRF}} + \epsilon ^{h^*-2}_{\mathsf {AGKE}}) \right) \\< & {} (14\rho \ell )^{3(h^*-1)} \cdot \epsilon _{\mathsf {3AKE}} \\\le & {} (14\rho \ell )^{3(h^*-1)} \left( \frac{(\rho \ell )^2}{2^{\lambda }} + 2\epsilon _{\mathsf {TCRHF}} + \ell \epsilon _{\mathsf {SIG}}\right. \\&\left. + 14 (\rho \ell )^3 \cdot (\epsilon _{\mathsf {CBDDH}} +\epsilon _{\mathsf {PRF}})\right) .\\ \end{aligned}$$

Yang, Z., Liu, C., Liu, W. et al. A new strong security model for stateful authenticated group key exchange. Int. J. Inf. Secur. 17, 423–440 (2018). https://doi.org/10.1007/s10207-017-0373-1
