# Building Group Key Establishment on Group Theory: A Modular Approach


## Abstract


## 1. Introduction

- Instead of the random oracle model, we use the common reference string model. An (expected) price we pay for this is the need for a decisional assumption instead of the computational one used in [21].
- Instead of setting out for a group key establishment directly, we suggest a construction for the two-party case and thereafter apply a protocol compiler of Abdalla et al. [22].

## 2. Preliminaries: Security Model and Protocol Goals

- Two values ${v}_{0}$, ${v}_{1}.$ These will be the input for a pseudorandom function at the time of computing the session identifier and session key;
- The information necessary to implement a non-interactive and non-malleable commitment scheme (see Section 3.1 for further details);
- Two elements, chosen independently and uniformly at random, each taken from a family of universal hash functions (one as needed for the compiler in [22] and one for our two-party solution as detailed in Section 3.1).

#### 2.1. Communication Model and Adversarial Capabilities

#### 2.1.1. Protocol Instances

- ${\mathsf{used}}_{i}^{{s}_{i}}$ will indicate whether this instance is or has been used for a protocol run. The ${\mathsf{used}}_{i}^{{s}_{i}}$ flag is set through a protocol message received by the corresponding instance due to a call to the $\mathsf{Send}$ oracle (see below);
- ${\mathsf{state}}_{i}^{{s}_{i}}$ stores the state information needed during the protocol execution;
- ${\mathsf{term}}_{i}^{{s}_{i}}$ indicates if the execution has terminated;
- ${\mathsf{sid}}_{i}^{{s}_{i}}$ denotes a session identifier (which may be public) which may later be used as an identifier for the session key ${\mathsf{sk}}_{i}^{{s}_{i}}$ (in particular, the adversary is thus allowed to learn session identifiers);
- ${\mathsf{pid}}_{i}^{{s}_{i}}$ stores the user identities that ${\Pi}_{i}^{{s}_{i}}$ aims at establishing a key with. This set includes ${U}_{i}$ himself;
- ${\mathsf{acc}}_{i}^{{s}_{i}}$ indicates that the protocol instance completed a protocol successfully, that is, whether the involved user accepted the session key or not;
- ${\mathsf{sk}}_{i}^{{s}_{i}}$ stores a distinguished null value in the beginning. After a session key is accepted by ${\Pi}_{i}^{{s}_{i}},$ this session key replaces the null value.

#### 2.1.2. Communication Network

#### 2.1.3. Adversarial Capabilities

- $\mathsf{Send}({U}_{i},{s}_{i},M)$: This oracle sends a message M to instance ${\Pi}_{i}^{{s}_{i}}$ and returns the message generated by this instance. In case the instance ${\Pi}_{i}^{{s}_{i}}$ is previously unused and the message $M\subseteq \mathcal{P}$ contains a set of user identities, the ${\mathsf{used}}_{i}^{{s}_{i}}$-flag is set, ${\mathsf{pid}}_{i}^{{s}_{i}}$ is initialized with ${\mathsf{pid}}_{i}^{{s}_{i}}:=\left\{{U}_{i}\right\}\cup M$, and ${\Pi}_{i}^{{s}_{i}}$ initiates the protocol with the first message, which is returned.
- $\mathsf{Reveal}({U}_{i},{s}_{i})$: This outputs the computed key of the instance stored in ${\mathsf{sk}}_{i}^{{s}_{i}}$.
- $\mathsf{Test}({U}_{i},{s}_{i})$: If the corresponding session key is defined (i.e., ${\mathsf{acc}}_{i}^{{s}_{i}}=\mathsf{true}$ and ${\mathsf{sk}}_{i}^{{s}_{i}}\ne $ null) and instance ${\Pi}_{i}^{{s}_{i}}$ is fresh (see Definition 4), $\mathcal{A}$ can execute this oracle query at any time when being activated. Then, if $b=0$ the session key ${\mathsf{sk}}_{i}^{{s}_{i}}$ is returned, while if $b=1$ a uniformly chosen random session key is returned. An arbitrary number of $\mathsf{Test}$ queries is allowed for the adversary $\mathcal{A}$, but once the $\mathsf{Test}$ oracle has returned a value for an instance ${\Pi}_{i}^{{s}_{i}}$, the same value will be returned for all instances partnered with ${\Pi}_{i}^{{s}_{i}}$ (see Definition 3).
- $\mathsf{Corrupt}({U}_{i})$: This oracle models forward secrecy, as this query outputs the secret signing key of user ${U}_{i}$.

#### 2.2. Goals of a Key Establishment Protocol: Correctness, Integrity, and Security

**Definition 1.** A group key establishment protocol $\mathsf{P}$ is correct, if in the presence of a passive adversary $\mathcal{A}$ the following holds: for all $i,j$ with both ${\mathsf{sid}}_{i}^{{s}_{i}}={\mathsf{sid}}_{j}^{{s}_{j}}$ and ${\mathsf{acc}}_{i}^{{s}_{i}}={\mathsf{acc}}_{j}^{{s}_{j}}=\mathsf{true}$, we have ${\mathsf{sk}}_{i}^{{s}_{i}}={\mathsf{sk}}_{j}^{{s}_{j}}\ne $ null and ${\mathsf{pid}}_{i}^{{s}_{i}}={\mathsf{pid}}_{j}^{{s}_{j}}$.

**Definition 2.** A correct group key establishment protocol fulfills key integrity, if all instances of users that have accepted with the same session identifier ${\mathsf{sid}}_{j}^{{s}_{j}}$ hold with overwhelming probability identical session keys ${\mathsf{sk}}_{j}^{{s}_{j}}$ and identical partner identifiers ${\mathsf{pid}}_{j}^{{s}_{j}}$.

**Definition 3.** Instances ${\Pi}_{i}^{{s}_{i}}$ and ${\Pi}_{j}^{{s}_{j}}$ are partnered if ${\mathsf{pid}}_{i}^{{s}_{i}}={\mathsf{pid}}_{j}^{{s}_{j}}$, ${\mathsf{sid}}_{i}^{{s}_{i}}={\mathsf{sid}}_{j}^{{s}_{j}}$, and ${\mathsf{acc}}_{i}^{{s}_{i}}={\mathsf{acc}}_{j}^{{s}_{j}}=\mathsf{true}$.

**Definition 4.** An instance ${\Pi}_{i}^{{s}_{i}}$ is called fresh provided that none of the following conditions holds:

- For some ${U}_{j}\in {\mathsf{pid}}_{i}^{{s}_{i}}$ a query $\mathsf{Corrupt}\left({U}_{j}\right)$ was executed before a query of the form $\mathsf{Send}({U}_{k},{s}_{k},\ast )$ has taken place where ${U}_{k}\in {\mathsf{pid}}_{i}^{{s}_{i}}$.
- The adversary queried $\mathsf{Reveal}({U}_{j},{s}_{j})$ with ${\Pi}_{i}^{{s}_{i}}$ and ${\Pi}_{j}^{{s}_{j}}$ being partnered.

**Definition 5.**

## 3. Building on a Group-Theoretic Assumption

#### 3.1. A Two-Party Solution

- A **non-interactive non-malleable commitment scheme $\mathcal{C}$**, satisfying the following requirements:
  - It is perfectly binding in the sense that every commitment can be decommitted to at most one value.
  - It is non-malleable for multiple commitments. This means that an adversary who knows commitments to a polynomial sized set of values $\nu $, will not be able to output commitments to a polynomial sized set of values $\beta $ related to $\nu $ in a meaningful way. It is well-known that in the CRS model such a commitment scheme can be implemented by means of any IND-CCA2 secure public key encryption scheme, for instance.
- A **family of universal hash functions $\mathcal{U}\mathcal{H}$** mapping triples consisting of two elements from G and a ${\mathsf{pid}}_{i}^{{s}_{i}}$-value onto a superpolynomial sized set ${\{0,1\}}^{L}$. A universal hash function $\mathrm{UH}$ will be selected by the CRS from this family.
- A **collision-resistant pseudorandom function family $\mathcal{F}={\left\{{F}^{\ell}\right\}}_{\ell \in \mathbb{N}}$** (see Katz and Shin [28]). We assume ${F}^{\ell}={\left\{{F}_{\eta}^{\ell}\right\}}_{\eta \in {\{0,1\}}^{L}}$ to be indexed by ${\{0,1\}}^{L}$ and further denote by ${v}_{0}={v}_{0}\left(\ell \right)$ a publicly known value such that no ppt adversary can find two different indices $\lambda \ne {\lambda}^{\prime}\in {\{0,1\}}^{L}$ such that ${F}_{\lambda}\left({v}_{0}\right)={F}_{{\lambda}^{\prime}}\left({v}_{0}\right)$. We further use another public value ${v}_{1},$ fulfilling the same requirement as ${v}_{0}$ for deriving the session key (this can also be included in the CRS; see [28] for more details).

- $\mathsf{DomPar}$, the domain parameter generation algorithm, is a (stateless) ppt algorithm that, upon input of the security parameter ${1}^{\ell}$, outputs a finite sequence S of elements in G. The subgroup of G spanned by S, $\langle S\rangle $, will be publicly known. Note that, for the special case of applying our framework to a DDH-assumption, S specifies a public generator of a cyclic group.
- $\mathsf{SamAut}$, the automorphism group sampling algorithm, is a (stateless) ppt algorithm that, upon input of the security parameter ${1}^{\ell}$ and a sequence S output by $\mathsf{DomPar}$, returns a description of an automorphism $\varphi $ on the subgroup $\langle S\rangle $, so that both $\varphi $ and ${\varphi}^{-1}$ can be efficiently evaluated. For example, for a cyclic group, $\varphi $ could be given as an exponent, or for an inner automorphism the conjugating group element could be specified.
- $\mathsf{SamSub}$, the subgroup sampling algorithm, is a (stateless) ppt algorithm that, upon input of the security parameter ${1}^{\ell}$ and a sequence S output by $\mathsf{DomPar}$, returns a word $x\left(S\right)$ representing an element $x\in \langle S\rangle $. Intuitively, $\mathsf{SamSub}$ chooses a random $x\in \langle S\rangle $, so that it is hard to recognize x if we know elements of x's orbit under $\mathrm{Aut}(\langle S\rangle )$. Thus, our protocol requires an explicit representation of x in terms of the generators S.

**Definition 6.** Suppose that we have fixed a quadruple $(G,\mathsf{DomPar},\mathsf{SamAut},\mathsf{SamSub})$. Then the decision automorphism application (DAA) assumption states that for all ppt algorithms $\mathcal{A}$ the advantage function ${\mathsf{Adv}}_{\mathcal{A}}^{\mathsf{DAA}}={\mathsf{Adv}}_{\mathcal{A}}^{\mathsf{DAA}}\left(\ell \right):=$

**Example 1.** Let G be a finite cyclic group and $S:=\langle g\rangle $ a prime order subgroup with generator g of order q. If we let $\mathsf{SamSub}$ choose uniformly at random an exponent $x\in \{1,\dots ,q-1\}$ and $\mathsf{SamAut}$ uniformly at random an exponent $\varphi \in \{1,\dots ,q-1\}$, then the DAA problem just described can be recognized as polynomial-time equivalent to a decision Diffie–Hellman (DDH) problem:

- **"DDH solution ⇒ DAA solution":** When facing the DAA problem, we obtain as input a tuple $(g,{g}^{y},{({g}^{{\varphi}_{i}},{g}^{x{\varphi}_{i}})}_{i=1,2})$ where either $y=x$, or y has been chosen uniformly at random from $\{1,\dots ,q-1\}$, independently of x and the ${\varphi}_{i}$s. Given a DDH oracle, we just query it with $(g,{g}^{y},{g}^{{\varphi}_{1}},{g}^{x{\varphi}_{1}})$ to see with non-negligible success probability which is the case.
- **"DAA solution ⇒ DDH solution":** When facing the DDH problem, we obtain as input a tuple $(g,{g}^{{\varphi}_{1}},{g}^{x},{g}^{y})$, where either $y={\varphi}_{1}x \bmod q$, or y has been chosen uniformly at random from $\{1,\dots ,q-1\}$, independently of x and ${\varphi}_{1}$. Choosing another random ${\varphi}_{2}\in \{1,\dots ,q-1\}$, we can compute the input
$$\Bigl({g}^{{\varphi}_{1}},\ {g}^{y},\ \bigl(\underbrace{g}_{=({g}^{{\varphi}_{1}})^{{\varphi}_{1}^{-1}}},\ \underbrace{{g}^{x}}_{=({g}^{{\varphi}_{1}x})^{{\varphi}_{1}^{-1}}}\bigr),\ \bigl(\underbrace{{g}^{{\varphi}_{2}}}_{=({g}^{{\varphi}_{1}})^{{\varphi}_{1}^{-1}{\varphi}_{2}}},\ \underbrace{({g}^{x})^{{\varphi}_{2}}}_{=({g}^{{\varphi}_{1}x})^{{\varphi}_{1}^{-1}{\varphi}_{2}}}\bigr)\Bigr)$$
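The cyclic-group instantiation of $\mathsf{SamAut}$ and $\mathsf{SamSub}$ from Section 3.1 and both directions of the DDH/DAA reduction in Example 1, as an added Python example that is not code from the paper. The toy group ($p = 1019$, $q = 509$, $g = 4$) is an assumption chosen small enough that ideal DDH and DAA oracles can be built by brute-force discrete logarithms to check that each reduction carries a "real" instance to a "real" instance and a random one to a random one.

```python
import secrets
# Constructed toy parameters (an assumption, not from the paper): p = 2q + 1 is a
# safe prime and g = 4 is a square mod p, so <g> is the order-q subgroup of Z_p^*.
P, Q, G = 1019, 509, 4

def sam_aut():
    """SamAut for a cyclic group: an automorphism of <g> is h -> h^phi, phi in 1..q-1."""
    return 1 + secrets.randbelow(Q - 1)

def sam_sub():
    """SamSub: a random x in 1..q-1, the 'word' describing the element g^x of <g>."""
    return 1 + secrets.randbelow(Q - 1)

def rand_other(x):  # uniform exponent in 1..q-1 different from x (keeps checks unambiguous)
    y = sam_sub()
    while y == x:
        y = sam_sub()
    return y

def daa_instance(real):
    """DAA challenge (g, g^y, ((g^phi_i, g^{x phi_i}))_{i=1,2}); real <=> y = x."""
    x = sam_sub()
    y = x if real else rand_other(x)
    pairs = []
    for _ in range(2):
        phi = sam_aut()
        pairs.append((pow(G, phi, P), pow(G, x * phi % Q, P)))
    return (G, pow(G, y, P), tuple(pairs))

def ddh_instance(real):
    """DDH challenge (g, g^phi1, g^x, g^y); real <=> y = phi1 * x mod q."""
    phi1, x = sam_aut(), sam_sub()
    y = phi1 * x % Q if real else rand_other(phi1 * x % Q)
    return (G, pow(G, phi1, P), pow(G, x, P), pow(G, y, P))

def daa_to_ddh(daa):
    """'DDH solution => DAA solution': hand (g, g^y, g^phi1, g^{x phi1}) to a DDH oracle."""
    g, gy, pairs = daa
    gphi1, gxphi1 = pairs[0]
    return (g, gy, gphi1, gxphi1)

def ddh_to_daa(ddh):
    """'DAA solution => DDH solution': re-base on g' = g^phi1, so (g, g^x) = (g'^{1/phi1}, (g'^x)^{1/phi1}),
    (g^phi2, (g^x)^phi2) = (g'^{phi2/phi1}, (g'^x)^{phi2/phi1}), and y = phi1*x <=> g^y = g'^x."""
    g, gphi1, gx, gy = ddh
    phi2 = sam_aut()
    return (gphi1, gy, ((g, gx), (pow(g, phi2, P), pow(gx, phi2, P))))

def dlog(base, h):
    """Brute-force discrete log in the toy group; used only to build ideal checking oracles."""
    acc = 1
    for k in range(Q):
        if acc == h:
            return k
        acc = acc * base % P
    raise ValueError("h is not in <base>")

def ddh_oracle(g, ga, gb, gc):
    """Ideal DDH oracle for the toy group: does c == a * b mod q hold?"""
    return dlog(g, gc) == dlog(g, ga) * dlog(g, gb) % Q

def daa_oracle(g, gy, pairs):
    """Ideal DAA oracle: recover x from the first pair and test whether g^y == g^x."""
    gphi, gxphi = pairs[0]
    x = dlog(g, gxphi) * pow(dlog(g, gphi), -1, Q) % Q
    return gy == pow(g, x, P)
```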

**Proposition 1.** Assume that for each ppt algorithm $\mathcal{A}$, its advantage ${\mathsf{Adv}}_{\mathcal{A}}^{\mathsf{Sig}}$ of achieving an existential forgery under the adaptive chosen-message attack for the underlying signature scheme, and ${\mathsf{Adv}}_{\mathcal{A}}^{\mathsf{DAA}},$ its advantage of solving DAA, can be bounded by a negligible function (in ℓ). Then the protocol in Figure 1 is a correct and secure two-party key establishment protocol fulfilling key integrity.

#### 3.2. Security Analysis for the Two-Party Case: Proof of Proposition 1

**Game 0.** All oracles are simulated as defined in the model. Thus, $\mathsf{Adv}(\mathcal{A},{G}_{0})$ is exactly ${\mathsf{Adv}}_{\mathcal{A}}$ and $\mathsf{Succ}(\mathcal{A},{G}_{0})$ is the probability of violating the security of our key exchange protocol.

**Game 1.** In this game, the simulator keeps a list with entries $(i,M,{\sigma}_{M})$ for every message M and corresponding signature ${\sigma}_{M}$ he has produced and returned to the adversary $\mathcal{A}$ in a Round 2 message following a $\mathsf{Send}$ query.

**Lemma 1.**

**Proof.**

**Game 2.** Now the simulation of the $\mathsf{Test}$ oracle is modified, so that, on input of a fresh instance, it will always output an element selected uniformly at random in the key space. Thus, $\mathsf{Adv}(\mathcal{A},{G}_{2})=0.$

## 4. Conclusions

## Author Contributions

## Funding

## Acknowledgments

## Conflicts of Interest

## References

1. Anshel, I.; Anshel, M.; Goldfeld, D. An Algebraic Method for Public-Key Cryptography. Math. Res. Lett. 1999, 6, 287–291.
2. Ko, K.H.; Lee, S.J.; Cheon, J.H.; Han, J.W.; Kang, J.S.; Park, C. New Public-Key Cryptosystem Using Braid Groups. In Proceedings of the Advances in Cryptology—CRYPTO 2000, Santa Barbara, CA, USA, 20–24 August 2000; pp. 166–183.
3. Anshel, I.; Anshel, M.; Fisher, B.; Goldfeld, D. New Key Agreement Protocols in Braid Group Cryptography. In Proceedings of the Topics in Cryptology—CT-RSA 2001, San Francisco, CA, USA, 8–12 April 2001; pp. 13–27.
4. Grigoriev, D.; Ponomarenko, I. Constructions in public-key cryptography over matrix groups. In Contemporary Mathematics: Algebraic Methods in Cryptography; American Mathematical Society: Providence, RI, USA, 2006; Volume 418, pp. 103–119.
5. Lee, H.K.; Lee, H.S.; Lee, Y.R. An Authenticated Group Key Agreement Protocol on Braid groups. Cryptology ePrint Archive: Report 2003/018. 2003. Available online: http://eprint.iacr.org/2003/018 (accessed on 1 December 2019).
6. Shpilrain, V.; Ushakov, A. Thompson's Group and Public Key Cryptography. In Proceedings of the ACNS 2005—Third International Conference on Applied Cryptography and Network Security, New York, NY, USA, 7–10 June 2005; Volume 3531, pp. 151–163.
7. Shpilrain, V.; Zapata, G. Combinatorial group theory and public key cryptography. Appl. Algebra Eng. Commun. Comput. 2006, 17, 291–302.
8. Shpilrain, V.; Ushakov, A. A new key exchange protocol based on the decomposition problem. In Contemporary Mathematics: Algebraic Methods in Cryptography; American Mathematical Society: Providence, RI, USA, 2006; Volume 418, pp. 161–167.
9. Anshel, I.; Anshel, M.; Goldfeld, D.; Lemieux, S. Key agreement, the Algebraic Eraser™, and lightweight cryptography. In Contemporary Mathematics: Algebraic Methods in Cryptography; American Mathematical Society: Providence, RI, USA, 2006; Volume 418, pp. 1–34.
10. Anshel, I.; Atkins, D.; Goldfeld, D.; Gunnells, P.E. Ironwood Meta Key Agreement and Authentication Protocol. arXiv 2017, arXiv:1702.02450.
11. Bellare, M.; Rogaway, P. Entity Authentication and Key Distribution. In Proceedings of the CRYPTO 1993—13th Annual International Cryptology Conference on Advances in Cryptology, Santa Barbara, CA, USA, 22–26 August 1993; Volume 773, pp. 232–249.
12. Bellare, M.; Canetti, R.; Krawczyk, H. A Modular Approach to the Design and Analysis of Authentication and Key Exchange Protocols. In Proceedings of the 30th Annual ACM Symposium on Theory of Computing STOC, Dallas, TX, USA, 24–26 May 1998; pp. 319–428.
13. Shoup, V. On Formal Models for Secure Key Exchange (Version 4). Revision of IBM Research Report RZ 3120 (April 1999). 1999. Available online: http://www.shoup.net/papers/skey.pdf (accessed on 1 December 2019).
14. Bellare, M.; Pointcheval, D.; Rogaway, P. Authenticated Key Exchange Secure Against Dictionary Attacks. In Proceedings of the EUROCRYPT 2000—Advances in Cryptology, Bruges, Belgium, 14–18 May 2000; Volume 1807, pp. 139–155.
15. Bresson, E.; Chevassut, O.; Pointcheval, D.; Quisquater, J.J. Provably Authenticated Group Diffie–Hellman Key Exchange. In Proceedings of the 8th ACM Conference on Computer and Communications Security; Samarati, P., Ed.; ACM Press: New York, NY, USA, 2001; pp. 255–264.
16. Canetti, R.; Krawczyk, H. Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels. In Advances in Cryptology—EUROCRYPT 2001; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2001; Volume 2045, pp. 453–474.
17. Ben-Zvi, A.; Blackburn, S.R.; Tsaban, B. A Practical Cryptanalysis of the Algebraic Eraser. In Advances in Cryptology—CRYPTO 2016 Proceedings, Part I; Lecture Notes in Computer Science; Robshaw, M., Katz, J., Eds.; Springer: Berlin/Heidelberg, Germany, 2016; Volume 9814, pp. 179–189.
18. Cramer, R.; Shoup, V. Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption. In Advances in Cryptology—EUROCRYPT 2002; Lecture Notes in Computer Science; Knudsen, L., Ed.; Springer: Berlin/Heidelberg, Germany, 2002; Volume 2332, pp. 45–64.
19. González Vasco, M.I.; Martínez, C.; Steinwandt, R.; Villar, J.L. A new Cramer-Shoup like methodology for group based provably secure schemes. In Proceedings of the 2nd Theory of Cryptography Conference (TCC 2005); Lecture Notes in Computer Science; Kilian, J., Ed.; Springer: Berlin/Heidelberg, Germany, 2005; Volume 3378, pp. 495–509.
20. Catalano, D.; Pointcheval, D.; Pornin, T. IPAKE: Isomorphisms for Password-based Authenticated Key Exchange. In Advances in Cryptology—CRYPTO 2004; Lecture Notes in Computer Science; Franklin, M.K., Ed.; Springer: Berlin/Heidelberg, Germany, 2004; Volume 3152, pp. 477–493.
21. Bohli, J.M.; Glas, B.; Steinwandt, R. Towards Provably Secure Group Key Agreement Building on Group Theory. In Proceedings of VietCrypt 2006; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2006; Volume 4341, pp. 322–336.
22. Abdalla, M.; Bohli, J.; González Vasco, M.I.; Steinwandt, R. (Password) Authenticated Key Establishment: From 2-Party to Group. In Proceedings of the 4th Theory of Cryptography Conference TCC 2007; Lecture Notes in Computer Science; Vadhan, S.P., Ed.; Springer: Berlin/Heidelberg, Germany, 2007; Volume 4392, pp. 499–514.
23. Burmester, M.; Desmedt, Y. A Secure and Efficient Conference Key Distribution System. In Advances in Cryptology—EUROCRYPT'94; Lecture Notes in Computer Science; Santis, A.D., Ed.; Springer: Berlin/Heidelberg, Germany, 1995; Volume 950, pp. 275–286.
24. Gennaro, R.; Lindell, Y. A Framework for Password-Based Authenticated Key Exchange. Cryptology ePrint Archive: Report 2003/032. 2003. Available online: http://eprint.iacr.org/2003/032 (accessed on 1 December 2019).
25. Gennaro, R.; Lindell, Y. A Framework for Password-Based Authenticated Key Exchange (Extended Abstract). In Advances in Cryptology—EUROCRYPT 2003; Lecture Notes in Computer Science; Biham, E., Ed.; Springer: Berlin/Heidelberg, Germany, 2003; Volume 2656, pp. 524–543.
26. Bohli, J.M.; González Vasco, M.I.; Steinwandt, R. Secure group key establishment revisited. Int. J. Inf. Secur. 2007, 6, 243–254.
27. Bohli, J.M.; González Vasco, M.I.; Steinwandt, R. Password-authenticated group key establishment from smooth projective hash functions. Int. J. Appl. Math. Comput. Sci. 2019, 29, 797–815. Available online: http://eprint.iacr.org/2006/214 (accessed on 1 December 2019).
28. Katz, J.; Shin, J.S. Modeling insider attacks on group key-exchange protocols. In Proceedings of the 12th ACM Conference on Computer and Communications Security (CCS 2005); Atluri, V., Meadows, C.A., Juels, A., Eds.; ACM: New York, NY, USA, 2005; pp. 180–189. Available online: http://eprint.iacr.org/2005/163 (accessed on 1 December 2019).
29. Nam, J.; Paik, J.; Won, D. A security weakness in Abdalla et al.'s generic construction of a group key exchange protocol. Inf. Sci. 2011, 181, 234–238.

**Figure 2.**The protocol compiler from [22].

© 2020 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).

Bohli, J.-M.; González Vasco, M.I.; Steinwandt, R.
Building Group Key Establishment on Group Theory: A Modular Approach. *Symmetry* **2020**, *12*, 197.
https://doi.org/10.3390/sym12020197
