Next Article in Journal
What Drives Sustainable Brand Awareness: Exploring the Cognitive Symmetry between Brand Strategy and Consumer Brand Knowledge
Previous Article in Journal
Research on Rotorcraft Blade Tip Vortex Identification and Motion Characteristics in Hovering State
Previous Article in Special Issue
Block Cipher in the Ideal Cipher Model: A Dedicated Permutation Modeled as a Black-Box Public Random Permutation
Open AccessArticle

Building Group Key Establishment on Group Theory: A Modular Approach

Department of Information Technology, Mannheim University of Applied Sciences, 68163 Mannheim, Germany
MACIMTE, U. Rey Juan Carlos, 28933 Móstoles, Madrid, Spain
Department of Mathematical Sciences, Florida Atlantic University, Boca Raton, FL 33431, USA
Author to whom correspondence should be addressed.
Symmetry 2020, 12(2), 197;
Received: 26 December 2019 / Revised: 15 January 2020 / Accepted: 19 January 2020 / Published: 30 January 2020
(This article belongs to the Special Issue Interactions between Group Theory, Symmetry and Cryptology)


A group key establishment protocol is presented and proven secure in the common reference string mode. The protocol builds on a group-theoretic assumption, and a concrete example can be obtained with a decision Diffie–Hellman assumption. The protocol is derived from a two-party solution by means of a protocol compiler presented by Abdalla et al. at TCC 2007, evidencing the possibility of meaningfully integrating cryptographic and group-theoretic tools in cryptographic protocol design. This compiler uses a standard ring configuration, where all users behave symmetrically, exchanging keys with their left and right neighbor, which are later combined to yield a shared group key.
Keywords: group key establishment; group theory; provable security; protocol compiler group key establishment; group theory; provable security; protocol compiler

1. Introduction

Cryptography is the science of handling, storing, transmitting, and processing information securely, even in the presence of adversaries. For centuries, cryptographic techniques were developed for diplomatic or military scenarios, while nowadays individuals and institutions (often obliviously) make use of cryptographic tools every day. As a complex discipline, cryptography builds upon physics, mathematics, and different research areas within computer science. Mathematics are the main source of tools for cryptographic developments, in which, security is often demonstrated using the hardness of well understood mathematical problems. This paper is concerned with the construction of a widely used cryptographic tool, a group key exchange, using group theory as a base. Key exchange allows a number of users to establish a common secret value which will be subsequently used to secure their communication. Such cryptographic tools are often constructed from number theoretical problems (described in finite cyclic groups), and a challenging research question is whether secure constructions can be derived from different problems arising in group theory.
In recent years, not only due to the advent of quantum computation, significant efforts have been made to identify new mathematical platforms for implementing cryptographic schemes. One of the explored candidate platforms is the theory of finitely presented groups, where, in particular, a number of works on key establishment have been published. The first constructions in this direction where published about twenty years ago [1,2,3], and different approaches towards secure constructions have been explored regularly, such as [4,5,6,7,8,9], and the more recently [10]. Unfortunately, most of the proposed protocols have not been analyzed in a modern cryptographic security model (like [11,12,13,14,15,16]), and only few group-theoretic constructions with a rigorous security analysis seem to be known. This lack of formalism has resulted in weaknesses being overlooked (see, for instance, [17]).
One approach to facilitate the synergy between group-theoretic and cryptographic tools is the identification of general constructions that under suitable group-theoretic conditions yield an (efficient) cryptographic scheme with provable security guarantees. As examples for research along this line of thought, proposals for constructing IND-CCA secure asymmetric encryption schemes can be mentioned [18,19]. Also, constructions for building provably secure group key establishment schemes have been proposed (cf. [20,21]), but identifying practical non-abelian instances still appears to be a challenging problem. In this contribution, we build on [21], and try to extend and simplify their approach in the following sense:
  • Instead of the random oracle model, we use the common reference string model. An (expected) price we pay for this, is the need of a decisional assumption instead of a computational one that is used in [21].
  • Instead of setting out for a group key establishment directly, we suggest a construction for the two-party case and thereafter apply a protocol compiler of Abdalla et al. [22].
In terms of round complexity, we lose some efficiency through the modular design approach we chose. On the other hand, this modular design approach illustrates how an integration of group-theoretic and cryptographic tools can look like. Moreover, we obtain a comparatively clear group-theoretic condition which hopefully stimulates further research on finding concrete non-abelian instances. Concrete examples of our protocol can be derived from a decision Diffie–Hellman assumption, but we hope that in subsequent work also concrete non-abelian instances can be identified.

2. Preliminaries: Security Model and Protocol Goals

To explore the security of our protocol, we adopt the model used by Abdalla et al. [22], which can be traced back to [23,24,25,26,27]. Both to formulate our two-party solution and to use the “2-to-n compiler” from [22], we assume a common reference string (CRS) to be available that encodes the following information:
  • Two values v 0 , v 1 . These will be the input for a pseudorandom function at the time of computing the session identifier and session key;
  • The information necessary to implement a non-interactive and non-malleable commitment scheme (see Section 3.1 for further details);
  • Two elements, chosen independently and uniformly at random, each taken from a family of universal hash functions (one as needed for the compiler in [22] and one for our two-party solution as detailed in Section 3.1).
This is similar to the constructions for password-authenticated key establishment in [24,27].

2.1. Communication Model and Adversarial Capabilities

As usual, we model protocol participants as probabilistic polynomial time (ppt) Turing machines (all our proofs hold for both uniform and non-uniform machines). We denote by P the total set of users which is assumed to be of polynomial size and by U = { U 0 , , U n 1 } P the set of protocol participants. To enable authentication among the protocol participants, we assume that an existentially unforgeable signature scheme is available with all signing keys being chosen independently in a trusted initialization phase. The verification keys are assumed to be distributed in a trusted initialization phase, prior to the protocol execution.

2.1.1. Protocol Instances

We allow each protocol participant U i U to execute polynomially many protocols instances in parallel. Each single instance Π i s i may be understood as a process executed by participant U i . We will denote by Π i s i ( s i N ) the s i t h instance of user U i U , and the following seven variables are assigned to each instance:
used i s i
will indicate whether this instance is or has been used for a protocol run. The used i s i flag is set through a protocol message received by the corresponding instance due to a call to the Send oracle (see below);
state i s i
stores the state information needed during the protocol execution;
term i s i
indicates if the execution has terminated;
sid i s i
denotes a session identifier (which may be public) which may be later use as identifier for the session key sk i s i (in particular, the adversary is thus allowed to learn session identifiers);
pid i s i
stores the user identities that Π i s i aims at establishing a key with. This set includes U i himself;
acc i s i
indicates that the protocol instance completed a protocol successfully. That is, whether the involved user accepted the session key or not;
sk i s i
stores a distinguished null value in the beginning. After a session key is accepted by Π i s i , this session key replaces the null value.
We refer to a paper of Bellare et al. [14] for more details on the usage of these variables.

2.1.2. Communication Network

The network is considered to be fully asynchronous and under complete control of the adversary. Arbitrary point-to-point connections among users are available, but the adversary may delay, eavesdrop, insert, and delete messages at will.

2.1.3. Adversarial Capabilities

We restrict to adversaries A running in probabilistic polynomial time, whose capabilities are made explicit through the four oracles listed below. These oracles formalize the interaction between A and the protocol instances run by the users. For the description of the Test oracle, we denote by b a bit that is chosen uniformly at random.
Send(Ui, si, M)
This oracle sends a message M to instance Π i s i and returns the message generated by this instance. In case the instance Π i s i is previously unused and the message M P contains a set of user identities, the used i s i -flag is set, pid i s i initialized with pid i s i : = { U i } M . Π i s i initiates the protocol with the first message which is returned.
Reveal(Ui, si)
This outputs the computed key of the instance stored in sk i s i .
Test(Ui, si)
If the corresponding session key is defined (i. e., acc i s i = true and sk i s i null) and instance Π i s i is fresh (see Definition 4), A can execute this oracle query at any time when being activated. Then, if b = 0 the session key sk i s i is returned, while if b = 1 a uniformly chosen random session key is returned. An arbitrary number of Test queries is allowed for the adversary A , but once the Test oracle returned a value for an instance Π i s i , the same value will be returned for all instances partnered with Π i s i (see Definition 3).
This oracle models forward secrecy, as this query will output the secret signing key of user U i .

2.2. Goals of a Key Establishment Protocol: Correctness, Integrity, and Security

We assume that an instance Π i s i always accepts the session key constructed at the end of a protocol run if no deviation from the protocol specification has occurred. The subsequent definition of correctness captures the protocol goal that, if the adversary is passive, all users involved in the same protocol session should come up with the same session key. By A being passive, we mean that A must not use the Corrupt oracle, and may query the Send oracle for the purpose of executing honest protocol executions only.
Definition 1
(Correctness). A group key establishment protocol P is correct , if in the presence of a passive adversary A the following holds: for all i , j with both sid i s i = sid j s j and acc i s i = acc j s j = true , we have sk i s i = sk j s j null and pid i s i = pid j s j .
Unlike correctness, the concept of integrity imposes no restrictions on the adversary’s behavior:
Definition 2
(Key Integrity). A correct group key establishment protocol fulfills key integrity, if all instances of users that have accepted with the same session identifier sid j s j hold with overwhelming probability identical session keys sk j s j and identical partner identifiers pid j s j .
Finally, for defining security, we detail our interpretation of partnering and freshness:
Definition 3
(Partnering). Instances Π i s i and Π j s j are partnered if pid i s i = pid j s j , sid i s i = sid j s j , and acc i s i = acc j s j = true .
The idea of freshness is to characterize those instances where the adversary does not know the secret session key for trivial reasons. In particular, note that after revealing a session key from instance Π i s i , the session keys of all instances partnered with Π i s i are known, too:
Definition 4
(Freshness). An instance Π i s i is called fresh provided that none of the following condition holds:
  • For some U j pid i s i a query Corrupt ( U j ) was executed before a query of the form Send ( U k , s k , ) has taken place where U k pid i s i .
  • The adversary queried Reveal ( U j , s j ) with Π i s i and Π j s j being partnered.
Now the advantage Adv A ( ) of a probabilistic polynomial time adversary A in attacking a key establishment protocol P is the function
Adv A : = | 2 · Succ A 1 |
in the security parameter . Here, Succ A denotes the probability that A queries Test only on fresh instances and correctly outputs the bit b used by the Test oracle while preserving the freshness of all instances queried to Test .
Definition 5.
We say that an authenticated group key establishment protocol P is secure , if the following inequality holds for every probabilistic polynomial time adversary A some negligible function negl ( ) in the security parameter ℓ: Adv A ( ) negl ( )
As in [22], our security definition above implies forward secrecy. Specifically, our freshness definition (Definition 4) allows Test queries to an instances, for which the long term secret key has been revealed by a Corrupt query (or is partnered with a instance that has be queried Corrupt ) as long as the adversary has not asked a Send query to any of these instances (or their partners) after the Corrupt query.

3. Building on a Group-Theoretic Assumption

As already indicated, we construct our group key establishment protocol in two steps: In Section 3.1 we describe a two-party solution, which subsequently is lifted to an n-party solution by means of the protocol compiler in [22].

3.1. A Two-Party Solution

On the cryptographic side, our two-party solution mainly builds on three technical tools:
  • A non-interactive non-malleable commitment scheme C , satisfying the following requirements:
    It is perfectly binding in the sense that every commitment can be decommitted to at most one value.
    It is non-malleable for multiple commitments. This means that an adversary who knows commitments to a polynomial sized set of values ν , will not be able to output commitments to a polynomial sized set of values β related to ν in a meaningful way. It is well-known that in the CRS model such a commitment scheme can be implemented by means of any IND-CCA2 secure public key encryption scheme, for instance.
  • A family of universal hash functions U H mapping triples consisting of two elements from G and a pid i s i -value onto a superpolynomial sized set { 0 , 1 } L . A universal hash function UH will be selected by the CRS from this family.
  • A collision-resistant pseudorandom function family F = { F } N (see Katz and Shin [28]). We assume F = { F η } η { 0 , 1 } L to be indexed by { 0 , 1 } L and further denote by v 0 = v 0 ( ) a publicly known value such that no ppt adversary can find two different indices λ λ { 0 , 1 } L such that F λ ( v 0 ) = F λ ( v 0 ) . We further use another public value v 1 , fulfilling the same requirement as v 0 for deriving the session key (this can also be included in the CRS—see [28] for more details).
Our protocol builds on [21], and for the security proof we have to assume that the underlying group G (respectively, the family of groups G = G ( ) , indexed by the security parameter) satisfies a number of conditions. Besides assuming products and inverses of group elements to be computable by efficient (ppt) algorithms, we further assume G to have a ppt computable canonical representation of elements. The latter allows us to identify group elements with their canonical representation. Furthermore, as in [21], we need three algorithms to perform the computations occurring in a protocol execution:
  • DomPar , the domain parameter generation algorithm, is a (stateless) ppt algorithm that, upon input of the security parameter 1 , outputs a finite sequence S of elements in G. The subgroup of G spanned by S, S , will be publicly known. Note that, for the special case of applying our framework to a DDH-assumption, S specifies a public generator of a cyclic group.
  • SamAut , the automorphism group sampling algorithm, is a (stateless) ppt algorithm that, upon input of the security parameter 1 and a sequence S output by DomPar , returns a description of an automorphism ϕ on the subgroup S , so that both ϕ and ϕ - 1 can be efficiently evaluated. For example, for a cyclic group, ϕ could be given as an exponent, or for an inner automorphism the conjugating group element could be specified.
  • SamSub , the subgroup sampling algorithm, is a (stateless) ppt that, upon input of the security parameter 1 and a sequence S output by DomPar , returns a word x ( S ) representing an element x S . Intuitively, SamSub chooses a random x S , so that it is hard to recognize x if we know elements of x’s orbit under Aut ( S ) . Thus, our protocol requires an explicit representation of x in terms of the generators S.
With this notation, we can now define a decision problem, whose supposed difficulty will be essential for our security proof. As usual, with the notation o A ( i ) we describe that algorithm A upon receiving input i outputs o:
Definition 6
(Decision Automorphism Application). Suppose that we have fixed a quadruple ( G , DomPar , SamAut , SamSub ) . Then the decision automorphism application (DAA) assumption states that for all ppt algorithms A the advantage function Adv A DAA = Adv A DAA ( ) : =
Pr A ( S , x , ( ϕ i ( S ) , ϕ i ( x ) ) i = 1 , 2 ) = 0 S DomPar ( 1 ) , x SamSub ( 1 , S ) , ( ϕ i SamAut ( 1 , S ) ) i = 1 , 2 Pr A ( S , r , ( ϕ i ( S ) , ϕ i ( x ) ) i = 1 , 2 ) = 0 S DomPar ( 1 ) , x SamSub ( 1 , S ) , ( ϕ i SamAut ( 1 , S ) ) i = 1 , 2 , r SamSub ( 1 , S )
is negligible.
Example 1
(Building on decision Diffie–Hellman). Let G be a finite cyclic group and S : = g a prime order subgroup with generator g of order q. If we let SubSam choose uniformly at random an exponent x { 1 , , q 1 } and SamAut uniformly at a random exponent ϕ { 1 , , q 1 } , then the DAA problem just described can be recognized as polynomial-time equivalent to a decision Diffie–Hellman (DDH) problem:
“DDH solutionDAA solution”:
When facing, the DAA problem, we obtain as input a tuple ( g , g y , ( g ϕ i , g x ϕ i ) i = 1 , 2 ) where either y = x , or y has been chosen uniformly at random from { 1 , , q 1 } —independently of x and the ϕ i s. Given a DDH oracle, we just query it with ( g , g y , g ϕ 1 , g x ϕ 1 ) to see with non-negligible success probability which is the case.
“DDH solutionDAA solution”:
When facing the DDH problem, we obtain as input a tuple ( g , g ϕ 1 , g x , g y ) , where either y = ϕ 1 x mod q , or y has been chosen uniformly at random from { 1 , , q 1 } —independently of x and ϕ 1 . Choosing another random ϕ 2 { 1 , , q 1 } , we can compute the input
( g ϕ 1 , g y , ( ( g = ( g ϕ 1 ) ϕ 1 1 , g x = ( g ϕ 1 x ) ϕ 1 1 ) , ( g ϕ 2 = ( g ϕ 1 ) ϕ 1 1 ϕ 2 , ( g x ) ϕ 2 = ( g ϕ 1 x ) ϕ 1 1 ϕ 2 ) )
needed for a DAA attacker. Running a successful DAA attacker with this input, we immediately obtain the desired DDH attacker.
A two-party key establishment protocol building on the DAA assumption is presented in Figure 1. The figure describes the operations to be performed by instance Π i s i of U i . For the sake of readability we name the users trying to establish a common key as U 0 and U 1 , and here, as in the sequel, we often omit making explicit the identifiers s i of the instances Π i s i involved in the protocol execution and just write sid i instead of sid i s i , for instance. The common reference string is denoted by ρ , and for a commitment to a value x involving random choices r we write C ρ ( x ; r ) . Finally, S denotes the subgroup generators which are to be fixed prior to the protocol execution by means of DomPar (and may also be included in the CRS ρ ).
In the subsequent section we prove the following result:
Proposition 1
(Security of the Two-Party Protocol). Assume that for each ppt time algorithm A , its advantage Adv A Sig of achieving an existential forgery under the adaptive chosen-message attack for the underlying signature scheme, and Adv A DAA , its advantage of solving DAA, can be bounded by a negligible function (in ℓ). Then the protocol in Figure 1 is a correct and secure two-party key establishment protocol fulfilling key integrity.
In Figure 2, we describe the group key establishment protocol obtained from a given two party group key establishment protocol 2 - AKE via the compiler from [22]. We note here that given the result of Proposition 1, we can apply [22, Theorem 1] (which, as noted by Nam et al. in [29] is only valid if the underlying two party construction fulfills integrity) to obtain our desired security result:
Corollary 1
(Security of the n-Party Protocol). Denoting the two-party key establishment protocol in Figure 1 by 2 - AKE , the protocol described in Figure 2 is a secure group key establishment fulfilling key integrity.

3.2. Security Analysis for the Two-Party Case: Proof of Proposition 1

Correctness and Integrity. Due to the collision-resistance of the family F , all oracles that accept with identical session identifier use the same index value UH ( K ) and therewith also obtain the same session key and have identical pid i -values with overwhelming probability.
Security. Let q s and q t denote the (polynomially bounded) number of adversarial queries to the Send and Test oracle, respectively.
We consider a simulator simulating all oracles and instances for the adversary. The proof is thus set up following a sequence of experiments or games, where from game to game the simulator’s behavior deviates from the previous in a certain controlled way. We follow standard notation and we denote by Adv ( A , G i ) the advantage of the adversary when confronted with Game i and by Succ ( A , G i ) the success probability of A winning in Game i. As usual, the security parameter will be denoted denoted by .
Game 0. All oracles are simulated as defined in the model. Thus, Adv ( A , G 0 ) is exactly Adv A and Succ ( A , G 0 ) is the probability of violating the security of our key exchange protocol.
Game 1. In this game, the simulator keeps a list with entries ( i , M , σ M ) for every message M and corresponding signature σ M he has produced and returned to the adversary A in a Round 2 message following a Send query.
By Forge we denote the event that A queries the Send oracle with a message M containing a valid signature σ M of an uncorrupted principal U i and with ( i , M , σ M ) not being contained in the simulator’s list. If the event Forge occurs, we abort the simulation and take the adversary A for being successful in breaking the security of the protocol. Thus,
| Succ ( A , G 1 ) Succ ( A , G 0 ) | P ( Forge )
Lemma 1.
If the signature scheme used in the above protocol is existentially unforgeable under adaptive chosen-message attacks, then P ( Forge ) is negligible: P ( Forge ) | P | · Adv A Sig .
Any ppt adversary A provoking the event Forge can be turned into an attacker against the underlying signature scheme by means of our simulator: The simulator obtains the public verification key P K and access to a signing oracle. In the initialization phase of the protocol, the simulator assigns the key P K uniformly at random to one of the at most | P | users the adversary can involve. Whenever during the subsequent simulation a signature for this user has to be generated, the simulator queries the signing oracle.
If A comes up with a message/signature pair that is not stored in the simulator’s list, the simulator returns this message as existential forgery. If A does not come up with such a message, the simulator outputs ⊥. Having chosen the party U i uniformly at random, the simulator’s success probability for an existential forgery is at least 1 / | P | · P ( Forge ) , and we get P ( Forge ) | P | · Adv A Sig . □
Thus, from Equation (1), we get
| Adv ( A , G 1 ) Adv ( A , G 0 ) | negl ( )
Game 2. Now the simulation of the Test oracle is modified, so that, on input of a fresh instance, it will always output an element selected uniformly at random in the key space. Thus, Adv ( A , G 2 ) = 0 .
Suppose that A is able to distinguish between Game 2 and Game 1. We construct an attacker D, that breaks the DAA assumption and uses A as a black-box. The attacker D will start by setting up the instances with key pairs for the signature scheme and receive a DAA-instance as a challenge. Further, D will choose an index a { 1 , , q t } uniformly at random and select two values u , v { 1 , , q s } chosen independently and uniformly at random subject to the condition u v . Then the adversary A is started. D will simulate the model as in Game 1 except for the u th and v th instance activated by the adversary A and the answers to the Test query. For the u th and v th instances activated by A , the messages will be constructed from the DAA challenge. If these two instances do not end up in the same session, D aborts the simulation and starts anew. The same happens, if A does not query his a th Test query to one of these two instances.
D will simulate the Test oracle as follows: The first a 1 queries of Test will be answered with the real session key, in the a th query, D will return the challenge, and from query a + 1 on, D will always answer with a random element.
By a standard hybrid argument, D will win the challenge in 1 / q t of the cases where A distinguished Game 1 and Game 2. Excluding the necessary aborts (namely, if the instances that were chosen were not those used in the a th query of Test ), we have:
| Adv ( A , G 2 ) Adv ( A , G 1 ) | q s 2 q t Adv DAA
Combining Equations (2) and (3) yields the desired negligible upper bound for Adv A .

4. Conclusions

Our discussion evidences the possibility of meaningfully integrating tools from group theory and cryptography. Unfortunately, so far we cannot provide a concrete non-abelian example, but a concrete instance of our protocol can be derived by means of the decision Diffie–Hellman assumption. We hope, however, that the modular approach taken above facilitates the design of group key establishment schemes building on group-theoretic tools and fertilizes the exchange of ideas between group theory and cryptography.

Author Contributions

All authors contributed equally to this paper, and were cooperatively involved in conceptualization, investigation, formal analysis and writing. All authors have read and agreed to the published version of the manuscript.


This research was sponsored in part by the NATO Science for Peace and Security Programme under grant G5448 and in part by Spanish MINECO under grant MTM2016-77213-R.


This paper was written in grateful memory of our advisor and friend Thomas Beth.

Conflicts of Interest

The authors declare no conflict of interest.


  1. Anshel, I.; Anshel, M.; Goldfeld, D. An Algebraic Method for Public-Key Cryptography. Math. Res. Lett. 1999, 6, 287–291. [Google Scholar] [CrossRef]
  2. Ko, K.H.; Lee, S.J.; Cheon, J.H.; Han, J.W.; Kang, J.S.; Park, C. New Public-Key Cryptosystem Using Braid Groups. In Proceedings of the Advances in Cryptology—CRYPTO 2000, Santa Barbara, CA, USA, 20–24 August 2000; pp. 166–183. [Google Scholar]
  3. Anshel, I.; Anshel, M.; Fisher, B.; Goldfeld, D. New Key Agreement Protocols in Braid Group Cryptography. In Proceedings of the Topics in Cryptology—CT-RSA 2001, San Francisco, CA, USA, 8–12 April 2001; pp. 13–27. [Google Scholar]
  4. Grigoriev, D.; Ponomarenko, I. Constructions in public-key cryptography over matrix groups. In Contemporary Mathematics: Algebraic Methods in Cryptography; American Mathematical Society: Providence, RI, USA, 2006; Volume 418, pp. 103–119. [Google Scholar]
  5. Lee, H.K.; Lee, H.S.; Lee, Y.R. An Authenticated Group Key Agreement Protocol on Braid groups. Cryptology ePrint Archive: Report 2003/018. 2003. Available online: (accessed on 1 December 2019).
  6. Shpilrain, V.; Ushakov, A. Thompson’s Group and Public Key Cryptography. In Proceedings of the ACNS 2005—Third International Conference on Applied Cryptography and Network Security, New York, NY, USA, 7–10 June 2005; Volume 3531, pp. 151–163. [Google Scholar]
  7. Shpilrain, V.; Zapata, G. Combinatorial group theory and public key cryptography. Appl. Algebra Eng. Commun. Comput. 2006, 17, 291–302. [Google Scholar] [CrossRef]
  8. Shpilrain, V.; Ushakov, A. A new key exchange protocol based on the decomposition problem. In Contemporary Mathematics: Algebraic Methods in Cryptography; American Mathematical Society: Providence, RI, USA, 2006; Volume 418, pp. 161–167. [Google Scholar]
  9. Anshel, I.; Anshel, M.; Goldfeld, D.; Lemieux, S. Key agreement, the Algebraic EraserTM, and lightweight cryptography. In Contemporary Mathematics: Algebraic Methods in Cryptography; American Mathematical Society: Providence, RI, USA, 2006; Volume 418, pp. 1–34. [Google Scholar] [CrossRef]
  10. Anshel, I.; Atkins, D.; Goldfeld, D.; Gunnells, P.E. Ironwood Meta Key Agreement and Authentication Protocol. arXiv 2017, arXiv:1702.02450. [Google Scholar]
  11. Bellare, M.; Rogaway, P. Entitiy Authentication and Key Distribution. In Proceedings of the CRYPTO 1993—13th Annual International Cryptology Conference on Advances in Cryptology, Santa Barbara, CA, USA, 22–26 August 1993; Volume 773, pp. 232–249. [Google Scholar]
  12. Bellare, M.; Canetti, R.; Krawczyk, H. A Modular Approach to the Design and Analysis of Authentication and Key Exchange Protocols. In Proceedings of the 30th Annual ACM Symposium on Theory of Computing STOC, Dallas, TX, USA, 24–26 May 1998; pp. 319–428. [Google Scholar]
  13. Shoup, V. On Formal Models for Secure Key Exchange (Version 4). Revision of IBM Research Report RZ 3120 (April 1999). 1999. Available online: (accessed on 1 December 2019).
  14. Bellare, M.; Pointcheval, D.; Rogaway, P. Authenticated Key Exchange Secure Against Dictionary Attacks. In Proceedings of the EUROCRYPT 2000—Advances in Cryptology, Bruges, Belgium, 14–18 May 2000; Volume 1807, pp. 139–155. [Google Scholar]
  15. Bresson, E.; Chevassut, O.; Pointcheval, D.; Quisquater, J.J. Provably Authenticated Group Diffie–Hellman Key Exchange. In Proceedings of the 8th ACM Conference on Computer and Communications Security; Samarati, P., Ed.; ACM Press: New York, NY, USA, 2001; pp. 255–264. [Google Scholar]
  16. Canetti, R.; Krawczyk, H. Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels. In Advances in Cryptology—EUROCRYPT 2001; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2001; Volume 2045, pp. 453–474. [Google Scholar]
  17. Ben-Zvi, A.; Blackburn, S.R.; Tsaban, B. A Practical Cryptanalysis of the Algebraic Eraser. In Advances in Cryptology—CRYPTO 2016 Proceedings, Part I; Lecture Notes in Computer Science; Robshaw, M., Katz, J., Eds.; Springer: Berlin/Heidelberg, Germany, 2016; Volume 9814, pp. 179–189. [Google Scholar]
  18. Cramer, R.; Shoup, V. Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption. In Advances in Cryptology—EUROCRYPT 2002; Lecture Notes in Computer Science; Knudsen, L., Ed.; Springer: Berlin/Heidelberg, Germany, 2002; Volume 2332, pp. 45–64. [Google Scholar]
  19. González Vasco, M.I.; Martínez, C.; Steinwandt, R.; Villar, J.L. A new Cramer-Shoup like methodology for group based provably secure schemes. In Proceedings of the 2nd Theory of Cryptography Conference (TCC 2005); Lecture Notes in Computer Science; Kilian, J., Ed.; Springer: Berlin/Heidelberg, Germany, 2005; Volume 3378, pp. 495–509. [Google Scholar]
  20. Catalano, D.; Pointcheval, D.; Pornin, T. IPAKE: Isomorphisms for Password-based Authenticated Key Exchange. In Advances in Cryptology—CRYPTO 2004; Lecture Notes in Computer Science; Franklin, M.K., Ed.; Springer: Berlin/Heidelberg, Germany, 2004; Volume 3152, pp. 477–493. [Google Scholar]
  21. Bohli, J.M.; Glas, B.; Steinwandt, R. Towards Provably Secure Group Key Agreement Building on Group Theory. In Proceedings of VietCrypt 2006; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2006; Volume 4341, pp. 322–336. [Google Scholar]
  22. Abdalla, M.; Bohli, J.; González Vasco, M.I.; Steinwandt, R. (Password) Authenticated Key Establishment: From 2-Party to Group. In Proceedings of the 4th Theory of Cryptography Conference TCC 2007; Lecture Notes in Computer Science; Vadhan, S.P., Ed.; Springer: Berlin/Heidelberg, Germany, 2007; Volume 4392, pp. 499–514. [Google Scholar]
  23. Burmester, M.; Desmedt, Y. A Secure and Efficient Conference Key Distribution System. In Advances in Cryptology—EUROCRYPT’94; Lecture Notes in Computer Science; Santis, A.D., Ed.; Springer: Berlin/Heidelberg, Germany, 1995; Volume 950, pp. 275–286. [Google Scholar]
  24. Gennaro, R.; Lindell, Y. A Framework for Password-Based Authenticated Key Exchange. Cryptology ePrint Archive: Report 2003/032. 2003. Available online: (accessed on 1 December 2019).
  25. Gennaro, R.; Lindell, Y. A Framework for Password-Based Authenticated Key Exchange (Extended Abstract). In Advances in Cryptology—EUROCRYPT 2003; Lecture Notes in Computer Science; Biham, E., Ed.; Springer: Berlin/Heidelberg, Germany, 2003; Volume 2656, pp. 524–543. [Google Scholar]
  26. Bohli, J.M.; González Vasco, M.I.; Steinwandt, R. Secure group key establishment revisited. Int. J. Inf. Secur. 2007, 6, 243–254. [Google Scholar] [CrossRef]
  27. Bohli, J.M.; González Vasco, M.I.; Steinwandt, R. Password-authenticated group key establishment from smooth projective hash functions. Int. J. Appl. Math. Comput. Sci. 2019, 29, 797–815. Available online: (accessed on 1 December 2019). [CrossRef]
  28. Katz, J.; Shin, J.S. Modeling insider attacks on group key-exchange protocols. In Proceedings of the 12th ACM Conference on Computer and Communications Security (CCS 2005); Atluri, V., Meadows, C.A., Juels, A., Eds.; ACM: New York, NY, USA, 2005; pp. 180–189. Available online: (accessed on 1 December 2019).
  29. Nam, J.; Paik, J.; Won, D. A security weakness in Abdalla et al.’s generic construction of a group key exchange protocol. Inf. Sci. 2011, 181, 234–238. [Google Scholar] [CrossRef]
Figure 1. A two-party key establishment protocol in the common reference string (CRS) model.
Figure 1. A two-party key establishment protocol in the common reference string (CRS) model.
Symmetry 12 00197 g001
Figure 2. The protocol compiler from [22].
Figure 2. The protocol compiler from [22].
Symmetry 12 00197 g002
Back to TopTop