# Cryptanalysis of a Group Key Establishment Protocol


*Keywords:* cryptanalysis; group key establishment


School of Computing and Mathematics, Ulster University, Belfast BT37 0QB, UK

Department of Mathematical Sciences, Universidad de León, 24071 León, Spain

Author to whom correspondence should be addressed.

These authors contributed equally to this work.

Academic Editors: Juan Alberto Rodríguez Velázquez and Alejandro Estrada-Moreno

Received: 20 January 2021 / Revised: 7 February 2021 / Accepted: 9 February 2021 / Published: 17 February 2021

(This article belongs to the Special Issue Theoretical Computer Science and Discrete Mathematics)

## Abstract

In this paper, we analyze the security of a group key establishment scheme proposed by López-Ramos et al. This proposal aims at allowing a group of users to agree on a common key. We present several attacks against the security of the proposed protocol. In particular, an active attack is presented, and we also prove that the protocol does not provide forward secrecy.

## 1. Introduction

Secure multiparty communication is an important concern for many current applications that work over public, insecure channels such as the Internet. Wireless sensor networks, collaborative applications, multiparty voice and video conferences, etc., need to guarantee confidentiality, integrity and authentication in their communications.

Group key establishment (GKE) protocols are fundamental in that sense. They allow a set of participants to agree on a common secret key to be used afterwards with symmetric key cryptographic primitives.

In some settings all the nodes play an equivalent role, and thus the group protocol is essentially symmetric. In other applications, however, some nodes are distinguished: they can be assumed to have more computational power and resources and are therefore required to perform more of the computation.

Over recent decades, group key establishment protocols have been widely discussed in the literature [1,2,3,4,5,6,7], and formal security models have been proposed, specifying which attacks the adversary can perform and what a secure key establishment protocol is. What is typically required is that, after completion of the protocol, the intended users agree on a common key, whereas the adversary learns nothing about it.

A standard technique to augment the security of a scheme is the use of compilers, which allow a modular design, going from passively secure solutions to authenticated ones [8], from 2-party to group solutions [9], or adding forward secrecy [10].

However, several protocols have been found to be insecure after publication, either because no security proof was provided or because the proof was flawed [11,12,13]. Other protocols were found to be insecure once active attacks were considered [14].

Motivated by the active attack of [14], in this paper we analyze a group key establishment proposal by López-Ramos et al. [15] and present several attacks on the proposed protocols. In particular, we present active attacks against the protocols, proving that they are insecure against active adversaries.

Contributions: We present several concrete attacks showing the security flaws of the protocols proposed in López-Ramos et al. [15]. In Section 2, we review the proposal of López-Ramos et al. Then, in Section 3, we review a standard security model for group key exchange. We present our attacks in Section 4.

## 2. The Protocol of López-Ramos et al.

In this section, we describe Protocol 1 of López-Ramos et al. [15], which can be seen as an extension of the classical 2-party Diffie-Hellman key exchange. Four protocols are presented in [15]; the other three are modifications of this first one. In particular, Protocol 2 computes the same session key, but publishes only one public key and sends a different message in Round 2. Protocol 3 describes the extra steps to be taken if some participants leave the group, and Protocol 4 deals with the case where some users join the group.

- Initialization

Let $\{{U}_{1},\cdots ,{U}_{n}\}$ be the finite set of protocol participants, including ${U}_{{c}_{1}}$, who will act as controller. The users agree on a multiplicative cyclic group G of prime order p and on g, a generator of G.

Each user ${U}_{i},1\le i\le n$ will have two random values, ${r}_{i},{x}_{i}\in {\mathbb{Z}}_{p}^{*}$ as private keys and ${g}^{{r}_{i}}$ and ${g}^{{x}_{i}}$ will be their public keys.

- Round 1

- Each user ${U}_{i}$ publishes his pair of public keys $({g}^{{r}_{i}},{g}^{{x}_{i}})$. (We assume that these keys are sent to the other users over the network, hence the adversary can potentially manipulate them.)
- The group controller calculates ${K}_{1}={g}^{{r}_{{c}_{1}}{\displaystyle \sum _{j=1,j\ne {c}_{1}}^{n}}{r}_{j}}$, which will be the session key.
- The group controller chooses a new pair of elements $({r}_{{c}_{1}}^{\prime},{x}_{{c}_{1}}^{\prime})$ that is kept private and will become his new private information at a later stage.

- Round 2

Every user ${U}_{i}$, using the public information, computes ${g}^{{\sum}_{j\ne i,{c}_{1}}{r}_{j}}$ and sends this value to ${U}_{{c}_{1}}$ (Notice that there is no need to send this information, since this value can be computed from the published public keys).

The group controller ${U}_{{c}_{1}}$, moreover, computes

$${Y}_{1,i}={g}^{-{x}_{{c}_{1}}{x}_{i}}\left({g}^{{r}_{{c}_{1}}{\displaystyle \sum _{j\ne {c}_{1},i}}{r}_{j}}\right)\phantom{\rule{1.em}{0ex}}\mathrm{for}\phantom{\rule{1.em}{0ex}}i\in \{1,\cdots ,n\}\backslash \left\{{c}_{1}\right\}\phantom{\rule{1.em}{0ex}}\mathrm{and}$$

$${Y}_{1,{c}_{1}}={K}_{1}{g}^{-{r}_{{c}_{1}}^{\prime}{r}_{{c}_{1}}}{g}^{-{x}_{{c}_{1}}^{\prime}{x}_{{c}_{1}}},$$

$${R}_{1}={g}^{{r}_{{c}_{1}}}\phantom{\rule{1.em}{0ex}}\mathrm{and}\phantom{\rule{1.em}{0ex}}{S}_{1}={g}^{{x}_{{c}_{1}}}.$$

He broadcasts $({Y}_{1,1},\cdots ,{Y}_{1,{c}_{1}},\cdots ,{Y}_{1,n},{R}_{1},{S}_{1})$

- Key Computation

Once user ${U}_{i}$ has received the second round message, he computes the common session key ${K}_{1}:={K}_{1,i}={Y}_{1,i}{S}_{1}^{{x}_{i}}{R}_{1}^{{r}_{i}}$.

The protocol is summarized in Figure 1.

The subindex 1 in the session key ${K}_{1}$ indicates here that it is the first execution of the protocol. In Protocols 3 and 4 in López-Ramos et al. [15], this subindex changes when the participants involved in the protocol change, i.e., some participants leave or join the protocol, and thus, some extra computations are needed.
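Why every user recovers the controller's key (an added check that is not part of the original description): substituting ${R}_{1}={g}^{{r}_{{c}_{1}}}$ and ${S}_{1}={g}^{{x}_{{c}_{1}}}$ into the key computation of ${U}_{i}$ gives

$${K}_{1,i}={Y}_{1,i}{S}_{1}^{{x}_{i}}{R}_{1}^{{r}_{i}}={g}^{-{x}_{{c}_{1}}{x}_{i}}\,{g}^{{r}_{{c}_{1}}\sum_{j\ne {c}_{1},i}{r}_{j}}\,{g}^{{x}_{{c}_{1}}{x}_{i}}\,{g}^{{r}_{{c}_{1}}{r}_{i}}={g}^{{r}_{{c}_{1}}\sum_{j\ne {c}_{1}}{r}_{j}}={K}_{1}.$$

Two facts exploited by the attacks in Section 4 are visible here: the factor ${g}^{-{x}_{{c}_{1}}{x}_{i}}$ is a Diffie-Hellman mask between the long-term keys ${x}_{{c}_{1}}$ and ${x}_{i}$, so anyone holding ${x}_{i}$, or holding a substitute for ${x}_{{c}_{1}}$ that ${U}_{i}$ has been made to accept, can strip it; and no ephemeral value enters ${K}_{1}$, which depends only on the long-term secrets ${r}_{j}$.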

## 3. Security Model

To formalize secure group key establishment, we use the fairly standard security model of Bohli et al. [5], which builds on that of Katz and Yung [8].

- Participants:

The (potential) protocol participants are modelled as probabilistic polynomial time (ppt) Turing machines in the finite set $\mathcal{U}=\{{U}_{1},\cdots ,{U}_{n}\}$. Each participant ${U}_{i}$ in the set $\mathcal{U}$ is able to run a polynomial amount of protocol instances in parallel.

We will refer to instance ${s}_{i}$ of principal ${U}_{i}$ as ${\Pi}_{i}^{{s}_{i}}$ $({s}_{i}\in \mathbb{N})$, and it has the following variables assigned:

- ${\mathsf{pid}}_{i}^{{s}_{i}}$:
- stores the identities of the parties user ${U}_{i}$ aims at establishing a session key with (including ${U}_{i}$ itself);
- ${\mathsf{sid}}_{i}^{{s}_{i}}$:
- is a variable storing a non-secret session identifier to the session key stored in ${\mathsf{sk}}_{i}^{{s}_{i}}$;
- ${\mathsf{acc}}_{i}^{{s}_{i}}$:
- is a variable which indicates whether the session key in ${\mathsf{sk}}_{i}^{{s}_{i}}$ was accepted;
- ${\mathsf{term}}_{i}^{{s}_{i}}$:
- is a variable which indicates whether the protocol execution has terminated;
- ${\mathsf{used}}_{i}^{{s}_{i}}$:
- is a variable which indicates whether this instance is taking part in a protocol run;
- ${\mathsf{sk}}_{i}^{{s}_{i}}$:
- this variable is initialized with a distinguished null value and will store the session key.

- Communication network and adversarial capabilities:

We assume there exist arbitrary point to point connections among users and the network is non-private, fully asynchronous and in complete control of the adversary $\mathcal{A}$, who can eavesdrop, delay, delete, modify or insert messages. The adversary’s capabilities are captured by the following oracles:

- $\mathsf{Send}({U}_{i},{s}_{i},M):$ when querying this oracle, message M is sent to instance ${\Pi}_{i}^{{s}_{i}}$ of user ${U}_{i}\in \mathcal{U}$. The output will be the protocol message that the instance outputs after receiving message M. This oracle can also be used for the adversary $\mathcal{A}$ to initialize a protocol execution, by using the special message $M=\{{U}_{{i}_{1}},\cdots ,{U}_{{i}_{r}}\}$ to an unused instance ${\Pi}_{i}^{{s}_{i}}$. This oracle initializes a protocol run among ${U}_{{i}_{1}},\cdots ,{U}_{{i}_{r}}\in \mathcal{U}$. After such a query, ${\Pi}_{i}^{{s}_{i}}$ sets ${\mathsf{pid}}_{i}^{{s}_{i}}:=\{{U}_{{i}_{1}},\cdots ,{U}_{{i}_{r}}\}$, ${\mathsf{used}}_{i}^{{s}_{i}}:=\mathsf{TRUE}$, and processes the first step of the protocol.
- $\mathsf{Execute}({U}_{1},{s}_{1},\cdots ,{U}_{r},{s}_{r}):$ if the instances ${s}_{1},\cdots ,{s}_{r}$ have not yet been used, this oracle will return a transcript of a complete execution of the protocol among the specified instances.
- $\mathsf{Reveal}({U}_{i},{s}_{i}):$ this oracle returns the session key stored in ${\mathsf{sk}}_{i}^{{s}_{i}}$ if ${\mathsf{acc}}_{i}^{{s}_{i}}=\mathrm{TRUE}$ and a null value otherwise.
- $\mathsf{Corrupt}\left({U}_{i}\right):$ this query returns ${U}_{i}$’s long term secret key.

We distinguish two types of adversaries. An adversary with access to all the oracles described above is called active. An adversary that is not granted access to the $\mathsf{Send}$ oracle is called passive.

To define semantic security, we also allow the adversary to have access to a $\mathsf{Test}$ oracle, which can be queried only once. The query $\mathsf{Test}({U}_{i},{s}_{i})$ can be made on input an instance ${\Pi}_{i}^{{s}_{i}}$ of user ${U}_{i}\in \mathcal{U}$ only if ${\mathsf{acc}}_{i}^{{s}_{i}}=\mathrm{true}$. In that case, a bit $b\leftarrow \{0,1\}$ is chosen uniformly at random; if $b=0$, the oracle returns the session key stored in ${\mathsf{sk}}_{i}^{{s}_{i}}$. Otherwise, the oracle outputs a uniformly at random chosen element from the space of session keys.

- Security notions:

For the schemes to be useful, we need the group key establishments to be correct, i.e., without adversarial interference, the protocol would allow all users to compute the same key.

(correctness)**.** A group key establishment is correct if for all instances ${\Pi}_{i}^{{s}_{i}}$, ${\Pi}_{j}^{{s}_{j}}$ which accepted with ${\mathsf{sid}}_{i}^{{s}_{i}}={\mathsf{sid}}_{j}^{{s}_{j}}$ and ${\mathsf{pid}}_{i}^{{s}_{i}}={\mathsf{pid}}_{j}^{{s}_{j}}$, the condition ${\mathsf{sk}}_{i}^{{s}_{i}}={\mathsf{sk}}_{j}^{{s}_{j}}\ne \mathrm{NULL}$ is satisfied.

To be more precise in the security definition, it is important to specify under which conditions the adversary can query the Test oracle. To do so, we first define the following notion of partnering:

(partnering)**.** Two terminated instances ${\Pi}_{i}^{{s}_{i}}$ and ${\Pi}_{j}^{{s}_{j}}$ are partnered if ${\mathsf{sid}}_{i}^{{s}_{i}}={\mathsf{sid}}_{j}^{{s}_{j}}$, ${\mathsf{pid}}_{i}^{{s}_{i}}={\mathsf{pid}}_{j}^{{s}_{j}}$ and ${\mathsf{acc}}_{i}^{{s}_{i}}={\mathsf{acc}}_{j}^{{s}_{j}}=\mathrm{TRUE}$.

To avoid queries that would trivially allow the adversary to know the key, we restrict the instances that can be queried to the Test oracle, only allowing fresh instances:

(freshness)**.** We say an instance ${\Pi}_{i}^{{s}_{i}}$ is fresh if none of the following events has occurred:

- the adversary queried $\mathsf{Reveal}({U}_{j},{s}_{j})$ for an instance ${\Pi}_{j}^{{s}_{j}}$ that is partnered with ${\Pi}_{i}^{{s}_{i}}$;
- the adversary queried $\mathsf{Corrupt}\left({U}_{j}\right)$ for a user ${U}_{j}\in {\mathsf{pid}}_{i}^{{s}_{i}}$ before a query of the form $\mathsf{Send}({U}_{l},{s}_{l},*)$ took place.

The previous definition for freshness allows including the desired goal of forward secrecy in our definition of security given below: an adversary $\mathcal{A}$ is allowed to query $\mathsf{Corrupt}$ for all users and obtain their long term keys without violating freshness, if he does not send any message afterwards.

Let ${\mathsf{Succ}}_{\mathcal{A}}$ be the event that the adversary $\mathcal{A}$ queries the $\mathsf{Test}$ oracle with a fresh instance and makes a correct guess about the random bit b used by the $\mathsf{Test}$ oracle. We define the advantage of an adversary $\mathcal{A}$ attacking protocol P as

$${\mathrm{Adv}}_{\mathcal{A}}^{\mathrm{ke}}={\mathrm{Adv}}_{\mathcal{A}}^{\mathrm{ke}}\left(k\right):=\left|\Pr\left[{\mathsf{Succ}}_{\mathcal{A}}\right]-\frac{1}{2}\right|.$$

(semantic security)**.** A group key establishment protocol is (semantically) secure, if ${\mathrm{Adv}}_{\mathcal{A}}^{\mathrm{ke}}={\mathrm{Adv}}_{\mathcal{A}}^{\mathrm{ke}}\left(k\right)$ is negligible for every ppt adversary $\mathcal{A}$.

## 4. Attacks

In this section, we describe several concrete attacks refuting the security claims of López-Ramos et al. [15], where four different, but related, GKE protocols are described. All four protocols are considered in this section; however, we only attack Protocol 1 explicitly, since the attacks on the other three are straightforward adaptations.

### 4.1. Active Attacks

Informally, since the protocol is not authenticated, an adversary can attack it by mounting a man-in-the-middle attack: users end up sharing a key with the adversary instead of with all the intended communication partners. We formalize the attack below.

Let $\{{U}_{1},\dots ,{U}_{n}\}$ be the set of communication parties and let $\mathcal{A}$ be an active attacker able to impersonate some parties of the set. We distinguish two cases: $\mathcal{A}$ shares one key with the group controller ${U}_{{c}_{1}}$ and another with the rest of the users; or $\mathcal{A}$ shares one key with some other party ${U}_{i}$, $i\ne {c}_{1}$, and a different key with the rest, including the controller.

If $\mathcal{A}$ wants to share a different key with the group controller ${U}_{{c}_{1}}$, the adversary can build an attack by following the next steps:

1. The attacker $\mathcal{A}$ initiates a protocol run among ${U}_{1},\dots ,{U}_{n}$ through the $\mathsf{Send}$ oracle (querying $\mathsf{Send}({U}_{i},{s}_{i},\{{U}_{1},\dots ,{U}_{n}\})$ on an unused instance of each user). After these queries, the first step of the protocol is executed; in particular, the adversary obtains every user's pair of public keys $({g}^{{r}_{i}},{g}^{{x}_{i}})$, with ${r}_{i},{x}_{i}\in {\mathbb{Z}}_{p}^{*}$.
2. The adversary $\mathcal{A}$ deletes the message $({g}^{{r}_{{c}_{1}}},{g}^{{x}_{{c}_{1}}})$ sent by the controller ${U}_{{c}_{1}}$ to the rest of the users, and deletes the public keys $({g}^{{r}_{1}},{g}^{{x}_{1}})$ sent by user ${U}_{1}$ to ${U}_{{c}_{1}}$.
3. The adversary $\mathcal{A}$ generates private keys ${a}_{{c}_{1}},{b}_{{c}_{1}}\in {\mathbb{Z}}_{p}^{*}$ with public keys $({g}^{{a}_{{c}_{1}}},{g}^{{b}_{{c}_{1}}})$ and queries $\mathsf{Send}({U}_{i},{s}_{i},({g}^{{a}_{{c}_{1}}},{g}^{{b}_{{c}_{1}}}))$ for all $i\in \{1,\dots ,n\}\backslash \left\{{c}_{1}\right\}$. Likewise, it generates private keys ${a}_{1},{b}_{1}\in {\mathbb{Z}}_{p}^{*}$ with public keys $({g}^{{a}_{1}},{g}^{{b}_{1}})$ and queries $\mathsf{Send}({U}_{{c}_{1}},{s}_{{c}_{1}},({g}^{{a}_{1}},{g}^{{b}_{1}}))$.

Notice that every user ${U}_{i}$, $i\ne 1,{c}_{1}$, after receiving that message, will compute and send the value ${g}^{{\displaystyle \sum _{j=1,j\ne {c}_{1}}^{n}}{r}_{j}}$ and therefore this value will be output by the $\mathsf{Send}$ oracle.

The controller ${U}_{{c}_{1}}$, after receiving that message, will compute and send the value ${g}^{{a}_{1}+{\displaystyle \sum _{j=2,j\ne {c}_{1}}^{n}}{r}_{j}}$ and therefore this value will be output by the $\mathsf{Send}$ oracle.

4. The adversary $\mathcal{A}$ computes the session key ${Q}_{1}={g}^{{a}_{{c}_{1}}\left({\displaystyle \sum _{j=1,j\ne {c}_{1}}^{n}}{r}_{j}\right)}$ (it knows ${a}_{{c}_{1}}$ and every ${g}^{{r}_{j}}$), the values ${T}_{1}={g}^{{a}_{{c}_{1}}}$ and ${V}_{1}={g}^{{b}_{{c}_{1}}}$ and, mimicking the controller's Round 2 with a freshly chosen pair $({a}_{{c}_{1}}^{\prime},{b}_{{c}_{1}}^{\prime})$, the keying values

   $${Z}_{1,i}={g}^{-{b}_{{c}_{1}}{x}_{i}}{g}^{{a}_{{c}_{1}}\left({\displaystyle \sum _{j=1,j\ne {c}_{1},i}^{n}}{r}_{j}\right)},\quad i\ne {c}_{1},$$

   $${Z}_{1,{c}_{1}}={Q}_{1}{g}^{-{a}_{{c}_{1}}^{\prime}{a}_{{c}_{1}}}{g}^{-{b}_{{c}_{1}}^{\prime}{b}_{{c}_{1}}}.$$

5. The adversary $\mathcal{A}$ queries $\mathsf{Send}({U}_{i},{s}_{i},({Z}_{1,1},\cdots ,{Z}_{1,n},{T}_{1},{V}_{1}))$ for all $i\in \{1,\dots ,n\}\backslash \left\{{c}_{1}\right\}$.
6. The controller ${U}_{{c}_{1}}$, following the protocol with the public keys it received (those of ${U}_{1}$ replaced by $({g}^{{a}_{1}},{g}^{{b}_{1}})$), computes the session key ${K}_{1}={g}^{{r}_{{c}_{1}}\left({a}_{1}+{\displaystyle \sum _{j=2,j\ne {c}_{1}}^{n}}{r}_{j}\right)}$, the values ${R}_{1}={g}^{{r}_{{c}_{1}}}$ and ${S}_{1}={g}^{{x}_{{c}_{1}}}$, and the keying values

   $${Y}_{1,1}={g}^{-{x}_{{c}_{1}}{b}_{1}}{g}^{{r}_{{c}_{1}}{\displaystyle \sum _{j=2,j\ne {c}_{1}}^{n}}{r}_{j}},$$

   $${Y}_{1,i}={g}^{-{x}_{{c}_{1}}{x}_{i}}{g}^{{r}_{{c}_{1}}\left({a}_{1}+{\displaystyle \sum _{j=2,j\ne {c}_{1},i}^{n}}{r}_{j}\right)},\quad i\ne 1,{c}_{1},$$

   $${Y}_{1,{c}_{1}}={K}_{1}{g}^{-{r}_{{c}_{1}}^{\prime}{r}_{{c}_{1}}}{g}^{-{x}_{{c}_{1}}^{\prime}{x}_{{c}_{1}}}.$$

   Its broadcast $({Y}_{1,1},\cdots ,{Y}_{1,n},{R}_{1},{S}_{1})$ is the output of the $\mathsf{Send}$ oracle.
7. The adversary $\mathcal{A}$ intercepts this broadcast, so that it never reaches ${U}_{1},\cdots ,{U}_{n}$, and, playing the role of ${U}_{1}$ towards the controller, computes ${K}_{1}={Y}_{1,1}{S}_{1}^{{b}_{1}}{R}_{1}^{{a}_{1}}$.

Please note that, after receiving the message of Step 5, every user ${U}_{i}$, $i\ne {c}_{1}$, following the protocol (with ${T}_{1}$ in the role of ${R}_{1}$ and ${V}_{1}$ in the role of ${S}_{1}$) computes ${Q}_{1,i}={Z}_{1,i}{V}_{1}^{{x}_{i}}{T}_{1}^{{r}_{i}}={g}^{-{b}_{{c}_{1}}{x}_{i}}{g}^{{a}_{{c}_{1}}{\sum}_{j\ne {c}_{1},i}{r}_{j}}{g}^{{b}_{{c}_{1}}{x}_{i}}{g}^{{a}_{{c}_{1}}{r}_{i}}={Q}_{1}$.

On the other hand, the group controller ${U}_{{c}_{1}}$ holds ${K}_{1}$, and the adversary obtains the same value from ${Y}_{1,1}$, since ${Y}_{1,1}{S}_{1}^{{b}_{1}}{R}_{1}^{{a}_{1}}={g}^{-{x}_{{c}_{1}}{b}_{1}}{g}^{{r}_{{c}_{1}}{\sum}_{j=2,j\ne {c}_{1}}{r}_{j}}{g}^{{x}_{{c}_{1}}{b}_{1}}{g}^{{r}_{{c}_{1}}{a}_{1}}={K}_{1}$.

Therefore, after this attack, the adversary has established a shared key ${Q}_{1}$ with the set of parties $\{{U}_{1},\cdots ,{U}_{n}\}\backslash \left\{{U}_{{c}_{1}}\right\}$ and the key ${K}_{1}$ with the group controller ${U}_{{c}_{1}}$, where

$${Q}_{1}={g}^{{a}_{{c}_{1}}{\displaystyle \sum _{j=1,j\ne {c}_{1}}^{n}}{r}_{j}}\quad \mathrm{and}\quad {K}_{1}={g}^{{r}_{{c}_{1}}\left({a}_{1}+{\displaystyle \sum _{j=2,j\ne {c}_{1}}^{n}}{r}_{j}\right)}.$$

Consequently, all the users will believe they are establishing a common key when they are not. Moreover, the adversary can decrypt the messages sent encrypted with both keys and forward the communication between the users that do not share a key.

This attack is outlined in Figure 2.
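The following Python script is an added example; it is not code from this paper or from López-Ramos et al. It implements Protocol 1 as summarised in Section 2 (the controller's rounds and the users' key computation) over a constructed, toy-sized prime-order group (P = 1019, Q = 509, g = 4, far too small to be secure and chosen only so that the arithmetic is easy to follow), checks that an undisturbed run gives every party the same key, and then replays the first case of the attack above: the adversary substitutes the controller's public keys towards the users and U_1's public keys towards the controller, runs the controller's Round 2 with its own secrets (a_{c_1}, b_{c_1}) to obtain Q_1, and recovers the controller's K_1 from Y_{1,1} using (a_1, b_1). The function names, the dictionary-based message encoding and the use of Python's `random` module (not a cryptographic RNG) are assumptions of this example.

```python
"""Protocol 1 of López-Ramos et al., as summarised in Section 2, and the first
man-in-the-middle case above, simulated over a toy prime-order group.

Added example; not code from the paper or from López-Ramos et al.  The group
parameters are CONSTRUCTED for illustration and far too small to be secure.
Requires Python 3.8+ (negative exponents in pow() give modular inverses)."""
import random

P = 1019   # safe prime, P = 2*Q + 1 (toy size; an assumption of this example)
Q = 509    # prime order of the subgroup generated by G
G = 4      # quadratic residue mod P, hence of order Q


def keygen(rng):
    """Long-term secrets (r, x) in Z_Q^* and public keys (g^r, g^x)."""
    r, x = rng.randrange(1, Q), rng.randrange(1, Q)
    return (r, x), (pow(G, r, P), pow(G, x, P))


def controller_round2(c, priv, pubs, rng):
    """Rounds 1-2 of the controller U_c.

    pubs[i] = (g^{r_i}, g^{x_i}) as RECEIVED by the controller (an active
    adversary may have replaced some of them); priv = (r_c, x_c).
    Returns the session key K and the broadcast (Y, R, S).
    """
    r_c, x_c = priv
    others = [i for i in pubs if i != c]
    prod = 1                                   # g^{sum_{j != c} r_j}
    for j in others:
        prod = prod * pubs[j][0] % P
    K = pow(prod, r_c, P)                      # K = g^{r_c * sum_{j != c} r_j}
    Y = {}
    for i in others:
        g_ri, g_xi = pubs[i]
        prod_wo_i = prod * pow(g_ri, -1, P) % P          # drop g^{r_i}
        # Y_i = g^{-x_c x_i} * g^{r_c * sum_{j != c, i} r_j}
        Y[i] = pow(g_xi, -x_c, P) * pow(prod_wo_i, r_c, P) % P
    # Controller's own entry, masked with its next key pair (r'_c, x'_c).
    r_new, x_new = rng.randrange(1, Q), rng.randrange(1, Q)
    Y[c] = K * pow(G, -(r_new * r_c), P) * pow(G, -(x_new * x_c), P) % P
    return K, Y, pow(G, r_c, P), pow(G, x_c, P)


def user_key(i, priv, Y, R, S):
    """Key computation of U_i: K_i = Y_i * S^{x_i} * R^{r_i}."""
    r_i, x_i = priv
    return Y[i] * pow(S, x_i, P) * pow(R, r_i, P) % P


def honest_run(n, c, rng):
    """Undisturbed execution among U_1..U_n with controller U_c."""
    privs, pubs = {}, {}
    for i in range(1, n + 1):
        privs[i], pubs[i] = keygen(rng)
    K, Y, R, S = controller_round2(c, privs[c], pubs, rng)
    keys = {i: user_key(i, privs[i], Y, R, S) for i in pubs if i != c}
    keys[c] = K
    return keys, privs


def mitm_case1(n, c, rng):
    """Case 1 above (c != 1): A impersonates U_c towards U_1..U_n and U_1
    towards U_c, ending with key Q1 shared with the users and K1 with U_c."""
    assert c != 1
    privs, pubs = {}, {}
    for i in range(1, n + 1):
        privs[i], pubs[i] = keygen(rng)
    adv_c, adv_pub_c = keygen(rng)      # (a_c, b_c): fake controller keys
    adv_1, adv_pub_1 = keygen(rng)      # (a_1, b_1): fake keys of U_1
    # Users receive A's keys instead of the controller's; A then runs the
    # controller's Round 2 with (a_c, b_c), giving Z, T = g^{a_c}, V = g^{b_c}.
    view_users = dict(pubs)
    view_users[c] = adv_pub_c
    Q1, Z, T, V = controller_round2(c, adv_c, view_users, rng)
    # The real controller receives (g^{a_1}, g^{b_1}) in place of U_1's keys.
    view_ctrl = dict(pubs)
    view_ctrl[1] = adv_pub_1
    K1, Y, R, S = controller_round2(c, privs[c], view_ctrl, rng)
    # A intercepts that broadcast and recovers K1 exactly as "U_1" would:
    # K1 = Y_1 * S^{b_1} * R^{a_1}.
    K1_adv = user_key(1, adv_1, Y, R, S)
    user_keys = {i: user_key(i, privs[i], Z, T, V) for i in pubs if i != c}
    return {"users": user_keys, "Q1": Q1, "controller": K1, "K1_adv": K1_adv}


if __name__ == "__main__":
    rng = random.Random(2021)
    keys, _ = honest_run(4, 4, rng)
    print("honest run, all keys equal:", len(set(keys.values())) == 1)
    res = mitm_case1(4, 4, rng)
    print("users share Q1 with A:", set(res["users"].values()) == {res["Q1"]})
    print("A knows the controller's K1:", res["K1_adv"] == res["controller"])
```

Run the file directly to see both checks succeed. The same `controller_round2`/`user_key` pair serves the honest run and the attack, which is the point: nothing in the Round 2 message lets ${U}_{i}$ tell the controller's ${g}^{{x}_{{c}_{1}}}$ from the adversary's ${g}^{{b}_{{c}_{1}}}$, so the only defence is to authenticate the Round 1 public keys.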

If $\mathcal{A}$ wants to share a different key with a user other than the group controller, we can assume without loss of generality that this user is ${U}_{1}$. The adversary $\mathcal{A}$ can build an attack by following the subsequent steps:

1. The attacker $\mathcal{A}$ initiates a protocol run among ${U}_{1},\dots ,{U}_{n}$ through the $\mathsf{Send}$ oracle (querying $\mathsf{Send}({U}_{i},{s}_{i},\{{U}_{1},\dots ,{U}_{n}\})$ on an unused instance of each user). After these queries, the first step of the protocol is executed; in particular, the users send their public keys and the adversary obtains $({g}^{{r}_{i}},{g}^{{x}_{i}})$, with ${r}_{i},{x}_{i}\in {{\mathbb{Z}}_{p}}^{*}$, for all the participants $\{{U}_{1},\dots ,{U}_{n}\}$.
2. The adversary $\mathcal{A}$ deletes the message $({g}^{{r}_{{c}_{1}}},{g}^{{x}_{{c}_{1}}})$ sent by the controller ${U}_{{c}_{1}}$ to user ${U}_{1}$ and the message $({g}^{{r}_{1}},{g}^{{x}_{1}})$ sent by user ${U}_{1}$ to the rest of the participants.
3. The adversary $\mathcal{A}$ chooses random values ${a}_{1},{b}_{1},{a}_{{c}_{1}},{b}_{{c}_{1}}\in {{\mathbb{Z}}_{p}}^{*}$ and queries $\mathsf{Send}({U}_{i},{s}_{i},({g}^{{a}_{1}},{g}^{{b}_{1}}))$ for all $i\in \{2,\dots ,n\}$, including ${c}_{1}$.

Notice that every user ${U}_{i}$, $i\ne 1,{c}_{1}$ and the adversary $\mathcal{A}$, after receiving that message, will compute ${g}^{({a}_{1}+{\displaystyle \sum _{j=2,j\ne {c}_{1}}^{n}}{r}_{j})}$ and therefore this value will be output by the $\mathsf{Send}$ oracle.

Moreover, the group controller ${U}_{{c}_{1}}$ will calculate the session key ${Q}_{1}={g}^{{r}_{{c}_{1}}({a}_{1}+{\displaystyle \sum _{j=2,j\ne {c}_{1}}^{n}}{r}_{j})}$ and he will send ${R}_{1}={g}^{{r}_{{c}_{1}}}$ and ${S}_{1}={g}^{{x}_{{c}_{1}}}$, along with the keying values

$${Z}_{1,1}={g}^{-{x}_{{c}_{1}}{b}_{1}}{g}^{\left({r}_{{c}_{1}}{\displaystyle \sum _{j=2,j\ne {c}_{1}}^{n}}{r}_{j}\right)},$$

$${Z}_{1,i}={g}^{-{x}_{{c}_{1}}{x}_{i}}{g}^{{r}_{{c}_{1}}\left({a}_{1}+{\displaystyle \sum _{j=2,j\ne {c}_{1},i}^{n}}{r}_{j}\right)},\quad i\ne 1,{c}_{1},$$

$${Z}_{1,{c}_{1}}={Q}_{1}{g}^{-{r}_{{c}_{1}}^{\prime}{r}_{{c}_{1}}}{g}^{-{x}_{{c}_{1}}^{\prime}{x}_{{c}_{1}}}.$$

These values will also be part of the output of the $\mathsf{Send}$ oracle.

Please note that after receiving this message every user ${U}_{i}$, $i\ne 1$, can compute the key ${Q}_{1}={Z}_{1,i}{S}_{1}^{{x}_{i}}{R}_{1}^{{r}_{i}}$ that will be shared with the adversary $\mathcal{A}$.

4. The attacker $\mathcal{A}$ deletes the Round 2 message sent by ${U}_{{c}_{1}}$ to the impersonated user ${U}_{1}$ and queries $\mathsf{Send}({U}_{1},{s}_{1},({W}_{1,1},\cdots ,{W}_{1,n},{T}_{1},{V}_{1}))$, where, with ${K}_{1}={g}^{{a}_{{c}_{1}}{\displaystyle \sum _{j=1,j\ne {c}_{1}}^{n}}{r}_{j}}$ and a fresh pair $({a}_{{c}_{1}}^{\prime},{b}_{{c}_{1}}^{\prime})$ chosen by $\mathcal{A}$,

   $${W}_{1,i}={g}^{-{b}_{{c}_{1}}{x}_{i}}{g}^{{a}_{{c}_{1}}\left({\displaystyle \sum _{j=1,j\ne i,{c}_{1}}^{n}}{r}_{j}\right)},\quad i\ne {c}_{1},$$

   $${W}_{1,{c}_{1}}={K}_{1}{g}^{-{a}_{{c}_{1}}^{\prime}{a}_{{c}_{1}}}{g}^{-{b}_{{c}_{1}}^{\prime}{b}_{{c}_{1}}},$$

   $${T}_{1}={g}^{{a}_{{c}_{1}}}\quad \mathrm{and}\quad {V}_{1}={g}^{{b}_{{c}_{1}}}.$$

Please note that user ${U}_{1}$, after receiving this message and following the protocol (with ${T}_{1}$ in the role of ${R}_{1}$ and ${V}_{1}$ in the role of ${S}_{1}$), computes the key ${K}_{1}={W}_{1,1}{V}_{1}^{{x}_{1}}{T}_{1}^{{r}_{1}}={g}^{-{b}_{{c}_{1}}{x}_{1}}{g}^{{a}_{{c}_{1}}{\sum}_{j\ne 1,{c}_{1}}{r}_{j}}{g}^{{b}_{{c}_{1}}{x}_{1}}{g}^{{a}_{{c}_{1}}{r}_{1}}={g}^{{a}_{{c}_{1}}{\sum}_{j\ne {c}_{1}}{r}_{j}}$, which is known to the adversary $\mathcal{A}$.

5. With the information received, the parties, following the protocol, compute the following keys:
   - (a) The impersonated user ${U}_{1}$ computes ${K}_{1}={W}_{1,1}{V}_{1}^{{x}_{1}}{T}_{1}^{{r}_{1}}$.
   - (b) Every user ${U}_{i}$, $i\ne 1,{c}_{1}$, computes ${Q}_{1,i}={Z}_{1,i}{S}_{1}^{{x}_{i}}{R}_{1}^{{r}_{i}}={Q}_{1}$, and the controller holds ${Q}_{1}$ from its own Round 2.
   - (c) The adversary $\mathcal{A}$ computes ${Q}_{1,1}={Z}_{1,1}{S}_{1}^{{b}_{1}}{R}_{1}^{{a}_{1}}={Q}_{1}$, and it knows ${K}_{1}={g}^{{a}_{{c}_{1}}{\sum}_{j\ne {c}_{1}}{r}_{j}}$ since it chose ${a}_{{c}_{1}}$ and all ${g}^{{r}_{j}}$ are public.

Therefore, the adversary $\mathcal{A}$ has established a shared key ${Q}_{1}$ with the set of parties $\{{U}_{2},\dots ,{U}_{n}\}$, which includes the controller, while ${U}_{1}$ and the adversary $\mathcal{A}$ share the key ${K}_{1}$.

While in López-Ramos et al. [15] four different protocols were described, in the previous lines only Protocol 1 was attacked.

In Protocol 2, authors try to share the computational requirements in a more even way among the parties by slightly modifying which values every participant sends to the group controller and the computations that this user has to perform. However, the only private information for every user is the tuple $({r}_{i},{x}_{i})$ as in Protocol 1. Thus, an attack can be built analogously by following the steps described above.

In Protocol 3, the authors assume that the group controller has changed. The new group controller, using two private elements $({r}_{{c}_{t}}^{\prime},{x}_{{c}_{t}}^{\prime})$, applies a transformation to the key. The remaining steps of Protocol 3 follow the description of Protocol 1. Therefore, an attack can be built following the previous description.

In Protocol 4, new users take part in the round with new private elements $({r}_{t},{x}_{t})$. Therefore, a new key has to be computed by the group controller using those new elements. Once more, the subsequent steps of Protocol 4 follow the description of Protocol 1, and an attack can be constructed analogously.

### 4.2. Forward Secrecy

We now describe informally how a passive adversary who corrupts a participant ${U}_{i}\in \{{U}_{1},\cdots ,{U}_{n}\}$ involved in a protocol run is able to compute the shared session key. Therefore, the protocol does not provide forward secrecy.

Let $\mathcal{A}$ be a probabilistic polynomial time adversary (modelled as a Turing machine). He may perform an attack by following the next steps:

1. The attacker $\mathcal{A}$ queries $\mathsf{Corrupt}\left({U}_{i}\right)$, obtaining the private keys ${r}_{i}$ and ${x}_{i}$.
2. Afterwards, he queries $\mathsf{Execute}({U}_{1},{s}_{1},\cdots ,{U}_{r},{s}_{r})$, obtaining a protocol transcript. In particular, he gets the values ${Y}_{1,i},{R}_{1}$ and ${S}_{1}$.
3. The adversary can now compute the key as user ${U}_{i}$ would do according to the protocol description: ${K}_{1}={Y}_{1,i}{S}_{1}^{{x}_{i}}{R}_{1}^{{r}_{i}}$.
4. The adversary now queries $\mathsf{Test}({U}_{j},{s}_{j})$ on any user instance involved in the above execution. Since he knows the established key, he wins the game with probability one.

Please note that session ${s}_{j}$ of user ${U}_{j}$ remains fresh, since the adversary has made no $\mathsf{Send}$ or $\mathsf{Reveal}$ query, so the attack is legitimate.

In Protocols 3 and 4 in López-Ramos et al. [15], it is described how to proceed when participants may join or leave the group. However, when a participant leaves, the only user changing his private and public keys is the new controller. This means that the rest of the users will have the same private and public key used for previous instances. Therefore, when corrupting any user that is not the new controller, one will obtain their private keys and mount the attack described above. Protocol 2, can also be attacked in the same way, just changing the computations to obtain the session key according to the protocol description.

As observed in Theorem 2.4 of López-Ramos et al. [15], the keying messages sent to establish the key can be seen as ElGamal-like encryptions of the key ${K}_{1}$ under a different key for each user: writing ${Y}_{1,i}={M}_{i}\,({g}^{{x}_{i}})^{-{x}_{{c}_{1}}}$ with ${M}_{i}={g}^{{r}_{{c}_{1}}\sum_{j\ne {c}_{1},i}{r}_{j}}$, the pair $({S}_{1},{Y}_{1,i})=({g}^{{x}_{{c}_{1}}},{M}_{i}({g}^{{x}_{i}})^{-{x}_{{c}_{1}}})$ is an ElGamal ciphertext of ${M}_{i}$ under the long-term public key ${g}^{{x}_{i}}$, and ${R}_{1}^{{r}_{i}}$ completes ${M}_{i}$ to ${K}_{1}$. In that sense, the protocol is a key transport protocol in which the transported key is protected only by long-term keys, and such a protocol cannot be forward secret: whoever later obtains the long-term key decrypts every recorded transcript.

## 5. Conclusions

As demonstrated above, the protocol proposed by López-Ramos et al. [15] does not offer the claimed security guarantees. The paper does not provide a rigorous security proof in any standard security model using provable-security techniques; the proofs given are too schematic. If an authentication compiler were applied and the private keys were ephemeral, some of the attacks above would no longer apply. Nevertheless, a security proof should be provided.

Individual contributions to this article: conceptualization, J.M.C. and A.S.C.; methodology, J.M.C. and A.S.C.; validation, J.M.C. and A.S.C.; formal analysis, J.M.C. and A.S.C.; software, J.M.C. and A.S.C.; investigation, J.M.C. and A.S.C.; resources, J.M.C. and A.S.C.; writing—original draft preparation, J.M.C. and A.S.C.; writing–review and editing, J.M.C. and A.S.C.; project administration, J.M.C. and A.S.C.; funding acquisition, J.M.C. and A.S.C. All authors have read and agreed to the published version of the manuscript.

This research was funded in part through research project MTM2017-83506-C2-2-P by the Spanish MICINN.


The authors declare no conflict of interest.

## References

1. Bellare, M.; Rogaway, P. Entity Authentication and Key Distribution. In CRYPTO 1993; Lecture Notes in Computer Science, Vol. 773; Springer: Berlin/Heidelberg, Germany, 1993; pp. 232–249.
2. Bellare, M.; Pointcheval, D.; Rogaway, P. Authenticated Key Exchange Secure against Dictionary Attacks. In EUROCRYPT 2000; Lecture Notes in Computer Science, Vol. 1807; Springer: Berlin/Heidelberg, Germany, 2000; pp. 139–155.
3. Boyd, C.; Mathuria, A. Protocols for Authentication and Key Establishment; Information Security and Cryptography; Springer: Berlin/Heidelberg, Germany, 2003.
4. Burmester, M.; Desmedt, Y. A secure and scalable Group Key Exchange system. Inf. Process. Lett. 2005, 94, 137–143.
5. Bohli, J.; Vasco, M.I.G.; Steinwandt, R. Secure group key establishment revisited. Int. J. Inf. Sec. 2007, 6, 243–254.
6. Boyd, C.; Davies, G.T.; Gjøsteen, K.; Jiang, Y. Offline Assisted Group Key Exchange. In ISC 2018; Lecture Notes in Computer Science, Vol. 11060; Springer: Berlin/Heidelberg, Germany, 2018; pp. 268–285.
7. Vasco, M.I.G.; del Pozo, A.L.P.; Corona, A.S. Group key exchange protocols withstanding ephemeral-key reveals. IET Inf. Secur. 2018, 12, 79–86.
8. Katz, J.; Yung, M. Scalable Protocols for Authenticated Group Key Exchange. In CRYPTO 2003; Lecture Notes in Computer Science, Vol. 2729; Springer: Berlin/Heidelberg, Germany, 2003; pp. 110–125.
9. Abdalla, M.; Bohli, J.; Vasco, M.I.G.; Steinwandt, R. (Password) Authenticated Key Establishment: From 2-Party to Group. In TCC 2007; Lecture Notes in Computer Science, Vol. 4392; Springer: Berlin/Heidelberg, Germany, 2007; pp. 499–514.
10. Neupane, K.; Steinwandt, R.; Corona, A.S. Group Key Establishment: Adding Perfect Forward Secrecy at the Cost of One Round. In CANS 2012; Lecture Notes in Computer Science, Vol. 7712; Springer: Berlin/Heidelberg, Germany, 2012; pp. 158–168.
11. Vasco, M.I.G.; Robinson, A.; Steinwandt, R. Cryptanalysis of a Proposal Based on the Discrete Logarithm Problem Inside S_n. Cryptography 2018, 2, 16.
12. Steinwandt, R.; Corona, A.S. Cryptanalysis of a 2-party key establishment based on a semigroup action problem. Adv. Math. Commun. 2011, 5, 87–92.
13. Vasco, M.I.G.; del Pozo, A.L.P.; Corona, A.S. Pitfalls in a server-aided authenticated group key establishment. Inf. Sci. 2016, 363, 1–7.
14. Baouch, M.; López-Ramos, J.A.; Torrecillas, B.; Schnyder, R. An active attack on a distributed Group Key Exchange system. Adv. Math. Commun. 2017, 11, 715–717.
15. López-Ramos, J.A.; Rosenthal, J.; Schipani, D.; Schnyder, R. An Application of Group Theory in Confidential Network Communications. Math. Methods Appl. Sci. 2016.

Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.

© 2021 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).