| M. Steiner, G. Tsudik, and M. Waidner, "Diffie-Hellman key distribution extended to groups," in Proc. of ACM CCS'96, 1996. |
....of the paper. Email: denker csl.sri.com Email: millen csl.sri.com c 2002 Published by Elsevier Science B. V. e.g. GDOI [BHHW01] GSAKMP [HCH 01] Some existing key exchange protocols for secure communication have been extended to the group setting (e.g. Group Diffie-Hellman GDH [STW96] and its authenticated form A GDH [AST00] There have been only a few results on the formal analysis of group management protocols (e.g. Pereira and Quisquater analyzed A GDH [PQ01] and Meadows discovered security flaws in early versions of GDOI [Mea01] The analysis of group management ....
....protocols is provided in Section 3. Rewrite rule generation is covered in Section 4. Section 5 describes future work. 2 Group Diffie-Hellman Protocol We illustrate the semantic model with the help of the Group Diffie-Hellman (GDH) protocol, which served as the basis for the Cliques protocol suite [STW96,STW98] GDH [STW96] is an extension of the two party Diffie-Hellman key agreement scheme to an arbitrary group size. The GDH protocol suite consists of a key distribution algorithm and protocols for member addition and deletion. For the purposes of this paper, we chose the key distribution protocol ....
[Article contains additional citation context not shown here]
M. Steiner, G. Tsudik, and M. Waidner. Diffie-Hellman Key Distribution Extended to Groups. In ACM Conference on Computer and Communications Security. ACM, 1996.
....tuple is appended g , outputs 0 or 1 such that: Pr [ X) 1 j X 2 G DH ] Pr [ X) 1 j X 2 G DH ] G ( The G DDH problem is (T; intractable if there is no (T; G DDH distinguisher for G . If = P(I)nfI n g, we say that G DH is the Full Generalized Diffie-Hellman distribution [6, 20, 26]. Note that if n = 2, we get the classical DDH problem, for which we use the straightforward notation Adv G ( Lemma 1. The DDH assumption implies the G DDH assumption. Proof. Steiner, Tsudik and Waidner proved it in [26] ut Multi Decisional Diffie-Hellman Assumption (M DDH) We introduce a ....
....say that G DH is the Full Generalized Diffie-Hellman distribution [6, 20, 26] Note that if n = 2, we get the classical DDH problem, for which we use the straightforward notation Adv G ( Lemma 1. The DDH assumption implies the G DDH assumption. Proof. Steiner, Tsudik and Waidner proved it in [26]. ut Multi Decisional Diffie-Hellman Assumption (M DDH) We introduce a new decisional assumption, based on the Diffie-Hellman assumption. Let us define the Multi Diffie-Hellman M DH and the Random Multi Diffie-Hellman distributions of size n as: M DH n = f(fg g 1 i j n ) j x 1 ; x n 2R Z q ....
M. Steiner, G. Tsudik, and M. Waidner. Diffie-Hellman key distribution extended to group communication. In ACM CCS '96, pp. 31-37. 1996.
....version. P (n) and E(n) are at most five times more than those for unauthenticated version. B(n) is double that of for unauthenticated version. In addition, the authenticated version involves at most three elliptic curve (EC) addition per user per round. 6 Comparison R(n) B(n) E(n) GDH 2 [19] n 2 1 GDH 3 [19] n 1 3(n 1) 5n 6 BD [5] 2 2n n(n 1) TGDH [12] dlog 2 ne ndlog 2 ne ndlog 2 ne Our Protocol dlog 3 ne 1 Table 1 : Protocol Comparison (unauthenticated versions) Points to note for unauthenticated protocols : 1. The underlying group of GDH 2, GDH 3 and ....
....and E(n) are at most five times more than those for unauthenticated version. B(n) is double that of for unauthenticated version. In addition, the authenticated version involves at most three elliptic curve (EC) addition per user per round. 6 Comparison R(n) B(n) E(n) GDH 2 [19] n 2 1 GDH 3 [19] n 1 3(n 1) 5n 6 BD [5] 2 2n n(n 1) TGDH [12] dlog 2 ne ndlog 2 ne ndlog 2 ne Our Protocol dlog 3 ne 1 Table 1 : Protocol Comparison (unauthenticated versions) Points to note for unauthenticated protocols : 1. The underlying group of GDH 2, GDH 3 and BD protocol is a ....
M. Steiner, G. Tsudik, M. Waidner. Diffie-Hellman Key Distribution Extended to Group Communication, ACM Conference on Computation and Communication Security, 1996.
....not recover by eavesdropping on flows exchanged between the two principals. Nowadays with the advance of multicast communication infrastructures come the need to extend this method to allow a pool of principals to agree on a secret value. We refer to this extension as the group Diffie-Hellman protocol [21]. In its original publication, the Diffie-Hellman protocol and the group Diffie-Hellman protocol were designed to protect against a (passive) adversary that only eavesdrop on messages. However, when it comes to use it in practice, a much stronger adversary need to be considered. In the real world the ....
M. Steiner, G. Tsudik, and M. Waidner. Diffie-Hellman key distribution extended to group communication. In Proceedings of IEEE ICDCS'97, 1997.
....broadcast values, should not be able to compute the global secret S. This is a direct generalization of the Diffie-Hellman protocol to n 1 parties (Diffie-Hellman is designed for two parties) Solutions to this problem are useful in reducing the number of round trips in group key management protocols [28]. This is a long standing open problem. More precisely, a one round n way conference key exchange scheme consists of the following three randomized polynomial time algorithms: Setup(t; n) Takes a security parameter t 2 Z and the number of participants n. It runs in polynomial time in t; n ....
M. Steiner, G. Tsudik, M. Waidner, "Diffie-Hellman key distribution extended to group communication", in Proc. 3rd ACM Conference on Communications Security, pp. 31-37, 1996.
.... was shared between KDC A and KDC B; this key was computed using public key cryptography techniques (e.g. the two party Diffie-Hellman key exchange [4] For the above protocol we can use any extension of these techniques to more than two parties (e.g. the n party generalized Diffie-Hellman key exchange [11] Figure 5 shows how Alice can send a message to the Group, which in this example includes Bob and Charlie, according to this protocol. In step 1, Alice authenticates to her local KDC and requests a ticket for the multicast group, denoted Group in the Figure 5. Alice presents her Kerberos ....
M. Steiner, G. Tsudik, and M. Waidner. Diffie-Hellman key distribution extended to groups. In Proceedings of the 3rd ACM Conference on Computer and Communications in Security, CCS'96, pages 31-37, March 1996.
....then DDH p;g;g a(x 1 x 2 ) 1. 4. Let x 1 ; x 2 2 S 1 p;g;g a, then DDH p;g;g a(x 1 x 2 ) 1. Above properties are true, even if we consider m many x s in place of two, provided m 2 K 1 . The Decisional Diffie-Hellman assumption was used as a basis for several cryptographic constructions [25, 27, 26, 33, 34]. An additive homomorphic trapdoor predicate could be used to privately calculate XOR of bits in the database, while a multiplicative predicate could be used to privately calculate OR AND of bits in the database. 2.1.7 Secret Sharing Scheme A generalized perfect secret sharing scheme realizing ....
M. Steiner, G. Tsudik, and M. Waidner. Diffie-Hellman Key distribution extended to group communication. In Proceedings of 3rd CCCS, 1996, pp 31-37.
....whose semantic security (see [38] is equivalent to the DDH Assumption 2 . The price of encrypting many bits using the ElGamal cryptosystem is a single (or two) exponentiation. This is comparable with the Blum Goldwasser cryptosystem [10] Other applications that previously appeared are [4, 14, 17, 30, 71, 70] and recently [24] we describe these applications in Section 3.1) To previous applications one can add a pseudo random generator [11, 73] that practically doubles the input length and a pseudo random synthesizer (see definition in [56] whose output length is similar to its arguments length. ....
....and Factoring In Section 5 we suggest a related construction of pseudo random functions that is based on the (computational) GDH Assumption. This generalization of the DH Assumption was previously considered in the context of a key exchange protocol for a group of parties (see e.g. [66, 71]) The GDH Assumption is implied by the DDH Assumption (as shown in [71] and in this paper) but the assumptions are not known to be equivalent. In addition, the GDH Assumption modulo a Blum integer is not stronger than the assumption that factoring Blum integers is hard (see [6, 66] This implies ....
[Article contains additional citation context not shown here]
M. Steiner, G. Tsudik and M. Waidner, Diffie-Hellman key distribution extended to group communication, Proceedings 3rd ACM Conference on Computer and Communications Security, 1996, pp. 31-37.
....than one-to-many commonly found in larger, hierarchical groups. The specific security requirements and needs of dynamic peer groups in particular, key management are still considered as open research challenges [1] Recently, several key agreement protocols geared for DPG s were proposed in [2]. They were obtained by extending the well known Giuseppe Ateniese was with the USC Information Sciences Institute. He is now with the IBM Zurich Research Laboratory, 8803 Ruschlikon, Switzerland (e mail: gat zurich.ibm.com) Michael Steiner was with the IBM Zurich Research Laboratory, 8803 ....
....based on Diffie-Hellman extensions, have been developed in [4] Both IKA and AKA protocols have been shown secure against passive adversaries. The security is based on the polynomial indistinguishability of a Diffie-Hellman key from an arbitrary random value. This paper leverages the results of [2], [4] to develop practical and secure authenticated key agreement protocols for DPG s. Also considered are other relevant security features such as key confirmation, key integrity and entity authentication. In doing so, we discover that the meaning of these and other familiar notions need to be ....
[Article contains additional citation context not shown here]
Michael Steiner, Gene Tsudik, and Michael Waidner, "Diffie-Hellman key distribution extended to groups," in Third ACM Conference on Computer and Communications Security. Mar. 1996, pp. 31--37, ACM Press.
No context found.
M. Steiner, G. Tsudik, and M. Waidner, "Diffie-Hellman key distribution extended to groups," in Proc. of ACM CCS'96, 1996.
No context found.
Steiner, M., G. Tsudik, and M. Waidner: 1996, `Diffie-Hellman key distribution extended to group communication'. In: Proc. 3rd ACM Conference on Computer and Communications Security (CCS' 96). pp. 31--37.
No context found.
M. Steiner, G. Tsudik, M. Waidner. Diffie-Hellman Key Distribution Extended to Group Communication, ACM Conference on Computation and Communication Security, 1996.
No context found.
M. Steiner, G. Tsudik, M. Waidner. Diffie-Hellman Key Distribution Extended to Group Communication, ACM Conference on Computation and Communication Security, 1996.
No context found.
Michael Steiner, Gene Tsudik, and Michael Waidner. Diffie-Hellman key distribution extended to group communication. In Proceedings of the 3rd ACM Conference on Computer and Communications Security, pages 31-37, 1996.
No context found.
M. Steiner, G. Tsudik, M. Waidner. Diffie-Hellman Key Distribution Extended to Group Communication, ACM Conference on Computation and Communication Security, 1996.
No context found.
Michael Steiner, Gene Tsudik, and Michael Waidner. Diffie-Hellman key distribution extended to group communication. In ACM Conference on Computer and Communications Security, pages 31-37, 1996.
No context found.
Gene Tsudik Michael Steiner and Michael Waidner. Diffie-Hellman key distribution extended to groups. In Proceedings 1996 ACM Conference on Computer and Communications Security, 1996.