Results 1 - 10 of 14
A Security Analysis of the Cliques Protocols Suites
2001
Cited by 54 (5 self)
Abstract
Secure group protocols are not easy to design: this paper will show new attacks found against a protocol suite for sharing key. The method we propose to analyse these protocols is very systematic, and can be applied to numerous protocols of this type. The A-GDH.2 protocols suite analysed throughout this paper is part of the Cliques suites that propose extensions of the Diffie-Hellman key exchange protocol to a group setting. The A-GDH.2 main protocol is intended to allow a group to share an authenticated key while the other protocols of the suite allow to perform dynamic changes in the group constitution (adding and deleting members, fusion of groups ...). We are proposing an original method to analyse these protocols and are presenting a number of unpublished flaws with respect to each of the main security properties claimed in protocol definition (key authentication, perfect forward secrecy, resistance to known-keys attacks). Most of these flaws arise from the fact that using a group setting does not allow to reason about security properties in the same way as when only two (or three) parties are concerned. Our method has been easily applied on other Cliques protocols and allowed us to pinpoint similar flaws.
Symbolic protocol analysis with products and Diffie-Hellman exponentiation
2003
Cited by 34 (0 self)
Abstract
We demonstrate that for any well-defined cryptographic protocol, the symbolic trace reachability problem in the presence of an Abelian group operator (e.g., multiplication) can be reduced to solvability of a decidable system of quadratic Diophantine equations. This result enables complete, fully automated formal analysis of protocols that employ primitives such as Diffie-Hellman exponentiation, multiplication, and xor, with a bounded number of role instances, but without imposing any bounds on the size of terms created by the attacker.
Safely composing security protocols
2008
Cited by 15 (3 self)
Abstract
Security protocols are small programs that are executed in hostile environments. Many results and tools have been developed to formally analyze the security of a protocol in the presence of an active attacker that may block, intercept and send new messages. However, even when a protocol has been proved secure, there is absolutely no guarantee if the protocol is executed in an environment where other protocols are executed, possibly sharing some common identities and keys like public keys or long-term symmetric keys. In this paper, we show that security of protocols can be easily composed. More precisely, we show that whenever a protocol is secure, it remains secure even in an environment where arbitrary protocols satisfying a reasonable (syntactic) condition are executed. This result holds for a large class of security properties that encompasses secrecy and various formulations of authentication.
Some Attacks upon Authenticated Group Key Agreement Protocols
Journal of Computer Security, 2002
Cited by 14 (3 self)
Abstract
During the last few years, a number of authenticated group key agreement protocols have been proposed in the literature. We observed that the efforts in this domain were mostly dedicated to the improvement of their performance in terms of bandwidth or computational requirements, but that there were very few systematic studies on their security properties. In this paper, we tried to develop a systematic way to analyse protocol suites extending the Diffie-Hellman key-exchange scheme to a group setting and presented in the context of the Cliques project. This led us to propose a very simple machinery that allowed us to manually pinpoint several unpublished attacks against the main security properties claimed in the definition of these protocols (implicit key agreement, perfect forward secrecy, resistance to known-key attacks).
Symbolic protocol analysis with an abelian group operator or Diffie-Hellman exponentiation
Journal of Computer Security, 2005
Cited by 13 (0 self)
Abstract
We demonstrate that for any well-defined cryptographic protocol, the symbolic trace reachability problem in the presence of an Abelian group operator (e.g., multiplication) can be reduced to solvability of a decidable system of quadratic Diophantine equations. This result enables complete, fully automated formal analysis of protocols that employ primitives such as Diffie-Hellman exponentiation, multiplication, and xor, with a bounded number of role instances, but without imposing any bounds on the size of terms created by the attacker.
On the Indistinguishability-Based Security Model of Key Agreement Protocols - Simple Cases
2005
Cited by 11 (4 self)
Abstract
Since Bellare and Rogaway's work in 1994, the indistinguishability-based security models of authenticated key agreement protocols in simple cases have been evolving for more than ten years. In this paper, we review and organize the models under a unified framework with some new extensions. By providing a new ability (the Coin query) to adversaries and redefining two key security notions, the framework fully exploits an adversary's capacity and can be used to prove all the commonly required security attributes of key agreement protocols with key confirmation. At the same time, the Coin query is also used to define a model which can be used to heuristically evaluate the security of a large category of authenticated protocols without key confirmation. We use the models to analyze a few identity-based authenticated key agreement protocols with pairings.
Deciding key cycles for security protocols
In Proc. 13th Inter. Conference on Logic for Programming, Artificial Intelligence, and Reasoning (LPAR'06), volume 4246 of LNCS, 2006
Cited by 7 (2 self)
Abstract
Many recent results are concerned with interpreting proofs of security done in symbolic models in the more detailed models of computational cryptography. In the case of symmetric encryption, these results stringently demand that no key cycle (e.g. {k}k) can be produced during the execution of protocols. While security properties like secrecy or authentication have been proved decidable for many interesting classes of protocols, the automatic detection of key cycles has not been studied so far. In this paper, we prove that deciding the existence of key-cycles is NP-complete for a bounded number of sessions. Next, we observe that the techniques that we use are of more general interest and apply them to reprove the decidability of a significant existing fragment of protocols with timestamps.
Compositional security for Task-PIOAs
In Proceedings of the 20th IEEE Computer Security Foundations Symposium (CSF-20), 2007
Cited by 5 (5 self)
Abstract
Université catholique de Louvain
Task-PIOA is a modeling framework for distributed systems with both probabilistic and nondeterministic behaviors. It is suitable for cryptographic applications because its task-based scheduling mechanism is less powerful than the traditional perfect-information scheduler. Moreover, one can speak of two types of complexity restrictions: time bounds on description of task-PIOAs and time bounds on length of schedules. This distinction, along with the flexibility of nondeterministic specifications, are interesting departures from existing formal frameworks for computational security. The current paper presents a new approximate implementation relation for task-PIOAs. This relation is transitive and is preserved under hiding of external actions. Also, it is shown to be preserved under concurrent composition, with any polynomial number of substitutions. Building upon this foundation, we present the notion of structures, which classifies communications into two categories: those with a distinguisher environment and those with an adversary. We then formulate secure emulation in the spirit of traditional simulation-based security, and a composition theorem follows as a corollary of the composition theorem for the new approximate implementation relation.
Formal Model of Basic Concepts
1999
Cited by 1 (1 self)
Abstract
[Figure 1.1: Goals of faithful abstraction. Diagram relating abstract primitives, concrete primitives, abstract protocol, concrete protocol, abstract goals and concrete goals via "uses", "abstraction", "replace primitives", "cryptographic semantics" and "fulfils" arrows.] Bold arrows should be defined once and for all, normal arrows once per protocol. It should be proven that dashed arrows follow automatically.
Two Formal Views of Authenticated Group Diffie-Hellman Key Exchange
2002
Cited by 1 (0 self)
Abstract
We recently presented several papers introducing various models and techniques for group key agreement protocols analysis. Such protocols are designed to be executed by a pool of players, possibly dishonest, and the security analysis often raises technical difficulties. A typical example is the group Diffie-Hellman key exchange. The aim of this talk would be to synthesize our results, and discuss the benefits and shortcomings of the applied methods.