
Flexible Group Key Exchange with On Demand Computation of Subgroup - PowerPoint PPT Presentation



1. Flexible Group Key Exchange with On-Demand Computation of Subgroup Keys
Michel Abdalla (1), Céline Chevalier (2), Mark Manulis (3), David Pointcheval (1)
(1) École Normale Supérieure, CNRS-INRIA, Paris, France; (2) Telecom ParisTech, France; (3) Cryptographic Protocols Group, TU Darmstadt & CASED, Germany
AFRICACRYPT 2010, Stellenbosch, 05.05.2010 | Mark Manulis | www.manulis.eu | CRYPTOGRAPHIC PROTOCOLS

2. Group Key Exchange
Users in U = {U_1, …, U_N} run a Group Key Exchange (GKE) protocol and compute a session group key k that is indistinguishable from k* ∈_R {0,1}^κ. GKE is the main building block for secure group communication.
[Figure: U_1, U_i and U_N each accept their key k_1, k_i, k_N.]
Correctness requires that k_1 = k_2 = … = k_N.

3. Flexible Group Key Exchange
Goal: extend the notion of GKE towards the computation of subgroup/p2p keys.
[Figure: GKE+S with four users U_1, …, U_4. Traditional GKE yields the group key k; in addition there are the subgroup keys k_{1,2,3}, k_{1,2,4}, k_{1,3,4}, k_{2,3,4} and the p2p keys k_{1,2}, k_{1,3}, k_{1,4}, k_{2,3}, k_{2,4}, k_{3,4}.]
Naïve solution: each subgroup executes its own GKE/2KE session on demand.
Question: is it possible to compute subgroup/p2p keys in some optimized, more efficient way?

4. Challenge 1: Independence of Subgroup Keys
[Figure: the group key k, the subgroup keys k_{1,2,3}, k_{1,2,4}, k_{1,3,4}, k_{2,3,4} and the p2p keys k_{1,2}, k_{1,3}, k_{1,4}, k_{2,3}, k_{2,4}, k_{3,4} among U_1, …, U_4.]
The adversary A may learn some session keys (including the group key). Still, the security of the other, unknown subgroup/p2p keys should be preserved.
Session keys must be independent (indistinguishable from random keys).

5. Challenge 2: Insider/Collusion Attacks
[Figure: the same group key, subgroup keys and p2p keys among U_1, …, U_4 as on the previous slide.]
The adversary A may be a group member and misbehave during the protocol execution. Still, the security of the subgroup keys of subgroups in which A is not a member should be preserved.
Independence of (sub)group keys must hold in the case of insider/collusion attacks.

6. GKE+P Protocols
GKE+P: GKE with On-Demand Derivation of P2P Keys [Man09]. It can be seen as a special case of GKE+S.
[Figure: GKE+P with four users: the traditional GKE group key k plus the p2p keys k_{1,2}, k_{1,3}, k_{1,4}, k_{2,3}, k_{2,4}, k_{3,4}.]
Many GKE protocols extend the classical Diffie-Hellman method to a group setting. The group key k is derived from some element k' = f(g, x_1, …, x_N) for some function f : G × Z_Q^N → G, where x_i ∈ Z_Q is an exponent chosen by U_i.
Question: is it possible to re-use the exponents x_i and x_j to derive p2p keys from g^{x_i x_j}?

7. Parallel Diffie-Hellman Key Exchange
As a basic tool to derive p2p keys we want to use the parallel version of DHKE.
Parallel DHKE (PDHKE). Let U = {U_1, …, U_N} be a set of users (their unique identities). Each U_i picks x_i ∈_R Z_Q^* and "broadcasts" y_i = g^{x_i} via an asynchronous p2p channel. Having received the y_j, U_i accepts with {k'_{i,j} = y_j^{x_i}}_j.
This allows U_i to compute k'_{i,1} = g^{x_i x_1}, k'_{i,2} = g^{x_i x_2}, …, k'_{i,N} = g^{x_i x_N}. However, …

8. Simple Insider Attack on PDHKE
Recall that p2p keys should remain independent.
Insider attack on PDHKE: the adversary A, acting as U_1, waits for y_2 and then broadcasts y_2 as its own value y_1. Every honest U_i proceeds as before: it picks x_i ∈_R Z_Q^*, sends y_i = g^{x_i} and accepts with {k'_{i,j} = y_j^{x_i}}_j.
Although A does not learn x_2, we have k'_{i,1} = k'_{i,2} = g^{x_i x_2} for all U_i. Exposure of any k'_{i,1} to A reveals k'_{i,2}, which however should remain secret.

9. Hash-based Key Derivation for PDHKE
The problem can be fixed by an appropriate key derivation function applied to k'_{i,j}.
Hash-based key derivation for PDHKE: let H_p : {0,1}* → {0,1}^κ be a cryptographic hash function (random oracle). U_i computes k_{i,j} = H_p(k'_{i,j}, (U_i, y_i), (U_j, y_j)); for any U_i, U_j the input order to H_p is determined by i < j (so that k_{i,j} = k_{j,i}). As before, U_i picks x_i ∈_R Z_Q^*, sends y_i = g^{x_i}, receives {y_j}_j, computes {k'_{i,j} = y_j^{x_i}}_j and now accepts with {k_{i,j} = H_p(k'_{i,j}, (U_i, y_i), (U_j, y_j))}_j.
Why it works: uniqueness of U_i, U_j gives uniqueness of the hash inputs H_p(*, (U_i, *), (U_j, *)); uniqueness of y_i per session gives independence of the p2p session keys {k_{i,j}}_j of U_i (in the random oracle model).
This allows us to derive independent p2p keys for any pair (U_i, U_j). Can we integrate PDHKE into a GKE protocol?
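The PDHKE construction of slides 7 to 9, the replayed-y_2 scenario and the hash-based key derivation, as an added worked example that is not part of the original slides or the authors' code. It assumes a tiny constructed group (p = 1019, q = 509, g = 4) and SHA-256 in the role of the random oracle H_p; the names `pdhke_session`, `honest_session_agrees` and `insider_replay` are chosen here. The point it makes is the one on slide 9: with y_1 = y_2 the raw values k'_{3,1} and k'_{3,2} coincide, but the derived keys k_{3,1} and k_{3,2} do not, because the identities and y values are bound into H_p.

```python
import hashlib
import secrets

# Toy DL-hard group (constructed for illustration only): safe prime p = 2q + 1 and
# g = 4, which generates the subgroup of prime order q. Production code uses a
# standard group of 2048 bits or more; this one only keeps the demo instant.
P, Q, G = 1019, 509, 4
assert pow(G, Q, P) == 1 and G != 1


def keygen():
    """PDHKE contribution of one user: x_i in Z_Q^*, and y_i = g^{x_i} to broadcast."""
    x = 1 + secrets.randbelow(Q - 1)
    return x, pow(G, x, P)


def raw_dh(x_i, y_j):
    """k'_{i,j} = y_j^{x_i}: the unhashed PDHKE value (slide 7)."""
    return pow(y_j, x_i, P)


def derive_p2p_key(k_prime, i, y_i, j, y_j):
    """k_{i,j} = H_p(k'_{i,j}, (U_i, y_i), (U_j, y_j)) with the lower identity first,
    so k_{i,j} == k_{j,i} (slide 9). SHA-256 stands in for H_p (assumption); every
    field is length-prefixed so the encoding of the input tuple is unambiguous."""
    if i > j:
        i, y_i, j, y_j = j, y_j, i, y_i
    h = hashlib.sha256(b"H_p")
    for field in (k_prime, i, y_i, j, y_j):
        enc = str(field).encode()
        h.update(len(enc).to_bytes(2, "big") + enc)
    return h.hexdigest()


def pdhke_session(public_values, private_exponents):
    """Run PDHKE from the viewpoint of the honest users in private_exponents
    (id -> x_i), given the y values everybody broadcast (id -> y_j).
    Returns the raw values k'_{i,j} and the derived keys k_{i,j}, keyed by (i, j)."""
    raw, derived = {}, {}
    for i, x_i in private_exponents.items():
        for j, y_j in public_values.items():
            if j != i:
                raw[(i, j)] = raw_dh(x_i, y_j)
                derived[(i, j)] = derive_p2p_key(raw[(i, j)], i, public_values[i], j, y_j)
    return raw, derived


def honest_session_agrees(x2, x3):
    """Sanity check: two honest users agree on the raw value and on the derived key."""
    pub = {2: pow(G, x2, P), 3: pow(G, x3, P)}
    raw, derived = pdhke_session(pub, {2: x2, 3: x3})
    return raw[(2, 3)] == raw[(3, 2)], derived[(2, 3)] == derived[(3, 2)]


def insider_replay(x2, x3):
    """Slide 8 replayed: U_1 waits for y_2 and broadcasts the same value as its own y_1
    (it never learns x_2). Returns whether U_3's raw values with U_1 and U_2 coincide,
    and whether its derived keys with U_1 and U_2 coincide."""
    y2, y3 = pow(G, x2, P), pow(G, x3, P)
    pub = {1: y2, 2: y2, 3: y3}  # y_1 == y_2: the replayed value (constructed scenario)
    raw, derived = pdhke_session(pub, {2: x2, 3: x3})
    return raw[(3, 1)] == raw[(3, 2)], derived[(3, 1)] == derived[(3, 2)]


if __name__ == "__main__":
    x2, x3 = keygen()[0], keygen()[0]
    print("honest (raw agree, derived agree):", honest_session_agrees(x2, x3))
    print("replay (raw collide, derived collide):", insider_replay(x2, x3))
```

`insider_replay` returns `(True, False)`: the raw values collide exactly as slide 8 says, and the identity-bound derivation of slide 9 separates the keys again, so learning k_{3,1} says nothing about k_{3,2} in the random oracle model.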

10. Integration into Burmester-Desmedt GKE Fails
Burmester-Desmedt (BD) GKE [BD94]: cyclic DL-hard group G = (g, P, Q). Users U_1, …, U_N are arranged into a cycle such that U_0 = U_N and U_{N+1} = U_1.
Round 1: each U_i picks x_i ∈_R Z_Q and sends y_i = g^{x_i}.
Round 2: each U_i sends z_i = (y_{i+1} / y_{i-1})^{x_i}.
Then k'_i = y_{i-1}^{N x_i} · z_i^{N-1} · z_{i+1}^{N-2} · … · z_{i+N-2} = g^{x_1 x_2 + x_2 x_3 + … + x_{N-1} x_N}.
Group key: k_i = H_g(g^{x_1 x_2 + x_2 x_3 + … + x_{N-1} x_N}, (U_1, y_1), …, (U_N, y_N)).
P2P keys: k_{i,j} = H_p(g^{x_i x_j}, (U_i, y_i), (U_j, y_j)).
However, …

11. Problem and Solution
P2P keys are not independent [Ma09]: each U_i sends z_i = (y_{i+1} / y_{i-1})^{x_i} = g^{x_i x_{i+1}} / g^{x_{i-1} x_i}. U_{i-1} can compute g^{x_i x_{i+1}} and thus derive the p2p key k_{i,i+1} shared between U_i and U_{i+1}.
Our solution, modified BD (mBD): use a hash function H : G → {0,1}^κ. Let sid_i = ((U_1, y_1), …, (U_N, y_N)), known to each U_i after the first BD round. In the second round U_i computes z_{i-1,i} = H(y_{i-1}^{x_i}, sid_i) and z_{i,i+1} = H(y_{i+1}^{x_i}, sid_i) and broadcasts z_i = z_{i,i-1} ⊕ z_{i,i+1}. From z_{i-1,i} and z_1, …, z_N each U_i can recover z_{1,2}, z_{2,3}, …, z_{N,1} (via iterated ⊕).
In mBD+P users derive: group key k_i = H_g(z_{1,2}, …, z_{N,1}, (U_1, y_1), …, (U_N, y_N)); p2p keys k_{i,j} = H_p(g^{x_i x_j}, (U_i, y_i), (U_j, y_j)).
Knowledge of z_{1,2}, …, z_{N,1} is not sufficient for the computation of any g^{x_i x_j}. In the paper we prove the security of mBD+P under the Gap Diffie-Hellman assumption.
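BD and mBD from slides 10 and 11 as an added example, again not from the slides or from the paper's authors: it assumes the same constructed toy group as above, SHA-256 in the role of H and H_g, users indexed 1..N, and helper names chosen here. `run_bd` checks that every user computes the same BD value, namely g raised to the cyclic sum x_1 x_2 + x_2 x_3 + … + x_{N-1} x_N + x_N x_1 (the slide's ellipsis hides the wrap-around term); `bd_neighbor_recovers_dh` reproduces the observation on slide 11 that U_{i-1} obtains g^{x_i x_{i+1}} from its own x_{i-1} and the public z_i; `run_mbd` shows that with hashed, XOR-combined round-2 messages every user still recovers z_{1,2}, …, z_{N,1} and the same group key.

```python
import hashlib

# Toy DL-hard group (constructed for illustration only): safe prime p = 2q + 1,
# g = 4 generates the subgroup of prime order q. Not a production parameter set.
P, Q, G = 1019, 509, 4
assert pow(G, Q, P) == 1 and G != 1


def nxt(i, n):  # index of U_{i+1} in the cycle U_1, ..., U_n (U_{n+1} = U_1)
    return i % n + 1


def prv(i, n):  # index of U_{i-1} in the cycle (U_0 = U_n)
    return (i - 2) % n + 1


def bd_round1(xs):
    """Round 1 of both BD and mBD: every U_i broadcasts y_i = g^{x_i}. xs: id -> x_i."""
    return {i: pow(G, x, P) for i, x in xs.items()}


def bd_round2(xs, ys):
    """Original BD round 2: z_i = (y_{i+1} / y_{i-1})^{x_i}, a group element."""
    n = len(xs)
    return {i: pow(ys[nxt(i, n)] * pow(ys[prv(i, n)], -1, P) % P, xs[i], P) for i in xs}


def bd_group_secret(i, xs, ys, zs):
    """k'_i = y_{i-1}^{N x_i} * z_i^{N-1} * z_{i+1}^{N-2} * ... * z_{i+N-2}^{1} (slide 10)."""
    n = len(xs)
    k = pow(ys[prv(i, n)], n * xs[i], P)
    j = i
    for t in range(n - 1):
        k = k * pow(zs[j], n - 1 - t, P) % P
        j = nxt(j, n)
    return k


def bd_neighbor_recovers_dh(i, xs, ys, zs):
    """Slide 11's problem: U_{i-1} multiplies the public z_i by y_i^{x_{i-1}} = g^{x_{i-1} x_i}
    and obtains g^{x_i x_{i+1}}, the raw DH value that U_i and U_{i+1} would hash into k_{i,i+1}."""
    n = len(xs)
    recovered = zs[i] * pow(ys[i], xs[prv(i, n)], P) % P
    return recovered == pow(G, xs[i] * xs[nxt(i, n)], P)


def session_id(ys):
    """sid = ((U_1, y_1), ..., (U_N, y_N)); identical for all users after round 1."""
    return b",".join(f"U{i}:{ys[i]}".encode() for i in sorted(ys))


def H(elem, sid):  # the mBD hash H : G -> {0,1}^kappa, instantiated with SHA-256 (assumption)
    return hashlib.sha256(b"mBD|" + str(elem).encode() + b"|" + sid).digest()


def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))


def mbd_round2(i, xs, ys):
    """mBD round 2 for U_i: hash the DH values with both neighbours, broadcast their XOR.
    Returns (z_{i-1,i}, z_{i,i+1}, z_i)."""
    n = len(xs)
    sid = session_id(ys)
    left = H(pow(ys[prv(i, n)], xs[i], P), sid)
    right = H(pow(ys[nxt(i, n)], xs[i], P), sid)
    return left, right, xor(left, right)


def mbd_recover_chain(i, left, zs):
    """From z_{i-1,i} and all broadcast z_j, recover z_{1,2}, ..., z_{N,1} by iterated XOR."""
    n = len(zs)
    chain, cur, j = {}, left, i
    for _ in range(n):
        cur = xor(zs[j], cur)  # z_j = z_{j-1,j} xor z_{j,j+1}, so z_{j,j+1} = z_j xor z_{j-1,j}
        chain[(j, nxt(j, n))] = cur
        j = nxt(j, n)
    return chain


def mbd_group_key(chain, ys):
    """k_i = H_g(z_{1,2}, ..., z_{N,1}, (U_1, y_1), ..., (U_N, y_N)); SHA-256 stands in for H_g."""
    n = len(ys)
    h = hashlib.sha256(b"H_g|")
    for j in range(1, n + 1):
        h.update(chain[(j, nxt(j, n))])
    h.update(session_id(ys))
    return h.hexdigest()


def run_bd(xs):
    """Original BD: the group secret k'_i as computed by every user (all must agree)."""
    ys = bd_round1(xs)
    zs = bd_round2(xs, ys)
    return [bd_group_secret(i, xs, ys, zs) for i in xs]


def run_mbd(xs):
    """mBD: the group key k_i as computed by every user (all must agree)."""
    ys = bd_round1(xs)
    r2 = {i: mbd_round2(i, xs, ys) for i in xs}
    zs = {i: r2[i][2] for i in xs}
    return [mbd_group_key(mbd_recover_chain(i, r2[i][0], zs), ys) for i in xs]


if __name__ == "__main__":
    xs = {1: 7, 2: 11, 3: 13, 4: 17}  # constructed exponents for a 4-user run
    ys, zs = bd_round1(xs), bd_round2(xs, bd_round1(xs))
    print("BD secrets agree:", len(set(run_bd(xs))) == 1)
    print("U_1 recovers g^{x_2 x_3} from z_2:", bd_neighbor_recovers_dh(2, xs, ys, zs))
    print("mBD keys agree:", len(set(run_mbd(xs))) == 1)
```

In mBD the broadcast z_i is a hash, not a group element, so the multiply-by-y_i^{x_{i-1}} step that `bd_neighbor_recovers_dh` performs has nothing to act on; the p2p derivation k_{i,j} = H_p(g^{x_i x_j}, …) from the previous example is then used unchanged on top of the mBD run.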
