Pairwise Key Agreement in Broadcasting Networks

1
Pairwise Key Agreement in Broadcasting Networks

• - 2005.11.11
• - Ik Rae Jeong

2
Contents

• Security Notions of Key Exchange
• Type of Networks
• Key Agreement for Key Graphs

3
Security Notions of Key Exchange

• IA (Implicit Authentication)
• Only a designated party can calculate the same
  session key. Dishonest parties can not get any
  information about the session key.
• KI (Key Independence)
• security against Denning-Sacco attacks
• (known key attacks)
• for the cases when other session keys are
  revealed
• FS (Forward Secrecy)
• for the cases when long-term secrets are revealed

4
Types of Network

• half-duplex
• full-duplex

Alice
Bob
4 Rounds
Alice
Bob
2 Rounds
5
Types of Network

• Broadcasting Network

P3
P1
P2
P4
Round 1
Round 2
6
DH (half-duplex)
Bob
Alice
2 Rounds
7
DH (full-duplex)
Bob
Alice
1 Round
8
Session Identifier

• The unique string per session
• Used to define matching session in the definition
  of security of key exchange
• In the full-duplex channel
• the message concatenation by the ordering of
  owners

9
III. Key Agreement for Key Graphs

• We have constructed more efficient key exchange
  schemes which provides pairwise key exchange
  between parties via randomness re-use technique.

10
Sequential Key Exchangebetween Parties
P1
P2
P4
P3
11
Concurrent Key Exchangebetween Parties
P1
P2
P4
P3
12
Motivation

• How do we efficiently do concurrent execution of
  the two-party key exchange scheme ?

13
Our Results

• An efficient one-round key exchange scheme
  providing key independence in the standard model
• A two-round key exchange scheme providing forward
  secrecy in the standard model

14
Key Graphfor Session keys (1)
GV,E VP1,P2,P3,P4 E(P1,P2),(P1,P3),(P1,P4)

GV,E VP1,P2,P3,P4 E(P1,P2),(P2,P3),(P3,P4)
, (P4,P1)
15
Key Graphfor Session keys (2)
GV,E VP1,P2,P3,P4 E(P1,P2),(P1,P3),
(P2,P4), (P2,P5), (P3,P6), (P3,P7)
GV,E VP1,P2,P3,P4 E(P1,P2),(P1,P3),(P1,P4)
, (P2,P3),(P2,P4),(P3,P4)
16
Key Exchange Model for Key Graphs

• Broadcasting network
• Several session keys in a single session

17
One-Round Two-Party Diffie-Hellman Key Exchange
P1
P2
18
One-Round Concurrent Key Exchange using Two-Party
Key Exchange
P1
P2
P4
P3
P1 requires three random values.
19
One-Round Concurrent Key Exchange using
randomness re-use technique
P1
P2
P4
P3
P1 requires one random values.
20
Randomness Re-useunder the DDH assumption

• Pairwise DDH assumption 1

Exp
21
Randomness Re-useunder the DDH assumption

• Pairwise DDH assumption 2

Exp
22
PKA1
KI in the standard model
P3
P1
P2
P4
Round 1
23
PKA2
FS in the standard model
P3
P1
P2
P4
Round 1
24
Security

• PKA1 and PKA2
• reduced to the DDH problem in the standard model

25
Discussion

• Key exchange for key graph is an extension of
  two-party key exchange.
• Key exchange for key graph can be used as a
  subprotocol of another protocol such as group key
  exchange protocols.

26

• Thank You !