Building Group Key Establishment on Group Theory: A Modular Approach

: A group key establishment protocol is presented and proven secure in the common reference string mode. The protocol builds on a group-theoretic assumption, and a concrete example can be obtained with a decision Difﬁe–Hellman assumption. The protocol is derived from a two-party solution by means of a protocol compiler presented by Abdalla et al. at TCC 2007, evidencing the possibility of meaningfully integrating cryptographic and group-theoretic tools in cryptographic protocol design. This compiler uses a standard ring conﬁguration, where all users behave symmetrically, exchanging keys with their left and right neighbor, which are later combined to yield a shared group key.


Introduction
Cryptography is the science of handling, storing, transmitting, and processing information securely, even in the presence of adversaries. For centuries, cryptographic techniques were developed for diplomatic or military scenarios, while nowadays individuals and institutions (often obliviously) make use of cryptographic tools every day. As a complex discipline, cryptography builds upon physics, mathematics, and different research areas within computer science. Mathematics are the main source of tools for cryptographic developments, in which, security is often demonstrated using the hardness of well understood mathematical problems. This paper is concerned with the construction of a widely used cryptographic tool, a group key exchange, using group theory as a base. Key exchange allows a number of users to establish a common secret value which will be subsequently used to secure their communication. Such cryptographic tools are often constructed from number theoretical problems (described in finite cyclic groups), and a challenging research question is whether secure constructions can be derived from different problems arising in group theory.
In recent years, not only due to the advent of quantum computation, significant efforts have been made to identify new mathematical platforms for implementing cryptographic schemes. One of the explored candidate platforms is the theory of finitely presented groups, where, in particular, a number of works on key establishment have been published. The first constructions in this direction where published about twenty years ago [1][2][3], and different approaches towards secure constructions have been explored regularly, such as [4][5][6][7][8][9], and the more recently [10]. Unfortunately, most of the proposed protocols have not been analyzed in a modern cryptographic security model (like [11][12][13][14][15][16]), and only few group-theoretic constructions with a rigorous security analysis seem to be known. This lack of formalism has resulted in weaknesses being overlooked (see, for instance, [17]).
One approach to facilitate the synergy between group-theoretic and cryptographic tools is the identification of general constructions that under suitable group-theoretic conditions yield an (efficient) cryptographic scheme with provable security guarantees. As examples for research along this line of thought, proposals for constructing IND-CCA secure asymmetric encryption schemes can be mentioned [18,19]. Also, constructions for building provably secure group key establishment schemes have been proposed (cf. [20,21]), but identifying practical non-abelian instances still appears to be a challenging problem. In this contribution, we build on [21], and try to extend and simplify their approach in the following sense: • Instead of the random oracle model, we use the common reference string model. An (expected) price we pay for this, is the need of a decisional assumption instead of a computational one that is used in [21]. • Instead of setting out for a group key establishment directly, we suggest a construction for the two-party case and thereafter apply a protocol compiler of Abdalla et al. [22].
In terms of round complexity, we lose some efficiency through the modular design approach we chose. On the other hand, this modular design approach illustrates how an integration of group-theoretic and cryptographic tools can look like. Moreover, we obtain a comparatively clear group-theoretic condition which hopefully stimulates further research on finding concrete non-abelian instances. Concrete examples of our protocol can be derived from a decision Diffie-Hellman assumption, but we hope that in subsequent work also concrete non-abelian instances can be identified.

Preliminaries: Security Model and Protocol Goals
To explore the security of our protocol, we adopt the model used by Abdalla et al. [22], which can be traced back to [23][24][25][26][27]. Both to formulate our two-party solution and to use the "2-to-n compiler" from [22], we assume a common reference string (CRS) to be available that encodes the following information: • Two values v 0 , v 1 . These will be the input for a pseudorandom function at the time of computing the session identifier and session key; • The information necessary to implement a non-interactive and non-malleable commitment scheme (see Section 3.1 for further details); • Two elements, chosen independently and uniformly at random, each taken from a family of universal hash functions (one as needed for the compiler in [22] and one for our two-party solution as detailed in Section 3.1).
This is similar to the constructions for password-authenticated key establishment in [24,27].

Communication Model and Adversarial Capabilities
As usual, we model protocol participants as probabilistic polynomial time (ppt) Turing machines (all our proofs hold for both uniform and non-uniform machines). We denote by P the total set of users which is assumed to be of polynomial size and by U = {U 0 , . . . , U n−1 } ⊆ P the set of protocol participants. To enable authentication among the protocol participants, we assume that an existentially unforgeable signature scheme is available with all signing keys being chosen independently in a trusted initialization phase. The verification keys are assumed to be distributed in a trusted initialization phase, prior to the protocol execution.

Protocol Instances
We allow each protocol participant U i ∈ U to execute polynomially many protocols instances in parallel. Each single instance Π s i i may be understood as a process executed by participant U i . We will denote by Π s i i (s i ∈ N) the s i − th instance of user U i ∈ U , and the following seven variables are assigned to each instance: We refer to a paper of Bellare et al. [14] for more details on the usage of these variables.

Communication Network
The network is considered to be fully asynchronous and under complete control of the adversary. Arbitrary point-to-point connections among users are available, but the adversary may delay, eavesdrop, insert, and delete messages at will.

Adversarial Capabilities
We restrict to adversaries A running in probabilistic polynomial time, whose capabilities are made explicit through the four oracles listed below. These oracles formalize the interaction between A and the protocol instances run by the users. For the description of the Test oracle, we denote by b a bit that is chosen uniformly at random.
If the corresponding session key is defined (i. e., acc s i i = true and sk s i i = NULL) and instance Π s i i is fresh (see Definition 4), A can execute this oracle query at any time when being activated. Then, if b = 0 the session key sk s i i is returned, while if b = 1 a uniformly chosen random session key is returned. An arbitrary number of Test queries is allowed for the adversary A, but once the Test oracle returned a value for an instance Π s i i , the same value will be returned for all instances partnered with Π This oracle models forward secrecy, as this query will output the secret signing key of user U i .

Goals of a Key Establishment Protocol: Correctness, Integrity, and Security
We assume that an instance Π s i i always accepts the session key constructed at the end of a protocol run if no deviation from the protocol specification has occurred. The subsequent definition of correctness captures the protocol goal that, if the adversary is passive, all users involved in the same protocol session should come up with the same session key. By A being passive, we mean that A must not use the Corrupt oracle, and may query the Send oracle for the purpose of executing honest protocol executions only.

Definition 1 (Correctness).
A group key establishment protocol P is correct, if in the presence of a passive adversary A the following holds: for all i, j with both sid s i i = sid s j j and acc Unlike correctness, the concept of integrity imposes no restrictions on the adversary's behavior: Finally, for defining security, we detail our interpretation of partnering and freshness: The idea of freshness is to characterize those instances where the adversary does not know the secret session key for trivial reasons. In particular, note that after revealing a session key from instance Π • For some U j ∈ pid s i i a query Corrupt(U j ) was executed before a query of the form Send(U k , s k , * ) has taken place where U k ∈ pid s i i .

•
The adversary queried Reveal(U j , s j ) with Π s i i and Π s j j being partnered.
Now the advantage Adv A ( ) of a probabilistic polynomial time adversary A in attacking a key establishment protocol P is the function in the security parameter . Here, Succ A denotes the probability that A queries Test only on fresh instances and correctly outputs the bit b used by the Test oracle while preserving the freshness of all instances queried to Test.

Definition 5.
We say that an authenticated group key establishment protocol P is secure, if the following inequality holds for every probabilistic polynomial time adversary A some negligible function negl( ) in the security parameter : Adv A ( ) ≤ negl( ) As in [22], our security definition above implies forward secrecy. Specifically, our freshness definition (Definition 4) allows Test queries to an instances, for which the long term secret key has been revealed by a Corrupt query (or is partnered with a instance that has be queried Corrupt) as long as the adversary has not asked a Send query to any of these instances (or their partners) after the Corrupt query.

Building on a Group-Theoretic Assumption
As already indicated, we construct our group key establishment protocol in two steps: In Section 3.1 we describe a two-party solution, which subsequently is lifted to an n-party solution by means of the protocol compiler in [22].

A Two-Party Solution
On the cryptographic side, our two-party solution mainly builds on three technical tools: • A non-interactive non-malleable commitment scheme C, satisfying the following requirements: -It is perfectly binding in the sense that every commitment can be decommitted to at most one value.

-
It is non-malleable for multiple commitments. This means that an adversary who knows commitments to a polynomial sized set of values ν, will not be able to output commitments to a polynomial sized set of values β related to ν in a meaningful way. It is well-known that in the CRS model such a commitment scheme can be implemented by means of any IND-CCA2 secure public key encryption scheme, for instance.
. We further use another public value v 1 , fulfilling the same requirement as v 0 for deriving the session key (this can also be included in the CRS-see [28] for more details).
Our protocol builds on [21], and for the security proof we have to assume that the underlying group G (respectively, the family of groups G = G( ), indexed by the security parameter) satisfies a number of conditions. Besides assuming products and inverses of group elements to be computable by efficient (ppt) algorithms, we further assume G to have a ppt computable canonical representation of elements. The latter allows us to identify group elements with their canonical representation. Furthermore, as in [21], we need three algorithms to perform the computations occurring in a protocol execution: • DomPar, the domain parameter generation algorithm, is a (stateless) ppt algorithm that, upon input of the security parameter 1 , outputs a finite sequence S of elements in G. The subgroup of G spanned by S, S , will be publicly known. Note that, for the special case of applying our framework to a DDH-assumption, S specifies a public generator of a cyclic group. • SamAut, the automorphism group sampling algorithm, is a (stateless) ppt algorithm that, upon input of the security parameter 1 and a sequence S output by DomPar, returns a description of an automorphism φ on the subgroup S , so that both φ and φ −1 can be efficiently evaluated. For example, for a cyclic group, φ could be given as an exponent, or for an inner automorphism the conjugating group element could be specified. • SamSub, the subgroup sampling algorithm, is a (stateless) ppt that, upon input of the security parameter 1 and a sequence S output by DomPar, returns a word x(S) representing an element x ∈ S . Intuitively, SamSub chooses a random x ∈ S , so that it is hard to recognize x if we know elements of x's orbit under Aut( S ). Thus, our protocol requires an explicit representation of x in terms of the generators S.
With this notation, we can now define a decision problem, whose supposed difficulty will be essential for our security proof. As usual, with the notation o ← A(i) we describe that algorithm A upon receiving input i outputs o: Definition 6 (Decision Automorphism Application). Suppose that we have fixed a quadruple (G, DomPar, SamAut, SamSub). Then the decision automorphism application (DAA) assumption states that for all ppt algorithms A the advantage function Adv DAA Example 1 (Building on decision Diffie-Hellman). Let G be a finite cyclic group and S := g a prime order subgroup with generator g of order q. If we let SubSam choose uniformly at random an exponent x ∈ {1, . . . , q − 1} and SamAut uniformly at a random exponent φ ∈ {1, . . . , q − 1}, then the DAA problem just described can be recognized as polynomial-time equivalent to a decision Diffie-Hellman (DDH) problem: "DDH solution ⇒ DAA solution": When facing, the DAA problem, we obtain as input a tuple (g, g y , (g φ i , g xφ i ) i=1,2 ) where either y = x, or y has been chosen uniformly at random from {1, . . . , q − 1}-independently of x and the φ i s. Given a DDH oracle, we just query it with (g, g y , g φ 1 , g xφ 1 ) to see with non-negligible success probability which is the case. "DDH solution ⇐ DAA solution": When facing the DDH problem, we obtain as input a tuple (g, g φ 1 , g x , g y ), where either y = φ 1 x mod q, or y has been chosen uniformly at random from {1, . . . , q − 1}-independently of x and φ 1 . Choosing another random φ 2 ∈ {1, . . . , q − 1}, we can compute the input (g φ 1 , g y , (( g needed for a DAA attacker. Running a successful DAA attacker with this input, we immediately obtain the desired DDH attacker. A two-party key establishment protocol building on the DAA assumption is presented in Figure 1. The figure describes the operations to be performed by instance Π s i i of U i . For the sake of readability we name the users trying to establish a common key as U 0 and U 1 , and here, as in the sequel, we often omit making explicit the identifiers s i of the instances Π s i i involved in the protocol execution and just write sid i instead of sid s i i , for instance. The common reference string is denoted by ρ, and for a commitment to a value x involving random choices r we write C ρ (x; r). Finally, S denotes the subgroup generators which are to be fixed prior to the protocol execution by means of DomPar (and may also be included in the CRS ρ).
In the subsequent section we prove the following result: Proposition 1 (Security of the Two-Party Protocol). Assume that for each ppt time algorithm A, its advantage Adv Sig A of achieving an existential forgery under the adaptive chosen-message attack for the underlying signature scheme, and Adv DAA A , its advantage of solving DAA, can be bounded by a negligible function (in ). Then the protocol in Figure 1 is a correct and secure two-party key establishment protocol fulfilling key integrity.
In Figure 2, we describe the group key establishment protocol obtained from a given two party group key establishment protocol 2-AKE via the compiler from [22]. We note here that given the result of Proposition 1, we can apply [22, Theorem 1] (which, as noted by Nam et al. in [29] is only valid if the underlying two party construction fulfills integrity) to obtain our desired security result: Corollary 1 (Security of the n-Party Protocol). Denoting the two-party key establishment protocol in Figure 1 by 2-AKE, the protocol described in Figure 2 is a secure group key establishment fulfilling key integrity.

Round 1:
Initialization: For i = 0, 1 the variables of involved oracles Π s i i are set as pid i := {U 0 , U 1 }, SamSub(1 , S). Computation: User U i , for i = 0, 1 chooses a random r i and constructs a commitment

Round 2:
Computation: User U i , i = 0, 1, computes φ 1−i (x i ) and a signature σ i of (U i , φ 1−i (x i )) (using the representation of x i = x i (S) in terms of the generators S and the images φ i (S) of the subgroup generators).  Thus, each user U i holds two keys − → K i , ← − K i . shared with U i+1 respectively U i−1 and (non-secret) corresponding session identifiers − → sid i , ← − sid i .

Round 1:
Computation: Each U i computes and chooses a random r i to compute a commitment C i = C ρ (U i , X i ; r i ).
Each U i checks that X 0 ⊕ X 1 ⊕ · · · ⊕ X n−1 = 0 and the correctness of the commitments.
Computation: Each U i sets K i := ← − K i and computes the n − 1 values

Security Analysis for the Two-Party Case: Proof of Proposition 1
Correctness and Integrity. Due to the collision-resistance of the family F , all oracles that accept with identical session identifier use the same index value UH(K) and therewith also obtain the same session key and have identical pid i -values with overwhelming probability. Security. Let q s and q t denote the (polynomially bounded) number of adversarial queries to the Send and Test oracle, respectively.
We consider a simulator simulating all oracles and instances for the adversary. The proof is thus set up following a sequence of experiments or games, where from game to game the simulator's behavior deviates from the previous in a certain controlled way. We follow standard notation and we denote by Adv(A, G i ) the advantage of the adversary when confronted with Game i and by Succ(A, G i ) the success probability of A winning in Game i. As usual, the security parameter will be denoted denoted by .
Game 0. All oracles are simulated as defined in the model. Thus, Adv(A, G 0 ) is exactly Adv A and Succ(A, G 0 ) is the probability of violating the security of our key exchange protocol. Game 1. In this game, the simulator keeps a list with entries (i, M, σ M ) for every message M and corresponding signature σ M he has produced and returned to the adversary A in a Round 2 message following a Send query.
By Forge we denote the event that A queries the Send oracle with a message M containing a valid signature σ M of an uncorrupted principal U i and with (i, M, σ M ) not being contained in the simulator's list. If the event Forge occurs, we abort the simulation and take the adversary A for being successful in breaking the security of the protocol. Thus, Lemma 1. If the signature scheme used in the above protocol is existentially unforgeable under adaptive chosen-message attacks, then P(Forge) is negligible: P(Forge) ≤ |P | · Adv Sig A .
Proof. Any ppt adversary A provoking the event Forge can be turned into an attacker against the underlying signature scheme by means of our simulator: The simulator obtains the public verification key PK and access to a signing oracle. In the initialization phase of the protocol, the simulator assigns the key PK uniformly at random to one of the at most |P | users the adversary can involve. Whenever during the subsequent simulation a signature for this user has to be generated, the simulator queries the signing oracle. If A comes up with a message/signature pair that is not stored in the simulator's list, the simulator returns this message as existential forgery. If A does not come up with such a message, the simulator outputs ⊥. Having chosen the party U i uniformly at random, the simulator's success probability for an existential forgery is at least 1/|P | · P(Forge), and we get P(Forge) ≤ |P | · Adv Sig A .
Thus, from Equation (1), we get Game 2. Now the simulation of the Test oracle is modified, so that, on input of a fresh instance, it will always output an element selected uniformly at random in the key space. Thus, Adv(A, G 2 ) = 0.
Suppose that A is able to distinguish between Game 2 and Game 1. We construct an attacker D, that breaks the DAA assumption and uses A as a black-box. The attacker D will start by setting up the instances with key pairs for the signature scheme and receive a DAA-instance as a challenge. Further, D will choose an index a ∈ {1, . . . , q t } uniformly at random and select two values u, v ∈ {1, . . . , q s } chosen independently and uniformly at random subject to the condition u = v. Then the adversary A is started. D will simulate the model as in Game 1 except for the uth and vth instance activated by the adversary A and the answers to the Test query. For the uth and vth instances activated by A, the messages will be constructed from the DAA challenge. If these two instances do not end up in the same session, D aborts the simulation and starts anew. The same happens, if A does not query his ath Test query to one of these two instances.
D will simulate the Test oracle as follows: The first a − 1 queries of Test will be answered with the real session key, in the ath query, D will return the challenge, and from query a + 1 on, D will always answer with a random element.
By a standard hybrid argument, D will win the challenge in 1/q t of the cases where A distinguished Game 1 and Game 2. Excluding the necessary aborts (namely, if the instances that were chosen were not those used in the ath query of Test), we have: Combining Equations (2) and (3) yields the desired negligible upper bound for Adv A .

Conclusions
Our discussion evidences the possibility of meaningfully integrating tools from group theory and cryptography. Unfortunately, so far we cannot provide a concrete non-abelian example, but a concrete instance of our protocol can be derived by means of the decision Diffie-Hellman assumption. We hope, however, that the modular approach taken above facilitates the design of group key establishment schemes building on group-theoretic tools and fertilizes the exchange of ideas between group theory and cryptography.
Author Contributions: All authors contributed equally to this paper, and were cooperatively involved in conceptualization, investigation, formal analysis and writing. All authors have read and agreed to the published version of the manuscript.