Building Group Key Establishment on Group Theory: A Modular Approach

Abstract

A group key establishment protocol is presented and proven secure in the common reference string mode. The protocol builds on a group-theoretic assumption, and a concrete example can be obtained with a decision Diffie–Hellman assumption. The protocol is derived from a two-party solution by means of a protocol compiler presented by Abdalla et al. at TCC 2007, evidencing the possibility of meaningfully integrating cryptographic and group-theoretic tools in cryptographic protocol design. This compiler uses a standard ring configuration, where all users behave symmetrically, exchanging keys with their left and right neighbor, which are later combined to yield a shared group key.

1. Introduction

Cryptography is the science of handling, storing, transmitting, and processing information securely, even in the presence of adversaries. For centuries, cryptographic techniques were developed for diplomatic or military scenarios, while nowadays individuals and institutions (often obliviously) make use of cryptographic tools every day. As a complex discipline, cryptography builds upon physics, mathematics, and different research areas within computer science. Mathematics are the main source of tools for cryptographic developments, in which, security is often demonstrated using the hardness of well understood mathematical problems. This paper is concerned with the construction of a widely used cryptographic tool, a group key exchange, using group theory as a base. Key exchange allows a number of users to establish a common secret value which will be subsequently used to secure their communication. Such cryptographic tools are often constructed from number theoretical problems (described in finite cyclic groups), and a challenging research question is whether secure constructions can be derived from different problems arising in group theory.

In recent years, not only due to the advent of quantum computation, significant efforts have been made to identify new mathematical platforms for implementing cryptographic schemes. One of the explored candidate platforms is the theory of finitely presented groups, where, in particular, a number of works on key establishment have been published. The first constructions in this direction where published about twenty years ago [1,2,3], and different approaches towards secure constructions have been explored regularly, such as [4,5,6,7,8,9], and the more recently [10]. Unfortunately, most of the proposed protocols have not been analyzed in a modern cryptographic security model (like [11,12,13,14,15,16]), and only few group-theoretic constructions with a rigorous security analysis seem to be known. This lack of formalism has resulted in weaknesses being overlooked (see, for instance, [17]).

One approach to facilitate the synergy between group-theoretic and cryptographic tools is the identification of general constructions that under suitable group-theoretic conditions yield an (efficient) cryptographic scheme with provable security guarantees. As examples for research along this line of thought, proposals for constructing IND-CCA secure asymmetric encryption schemes can be mentioned [18,19]. Also, constructions for building provably secure group key establishment schemes have been proposed (cf. [20,21]), but identifying practical non-abelian instances still appears to be a challenging problem. In this contribution, we build on [21], and try to extend and simplify their approach in the following sense:

• Instead of the random oracle model, we use the common reference string model. An (expected) price we pay for this, is the need of a decisional assumption instead of a computational one that is used in [21].
• Instead of setting out for a group key establishment directly, we suggest a construction for the two-party case and thereafter apply a protocol compiler of Abdalla et al. [22].

In terms of round complexity, we lose some efficiency through the modular design approach we chose. On the other hand, this modular design approach illustrates how an integration of group-theoretic and cryptographic tools can look like. Moreover, we obtain a comparatively clear group-theoretic condition which hopefully stimulates further research on finding concrete non-abelian instances. Concrete examples of our protocol can be derived from a decision Diffie–Hellman assumption, but we hope that in subsequent work also concrete non-abelian instances can be identified.

2. Preliminaries: Security Model and Protocol Goals

To explore the security of our protocol, we adopt the model used by Abdalla et al. [22], which can be traced back to [23,24,25,26,27]. Both to formulate our two-party solution and to use the “2-to-n compiler” from [22], we assume a common reference string (CRS) to be available that encodes the following information:

• Two values $v_0$, $v_1.$ These will be the input for a pseudorandom function at the time of computing the session identifier and session key;
• The information necessary to implement a non-interactive and non-malleable commitment scheme (see Section 3.1 for further details);
• Two elements, chosen independently and uniformly at random, each taken from a family of universal hash functions (one as needed for the compiler in [22] and one for our two-party solution as detailed in Section 3.1).

This is similar to the constructions for password-authenticated key establishment in [24,27].

2.1. Communication Model and Adversarial Capabilities

As usual, we model protocol participants as probabilistic polynomial time (ppt) Turing machines (all our proofs hold for both uniform and non-uniform machines). We denote by $\mathcal{P}$ the total set of users which is assumed to be of polynomial size and by $\mathcal{U}=\{U_0,\dots ,U_{n-1}\}\subseteq \mathcal{P}$ the set of protocol participants. To enable authentication among the protocol participants, we assume that an existentially unforgeable signature scheme is available with all signing keys being chosen independently in a trusted initialization phase. The verification keys are assumed to be distributed in a trusted initialization phase, prior to the protocol execution.

2.1.1. Protocol Instances

We allow each protocol participant $U_i\in \mathcal{U}$ to execute polynomially many protocols instances in parallel. Each single instance ${\Pi }_i^{s_i}$ may be understood as a process executed by participant $U_i$. We will denote by ${\Pi }_i^{s_i}$ ($s_i\in \mathbb{N}$) the $s_i-th$ instance of user $U_i\in \mathcal{U}$, and the following seven variables are assigned to each instance:

${\mathsf{used}}_i^{s_i}$

will indicate whether this instance is or has been used for a protocol run. The ${\mathsf{used}}_i^{s_i}$ flag is set through a protocol message received by the corresponding instance due to a call to the $\mathsf{Send}$ oracle (see below);

${\mathsf{state}}_i^{s_i}$

stores the state information needed during the protocol execution;

${\mathsf{term}}_i^{s_i}$

indicates if the execution has terminated;

${\mathsf{sid}}_i^{s_i}$

denotes a session identifier (which may be public) which may be later use as identifier for the session key ${\mathsf{sk}}_i^{s_i}$ (in particular, the adversary is thus allowed to learn session identifiers);

${\mathsf{pid}}_i^{s_i}$

stores the user identities that ${\Pi }_i^{s_i}$ aims at establishing a key with. This set includes $U_i$ himself;

${\mathsf{acc}}_i^{s_i}$

indicates that the protocol instance completed a protocol successfully. That is, whether the involved user accepted the session key or not;

${\mathsf{sk}}_i^{s_i}$

stores a distinguished null value in the beginning. After a session key is accepted by ${\Pi }_i^{s_i},$ this session key replaces the null value.

We refer to a paper of Bellare et al. [14] for more details on the usage of these variables.

2.1.2. Communication Network

The network is considered to be fully asynchronous and under complete control of the adversary. Arbitrary point-to-point connections among users are available, but the adversary may delay, eavesdrop, insert, and delete messages at will.

2.1.3. Adversarial Capabilities

We restrict to adversaries $\mathcal{A}$ running in probabilistic polynomial time, whose capabilities are made explicit through the four oracles listed below. These oracles formalize the interaction between $\mathcal{A}$ and the protocol instances run by the users. For the description of the $\mathsf{Test}$ oracle, we denote by b a bit that is chosen uniformly at random.

Send(U_i, s_i, M)

This oracle sends a message M to instance ${\Pi }_i^{s_i}$ and returns the message generated by this instance. In case the instance ${\Pi }_i^{s_i}$ is previously unused and the message $M\subseteq \mathcal{P}$ contains a set of user identities, the ${\mathsf{used}}_i^{s_i}$-flag is set, ${\mathsf{pid}}_i^{s_i}$ initialized with ${\mathsf{pid}}_i^{s_i}:=\left\{U_i\right\}\cup M$. ${\Pi }_i^{s_i}$ initiates the protocol with the first message which is returned.

Reveal(U_i, s_i)

This outputs the computed key of the instance stored in ${\mathsf{sk}}_i^{s_i}$.

Test(U_i, s_i)

If the corresponding session key is defined (i. e., ${\mathsf{acc}}_i^{s_i}=\mathsf{true}$ and ${\mathsf{sk}}_i^{s_i}\ne$ null) and instance ${\Pi }_i^{s_i}$ is fresh (see Definition 4), $\mathcal{A}$ can execute this oracle query at any time when being activated. Then, if $b=0$ the session key ${\mathsf{sk}}_i^{s_i}$ is returned, while if $b=1$ a uniformly chosen random session key is returned. An arbitrary number of $\mathsf{Test}$ queries is allowed for the adversary $\mathcal{A}$, but once the $\mathsf{Test}$ oracle returned a value for an instance ${\Pi }_i^{s_i}$, the same value will be returned for all instances partnered with ${\Pi }_i^{s_i}$ (see Definition 3).

Corrupt(U_i)

This oracle models forward secrecy, as this query will output the secret signing key of user $U_i$.

2.2. Goals of a Key Establishment Protocol: Correctness, Integrity, and Security

We assume that an instance ${\Pi }_i^{s_i}$ always accepts the session key constructed at the end of a protocol run if no deviation from the protocol specification has occurred. The subsequent definition of correctness captures the protocol goal that, if the adversary is passive, all users involved in the same protocol session should come up with the same session key. By $\mathcal{A}$ being passive, we mean that $\mathcal{A}$ must not use the $\mathsf{Corrupt}$ oracle, and may query the $\mathsf{Send}$ oracle for the purpose of executing honest protocol executions only.

Definition 1

(Correctness). A group key establishment protocol $\mathsf{P}$ is correct , if in the presence of a passive adversary $\mathcal{A}$ the following holds: for all $i,j$ with both ${\mathsf{sid}}_i^{s_i}={\mathsf{sid}}_j^{s_j}$ and ${\mathsf{acc}}_i^{s_i}={\mathsf{acc}}_j^{s_j}=\mathsf{true}$, we have ${\mathsf{sk}}_i^{s_i}={\mathsf{sk}}_j^{s_j}\ne$ null and ${\mathsf{pid}}_i^{s_i}={\mathsf{pid}}_j^{s_j}$.

Unlike correctness, the concept of integrity imposes no restrictions on the adversary’s behavior:

Definition 2

(Key Integrity). A correct group key establishment protocol fulfills key integrity, if all instances of users that have accepted with the same session identifier ${\mathsf{sid}}_j^{s_j}$ hold with overwhelming probability identical session keys ${\mathsf{sk}}_j^{s_j}$ and identical partner identifiers ${\mathsf{pid}}_j^{s_j}$.

Finally, for defining security, we detail our interpretation of partnering and freshness:

Definition 3

(Partnering). Instances ${\Pi }_i^{s_i}$ and ${\Pi }_j^{s_j}$ are partnered if ${\mathsf{pid}}_i^{s_i}={\mathsf{pid}}_j^{s_j}$, ${\mathsf{sid}}_i^{s_i}={\mathsf{sid}}_j^{s_j}$, and ${\mathsf{acc}}_i^{s_i}={\mathsf{acc}}_j^{s_j}=\mathsf{true}$.

The idea of freshness is to characterize those instances where the adversary does not know the secret session key for trivial reasons. In particular, note that after revealing a session key from instance ${\Pi }_i^{s_i}$, the session keys of all instances partnered with ${\Pi }_i^{s_i}$ are known, too:

Definition 4

(Freshness). An instance ${\Pi }_i^{s_i}$ is called fresh provided that none of the following condition holds:

• For some$U_j\in {\mathsf{pid}}_i^{s_i}$a query$\mathsf{Corrupt}\left(U_j\right)$was executed before a query of the form$\mathsf{Send}(U_k,s_k,\ast )$has taken place where$U_k\in {\mathsf{pid}}_i^{s_i}$.
• The adversary queried$\mathsf{Reveal}(U_j,s_j)$with${\Pi }_i^{s_i}$and${\Pi }_j^{s_j}$being partnered.

Now the advantage ${\mathsf{Adv}}_{\mathcal{A}}\left(\ell \right)$ of a probabilistic polynomial time adversary $\mathcal{A}$ in attacking a key establishment protocol $\mathsf{P}$ is the function

$${\mathsf{Adv}}_{\mathcal{A}}:=|2·{\mathsf{Succ}}_{\mathcal{A}}-1|$$

in the security parameter ℓ. Here, ${\mathsf{Succ}}_{\mathcal{A}}$ denotes the probability that $\mathcal{A}$ queries $\mathsf{Test}$ only on fresh instances and correctly outputs the bit b used by the $\mathsf{Test}$ oracle while preserving the freshness of all instances queried to $\mathsf{Test}$.

Definition 5.

We say that an authenticated group key establishment protocol$\mathsf{P}$is secure , if the following inequality holds for every probabilistic polynomial time adversary $\mathcal{A}$ some negligible function $\mathrm{negl}\left(\ell \right)$ in the security parameter ℓ: ${\mathsf{Adv}}_{\mathcal{A}}\left(\ell \right)\le \mathrm{negl}\left(\ell \right)$

As in [22], our security definition above implies forward secrecy. Specifically, our freshness definition (Definition 4) allows $\mathsf{Test}$ queries to an instances, for which the long term secret key has been revealed by a $\mathsf{Corrupt}$ query (or is partnered with a instance that has be queried $\mathsf{Corrupt}$) as long as the adversary has not asked a $\mathsf{Send}$ query to any of these instances (or their partners) after the $\mathsf{Corrupt}$ query.

3. Building on a Group-Theoretic Assumption

As already indicated, we construct our group key establishment protocol in two steps: In Section 3.1 we describe a two-party solution, which subsequently is lifted to an n-party solution by means of the protocol compiler in [22].

3.1. A Two-Party Solution

On the cryptographic side, our two-party solution mainly builds on three technical tools:

• A non-interactive non-malleable commitment scheme $\mathcal{C}$, satisfying the following requirements:

  –

  It is perfectly binding in the sense that every commitment can be decommitted to at most one value.

  –

  It is non-malleable for multiple commitments. This means that an adversary who knows commitments to a polynomial sized set of values $\nu$, will not be able to output commitments to a polynomial sized set of values $\beta$ related to $\nu$ in a meaningful way. It is well-known that in the CRS model such a commitment scheme can be implemented by means of any IND-CCA2 secure public key encryption scheme, for instance.

• A family of universal hash functions $\mathcal{U}\mathcal{H}$ mapping triples consisting of two elements from G and a ${\mathsf{pid}}_i^{s_i}$-value onto a superpolynomial sized set ${\{0,1\}}^L$. A universal hash function $\mathrm{UH}$ will be selected by the CRS from this family.
• A collision-resistant pseudorandom function family $\mathcal{F}={\left\{F^{\ell }\right\}}_{\ell \in \mathbb{N}}$(see Katz and Shin [28]). We assume $F^{\ell }={\left\{F_{\eta }^{\ell }\right\}}_{\eta \in {\{0,1\}}^L}$ to be indexed by ${\{0,1\}}^L$ and further denote by $v_0=v_0\left(\ell \right)$ a publicly known value such that no ppt adversary can find two different indices $\lambda \ne {\lambda }^{\prime }\in {\{0,1\}}^L$ such that $F_{\lambda }\left(v_0\right)=F_{{\lambda }^{\prime }}\left(v_0\right)$. We further use another public value $v_1,$ fulfilling the same requirement as $v_0$ for deriving the session key (this can also be included in the CRS—see [28] for more details).

Our protocol builds on [21], and for the security proof we have to assume that the underlying group G (respectively, the family of groups $G=G\left(\ell \right)$, indexed by the security parameter) satisfies a number of conditions. Besides assuming products and inverses of group elements to be computable by efficient (ppt) algorithms, we further assume G to have a ppt computable canonical representation of elements. The latter allows us to identify group elements with their canonical representation. Furthermore, as in [21], we need three algorithms to perform the computations occurring in a protocol execution:

• $\mathsf{DomPar}$, the domain parameter generation algorithm, is a (stateless) ppt algorithm that, upon input of the security parameter $1^{\ell }$, outputs a finite sequence S of elements in G. The subgroup of G spanned by S, $\langle S\rangle$, will be publicly known. Note that, for the special case of applying our framework to a DDH-assumption, S specifies a public generator of a cyclic group.
• $\mathsf{SamAut}$, the automorphism group sampling algorithm, is a (stateless) ppt algorithm that, upon input of the security parameter $1^{\ell }$ and a sequence S output by $\mathsf{DomPar}$, returns a description of an automorphism $\varphi$ on the subgroup $\langle S\rangle$, so that both $\varphi$ and ${\varphi }^{-1}$ can be efficiently evaluated. For example, for a cyclic group, $\varphi$ could be given as an exponent, or for an inner automorphism the conjugating group element could be specified.
• $\mathsf{SamSub}$, the subgroup sampling algorithm, is a (stateless) ppt that, upon input of the security parameter $1^{\ell }$ and a sequence S output by $\mathsf{DomPar}$, returns a word $x\left(S\right)$ representing an element $x\in \langle S\rangle$. Intuitively, $\mathsf{SamSub}$ chooses a random $x\in \langle S\rangle$, so that it is hard to recognize x if we know elements of x’s orbit under $\mathrm{Aut}(\langle S\rangle )$. Thus, our protocol requires an explicit representation of x in terms of the generators S.

With this notation, we can now define a decision problem, whose supposed difficulty will be essential for our security proof. As usual, with the notation $o\leftarrow \mathsf{A}\left(i\right)$ we describe that algorithm $\mathsf{A}$ upon receiving input i outputs o:

Definition 6

(Decision Automorphism Application). Suppose that we have fixed a quadruple $(G,\mathsf{DomPar},\mathsf{SamAut},\mathsf{SamSub})$. Then the decision automorphism application (DAA) assumption states that for all ppt algorithms $\mathcal{A}$ the advantage function ${\mathsf{Adv}}_{\mathcal{A}}^{\mathsf{DAA}}={\mathsf{Adv}}_{\mathcal{A}}^{\mathsf{DAA}}\left(\ell \right):=$

$$\begin{array}{r}\left|\mathrm{Pr}\left(\mathcal{A}(S,x,{({\varphi }_i\left(S\right),{\varphi }_i\left(x\right))}_{i=1,2})=0\left|\begin{array}{ll}S\leftarrow \mathsf{DomPar}\left(1^{\ell }\right),& x\leftarrow \mathsf{SamSub}(1^{\ell },S),\\ {({\varphi }_i\leftarrow \mathsf{SamAut}(1^{\ell },S))}_{i=1,2}\end{array}\right.\right)\right.-\\ \mathrm{Pr}\left(\mathcal{A}(S,r,{({\varphi }_i\left(S\right),{\varphi }_i\left(x\right))}_{i=1,2})=0\left|\begin{array}{ll}S\leftarrow \mathsf{DomPar}\left(1^{\ell }\right),& x\leftarrow \mathsf{SamSub}(1^{\ell },S),\\ {({\varphi }_i\leftarrow \mathsf{SamAut}(1^{\ell },S))}_{i=1,2},& r\leftarrow \mathsf{SamSub}(1^{\ell },S)\end{array}\right)\right|\end{array}$$

is negligible.

Example 1

(Building on decision Diffie–Hellman). Let G be a finite cyclic group and $S:=\langle g\rangle$ a prime order subgroup with generator g of order q. If we let $\mathsf{SubSam}$ choose uniformly at random an exponent $x\in \{1,\dots ,q-1\}$ and $\mathsf{SamAut}$ uniformly at a random exponent $\varphi \in \{1,\dots ,q-1\}$, then the DAA problem just described can be recognized as polynomial-time equivalent to a decision Diffie–Hellman (DDH) problem:

“DDH solution ⇒ DAA solution”:

When facing, the DAA problem, we obtain as input a tuple$(g,g^y,{(g^{{\varphi }_i},g^{x{\varphi }_i})}_{i=1,2})$where either$y=x$, or y has been chosen uniformly at random from$\{1,\dots ,q-1\}$—independently of x and the${\varphi }_i$s. Given a DDH oracle, we just query it with$(g,g^y,g^{{\varphi }_1},g^{x{\varphi }_1})$to see with non-negligible success probability which is the case.

“DDH solution ⇒ DAA solution”:

When facing the DDH problem, we obtain as input a tuple$(g,g^{{\varphi }_1},g^x,g^y)$, where either$y={\varphi }_{1}x\mathrm{mod}q$, or y has been chosen uniformly at random from$\{1,\dots ,q-1\}$—independently of x and${\varphi }_1$. Choosing another random${\varphi }_2\in \{1,\dots ,q-1\}$, we can compute the input

$$(g^{{\varphi }_1},g^y,((\underset{=(g^{{\varphi }_1}{)}^{{\varphi }_1^{-1}}}{\underbrace{g}},\underset{={\left(g^{{\varphi }_{1}x}\right)}^{{\varphi }_1^{-1}}}{\underbrace{g^x}}),(\underset{={\left(g^{{\varphi }_1}\right)}^{{\varphi }_1^{-1}{\varphi }_2}}{\underbrace{g^{{\varphi }_2}}},\underset{={\left(g^{{\varphi }_{1}x}\right)}^{{\varphi }_1^{-1}{\varphi }_2}}{\underbrace{{\left(g^x\right)}^{{\varphi }_2}}}))$$

needed for a DAA attacker. Running a successful DAA attacker with this input, we immediately obtain the desired DDH attacker.

A two-party key establishment protocol building on the DAA assumption is presented in Figure 1. The figure describes the operations to be performed by instance ${\Pi }_i^{s_i}$ of $U_i$. For the sake of readability we name the users trying to establish a common key as $U_0$ and $U_1$, and here, as in the sequel, we often omit making explicit the identifiers $s_i$ of the instances ${\Pi }_i^{s_i}$ involved in the protocol execution and just write ${\mathsf{sid}}_i$ instead of ${\mathsf{sid}}_i^{s_i}$, for instance. The common reference string is denoted by $\rho$, and for a commitment to a value x involving random choices r we write $C_{\rho }(x;r)$. Finally, S denotes the subgroup generators which are to be fixed prior to the protocol execution by means of $\mathsf{DomPar}$ (and may also be included in the CRS $\rho$).

In the subsequent section we prove the following result:

Proposition 1

(Security of the Two-Party Protocol). Assume that for each ppt time algorithm $\mathcal{A}$, its advantage ${\mathsf{Adv}}_{\mathcal{A}}^{\mathsf{Sig}}$ of achieving an existential forgery under the adaptive chosen-message attack for the underlying signature scheme, and ${\mathsf{Adv}}_{\mathcal{A}}^{\mathsf{DAA}},$ its advantage of solving DAA, can be bounded by a negligible function (in ℓ). Then the protocol in Figure 1 is a correct and secure two-party key establishment protocol fulfilling key integrity.

In Figure 2, we describe the group key establishment protocol obtained from a given two party group key establishment protocol $\mathsf{2}-\mathsf{AKE}$ via the compiler from [22]. We note here that given the result of Proposition 1, we can apply [22, Theorem 1] (which, as noted by Nam et al. in [29] is only valid if the underlying two party construction fulfills integrity) to obtain our desired security result:

Corollary 1

(Security of the n-Party Protocol). Denoting the two-party key establishment protocol in Figure 1 by $\mathsf{2}-\mathsf{AKE}$, the protocol described in Figure 2 is a secure group key establishment fulfilling key integrity.

3.2. Security Analysis for the Two-Party Case: Proof of Proposition 1

Correctness and Integrity. Due to the collision-resistance of the family $\mathcal{F}$, all oracles that accept with identical session identifier use the same index value $\mathrm{UH}\left(K\right)$ and therewith also obtain the same session key and have identical ${\mathsf{pid}}_i$-values with overwhelming probability.

Security. Let $q_s$ and $q_t$ denote the (polynomially bounded) number of adversarial queries to the $\mathsf{Send}$ and $\mathsf{Test}$ oracle, respectively.

We consider a simulator simulating all oracles and instances for the adversary. The proof is thus set up following a sequence of experiments or games, where from game to game the simulator’s behavior deviates from the previous in a certain controlled way. We follow standard notation and we denote by $\mathsf{Adv}(\mathcal{A},G_i)$ the advantage of the adversary when confronted with Game i and by $\mathsf{Succ}(\mathcal{A},{\mathsf{G}}_{\mathsf{i}})$ the success probability of $\mathcal{A}$ winning in Game i. As usual, the security parameter will be denoted denoted by ℓ.

Game 0. All oracles are simulated as defined in the model. Thus, $\mathsf{Adv}(\mathcal{A},G_0)$ is exactly ${\mathsf{Adv}}_{\mathcal{A}}$ and $\mathsf{Succ}(\mathcal{A},G_0)$ is the probability of violating the security of our key exchange protocol.

Game 1. In this game, the simulator keeps a list with entries $(i,M,{\sigma }_M)$ for every message M and corresponding signature ${\sigma }_M$ he has produced and returned to the adversary $\mathcal{A}$ in a Round 2 message following a $\mathsf{Send}$ query.

By $\mathsf{Forge}$ we denote the event that $\mathcal{A}$ queries the $\mathsf{Send}$ oracle with a message M containing a valid signature ${\sigma }_M$ of an uncorrupted principal $U_i$ and with $(i,M,{\sigma }_M)$ not being contained in the simulator’s list. If the event $\mathsf{Forge}$ occurs, we abort the simulation and take the adversary $\mathcal{A}$ for being successful in breaking the security of the protocol. Thus,

$$|\mathsf{Succ}(\mathcal{A},G_1)-\mathsf{Succ}(\mathcal{A},G_0)|\le P\left(\mathsf{Forge}\right)$$

(1)

Lemma 1.

If the signature scheme used in the above protocol is existentially unforgeable under adaptive chosen-message attacks, then$P\left(\mathsf{Forge}\right)$is negligible:$P\left(\mathsf{Forge}\right)\le \left|\mathcal{P}\right|·{\mathsf{Adv}}_{\mathcal{A}}^{\mathsf{Sig}}$.

Proof. 

Any ppt adversary $\mathcal{A}$ provoking the event $\mathsf{Forge}$ can be turned into an attacker against the underlying signature scheme by means of our simulator: The simulator obtains the public verification key $PK$ and access to a signing oracle. In the initialization phase of the protocol, the simulator assigns the key $PK$ uniformly at random to one of the at most $\left|\mathcal{P}\right|$ users the adversary can involve. Whenever during the subsequent simulation a signature for this user has to be generated, the simulator queries the signing oracle.

If $\mathcal{A}$ comes up with a message/signature pair that is not stored in the simulator’s list, the simulator returns this message as existential forgery. If $\mathcal{A}$ does not come up with such a message, the simulator outputs ⊥. Having chosen the party $U_i$ uniformly at random, the simulator’s success probability for an existential forgery is at least $1/\left|\mathcal{P}\right|·P\left(\mathsf{Forge}\right)$, and we get $P\left(\mathsf{Forge}\right)\le \left|\mathcal{P}\right|·{\mathsf{Adv}}_{\mathcal{A}}^{\mathsf{Sig}}$. □

Thus, from Equation (1), we get

$$|\mathsf{Adv}(\mathcal{A},G_1)-\mathsf{Adv}(\mathcal{A},G_0)|\le \mathrm{negl}\left(\ell \right)$$

(2)

Game 2. Now the simulation of the $\mathsf{Test}$ oracle is modified, so that, on input of a fresh instance, it will always output an element selected uniformly at random in the key space. Thus, $\mathsf{Adv}(\mathcal{A},G_2)=0.$

Suppose that $\mathcal{A}$ is able to distinguish between Game 2 and Game 1. We construct an attacker D, that breaks the DAA assumption and uses $\mathcal{A}$ as a black-box. The attacker D will start by setting up the instances with key pairs for the signature scheme and receive a DAA-instance as a challenge. Further, D will choose an index $a\in \{1,\dots ,q_t\}$ uniformly at random and select two values $u,v\in \{1,\dots ,q_s\}$ chosen independently and uniformly at random subject to the condition $u\ne v$. Then the adversary $\mathcal{A}$ is started. D will simulate the model as in Game 1 except for the $u\mathrm{th}$ and $v\mathrm{th}$ instance activated by the adversary $\mathcal{A}$ and the answers to the $\mathsf{Test}$ query. For the $u\mathrm{th}$ and $v\mathrm{th}$ instances activated by $\mathcal{A}$, the messages will be constructed from the DAA challenge. If these two instances do not end up in the same session, D aborts the simulation and starts anew. The same happens, if $\mathcal{A}$ does not query his $a\mathrm{th}$$\mathsf{Test}$ query to one of these two instances.

D will simulate the $\mathsf{Test}$ oracle as follows: The first $a-1$ queries of $\mathsf{Test}$ will be answered with the real session key, in the $a\mathrm{th}$ query, D will return the challenge, and from query $a+1$ on, D will always answer with a random element.

By a standard hybrid argument, D will win the challenge in $1/q_t$ of the cases where $\mathcal{A}$ distinguished Game 1 and Game 2. Excluding the necessary aborts (namely, if the instances that were chosen were not those used in the $a\mathrm{th}$ query of $\mathsf{Test}$), we have:

$$|\mathsf{Adv}(\mathcal{A},G_2)-\mathsf{Adv}(\mathcal{A},G_1)|\le q_s^2{q}_t{\mathsf{Adv}}^{\mathsf{DAA}}$$

(3)

Combining Equations (2) and (3) yields the desired negligible upper bound for ${\mathsf{Adv}}_{\mathcal{A}}$.

4. Conclusions

Our discussion evidences the possibility of meaningfully integrating tools from group theory and cryptography. Unfortunately, so far we cannot provide a concrete non-abelian example, but a concrete instance of our protocol can be derived by means of the decision Diffie–Hellman assumption. We hope, however, that the modular approach taken above facilitates the design of group key establishment schemes building on group-theoretic tools and fertilizes the exchange of ideas between group theory and cryptography.