ID-based group password-authenticated key exchange

Abstract

Password-authenticated key exchange (PAKE) protocols are designed to be secure even when the secret key used for authentication is a human-memorable password. In this paper, we consider PAKE protocols in the group scenario, in which a group of clients, each of them shares his password with an "honest but curious" server, intend to establish a common secret key (i.e., a group key) with the help of the server. In this setting, the key established is known to the clients only and no one else, including the server. Each client needs to remember the password only while the server keeps passwords in addition to private keys related to its identity. Towards our goal, we present a compiler that transforms any group key exchange (KE) protocol which is secure against a passive eavesdropping to a group PAKE which is secure against an active adversary who controls all communications in the network. This compiler is built on a group KE protocol, an identity-based encryption (IBE) scheme, and an identity-based signature (IBS) scheme. It adds only two rounds and O(1) communication (per client) to the original group KE protocol. As long as the underlying group KE protocol, IBE scheme and an IBS scheme have provable security without random oracles, the group PAKE constructed by our compiler can be proven to be secure without random oracles. © 2009 Springer-Verlag Berlin Heidelberg.