Protocols for authenticated key exchange (AKE) allow parties within an insecure network to establish a common session key which can then be used to secure their future communication. It is fair to say that group AKE is currently less well understood than the case of two-party AKE; in particular, attacks by malicious insiders --- a concern specific to the group setting --- have so far been considered only in a relatively "ad-hoc" fashion. The main contribution of this work is to address this deficiency by providing a formal, comprehensive model and definition of security for group AKE which automatically encompasses insider attacks. We do so by defining an appropriate ideal functionality for group AKE within the universal composability (UC) framework. As a side benefit, any protocol secure with respect to our definition is secure even when run concurrently with other protocols, and the key generated by any such protocol may be used securely in any subsequent application.In addition to proposing this definition, we show that the resulting notion of security is strictly stronger than the one proposed by Bresson, et al. (termed "AKE-security"), and that our definition implies all previously-suggested notions of security against insider attacks. We also show a simple technique for converting any AKE-secure protocol into one secure with respect to our definition.

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	Y. Amir, Y. Kim, C. Nita-Rotaru, J. Schultz, J. Stanton, and G. Tsudik. Exploring Robustness in Group Key Agreement. ICDCS 2001.
	2	Mihir Bellare , Phillip Rogaway, Entity Authentication and Key Distribution, Proceedings of the 13th Annual International Cryptology Conference on Advances in Cryptology, p.232-249, August 22-26, 1993
	3	Mihir Bellare , Phillip Rogaway, Provably secure session key distribution: the three party case, Proceedings of the twenty-seventh annual ACM symposium on Theory of computing, p.57-66, May 29-June 01, 1995, Las Vegas, Nevada, United States  [doi>10.1145/225058.225084]
	4	Mihir Bellare , Ran Canetti , Hugo Krawczyk, A modular approach to the design and analysis of authentication and key exchange protocols (extended abstract), Proceedings of the thirtieth annual ACM symposium on Theory of computing, p.419-428, May 24-26, 1998, Dallas, Texas, United States  [doi>10.1145/276698.276854]
	5	M. Bellare, D. Pointcheval, and P. Rogaway. Authenticated Key Exchange Secure Against Dictionary Attacks. Eurocrypt 2000.
	6	Simon Blake-Wilson , Don Johnson , Alfred Menezes, Key Agreement Protocols and Their Security Analysis, Proceedings of the 6th IMA International Conference on Cryptography and Coding, p.30-45, December 17-19, 1997
	7	Emmanuel Bresson , Olivier Chevassut , David Pointcheval , Jean-Jacques Quisquater, Provably authenticated group Diffie-Hellman key exchange, Proceedings of the 8th ACM conference on Computer and Communications Security, November 05-08, 2001, Philadelphia, PA, USA  [doi>10.1145/501983.502018]
	8	Emmanuel Bresson , Olivier Chevassut , David Pointcheval, Provably Authenticated Group Diffie-Hellman Key Exchange - The Dynamic Case, Proceedings of the 7th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology, p.290-309, December 09-13, 2001
	9	Emmanuel Bresson , Olivier Chevassut , David Pointcheval, Dynamic Group Diffie-Hellman Key Exchange under Standard Assumptions, Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques: Advances in Cryptology, p.321-336, May 02, 2002
	10	Ray Bird , Inder S. Gopal , Amir Herzberg , Philippe A. Janson , Shay Kutten , Refik Molva , Moti Yung, Systematic Design of Two-Party Authentication Protocols, Proceedings of the 11th Annual International Cryptology Conference on Advances in Cryptology, p.44-61, August 11-15, 1991
	11	Christian Cachin , Reto Strobl, Asynchronous group key exchange with failures, Proceedings of the twenty-third annual ACM symposium on Principles of distributed computing, July 25-28, 2004, St. John's, Newfoundland, Canada  [doi>10.1145/1011767.1011820]
	12	R. Canetti, Universally Composable Security: A New Paradigm for Cryptographic Protocols, Proceedings of the 42nd IEEE symposium on Foundations of Computer Science, p.136, October 14-17, 2001
	13	Ran Canetti , Hugo Krawczyk, Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels, Proceedings of the International Conference on the Theory and Application of Cryptographic Techniques: Advances in Cryptology, p.453-474, May 06-10, 2001
	14	Ran Canetti , Hugo Krawczyk, Universally Composable Notions of Key Exchange and Secure Channels, Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques: Advances in Cryptology, p.337-351, May 02, 2002
	15	R. Canetti and T. Rabin. Universal Composition with Joint State. Crypto 2003.
	16	Z. Cheng, L. Vasiu, and R. Comley. Pairing-Based One-Round Tripartite Key Agreement Protocols. Available at http://eprint.iacr.org/2004/079.
	17	H.-Y. Chien. Comments: Insider Attack on Cheng et al.'s Pairing-Based Tripartite Key Agreement Protocols. Available at http://eprint.iacr.org/2005/013.
	18	W. Diffie and M. Hellman. New Directions in Cryptography. IEEE Trans. Info. Theory 22(6): 644--654 (1976).
	19	Whitfield Diffie , Paul C. Van Oorschot , Michael J. Wiener, Authentication and authenticated key exchanges, Designs, Codes and Cryptography, v.2 n.2, p.107-125, June 1992  [doi>10.1007/BF00124891]
	20	X. Du, Y. Wang, J. Ge, and Y. Wang. An Improved ID-Based Authenticated Group Key Agreement Scheme. Available at http://eprint.iacr.org/2003/260.
	21	M. Fischlin. Pseudorandom Function Tribe Ensembles Based on One-Way Permutations: Improvements and Applications. Eurocrypt '99.
	22	Oded Goldreich , Shafi Goldwasser , Silvio Micali, How to construct random functions, Journal of the ACM (JACM), v.33 n.4, p.792-807, Oct. 1986  [doi>10.1145/6490.6503]
	23	J. Katz and M. Yung. Scalable Protocols for Authenticated Group Key Exchange. Crypto 2003. Full version available at http://www.cs.umd.edu/~jkatz/papers.html.
	24	Gavin Lowe, A Hierarchy of Authentication Specifications, Proceedings of the 10th Computer Security Foundations Workshop (CSFW '97), p.31, June 10-12, 1997
	25	B. Pfitzmann, M. Steiner, and M. Waidner. A Formal Model for Multi-Party Group Key Agreement. Technical Report RZ-3383 (#93419), IBM Research.
	26	Birgit Pfitzmann , Michael Waidner, A Model for Asynchronous Reactive Systems and its Application to Secure Message Transmission, Proceedings of the 2001 IEEE Symposium on Security and Privacy, p.184, May 14-16, 2001
	27	Shahrokh Saeednia , Reihaneh Safavi-Naini, Efficient Identity-Based Conference Key Distribution Protocols, Proceedings of the Third Australasian Conference on Information Security and Privacy, p.320-331, July 01, 1998
	28	K. Shim. Cryptanalysis of Al-Riyami-Paterson's Authenticated Three Party Key Agreement Protocols. Available at http://eprint.iacr.org/2003/122.
	29	V. Shoup. On Formal Models for Secure Key Exchange. Available at http://eprint.iacr.org/1999/012.
	30	M. Steiner. Secure Group Key Agreement. PhD Thesis, Universitat des Saarlandes, 2002. Available at http://www.semper.org/sirene/publ/Stei_02.thesis-final.pdf.
	31	H.-M. Sun and B.-T. Hsieh. Security Analysis of Shim's Authenticated Key Agreement Protocols from Pairings. Available at http://eprint.iacr.org/2003/113.
	32	Q. Tang and C.J. Mitchell. Rethinking the Security of Some Authenticated Group Key Agreement Schemes. Available at http://eprint.iacr.org/2004/348.
	33	Fangguo Zhang , Xiaofeng Chen, Attack on an ID-based authenticated group key agreement scheme from PKC 2004, Information Processing Letters, v.91 n.4, p.191-193, 31 August 2004  [doi>10.1016/j.ipl.2004.04.008]