This is the full version of the extended abstract which appears in Advances in Cryptology – Proceedings of ASIACRYPT ’02 (1 – 5 december 2002, Queenstown, New-Zealand) Y. Zheng Ed. Springer-Verlag, LNCS 2501, pages 497–514.

Group Diffie-Hellman Key Exchange Secure Against Dictionary Attacks
E. Bresson1 , O. Chevassut2 , and D. Pointcheval1
1 ´ Ecole normale sup´rieure, 75230 Paris Cedex 05, France e http://www.di.ens.fr/∼{bresson,pointche}, {Emmanuel.Bresson,David.Pointcheval}@ens.fr. 2 Lawrence Berkeley National Laboratory, Berkeley, CA 94720, USA, http://www.itg.lbl.gov/∼chevassu, OChevassut@lbl.gov.

Abstract. Group Diffie-Hellman schemes for password-based key exchange are designed to provide a pool of players communicating over a public network, and sharing just a human-memorable password, with a session key (e.g, the key is used for multicast data integrity and confidentiality). The fundamental security goal to achieve in this scenario is security against dictionary attacks. While solutions have been proposed to solve this problem no formal treatment has ever been suggested. In this paper, we define a security model and then present a protocol with its security proof in both the random oracle model and the ideal-cipher model.

1

Introduction

Group Diffie-Hellman schemes for password-based key exchange are designed to provide a pool of players, communicating over a public network, and holding a shared human-memorable password with a session key to be used to implement secure multicast sessions. A human-memorable password pw is a (short) string chosen from a relatively small dictionary to be easily memorized and typed-in by a human. Consider mission-critical applications such as emergency rescue and military operations [18, 19, 21], or even commercial applications like conferencing/meeting [1, 19] and personal networking [5, 13], where a (small) group of people collaborate. These applications operate in a highly mobile environment characterized by the