Private group communication : two perspectives and a unifying solution
- Author(s): Panjwani, Saurabh Kumar
- et al.
Private communication in groups of users is a security problem that is relevant in a host of real-world applications like pay-per-view, secure online conferencing and the protection of content on digital media. Despite a long history of research on the topic, there exists a fundamental dichotomy in the literature in the manner in which the problem is modeled and security analysis of protocols conducted. Most of the existing protocols for the problem have been analyzed using a simple "symbolic'' model of computation, one in which cryptographic primitives are treated as ideal objects and adversarial behavior defined using a fixed set of inference rules. Some others have been approached using a more detailed computational model, wherein security is based on complexity assumptions (like the existence of one-way functions) and proven using very careful probabilistic analysis. The two approaches have their individual merits but are in conflict with each other: while the method of the computational approach is more realistic, security proofs in the symbolic approach are far easier to produce and to verify. This thesis reconciles the two approaches and proposes a methodology for analyzing protocols that is symbolic in nature, and still powerful enough to guarantee security against arbitrary computationally-bounded entities. We define a large class of protocols for private group communication, and provide syntactic condition on protocols in this class such that any protocol that satisfies these conditions, and meets the symbolic definition of security, is guaranteed to be secure in the computational model as well. Such an implication enables us to conduct security analysis of protocols (falling within our class) symbolically, and simultaneously reap the benefits of computational security analysis. As an illustration, we apply our methodology to the security analysis of four existing protocols for group privacy, two of which were not known to be computationally secure prior to our work. An important contribution of this thesis is a new technique to prove security of group privacy protocols in the presence of computational adversaries who can corrupt protocol participants in an adaptive manner. We show that if one suitably restricts the length of encryption chains (sequences of ciphertexts of the form EK₁(K₂), EK₂(K₃), EK₃(K₄),...) generated in protocol executions, then security of a protocol against adaptive corruptions follows almost immediately from its security in the symbolic model. Prior to our work, all techniques to proving adaptive security of privacy protocols involved either restricting the security model severely (for example, by requiring all users to be stateless or using non-standard, and inefficient, ways to implement the encryption operation