
The New Protocols

4.2 Protocol Conf-2

Though the protocol Conf-1 is round-efficient, it does not provide forward secrecy. In protocol Conf-2, we add an extra round to exchange a temporary random public key. In this way, our protocol provides forward secrecy.

Protocol. Let U = {U1, . . . , Un} be the initial participant set, and each participant Ui, 1 ≤ i ≤ n, knows U. Without loss of generality, we assume that U1 is the initiator who calls for a conference for the set U and sets the session token ST. Before executing this protocol, each participant is given a public key and private key pair by running algorithm Gen, and the key pair (PKi, SKi) = (yi, xi) satisfies yi = g^xi mod p. Let h be a collision-resistant hash function, which is used in the modified ElGamal signature scheme; it is always computed together with the session token ST, which is unique for each conference session, to prevent replay attacks.

In this protocol, each participant Ui first selects a random value vi and computes his temporal public key Yi = yi^vi mod p, then transfers this key to the other participants along with its signature. After all participants have authenticated the new public keys, the participants in the conference run Conf-1 using these temporal public keys. We formalize this protocol in Figure 4.2.

Figure 4.2: Protocol Conf-2

– System parameters are the same as Conf-1.

– The participant Ui does the following four steps:

Step 1. Temporal Public Key Exchange

[...]

(d) If participant Uj's message passes the checks in the previous two steps, then add Uj to the honest participant set Ui.

(e) Compute the conference key sk of session SID, where

sk = ∏_{j ∈ Ui} cj mod p = g^{kj,1 + ··· + kj,m}, ∀j ∈ Ui

Security Analysis. For security, we prove that protocol Conf-2 meets all the security requirements defined in the previous chapter. First of all, we show that this protocol satisfies validity, fairness, and fault tolerance against malicious participants in Lemma 4. Then we follow Bellare and Rogaway's model to prove its authentication and indistinguishability in Lemma 5 and Lemma 6 respectively. Finally, we conclude our proofs in Theorem 3. Forward secrecy is achieved by using the fs-fresh oracle definition, which we explain later.

Lemma 4 (Fault tolerance, Validity and Fairness) All honest participants who follow the protocol compute a common conference key with overwhelming probability, no matter how many participants are malicious. Furthermore, the common conference key is determined by the honest participants in an unbiased way.

Proof. In this protocol, all users can authenticate the temporal public keys, since we use the modified ElGamal signature scheme to sign the temporal key. Once the temporal keys are authenticated, the remaining steps are identical to protocol Conf-1; thus its fault tolerance, validity and fairness can be proved similarly. □

Here, we also follow Bresson et al. [12] and divide the proof into two cases: the adversary A breaks our protocol either by forging a signature with respect to some participant's signing key, or without forging a signature. For authentication, we show that if A gains her advantage by forging a signature, we can use A to construct a signature forging algorithm F against the signature scheme S, by guessing which participant A will choose to produce a forgery for during the protocol runs. For indistinguishability, if A could break the protocol without altering the content of the flows (i.e. without forging a signature on some messages), then we can construct an algorithm D to solve an instance of the DDH problem.

For forward secrecy, we use a different definition of a fresh oracle, called fs-fresh, as mentioned in Section 3.2. In this definition, the adversary A may make a Corrupt query on U after asking a Test query on U; since the query Corrupt(U) only returns participant U's long-lived secret key, it does not disclose information about session keys established previously in the forward-secure setting.

Lemma 5 (Authentication) Assume the random oracle model. If an outsider A can impersonate a legal participant Ui by forging his signature with non-negligible advantage ε within time t, being allowed to query the signing oracle qs times, then we can use A to construct a signature forging algorithm F against the signature scheme S, which succeeds with non-negligible advantage ε/n within time t′ ≤ t + qs T(k).

Proof. We use A to construct a forging algorithm F for the signature scheme S. F is given some participant's public key e in the signature scheme S and access to a signing oracle for the corresponding secret key d. A successful F must output a valid signature (m, σ) (i.e. S.Ver(e, m, σ) = 1) for some message m which was not previously asked to the signing oracle. The forger F proceeds as follows:

1. Setup

(a) Randomly choose a participant U ∈ U.

(b) For participant Ui = U, assign the given e as his public key yi.

(c) For every other participant Ui ≠ U, run the key generating function Gen of the protocol to assign user Ui's key pair (yi, xi), where yi = g^xi.

2. F runs A as a subroutine

F answers A’s queries as follows, and maintains a list H for hash queries.

– Send(Ui, s, m) : F outputs what he should output, following the protocol. When he needs to generate the signature of the partial secret Sig(g^ki) for the selected user Ui = U, he queries the signing oracle. Otherwise, he can sign by himself because he owns all the other keys.

– Reveal(Ui, s) : returns the session key sk in which the oracle Π^s_{Ui} was involved.

– Corrupt(Ui) : If Ui = U then F fails, else returns participant Ui’s long-lived secret key xi.

– h(m) : If (m, h(m)) is not in F’s list H, returns a random string r and adds (m, r) to the list, else returns message m’s corresponding hash value.

3. Output

During the execution of A, if A makes a query Send( · , (m, σ)), where σ is a valid signature on m with respect to yi for Ui = U, and m was not queried to the signing oracle previously, then F outputs (m, σ) as his forgery. Otherwise, when A terminates, the forger F fails.

At the beginning, we assumed that A can forge a signature with non-negligible advantage ε within time t. The probability that this forgery is with respect to our chosen participant U is at least 1/n. Thus the forger F succeeds with probability Succ^cma_S(F) ≥ ε/n, and its running time is t′ ≤ t + qs T(k), where T(k) is the running time of a signing oracle query. □

Lemma 6 (Indistinguishability) Assume the random oracle model. If an adversary A could break the protocol without altering the content of the flows, with advantage at least ε within time t, then we can construct an algorithm D that solves an instance of the DDH problem with advantage ε/n within time t′ ≤ t + qh T(k).

D answers A’s queries as follows, and maintains a list H for hash queries.

– Send(Ui, s, m) : If the query belongs to step 1 or step 2, D follows the protocol. Otherwise, D does the following steps:

i. If Ui = U, then set ci = u2; else choose a random ki ∈ Zq and set ci = g^ki.

ii. If Ui = U, then set ui,j = u3 for Uj = U″ and ui,j = u2^{rj vj} for Uj ≠ U, U″; else set ui,j = Yj^ki for all j ≠ i.

iii. Forge the NIPVS through the hash oracle: randomly select (c, w) and set H(g ‖ Y1 ‖ ··· ‖ Yn ‖ ui,1 ‖ ··· ‖ ui,n ‖ Y1^w u_{i,1}^c ‖ ··· ‖ Yn^w u_{i,n}^c) = c in list H.

iv. If Ui = U″, D needs to forge the signature of ci: he randomly selects a ∈ Zq and b ∈ Zq, returns (ri, si) = (g^a yi^b, −ri b^{−1}), and sets H(SID, ri, u2) = −ri a b^{−1} in list H. Otherwise he can sign by himself because he generated all other participants' keys.

– Reveal(Ui, s) : Returns the session key sk in which the oracle Π^s_{Ui} was involved. Though D does not [...]

– h(m) : [...] adds (m, r) to the list, else returns message m's corresponding hash value.

3. Output

Eventually, adversary A outputs a guess b′, and wins the game if b′ = b. If adversary A wins, then the distinguisher D outputs b; otherwise D outputs a random bit b″ ∈ {0, 1}.

Initially, we assumed that A can break the protocol without altering the content of the flows, with advantage at least ε within time t. The probability that D hands out the random sk is 1/2. The probability that adversary A uses the messages sent to U″ to distinguish the real sk is at least 1/n. Thus the distinguisher D succeeds with probability Succ^DDH(D) ≥ 1/2 + ε/n, and its running time is t′ ≤ t + qh T(k), where T(k) is the running time of a hash oracle query. □
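The step-1 signature on the temporal public key (hashed together with the session token, as described at the start of this section) and the hash-oracle programming of step iv above, as an added toy example in Python that is not part of the thesis. The small group parameters and the verification equation g^h ≡ y^r · r^s (mod p) are assumptions: the page does not state the verification equation, but the (ri, si) and the programmed hash value of step iv satisfy exactly this relation.

```python
"""Constructed toy model (not the thesis's code) of two pieces of Conf-2: the
modified ElGamal signature on step-1 messages, hashed with the session token,
and the Lemma 6 step-iv hash-oracle programming that lets the simulator D
answer for a participant whose secret key it does not know."""
import hashlib
import secrets

# Constructed toy group: safe prime p, q = (p-1)/2, g = 4 generates the order-q
# subgroup. Far too small for real use; it only keeps the arithmetic readable.
p, q, g = 10007, 5003, 4

def H(sid, r, m, oracle=None):
    """h(SID, r, m) reduced mod q. `oracle` models the programmable random oracle list H."""
    key = f"{sid}|{r}|{m}"
    if oracle is not None and key in oracle:
        return oracle[key]
    return int.from_bytes(hashlib.sha256(key.encode()).digest(), "big") % q

def keygen(x=None):
    """Gen: key pair (yi, xi) with yi = g^xi mod p."""
    x = x or secrets.randbelow(q - 1) + 1
    return pow(g, x, p), x

def temporal_key(y, v):
    """Conf-2 step 1: temporal public key Yi = yi^vi mod p (signed before broadcast)."""
    return pow(y, v, p)

def sign(x, sid, m, k=None):
    """Honest signer: r = g^k, s = (h - x*r) * k^-1 mod q with h = H(SID, r, m)."""
    k = k or secrets.randbelow(q - 1) + 1
    r = pow(g, k, p)
    s = (H(sid, r, m) - x * r) * pow(k, -1, q) % q
    return r, s

def verify(y, sid, m, r, s, oracle=None):
    """Assumed verification equation g^h == y^r * r^s (mod p). A signature made
    under one session token fails under another, which is what blocks replay."""
    h = H(sid, r, m, oracle)
    return pow(g, h, p) == pow(y, r, p) * pow(r, s, p) % p

def simulate_signature(y, sid, m, a=None, b=None):
    """Lemma 6 step iv: without x, pick a, b, set (r, s) = (g^a * y^b, -r * b^-1)
    and program H(SID, r, m) = -r * a * b^-1 mod q. Only a simulator that controls
    the hash oracle can do this; against a real hash the pair does not verify."""
    a = a or secrets.randbelow(q - 1) + 1
    b = b or secrets.randbelow(q - 1) + 1
    r = pow(g, a, p) * pow(y, b, p) % p
    b_inv = pow(b, -1, q)
    oracle = {f"{sid}|{r}|{m}": (-r * a * b_inv) % q}
    return (r, (-r * b_inv) % q), oracle
```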

Theorem 3 Assume the random oracle model and a broadcast channel. The protocol Conf-2 meets all security requirements: authentication, validity, fairness, fault tolerance, indistinguishability, and forward secrecy.

Proof. First we show that the protocol satisfies validity, fairness, and fault tolerance in Lemma 4. Then its authentication is proved in Lemma 5, and finally its indistinguishability is proved in Lemma 6. Forward secrecy is achieved by using the fs-fresh definition of an oracle, which allows Corrupt queries after a Test query on some user U. Thus we conclude that the protocol meets all the security requirements mentioned. □
