
In 1976, Diffie and Hellman [10] proposed a key establishment protocol which enabled two participants to establish a common key using their own secret information and some other publicly exchanged information. After that, there have been efforts to extend two-party Diffie-Hellman key exchange to the group setting [13, 8, 19]. Ingemarsson et al. [13] proposed the first conference key establishment protocol, which is called a conference key distribution system, CKDS. In this system, the nodes who want to participate in the conference are connected in a ring so that node i always sends messages to node i + 1 and node n − 1 sends messages to node 0. Figure 1.1 shows this CKDS setting. Based on this setting, the authors first proposed a CKDS of order 2 and then generalized it to order j, 2 < j ≤ n. In their CKDS of order 2, the session key is a symmetric function of degree two which has the form $g^{\sum_{0 \le i, j \le n-1,\, i \ne j} r_i r_j}$, where $r_i$, $i \in [1, n]$, is a secret value chosen randomly by node i. However, this particular system is insecure because the information exchanged by the nodes makes it possible for a passive adversary to compute the key. Besides, their system needs n − 1 rounds for all participants to establish a group key and hence it is very inefficient for a large number of participants.

Figure 1.1: CKDS setup

In [19], Steiner et al. naturally extended the Diffie-Hellman key exchange to the n-party case. These key agreement protocols are GDH.1, GDH.2, and GDH.3. The main feature of these protocols is that they are all asynchronous protocols. This means that any participant can send messages whenever they like. The main drawback of GDH.1 is its relatively large number of rounds. It requires 2(n − 1) rounds for n participants. In order to reduce the number of rounds in GDH.1, the authors modified the protocol into GDH.2. An example of four participants is shown in Figure 1.2. The number marked on each edge stands for the order of the rounds. GDH.2 requires only n rounds to compute the common group key. However, in GDH.1 and GDH.2 each participant Ui requires i + 1 exponentiations, and the computational burden increases as the group size grows. In order to reduce the computational overhead of each participant, the authors proposed GDH.3.

Figure 1.2: Message flow in GDH.2

GDH.3 requires only a constant number of exponentiations per participant and has the same communication efficiency as GDH.2. The security of these three protocols is based on the DH assumption.

Although [19] deals with node join and node leave operations, it does not consider entity authentication, so it is not secure against active adversaries.

In [1], Ateniese et al. modified GDH.2 of [19] and proposed authenticated GDH.2 (A-GDH.2) and strongly authenticated GDH.2 (SA-GDH.2). In their schemes, before the protocol execution each pair of participants has to establish a DH key which is used to provide entity authentication. In A-GDH.2, each participant Ui computes a DH key with Un, so each pair (Ui, Un) can authenticate each other. However, if Un is not trusted, participants may not agree on the same group key. An example of four participants is shown in Figure 1.3. The number marked on each edge stands for the order of the rounds. Essentially Figure 1.3 is the same as Figure 1.2 except that the last-round messages contain long-term keys $K_{in}$ in the exponents. SA-GDH.2 makes an arbitrary pair (Ui, Uj), $i \ne j$, authenticate each other. Both A-GDH.2 and SA-GDH.2 provide perfect forward secrecy (PFS) and resistance to passive known-key attacks. PFS is the property that compromise of a long-term key cannot result in the compromise of past session keys, and it is important in an authenticated group key agreement protocol. The member join and member leave procedures are also provided in A-GDH.2 and SA-GDH.2, and they are similar to those in GDH.2 except that each message in the broadcast flow contains long-term keys in the exponent.

Figure 1.3: Message flow in A-GDH.2

In [6], Bresson et al. developed the first formal security model for an authenticated conference key agreement protocol. They model instances of players via oracles available to the adversary through queries. The queries can be issued at any time, which allows modeling attacks involving multiple instances of players activated concurrently and simultaneously by the adversary. Two modes of corruption, the weak-corruption model and the strong-corruption model, are considered. In the weak-corruption model, a corruption only reveals the long-lived key (LL-key) of player U. In the strong-corruption model, however, a corruption reveals not only the LL-key of U but also all internal data that its instances did not explicitly erase. In order to model these two modes of corruption, they consider the presence of two cryptographic devices, secure coprocessors and smart cards, which are made available to the adversary through queries. Before their work, there had been little formal security analysis [9, 18]. They modified the protocols in [7] and [5] to obtain a protocol, referred to as AKE1+, which is secure against strong corruptions. Their security theorem does not need the random oracle assumption [3] and thus holds in the standard model.

The protocols mentioned above are generalized from the Diffie-Hellman key exchange protocol. Burmester and Desmedt [8] presented a notable result. They proposed several conference key agreement protocols based on various types of network connections. In their broadcast channel based scheme, the session key is a cyclic function (of the indices of the users) of degree two which has the form $g^{r_1 r_2 + r_2 r_3 + \cdots + r_n r_1}$, where $r_i$, $i \in [1, n]$, is a secret value chosen randomly by node i. Their unauthenticated conference key agreement protocol based on a broadcast channel requires only two rounds and is very communication-efficient. Based on the Diffie-Hellman (DH) assumption, their protocols are proven secure against a passive adversary. For data origin authentication they use an interactive public key authentication scheme which is proven secure based on the discrete logarithm (DL) assumption. Combining the interactive data origin authentication scheme with the unauthenticated conference key agreement protocol makes the conference key agreement protocol provably secure against malicious active adversaries based on the DH assumption. However, [13] and [8] did not provide member join and member leave procedures.

In [2], Becker and Wille derived a lower bound of one round for multi-party contributory key agreement protocols. However, no generalized Diffie-Hellman key exchange is able to meet this bound. They left as an open problem whether any contributory key agreement scheme can meet this bound. Some group key agreement protocols [4, 23] proposed after Becker and Wille require only a constant number of rounds.

In [23], the authors proposed two group key agreement protocols which are proved to have fault tolerance, correctness, fairness, authentication, and no useful information leakage, and which require only one round. The main feature of [23] is that non-interactive proof systems (NIPVS) and non-interactive proof systems with authentication (NIAPVS) are used. In their proposed protocols, fault tolerance and authentication can be achieved by using either NIPVS together with a digital signature, or NIAPVS. Their protocols are secure against passive and active adversaries under the random oracle model. They also modified Protocol 3 in [8] to obtain a protocol with fault tolerance.

In [4], Boyd and Nieto pointed out that in [23] the session token (ST) is used to prevent replay attacks, and unless the ST is agreed beforehand their protocols cannot be completed in one round. They proposed a protocol which requires only one round on the side. Their protocol is proved secure in Bellare and Rogaway's model [3]. However, neither [23] nor [4] provides forward secrecy.

In [22] the author proposed a conference key agreement protocol with both forward secrecy and fault tolerance. Before this work, [14] proposed a protocol with forward secrecy and [21] proposed a protocol with fault tolerance. However, neither [14] nor [21] provides both forward secrecy and fault tolerance.

The remainder of this paper is organized as follows. Chapter 2 introduces some tools we use in our protocol. Chapter 3 describes the problem and the security requirements of a group key agreement protocol. Chapter 4 gives an overview and describes the details of our secure group key agreement protocol. The security analysis and the performance analysis are discussed in Chapter 5 and Chapter 6. Finally, we give a conclusion and future work in Chapter 7.

Chapter 2

Preliminaries

In this chapter we introduce some tools used in our protocol.

2.1 (t, n)-threshold Secret Sharing Scheme

The goal of a secret sharing scheme is to share a secret s among n parties so that each party Pi keeps a share si for 1 ≤ i ≤ n. A coalition of some of the parties is able to recover s.

Shamir proposed a (t, n)-threshold secret sharing scheme in 1979 [16]. In this scheme a threshold t is set. Any t of the n shares are sufficient to recover s, and it is impossible to do so from t − 1 or fewer shares. The scheme comprises two parts: secret sharing and secret recovery.

• Secret sharing:

Given a secret $s \in \mathbb{Z}_q$, a threshold $t$, and a number $n$, randomly select a $(t-1)$-degree polynomial

$$f(x) = \sum_{i=1}^{t-1} a_i x^i + s \pmod q$$

and compute

are groups of prime order, this implies that if $P$ is a generator of $G_1$ then $\hat{e}(P, P)$ is a generator of $G_2$.

3. Computable: There is an efficient algorithm to compute $\hat{e}(P, Q)$ for all $P, Q \in G_1$.
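Shamir's (t, n)-threshold scheme of Section 2.1, as an added example that is not the thesis's own code: each share is a point (i, f(i)) on the random polynomial above, and recovery is Lagrange interpolation at x = 0 (the standard recovery step, assumed here since the excerpt breaks off before it). The modulus q = 2^127 - 1 is an assumption; any prime q > n works.

```python
# Added example (not from the thesis): Shamir (t, n)-threshold secret sharing
# over Z_q as in Section 2.1: f(x) = a_1 x + ... + a_{t-1} x^{t-1} + s (mod q),
# share i is f(i). Recovery uses Lagrange interpolation at x = 0 (the standard
# recovery step; assumed here, as the excerpt breaks off before it).
import secrets

Q = 2**127 - 1   # assumed modulus: a Mersenne prime; any prime q > n works


def share(s, t, n, q=Q):
    """Split secret s into n shares (i, f(i)); any t of them recover s."""
    if not (0 <= s < q and 1 <= t <= n < q):
        raise ValueError("need 0 <= s < q and 1 <= t <= n < q")
    # a_0 = s is the secret; a_1 .. a_{t-1} are uniformly random in Z_q
    coeffs = [s] + [secrets.randbelow(q) for _ in range(t - 1)]

    def f(x):
        # Horner evaluation of the degree-(t-1) polynomial mod q
        y = 0
        for a in reversed(coeffs):
            y = (y * x + a) % q
        return y

    return [(i, f(i)) for i in range(1, n + 1)]


def recover(shares, q=Q):
    """Lagrange interpolation at x = 0 over any t (or more) distinct shares.

    With fewer than t shares the result is a random-looking wrong value,
    which is exactly the (t-1)-share secrecy property of the scheme.
    """
    s = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (0 - xj) % q     # product of (0 - x_j)
                den = den * (xi - xj) % q    # product of (x_i - x_j)
        # basis value L_i(0) = num / den; inverse via Fermat since q is prime
        s = (s + yi * num * pow(den, q - 2, q)) % q
    return s
```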

2.3 Proof of Equal Logarithm

In our group key agreement protocol we use non-interactive proof of knowledge of the common logarithm r of y = gr ∈ Z and y = gr ∈ Z. It
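The non-interactive proof of equal logarithm that Section 2.3 relies on, as an added example that is not part of the thesis: a Chaum-Pedersen style proof that y1 = g1^r and y2 = g2^r share the exponent r, made non-interactive with the Fiat-Shamir heuristic. The group parameters (a constructed 32-bit safe prime p = 2q + 1, generators 4 and 9 of the order-q subgroup, SHA-256 as the hash) are assumptions for illustration, not the thesis's choices.

```python
# Added example (not from the thesis): Chaum-Pedersen proof of equal discrete
# logarithm (y1 = g1^r, y2 = g2^r) made non-interactive via Fiat-Shamir.
# Assumed setting: order-q subgroup of Z_p^*, p = 2q + 1 a safe prime, generators g1, g2.
import hashlib
import math
import secrets

def is_prime(n):
    # deterministic trial division; adequate for the 32-bit toy parameters used here
    return n > 1 and all(n % d for d in range(2, math.isqrt(n) + 1))

def safe_prime(bits):
    # constructed toy parameters: p = 2q + 1 with both p and q prime
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_prime(q) and is_prime(2 * q + 1):
            return 2 * q + 1, q

P, Q = safe_prime(32)                  # 32-bit demo group, far too small for real use
G1, G2 = pow(2, 2, P), pow(3, 2, P)    # squares have order q; assumed independent generators

def challenge(*values):
    # Fiat-Shamir challenge: hash the public statement and commitments into Z_q
    data = b"|".join(str(v).encode() for v in values)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def prove_equal_log(r, y1, y2):
    # prover knows r with y1 = G1^r and y2 = G2^r; the proof is (c, z)
    w = secrets.randbelow(Q)                       # fresh commitment randomness
    t1, t2 = pow(G1, w, P), pow(G2, w, P)
    c = challenge(G1, G2, y1, y2, t1, t2)
    return c, (w + c * r) % Q                      # z = w + c*r mod q hides r

def verify_equal_log(y1, y2, proof):
    # recompute both commitments from (c, z); accept iff the challenge matches
    c, z = proof
    if not all(1 < y < P and pow(y, Q, P) == 1 for y in (y1, y2)):
        return False                               # reject values outside the subgroup
    t1 = pow(G1, z, P) * pow(y1, Q - c, P) % P     # y1^(q-c) = y1^(-c); equals G1^w iff log y1 = r
    t2 = pow(G2, z, P) * pow(y2, Q - c, P) % P     # same check against the second base
    return challenge(G1, G2, y1, y2, t1, t2) == c
```

A proof for y1 and y2 with different exponents, a tampered response, or a value outside the order-q subgroup is rejected, while a correct proof verifies without revealing r.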
