
Round-Efficient Conference Key Agreement Protocols with Forward Secrecy (有效減少通訊回合數且向前安全的會議金鑰建立協定)


Academic year: 2021


Full text

National Chiao Tung University, Department of Computer and Information Science, Master's Thesis

Round-Efficient Conference Key Agreement Protocols with Forward Secrecy
(有效減少通訊回合數且向前安全的會議金鑰建立協定)

Student: Chen-Kuei Lee (李振魁)
Advisor: Dr. Wen-Guey Tzeng (曾文貴)

A Thesis Submitted to the Department of Computer and Information Science, College of Electrical Engineering and Computer Science, National Chiao Tung University, in partial fulfillment of the requirements for the degree of Master in Computer and Information Science. June 2004, Hsinchu, Taiwan, Republic of China.

Round-Efficient Conference Key Agreement Protocols with Forward Secrecy

Student: Chen-Kuei Lee. Advisor: Dr. Wen-Guey Tzeng. Department of Computer and Information Science, National Chiao Tung University.

Abstract

A conference key agreement protocol allows a group of participants to establish a common secret key distributively, such that all their communications afterward are encrypted by the key. In this way, the participants can communicate securely over an open network. We propose two provably forward secure conference key agreement protocols under the broadcast channel model, and we prove their security under the Bellare-Rogaway model. The adversary that attacks our protocols can be either passive or active. A passive adversary tries to learn the conference key by listening to the communication of the participants, while an active adversary tries to impersonate a legal participant or to disrupt conference key establishment among the honest participants. Further, in our protocols we focus on both round efficiency and forward secrecy.

Key words: Conference Key, Round-efficient, Forward-secure.

Round-Efficient Conference Key Agreement Protocols with Forward Secrecy (Chinese abstract, translated)

Student: 李振魁 (Chen-Kuei Lee). Advisor: Dr. 曾文貴 (Wen-Guey Tzeng). Master's program, Department of Computer and Information Science, National Chiao Tung University.

Abstract

When a group of users wants to hold a conference and exchange messages securely over a public network, they need a shared key with which to encrypt the messages they send, so that the messages are not eavesdropped upon. A conference key agreement protocol is the method used to establish this shared key. During key establishment we must ensure both correctness and secrecy. Even when some malicious participants send incorrect messages, the other participants must still be able to establish the key correctly. At the same time, we guarantee that an illegitimate user cannot learn the conference key from the messages exchanged during key establishment. In addition, we want conference key establishment to have the forward secrecy property: if a user's private key is stolen, the security of previously established conference keys is not affected. Besides correctness and security, the efficiency of key establishment is also an important consideration, so we want to reduce the number of communication rounds as far as possible. Therefore, in this thesis we propose two conference key agreement protocols that effectively reduce the number of communication rounds and have the forward secrecy property, and we give complete proofs of their security.

Keywords: conference key, round efficiency, forward secrecy.

Acknowledgements

I thank my advisor, Professor Wen-Guey Tzeng (曾文貴), who during my two years of master's study not only benefited my academic work greatly but also gave me much guidance in life and conduct. I also thank the members of my oral examination committee, Professor 蔡錫鈞 of the NCTU Department of Computer Science and Professor 孫宏民 of the NTHU Department of Computer Science, for their many good suggestions and guidance on the thesis, which made it more complete. I further thank my lab mates 尚宸, 兆儀, 坤杉 and 佩琳 for their help, the senior lab members 成康 and 惠龍 and senior 季穎 for their guidance, and the junior lab members for their moral encouragement. Finally, I thank my family, who gave me tremendous support both morally and materially, so that I could complete my studies without worry. I dedicate this thesis to everyone I wish to thank.

Contents

1 Introduction 1
  1.1 Motivation 2
  1.2 Previous Works 3
  1.3 Organization 4
2 Preliminaries 6
  2.1 Assumptions 6
  2.2 Basic Schemes 9
  2.3 Zero Knowledge Proof System 13
3 Our Models 16
  3.1 Communication Model 16
  3.2 Security Model 17
  3.3 Security Requirements 22
4 The New Protocols 24
  4.1 Protocol Conf-1 25
  4.2 Protocol Conf-2 33
  4.3 Protocol Conf-3 40
5 Conclusion 48
  5.1 Comparison 48
  5.2 Conclusion 50

List of Tables

3.1 Queries available to the adversary 18
4.1 Symbols and Notions 24
5.1 Security Comparison of Conference Key Agreement Protocols 49
5.2 Efficiency Comparison of Conference Key Agreement Protocols 49

List of Figures

4.1 Protocol Conf-1 26
4.2 Protocol Conf-2 34
4.3 Protocol Conf-3 42

Chapter 1 Introduction

A conference key protocol allows a group of participants to establish a common secret key such that all their communications afterward are encrypted by the key. Consequently, the participants can communicate securely over an open network. Conference key protocols can be broadly divided into key distribution and key agreement protocols [27]. In key distribution protocols, a key is selected by a chairman and then securely transmitted to the other participants. In key agreement protocols, all participants contribute information to compute a common shared key. In this thesis, we propose two provably forward secure conference key agreement protocols under the broadcast channel model, which assures that all sent messages are received intact. The adversary that attacks our protocols can be either passive or active. A passive adversary (eavesdropper) tries to learn the conference key by listening to the communication of the participants, while an active adversary (impersonator or malicious participant) tries to impersonate a legal participant or to disrupt conference key establishment among the honest participants. Besides, the communication efficiency of a conference key protocol is also an important issue. It is usually measured by the number of messages sent and received during a protocol run and by the number of rounds in the protocol. In our protocols, we focus on both round efficiency and forward secrecy.

1.1 Motivation

Communicating with other people over the network has become a trend due to the convenience and economic benefits provided by the Internet. Many people have started to exchange messages or hold conferences over the network, so that participants who are far apart can communicate with each other easily. Many applications already provide such a service, such as Internet Relay Chat (IRC), NetMeeting, or MSN Messenger. But these applications usually use a centralized server to control or forward the messages during the meeting, so every participant must connect to the server to join the conference. Once the server fails, all conferences are interrupted. To remove this disadvantage, we may want a distributed approach, such that the conference can be held without much help from a server. Participants can use the existing Internet infrastructure to broadcast the messages over the open network, instead of having the messages forwarded by a single server. But in this case, everyone who joins the multicast group may receive the broadcast messages. If we want to provide security and privacy for the conference, we must use some technique to encrypt the messages sent over the network.

The conference key agreement protocol provides such functionality by generating a secret key distributively from the participants of the conference. In a conference key agreement protocol, the secret key used to encrypt the messages is contributed by every participant, instead of being designated by a central server or chairman. Thus, no single participant can bias the final secret key on his own. However, we must handle the case in which some participants try to break the establishment of the secret key by sending malicious messages, so we include the concept of Publicly Verifiable Secret (PVS), which is a zero knowledge proof system and can be used to check message consistency in our protocol.

1.2 Previous Works

Conference Key Agreement. There has been much research on conference key agreement protocols. Most of these protocols are generalizations of Diffie and Hellman's famous key exchange protocol [16]. For instance, Ingemarsson, Tang and Wong [21] give a set of protocols, and Steiner, Tsudik and Waidner [29] also propose three protocols. None of their basic protocols provides authentication of the participants, so these protocols are not secure against active attacks. Though Ateniese et al. [1, 2] propose two methods to turn one of the protocols of Steiner et al. into an authenticated group key agreement, Pereira and Quisquater [28] have described a number of potential attacks. Burmester and Desmedt [13] proposed a round-efficient protocol which provides forward secrecy and costs only two rounds to establish the conference key. However, their protocol cannot resist the attack of malicious participants. Later, Just and Vaudenay [24] modified the protocol in [13] to provide authentication, and recently Choi et al. [15] transformed the protocol in [13] into an ID-based version which works in elliptic curve groups. The protocol of Joux [23] is the only currently known group key agreement protocol that can be completed in a single round and still provide forward secrecy, but it only works with three parties. In terms of fault tolerance, most proposed protocols except [26, 30] do not have this capability, so a malicious participant can easily spoil the conference by making the other participants compute different conference keys.

Provable security for protocols. Another important contribution in cryptographic protocol research is the first mathematical security proof of a simple entity authentication protocol, proposed by Bellare and Rogaway [4]. Though their work discusses only the two-party case, many authors have extended the same idea to public-key based key transport [6], key agreement protocols [7], password-based protocols [3, 9], and conference key protocols [12, 10, 11].

1.3 Organization

The remainder of this thesis is organized as follows. The next chapter reviews some preliminaries and basic techniques. Chapter 3 describes the communication model and the security model, and defines the security properties of a conference key agreement protocol. Chapter 4 gives a formal proof of a protocol proposed by Tzeng and Tzeng based on the security definitions of Bellare and Rogaway, and also presents two new forward secure conference key agreement protocols with their proofs. Finally, Chapter 5 compares the new protocols with existing ones, and then concludes.

Chapter 2 Preliminaries

In this chapter, we introduce the assumptions that support the security of our protocols. We also describe the general notation for an encryption scheme, a signature scheme, and the forward secure versions of these schemes. Finally, we review the concept of a zero knowledge proof system, and then use this tool to construct the Publicly Verifiable Secret (PVS) protocol, which we will use in our protocols.

2.1 Assumptions

We recall two algorithmic assumptions in this section: the Discrete Logarithm Assumption (DLA) and the Decisional Diffie-Hellman Assumption (DDHA). We use the following setting for both:

– $p$: a large prime number of the form $2q + 1$, where $q$ is also a large prime.
– $g$: a generator of the subgroup $G_q$ of all quadratic residues in $\mathbb{Z}_p^*$.
– $x \in_R S$ denotes that $x$ is chosen from the set $S$ uniformly and independently.

Discrete Logarithm Assumption (DLA). The discrete logarithm (DL) problem is to compute $x \equiv \log_g y \pmod p$ from a given $(y, g, p)$, where $p = 2q + 1$, $g$ is a generator of $G_q$ and $y \in_R G_q$. In general, we assume that the DL problem is computationally infeasible. Thus, we have the following formal description of the DLA.

Assumption 1 (Discrete Logarithm Assumption) There is no probabilistic polynomial time algorithm that can solve any significant portion of the instances of $x \equiv \log_g y \pmod p$, where $p = 2q + 1$, $p$ and $q$ are both prime, $g$ is a generator of the subgroup $G_q$ of all quadratic residues in $\mathbb{Z}_p^*$ and $y \in_R G_q$. That is, let $R_n$ be the set of $n$-bit primes $p = 2q + 1$; then for any probabilistic polynomial time algorithm $A$, for any sufficiently large $n$, and for any $k > 0$,

$$\Pr_{p \in R_n,\; g, y \in G_q}\left[ A(y, g, p) = \log_g y \bmod p \right] \le 1/n^k.$$

Decisional Diffie-Hellman Assumption (DDHA). The Decisional Diffie-Hellman (DDH) problem is to distinguish the following two probability ensembles $R = \{R_n\}$ and $D = \{D_n\}$:

– $R_n = (g, p, g^x \bmod p, g^y \bmod p, g^z \bmod p)$, where
  - $p$ is a randomly chosen $n$-bit prime with $p = 2q + 1$ and $q$ also prime,
  - $g$ is a randomly chosen generator of the order-$q$ subgroup $G_q$ of $\mathbb{Z}_p^*$,
  - $x, y, z$ are chosen uniformly and independently from $\mathbb{Z}_q^*$.
– $D_n = (g, p, g^x \bmod p, g^y \bmod p, g^{xy} \bmod p)$, where
  - $p$ is a randomly chosen $n$-bit prime with $p = 2q + 1$ and $q$ also prime,
  - $g$ is a randomly chosen generator of the order-$q$ subgroup $G_q$ of $\mathbb{Z}_p^*$,
  - $x$ and $y$ are chosen uniformly and independently from $\mathbb{Z}_q^*$.

In cryptology, we assume that the probability ensembles $R$ and $D$ are not polynomially distinguishable. Therefore, we have the following assumption.

Assumption 2 (Decisional Diffie-Hellman Assumption) Let $p = 2q + 1$ with $p$ and $q$ both prime, let $g$ be a generator of the subgroup $G_q$ of all quadratic residues in $\mathbb{Z}_p^*$, and let $x, y, z \in_R G_q \setminus \{1\}$. Then the two random-variable tuples $D_n = (g, p, g^x, g^y, g^{xy})$ and $R_n = (g, p, g^x, g^y, g^z)$ are computationally indistinguishable. That is, for any probabilistic polynomial time algorithm $A$, for any sufficiently large $n$, and for any $k > 0$,

$$\left| \Pr[A(R_n) = 1] - \Pr[A(D_n) = 1] \right| \le 1/n^k.$$

2.2 Basic Schemes

In the new protocols that we present later, we reduce their security to the underlying public key encryption and signature schemes. So we describe the general notation for an encryption scheme, a signature scheme, and the forward secure versions of these schemes here.

Secure Encryption Scheme. Let $k$ be the security parameter. A public key encryption scheme $\mathcal{C} = (\mathrm{E.Gen}, \mathrm{E.Enc}, \mathrm{E.Dec})$ consists of three algorithms.

– The key generation algorithm E.Gen is a polynomial time probabilistic algorithm which, on input $1^k$, outputs a pair $(e, d)$ of matching public and private keys, respectively.
– The encryption algorithm E.Enc(·) is a polynomial time probabilistic algorithm which takes a public key $e$ and a message $m$ chosen from a message space $M$ associated with $e$, and returns a ciphertext $c$. We denote this as $c \leftarrow \mathrm{E.Enc}(e, m)$.
– The decryption algorithm E.Dec(·) is a polynomial time deterministic algorithm which takes a private key $d$ and a ciphertext $c$, and returns the corresponding plaintext $m$. We denote this as $m \leftarrow \mathrm{E.Dec}(d, c)$ and assume $\mathrm{E.Dec}(d, \mathrm{E.Enc}(e, m)) = m$ for every $(e, d) \leftarrow \mathrm{E.Gen}(1^k)$.

We use the security definition called semantic security proposed by Goldwasser and Micali [18]. Any probabilistic polynomial time adversary $A$ plays the IND-CCA game with the challenger. We define the advantage of the adversary playing the IND-CCA game as $\mathrm{Adv}_A(k) = 2\Pr[b' = b] - 1$. We say that the encryption scheme $\mathcal{C}$ is secure if the adversary's advantage is negligible.

Secure Signature Scheme. Let $k$ denote the security parameter. A digital signature scheme $\mathcal{S} = (\mathrm{S.Gen}, \mathrm{S.Sig}, \mathrm{S.Ver})$ consists of three algorithms.

– The key generation algorithm S.Gen is a polynomial time probabilistic algorithm which, on input $1^k$, outputs a pair $(e, d)$, where $e$ is the (public) verification key and $d$ is the corresponding (private) signing key.
– The signing algorithm S.Sig(·) is a polynomial time probabilistic algorithm which takes a signing key $d$ and a message $m$ chosen from a message space $M$, and outputs a signature $\sigma$. We denote this as $\sigma \leftarrow \mathrm{S.Sig}(d, m)$.
– The verification algorithm S.Ver(·) is a polynomial time deterministic algorithm which takes a verification key $e$, a message $m$ and its corresponding signature $\sigma$, and outputs 1 if the signature is valid and 0 otherwise. We assume that $\mathrm{S.Ver}(e, m, \mathrm{S.Sig}(d, m)) = 1$ for every $(e, d) \leftarrow \mathrm{S.Gen}(1^k)$.

We say a signature scheme is secure if it is computationally infeasible for any adversary to forge a signature on any message (existential forgery), even under adaptive chosen-message attacks [20].

Forward Secure PKI

Forward Secure Encryption Scheme. Let $k$ denote the security parameter and $N$ the total number of time periods. A public-key key-evolving encryption scheme $\mathcal{FE} = (\mathrm{FE.Gen}, \mathrm{FE.Upd}, \mathrm{FE.Enc}, \mathrm{FE.Dec})$ consists of four algorithms.

– The key generation algorithm FE.Gen is a polynomial time probabilistic algorithm which, on input $1^k$ and $N$, outputs a public key $PK$ and an initial secret key $SK_0$.
– The key update algorithm FE.Upd(·) is a polynomial time probabilistic algorithm which takes a public key $PK$, an index $i < N$ of the current time period, and the associated secret key $SK_i$, and returns the secret key $SK_{i+1}$ for the following time period. This is denoted as $SK_{i+1} \leftarrow \mathrm{FE.Upd}(PK, i, SK_i)$.
– The encryption algorithm FE.Enc(·) is a polynomial time probabilistic algorithm which takes a public key $PK$, an index $i \le N$ of a time period, and a message $m$, and returns a ciphertext $c$. We denote this as $c \leftarrow \mathrm{FE.Enc}(PK, i, m)$.
– The decryption algorithm FE.Dec(·) is a polynomial time deterministic algorithm which takes a public key $PK$, an index $i \le N$ of the current time period, the associated secret key $SK_i$, and a ciphertext $c$, and returns the corresponding plaintext $m$. This is denoted as $m \leftarrow \mathrm{FE.Dec}(PK, i, SK_i, c)$, and we assume that $\mathrm{FE.Dec}(PK, i, SK_i, \mathrm{FE.Enc}(PK, i, m)) = m$ for any index $i \in [0, N)$ and every $(PK, SK_0) \leftarrow \mathrm{FE.Gen}(1^k, N)$.

We use the security notion of forward security against chosen-ciphertext attacks (fs-CCA) proposed in [14]. The advantage of the adversary playing the fs-CCA game is defined as $\mathrm{Adv}_A(k) = 2\Pr[b' = b] - 1$. We say that the public-key key-evolving encryption scheme $\mathcal{FE}$ is secure if the adversary's advantage is negligible.

Forward Secure Signature Scheme. Let $k$ denote the security parameter and $N$ the total number of time periods. A public-key key-evolving digital signature scheme $\mathcal{FS} = (\mathrm{FS.Gen}, \mathrm{FS.Upd}, \mathrm{FS.Sig}, \mathrm{FS.Ver})$ consists of four algorithms.

– The key generation algorithm FS.Gen is a polynomial time probabilistic algorithm which, on input $1^k$ and $N$, outputs a public key $PK$ and an initial secret key $SK_0$.
– The key update algorithm FS.Upd(·) is a polynomial time probabilistic algorithm which takes an index $i < N$ of the current time period and the associated secret key $SK_i$, and returns the secret key $SK_{i+1}$ for the following time period. This is denoted as $SK_{i+1} \leftarrow \mathrm{FS.Upd}(i, SK_i)$.
– The signing algorithm FS.Sig(·) is a polynomial time probabilistic algorithm which takes a signing key $SK_i$, an index $i \le N$ of a time period, and a message $m$, and returns a signature $\sigma$ for time period $i$. We denote this as $(i, \sigma) \leftarrow \mathrm{FS.Sig}(SK_i, i, m)$.
– The verification algorithm FS.Ver(·) is a polynomial time deterministic algorithm which takes a public key $PK$, a candidate signature $(i, \sigma)$,

and a message $m$, and outputs 1 if the signature is valid and 0 otherwise. We assume that $\mathrm{FS.Ver}(PK, m, \mathrm{FS.Sig}(SK_i, i, m)) = 1$ for every message $m$ and time period $i \in [0, N)$.

2.3 Zero Knowledge Proof System

In a conference key agreement protocol, since we cannot assume that all participants are honest, we must provide some method to prevent malicious participants from sending invalid messages that interfere with the key agreement procedure. The concept of a zero knowledge proof system, proposed by Goldwasser et al. [19], achieves this goal. Zero knowledge proofs are proofs that convince the verifier and reveal nothing beyond the validity of the assertion being proven. They must satisfy three properties: completeness, soundness, and zero knowledge. Further, we can use this tool to construct a Publicly Verifiable Secret (PVS) protocol, in which one user sends a secret to the other participants while everyone can verify that all participants receive the same secret. In this section, we review the PVS protocol presented by Tzeng and Tzeng [31], and give a more general form of the PVS protocol that uses any secure encryption scheme.

Publicly Verifiable Secret Protocol (PVS). Assume that $(x_i, y_i)$ is the private and public key pair of participant $U_i$. If participant $U_i$ wants to send the secret $g^{k_i} \bmod p$ to all the other participants in a publicly verifiable way, he broadcasts $u_{i,j} = y_j^{k_i} \bmod p$, for $1 \le j \le n$, where $k_i \in_R \mathbb{Z}_q$. Another participant $U_j$ can obtain the shared secret $g^{k_i} \bmod p$ from $U_i$ by computing $u_{i,j}^{x_j^{-1}} \bmod p$. The PVS proof system shows that

– $\log_{y_1} u_{i,1} \equiv \log_{y_2} u_{i,2} \equiv \cdots \equiv \log_{y_n} u_{i,n} \pmod p$, and
– $U_i$ knows the exponent $k_i = \log_{y_j} u_{i,j} \pmod p$, for $1 \le j \le n$,

with negligible error probability $1/2^t$ according to the security parameter $t$. The PVS proof system is:

1. $P \to V$: $b_j = y_j^r \bmod p$, $1 \le j \le n$, where $r \in_R \mathbb{Z}_q$;
2. $V \to P$: $c \in_R [0..2^t - 1]$;
3. $P \to V$: $w = r - c k_i \bmod q$;
4. $V$ checks whether $b_j = y_j^w \cdot u_{i,j}^c \bmod p$, $1 \le j \le n$.

Theorem 1 ([31]) Assume the DLA. The PVS proof system above is complete, sound and zero knowledge.

Non-interactive PVS. We want a proof system to provide fault tolerance in our protocol, but for efficiency we want it to be non-interactive. We give the basic idea of the non-interactive proof system in the following. In a non-interactive proof system, the prover $P$ produces a string that meets all the properties of an interactive proof system without interacting with the verifier $V$. Hence, we need a collision resistant hash function $H$ to replace the verifier's role in the original interactive proof system (i.e. generating the challenge $c$). We achieve this goal by applying the well known technique proposed by Feige et al. [17]. We describe the non-interactive PVS (NIPVS) used later as follows:

– The prover $U_i$ randomly selects $r \in \mathbb{Z}_q$ and computes $c = H(g \| y_1 \| \cdots \| y_n \| u_{i,1} \| \cdots \| u_{i,n} \| y_1^r \| \cdots \| y_n^r)$, where $\|$ denotes string concatenation.
– The prover $U_i$ sets $w = r - c k_i$ and sends $(c, w)$ as his proof.
– The verifier checks that the $(c, w)$ sent by $U_i$ satisfies $c = H(g \| y_1 \| \cdots \| y_n \| u_{i,1} \| \cdots \| u_{i,n} \| y_1^w u_{i,1}^c \| \cdots \| y_n^w u_{i,n}^c)$; if so, he is assured that $\log_{y_1} u_{i,1} \equiv \log_{y_2} u_{i,2} \equiv \cdots \equiv \log_{y_n} u_{i,n} \pmod p$, which means all participants receive the same secret $g^{k_i}$.

Zero Knowledge Proof for any NP Problem. Based on standard intractability assumptions, it is already known how to construct a non-interactive zero knowledge proof for any NP-set [25]. Thus, we can assume that we can find a non-interactive zero knowledge proof for the following problem. More generally, assume that a secure encryption scheme exists and, again, that participant $U_i$ wants to send the secret value $g^{k_i} \bmod p$ to all the other participants in a publicly verifiable way. Then he broadcasts $u_{i,j} = \mathrm{Enc}(y_j, g^{k_i})$, for $1 \le j \le n$, where $k_i \in_R \mathbb{Z}_q$. We can use the PVS proof system to show that

– $\mathrm{Dec}(y_1, u_{i,1}) \equiv \mathrm{Dec}(y_2, u_{i,2}) \equiv \cdots \equiv \mathrm{Dec}(y_n, u_{i,n})$, and
– $U_i$ knows the secret $g^{k_i} = \mathrm{Dec}(y_j, u_{i,j})$, for $1 \le j \le n$.

We use NIP(Consistency of $g^{k_i}$) to denote this proof system in our protocol.

Chapter 3 Our Models

We introduce the communication model and the security model used in our protocols, as well as the precise security requirements of a conference key agreement protocol, as follows.

3.1 Communication Model

The communication model we use later for distributed security was first proposed by Bellare and Rogaway [4, 5], who give a formal specification of entity authentication and authenticated key distribution protocols. We will use its refined version [3], which is more suitable for the multi-party environment.

Protocol Participants. In this communication model, we have a finite and nonempty set $\mathrm{ID} = \{U_1, \ldots, U_N\}$ of all users in the system, and the total number of users $N$ is polynomial in the security parameter $k$. Each user has a unique identifier $U$ from the set ID, where user $U \in \mathrm{ID}$ is named by a fixed length string, and a group of users who want to establish a conference key is called the set of participants.

Communication Environment. In our communication model, all users are connected by a broadcast network, which is an unauthenticated broadcast channel, and no private channel exists between users. Messages that are sent cannot be altered, blocked or delayed; that is, the adversary faithfully relays flows between participants. Nevertheless, the attacker can inject malicious messages. For simplicity, we assume that the network is fully synchronous, which means all users send their messages to the other recipients (or receive messages from the other senders) simultaneously in a single round.

Long-Lived Keys. Each user in the system has a long-lived secret key and a corresponding public key, obtained at the beginning of the protocol using a key distribution algorithm Gen. The system also has a public directory, accessible by everyone, which contains the system's public parameters and each user's public key.

3.2 Security Model

For security, we assume that all communication among the interacting parties is controlled by the adversary. The main idea is to model instances of users via oracles available to the adversary, to model the various kinds of attacks by appropriate queries to these oracles, to have some notion of partnering, and to require semantic security of the session key via Test queries.

Adversary. The adversary $A$ is a probabilistic polynomial-time Turing machine that controls all the communications during the protocol runs, and does this by interacting with a set of oracles. Oracle $\Pi_U^s$ represents the actions of participant $U$ in the protocol run indexed by instance $s$; each participant may run many instances at the same time, and interactions with the adversary are called oracle queries. We now explain each query that is available to the adversary, and summarize them in Table 3.1.

(1) Send($U, s, m$): This query allows the adversary to send message $m$ to oracle $\Pi_U^s$. The oracle runs the protocol normally, and sends back the response. If the received message $m$ is not of the expected format, the oracle may simply halt. Otherwise, the adversary learns whether the oracle accepts the session key or not, as well as the session ID and the partner ID. The adversary can use this query to initiate a new protocol instance by sending a special message $m = \mathrm{Init}$ to a participant. This query models the possibility of an adversary $A$ causing an instance to come into existence in the real world, for that instance to receive communications faked by $A$, and to respond as an honest participant does in the protocol.

  Send(U, s, m)   Send message m to oracle Π_U^s
  Reveal(U, s)    Reveal the session key accepted by Π_U^s
  Corrupt(U)      Reveal the long-lived secret key held by U
  Test(U, s)      Ask for a challenge to distinguish the session key accepted by Π_U^s

Table 3.1: Queries available to the adversary

(2) Reveal($U, s$): This query models the adversary's ability to get session keys. In the real world, a session key might be lost for many kinds of reasons, such as hacking or cryptanalysis, so the loss of a session key should not damage other sessions. If an oracle $\Pi_U^s$ has accepted, holding some session key $sk$, then this query returns $sk$ to the adversary. We say an oracle is opened if it has been the object of a Reveal query.

(3) Corrupt($U$): This query models insider attacks by the adversary, as when a dishonest participant tries to disrupt the process of key agreement in the real world. This query returns the oracle's long-lived key to the adversary, who can then control the behavior of participant $U$. We say a participant is corrupted if it has been the object of a Corrupt query.

(4) Test($U, s$): Once the oracle $\Pi_U^s$ has accepted, holding a session key $sk$, the adversary can ask for a challenge to distinguish $sk$ from a random key. The oracle flips a coin $b$; if $b = 1$ then $sk$ is returned, otherwise a random string drawn from the same distribution as the session key is returned. This query is asked only once by the adversary.

(5) $h(m)$: Finally, this is a collision-resistant ideal hash function, used in the random oracle model. Not only the adversary, but also the protocol and the long-lived key generator may depend on this hash function. To avoid replay attacks, we always include the session ID SID (or session token ST) in its input.

Oracle Partnering. There are various ways to define partner oracles in the Bellare-Rogaway model. In this thesis, we use the adaptation from [3]. Fix a protocol $P$ and an adversary $A$; during the protocol execution, we say that oracles $\Pi_U^i$ and $\Pi_{U'}^{i'}$ are partnered if both oracles have accepted, holding the same session key, session ID and partner ID. In our protocols, we assume that the partner ID is the concatenation of each user's identifier $U$ in the set of participants $\mathcal{U}$. Thus, we define the partnering of a set of oracles formally as follows.

Definition 3 A set of oracles are partnered if the following conditions hold:

– They agree on the same set of participants $\mathcal{U} \subseteq \mathrm{ID}$.
– They have accepted with the same $sk$, SID and PID.

Oracle Status. As mentioned above, we say an oracle is opened if it has been the object of a Reveal query, and corrupted if it has been the object of a Corrupt query. Besides, during the protocol runs an oracle may accept at any time, which means the oracle holds a particular session key ($sk$), session ID (SID) and partner ID (PID). The session key $sk$ is used to protect the subsequent communication during the conference. The SID is an identifier which can be used to uniquely name the sequence of conference sessions established by a participant, while the PID names the set of participants with which the instance believes it has just communicated. The SID and PID are not secret, so the adversary may know this information. An oracle also has a status called terminated, which means the oracle has what it wants and will not send any further messages. An instance may wish to accept now and terminate later. As in the real world, a participant may believe he is now holding a correct session key, but before using that key he may want to wait for a confirmation message before terminating.

(30) Freshness. We have two notions of freshness — with and without forward secrecy, both depend on the status of oracle. Their formal definition are as follows. Definition 4 (Basic Freshness) We say that an oracle ΠUs is fresh at end of its execution if: – ΠUs has accepted with set of participants Π ∗ . – ΠUs and all other oracles in Π ∗ are unopened. – All participants within Π ∗ are uncorrupted. Definition 5 (Freshness with forward secrecy) We say that an oracle ΠUs is fs-fresh at end of its execution if: – ΠUs has accepted with set of participants Π ∗ . – ΠUs and all other oracles in Π ∗ are unopened. – All participants within Π ∗ are uncorrupted before Test query.. Security. We define the security of the protocol by the following game played by adversary A and a set of oracles ΠUs for some U = {U1 , . . . , Un }. At first, the key generation function Gen will assign the long-lived private key to each user and publish the system security parameters, as well as all user’s public key. Then adversary A(1k ) starts interacting with oracles and making any queries of Send, Reveal, or Corrupt. At some stage during execution, A does a Test query on a fresh (or fs-fresh) oracle ΠUs to get a return challenge sk ′ . Then the adversary may continue to make other queries. Finally, he terminates and 21.

(31) outputs a bit b′ . If the adversary guesses that sk ′ is the corresponding session key which ΠUs is involved, then outputs b′ = 1, else outputs b′ = 0, and we say that the adversary wins the game if b′ = b. Assume Success be the event that A wins the game, his advantage is AdvA (k) = 2 Pr [Success] − 1.. 3.3. Security Requirements. From [31, 8], we can summarize that a conference key agreement protocol should meet the following requirements: – Authentication: an outsider of set of participants cannot impersonate as a legal participant. – Validity: in the presence of a benign adversary, all honest partner oracles accept the same session key. – Fairness: the session key should be determined unbiasedly by all honest participants together. – Fault tolerance: no coalition of malicious participants can spoil the conference by making honest participants compute different session key. – Indistinguishability: for every probabilistic polynomial time adversary A, the advantage AdvA (k) to distinguishing test keys is negligible. – Forward secrecy: exposure of the long-lived secret key does not enable an adversary to break the session key established at any prior time. Then we derived a formal definition of secure conference key agreement protocol, and the version that with forward secrecy. 22.

Definition 6 We say that a protocol P is a secure conference key agreement protocol if it satisfies Authentication, Validity, Fairness, Fault tolerance and Indistinguishability.

Definition 7 A protocol P is a forward secure conference key agreement protocol if it satisfies Authentication, Validity, Fairness, Fault tolerance, Indistinguishability and Forward secrecy.

Chapter 4 The New Protocols

We describe three conference key agreement protocols. The first is an adaptation of Tzeng and Tzeng's protocol [31]; the other two are new protocols with forward secrecy. The notation and symbols used throughout the protocols are listed in Table 4.1.

Symbol        Description
P             The protocol
A             The adversary
U             The set of participants involved in the protocol
Π_U^s         The s-th instance of participant U
SK_i (x_i)    Long-lived (secret) key of user U_i
PK_i (y_i)    Public key of user U_i
SID           Session ID
PID           Partner ID
ST            Session token
sk            Session key (conference key)

Table 4.1: Symbols and Notation

4.1 Protocol Conf-1

Protocol. Let U = {U_1, ..., U_n} be the initial participant set; each participant U_i, 1 ≤ i ≤ n, knows U. Without loss of generality, we assume that U_1 is the initiator who calls for a conference for the set U and sets the session token ST. Before executing the protocol, each participant is given a public/private key pair by running the algorithm Gen; the key pair (PK_i, SK_i) = (y_i, x_i) satisfies y_i = g^{x_i} mod p. Let h be a collision-resistant hash function, which is used in the modified ElGamal signature scheme; it is always computed over the session token ST as well, which is unique to each conference session and so prevents replay attacks.

In the protocol, each participant U_i first selects a random value k_i and computes his partial secret g^{k_i} mod p. He transfers this secret to the other participants by broadcasting u_{i,j} = y_j^{k_i} mod p for 1 ≤ j ≤ n, which ensures that only U_j ∈ U can extract the partial secret g^{k_i} mod p, using his own secret key x_j. U_i also broadcasts NIPVS(g, y_1, ..., y_n, u_{i,1}, ..., u_{i,n}), a non-interactive proof that convinces the other participants that every one of them receives the same partial secret, together with a signature (r_i, s_i) on the partial secret for authentication. After receiving the messages of the other participants, U_i checks, for each U_j with j ≠ i, whether U_j sent valid messages and authenticates U_j's identity. If a check fails, U_i excludes U_j from the set of honest participants. Finally, U_i computes the conference key from the set of honest participants. The protocol is formalized in Figure 4.1.

– System parameters are g, p, q and the hash function h(·).
– Each participant U_i holds his secret key x_i and can access the public keys y_j of all other participants, 1 ≤ j ≤ n.

Participant U_i does the following two steps:

Step 1. Message Sending
(a) Randomly select k_i ∈ Z_q and R_i ∈ Z_q^*.
(b) Broadcast u_{i,j} = y_j^{k_i} mod p, for all j ≠ i.
(c) Broadcast NIPVS(g, y_1, ..., y_n, u_{i,1}, ..., u_{i,n}).
(d) Broadcast the signature of the partial secret, Sig(g^{k_i}) = (r_i, s_i), where r_i = g^{R_i} mod p and s_i = R_i^{-1}(h(SID, r_i, g^{k_i}) − r_i x_i) mod q.

Step 2. Conference Key Computing
(a) Compute c_j = (u_{j,i})^{x_i^{-1}} mod p, for all j ≠ i.
(b) Check that (r_j, s_j) is a correct signature on c_j, for all j ≠ i: set z_j = h(SID, r_j, c_j) and check whether g^{z_j} = y_j^{r_j} r_j^{s_j} mod p.
(c) Verify NIPVS(g, y_1, ..., y_n, u_{j,1}, ..., u_{j,n}).
(d) If U_j's messages pass the checks in the previous two steps, add U_j to the honest participant set U_i.
(e) Compute the conference key sk of session SID as
    sk = ∏_{j ∈ U_i} c_j mod p = g^{Σ_{j ∈ U_i} k_j} mod p.

Figure 4.1: Protocol Conf-1

Security Analysis. We prove that protocol Conf-1 meets all the security requirements defined in the previous chapter except forward secrecy. First, Lemma 1 shows that the protocol provides validity, fairness and fault tolerance against malicious participants. Then we follow the Bellare-Rogaway model closely to prove authentication and indistinguishability in Lemma 2 and Lemma 3, respectively. Theorem 2 concludes the proofs.

Lemma 1 (Fault tolerance, Validity and Fairness [31]) All honest participants who follow the protocol compute a common conference key with overwhelming probability, no matter how many participants are malicious. Furthermore, the common conference key is determined by the honest participants without bias.

Proof. For fault tolerance, we show that all honest participants compute the same honest participant set with high probability. Because all users are connected only by a broadcast network in our model, every participant receives the same messages. If a malicious participant U_i sends (y_1, ..., y_n, u_{i,1}, ..., u_{i,n}) such that not all log_{y_j} u_{i,j}, 1 ≤ j ≤ n, are equal, the probability that he can construct a valid NIPVS(g, y_1, ..., y_n, u_{i,1}, ..., u_{i,n}) is at most T/q, which is negligible, where T is U_i's running time. Using this tool, all honest participants exclude the malicious participants with high probability, and an honest participant who follows the protocol is accepted as "honest" by the other honest participants with high probability, too. Thus no honest participant is excluded by any other honest participant, and any malicious participant who tries to make other participants accept different partial secrets is excluded by all honest participants. Eventually, all honest participants who follow the protocol compute the same honest participant set with high probability.

For validity, we show that all honest participants compute the same conference key. Since the protocol provides fault tolerance, each honest participant U_i computes the same participant set U_i, and then uses his private key x_i to compute the partial key c_j = (u_{j,i})^{x_i^{-1}} = g^{k_j} mod p for all j ≠ i. Therefore, all users in the honest participant set derive the same session key with overwhelming probability.

For fairness, the session key is the product of all partial keys c_i, 1 ≤ i ≤ m. No one can bias this value, since each honest participant chooses k_i uniformly and independently over Z_q. Thus no participant can bias the session key in our protocol. □

Among the many extensions of the Bellare-Rogaway model, we follow Bresson et al. [12] and divide the proof into two cases: the adversary A breaks the protocol either by forging a signature with respect to some participant's signing key, or without forging a signature. For authentication, we show that if A gains her advantage by forging a signature, then A can be used to construct a forging algorithm F against the signature scheme S, by guessing which participant A will choose to impersonate during the protocol runs. For indistinguishability, we show that if A could break the protocol without altering the content of the flows (i.e. without forging a signature on some message), then we can construct an algorithm D that solves an instance of the DDH problem.

Lemma 2 (Authentication) Assume the random oracle model. Suppose an outsider A can impersonate a legal participant U_i by forging his signature, with non-negligible advantage ε within time t, being allowed to query the signing oracle q_s times. Then A can be used to construct a forging algorithm F against the signature scheme S that succeeds with non-negligible advantage ε/n within time t' ≤ t + q_s T(k).

Proof. We use A to construct a forging algorithm F for the signature scheme S. F is given some participant's public key e in the signature scheme S and access to a signing oracle for the corresponding secret key d. A successful F must output a valid signature (m, σ), i.e. S.Ver(e, m, σ) = 1, on some message m that was not previously asked of the signing oracle. The forger F proceeds as follows:

1. Setup
(a) Randomly choose a participant U' ∈ U.
(b) For the participant U_i = U', assign the given e as his public key y_i.
(c) For every other participant U_i ≠ U', run the key generation function Gen of the protocol to assign U_i's key pair (y_i, x_i), where y_i = g^{x_i}.

2. F runs A as a subroutine, answering A's queries as follows and maintaining a list H for hash queries.
– Send(U_i, s, m): F outputs what the protocol prescribes. When F needs to generate the signature of the partial secret Sig(g^{k_i}) for the selected user U_i = U', he queries the signing oracle; otherwise he signs himself, because he owns all other keys.
– Reveal(U_i, s): returns the sk that Π_{U_i}^s was involved in.
– Corrupt(U_i): if U_i = U', F fails; else returns participant U_i's long-lived secret key x_i.
– h(m): if (m, h(m)) is not in F's list H, returns a random string r and adds (m, r) to the list; else returns the hash value already recorded for m.

3. Output. During the execution of A, if A makes a query Send(·, (m, σ)), where σ is a valid signature on m with respect to y_i for U_i = U' and m was not previously queried to the signing oracle, then F outputs (m, σ) as his forgery. Otherwise, when A terminates, F fails.

By assumption, A forges a signature with non-negligible advantage ε within time t, and the probability that this forgery is with respect to the chosen participant U' is at least 1/n. Thus the forger F succeeds with probability Succ_S^{cma}(F) ≥ ε/n, and its running time is t' ≤ t + q_s T(k), where T(k) is the cost of one signing-oracle query. □

Lemma 3 (Indistinguishability) Assume the random oracle model. Suppose an adversary A can break the protocol without altering the content of the flows, with advantage at least ε within time t. Then we can construct an algorithm D that solves an instance of the DDH problem with advantage ε/n within time t' ≤ t + q_h T(k).

Proof. Given an instance (g, p, u_1, u_2, u_3) of the DDH problem, we show that the algorithm D can distinguish an input (g, p, u_1, u_2, u_3) ∈ D_n from one in R_n with non-negligible advantage while running A as a subroutine. It proceeds as follows:

1. Setup
(a) Randomly choose two participants U', U'' ∈ U.
(b) For the participant U_i = U'', assign the given u_1 as his public key y_i.
(c) For every other participant U_i ≠ U'', assign U_i's key pair as follows: choose a random r_i ∈ Z_q and set (y_i, x_i) = (g^{r_i}, r_i), so that the key pair has the correct form y_i = g^{x_i}.

2. D runs A as a subroutine, answering A's queries as follows and maintaining a list H for hash queries.
– Send(U_i, s, m): D does the following.
  i. If U_i = U', set c_i = u_2; else choose a random k_i ∈ Z_q and set c_i = g^{k_i}.
  ii. If U_i = U', set u_{i,j} = u_3 for U_j = U'' and u_{i,j} = u_2^{r_j} for U_j ≠ U', U''; else set u_{i,j} = y_j^{k_i} for all j ≠ i.
  iii. Forge the NIPVS through the hash oracle: randomly select (c, w) and record H(g ‖ y_1 ‖ ··· ‖ y_n ‖ u_{i,1} ‖ ··· ‖ u_{i,n} ‖ y_1^w u_{i,1}^c ‖ ··· ‖ y_n^w u_{i,n}^c) = c in the list H.
  iv. If U_i = U'', D does not know the signing key and must forge the signature on c_i: he randomly selects a ∈ Z_q and b ∈ Z_q^*, returns (r_i, s_i) = (g^a y_i^b, −r_i b^{-1}), and records H(SID, r_i, c_i) = −r_i a b^{-1} in the list H. Otherwise he signs himself, because he generated all other participants' keys.
– Reveal(U_i, s): returns the sk that Π_{U_i}^s was involved in. Although D does not know U_i's secret key when U_i = U'', he can compute the session key sk from the other participants under his control.
– Corrupt(U_i): if U_i = U'', D fails; else returns participant U_i's long-lived secret key x_i.
– Test(U_i, s): flips a coin b ∈ {0, 1}. If b = 1, returns sk = u_2 · ∏_{j ∈ U_i, U_j ≠ U'} g^{k_j}; else returns a random string drawn from the same distribution as the session key.
– h(m): if (m, h(m)) is not in D's list H, returns a random string r and adds (m, r) to the list; else returns the hash value already recorded for m.

3. Output. Eventually A outputs a guess b' and wins the game if b = b'. If A wins, the distinguisher D outputs 1 (the input is a DDH tuple); otherwise D outputs a random bit b'' ∈ {0, 1}.

By assumption, A breaks the protocol without altering the content of the flows with advantage at least ε within time t. The probability that D returns the random sk is 1/2, and the probability that A distinguishes the real sk using the messages sent to U'' is at least 1/n. Thus the distinguisher D succeeds with probability Succ^{DDH}(D) ≥ 1/2 + ε/n, and its running time is t' ≤ t + q_h T(k), where T(k) is the cost of one hash-oracle query. □

Theorem 2 Assume the random oracle model and a broadcast channel. Protocol Conf-1 meets the security requirements Authentication, Validity, Fairness, Fault tolerance and Indistinguishability.

Proof. Validity, fairness and fault tolerance are shown in Lemma 1, authentication in Lemma 2, and indistinguishability in Lemma 3. Thus the protocol meets all the security requirements mentioned. □
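The signature that D produces in step iv of the proof of Lemma 3 verifies only because D programs the random oracle at the point (SID, r_i, c_i). The following Python code is an added example, not part of the thesis, that carries out exactly that step over a toy group and checks the forged pair against the verification equation of Figure 4.1. The group p = 1019, q = 509, g = 4, the session identifier and the sample exponents are assumptions for illustration; the example also shows the case the reduction must handle, where the adversary has already queried the oracle at that point and the simulation has to abort.

```python
import hashlib

# Toy group, an assumption for this example: p = 2q + 1 with q prime and
# g = 4 of order q in Z_p^*.  Real parameters are thousands of bits long.
p, q, g = 1019, 509, 4
SID = b"conf-session-42"   # constructed session identifier

# The list H of the proof: (SID, r, m) -> hash value.  An entry is created
# lazily on the first honest query, or planted ("programmed") by the simulator.
oracle_table = {}

def h(sid, r, m):
    """Random oracle h(SID, r, m) with values in Z_q^* = {1, ..., q-1}."""
    key = (sid, r, m)
    if key not in oracle_table:
        digest = hashlib.sha256(b"|".join(str(v).encode() for v in key)).digest()
        oracle_table[key] = 1 + int.from_bytes(digest, "big") % (q - 1)
    return oracle_table[key]

def verify(y, m, sig):
    """Verification of Figure 4.1, step 2(b): g^z == y^r * r^s (mod p)."""
    r, s = sig
    return pow(g, h(SID, r, m), p) == pow(y, r, p) * pow(r, s, p) % p

def simulated_signature(y, m, a, b):
    """Step iv of D in Lemma 3: sign m under y without knowing x = log_g y.
    r = g^a y^b and s = -r b^{-1}; programming h(SID, r, m) = -r a b^{-1} gives
    y^r r^s = y^r g^{-ar/b} y^{-r} = g^{h}, so the pair verifies."""
    r = pow(g, a, p) * pow(y, b, p) % p
    b_inv = pow(b, -1, q)
    s = (-r * b_inv) % q
    key = (SID, r, m)
    if key in oracle_table:
        # The adversary already fixed h at this point; D cannot reprogram it,
        # so the simulation aborts (a 1/q event per adversary query).
        raise RuntimeError("oracle point (SID, r, m) already queried")
    oracle_table[key] = (-r * a * b_inv) % q
    return r, s

def forgery_demo(x=123, a=77, b=31, m=None):
    """Forge against y = g^x and report whether the forgery verifies.  x is
    used only to build the public key; the simulator never sees it."""
    y = pow(g, x, p)
    m = pow(g, 200, p) if m is None else m   # the partial secret c_i being signed
    return verify(y, m, simulated_signature(y, m, a, b))

if __name__ == "__main__":
    print("forged signature verifies:", forgery_demo())
```

Without the programmed entry, h(SID, r, m) would be an independent random value and the equation g^z = y^r r^s would hold only with probability about 1/q; this is why the indistinguishability proof is stated in the random oracle model.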

4.2 Protocol Conf-2

Although protocol Conf-1 is round-efficient, it does not provide forward secrecy. In protocol Conf-2 we add an extra round in which the participants exchange temporary random public keys; in this way the protocol provides forward secrecy.

Protocol. Let U = {U_1, ..., U_n} be the initial participant set; each participant U_i, 1 ≤ i ≤ n, knows U. Without loss of generality, we assume that U_1 is the initiator who calls for a conference for the set U and sets the session token ST. Before executing the protocol, each participant is given a public/private key pair by running the algorithm Gen; the key pair (PK_i, SK_i) = (y_i, x_i) satisfies y_i = g^{x_i} mod p. Let h be a collision-resistant hash function, which is used in the modified ElGamal signature scheme; it is always computed over the session token ST as well, which is unique to each conference session and so prevents replay attacks.

In this protocol, each participant U_i first selects a random value v_i and computes his temporary public key Y_i = y_i^{v_i} mod p, then broadcasts this key to the other participants together with its signature. Once every participant has authenticated the new public keys, the participants run Conf-1 with the temporary public keys in place of the long-lived ones. Like k_i, the exponent v_i is session state rather than long-lived key material and is discarded once the conference key has been computed: an adversary holding both x_i and v_i could recover the partial secrets from the broadcast u_{j,i}, whereas x_i alone does not suffice. The protocol is formalized in Figure 4.2.

Security Analysis. We prove that protocol Conf-2 meets all the security requirements defined in the previous chapter. First, Lemma 4 shows that the protocol provides validity, fairness and fault tolerance against malicious participants.

– System parameters are the same as in Conf-1.

Participant U_i does the following four steps:

Step 1. Temporary Public Key Exchange
(a) Randomly select R'_i ∈ Z_q^* and v_i ∈ Z_q^*.
(b) Broadcast Y_i = y_i^{v_i} mod p.
(c) Broadcast the signature of the temporary key, Sig(Y_i) = (r'_i, s'_i), where r'_i = g^{R'_i} mod p and s'_i = R'_i^{-1}(h(SID, r'_i, Y_i) − r'_i x_i) mod q.

Step 2. Temporary Public Key Verification
(a) Check that (r'_j, s'_j) is a correct signature on Y_j, for all j ≠ i.

Step 3. Message Sending
(a) Randomly select k_i ∈ Z_q and R_i ∈ Z_q^*.
(b) Broadcast u_{i,j} = Y_j^{k_i} mod p, for all j ≠ i.
(c) Broadcast NIPVS(g, Y_1, ..., Y_n, u_{i,1}, ..., u_{i,n}).
(d) Broadcast the signature of the partial secret, Sig(g^{k_i}) = (r_i, s_i), where r_i = g^{R_i} mod p and s_i = R_i^{-1}(h(SID, r_i, g^{k_i}) − r_i x_i) mod q.

Step 4. Conference Key Computing
(a) Compute c_j = (u_{j,i})^{(x_i v_i)^{-1}} mod p, for all j ≠ i.
(b) Check that (r_j, s_j) is a correct signature on c_j, for all j ≠ i.
(c) Verify NIPVS(g, Y_1, ..., Y_n, u_{j,1}, ..., u_{j,n}).
(d) If U_j's messages pass the checks in the previous two steps, add U_j to the honest participant set U_i.
(e) Compute the conference key sk of session SID as
    sk = ∏_{j ∈ U_i} c_j mod p = g^{Σ_{j ∈ U_i} k_j} mod p.

Figure 4.2: Protocol Conf-2
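The following Python simulation is an added example, not code from the thesis, of one run of Conf-1 (Figure 4.1) and one run of Conf-2 (Figure 4.2) over the same toy group; Conf-1 is the special case of Conf-2 with v_i = 1. The group p = 1019, q = 509, g = 4, the session identifier, the seeded random source and the behaviour of the cheating participant (who sends U_2 a partial secret different from the one sent to everyone else) are all assumptions for illustration. The honest participants exclude the cheater through the signature and NIPVS checks and still agree on sk. The last function shows what the extra round buys: from the broadcast u_{j,i} and the long-lived key x_i alone, the partial secrets of a Conf-1 run are recoverable, while those of a Conf-2 run are not once v_i is gone.

```python
import hashlib
import random

# Toy group, an assumption for this example: p = 2q + 1 with q prime and
# g = 4 of order q in Z_p^*.  Real deployments use p of 2048 bits or more.
p, q, g = 1019, 509, 4
SID = b"conf-session-42"    # constructed session identifier
rng = random.Random(2004)   # seeded only so that runs are reproducible

def _enc(parts):
    return b"|".join(x if isinstance(x, bytes) else str(x).encode() for x in parts)

def H(*parts):
    """The hash h(.) of the signature scheme, mapped into Z_q^* = {1, ..., q-1}."""
    return 1 + int.from_bytes(hashlib.sha256(_enc(parts)).digest(), "big") % (q - 1)

def challenge(*parts):
    """Fiat-Shamir challenge of the NIPVS.  The whole digest is kept for the
    transcript comparison, and its residue mod q is never 0 (with a 9-bit q a
    challenge of 0 mod q would let an inconsistent sender pass)."""
    big = int.from_bytes(hashlib.sha256(_enc(parts)).digest(), "big")
    return big * q + 1 + big % (q - 1)

def sign(x, msg):
    """Modified ElGamal signature of Figure 4.1: r = g^R, s = R^-1 (h - r x)."""
    R = rng.randrange(1, q)
    r = pow(g, R, p)
    return r, pow(R, -1, q) * (H(SID, r, msg) - r * x) % q

def verify(y, msg, sig):
    r, s = sig
    return pow(g, H(SID, r, msg), p) == pow(y, r, p) * pow(r, s, p) % p

def nipvs_prove(bases, us, k):
    """Proof that log_{B_j} u_j = k for every j: commitments B_j^t, c, w = t - ck."""
    t = rng.randrange(q)
    commits = [pow(B, t, p) for B in bases]
    c = challenge(g, *bases, *us, *commits)
    return c, (t - c * k) % q

def nipvs_verify(bases, us, proof):
    c, w = proof
    commits = [pow(B, w, p) * pow(u, c, p) % p for B, u in zip(bases, us)]
    return c == challenge(g, *bases, *us, *commits)

class Participant:
    def __init__(self, i, forward_secure, cheat=False):
        self.i, self.cheat = i, cheat
        self.x = rng.randrange(1, q)                # long-lived secret key x_i
        self.y = pow(g, self.x, p)                  # public key y_i = g^x_i
        # Conf-2 exponent v_i (v_i >= 2 keeps the forward-secrecy check below
        # deterministic); Conf-1 is the special case v_i = 1.
        self.v = rng.randrange(2, q) if forward_secure else 1
        self.Y = pow(self.y, self.v, p)             # temporary key Y_i = y_i^v_i

    def step1(self):
        """Conf-2 Step 1: broadcast the signed temporary key (Conf-1: y_i itself)."""
        return self.Y, sign(self.x, self.Y)

    def send(self, bases):
        """Conf-1 Step 1 / Conf-2 Step 3: broadcast u_{i,j}, NIPVS and Sig(g^k_i)."""
        self.k = rng.randrange(1, q)
        us = [pow(B, self.k, p) for B in bases]
        if self.cheat:                               # inconsistent share for U_2
            us[1] = pow(bases[1], (self.k + 1) % q, p)
        return us, nipvs_prove(bases, us, self.k), sign(self.x, pow(g, self.k, p))

    def compute_key(self, bases, pubkeys, msgs):
        """Conf-1 Step 2 / Conf-2 Step 4: keep honest senders, multiply their c_j."""
        inv = pow(self.x * self.v % q, -1, q)       # (x_i v_i)^-1 mod q
        honest, sk = [], 1
        for j, (us, proof, sig) in msgs.items():
            c_j = pow(g, self.k, p) if j == self.i else pow(us[self.i], inv, p)
            if j == self.i or (verify(pubkeys[j], c_j, sig) and nipvs_verify(bases, us, proof)):
                honest.append(j)
                sk = sk * c_j % p
        return honest, sk

def run_conference(n=4, forward_secure=False, cheater=None):
    """One run; returns ({i: (honest set, sk)}, participants, broadcast messages)."""
    users = [Participant(i, forward_secure, cheat=(i == cheater)) for i in range(n)]
    pubkeys, bases = [u.y for u in users], []
    for u in users:                                  # Conf-2 Steps 1-2
        Y, sig = u.step1()
        assert verify(u.y, Y, sig), "temporary key signature rejected"
        bases.append(Y)
    msgs = {u.i: u.send(bases) for u in users}       # the single message round
    return {u.i: u.compute_key(bases, pubkeys, msgs) for u in users}, users, msgs

def x_alone_recovers(receiver, sender, msgs):
    """Can an attacker holding only receiver.x (v_i erased) recover the sender's
    g^k from u_{sender,receiver}?  True for Conf-1, False for Conf-2."""
    u = msgs[sender.i][0][receiver.i]
    return pow(u, pow(receiver.x, -1, q), p) == pow(g, sender.k, p)

if __name__ == "__main__":
    for fs in (False, True):
        results, users, msgs = run_conference(forward_secure=fs, cheater=2)
        for i, (honest, sk) in results.items():
            print(f"Conf-{2 if fs else 1} U{i + 1}: honest={honest} sk={sk}")
        print("  x alone recovers partial secret:", x_alone_recovers(users[0], users[1], msgs))
```

Run the file directly to print each participant's honest set and conference key for both protocols. U_2 rejects the cheater because the signature on g^{k} does not match the g^{k+1} it decrypts, and every other honest participant rejects him because the NIPVS transcript no longer verifies; both checks are needed, since either alone would let one side of the inconsistency through.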

Then we follow the Bellare-Rogaway model to prove authentication and indistinguishability in Lemma 5 and Lemma 6, respectively, and Theorem 3 concludes the proofs. Forward secrecy is captured by the fs-fresh oracle definition, as explained below.

Lemma 4 (Fault tolerance, Validity and Fairness) All honest participants who follow the protocol compute a common conference key with overwhelming probability, no matter how many participants are malicious. Furthermore, the common conference key is determined by the honest participants without bias.

Proof. In this protocol every user can authenticate the temporary public keys, since they are signed with the modified ElGamal signature scheme. Once the temporary keys are authenticated, the remaining steps are identical to protocol Conf-1, so fault tolerance, validity and fairness follow as in Lemma 1. □

Here we again follow Bresson et al. [12] and divide the proof into two cases: the adversary A breaks the protocol either by forging a signature with respect to some participant's signing key, or without forging a signature. For authentication, we show that if A gains her advantage by forging a signature, then A can be used to construct a forging algorithm F against the signature scheme S, by guessing which participant A will choose to impersonate during the protocol runs. For indistinguishability, we show that if A could break the protocol without altering the content of the flows (i.e. without forging a signature on some message), then we can construct an algorithm D that solves an instance of the DDH problem. For forward secrecy, we use the different notion of a fresh oracle, called fs-fresh, from Section 3.2. Under this definition the adversary A may make a Corrupt query on U after the Test query on U; since Corrupt(U) returns only U's long-lived secret key, it discloses no information about the session keys established previously in the forward-secure setting.

Lemma 5 (Authentication) Assume the random oracle model. Suppose an outsider A can impersonate a legal participant U_i by forging his signature, with non-negligible advantage ε within time t, being allowed to query the signing oracle q_s times. Then A can be used to construct a forging algorithm F against the signature scheme S that succeeds with non-negligible advantage ε/n within time t' ≤ t + q_s T(k).

Proof. We use A to construct a forging algorithm F for the signature scheme S. F is given some participant's public key e in the signature scheme S and access to a signing oracle for the corresponding secret key d. A successful F must output a valid signature (m, σ), i.e. S.Ver(e, m, σ) = 1, on some message m that was not previously asked of the signing oracle. The forger F proceeds as follows:

1. Setup
(a) Randomly choose a participant U' ∈ U.
(b) For the participant U_i = U', assign the given e as his public key y_i.
(c) For every other participant U_i ≠ U', run the key generation function Gen of the protocol to assign U_i's key pair (y_i, x_i), where y_i = g^{x_i}.

2. F runs A as a subroutine, answering A's queries as follows and maintaining a list H for hash queries.
– Send(U_i, s, m): F outputs what the protocol prescribes. When F needs to generate a signature for the selected user U_i = U', on the temporary key Sig(Y_i) or on the partial secret Sig(g^{k_i}), he queries the signing oracle; otherwise he signs himself, because he owns all other keys.
– Reveal(U_i, s): returns the sk that Π_{U_i}^s was involved in.
– Corrupt(U_i): if U_i = U', F fails; else returns participant U_i's long-lived secret key x_i.
– h(m): if (m, h(m)) is not in F's list H, returns a random string r and adds (m, r) to the list; else returns the hash value already recorded for m.

3. Output. During the execution of A, if A makes a query Send(·, (m, σ)), where σ is a valid signature on m with respect to y_i for U_i = U' and m was not previously queried to the signing oracle, then F outputs (m, σ) as his forgery. Otherwise, when A terminates, F fails.

By assumption, A forges a signature with non-negligible advantage ε within time t, and the probability that this forgery is with respect to the chosen participant U' is at least 1/n. Thus the forger F succeeds with probability Succ_S^{cma}(F) ≥ ε/n, and its running time is t' ≤ t + q_s T(k), where T(k) is the cost of one signing-oracle query. □

Lemma 6 (Indistinguishability) Assume the random oracle model. Suppose an adversary A can break the protocol without altering the content of the flows, with advantage at least ε within time t. Then we can construct an algorithm D that solves an instance of the DDH problem with advantage ε/n within time t' ≤ t + q_h T(k).

Proof. Given an instance (g, p, u_1, u_2, u_3) of the DDH problem, we show that the algorithm D can distinguish an input (g, p, u_1, u_2, u_3) ∈ D_n from one in R_n with non-negligible advantage while running A as a subroutine. It proceeds as follows:

1. Setup
(a) Randomly choose two participants U', U'' ∈ U.
(b) For the participant U_i = U'', assign the given u_1 as his public key y_i.
(c) For every other participant U_i ≠ U'', assign U_i's key pair as follows: choose a random r_i ∈ Z_q and set (y_i, x_i) = (g^{r_i}, r_i), so that the key pair has the correct form y_i = g^{x_i}.

2. D runs A as a subroutine, answering A's queries as follows and maintaining a list H for hash queries.
– Send(U_i, s, m): if the query belongs to Step 1 or Step 2, D follows the protocol, choosing v_j himself for every participant (so Y_j = y_j^{v_j}; for U'' the signature on Y_j is forged through the hash oracle exactly as in step iv below). Otherwise D does the following.
  i. If U_i = U', set c_i = u_2; else choose a random k_i ∈ Z_q and set c_i = g^{k_i}.
  ii. If U_i = U', set u_{i,j} = u_3^{v_j} for U_j = U'' and u_{i,j} = u_2^{r_j v_j} for U_j ≠ U', U''; else set u_{i,j} = Y_j^{k_i} for all j ≠ i.
  iii. Forge the NIPVS through the hash oracle: randomly select (c, w) and record H(g ‖ Y_1 ‖ ··· ‖ Y_n ‖ u_{i,1} ‖ ··· ‖ u_{i,n} ‖ Y_1^w u_{i,1}^c ‖ ··· ‖ Y_n^w u_{i,n}^c) = c in the list H.
  iv. If U_i = U'', D does not know the signing key and must forge the signature on c_i: he randomly selects a ∈ Z_q and b ∈ Z_q^*, returns (r_i, s_i) = (g^a y_i^b, −r_i b^{-1}), and records H(SID, r_i, c_i) = −r_i a b^{-1} in the list H. Otherwise he signs himself, because he generated all other participants' keys.
– Reveal(U_i, s): returns the sk that Π_{U_i}^s was involved in. Although D does not know U_i's secret key when U_i = U'', he can compute the session key sk from the other participants under his control.
– Corrupt(U_i): if U_i = U'', D fails; else returns participant U_i's long-lived secret key x_i.
– Test(U_i, s): flips a coin b ∈ {0, 1}. If b = 1, returns sk = u_2 · ∏_{j ∈ U_i, U_j ≠ U'} g^{k_j}; else returns a random string drawn from the same distribution as the session key.
– h(m): if (m, h(m)) is not in D's list H, returns a random string r and adds (m, r) to the list; else returns the hash value already recorded for m.

3. Output. Eventually A outputs a guess b' and wins the game if b = b'. If A wins, the distinguisher D outputs 1 (the input is a DDH tuple); otherwise D outputs a random bit b'' ∈ {0, 1}.

By assumption, A breaks the protocol without altering the content of the flows with advantage at least ε within time t. The probability that D returns the random sk is 1/2, and the probability that A distinguishes the real sk using the messages sent to U'' is at least 1/n. Thus the distinguisher D succeeds with probability Succ^{DDH}(D) ≥ 1/2 + ε/n, and its running time is t' ≤ t + q_h T(k), where T(k) is the cost of one hash-oracle query. □

Theorem 3 Assume the random oracle model and a broadcast channel. Protocol Conf-2 meets all the security requirements: Authentication, Validity, Fairness, Fault tolerance, Indistinguishability and Forward secrecy.

Proof. Validity, fairness and fault tolerance are shown in Lemma 4, authentication in Lemma 5, and indistinguishability in Lemma 6. Forward secrecy follows from proving indistinguishability under the fs-fresh definition of the oracle, which allows Corrupt queries after the Test query on some user U. Thus the protocol meets all the security requirements mentioned. □

4.3 Protocol Conf-3

In the previous section we used an extra round to exchange temporary public keys in order to provide forward secrecy. In this section we combine a forward-secure PKI with protocol Conf-1 to achieve forward secrecy. Our motivation is as follows. Since the protocol uses a public-key cryptosystem, in practice all users must contact a trusted Certification Authority (CA) to confirm the validity of the other participants' public keys before performing key agreement. Moreover, since many forward-secure cryptosystems have been proposed (e.g. [14, 22]), we can assume that our system provides such functionality. Therefore we can use the CA as a token service server (TSS): when a participant queries the Certificate Revocation List (CRL) from the CA, the CA issues the common session token ST at the same time. Thus all conference participants can update their keys to the same time period.

Protocol. Let U = {U_1, ..., U_n} be the initial participant set; each participant U_i, 1 ≤ i ≤ n, knows U. Without loss of generality, we assume that U_1 is the initiator who calls for a conference for the set U and registers U together with SID at the TSS. Before executing the protocol, each participant is given a public/private key pair that can be updated periodically, provided by the forward-secure PKI. At the beginning, each participant U_i updates his secret key to the time period ST, which he obtains from the TSS. He then runs the same steps as in protocol Conf-1, except that the partial secret is encrypted and signed with the keys of time period ST. After computing the session key sk, he must update his secret key again, i.e. to time period ST + 1. This step is essential to forward secrecy: once the participant's key is obtained by an attacker, the updated key prevents the attacker from going back to the decryption key that was used during the conference key agreement. The protocol is described in detail in Figure 4.3.

Security Analysis. We prove that protocol Conf-3 meets all the security requirements defined in the previous chapter. Again, Lemma 7 shows that the protocol provides validity, fairness and fault tolerance against malicious participants; authentication and indistinguishability are proved in Lemma 8 and Lemma 9, respectively; and Theorem 4 concludes the proofs.

– System parameters are g, p, q and the hash function h(·).
– Each participant U_i holds his secret key x_{i(t)}, which can be updated to the corresponding time period t, and can access the public keys y_j of all other participants, 1 ≤ j ≤ n.
– Before each conference starts, all participants must contact the Token Service Server (TSS) to obtain the session token ST.

Participant U_i does the following two steps:

Step 1. Message Sending
(a) Update the key x_{i(t)} to the time period ST, i.e. to x_{i(ST)}.
(b) Randomly select k_i ∈ Z_q.
(c) Broadcast u_{i,j} = FE.Enc(y_j, ST, g^{k_i}), for all j ≠ i.
(d) Broadcast NIP(consistency of g^{k_i}).
(e) Broadcast s_i = FS.Sig(x_{i(ST)}, ST, (u_{i,1}, ..., u_{i,n}, ST)).

Step 2. Conference Key Computing
(a) Compute c_j = FE.Dec(y_i, ST, x_{i(ST)}, u_{j,i}), for all j ≠ i.
(b) Check that FS.Ver(y_j, (u_{j,1}, ..., u_{j,n}, ST), s_j) = 1, for all j ≠ i.
(c) Verify NIP(consistency of g^{k_j}).
(d) If U_j's messages pass the checks in the previous two steps, add U_j to the honest participant set U_i.
(e) Compute the conference key sk of session SID as
    sk = h(∏_{j ∈ U_i} c_j mod p, SID, ST).
(f) Update the key x_{i(ST)} to the next time period, i.e. to x_{i(ST+1)}.

Figure 4.3: Protocol Conf-3

(52) Lemma 7 (Fault tolerance, Validity and Fairness) All honest participants who follow the protocol compute a common conference key with an overwhelming probability no matter how many participants are malicious. Furthermore, the common conference key is determined by the honest participants unbiasedly. Proof. In this protocol, all arguments about its validity and fairness are similar to lemma 1. For fault tolerance, we use an generic form of non-interactive proof (NIP) system to prove the consistence of the partial secret that participant sent. We can design a NIP based on what kind of forward secure encryption scheme we use, because based on standard intractability assumptions, it is known how to construct a non-interactive zero-knowledge proof for any NP-set [25]. Once we has the NIP, the fault tolerance is guaranteed as we explain in lemma 1.. 2. As previous proof for protocol Conf-2, we assume that the adversary A breaks our protocol either by forging a signature with respect to some participant’s signing key, or without forging a signature. For authentication, we show that if A gains her advantage by forging a signature, we use A to construct a signature forging algorithm F against a forward secure signature scheme FS, by guessing which participant that A will choose to producing a forgery during the protocol runs. For indistinguishability, if A could break the protocol without altering the content of the flows (i.e. forging a signature of some messages), then we can construct an algorithm X against the underlying forward secure encryption scheme FE in the multi-user setting.. 43.

Lemma 8 (Authentication). Assume the random oracle model. If an outsider $\mathcal{A}$ can impersonate a legal participant $U_i$ by forging his signature with non-negligible advantage $\epsilon$ within time $t$, being allowed to query the signing oracle $q_s$ times, then we can use $\mathcal{A}$ to construct a signature-forging algorithm $\mathcal{F}$ against the forward secure signature scheme FS that succeeds with non-negligible advantage $\epsilon/n$ within time $t' \le t + q_s T(k)$.

Proof. We use $\mathcal{A}$ to construct a forging algorithm $\mathcal{F}$ for the forward secure signature scheme FS. $\mathcal{F}$ is given some participant's public key $e$ in FS and access to a signing oracle for the corresponding secret key $d$. A successful $\mathcal{F}$ must output a valid signature³ $(m, \sigma)$ on some message $m$ that was not previously asked of the signing oracle. The forger $\mathcal{F}$ proceeds as follows:

1. Setup
   (a) Randomly choose a participant $U' \in \mathcal{U}$.
   (b) For the participant $U_i = U'$, assign the given $e$ as his public key $y_i$.
   (c) For every other participant $U_i \ne U'$, run the key generation function Gen of the protocol to assign $U_i$'s key pair $(y_i, x_i^{(t)})$, where $t = 0$ initially.

2. $\mathcal{F}$ runs $\mathcal{A}$ as a subroutine. $\mathcal{F}$ answers $\mathcal{A}$'s queries as follows, and maintains a list $H$ for hash queries.
   - Send$(U_i, s, m)$: $\mathcal{F}$ outputs what the protocol prescribes. When it needs to generate the signature FS.Sig$(\cdot)$ on a partial secret for the selected user $U_i = U'$, it queries the signing oracle. Otherwise it signs by itself, because it owns all the other keys.
   - Reveal$(U_i, s)$: returns the session key $sk$ that $\Pi^s_{U_i}$ was involved in.
   - Corrupt$(U_i)$: if $U_i = U'$ then $\mathcal{F}$ fails; else returns participant $U_i$'s long-lived secret key $x_i^{(t)}$ for some time period $t$.
   - $h(m)$: if $(m, h(m))$ is not in $\mathcal{F}$'s list $H$, return a random string $r$ and add $(m, r)$ to the list; else return the hash value already recorded for $m$.

3. Output. During the execution of $\mathcal{A}$, if $\mathcal{A}$ makes a query Send$(\cdot, (m, \sigma))$ where $\sigma$ is a valid signature on $m$ with respect to $y_i$ for $U_i = U'$, and $m$ was not previously queried to the signing oracle, then $\mathcal{F}$ outputs $(m, \sigma)$ as its forgery. Otherwise, when $\mathcal{A}$ terminates, the forger $\mathcal{F}$ fails.

At the beginning we assumed that $\mathcal{A}$ can forge a signature with non-negligible advantage $\epsilon$ within time $t$, and the probability that this forgery is with respect to our chosen participant $U'$ is at least $1/n$. Thus the forger $\mathcal{F}$ succeeds with probability $\mathrm{Succ}^{fs\text{-}cma}_{FS}(\mathcal{F}) \ge \epsilon/n$, and its running time is $t' \le t + q_s T(k)$, where $T(k)$ is the running time of one signing-oracle query. □

³ i.e. FS.Ver$(e, m, \sigma) = 1$.

Lemma 9 (Indistinguishability). Assume the random oracle model. If an adversary $\mathcal{A}$ can break the protocol without altering the content of the flows, with advantage at least $\epsilon$ within time $t$, then we can construct an algorithm $\mathcal{X}$ against the underlying forward secure encryption scheme FE in the multi-user setting with advantage $\epsilon/(n\,q_h)$ within time $t' \le t + q_h T(k)$.

Proof. $\mathcal{X}$ is given an instance of the fs-CCA game in the multi-user setting as follows:
   - public keys $e_1, \ldots, e_{n-1}$ generated by algorithm Gen;
   - two random strings $m_0$ and $m_1$;
   - ciphertexts $C_1 = \text{FE.Enc}(e_1, T, m_b), \ldots, C_{n-1} = \text{FE.Enc}(e_{n-1}, T, m_b)$ for some fixed time period $T$ and $b \in_R \{0, 1\}$.

The goal of $\mathcal{X}$ is to guess whether $b = 0$ or $b = 1$ with non-negligible advantage, while running $\mathcal{A}$ as a subroutine. It does the following:

1. Setup
   (a) Randomly choose participants $U_1, \ldots, U_n \in \mathcal{U}$.
   (b) For participants $U_1, \ldots, U_{n-1}$, assign the given $e_i$ as $U_i$'s public key $y_i$.
   (c) For the other participants in $\mathcal{U}$, assign their encryption key pairs by FE.Gen; for simplicity we exclude them from protocol runs, except $U_n$.
   (d) For all participants in $\mathcal{U}$, assign signing key pairs using FS.Gen.

2. $\mathcal{X}$ runs $\mathcal{A}$ as a subroutine. $\mathcal{X}$ answers $\mathcal{A}$'s queries as follows, and maintains a list $H$ for hash queries.
   - Send$(U_i, s, m)$: $\mathcal{X}$ does the following steps.
     i. If $ST = T$ and $U_i = U_n$, set $u_{i,j} = C_j$ for $1 \le j \le n-1$ (and $u_{i,j} = \text{FE.Enc}(e_j, T, m_0)$ for the remaining $j$); otherwise, just follow the protocol.
     ii. Forge the NIP$(\cdot)$ using the hash oracle if necessary.
   - Reveal$(U_i, s)$: since we model the session key as the output of the random oracle, we only need to return a random string, or the corresponding value if the key was revealed previously.
   - Corrupt$(U_i)$: if $U_i \ne U_n$ then $\mathcal{X}$ fails; else return participant $U_n$'s long-lived secret key $x_i^{(t)}$ for some time period.
   - Test$(U_i, s)$: return a random string $sk$ selected from the distribution of session keys.
   - $h(m)$: if $(m, h(m))$ is not in $\mathcal{X}$'s list $H$, return a random string $r$ and add $(m, r)$ to the list; else return the hash value already recorded for $m$.

3. Output. Eventually, adversary $\mathcal{A}$ terminates and outputs a guess $b'$. $\mathcal{X}$ determines its own guess using the random oracle's hash list $H$: it checks all queries made by $\mathcal{A}$ of the form $h(z, SID, ST)$. If there exists an entry with $z = m_0 \cdot c_j \bmod p$ for all $1 \le j \le n$, then $\mathcal{X}$ returns the guess $b'' = 0$; else it returns $b'' = 1$.

At the beginning we assumed that $\mathcal{A}$ can break the protocol without altering the content of the flows, with advantage at least $\epsilon$ within time $t$. Thus the algorithm $\mathcal{X}$ succeeds with probability $\mathrm{Succ}^{fs\text{-}CCA}_{m\text{-}FE}(\mathcal{X}) \ge \epsilon/(n\,q_h)$, where $q_h$ is the number of hash queries made by the adversary, and its running time is $t' \le t + q_h T(k)$, where $T(k)$ is the running time of one hash-oracle query. □

Theorem 4. Assume the random oracle model and a broadcast channel. The protocol Conf-1 meets all security requirements: authentication, validity, fairness, fault tolerance, indistinguishability, and forward secrecy.

Proof. We have argued validity, fairness, and fault tolerance of the protocol in Lemma 7. Its authentication is shown in Lemma 8, and its indistinguishability is proved in Lemma 9. Finally, we note that forward secrecy is implicit in the breaking of the schemes FE and FS in the last two lemmas. Thus the protocol meets all the above security requirements. □
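The advantage and running-time bounds claimed in Lemmas 8 and 9, written out in the thesis's own symbols as an added accounting (not part of the original text). It assumes, as both proofs do implicitly, that $\mathcal{A}$'s success is independent of the simulator's random choice of participant ($U'$ in Lemma 8, $U_n$ in Lemma 9) and, in Lemma 9, charges a pessimistic factor $1/q_h$ for the relevant hash entry being one of $q_h$ queries:

$$
\begin{aligned}
\mathrm{Succ}^{fs\text{-}cma}_{FS}(\mathcal{F})
  &= \Pr[\mathcal{A}\text{ forges}] \cdot \Pr[\text{forged identity} = U']
   \;\ge\; \epsilon \cdot \tfrac{1}{n}, \\
t' &\le t + q_s\, T(k)
   \qquad\text{(at most one signing-oracle call per Send that needs FS.Sig}(\cdot)\text{)}, \\[4pt]
\mathrm{Succ}^{fs\text{-}CCA}_{m\text{-}FE}(\mathcal{X})
  &\ge \Pr[\mathcal{A}\text{ wins}] \cdot \Pr[\text{guess of } U_n \text{ is right}]
       \cdot \Pr[\text{relevant entry of } H \text{ is used}]
   \;\ge\; \epsilon \cdot \tfrac{1}{n} \cdot \tfrac{1}{q_h}, \\
t' &\le t + q_h\, T(k)
   \qquad\text{(one hash-oracle call per } h(\cdot) \text{ query of } \mathcal{A}\text{)}.
\end{aligned}
$$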

Chapter 5 Conclusion

We have presented two new round-efficient conference key agreement protocols and provided proofs of their security. Both protocols meet all our security requirements. In the following section, some previously proposed conference key agreement protocols are compared with ours in terms of efficiency and security. Finally, we give our conclusions and discuss some future work.

5.1 Comparison

Since our protocols focus on forward secrecy and round efficiency, we compare them with some existing conference key agreement protocols in this section. For security, we consider the properties authentication, fairness, forward secrecy, and fault tolerance. The comparison is summarized in Table 5.1.

Protocol      auth.   fairness   forward secrecy   fault tolerance
Conf-1        Yes     Yes        No                Yes
Conf-2        Yes     Yes        Yes               Yes
Conf-3        Yes     Yes        Yes               Yes
BD94 [13]     No      Yes        Yes               No
TT00 [31]     Yes     Yes        No                Yes
BM03 [8]      Yes¹    Yes        No                No

Table 5.1: Security Comparison of Conference Key Agreement Protocols

For efficiency, we analyze the performance of the protocols in terms of communication rounds and message complexity. We compare them in Table 5.2.

Protocol      rounds   broadcasts   message size²   total messages
Conf-1        1        1            O(n)            O(n²)
Conf-2        2        2            O(n)            O(n²)
Conf-3        1        1            O(n)            O(n²)
BD94 [13]     2        2            O(1)            O(n)
TT00 [31]     1        1            O(n)            O(n²)
BM03 [8]      1        1            O(1)            O(n)

Table 5.2: Efficiency Comparison of Conference Key Agreement Protocols

¹ It will suffer from a replay attack.
² It counts the number of messages that one participant sends.

5.2 Conclusion

We have proposed two new conference key agreement protocols, which use different approaches to achieve forward secrecy. Both protocols have been proved secure under Bellare and Rogaway's model and meet the security requirements: authentication, validity, fairness, fault tolerance, indistinguishability and forward secrecy. Though protocol Conf-2 adds an extra round to provide forward secrecy, it still completes in a constant number of rounds, and is as efficient as the well-known protocol proposed by Burmester and Desmedt [13]. Our original aim is finally realized in protocol Conf-3, which combines a forward secure encryption scheme and a forward secure signature scheme, and uses a trusted Token Service Server. It needs only a single round to complete the key agreement, and also provides forward secrecy.

Since we do not assume that all participants are honest, we use the Publicly Verifiable Secret protocol to ensure that all participants send out consistent partial secrets to the other participants. This seems to be the major disadvantage of our protocols, because the message complexity becomes O(n²) for n participants. Therefore, it would be interesting to find a single-round protocol that meets all our security requirements and costs only O(n) messages. Besides, it remains an open problem whether it is possible to construct a multi-party contributory conference key agreement protocol that completes in a single round and also provides forward secrecy without the help of underlying forward secure schemes.

Figures

Figure 4.1: Protocol Conf-1
Figure 4.2: Protocol Conf-2
