ISSN 2319-8133 (Online)
An Authenticated and Secure Group Key Transfer Protocol with Circulant Matrices
Shruti Nathani¹ and B. P. Tripathi²
¹,²Department of Mathematics,
Govt. N.P.G. College of Science, Raipur (C.G.), INDIA.
email: [email protected], [email protected] Corresponding author: [email protected]
(Received on: November 17, 2018)
ABSTRACT
Recently, many group key transfer (GKT) protocols based on Shamir's secret sharing (SSS) have been proposed. In traditional GKT protocols, all group members first register with a key generation center (KGC), and at registration each shares a long-term secret password with the KGC. The KGC then randomly selects a group key and securely distributes it to all authorized group members. In many conventional GKT protocols, however, the KGC and each group member need to compute a t-degree interpolating polynomial to generate and recover the secret group key. In 2016, Hsu et al. gave a new and efficient GKT protocol. In their scheme, information related to the group key was hidden using a Vandermonde matrix, and a linear secret sharing scheme on the Vandermonde matrix was employed to distribute the group key efficiently. Inspired by Hsu et al., in this paper we present an authenticated and secure GKT protocol based on SSS with circulant matrices. Because it uses circulant matrices, our protocol is more efficient and robust in terms of communication and computational complexity. All the important security features in group communication are also handled in our protocol.
Keywords: Circulant matrices, computation efficient, group key transfer protocol, secret sharing.
1. INTRODUCTION
Cryptographic protocols that deal with a group of participants are called group key establishment protocols. With the rapid development of group-oriented applications (such as group video conferences, e-learning, network communications, etc.), group key establishment protocols have been studied extensively in the literature. Group key establishment protocols are often divided into two types: group key transfer protocols and group key agreement protocols [2]. Key transfer protocols rely on a mutually trusted key generation centre (KGC) to select session keys and then transport them secretly to all communication entities. Most often, the KGC encrypts session keys under another secret key shared with each entity during registration. In key agreement protocols, all communication entities are involved in determining session keys.
In general, group key transfer protocols are more efficient than group key agreement protocols because, in group key transfer protocols, a trusted KGC handles most key distribution tasks [6].
In the past few years a large amount of research on group key transfer protocols has been published in the literature. Secret sharing, which was first introduced by Blakley [4] and Shamir [1] in 1979, has been used in the construction of group key transfer protocols for many years. Secret sharing has become one of the most basic building blocks in modern cryptographic research. In 2010, Harn and Lin [5] proposed the first authenticated GKT protocol based on SSS. This novel GKT protocol provides confidentiality and authentication, but to distribute and recover the secret group key, the KGC and each group member have to compute a t-degree interpolating polynomial. In terms of computation and communication storage, this approach is too intensive. To overcome these drawbacks, in 2016 Hsu et al. [2] gave a new and efficient GKT protocol. In their scheme, information related to the group key was hidden by a Vandermonde matrix, and a linear secret sharing scheme on the Vandermonde matrix was employed to distribute the group key efficiently.
In general this protocol drastically reduces the computation load of each group member.
In this paper we propose an efficient, secure and authenticated group key transfer protocol based on a secret sharing scheme using circulant matrices. Some unique features of our proposed GKT protocol are listed below:
1. Our protocol computes group keys efficiently: group keys are generated and distributed by a mutually trusted KGC, and this takes much less time than in other group key transfer protocols.
2. The proposed scheme uses the circulant matrix as a tool. Information related to group keys is hidden using circulant matrices. Thus each participating group member and the KGC have to calculate only the first row of the matrix, which also gives much lower computational complexity.
3. The group key is authenticated by each user and the KGC. Authentication is done with only one message in the whole proposed protocol.
2. PRELIMINARIES
A. Secret Sharing
In a secret sharing scheme, a secret S is divided into n shares and shared among a set of n shareholders by a mutually trusted dealer in such a way that an authorized subset of shareholders can reconstruct the secret but an unauthorized subset of shareholders cannot determine the secret. If no unauthorized subset of shareholders can obtain any information about the secret, then the scheme is called perfect [2].
B. Circulant Matrix [3]
A circulant matrix is a square matrix where, given the first row, the successive rows are obtained by cyclically right shifting the present row by one element. Thus the row of a circulant matrix of size ( × ) is obtained by cyclically right shifting the ( − 1) row by one position, for = 2 , given the first row. Let the first row be the row vector, [ (1), (2), … . . , ( − 1), ( )]. Then the circulant matrix C is obtained as
$$C = \begin{pmatrix} c(1) & c(2) & \cdots & c(n) \\ c(n) & c(1) & \cdots & c(n-1) \\ \vdots & \vdots & \ddots & \vdots \\ c(2) & c(3) & \cdots & c(1) \end{pmatrix}$$
The most important property of circulant matrices is they are multiplicatively commutative.
C. SSS based on Circulant matrix
Suppose we take a group of n participants (1 ≤ ≤ ) and is the private secret of each user (1 ≤ ≤ ). So, in SSS based on circulant matrices there are shareholders = { , , ,⋯ , } and a mutually trusted key generation center KGC. This scheme consists of two algorithms:
Share generation Algorithms
KGC first picks all the shared secrets ′ of each user and form circulant matrices {[ ], [ ], ⋯ , [ ]} of each user (1 ≤ ≤ ).
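$$C_i = \mathrm{Circ}(x_i^{1}, x_i^{2}, \ldots, x_i^{n}) = \begin{pmatrix} x_i^{1} & x_i^{2} & \cdots & x_i^{n} \\ x_i^{n} & x_i^{1} & \cdots & x_i^{n-1} \\ \vdots & \vdots & \ddots & \vdots \\ x_i^{2} & x_i^{3} & \cdots & x_i^{1} \end{pmatrix}$$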
and then calculates the shares of each user (1 ≤ ≤ ) by computing
[ ]
, ,⋯ =
Thus, this algorithm outputs a list of shares { , , ⋯ , }.
Secret Reconstruction Algorithm
This algorithm takes all n shares { , ,
,⋯ , }. Each participating member has long term private key and public vector → = (
,, ⋯ )as inputs and outputs the secret
= + + ⋯ +
by computing each product
= , , ⋯ , . ( ,
,⋯ ),
for each , 1 ≤ ≤ .
3. PROPOSED PROTOCOL
We assume that there are members in a group {1,2, ⋯ , }. The detailed steps are as follows:
User Registration
Each user is required to register at the KGC to subscribe to the key distribution service. The KGC keeps track of all registered users and removes any unsubscribed users.
During registration each user shares his/her long-term secret ∈ with the KGC in a secure manner. The KGC publishes ℎ(.).
Group Key Generation and Distribution
Suppose a group of members { , , ⋯ } and the shared secrets are , , ⋯ , . The key generation and distribution process contains five steps.
1. The initiator sends a key generation request to KGC with a list of group members as { , , ⋯ , }.
2. The KGC broadcasts the list of group members { , , ⋯ , } as a response.
3. Upon receiving the response from the KGC, each participating group member { } selects a random number ∈ and sends it to the KGC.
4. KGC randomly selects a group key ∈ ( ≠ ∑ ). Now KGC computes the secret of each user by computing the product
[ ]
, ,⋯ =
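$$s_i = \mathrm{Circ}(x_i^{1}, x_i^{2}, \ldots, x_i^{t}) \cdot \mathrm{Circ}(r_1, r_2, \ldots, r_t) = \begin{pmatrix} x_i^{1} & x_i^{2} & \cdots & x_i^{t} \\ x_i^{t} & x_i^{1} & \cdots & x_i^{t-1} \\ \vdots & \vdots & \ddots & \vdots \\ x_i^{2} & x_i^{3} & \cdots & x_i^{1} \end{pmatrix} \begin{pmatrix} r_1 & r_2 & \cdots & r_t \\ r_t & r_1 & \cdots & r_{t-1} \\ \vdots & \vdots & \ddots & \vdots \\ r_2 & r_3 & \cdots & r_1 \end{pmatrix}$$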
Here, is also a circulant matrix. After computing the secret of each user , KGC also computes the additional values , 1 ≤ ≤ ,
such that = − , where = ( , , ⋯ )
and the value of
$$Auth = h(K_G, U_1, \ldots, U_t, r_1, \ldots, r_t, u_1, \ldots, u_t).$$
Finally, the KGC broadcasts { ℎ, } for = 1 to all group members.
5. Now each participating group member , for = 1 knowing their corresponding public value , is able to compute the product
[ ]
, ,⋯ =
and recover the group key by computing
= ( + ) which is of the form
= ( , , ⋯ )
Afterwards, each (1 ≤ ≤ ), computes
$$Auth^{*} = h(K_G, U_1, \ldots, U_t, r_1, \ldots, r_t, u_1, \ldots, u_t),$$
and then checks the hash value , ℎ = ℎ∗.
If this result is correct then each group user , (1 ≤ ≤ ) accepts that the group key was sent by the KGC.
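The distribution and recovery steps above, as an added Python example (not the authors' code) that follows the arithmetic of the Section 4 example: each share is the first row of a product of two circulant matrices, which is the cyclic convolution of their first rows, and each public value is the vector of powers of the group key minus that share. Assumptions: SHA-256 and a `repr`-based encoding stand in for the unspecified hash h, user identifiers are the integers 1 to 5, all function names are hypothetical, and arithmetic is over plain integers as in the paper's example.

```python
import hashlib
import hmac

def circ_mul(a, b):
    """First row of Circ(a) * Circ(b): the cyclic convolution of the first rows."""
    n = len(a)
    return [sum(a[j] * b[(k - j) % n] for j in range(n)) for k in range(n)]

def powers(v, t):
    """(v^1, ..., v^t): first row of a user's circulant matrix, or the key vector."""
    return [v ** e for e in range(1, t + 1)]

def auth_tag(key, users, r, u):
    """Auth over (K, users, challenges, public values); SHA-256 is an assumption."""
    msg = repr((key, list(users), list(r), [u[i] for i in users])).encode()
    return hashlib.sha256(msg).hexdigest()

def kgc_distribute(key, secrets, r):
    """KGC side: u_i = (K, K^2, ..., K^t) - s_i for every user, plus Auth."""
    t = len(r)
    kvec = powers(key, t)
    u = {i: [k - s for k, s in zip(kvec, circ_mul(powers(x, t), r))]
         for i, x in secrets.items()}
    return auth_tag(key, secrets, r, u), u

def member_recover(i, x, users, r, u, auth):
    """Member side: rebuild s_i from the private x_i, add u_i, then verify."""
    t = len(r)
    vec = [a + b for a, b in zip(u[i], circ_mul(powers(x, t), r))]
    key = vec[0]
    if vec != powers(key, t):  # must have the form (K, K^2, ..., K^t)
        raise ValueError("recovered vector is not a vector of powers of K")
    if not hmac.compare_digest(auth_tag(key, users, r, u), auth):
        raise ValueError("Auth mismatch: reject the group key")
    return key

# Values from the Section 4 example; the integer user ids are constructed.
SECRETS = {1: 2, 2: 4, 3: 1, 4: 8, 5: 10}   # long-term secrets
R = [2, 3, 5, 7, 1]                         # members' random challenges
AUTH, U = kgc_distribute(100, SECRETS, R)   # group key 100

if __name__ == "__main__":
    for i, x in SECRETS.items():
        print(i, member_recover(i, x, list(SECRETS), R, U, AUTH))
```

A member rejects the key if its own public value was altered (the recovered vector no longer has the power form) or if any other broadcast value was altered (the Auth comparison fails).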
4. AN EXAMPLE
In our example, we suppose a group of 5 users {
,, , , } want to generate a secure group communication.
User Registration
During the registration each user , 1 ≤ ≤ 5, shares his/her long term secret ∈ with KGC. Suppose shares = 2, shares = 4, shares = 1, shares = 8 and shares = 10 in a secure manner. KGC publishes ℎ(. ).
Group Key Generation and Distribution
1. Suppose (initiator) sends a key generation request to KGC with a list of group members as {
,, , }.
2. The KGC broadcasts the list of group members {
,, , , } as a response.
3. Upon receiving the response from the KGC, each participating group member selects a random number.
Suppose selects = 2, selects = 3, selects = 5, selects = 7 and
selects = 1, and each sends it to the KGC.
4. Now KGC randomly selects a group key = 100. To compute the secrets of each user , first KGC has to make circulant matrices of each participated group user {
,, , , } with their corresponding shared secret value
$$x_1 = 2,\quad x_2 = 4,\quad x_3 = 1,\quad x_4 = 8,\quad x_5 = 10.$$
That is,
$$\begin{aligned}
C_1 &= \mathrm{Circ}(2^1, 2^2, 2^3, 2^4, 2^5) = \mathrm{Circ}(2, 4, 8, 16, 32),\\
C_2 &= \mathrm{Circ}(4^1, 4^2, 4^3, 4^4, 4^5) = \mathrm{Circ}(4, 16, 64, 256, 1024),\\
C_3 &= \mathrm{Circ}(1^1, 1^2, 1^3, 1^4, 1^5) = \mathrm{Circ}(1, 1, 1, 1, 1),\\
C_4 &= \mathrm{Circ}(8^1, 8^2, 8^3, 8^4, 8^5) = \mathrm{Circ}(8, 64, 512, 4096, 32768),\\
C_5 &= \mathrm{Circ}(10^1, 10^2, 10^3, 10^4, 10^5) = \mathrm{Circ}(10, 100, 1000, 10000, 100000).
\end{aligned}$$
Therefore,
= [ ] ( , , , , ),
= (2,4,8,16,32) (2,3,5,7,1),
= (240,294,278,122,182).
= [ ] ( , , , , ),
= (4,16,64,256,1024) (2,3,5,7,1),
= (4824,7020,7620,1836,3252).
= [ ] ( , , , , ),
= (1,1,1,1,1) (2,3,5,7,1),
= (18,18,18,18,18).
= [ ] ( , , , , ),
= (8,64,512,4096,32768) (2,3,5,7,1)
= (122448,193176,234728,42872,80840).
= [ ] ( , , , , )
= (10,100,1000,10000,100000) (2,3,5,7,1)
= (357120,571230,712350,123570,235710).
Now KGC computes the five additional values,
= − = (100, 100 , 100 , 100 , 100 ) − (240,294,278,122,182)
= (−140,9706,999722,99999878, 9999999818).
= − = (100, 100 , 100 , 100 , 100 ) − (4824,7020,7620,1836,3252)
= (−4724,2980,992380,99998164,9999996748).
= − = (100, 100 , 100 , 100 , 100 ) − (18,18,18,18,18).
= (82,9982,999982,99999982,9999999982).
= −
= (100, 100 , 100 , 100 , 100 ) − 122448 , 193176 , 234728 , 42872 , 80840
= (−122348, −183176,765272,99957128,9999919160)
= −
= (100, 100 , 100 , 100 , 100 ) −
357120 , 571230 , 712350 , 123570 , 235710
= (−357020, −561230,287650,99876430,9999764290).
And the value of
ℎ = ℎ = 100, { , , , , }, , , , , , , , , , . Thus, KGC broadcast { ℎ, , , , , } to all the group members.
5. At last to compute the common group key, each participating group member
,1 ≤ ≤ 5, has to solve the equation
= ( + ), 1 ≤ ≤ 5;
where ( 1 ≤ ≤ 5) are the public values broadcast by the KGC and (1 ≤ ≤ 5) are the private secrets of each user . Each user (1 ≤ ≤ 5) also knows the random challenges (1 ≤ ≤ 5). Hence, each participating group user
, is now able to compute the common secret group key by computing which is of the form
= , , , , .
Therefore, User computes,
= [ ] ( , , , , ),
= (2,4,8,16,32) (2,3,5,7,1),
= (240,294,278,122,182).
So, = ( + )
= (−140,9706,999722,99999878, 9999999818) + (240,294,278,122,182)
= (100,10000,1000000,100000000,10000000000)
= (100, 100 , 100 , 100 , 100 )
Thus, = 100.
User computes,
= [ ] ( , , , , ),
= (4,16,64,256,1024) (2,3,5,7,1),
= (4824,7020,7620,1836,3252).
So,
= ( + )
= (−4724,2980,992380,99998164,9999996748) + (4824,7020,7620,1836,3252)
= (100,10000,1000000,100000000,10000000000)
= (100, 100 , 100 , 100 , 100 )
Thus, = 100.
User computes,
= [ ] ( , , , , ),
= (1,1,1,1,1) (2,3,5,7,1),
= (18,18,18,18,18).
So,
= ( + )
= (82,9982,999982,99999982,9999999982) + (18,18,18,18,18)
= (100,10000,1000000,100000000,10000000000)
= (100, 100 , 100 , 100 , 100 )
Thus, = 100.
User computes,
= [ ] ( , , , , ),
= (8,64,512,4096,32768) (2,3,5,7,1)
= (122448,193176,234728,42872,80840).
So,
= ( + )
= (−122348, −183176,765272,99957128,9999919160) + (122448,193176, 234728,42872,80840)