Key Distribution Scheme
Vanesa Daza, Javier Herranz,Carles Padro and GermanSaez
Dept. MatematicaAplicadaIV,UniversitatPolitecnicadeCatalunya
C.JordiGirona,1-3,ModulC3,CampusNord,08034Barcelona,Spain
e-mail: fvdaza,jherranz,matcpl,germang @ma t.upc .es
Abstract
In[16],Naor,PinkasandReingoldintroducedschemesinwhichsome
groups of servers distributekeys among a set of users in a distributed
way. They gave some specic proposals both inthe unconditional and
inthe computationalsecurity framework. Their computationallysecure
schemeisbasedontheDecisionalDiÆe-HellmanAssumption. Thismodel
assumessecure communicationbetweenusers and servers. Furthermore
itrequiresuserstodosomeexpensivecomputationsinordertoobtaina
key.
Inthis paperwemodify the modelintroduced in[16 ], requiring
au-thenticatedchannelsinsteadofassumingtheexistenceofsecurechannels.
Ourmodel makesthe user's computationseasier, because most
compu-tations ofthe protocol are carriedout by servers,keeping toamore
re-alisticsituation. Wepropose abasicscheme,thatmakesuseofElGamal
cryptosystem,andthattsinwiththismodelinthecaseofapassive
ad-versary. Wethenaddzero-knowledgeproofsandveriablesecretsharing
to prevent fromthe action of anactive adversary. We consider general
structures(notonlythethresholdones)forthosesubsets ofserversthat
can provide a key to a user and for those tolerated subsets of servers
thatcanbecorruptedbytheadversary. Wendnecessarycombinatorial
conditionsonthesestructuresinordertoprovidesecuritytoourscheme.
1 Introduction
When agroup of users wish to communicate securely overinsecure channels,
either symmetric or public key cryptosystems are used. Public key schemes
presentsomedrawbacksbothfrom thecommunicationandthecomputational
pointof view. On theother hand, whensymmetric algorithmsare considered
in order to solve this problem, thequestion is then how to set upan eÆcient
mentofthesecretkeyswasintroducedin[17]byNeedhamandSchroeder. This
ideaof a Key DistributionCenter wasformalized in [3]. This model presents
somedrawbacks. A singleserverthat is in chargeof the distribution of keys
to a group of users presents someweak points. It is a possible bottleneck of
thesystemand itmust be trusted. Amongtheproposedsolutionsin order to
remove thisdrawback,the useof Distributed KeyDistribution Centers is one
ofthemostaccepted.
The model in which the task of asingle serveris distributed among a set
of servers, the Distributed Key Distribution Center model, was introduced
in [16]. Schemes tting this model are called Distributed Key Distribution
Schemes. Somespecicrealizationswereproposedbothintheinformation
the-oreticmodel, where no limitsin the computationalpower ofan adversaryare
assumed, and in the computationally secure framework, where the
computa-tionalcapabilityofanadversaryis bounded.
With regard to the information theoretic point of view some studies have
beendonesincethen: in [5]anexhaustivestudyontheamountofinformation
neededto set up and manage such a system waspresented. They considered
threshold accessstructures, thatis, thosesets ofserversthat areauthorizedto
providekeyshaveatleasttservers(tisthethreshold). Afterwards,in[6]itwas
extendedtoamodelconsideringgeneralaccessstructures. Moreover,arelation
between distributed key distribution schemes and secretsharing schemes was
shown.
However,in this paperwefocusoncomputationally securedistributed key
distribution schemes. Previously, in [16] such a scheme was proposed, based
on the Decisional DiÆe-Hellman Assumption [11], as an application of their
scheme for evaluating a pseudo-random function in a distributed way. This
schemeassumessecurecommunicationbetweenusersandservers. Moreover,it
requiresusersto dosomeexpensivecomputationsin ordertogetakey.
Weproposeanewmodelfordescribingdistributedkeydistributionschemes,
wherethesecure channelassumption isweakenedto anauthenticatedchannel
assumption. Weprovideanexplicitconstructionrealizingthismodel. Theuse
of the homomorphic properties of the ElGamal cryptosystem [12] allows the
serverstocarryoutmostcomputationsoftheprotocol. Notethatthisfactts
witha morerealworldoriented situation. Thebasicschemeis secure against
apassive adversary which cancorrupt someset ofserversand obtainalltheir
secretinformation, but can notforce them to change theircorrect role in the
protocol. Those subsetsof serversthat canbecorruptedby theadversaryare
given by an adversary structureA, which must bemonotone decreasing: if a
set ofserversB
1
2A can be corrupted, and B
2 B
1
, then theset of servers
B
2
2Acanbecorrupted,too.
Butwewantourschemetobesecureevenunderthemostpowerfulattacks.
Inthis case, in which we acceptthe presence of an active adversary which is
abletoalterthebehaviorofthecorruptedplayersduringtheprotocol,wemust
addsomemechanismsin orderto maintainthesecurityandthecorrectnessof
Inallcases,weconsidergeneraladversaryandaccessstructuresinthesetof
servers,notonlythethresholdones. Thatis,thosesubsetsofdishonestservers
tolerated bythe systemaswell asthose subsetsof serversthat can provide a
validkeytoauserarenotnecessarilydenedaccordingtotheircardinality. This
generalframeworkmodelizessituationsinwhichserversdonothaveallthesame
powerorthe samesusceptibilityto becorrupted. Westatethe combinatorial
conditions that these structures must satisfy if we want our schemes to run
securely.
Organizationofthepaper. InSection2wereviewsomecryptographictools
thatwewillneedthroughouttherestofthepaper,suchasElGamalencryption
orbasicsonzero-knowledgeproofs,andwealsopresentthemodelofdistributed
keydistributionschemesdescribedin[16]. InSection3weexplainsecretsharing
schemes for general access structures, and how they can be used by a set of
participantstojointlygeneratearandomsecretsharedvalue. InSection4we
proposeanewmodelinordertominimizeusers'computationsandwepropose
a distributed key distribution scheme for this model, computationally secure
againstbothpassiveandactiveadversaries. Wegiveanexplicitconstructionfor
thepassivecase,basedonthehomomorphicpropertiesofElGamalencryption
scheme. Then, weintroduceallthetechniquesthat weusein orderto provide
robustnessfor theactivecaseto ourproposal. Allourresultsconsider general
structures,notonlythresholdones. Finally,inSection 5weconcludethework
summarizingourcontributionand futureresearch.
2 Preliminaries
In this section we describe some cryptographictools that we will need later
on. Wewill alsoexplainthemodelof computationallysecureDistributedKey
DistributionSchemesintroducedin [16].
2.1 ElGamal Encryption
In [12], ElGamal proposed a public-key probabilistic encryption scheme. We
explainhereanspecicversionofthisscheme,butitcanbegeneralizedtowork
inanynite cyclicgroup(see[15],Section 8.4.2,forexample).
Thepublicparametersoftheschemearetwolargeprimespandq,suchthat
qjp 1, and a generatorg of the multiplicative subgroupof Z
p
with order q.
EveryuserU generatesbothhispublicandprivatekeysbychoosingarandom
element x 2 Z
q
and computing y = g x
modp. The public key of user U is
(p;q;g;y)andhis privatekeyisx.
If a user wants to encrypt a message m 2 Z
p
for user U, he chooses a
randomelement2Z
q
,andcomputesr=g
modpands=my
modp. The
ciphertextofmessagemthat issenttouserU isc=(r;s).
m = sr x
modp
The semantic securityof ElGamal cryptosystemis equivalentto the
Deci-sionalDiÆe-HellmanAssumption[11]. Oneofthemost usefulfeatures ofthis
encryptionschemesisits homomorphic property: ifc
i =(r
i ;s
i
)isaciphertext
correspondingtotheplaintextm
i
,fori=1;2thenc=(r
1 r
2 ;s
1 s
2
)isa
cipher-textcorrespondingto plaintextm=m
1 m
2
. This propertyis theone weneed
fortheencryptionschemethatwewillusein ourproposalofanewdistributed
andcomputationallysecurekeydistributionscheme.
2.2 Zero-Knowledge Proofs of Knowledge
Azero-knowledgeproofofknowledgeallowsaprovertodemonstrateknowledge
ofasecretwhile revealingno informationaboutit to theverierof theproof,
otherthan thementionedknowledgeand what theverierwasabletodeduce
priortotheprotocolrun. Zero-knowledgeprotocolsareexamplesofinteractive
proof systems, in which a prover and a verier exchange multiple messages,
typicallydependenton randomnumberswhichtheymaykeepsecret. Inthese
systems, there are securityrequirements for boththe prover and the verier:
fortheprover,securitymeansthattheprotocolshouldbezero-knowledge,that
is,theveriergainsnoinformationonthesecret;fortheverier,itmeansthat
theprotocol should beaproofof knowledge: completeandsound. Intuitively,
thesetwoconditionsmeanthat,withoverwhelmingprobability,ahonestverier
acceptsaproofifandonlyiftheproverisalsohonest. See[15], Section10.4.1,
foracomprehensivedenitionoftheseconcepts.
Interactiveproofsystemscanbetransformedintonon-interactiveprotocols,
followingthetechniquesandideasof[14]and[19]. Thesecurityofsuch a
non-interactivesystem is argued by showing that the plain interactiveprotocol is
secureandthenreplacingtheverierwithacollisionresistantandrandomhash
function;thisapproachhasbeenformalizedastherandomoraclemodel[2].
In thecontextof this paper, we are specially interested in zero-knowledge
proofsof the validityof statementsaboutdiscrete logarithms. This topic has
beendeeplystudiedinworkssuchas[8,9]. Wewillusenotationintroducedby
CamenischandStadler[9]: forinstance,thestatement
PK f(;): A=g
1 g
2
^ B=g
3 g
denotesazero-knowledgeproofof knowledgeofvaluesand suchthat A=
g
1 g
2
and B = g
3
. By convention, Greek letters (;;:::) denote quantities
whoseknowledge isbeingproved, whileallotherparametersareknownto the
verier(inthiscase,thevaluesA;B;g
1 ;g
2 ;g
3 ).
2.3 PreviousComputationalDistributedKeyDistribution
Schemes
In[16]itwasintroducedthenotionofDistributedKeyDistributionSchemesin
1 n
usersU = fU
1 ;:::;U
m
g(they also referredto them asclients). Each userU
hasprivatecommunicationwithatleast tservers. LetC 2 U
afamilyofsets
ofusers,theconferences,whowantto communicatesecurelyamong them.
Initialization: Each server S
i
receives a share
i
of some random secret
, sharedamong the serversby meansof Shamir secretsharing scheme. The
generation of these values can be performed by either a central authority or
jointlybyagroupofservers.
Regular Operation: ifauserU in aconferenceC 2C needsthekeyofthis
conference,heproceeds asfollows:
HecontactstserversS
1 ;:::;S
t
andasksthemforthekeyoftheconference
C. EachconferenceC isrelatedtoapublicvalueh
C .
EachserverS
i
,fori=1;:::;t,veriesthattheuserisallowedtoaskfor
that keyand, if so,computesthevalueh
i
C
andsends itto him through
theirprivatechannel.
Afterreceivingtheinformationfromtheservers,theuserisableto
com-putetheconferencekey
C
asfollows:
C =h
C =
Q
t
i=1 (h
i
C )
i
,where
i
aretheLagrangeinterpolationcoeÆcients.
3 Secret Sharing Schemes and Distributed
Gen-eration of a Random Secret Shared Value
Inasecret sharing scheme,adealerdistributes sharesof asecretvalueamong
aset of playersP =fP
1 ;:::;P
n
gin such away that only authorizedsubsets
of players (those in the called access structure) can recover the secret value
from theirshares, whereasnon-authorized subsetsdo notobtainany
informa-tion about the secret. The access structure is usually noted . It must be
monotoneincreasing, i.e. anysubsetcontainingan authorizedsubsetwill also
beauthorized.
Secret sharingschemes were introduced independently by Shamir[21] and
Blakley[4]in 1979. Shamirproposed athreshold scheme,i.e. subsetsthat can
recoverthesecretarethosewithatleasttmembers(tisthethreshold). Other
works haveproposed schemesrealizingmoregeneralstructures, such asvector
space secretsharing schemes[7]. An accessstructure isrealizableby such a
scheme dened in anite eld Z
q
, for someprime q, if there exists apositive
integerr and afunction :P [fDg ! (Z
q )
r
such that W 2 if andonly
if (D)2h (P
i )i
Pi2W
. Here D denotes aspecial entity(real ornot), outside
the set P. If a dealer wants to distribute a secret value x 2 Z
q
, he takes a
randomelementv2(Z
q )
r
,suchthatv (D)=x. Theshare ofaparticipant
P
i
2P isx
i
=v (P
i )2Z
q
(D)= Pi2W W i (P i
), for some W
i 2Z
q
. Inorder to recoverthe secret,
theplayersofW compute
X Pi2W W i x i = X Pi2W W i v (P i ) = v
X Pi2W W i (P i
) = v (D) = x modq:
Simmons,JacksonandMartin[22]introducedlinearsecretsharingschemes,
thatcanbeseenasvectorspacesecretsharingschemesinwhicheachplayercan
beassociatedwithmorethanonevector. Theyprovedthatanyaccessstructure
canberealized byalinearsecretsharingscheme(in general,the construction
theyproposedresultsin anineÆcientsecretsharingscheme). Fromnowonin
ourwork,wewillconsideranypossibleaccessstructure ,sowewillknowthat
thereexistsalinearsecretsharingschemerealizingthisstructure. Forsimplicity,
however, we will suppose that this scheme is a vector space onedened by a
function overZ
q
. See [24]foracomprehensiveintroductiontosecretsharing
schemes.
In many protocols, it is interesting to avoid the presence of a dealer who
knowsall thesecret information ofthe system. Therole of the dealer canbe
distributedamong theplayers,aslongasthesecretischosenatrandom. This
distributed protocol must be protectedagainst thepresence of some coalition
ofplayerscorruptedbyanadversary. Themonotonedecreasingfamilyofthese
tolerated coalitions of corrupted servers is the adversary structure A. If the
adversaryispassive,theonlyrequiredconditionis \A=;,andthedistributed
generationofarandomsecretvaluecanbeperformedbyanyauthorizedsubset
A2 , asfollows:
Each playerP
i
2A chooses at randoma valuek
i 2Z
q
, and distributes
it among all players in P, using the corresponding vector space secret
sharing scheme. That is, P
i
chooses a random vector v
i 2 (Z q ) r such that v i
(D) = k
i
. Then P
i
sends to each player P
j
in P his share
k ij =v i (P j
). Thegeneratedrandomsecretwill bex= P
i2A k
i .
EachplayerP
j
2P computeshisshareofthesecretxasx
j = P i2A k ij .
In eect, suppose that an authorized subset of players W 2 wants to
recover the secret x. We know that there exist values f W j g j2W such that (D)= P j2W W j (P j
). ThenplayersinW canobtainthesecretxfromtheir
shares: X j2W W j x j = X j2W W j X i2A k ij = X j2W X i2A W j v i (P j )= X i2A v i X j2W W j (P j )= = X i2A v i (D)= X i2A k i =x
Wedenoteanexecutionofthisdistributedprotocol,inthepassiveadversary
scenario,withthefollowingexpression:
(x
1 ;:::;x
n )
(P; ;A)
protocols. Veriablesecretsharingschemeswereintroducedinordertotolerate
this kind of situations. The two most used veriable secret sharing schemes
arethe proposalsof Pedersen [18]and Feldman [13], which arebothbasedon
Shamir'ssecretsharingscheme. Whereasthesecurityofsecretsharingschemes
is unconditional, that is, subsets that are not in the access structure do not
obtainanyinformationaboutthesecret,independentlyoftheircomputational
capability,thesecurityofsomeveriablesecretsharingschemesisbasedonsome
computationalassumption; for instance, Feldman's scheme is secureassuming
thatthediscretelogarithmprobleminsomeniteeldis hard.
Now weexplain adistributed generation of arandom secret value, shared
among players in P according to the access structure , and secure against
the action of an activeadversary who can corrupt a subset of players in the
adversarystructureA. ItmustbeperformedbyasubsetRofplayerssatisfying
thatforallB2A,wehaveR B2 . Wedenoteby=( ;A)themonotone
increasingfamily formed bythose subsetsR . This familyis notempty ifand
onlyifA c
, where A c
=fP B jB 2Ag. Ineect, P 2if andonly if
forallB2AwehavethatP B2 ,andthisisequivalentto A c
.
Inthe thresholdcase, where =fW P : jWj tgand theadversary
structureisusuallytakenasA=fBP : jBj<tg,wehavethat=fR
P : jR j2t 1g. Thisfamilyisnotemptyifandonlyifn2t 1.
Theprotocolforgeneratingarandomsecretvalueinadistributedwaycan
beperformedbyasubsetR2asfollows:
Each playerP
i
2R chooses at random avaluek
i 2Z
q
, and distributes
it among all players in P, using the following (veriable) vector space
secret sharing scheme (it is ageneralization of the threshold scheme of
Feldman [13]). Letq andpbelargeprimessuchthatqjp 1. Let~gbea
generatorofamultiplicativesubgroupofZ
p
withorderq.
P
i
chooses a random vectorv
i = (v
(1)
i
;:::;v (r)
i
) 2 (Z
q )
r
such that v
i
(D)=k
i
. ThenP
i
sendstoeachplayerP
j
inP hissharek
ij =v
i (P
j ).
HealsomakespublicthecommitmentsV
i` =~g
v (`)
i
,for1`r.
Each player P
j
2 P veries the correctnessof his share k
ij
by checking
that
~ g k
ij
= r
Y
`=1 (V
i` )
(P
j )
(`)
Ifthischeckfails, P
j
makespublicacomplaintagainstP
i .
If player P
i
2 R receives complaints from players that form a subset
thatisnotinA,heisrejected. Otherwise,P
i
makespublicthesharesk
ij
correspondingtotheplayersthathavecomplainedagainsthim. Ifanyone
ofthesepublishedsharesdonotsatisfythepreviousvericationequation,
P
i
tionphase. Due to thedenition of thestructure ,wehavethat Qual
belongsto .
The generated random secretwill be x = P
i2Qual k
i
. Note that, since
Qual 2 , we have that Qual 2= A, and so any subset in A cannot
ob-tainthe secretx from theirinitial secretvalues k
i
. Each playerP
j 2 P
computeshisshareofthesecretx asx
j =
P
i2Qual k
ij .
Anauthorizedsubsetofplayerscouldobtainthevalueofxfromtheirshares
exactlyin thesamewayexplainedforthepassivecase.
Note that thevaluesD
j =~g
x
j
canbepublicly computed byall playersas
follows:
D
j =~g
P
i2Qual kij
= Y
i2Qual ~ g
kij
= Y
i2Qual r
Y
`=1 (V
i` )
(Pj) (`)
Wedenotetheoutputofthisprotocolwiththeexpression:
(x
1 ;:::;x
n )
(P; ;A)
! (x;~g;fD
j g
1jn )
4 Our Computational Secure Distributed Key
Distribution Scheme
In[16] a construction basedon the decisional DiÆe-Hellman assumption was
presented. However,this proposal requires auserto computeO(t)
exponenti-ationsinorder toobtainakey(wheretistheminimumnumberofserversthe
usermustcontactwith)whereasaservershouldcomputeonlyasingle
exponen-tiationinordertohelpauser. Thismaynotcorrespondtorealsituations,where
it is possible to takeprot of the computational powerof theservers. Thus,
weareinterestedin aschememinimizing thecomputationaleortoftheuser.
Next wewill set upthe new model of computationally secure distributed key
distributionschemethatwewillusefrom nowon. Afterwards,wewillpresent
an explicitconstruction based on ElGamal encryption. We will take into
ac-countbothpassiveandactiveadversaries. Whenwedescribetheprotocol,rst,
wewill consider apassiveadversary, andlater on,wewill note which changes
shouldbemadeintheprotocoltoprovidesecurityagainstanactiveadversary.
4.1 Setting up the model
Let U = fU
1 ;:::;U
m
g be a set of m users and S = fS
1 ;:::;S
n
g a set of n
servers. Let 2 S
beageneralmonotoneincreasingaccessstructure, formed
bythosesubsetsofserversthatareallowedtorecoverasecretfromtheirshares;
andletA2 S
beageneralmonotonedecreasingadversarystructure, formed
bythose subsetsofdishonestserversthat thesystemisabletotolerate. These
twostructuresmustsatisfyA\ =;. Forsimplicity,weassumethattheaccess
thereexist apositiveintegerrandafunction :S[fDg !(Z
q
) suchthat
A2 ifandonlyif (D)2h (S
i )i
S
i 2A
.
Let C 2 U
be a family of sets of users (conferences). Every user in a
conferenceneedsto knowtheconferencekeyin ordertocommunicatesecurely
with other members of the conference. Let R 2 S
be the family of sets of
serversthat a user must contact with in order to obtain the conference key.
ThisfamilyRmustbemonotoneincreasing,andwillbedierentdependingon
thekind of adversary(passiveoractive) that weconsider. We saythat aset
ofserversinRis robust. Wedivide adistributed keydistributionschemeinto
threedierentphases:
InitializationPhase. Weassumethattheinitializationphaseisperformedby
arobustsubsetofservers,thatjointlyperformsthegenerationofsharesf
i g
i2S
of a random value, realizing the access structure , by using the protocols
explainedin Section3. Eachserverhasashare
i
ofandanysetthatis not
in canobtainnoinformationofthisrandomsecretvalue.
Key Request and Computational Phase. A userU
j
in aconferenceC 2
C contacts with a robust subset of servers A 2 R asking for the key of the
conferenceC,whichwewillcall
C
. EveryserverS
i
2Achecksformembership
ofU
j
in C. Ifhe belongs to, serverS
i
computesashareof theconferencekey
using
i
and a value related with the conference C. Afterwards, server S
i
encrypts his shareof the keyby meansof asuitablehomomorphic encryption
scheme withthe public key of userU
j
. Thecontacted groupof serversA, by
usinghomomorphicpropertiesoftheusedcryptosystem,isabletocomputean
encryption ofthe conferencekey
C
from theencryptions of theshares of the
key.
Key Delivery Phase. Either a single server in A or the whole set A
(de-pendingonthebehavioroftheadversary,passiveoractive,respectively)sends
the computed result to user U
j
throughan authenticated channel. Using his
privatekey,theuserwillbeableto decryptthismessageobtainingin thisway
theconferencekey.
4.2 Our Proposal for the Passive Adversary Case
NowweproposeamethodtoconstructaDistributedKeyDistributionScheme
computationallysecure against apassive adversarywho corrupts serverson a
subsetin A, followingthe model introduced in Section 4.1. We use ElGamal
cryptosystem[12], andtakeprotfromitshomomorphicproperties.
Wehaveanaccessstructure ,suchthatthecondition \A=;holds. In
thispassivecase,wehavethatthefamilyofrobustsubsetsisR= . Letpand
q be two largeprimes such that qjp 1. Let H be ahash function (collision
andpre-imageresistant)that inputsaconferencein C andoutputsanelement
in Z
p
. We assume that each user U
j
has a public ElGamal key (p;q;g;y
j )
correspondingtoaprivatekeyx
j 2Z
q
; that is,y
j =g
x
j
modp,whereg isan
elementwithorderqin Z
p
AsubsetinR= jointlyperformsthepassiveversionoftheprotocolinSection
3forthegenerationofarandomsharedsecret,whichresultsin
( 1 ;:::; n ) (S; ;A) ! where; i 2Z q arerandom.
Key Requestand Computational Phase
A user U
j
in aconference C 2 C asks for the conference key
C
to a robust
subset of servers A 2 R. These servers check the membership of the user
in the conference and perform the following distributed encryption protocol.
Note that A 2 R = is an authorized set of servers and we are assuming
thatthe accessstructure isrealizedby avectorspacesecretsharingscheme
dened bythefunction . Thus, there exist valuesf A i g Si2A in Z q such that (D)= P S i 2A A i (S i
)andso= P S i 2A A i i
modq(inthethresholdcase,
thesevaluesf A
i g
Si2A
wouldbetheLagrangeinterpolationcoeÆcients). Servers
inAproceedasfollows:
Each server S
i
2 A applies the hash function H to the conference C,
obtainingh
C
=H(C)2Z
p
. The conferencekeywill be
C =h C . Then each S i
2A encryptsthevalueh
i
C
modpusingtheElGamalpublickey
ofuserU
j
,whichis(p;q;g;y
j
). Thatis:
{ ServerS
i
choosesarandomelement
i 2Z
q .
{ Hecomputesr
i =g
i
modpands
i =h i C y i j modp.
{ ServerS
i
broadcaststheciphertextc
i =(r i ;s i ).
NoweachserverS
i
2Acanmputetheencryption(r;s)oftheconference
key C =(h C ) asfollows: r = Y S i 2A r A i i = (g) P S i 2A A i i modp s = Y Si2A s A i i = (h C ) P S i 2A A i i (y j ) P S i 2A A i i = h C (y j ) P S i 2A A i i modp
Sincetheelementsf
i g
S
i 2A
arerandom,wehavethattheelement P Si2A A i i
isalsorandom,andso(r;s)isavalidElGamalencryptionofthemessage
h
C
. Wealso notethat theresultingciphertext(r;s)doesnotdependon
theauthorizedsubsetA2 that hasbeenconsidered.
Key Delivery Phase
Theciphertextc=(r;s)issentbysomeserverS
i
2AtouserU
j
,whodecrypts
it(heistheonlyonewhocandothis)andobtainsautomaticallytheconference
NextwewillconsideranadversarywhocorruptsserversonasubsetinA,inan
activeway;thatis,thosecorruptedserversmaynotfollowtheprotocolproperly.
Thecondition \A =; is still necessary, of course. In this active scenario,
the family R of robust subsets of servers will be R = ( ;A) dened as in
Section3. NotethattheconditionA c
isnecessaryandsuÆcientinorderto
makesurethatthefamilyRisnotempty(again,thejusticationisexplained
inSection3).
Thefollowingchangesmustbeintroducedin eachoneofthephases:
InitializationPhase
Werequirearobustsubsetofserverstoperformthis phase. Theyjointly
gen-eratearandom sharedsecret, usingveriablesecretsharing(see Section3) to
detectcorruptedservers:
( 1 ;:::; n ) (S; ;A)
! (;g;~ fD
i g
1in )
where~g isanelementwithorder qinZ
p and D
i =g~
i
arethepublic
commit-mentsassociatedwiththeshares
i
'softhesecretvalue.
Note that although theadversarycorruptsatolerated set of servers,these
corrupted serverswill bedetected; theremaining serversof the robustsubset
willbelongto theaccess structure ,becauseofthedenitionofthefamilyR,
andtheywill abletonishtheprotocol correctly.
Key Requestand Computational Phase
Nowauser must askfor aconferencekey
C
to arobust subsetA of servers.
Afterthis,everyserverS
i
inAbroadcasts aciphertextc
i =(r
i ;s
i
)ofitsshare
h i
C
oftheconferencekeyasin thepassivecase.
We must dealwith the caseof corrupted serverswho want to boycott the
system,bybroadcastingaciphertext~c
i =(~r
i ;~s
i
)whichdoesnotcorrespondto
theplaintexth i
C .
Wewilldetectthesecorruptedserversifweimposethemtodoadetermined
proofofknowledge. Afterthejointgenerationof thesecretsharedvalue,all
serversknowpubliccommitmentsD
i =g
i
tothevalue
i
,for1in. Each
server,afterbroadcastingc
i =(r
i ;s
i
),mustprovethatheknowsvalues
i and
i
such that D
i = g i , r i = (g) i and s i =(h C ) i (y j ) i
. The rest of servers
will play the role of a verier in this non-interactiveproof of knowledge. So,
followingthenotationofSection 2.2,eachservermustperform:
PKf(
i ;
i ): D
i =g i ^ r i =g i ^ s i =(h C ) i (y j ) i g whereD i ;r i ;s i ;g;g
;h
C
;gareelementsknowntotheveriers. Wepresentnow
aprotocoltoachievethisnon-interactiveproofofknowledge;itissimilartothe
onethatappearsin[1],andusesstandardtechniquesintroducedbyCamenisch
[8], Stadler[23] and Camenisch and Stadler[9]. In the random oraclemodel,
TheproofPKf(;): A=g
1
^ B =g
2
^ C =g
3 g
4
gis asfollows: let
`kbetwosecurityparametersand ^
H :f0;1g
!f0;1g k
beahashfunction.
Theproverdoesthefollowing:
1. Generate2`numbersu
1 ;:::;u
` andv
1 ;:::;v
`
atrandomin Z
q
2. Compute,for1i`, thevaluest
i =g ui 1 , t 0 i =g vi 2 andt 00 i =g ui 3 g vi 4
3. Computec= ^
H(A;B;C ;g
1 ;g 2 ;g 3 ;g 4 ;t 1 ;:::;t
` ;t
0
1 ;:::;t
0
` ;t
00
1 ;:::;t
00
` )
4. Compute,for1i`
ifc[i]=0thenw
i =u i andw 0 i =v i
ifc[i]=1thenw
i =u i andw 0 i =v i
5. Theproofofknowledgeisthetuple(c;w
1 ;:::;w
` ;w
0
1 ;:::;w
0
` )
Theverieroftheproofmustdothefollowing:
1. Compute,for1i`
ifc[i]=0then ~ t i =g wi 1 , ~ t 0 i =g w 0 i 2 and ~ t 00 i =g wi 3 g w 0 i 4
ifc[i]=1then ~ t i =Ag w i 1 , ~ t 0 i =Bg w 0 i 2 and ~ t 00 i =Cg w i 3 g w 0 i 4
2. Computec 0
= ^
H(A;B;C ;g
1 ;g 2 ;g 3 ;g 4 ; ~ t 1 ;:::; ~ t ` ; ~ t 0 1 ;:::; ~ t 0 ` ; ~ t 00 1 ;:::; ~ t 00 ` )
3. Ifc 0
=c,thenaccepttheproof;otherwise,reject theproof.
Each serverS
i
veriesthe proofspublished by therest of servers,until he
obtainsacceptedpartial ciphertextsfrom asubset ofserversin . Noticethat
thissubsetin alwaysexists,becauseof thedenitionof thefamilyR. Then
S
i
canuse the correct valuesc
j =(r
j ;s
j
) corresponding to serversS
j in this
subsetin tocompute, exactlyin thesamewayaswehaveshownin Section
4.2,anencryption(r;s)oftheconferencekey
C =h
C
,usingthehomomorphic
propertiesofElGamalcryptosystem.
Key Delivery Phase
Eachserverin A sendstheencryption of theconferencekeyto userU
j . After
receivingthesemessages,userU
j
selectsfrom thewhole listof values,theone
which is sent by all the servers of a subset that is not in A. This implies
thatthereexistsatleastonehonestserverinthissubset(otherwise,thesubset
would be in A),and sothecorresponding ciphertextmust bethecorrect one.
U
j
decrypts itby meansof his private key,obtainingin this waythe required
Notethat,althoughElGamalcryptosystemisprobabilistic,allthehonestservers
obtainthesameciphertext(r;s)oftherequestedconferencekey,becauseofthe
deterministicwayinwhich theymustcalculatethisciphertextfromthe
proba-bilisticciphertexts(r
i ;s
i ).
Inthe caseof apassiveadversary,all serversfollow theprotocolcorrectly.
So,ausercouldaskasingleserverforthekeyinsteadofanentirerobustsubset.
Thisserverwillthencontactwitharobustsubset,andtheprotocolwillfollow
as we explain in Section 4.2. In the active case, this is not possible because
theusersdonotknowwhichserversarehonest,thustheycouldask wronglya
corruptedserver,whocouldboycotttheprotocol.
Thefact thatwedenoteasrobustthesubsetsofserversthat canprovidea
validconferencekeytoauserisnotaccidental. Wedenetheserobustsubsets
insuchawaythattheirmemberscanexecutetheprotocolcorrectlyevenifthey
containsomesubsetofplayerscorrupted bytheadversary. Roughlyspeaking,
thatisthedenitionofarobustdistributedprotocol,andforthisreasonweuse
theterminologyofrobustsubsets.
And last but notleast, note that in some way, the model wepropose can
be rewritten as aMulti-partyprotocol. Indeed, theprotocol in which servers
computeshares of theencryption of aconference keyfrom their shares of the
randomsecretvalue tsin aMulti-party framework. This couldbeused in
ordertoprovesecuritypropertiesoftheprotocol bymeansofusingtechniques
ofCanetti[10]toprovesecurityin Multi-partyprotocols.
5 Conclusion
Inthis paperwe introducea newmodel for distributing keysin a distributed
wayinthecomputationallysecureframework,andwedesignaprotocolrealizing
it. Thismodelminimizesthecomputationsthat everyuserhastocarryoutin
orderto obtainakey, and transmitsthem to theservers,which are supposed
to have more powerful computational resources. In order to t this protocol
intoarealorientedscenarioweintroducetechniquestoprovidesecurityagainst
both passive and active adversaries who can corrupt some groups of servers.
We consider general structures, not only threshold ones, for both subsets of
serversthat canprovidea valid key to auser and subsetsof servers that can
becorruptedbytheadversary. Wendthecombinatorialconditionsthatthese
structuresmustsatisfyifwewantourschemeto runsecurely.
In our model, we require secure and authenticated channels among the
serversonlyintheinitialization phase. Intherestofphases,serversonlyneed
an authenticated broadcastchannel among them. In the communication
be-tweenauser and a server,authenticated channels are needed, but notsecure
ones, because the information that servers send to users is encrypted. This
lastpointisanimprovementwithrespecttothemodelin [16],becausein that
proposalaswellasin[16]),ifthesecretsharingschemesthatserversusein the
initializationphasearepublicly veriable(see[23, 20] forthedetails). Theuse
ofthese schemes, however, reducesthe eÆciency of thedistributed generation
ofarandomsecretsharedvaluein Section3.
In the passive case, a user only needs to decrypt a value (basically, one
exponentiation)inordertoobtaintherequestedkey. Recallthatintheproposal
of [16] each user had to computeO(t) exponentiations to get thekey. In the
activecase,hemustinadditioncomparealistofvaluesanddetectthecorrect
ciphertext. Butthese operationsarealwaysnecessaryif weconsider anactive
adversary,becausetheusermustverifyin somewaywhichof theinformations
thathereceivescomefromacorruptedserverandare, therefore,incorrect.
Someinterestingquestionsarisefromthiswork: rstofall,itmustbedened
in a formal way all security requirements that must satisfy adistributed key
distributionschemeandprovethesecurityofourschemebasedonthissecurity
model. Maybe the strategy is to see these schemes as Multi-Partyprotocols,
andapplythesecurityresultsof Canetti[10]in thisscenario. Itwould bealso
interestingtocheckifothercryptosystemscouldtinwithourmodel,andifso,
tostudytheeÆciencyoftheconsequentschemes. Likewise,someothersecurity
requirementssuchas proactivityorresharingwouldbedesirable.
References
[1] G. Ateniese, D. Song and G. Tsudik. Quasi-eÆcient revocation in group
signatures.Proc.ofSixthInternationalFinancialCryptographyConference
(2002).
[2] M. Bellare and P. Rogaway. Random oracles are practical: a paradigm
for designingeÆcientprotocols.First ACM ConferenceonComputerand
CommunicationsSecurity p.62-73(1993).
[3] M. BellareandP. Rogaway.Provablysecure session keydistribution: the
threepartycase.Proc.27thAnnualSymposiumonthe Theoryof
Comput-ing, ACM,1995.
[4] G.R.Blakley.Safeguardingcryptographickeys.ProceedingsoftheNational
ComputerConference,AmericanFederationofInformation.Processing
So-cietiesProceedings48p. 313-317(1979).
[5] C. Blundo and P. D'Arco. Unconditionally secure
dis-tributed key distribution schemes. Preprint available at
http://www.dia.unisa.it/paodar.dir
[6] C. Blundo, P. D'Arco, V. Dazaand C. Padro.Bounds and constructions
forunconditionallysecuredistributedkeydistributionschemeswithgeneral
accessstructures.Proc.oftheInformationSecurityConference(ISC2001).
Combin.Comput.9p. 105-113(1989).
[8] J.Camenisch.Groupsignatureschemesandpaymentsystemsbasedonthe
discretelogarithmproblem.PhDthesis,ETHZurich.Diss.ETHNo.12520
(1998).
[9] J. Camenisch and M.Stadler. EÆcientgroupsignature schemes for large
groups. Advances in Cryptology: CRYPTO'97, LNCS 1294,
Springer-Verlag,p. 410-424(1997).
[10] R.Canetti. Security and composition of multi-party cryptographic
proto-cols. JournalofCryptology13(1)p. 143-202,(2000).
[11] W.DiÆeandM.E.Hellman.Newdirectionsincryptography.IEEETrans.
Inform. Theory,IT-22, 6p. 644-654(1976).
[12] T. ElGamal.Apublickeycryptosystemandasignatureschemebasedon
discretelogarithms.IEEETransactionsonInformationTheory 31p.
469-472(1985).
[13] P.Feldman.Apracticalschemefornon-interactiveveriablesecretsharing.
Proceedingsofthe28thIEEESymposiumontheFoundationsofComputer
Science. IEEEPress,p. 427-437(1987).
[14] A. Fiat andA. Shamir.Howto proveyourself: practicalsolutionto
iden-tication and signatureproblems. Advances in Cryptology: CRYPTO'86,
LNCS263,Springer,p.186-194(1987).
[15] A.J.Menezes,P.C.vanOorschotandS.A.Vanstone.HandbookofApplied
Cryptography.CRCPressInc.,BocaRaton(1997).
[16] M.Naor,B.PinkasandO.Reingold.Distributedpseudo-randomfunctions
andKDCs.AdvancesinCryptology: Eurocrypt'99,LNCS1592,
Springer-Verlag,p. 327-346(1999).
[17] R.M.NeedhamandM.D.Schroeder.Usingencryptionforauthentication
in largenetworks of computers. Communications of the ACM, vol. 21 p.
993-999(1978).
[18] T.P. Pedersen.Non-interactiveand information-theoreticsecureveriable
secretsharing.AdvancesinCryptology: CRYPTO'91,LNCS576,
Springer-Verlag,p. 129-140(1991).
[19] C. Schnorr. EÆcient identication and signatures for smart cards.
Ad-vancesinCryptology:CRYPTO'89,LNCS435,Springer-Verlag,p.239-252
(1989).
[20] B. Schoenmakers.A simplepublicly veriable secretsharing scheme and
itsapplicationstoelectronicvoting.AdvancesinCryptology: CRYPTO'99,
p.612-613(1979).
[22] G.J.Simmons,W.JacksonandK.Martin.Thegeometryofsecretsharing
schemes.Bulletin oftheICA 1p.71-88(1991).
[23] M.Stadler.Publiclyveriablesecretsharing.AdvancesinCryptology:
Eu-rocrypt'96,LNCS1070,Springer-Verlag,p.190-199(1996).
[24] D.R.Stinson. Cryptography: TheoryandPractice.CRCPressInc.,Boca