Multi Decryption Key Agreement in Dynamic Peer Group

Academic year: 2020

2017 2nd International Conference on Computer, Network Security and Communication Engineering (CNSCE 2017) ISBN: 978-1-60595-439-4

Jian ZHOU¹,² and Li-yan SUN¹

¹ School of Management Science and Engineer, Anhui University of Finance & Economics, Anhui, 233041, China

² Computer School, Beijing University of Post and Telecommunications, Beijing 100083, China

Keywords: Asymmetric group key agreement protocol, Multi decryption key protocol, Group communication, Distributed networks.

Abstract. Ever since multi decryption key agreement was first proposed in 2002, there have been efforts to extend its simplicity and elegance to group communication; it has some advantages in rekeying compared to symmetric key group key management schemes. Notable solutions have been proposed by OMGKM, AGKA and AKGM. In this paper, we consider a class of protocols that we call natural extensions of multi decryption key to the n-party case for distributed networks. Two novel and practical protocols are put forward and compared with the existing protocols; the proposed protocols are optimal with respect to protocol security and efficiency.

Introduction

In distributed systems or networks [1,2], there is no powerful entity to support the security strategy; every member plays the same role in security management. Since group key management [3] is the cornerstone of secure group communication [4], it has naturally received a lot of attention. According to the relationship between the encryption key and the decryption key, group key agreement can be categorized into symmetric group key agreement [5,6] and asymmetric group key agreement [7,8]. Recently, the asymmetric group key protocol [9,10] has been suggested based on threshold cryptography and bilinear pairing [11,12]: every member still contributes part of the key material to agree on a shared encryption key, but an independent decryption key is assigned to each of them [13], so one decryption key does not break other members' decryption keys and the decryption capability is not bound to the encryption capability. Asymmetric group key agreement protocols therefore have wide application prospects in group communication networks, such as deep space networks [14], delay tolerant networks [15] and opportunistic networks [16]. The main motivating factor is the increasing popularity of various types of group communication applications and the need to do it securely. In this paper we consider a class of protocols that we call "natural" extensions of the multi decryption key agreement. We define a generic protocol of this class and prove its security on the premise that the n-party decisional Diffie-Hellman problem is hard. Therefore, the result allows us to craft a number of protocols without having to be concerned about their individual security. In particular, we present three new protocols, each optimal with respect to certain aspects of protocol efficiency.

Generic n-Party DH Key Agreement Protocol

Notation

Table 1. Some Notations.

$n$: Number of participants in the protocol

$i, j, k$: Indices of group members (ranging from 1 to $n$)

$M_i$: The $i$-th group member; $i \in [1, n]$

$q$: Order of the algebraic group

$N_i$: Random exponent generated by group member $M_i$

$S, T$: Subsets of $\{N_1, \ldots, N_n\}$

$\sum \alpha_i$: Sum of all elements in a subset $\{a_i\}$

$\prod \alpha_i$: Product of all elements in a subset $\{a_i\}$

$K_n$: Group key shared among $n$ members.

Generic Protocol

Our proposed protocol is based on the DH protocol, so we review the 2-party DH protocol and the multi-party DH protocol. The 2-party multi encryption key is extended to n parties. In the 2-party case, all participants agree a priori on a cyclic group $G$ of order $q$ and a generator $\alpha$ of this group $G$. For each key exchange, each member $M_i$ randomly chooses a value $N_i \in G$. In the 2-party case, $M_i$ sends $\alpha^{N_i} \pmod p$ to $M_j$ and computes the common encryption key

$$PK = \{\alpha^{N_i N_j} \pmod p,\ \alpha^{N_i} \pmod p,\ \alpha^{N_j} \pmod p\}.$$

For appropriately chosen $G$ it is reasonable to assume that an adversary observing $(\alpha^{N_i} \pmod p,\ \alpha^{N_j} \pmod p)$ cannot distinguish $PK$ from a random value $y \in G$. All our protocols are based on distributively computing a subset of $\{\alpha^{\prod S} \mid S \subset \{N_1, \ldots, N_n\}\}$ from $\alpha^{\prod_{i=1}^{n} N_i}$; any member $M_i$ can easily compute the shared encryption key $PK = \{\alpha^{\prod S} \mid S \subset \{N_1, \ldots, N_n\}\}$.

Asymmetric Independence Group Key Agreement Protocol

AIKGA.1

The protocol depicted is quite simple and straightforward. It consists of two stages: up-flow and down-flow. The purpose of the up-flow is to collect contributions from all group members to construct a public encryption key. As shown in Figure 5, $M_i$ receives a collection of $\sum_{j=1}^{j=i} C_i^j - \sum_{j=1}^{j=i-1} C_{i-1}^j$ intermediate values. The task of each $M_i$ on the up-flow is to compute $\alpha^{\prod_{j=1}^{i} N_j}$ by raising $\alpha^{\prod_{j=1}^{i-1} N_j}$, the highest numbered incoming intermediate value, to the power of $N_i$, append it to the incoming flow and forward all to $M_{i+1}$. For example, $M_4$ receives the set

$$\{\alpha^{N_1}, \alpha^{N_2}, \alpha^{N_3}, \alpha^{N_1N_2}, \alpha^{N_1N_3}, \alpha^{N_2N_3}, \alpha^{N_1N_2N_3}\}$$

and forwards to $M_5$

$$\{\alpha^{N_1}, \alpha^{N_2}, \alpha^{N_3}, \alpha^{N_4}, \alpha^{N_1N_2}, \alpha^{N_1N_3}, \alpha^{N_1N_4}, \alpha^{N_2N_3}, \alpha^{N_2N_4}, \alpha^{N_3N_4}, \alpha^{N_1N_2N_3}, \alpha^{N_1N_2N_4}, \alpha^{N_1N_3N_4}, \alpha^{N_2N_3N_4}, \alpha^{N_1N_2N_3N_4}\}.$$

To summarize the up-flow stage, each group member $M_i$ performs $\sum_{j=1}^{j=i} C_i^j - \sum_{j=1}^{j=i-1} C_{i-1}^j$ exponentiations according to the order, and an up-flow message between $M_i$ and $M_{i+1}$ contains $\sum_{j=1}^{i+1} C_{i+1}^j - \sum_{j=1}^{i} C_i^j$ intermediate values.

The final transaction in the up-flow stage takes place when the highest-numbered group member receives the up-flow message and computes $\{S_i\}$, which is the intended group public encryption key $PK$:

$$PK = \begin{cases}
S_1 = \{\alpha^{N_1} \pmod p,\ \alpha^{N_2} \pmod p,\ \ldots,\ \alpha^{N_n} \pmod p\} \\
S_2 = \{\alpha^{N_1N_2} \pmod p,\ \alpha^{N_1N_3} \pmod p,\ \ldots,\ \alpha^{N_{n-1}N_n} \pmod p\} \\
S_3 = \{\alpha^{N_1N_2N_3} \pmod p,\ \alpha^{N_1N_2N_4} \pmod p,\ \ldots,\ \alpha^{N_{n-2}N_{n-1}N_n} \pmod p\} \\
\ldots \\
S_n = \{\alpha^{N_1N_2\ldots N_n} \pmod p\}
\end{cases}$$

After obtaining $\{S_i\}$, $M_n$ initiates the down-flow stage. In this final stage each $M_i$ performs $\sum_{i=1}^{i=N-1} C_{N-1}^i$ exponentiations. For example, assuming $n=4$, $M_3$ receives a down-flow message and computes

$$PK = \{\alpha^{N_1}, \alpha^{N_2}, \alpha^{N_3}, \alpha^{N_4}, \alpha^{N_1N_2}, \alpha^{N_1N_3}, \alpha^{N_1N_4}, \alpha^{N_2N_3}, \alpha^{N_2N_4}, \alpha^{N_3N_4}, \alpha^{N_1N_2N_3}, \alpha^{N_1N_2N_4}, \alpha^{N_1N_3N_4}, \alpha^{N_2N_3N_4}, \alpha^{N_1N_2N_3N_4}\};$$

then it selects part of the values, $\{\alpha^{N_1}, \alpha^{N_3}, \alpha^{N_4}, \alpha^{N_1N_3}, \alpha^{N_1N_4}, \alpha^{N_3N_4}, \alpha^{N_1N_3N_4}\}$, to send to $M_2$. (In general, the size of a down-flow message keeps unchanged on each link; a message between and includes $\sum_{i=1}^{i=N-1} C_{N-1}^i$ intermediate values.)


In summary, AIKGA.1 has the following characteristics:

Table 2. Key agreement AIKGA.1 cost.

Rounds: $2(n-1)$

Messages: $2(n-1)$

Up-flow message size: $\sum_{j=1}^{j=i} C_i^j \times size$

Down-flow message size: $\sum_{j=1}^{j=n-1} C_{n-1}^j \times size$

Exponentiations per $M_i$: $\sum_{j=1}^{j=i} C_i^j - \sum_{j=1}^{j=i-1} C_{i-1}^j + \sum_{i=1}^{i=N-1} C_{N-1}^i$

The main drawback is the relatively large number of rounds needed to establish a shared key; at the same time, the protocol imposes no special communication requirements, i.e., no broadcasting or synchronization is necessary.
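The up-flow and down-flow described above can be traced with a short simulation; this is an added example, not code from the paper. The modulus `P`, the base `ALPHA` and all function names are assumptions chosen for illustration, and subsets of exponents are tracked by member index.

```python
import secrets
from itertools import combinations
from math import prod

P = 2**127 - 1   # assumed toy prime modulus (not a parameter from the paper)
ALPHA = 3        # assumed base; the paper only asks for a generator of G

def up_flow(exponents):
    """Run the up-flow M_1 -> ... -> M_n.
    Returns (PK, received_sizes, exp_counts); PK maps index subsets to alpha^(prod N_j) mod p."""
    flow, received, exps = {}, [], []
    for i, n_i in enumerate(exponents, start=1):
        received.append(len(flow))                      # values M_i gets from M_{i-1}
        new = {s | {i}: pow(v, n_i, P) for s, v in flow.items()}
        new[frozenset({i})] = pow(ALPHA, n_i, P)        # M_i's own contribution
        exps.append(len(new))                           # one exponentiation per new value
        flow.update(new)                                # append, then forward to M_{i+1}
    return flow, received, exps

def down_flow_message(pk, i):
    """Values selected for M_i on the down-flow: entries whose subset excludes N_i."""
    return {s: v for s, v in pk.items() if i not in s}

def direct(exponents, subset):
    """Reference value alpha^(prod_{j in subset} N_j) mod p, computed with every secret known."""
    return pow(ALPHA, prod(exponents[j - 1] for j in subset), P)

def demo(n=4):
    exponents = [secrets.randbelow(P - 2) + 1 for _ in range(n)]
    pk, received, exps = up_flow(exponents)
    consistent = all(pk[frozenset(c)] == direct(exponents, c)
                     for k in range(1, n + 1)
                     for c in combinations(range(1, n + 1), k))
    return len(pk), received, exps, len(down_flow_message(pk, 2)), consistent

if __name__ == "__main__":
    # n = 4: M_4 receives 7 values, PK has 15 entries, M_2 is sent 7 values
    print(demo(4))
```

With `n = 5` the same run shows $M_5$ receiving the 15 values listed in the example above.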

AIKGA.2

In order to reduce the number of rounds in AIKGA.1, we modify the protocol. The up-flow stage is still used to collect contributions from all group members; the only change is that each now has to compose intermediate values and one cardinal value containing exponents.

For example, assuming $n=4$, $M_4$ receives a set $\{\alpha^{N_1}, \alpha^{N_2}, \alpha^{N_3}, \alpha^{N_1N_2}, \alpha^{N_1N_3}, \alpha^{N_2N_3}, \alpha^{N_1N_2N_3}\}$ and sends a set

$$\{\alpha^{N_1}, \alpha^{N_2}, \alpha^{N_3}, \alpha^{N_4}, \alpha^{N_1N_2}, \alpha^{N_1N_3}, \alpha^{N_1N_4}, \alpha^{N_2N_3}, \alpha^{N_2N_4}, \alpha^{N_3N_4}, \alpha^{N_1N_2N_3}, \alpha^{N_1N_2N_4}, \alpha^{N_1N_3N_4}, \alpha^{N_2N_3N_4}\}$$

to $M_1$, $M_2$ and $M_3$.

The cardinal value in this example is $\alpha^{N_1N_2N_3N_4}$. By the time the up-flow reaches $M_n$, the cardinal value becomes $\alpha^{N_1N_2N_3\ldots N_{n-1}}$; $M_n$ is thus the first group member to compute the encryption key $PK$. Also, as the first group member to compute the encryption key, $M_n$ computes the last batch of intermediate values.

In the second stage $M_n$ broadcasts the intermediate values to all group members.

AIKGA.2 has the following characteristics.

Table 3. Key agreement AIKGA.2 cost.

Rounds: $n$

Messages: $n$

Up-flow message size: $\sum_{j=1}^{j=i} C_i^j \times size$

Down-flow message size: $\sum_{j=1}^{j=n-1} C_n^j \times size$

Exponentiations per $M_i$: $\sum_{j=1}^{j=i} C_i^j - \sum_{j=1}^{j=i-1} C_{i-1}^j + 1$

In AIKGA.2, more so than in AIKGA.1, the highest-indexed group member $M_n$ plays a special role by having to broadcast the last round of intermediate values. The main advantage of AIKGA.2 is its low number of protocol rounds; AIKGA.2 rounds as opposed to almost twice as many in AIKGA.1.

AIKGA.3

In certain environments, it is desirable to minimize the amount of computation performed by each group member, and for every member to play the same role in agreeing on the shared key. Obviously, the member $M_n$ takes on more tasks than other members, so it attracts more attention from attackers.

There is a strict order among members in protocols AIKGA.1 and AIKGA.2; this sequential relation means the protocol cannot tolerate the failure of any member during the key agreement, and this defect makes the protocol applicable only to networks of small scale with stable channels.

In order to address these concerns we construct a protocol that is quite different from AIKGA.1/2. The protocol consists of $n$ stages. In every stage, every member computes a set of intermediate values with its secret value $N_i$, and broadcasts the intermediate value set to all other members.

In the first stage, each member broadcasts $\alpha^{N_i} \pmod p$ to all members. In the second stage, each member saves $\{\alpha^{N_i} \pmod p,\ i \in [1,n]\}$ and computes $\{\alpha^{N_iN_j} \pmod p,\ i,j \in [1,n],\ i \neq j\}$; $\{\alpha^{N_iN_j} \pmod p\}$ is broadcast to all members. In the third stage, each member saves $\{\alpha^{N_iN_j} \pmod p,\ i \in [1,n]\}$ and computes $\{\alpha^{N_{i_1}N_{i_2}N_{i_3}} \pmod p,\ i_1,i_2,i_3 \in [1,n],\ i_1 \neq i_2 \neq i_3\}$; $\{\alpha^{N_{i_1}N_{i_2}N_{i_3}} \pmod p\}$ is broadcast to all members. Following the same rule, in the final stage each member saves $\{\alpha^{\prod_{i=1}^{n-1} N_i} \pmod p\}$ and computes $\{\alpha^{\prod_{i=1}^{n} N_i} \pmod p\}$; these value sets are saved.
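The staged broadcast can be simulated to see how the level sets grow and how the work is spread over the members; this is an added example, not code from the paper. It assumes one reading of the stage rule, namely that in stage $k$ a member raises each saved $(k-1)$-subset value that does not yet contain its own exponent, and `P`, `ALPHA` and `run_stages` are illustrative names.

```python
P = 2**127 - 1   # assumed toy prime modulus (not a parameter from the paper)
ALPHA = 3        # assumed base

def run_stages(exponents):
    """Simulate the n broadcast stages.
    Returns (levels, work): levels[k-1] maps each k-subset of member indices to
    alpha^(prod N_j) mod p, and work[i] counts the exponentiations done by M_i."""
    n = len(exponents)
    # Stage 1: every member broadcasts alpha^{N_i}.
    levels = [{frozenset({i}): pow(ALPHA, x, P) for i, x in enumerate(exponents, 1)}]
    work = {i: 1 for i in range(1, n + 1)}
    for _ in range(2, n + 1):
        saved, broadcast = levels[-1], {}
        for i, x in enumerate(exponents, 1):             # each member acts in every stage
            for subset, value in saved.items():
                if i in subset:
                    continue                             # own exponent already included
                raised = pow(value, x, P)
                work[i] += 1
                # Several members reach the same subset; their results must agree.
                assert broadcast.setdefault(subset | {i}, raised) == raised
        levels.append(broadcast)
    return levels, work

if __name__ == "__main__":
    levels, work = run_stages([5, 7, 11, 13])            # constructed sample exponents
    print([len(level) for level in levels], work)
```

Under this reading every member performs the same number of exponentiations and no member has a special position in the exchange, which is the property the section sets out to obtain.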

AIKGA.3 has the following characteristics.

Table 4. Key agreement AIKGA.3 cost.

Round n

Message n

message size

1

n i

n

n

C ×size Exponentiations per Mi 1n i

n

C

Security Analysis

Obviously $\{P_i\}$ can be expressed by another set $\{S_i\}$; it is certain that $\{P_i\}$ can be cracked to get the decryption key if $\{S_i\}$ is cracked successfully.

$$\begin{aligned}
S_0 &= \alpha^{t} \bmod p \\
S_1 &= \{\alpha^{x_1} \bmod p,\ \alpha^{x_2} \bmod p,\ \ldots,\ \alpha^{x_n} \bmod p\} \\
S_2 &= \{\alpha^{x_1x_2} \bmod p,\ \alpha^{x_1x_3} \bmod p,\ \ldots,\ \alpha^{x_1x_n} \bmod p,\ \alpha^{x_2x_3} \bmod p,\ \ldots,\ \alpha^{x_{n-1}x_n} \bmod p\} \\
&\ldots \\
S_n &= \{\alpha^{x_1x_2\ldots x_i\ldots x_n} \bmod p\}
\end{aligned}$$

Since $p$ is a prime number, all non-zero elements of $Z_p$ have a multiplicative inverse modulo $p$, so $\alpha^{x x_i} = \alpha^{x_j x_i} \bmod p$ iff $x x_i = x_j x_i \bmod p$ iff $x = x_j \bmod p$. According to $S_1$ and $S_2$, the probability that an attacker derives any element of $\{x_i\}$ by selecting a random number $x$ is

$$P_r((S_1)^x = S_2) = \frac{C_n^1 - 1}{C_n^2} P_r(\alpha^{x x_i} \bmod p = \alpha^{x_i x_j} \bmod p) = (C_n^1 - 1) / (C_n^2 \times |G|)$$

When $|G| = \rho$, $p = N$ and $N \gg n$, we have $\rho = \Theta(2^N)$. So:

$$P_r((P_1)^x = P_2) = (C_n^1 - 1) / (C_n^2 \times |G|) = \frac{1}{n\rho} \le negl(N)$$

where $negl(n)$ is a negligible function. Similarly, assume that the attacker cracks any element of

1

(( )x )

r i i

P S =S 1 2 1 1 2 1

1

... ...

1

( j j ji mod j j ji j mod )

i

x x x x x x x x n

r i n C

P p p

C α α

− −

= = 1

1

j n j ρ

< ×

− + ≤negl N( )

Above all, no PPT attacker can get any useful information on the decryption key set $\{x_i\}$ from the public encryption key $\{P_i\}$.

Summary

In conclusion, we have defined a class of "natural" extensions of the multi encryption key protocol to n-party group communication. Three concrete group key distribution protocols are introduced; they have different computation cost, message cost and network load. Finally, the security of our proposed protocol is proved based on the decision DH hard problem. However, there remain some items for future work. Our protocols do not provide authentication for participants. Another issue to address is dynamic key operations for member joining, leaving and fusion. Finally, the performance should be further improved.

Acknowledgement

This work is supported by the National Science Foundation Project of P.R. China (No. 61402001) . Jian Zhou et al. are very grateful to the National Science Foundation of China (NSFC) for the support.

References

[1] Sloman M, Kramer J. Distributed systems and computer networks[J]. 1987:173-178.

[2] Janson P, Molva R. Security in open networks and distributed systems[J]. Computer Networks & Isdn Systems, 1991, 22(5):323-346.

[3] Harney H. Group key management protocol (GKMP) architecture[J]. RFC, 1997.

[4] Challal Y, Seba H. Group Key Management Protocols: A Novel Taxonomy[J]. International Journal of Information Technology, 2005(1).

[5] Burmester M, Desmedt Y. A secure and efficient conference key distribution system[C], The Workshop on Advances in Cryptology-Eurocrypt. DBLP, 1994:275-286.

[6] Steiner M, Tsudik G, Waidner M. Diffie-hellman key distribution extended to groups[C], in Proceedings of the 3rd ACM conference on Computer and communications security. 1996.

[7] Diffie W, Hellman M E. New directions in cryptography[J]. IEEE Transactions on Information Theory, 1976, 22(6):644-654.

[8] Bouassida M S, Chrisment I, Festor O. Group Key Management in MANETs[J]. International Journal of Network Security, 2008, 6(1).

[9] Qianhong W, Yi M, Willy S, Bo Q, Josep D F. Asymmetric Group Key Agreement[C], EUROCRYPT '09 Proceedings of the 28th Annual International Conference on Advances in Cryptology: the Theory and Applications of Cryptographic Techniques, 2009:153-170.

[10] Lei Z, Qianhong W, Bo Q, Josep D F. Asymmetric group key agreement protocol for open networks and its application to broadcast encryption[J], Computer Networks, 2011,65(15):3246-3255.

[12] Liao P, Hui X L, Qingqi P, Yi L. A Public Key Encryption Scheme with One-Encryption and Multi-Decryption[J], Chinese Journal Of Computers, 2012,35(5):1059-1067.

[13] Chiou G H, Chen W T. Secure Broadcast using Secure Lock [J]. IEEE Transactions on Software Engineering, August 1989, 15(8):929-934.

[14] Weber W J, Cesarone R J, Abraham D S, et al. Transforming the deep space network into the Interplanetary Network[J]. Acta Astronautica, 2006, 58(8):411-421.

[15] He C, Huang N N, Feng G. Network coding based routing scheme for resource constrained delay tolerate networks[C]// International Conference on Computational Problem-Solving. 2012:40-45.
