Computer Communications 33 (2010) 890–895
An efficient fault-tolerant group key agreement protocol

Jianjie Zhao a,*, Dawu Gu b, Yali Li a

a School of Information Security Engineering, Shanghai Jiao Tong University, Shanghai 200240, People's Republic of China
b Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai 200240, People's Republic of China
Article history: Received 15 May 2009; received in revised form 24 December 2009; accepted 5 January 2010; available online 13 January 2010.
Keywords: Cryptography; Group key agreement; Fault-tolerance; Security; Efficiency
Abstract

Group key agreement (GKA) is an important mechanism for establishing a session key used to encrypt and/or decrypt sensitive messages transmitted to an intended group of receivers in an open network. In this paper we propose an efficient group key agreement protocol capable of fault-tolerance, named efficient GKA (EGKA). EGKA is not only resistant to DoS attacks, replay attacks, man-in-the-middle attacks and common modulus attacks but also achieves forward secrecy. The efficiency analysis shows that EGKA is more efficient than the previous fault-tolerant GKA protocols mentioned in this paper. Moreover, the long-term keys of the participants can be reused, which reduces the computational burden of the server.
© 2010 Elsevier B.V. All rights reserved.
* Corresponding author. Tel.: +86 021 54745402. E-mail addresses: [email protected], [email protected] (J. Zhao).
doi:10.1016/j.comcom.2010.01.001

1. Introduction

In recent years, the advent of the network and related security techniques has made timely communication possible, for example in multimedia conferences, distributed simulations, multi-user games and replicated servers, even for people located at different places in the world. To prevent outsiders from obtaining conference content, which is sometimes confidential or sensitive, the general method is to encrypt messages with a key shared among the participants. Up until now, two kinds of protocols for generating a secure shared key have generally been used: group key distribution (GKD) [1–5] and group key agreement (GKA) [6–19]. In the former, a key distributor establishes a key and then securely distributes it to every participant. The advantages of GKD are simplicity and low computational and communication costs. It requires, however, a key distributor that must itself be a trusted third party (TTP). In contrast, a GKA protocol allows its participants to establish the session key themselves. This means that GKA requires neither a TTP in the agreement process nor a secure channel with which to distribute the key, and the participants need not trust each other, even though GKA is relatively complex and requires higher computational and communication costs than GKD. Our focus is an improved GKA protocol in terms of both efficiency and security.

There are a number of basic GKA protocols focused on security and efficiency, notably BD [6], STR [7,8], GDH [9] and TGDH [10]. However, all of these protocols simplify the security problem by assuming a passive adversary. To protect against active adversaries, authenticated versions of the above protocols were later constructed, e.g. [11–13]. On the other hand, simple GKA protocols do not exhibit the fault-tolerance property, that is, they cannot assure key creation if malicious participants disrupt the key agreement process. To overcome this drawback, fault-tolerant GKA protocols [10,20–24] were developed to assure that all malicious participants are excluded from the set of participants and that no honest participant is excluded. Tzeng [20] proposes a polynomial-based method to realize fault-tolerance which requires each participant to create n n-power polynomials, where n is the number of participants; this process results in massive computational cost. To solve this problem, Tseng [21] proposes a communication-efficient GKA protocol that enjoys fault-tolerance and forward secrecy with a constant message size and round efficiency. The most recent result is given by Huang et al. [22]: their protocol can filter out malicious participants at the beginning of the key agreement process and with lower computational cost than Tseng's.

In this paper, we propose a new fault-tolerant GKA protocol named efficient GKA (EGKA) with lower computational cost and average communication cost than all three fault-tolerant GKA protocols in [20–22]. In addition to its advantage in efficiency, EGKA enjoys the following key features:

Resistance to many types of attacks. We show that EGKA resists DoS attacks, replay attacks, man-in-the-middle attacks and common modulus attacks. In addition, EGKA exhibits the forward secrecy property: the leakage of a participant's long-term key does not compromise the security of the session keys established by that participant before the leakage occurred.
Fault-tolerance capability. The goal of fault-tolerance is to exclude malicious participants from the set of participants. This capability assures that the honest participants are able to acquire a session key even if several malicious participants try to disrupt the key establishment process.

Simple clustering-based framework for EGKA. In order to scale EGKA to a large-scale network, we construct a clustering-based framework for EGKA based on Hietalahti's protocol [25]. Following this construction, all members of the large-scale network are divided into clusters, and all the members in a cluster perform EGKA to get the cluster key. After this, all the cluster-heads perform AT-GDH [26] to get the group key. A detailed description can be found in Section 4.

Multi-use property. Every honest participant in EGKA can repeatedly use its long-term key, which reduces the computational burden of the server.

The remainder of this paper is organized as follows. The security goal of GKA protocols and some definitions used in this paper are described in Section 2. In Section 3 we propose our EGKA protocol. A simple clustering framework that helps EGKA operate in a large-scale network is provided in Section 4. In Section 5, we analyze the feasibility and security of the EGKA protocol; we also compare the computational and communication costs of Tzeng, Tseng, Huang et al. and EGKA in that section. Finally, we summarize our findings.
2. Preliminaries

In this section, we describe the basic security goal of GKA protocols and illustrate how the efficiency of EGKA is measured.

2.1. Security goal

Two types of adversaries can exist in any group key agreement protocol: passive and active. A passive adversary is not a legitimate participant and eavesdrops on the key agreement process. An active adversary is a malicious participant that aims to disrupt a session's data exchange, inject unauthenticated or bogus traffic, block a session process, masquerade as another participant in order to join the session, or initiate and operate a bogus session. Broadly speaking, the security goal of a GKA protocol is to protect the privacy, integrity, availability and authenticity of the key agreement process. In more specific terms, a secure protocol should be able to resist DoS attacks, replay attacks, man-in-the-middle attacks and forgery attacks, and to achieve forward secrecy. The following two sets of criteria are used to evaluate the security and efficiency of our EGKA protocol (Section 5).

2.2. General security indicators

Three general security indicators have been chosen for EGKA.

1. Forward secrecy. Informally, the forward secrecy property means that the compromise of a long-term key cannot result in the compromise of a previously established conference key. This property is included in many key agreement protocols and standards [13,17,21,27,28].
2. Fault-tolerance. The aim of the fault-tolerance property is to exclude any malicious participants from the set of participants. That means that all the honest participants following the protocol are still able to compute the conference key even if several malicious participants try to disrupt the establishment process.
3. Resistance to common modulus attack. This attack occurs when the RSA cryptosystem is used improperly. For instance, let $N = pq$ be the product of two large primes, and let $s, f$ be two integers satisfying $sf \equiv 1 \pmod{\varphi(N)}$, where $\varphi(N) = (p-1)(q-1)$. In some practical applications, to avoid generating a different modulus $N_i = p_i q_i$ for each participant $U_i$ in $U = \{U_1, U_2, \ldots, U_n\}$, the server wishes to fix $N$ once and for all, so the same $N$ is used by all participants. A server could provide participant $U_i$ with a unique pair $(s_i, f_i)$ and $U_j$ with $(s_j, f_j)$. A malicious participant $U_i$ can use its pair $(s_i, f_i)$ to factorize $N$; once it knows $N = pq$ it can compute $\varphi(N)$ and obtain $f_j$ using $s_j$. This observation shows that an RSA modulus should never be used by more than one participant.

2.3. Communication cost

We measure the communication cost of a group key agreement protocol by the following standards. Consult [13] for complete details.

1. Round complexity. The number of rounds before the protocol terminates.
2. Message complexity. The maximum number of messages sent by each participant. We consider the message complexity in both the point-to-point and broadcast models. In the point-to-point model each message sent to a different participant is counted separately, while in the broadcast model we assume that sending the same message to multiple parties incurs the same cost as sending that message to a single participant. We stress, however, that our defined broadcast model is used only for wireless networks; in wired environments, a message broadcast to multiple parties should be counted independently.
3. Message size. The maximum number of bits communicated by any single participant. For example, if participant $\tilde{U}_i$ broadcasts the message $(\tilde{A}, \tilde{B})$ ($\tilde{A}, \tilde{B} \in \tilde{G}$, where $\tilde{G}$ is the cyclic group with order $\tilde{q}$), then the message size is $2|\tilde{q}|$.

3. The proposed protocol: EGKA

The proposed protocol is composed of five phases: registration, sub-key distribution and commitment, sub-key recovery and verification, fault detection and session key computation. We assume that our protocol runs in a static network, i.e., group membership is determined in advance and all members have been authorized to participate in group communication prior to execution. We first introduce the notation that will be used throughout the paper.

$U = \{U_1, U_2, \ldots, U_n\}$: the initial set of participants that want to generate a session key. Each $U_i$, $1 \le i \le n$, knows the set $U$;
$S$: the trusted server, which helps each participant $U_i$ to register in the registration phase;
$ID_i$: identity of the participant $U_i$;
$h(M)$: collision-free one-way hash function applied to message $M$;
$T_i$: system clock time of $U_i$, used to detect a delay;
$K_i$: sub-key of $U_i$, which will be transmitted to the other participants for session key computation;
$\|$: concatenation operator, which combines two values into one. For example, for eight-bit values $a$ and $b$, the result of $(a \| b)$ is a 16-bit value;
$v_{ji}$: the result of $U_j$'s judgement of $U_i$'s honesty;
$SK$: session key of the protocol.
3.1. Registration phase

All the participants must register with the trusted server to become legal participants before the session key agreement. Taking $U_i$ as an example, $S$ performs the following operations:

1. Randomly select two large primes, $p_i$ and $q_i$, and compute $N_i = p_i q_i$. Both $p_i$ and $q_i$ should satisfy the same properties as the two primes used in the RSA cryptosystem, which prevents others from factoring $N_i$ efficiently;
2. Randomly select an integer $s_i$ from the interval $[2, N_i]$ as $U_i$'s secret key and compute $f_i$ such that $s_i f_i \equiv 1 \pmod{\varphi(N_i)}$, where $\varphi(N_i)$ is the Euler phi-function and $s_i$, $\varphi(N_i)$ should be coprime. For the security of the proposed scheme, the server should ensure that $s_i \neq s_j$ for all $U_i \neq U_j$;
3. Use some kind of secure out-of-band channel (e.g., e-mail) to deliver $s_i$ to $U_i$;
4. Publish the values $\{f_i, N_i\}$.

3.2. Sub-key distribution and commitment phase

Without loss of generality, the initiator starts the protocol by initializing $U = \{U_1, U_2, \ldots, U_n\}$. To keep its ephemeral sub-key $K_i$ from leaking while distributing it to the other participants, $U_i$ executes the following steps:

1. Compute $R_i = (K_i)^{s_i} \bmod N_i$;
2. Compute $I_{ij} = (R_i \| ID_i)^{f_j} \bmod N_j$ for every $U_j$ ($i \neq j$), and $h_i = h(K_i \| T_i)$;
3. Publish $M_i = \{T_i, h_i, I_{i1}, \ldots, I_{i(i-1)}, I_{i(i+1)}, \ldots, I_{in}\}$.

3.3. Sub-key recovery and verification phase

After receiving $M_i$ from $U_i$, each participant $U_j$ ($j \neq i$) does the following:

1. Check whether or not $T_i$ is within a reasonable scope. If it is, $U_j$ runs the following steps; otherwise, $U_j$ claims that $U_i$ is faulty;
2. Compute $R'_i \| ID_i = (I_{ij})^{s_j} \bmod N_j$, read $R'_i$ and $ID_i$, then use the corresponding $f_i$ to recover $K'_i = (R'_i)^{f_i} \bmod N_i$;
3. Compute $h'_i = h(K'_i \| T_i)$ and verify the equation $h'_i = h_i$. If the equation is satisfied, broadcast $v_{ji} = \text{success}$; otherwise, broadcast $v_{ji} = \text{failure}$.

In a word, after the sub-key recovery and verification phase is completed, there are three possible results:

1. $v_{ji} = \text{success}$. This means that all the participants are honest, so all the participants execute the session key computation phase directly;
2. $v_{ji} = \text{failure}$ and $U_i$ is the real malicious participant;
3. $v_{ji} = \text{failure}$ and $U_j$ is the malicious participant. In this case, $U_j$ tries to cheat the honest participants into excluding the honest participant $U_i$.

If $v_{ji} = \text{failure}$, the participants execute the following phase.

3.4. Fault detection phase

The purpose of this phase is to detect the real adversary using the following procedure:

1. On receiving $v_{ji} = \text{failure}$, each participant waits for the fault detection message $R_i$ and $K_i$ from $U_i$. If no one receives the message from $U_i$ within a valid period, set $U_i$ as a malicious participant;
2. On receiving $R_i$ and $K_i$ from $U_i$, each participant $U_k$ ($k \neq i$) executes the following procedure to detect the fault:
(1) Compute $(R_i \| ID_i)^{f_k} \bmod N_k$ and verify $(R_i \| ID_i)^{f_k} \equiv I_{ik} \pmod{N_k}$. Since $U_i$ is the only one that knows the secret key $s_i$ and can compute the correct $I_{ik}$, if $(R_i \| ID_i)^{f_k} \not\equiv I_{ik} \pmod{N_k}$ then $U_i$ must be the malicious participant;
(2) Compute $h''_i = h(K_i \| T_i)$ and compare it with $h_i$ in $M_i$.
If all the equations in (1) and (2) are satisfied, set $U_j$ as a malicious participant; otherwise, set $U_i$ as a malicious participant.
3. The other participants remove all the malicious participants from $U$ and restart the protocol.

3.5. Session key computation phase

Once the malicious participants are excluded from $U$, without loss of generality, each honest member of the set $U' = \{U'_1, U'_2, \ldots, U'_m\}$ calculates the conference key

$SK = K'_1 + K'_2 + \cdots + K'_m.$

After $U_i$ (any honest participant) obtains the conference key $SK$, it destroys its ephemeral sub-key $K_i$.

4. Scalability of EGKA

Beyond fulfilling the basic key establishment, the efficiency of a GKA protocol should scale well so as to remain practical even when the number of participants is large. In a large-scale network, it is difficult to manage the key agreement process if all the members participate in creating a common key. One method to solve this problem is to build a hierarchical topology. At each level, all members are divided into clusters. Clusters are supposed to have more stable internal connections due to the large number of links between members of the same cluster, and clustering may bring the necessary scalability into key establishment in very large networks. Protocols that rely on the clustering method are [25,29–31]. These recent works consider different cluster sizes and are based on either two-party agreements or other GKA protocols. A very recent work by Hietalahti [25] provides a solution that uses the BD protocol [6] within each cluster and then invokes the AT-GDH protocol [26] by employing a spanning tree of members. As far as we know, Hietalahti's work is an efficient approach to realizing key agreement in a large-scale network.

In this section, we present a simple framework that helps EGKA handle a large network. Our framework is based on Hietalahti's work and the EGKA protocol. While the group key is being established, the large network maintains a hierarchical topology in which the elected cluster-heads at a lower level become members of the next higher level. The goal of placement clustering is to efficiently establish cluster keys. Once the hierarchical structure of the network has been constructed, we apply the key agreement protocol to establish the group key. We outline our approach as follows:

1. Members in the network construct a hierarchical structure with a clustering mechanism;
2. In each cluster, the members run our EGKA protocol to establish a cluster secret key. Once each cluster has a common secret key, a certain member of each cluster is elected as the cluster-head to execute step 3. The election of cluster-heads has been the topic of many papers [32,33];
3. Cluster-heads represent their respective clusters and use the cluster keys to establish a group key with the other cluster-heads by the AT-GDH protocol (readers can find a description of this protocol in Appendix A). After the AT-GDH protocol run, each cluster-head broadcasts the last received message in its cluster so that the other members can calculate the group key.

Suppose there are $c$ clusters and each cluster contains $n$ members. The number of modular exponentiations in the EGKA protocol is $O(n)$ (see footnote 1) and in AT-GDH (among the cluster-heads) $O(c \log c)$. The total number of modular exponentiations is $O(n) + O(c \log c)$. According to the complexity-theoretic analysis in [25], this framework is efficient when the number of clusters is large.

5. Discussion

In this section, we first show how an honest participant recovers the sub-key of another honest participant (feasibility analysis). Then we show that EGKA is secure against existing attacks (security analysis). Besides being secure, a good GKA protocol should also be efficient; we compare the efficiency of EGKA with three fault-tolerant GKA protocols in Section 5.3.

5.1. Feasibility analysis

We analyze the feasibility of the recovery of the sub-key $K_i$ in Section 3.3. If all the parameters are correct, then using the public message $M_i$ of $U_i$, $U_j$ can recover $K_i$ of $U_i$ by computing $R'_i \| ID_i = (I_{ij})^{s_j} \bmod N_j$ and $K'_i = (R'_i)^{f_i} \bmod N_i = (K_i)^{s_i f_i} \bmod N_i = K_i$.

5.2. Security analysis

Prior to the security analysis, we assume that the server $S$ is trustworthy. This is a reasonable assumption because a participant only becomes legal after registering private information with the server. As described in Section 2, there are two types of attacks: passive and active. A passive attack aims to obtain secret information, such as the long-term key, sub-key or session key, by eavesdropping on the communication process without disrupting the participants. In contrast, an active attacker also aims to disrupt the participants in addition to seeking secret information. We present the possible attacks against EGKA and show that none of them can threaten its security.

5.2.1. Resistance to passive attacks

A passive adversary hopes to get the long-term key $s_i$ and/or $K_i$ of $U_i$ using passive attacks, but the following two-part analysis shows that the adversary cannot gain access to $s_i$ or $K_i$.

1. The adversary cannot derive the long-term key $s_i$. The adversary tries to derive the long-term key $s_i$ of $U_i$ from the public information $f_i$ and $R_i$. However, this is impossible. As we know, $s_i f_i \equiv 1 \pmod{\varphi(N_i)}$ and no participant can factorize $N_i$, so the adversary cannot obtain $s_i$ from this equation. In addition, $R_i = (K_i)^{s_i} \bmod N_i$; in the fault detection phase, if $U_i$ is declared faulty, $U_i$ has to distribute $R_i$ and $K_i$, and the adversary could use these two values and $N_i$ to derive $s_i$ from $R_i = (K_i)^{s_i} \bmod N_i$. This operation is a discrete logarithm computation, which is a hard problem: no polynomial-time algorithm is known.
2. The adversary cannot derive the sub-key $K_i$. Since $h_i = h(K_i \| T_i)$ and $h(\cdot)$ is a one-way function, this attack is invalid.
1 We will provide the detailed analysis of the computational cost in Section 5.3.
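The five phases of Section 3 run end to end, as an added example that is not the paper's code: a toy server registers each participant with its own small modulus, the participants distribute and recover sub-keys exactly as in Sections 3.2, 3.3 and 5.1, and the fault detection of Section 3.4 separates a participant whose commitment $h_i$ does not match its sub-key from one who falsely accuses an honest participant. Assumed, because the paper does not specify them: 16-bit toy primes, SHA-256 for $h$, a block-wise encoding of $R_i \| ID_i$ so that every textbook-RSA plaintext stays below the modulus, and one extra check in fault detection that the revealed $R_i$ actually opens to the revealed $K_i$.

```python
import hashlib, random
from math import gcd

BLOCK = 3  # bytes per RSA block: 2^24 < every toy N_j (all exceed 2^30), so textbook RSA round-trips

def small_prime(rng):
    """Random 16-bit prime by trial division (toy size, constructed for illustration only)."""
    while True:
        c = rng.randrange(1 << 15, 1 << 16) | 1
        if all(c % d for d in range(3, int(c ** 0.5) + 1, 2)):
            return c

class Server:
    """Registration phase (3.1): a distinct modulus N_i and key pair (s_i, f_i) per participant."""
    def __init__(self, seed=1):
        self.rng, self.public, self.used = random.Random(seed), {}, set()
    def register(self, i):
        p, q = small_prime(self.rng), small_prime(self.rng)
        while q == p:
            q = small_prime(self.rng)
        N, phi = p * q, (p - 1) * (q - 1)
        while True:
            s = self.rng.randrange(2, N)
            if gcd(s, phi) == 1 and s not in self.used:  # s_i coprime to phi(N_i) and never reused
                break
        self.used.add(s)
        self.public[i] = (pow(s, -1, phi), N)  # {f_i, N_i} is published; s_i goes out of band
        return s

def rsa_blocks(data, e, N):
    """x -> x^e mod N applied block-wise. The paper leaves the encoding of R_i || ID_i unspecified;
    splitting it into blocks smaller than N is our assumption."""
    return tuple(pow(int.from_bytes(data[k:k + BLOCK], 'big'), e, N)
                 for k in range(0, len(data), BLOCK))

def rsa_unblocks(blocks, d, N):
    return b''.join(pow(c, d, N).to_bytes(BLOCK, 'big') for c in blocks)

def encode(R, ident):  # R_i || ID_i as 4 + 1 bytes, zero-padded to two blocks
    return b'\x00' + R.to_bytes(4, 'big') + bytes([ident])

def decode(payload):
    return int.from_bytes(payload[1:5], 'big'), payload[5]

def h(K, T):  # h(K_i || T_i): the commitment to the sub-key
    return hashlib.sha256(f'{K}|{T}'.encode()).hexdigest()

def distribute(i, s_i, K_i, T_i, public):
    """Sub-key distribution and commitment (3.2). Returns M_i and R_i (kept for fault detection)."""
    R_i = pow(K_i, s_i, public[i][1])
    I = {j: rsa_blocks(encode(R_i, i), f_j, N_j) for j, (f_j, N_j) in public.items() if j != i}
    return {'T': T_i, 'h': h(K_i, T_i), 'I': I}, R_i

def recover_and_verify(j, s_j, i, M_i, public, now, window=60):
    """Sub-key recovery and verification (3.3) as run by U_j on M_i. Returns (verdict, K'_i)."""
    if abs(now - M_i['T']) > window:  # time stamp outside the accepted scope
        return 'failure', None
    R, ident = decode(rsa_unblocks(M_i['I'][j], s_j, public[j][1]))
    if ident != i:
        return 'failure', None
    f_i, N_i = public[ident]
    K = pow(R, f_i, N_i)  # K'_i = (R'_i)^{f_i} mod N_i = K_i^{s_i f_i} mod N_i
    return ('success' if h(K, M_i['T']) == M_i['h'] else 'failure'), K

def fault_detection(k, i, R_i, K_i, M_i, public):
    """Fault detection (3.4) by U_k on the (R_i, K_i) that U_i reveals. True: the evidence is
    consistent with M_i, so the accuser lied. False: U_i is the malicious participant."""
    (f_k, N_k), (f_i, N_i) = public[k], public[i]
    return (rsa_blocks(encode(R_i, i), f_k, N_k) == M_i['I'][k]  # check (1): R_i matches I_ik
            and h(K_i, M_i['T']) == M_i['h']  # check (2): K_i matches the commitment h_i
            and pow(R_i, f_i, N_i) == K_i)  # extra check we add: R_i really opens to K_i

def run_egka(n, seed=3, faulty_hash_by=None, false_accuser=None):
    """One EGKA run with n participants. faulty_hash_by=i makes U_i commit to a wrong h_i;
    false_accuser=j makes U_j broadcast failure against honest U_1. Returns (excluded, SK, subkeys)."""
    rng, srv = random.Random(seed), Server(seed)
    secrets = {i: srv.register(i) for i in range(1, n + 1)}
    public, T, now = srv.public, 1000, 1010
    subkeys = {i: rng.randrange(2, public[i][1]) for i in public}
    M, R = {}, {}
    for i in public:
        M[i], R[i] = distribute(i, secrets[i], subkeys[i], T, public)
    if faulty_hash_by:
        M[faulty_hash_by]['h'] = h(0, T)
    results = {(j, i): recover_and_verify(j, secrets[j], i, M[i], public, now)
               for i in public for j in public if j != i}
    if false_accuser:
        results[(false_accuser, 1)] = ('failure', None)
    excluded = set()
    for (j, i), (verdict, _) in results.items():
        if verdict == 'failure':  # U_i reveals (R_i, K_i); every other participant checks them
            consistent = all(fault_detection(k, i, R[i], subkeys[i], M[i], public)
                             for k in public if k != i)
            excluded.add(j if consistent else i)
    honest = [i for i in public if i not in excluded]
    viewer = honest[0]  # the paper restarts after exclusion; the toy sums what U_viewer recovered (3.5)
    SK = sum(subkeys[i] if i == viewer else results[(viewer, i)][1] for i in honest)
    return excluded, SK, subkeys
```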
5.2.2. Resistance to active attacks

EGKA resists five types of active attacks and has the forward secrecy capability.

1. Resistance to replay attack. The adversary attempts to resend the previous key agreement message $M_i$ of $U_i$, but this is impossible since $M_i$ contains the time stamp $T_i$; the other participants can verify the validity of $T_i$ by computing $h_i = h(K_i \| T_i)$.
2. Resistance to man-in-the-middle attack. We assume that an adversary (possibly a legitimate participant) holding two valid key pairs $(s^o_i, f^o_i)$ and $(s^o_j, f^o_j)$ wants to mount a man-in-the-middle attack. To achieve this goal, the adversary chooses $K^o_i$ and $K^o_j$ randomly and computes $I^o_{ij}$ and $I^o_{ji}$ using $(s^o_i, f^o_i)$ and $(s^o_j, f^o_j)$. Then it publishes $M^o_i = \{T_i, h_i, I_{i1}, \ldots, I^o_{ij}, \ldots, I_{in}\}$ and $M^o_j = \{T_j, h_j, I_{j1}, \ldots, I^o_{ji}, \ldots, I_{jn}\}$, where $I_{ij}$ and $I_{ji}$ are replaced by $I^o_{ij}$ and $I^o_{ji}$. In the sub-key recovery and verification phase, $U_j$ ($U_i$) computes $K'_i$ ($K'_j$) and $h'_i$ ($h'_j$) using the public value $f_i$ ($f_j$) to verify the equation $h'_i = h_i$ ($h'_j = h_j$). Since $f_i \neq f^o_i$ ($f_j \neq f^o_j$), the equation does not hold.
3. Resistance to forgery attack. To exclude an honest participant $U_j$ from the participant set, a malicious (legitimate) participant $U_i$ can send $v_{ij} = \text{failure}$. However, this fails because of the fault detection phase: $U_j$ sends $R_j$ and $K_j$ to the other participants and they will prove $U_j$'s honesty. Meanwhile, the malicious $U_i$ is excluded from the honest participants.
4. Resistance to DoS attack. An adversary aiming at a DoS-type effect can send incorrect values in the key agreement process to block the communication network. According to the protocol principle, each participant $U_i$ is allowed to publish messages at most three times. The first time is to broadcast the message $M_i$, and the second is $v_{ij}$. If someone else doubts its honesty, it broadcasts the fault detection messages $R_i$ and $K_i$. Therefore, according to the principle of EGKA, the adversary cannot mount the DoS attack.
5. Resistance to common modulus attack. In the registration phase of EGKA, the server $S$ chooses different security parameters for different participants; this principle avoids the "common modulus attack" introduced in Section 2.
6. Forward secrecy. This is another important security property that ensures damage confinement in the case of secrecy leakages, and a main motivation for the use of GKA protocols. To show that EGKA achieves forward secrecy, we consider an adversary that corrupts $U_i$ and finds the long-term key $s_i$; it can then compute $R_j \| ID_j = (I_{ji})^{s_i} \bmod N_i$ and $K_j = (R_j)^{f_j} \bmod N_j$ for $j \neq i$. If the adversary also obtained $K_i$, it could recover $SK$. However, the session key established by $U_i$ is guaranteed to remain secure since $U_i$ destroys its ephemeral sub-key $K_i$ after it obtains the conference key $SK$, and there is no other piece of public information from which to obtain $K_i$. In this way, EGKA achieves forward secrecy.

These security properties ensure the fault-tolerance of EGKA, meaning two capabilities:

1. A malicious participant $U_j$ that wants to cheat the honest participants into excluding an honest participant, in order to disrupt the establishment of a conference key, will itself be excluded.
2. No honest participant will be excluded from the set of participants.

Moreover, since the long-term keys of the participants need not be revealed, all the participants can use their own long-term keys repeatedly.
Table 1 Comparison of computational cost.

Item                                                         | Tzeng's protocol [20] | Tseng's protocol [21] | Huang et al.'s protocol [22] | EGKA
Registration phase                                           | n T_EXP               | n T_EXP               | n T_EXP                      | 0
Sub-key distribution phase (per participant)                 | (n+2) T_EXP           | (4n+1) T_EXP          | (n+2) T_EXP                  | n T_EXP
Sub-key computation and verification phase (per participant) | 4n T_EXP              | (5n−6) T_EXP          | 4n T_EXP                     | 2(n−1) T_EXP
Fault detection phase (per participant)                      | 5 T_EXP               | 0                     | 5 T_EXP                      | 1 T_EXP
Total (per participant)                                      | (5n+7) T_EXP          | (9n−5) T_EXP          | (5n+7) T_EXP                 | (3n−1) T_EXP
5.3. Efficiency analysis

Beyond the security of the system, the efficiency of the protocol has always been an important issue when designing GKA systems. From a conceptual perspective, we are interested in two major efficiency aspects: computational cost and communication cost (round complexity, message complexity and message size). In calculating the computational cost, we consider the cost of modular exponentiation, since it is the most costly computational operation. For the communication cost, we use the definitions described in Section 2.3. We compare EGKA with the GKA protocols described in [20–22]. These protocols were chosen for comparison because, like EGKA, they are fault-tolerant and PKI-based; both Tseng [21] and Huang [22] use time stamps for maintaining the freshness of messages. In addition, the definition of forward secrecy in Tseng and Huang is the same as ours. Although all of them were declared efficient, we see from Tables 1 and 2 that EGKA is more efficient than they are.

5.3.1. Computational cost analysis

Let $T_{EXP}$ denote the time for one modular exponentiation. As we can see from Table 1, EGKA requires only $(3n-1)$ modular exponentiations for each participant, which is less than Tzeng [20] $(5n+7)$, Tseng [21] $(9n-5)$ and Huang et al. [22] $(5n+7)$. In addition, the server of EGKA need not perform any modular exponentiation in the registration phase, while $n$ modular exponentiations are needed in the three other protocols.

5.3.2. Communication cost analysis

We measure the communication cost by the round complexity, message complexity and message size. Round complexity and message complexity are easy to calculate. In measuring the message size, we use $t$ to denote the size of a single group element. In Tzeng's protocol, each participant $U_i$ broadcasts $(x_{ij}, a_i, c_i, d_i)$ for $1 \le i, j \le n$; the message size is $(n+3)t$. In Tseng's protocol, $U_i$ broadcasts $(x_i, A_i, B_i)$ and $(z_i, a_i, b_i, d_i)$; the message size is $7t$. Similarly, the message sizes of Huang's protocol and EGKA are $(n+2)t$ and $(n+1)t$, respectively. The conclusion we would like to draw from this comparison is seen in Table 2. Compared with Tzeng [20] and Huang [22], EGKA has a similar message size and message complexity; EGKA's advantage is in computational cost. In addition, Tzeng's protocol does not possess forward secrecy, which leaves the protocol vulnerable to potential attacks. While Tseng's protocol [21] is efficient in message size, EGKA has a significant advantage regarding message complexity. Moreover, EGKA's computational cost is also lower than that of Tseng's protocol.
6. Conclusion

Fault-tolerance capability assures that the participants in a GKA protocol receive accurate information with which to establish a session, even if some malicious participants want to disrupt the establishment process of the session key. In this paper, we present a novel framework for a fault-tolerant group key agreement protocol named EGKA. Our approach is more efficient than the three other GKA protocols mentioned in our paper. Each participant can reuse its long-term key, which reduces the computational burden of the server. We should point out that EGKA does not provide the key confirmation property, that is, EGKA does not give one participant any assurance that the other participants completed the session or computed the session key. This drawback applies to any 2-round public-key-based protocol [34]. The lack of key confirmation assurance is not a threat to the privacy or authenticity of communications protected with the session key.

Some considerations deserve further study. First, although EGKA has an obvious advantage in computational cost, its communication cost is still similar to that of its rival protocols. We plan to investigate GKA protocols with the aim of lowering their communication cost. Second, in an ad hoc network where the membership is dynamic, a static group key agreement is not always enough: the secret key needs to be updated so that members cannot access data sent before they join the group or, similarly, data sent after they leave the group. Moreover, due to environmental factors, groups need to be merged or partitioned. Constructing GKA protocols suitable for dynamic ad hoc networks is another problem worthy of further study.

Acknowledgement

The authors are grateful to the editor and two anonymous reviewers for valuable suggestions which improved the paper. They would also like to thank Nicole Kwoh for helping them to improve the language of this paper. This work is supported by the 863 Hi-tech Research and Development Program of China (2006AA01Z405).

Appendix A. AT-GDH protocol

The AT-GDH protocol [26] was proposed in 2001. This protocol takes two rounds of broadcasts to calculate the common group key and does so by employing a spanning tree.
Table 2 Comparison of communication cost.

Item               | Tzeng's protocol [20] | Tseng's protocol [21] | Huang et al.'s protocol [22] | EGKA
Round complexity   | 1                     | 2                     | 2                            | 2
Message complexity | 2                     | n                     | 2                            | 2
Message size       | (n+3)t                | 7t                    | (n+2)t                       | (n+1)t

A.1. Initialization phase

Let $G$ be a finite cyclic group of order $q$ and $\alpha$ be a generator of $G$. The participants are assumed to pick their secret exponents from $Z_q$ at random. The function $u : G \to Z_q$ is a bijection. In the AT-GDH
protocol, the participants are identified by their universal address in the spanning tree. $c_x$ is the number of $x$'s children and $h$ is the height of the tree.

A.2. Round 1

For all members $x = y.i$ with $c_x = 0$:
1. $x$ selects a random $k_x \in Z_q$;
2. $x \to y : \alpha^{k_x}$.

A.3. Round 2

For all members $x$ with $c_x \neq 0$:
1. $x$ selects a random $e_x \in G$;
2. $x$ waits to receive $\alpha^{k_{x.j}}$ for all $j = 1, \ldots, c_x$;
3. $x$ calculates $k_x = u(K(x, c_x))$ from $K(x, 0) = e_x$ and $K(x, j) = (\alpha^{k_{x.j}})^{u(K(x, j-1))}$ for $j = 1, \ldots, c_x$;
4. $x \to y : \alpha^{k_x}$.

A.4. Round $h + l$ ($l = 1, \ldots, h$)

For each member $x.i$ on level $l$: $x \to x.i : M_{x.i}$, where $M_{x.i} = \langle M_x, \alpha^{u(K(x, i-1))}, \alpha^{k_{x.(i+1)}}, \alpha^{k_{x.(i+2)}}, \ldots, \alpha^{k_{x.c_x}} \rangle$ and the root's message $M$ is empty. The resulting common key is $K(\text{root}, c_{\text{root}}) = k_{\text{root}}$.

Note: The AT-GDH protocol does not contain group key management mechanisms, and the number of rounds this protocol needs to gather and distribute the blinded keys is twice the height of the tree.

References

[1] I. Ingermarsson, C. Wong, A conference key distribution system, IEEE Transactions on Information Theory 28 (5) (1982) 714–720.
[2] I. Chung, W. Choi, Y. Kim, M. Lee, The design of conference key distribution system employing a symmetric balanced incomplete block, Information Processing Letters 81 (6) (2002) 313–318.
[3] Y. Cai, Y. Wang, Identity-based conference key distribution protocol with user anonymity, Chinese Journal of Electronics 16 (1) (2007) 179–181.
[4] X. Yi, C.K. Siew, C.H. Tan, Y. Ye, A secure conference scheme for mobile communications, IEEE Transactions on Wireless Communication 2 (6) (2003) 1168–1177.
[5] L.B. Oliveira, H.C. Wong, A.A.F. Loureiro, R. Dahab, On the design of secure protocols for hierarchical sensor networks, International Journal of Security and Networks 2 (3/4) (2007) 216–227.
[6] M. Burmester, Y. Desmedt, A secure and efficient conference key distribution system, in: EUROCRYPT 1994, Lecture Notes in Computer Science, vol. 950, Springer, Berlin, pp. 275–286.
[7] Y. Kim, A. Perrig, G. Tsudik, Group key agreement efficient in communication, IEEE Transactions on Computers 53 (7) (2004) 905–921.
[8] D. Steer, L. Strawczynski, W. Diffie, M. Wiener, A secure audio teleconference system, in: CRYPTO 1988, Lecture Notes in Computer Science, vol. 403, Springer, Berlin, pp. 520–528.
[9] M. Steiner, G. Tsudik, M. Waidner, Key agreement in dynamic peer groups, IEEE Transactions on Parallel and Distributed Systems 11 (8) (2000) 769–780.
[10] Y. Kim, A. Perrig, G. Tsudik, Simple and fault-tolerant key agreement for dynamic collaborative groups, in: Seventh ACM Conference on Computer and Communications Security, New York, 2000, pp. 235–244.
895
[11] E. Bresson, O. Chevassut, D. Pointcheval, Provably authenticated group DiffieHellman key exchange-the dynamic case, in: ASIACRYPT 2001, Lecture Notes in Computer Science, vol. 2248, Springer, Berlin, pp. 290–309. [12] E. Bresson, O. Chevassut, D. Pointcheval, J. Quisquater, Provably authenticated group Diffie-Hellman key exchange, in: Eighth ACM Conference Computer and Communications Security, New York, 2001, pp. 255–264. [13] J. Katz, M. Yung, Scalable protocols for authenticated group key exchange, Journal of Cryptology 20 (1) (2007) 85–113. [14] N. Wang, S. Fang, A hierarchical key management scheme for secure group communications in mobile ad hoc networks, Journal of Systems and Software 80 (10) (2007) 1667–1677. [15] C. Chang, H. Tsai, P. Chang, A collaborative conference key agreement scheme by using an intermediary node, in: ICCIT 2007, Gyeongbuk, 2007, pp. 54–59. [16] W. Kim, E. Ryu, J. Im, K. Yoo, New conference key agreement protocol with user anonymity, Computer Standards and Interfaces 27 (2) (2005) 185–190. [17] Y. Tseng, An improved conference-key agreement protocol with forward secrecy, Informatica 16 (2) (2005) 275–284. [18] S. Jarecki, J. Kim, G. Tsudik, Robust group key agreement using short broadcasts, in: 14th ACM Conference on Computer and Communications Security, New York, 2007, pp. 411–420. [19] E. Bresson, M. Manulis, Malicious participants in group key exchange: key control and contributiveness in the shadow of trust, in: ATC 2007, Lecture Notes in Computer Science, vol. 4610, Springer, Berlin, pp. 395–409. [20] W. Tzeng, A secure fault-tolerant conference key agreement protocol, IEEE Transactions on Computers 51 (4) (2002) 373–379. [21] Y. Tseng, A communication-efficient and fault-tolerant conference-key agreement protocol with forward secrecy, Journal of Systems and Software 80 (7) (2007) 1091–1101. [22] K. Huang, Y. Chung, H. Lee, F. Lai, T. 
Chen, A conference key agreement protocol with fault-tolerant capability, Computer Standards and Interfaces 31 (2) (2009) 401–405. [23] S. Lee, J. Kim, S. Hong, Security weakness of Tseng’s fault-tolerant conferencekey agreement protocol, Journal of Systems and Software 82 (7) (2009) 1163– 1167. [24] A. Abdel-Hafez, A. Miri, L. Orozco-Barbosa, Scalable and fault-tolerant key agreement protocol for dynamic groups, International Journal of Network Management 16 (3) (2006) 185–202. [25] M. Hietalahti, A clustering-based group key agreement protocol for ad hoc networks, Electronic Notes in Theoretical Computer Science 192 (2) (2008) 43–53. [26] M. Hietalahti, Efficient key agreement for ad hoc networks, Master’s Thesis, Helsinki University of Technology, Department of Computer Science and Engineering, Espoo, Finland, 2001. [27] ANSI, 2001 ANSI X9.63., 2001, Public key cryptography for the financial services industry: key agreement and key transport using Elliptic Curve cryptography, ANSI. [28] M. Bellare, D. Pointcheval, P. Rogaway, Authenticated key exchange secure against dictionary attacks, in: EUROCRYPT 2000, Lecture Notes in Computer Science, vol. 1807, Springer, Berlin, pp. 139–155. [29] H. Shi, M. He, Z. Qin, Authenticated and communication efficient group key agreement for clustered ad hoc networks, in: CANS 2006, Lecture Notes in Computer Science, vol. 4301, Springer, Berlin, pp. 73–89. [30] A. Abdel-Hafez, A. Miri, L. Oronzo-Barbosa, Authenticated group key agreement protocols for ad hoc wireless networks, International Journal of Network Security 4 (1) (2007) 90–98. [31] E. Klaoudatou, E. Konstantinou, G. Kambourakis, S. Gritzalis, A clusterbased framework for the security of medical sensor environments, in: 6th International Conference on Trust, Privacy and Security in Digital Business, Lecture Notes in Computer Science, vol. 5695, Springer, Berlin, pp. 52–62. [32] D.J. Baker, A. Ephremides, J.A. 
Flynn, The design and simulation of a mobile radio network with distributed control, IEEE Journal on Selected Areas in Communications 2 (1) (1984) 226–237. [33] E.M. Belding-Royer, Hierarchical routing in ad hoc mobile networks, Wireless Communication and Mobile Computing 2 (5) (2002) 515–532. [34] H. Jeni, HMQV: a high-performance secure Diffie-Hellman protocol, in: CRYPTO 2005, Lecture Notes in Computer Science, vol. 3621, Springer, Berlin, 2005, pp. 546–566.
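The rounds of Appendix A, simulated end to end so that the upward gathering of blinded keys, the downward messages $M_{x.i}$ and each member's recovery of $K(\varepsilon, c_\varepsilon)$ can be checked on a small tree. This is an added example written for this page, not code from the paper or from the AT-GDH authors. It assumes a toy prime-order subgroup (P = 2039, Q = 1019, ALPHA = 4, constructed here and far too small for real use) and takes $u$ to be reduction modulo $q$, since this section does not define $u$; the names `Member`, `run_protocol` and the per-level list representation of $M_{x.i}$ are implementation choices of the example.

```python
"""Simulation of the AT-GDH rounds from Appendix A (added example, not the paper's code)."""
import secrets

# Toy group (constructed for this example): P = 2*Q + 1 with Q prime, so
# ALPHA = 4 = 2^2 generates the subgroup G of prime order Q in Z_P^*.
P, Q, ALPHA = 2039, 1019, 4


def u(K: int) -> int:
    """Map a group element to an exponent in Z_Q. The paper's u is assumed to be
    some fixed map G -> Z_q; reduction mod Q is the placeholder used here."""
    return K % Q


def blind(k: int) -> int:
    """alpha^k mod p: the blinded key a member sends instead of k itself."""
    return pow(ALPHA, k, P)


class Member:
    def __init__(self, address: tuple):
        self.address = address      # universal address; () is the root
        self.children = []          # children x.1 ... x.c_x
        self.k = None               # k_x
        self.K = None               # [K(x,0), ..., K(x,c_x)] for internal nodes
        self.received = {}          # j -> alpha^{k_{x.j}} received from child j
        self.M = None               # downward message M_{x.i}, one entry per level


def build_tree(spec, address=()):
    """spec is a nested list with one sub-list per child, e.g. [[], [[], []], []]."""
    node = Member(address)
    for i, child_spec in enumerate(spec, start=1):
        node.children.append(build_tree(child_spec, address + (i,)))
    return node


def upward(x: Member, transcript: list):
    """Rounds 1 and 2: every member derives k_x and sends alpha^{k_x} to its parent.
    An internal node waits for all its children, hence the post-order walk."""
    if not x.children:                                      # c_x = 0 (Round 1)
        x.k = secrets.randbelow(Q - 1) + 1                  # random nonzero k_x in Z_q
    else:                                                   # c_x != 0 (Round 2)
        x.K = [pow(ALPHA, secrets.randbelow(Q - 1) + 1, P)]  # K(x,0) = e_x, random in G
        for j, child in enumerate(x.children, start=1):
            upward(child, transcript)
            x.received[j] = blind(child.k)                  # alpha^{k_{x.j}} from child j
            x.K.append(pow(x.received[j], u(x.K[j - 1]), P))  # K(x,j) = alpha^{k_{x.j} u(K(x,j-1))}
        x.k = u(x.K[-1])                                    # k_x = u(K(x, c_x))
    if x.address:                                           # everyone but the root sends up
        transcript.append(("up", x.address, x.address[:-1], blind(x.k)))


def downward(x: Member, M_x: list, transcript: list):
    """Rounds h+1 ... 2h: x sends child i
    M_{x.i} = <M_x, alpha^{u(K(x,i-1))}, alpha^{k_{x.(i+1)}}, ..., alpha^{k_{x.c_x}}>,
    stored as M_x plus one (blinded_prev, later_siblings) level."""
    c_x = len(x.children)
    for i, child in enumerate(x.children, start=1):
        level = (blind(u(x.K[i - 1])), [x.received[j] for j in range(i + 1, c_x + 1)])
        child.M = M_x + [level]
        transcript.append(("down", x.address, child.address, child.M))
        downward(child, child.M, transcript)


def derive_group_key(m: Member) -> int:
    """Recover K(root, c_root) from the member's own k_x and its message M,
    working from its own level back up to the root."""
    if m.M is None:                      # the root already computed it in Round 2
        return m.K[-1]
    k, K = m.k, None
    for blinded_prev, later_siblings in reversed(m.M):
        K = pow(blinded_prev, k, P)      # K(y,i) = (alpha^{u(K(y,i-1))})^{k_{y.i}}
        for b in later_siblings:
            K = pow(b, u(K), P)          # K(y,j) = (alpha^{k_{y.j}})^{u(K(y,j-1))}
        k = u(K)                         # k_y = u(K(y, c_y)), reused one level up
    return K


def members(root: Member) -> list:
    out = [root]
    for c in root.children:
        out.extend(members(c))
    return out


def height(root: Member) -> int:
    return 0 if not root.children else 1 + max(height(c) for c in root.children)


def run_protocol(spec):
    """Run all rounds on the given tree shape; return (root, per-member keys, transcript)."""
    root = build_tree(spec)
    if not root.children:
        raise ValueError("a group needs at least two members")
    transcript = []
    upward(root, transcript)
    downward(root, [], transcript)
    keys = {m.address: derive_group_key(m) for m in members(root)}
    return root, keys, transcript


if __name__ == "__main__":
    root, keys, transcript = run_protocol([[], [[], []], []])
    print("height", height(root), "-> rounds needed:", 2 * height(root))
    print("all members agree on the key:", len(set(keys.values())) == 1)
```

The transcript records one upward message per non-root member and one downward message per non-root member, and each member's $M_{x.i}$ holds exactly one level per edge on its path to the root, which is why a tree of height $h$ needs $2h$ rounds as the note above states. Since the whole $M_x$ is embedded in every $M_{x.i}$, message size grows with depth and with the number of later siblings, which is the communication cost EGKA sets out to improve on.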