Computer Communications 22 (1999) 749–754
Research note
Anonymous conference key distribution systems based on the discrete logarithm problem
Y.-M. Tseng, J.-K. Jan*
Institute of Applied Mathematics, National Chung Hsing University, Taichung, 402 Taiwan
Received 29 June 1998; accepted 22 January 1999
Abstract

In 1997, Wu [T.C. Wu, Conference key distribution system with user anonymity based on algebraic approach, IEE Proc. Comput. Digit. Tech. 144(2) (1997) 145–148] proposed a conference key distribution system (CKDS) with user anonymity using algebraic operations. User anonymity means that the identities of the participants in a conference are hidden from one another, except from the chairperson. In this article, two CKDSs with user anonymity are proposed. The first is a modification of Wu's scheme that uses the simple interpolating properties of polynomials in place of the algebraic approach. Both Wu's original scheme and our modified one require a one-way hash function to hide the identities of participants and to protect each participant's common key shared with the chairperson; both also use the one-way hash function to authenticate the chairperson. We then propose a second scheme that does not use a one-way hash function for these purposes but achieves them all the same. Compared to Wu's scheme, both our schemes require less computing time. The security of the proposed CKDSs is based on the difficulty of computing the discrete logarithm problem as well as the one-way hash function assumption. Both schemes are secure against impersonation and conspiracy attacks. © 1999 Elsevier Science B.V. All rights reserved.

Keywords: Cryptography; Conference key distribution system; User anonymity; One-way hash function; Discrete logarithm
1. Introduction

A common session key needs to be shared between two users to establish secret communication over an insecure channel. In 1976, Diffie and Hellman [1] proposed a secure key distribution system (KDS) for distributing such a common session key: either user can determine it from his own secret key and the partner's public key. However, it is only suitable for a point-to-point situation. If three or more users want to communicate in order to hold a secure conference, a common conference key must be shared among all of them. The concept of conference key distribution was first proposed by Ingemarsson et al. [2]. A secure conference key distribution system (CKDS) must guarantee that all and only the participants of the conference share a common conference key, which can then be used to hold a secure conference. Most of the previously proposed CKDSs [2–5] do not have the following privacy feature: the identities of the principals participating in a conference are hidden from
* Corresponding author. E-mail address: [email protected] (J.-K. Jan)
other non-attending users. In some situations, however, the identities of participants should also be anonymous to each other, in order to protect each participant from the influence of the others. This is the main purpose of user anonymity. None of these CKDSs provides user anonymity, except for the secure lock scheme in [6]; unfortunately, the computational complexity of the secure lock scheme makes it inefficient for practical applications. In 1997, Wu [7] proposed a CKDS with user anonymity based on an algebraic approach. Its security rests on the Diffie–Hellman [1] and one-way hash [8] cryptographic assumptions. In this article, based on the same cryptographic assumptions as Wu's CKDS, we propose a modified CKDS with user anonymity that uses the simple interpolating properties of polynomials. Like Wu's scheme, the modified scheme still requires a one-way hash function to protect each participant's common key shared with the chairperson and to hide the identities of the participants. Moreover, we propose another scheme that uses a novel approach, without a one-way hash function, to achieve user anonymity and to authenticate the chairperson. Both our schemes require less computing time than Wu's scheme. We
0140-3664/99/$ - see front matter © 1999 Elsevier Science B.V. All rights reserved. PII: S0140-3664(99)00034-1
also show that the proposed schemes withstand the impersonation and conspiracy attacks described in [9]. The remainder of this article is organized as follows: in Section 2, we briefly review Wu's scheme. The two proposed schemes are described in Sections 3 and 4, respectively, together with their security analyses. In Section 5, we present the performance of our schemes and compare them with the previous work. Section 6 gives our conclusions.
2. Review of Wu's conference key distribution system

The scheme is divided into three stages. The first stage is the system set-up stage. Each secure transaction for the conference key distribution then consists of two stages: the distribution stage performed by the chairperson and the recovery stage performed by each participant in a conference.

During the system set-up stage, the system chooses and publishes a large prime number p such that p − 1 has a large prime factor. Let q be a prime divisor of p − 1 and g be a generator of order q in GF(p). Let m be the number of principals in the system and ID_i be the identity of the principal U_i. As in the Diffie–Hellman scheme [1], the system assigns a secret key x_i ∈ Z_q^* and computes the public key y_i = g^{x_i} mod p for each U_i, where 1 ≤ i ≤ m, and then gives the secret key x_i to U_i in a confidential way.

During the conference key distribution stage, assume that U_C is the chairperson and A = {U_i | i = 1, …, n; n < m} is the set of attending members. U_C performs the following steps to distribute a conference key shared by the principals in A:

Step 1. Compute the common secret key shared with each U_i ∈ A as k_{ci} = y_i^{x_c} mod p.

Step 2. Get a timestamp T from the system and compute h_i = H(k_{ci} ‖ ID_C ‖ ID_i ‖ T ‖ m), where 1 ≤ i ≤ n, ‖ denotes concatenation and H(X) is a one-way hash function with a fixed-length output string of bits as specified in [8].

Step 3. Randomly select a conference key CK ∈ Z_q^* and solve a_1, a_2, …, a_n from the following equation system:

$$
\begin{cases}
a_1 h_1 + a_2 h_1^2 + \cdots + a_n h_1^n \equiv CK \pmod q \\
a_1 h_2 + a_2 h_2^2 + \cdots + a_n h_2^n \equiv CK \pmod q \\
\quad\vdots \\
a_1 h_n + a_2 h_n^2 + \cdots + a_n h_n^n \equiv CK \pmod q
\end{cases}
\qquad (1)
$$

Step 4. Let W(z) = −CK + a_1 z + a_2 z^2 + … + a_n z^n mod q and compute W(1), W(2), …, W(n).

Step 5. Compute the characteristic value for CK at timestamp T as V = H(CK ‖ ID_C ‖ T).

Step 6. Broadcast the message M = {ID_C, W(1), W(2), …, W(n), V, T}.

During the conference key recovery stage, each U_i in the system receives the message M and performs the conference key recovery procedure. Only U_i ∈ A can recover the conference key CK, using the following steps:

Step 1. First verify that the received timestamp T has not expired. If it is invalid, terminate the recovery stage.

Step 2. Compute the common secret key shared with U_C as k_{ic} = y_c^{x_i} mod p. (This equals k_{ci}, since y_c^{x_i} = g^{x_c x_i} = y_i^{x_c} mod p.)

Step 3. Compute h_i = H(k_{ic} ‖ ID_C ‖ ID_i ‖ T ‖ m) and solve CK from the following system of n + 1 equations in the n + 1 unknowns a_1, …, a_n and CK:

$$
\begin{cases}
a_1 h_i + a_2 h_i^2 + \cdots + a_n h_i^n \equiv CK \pmod q \\
a_1 \cdot 1 + a_2 \cdot 1^2 + \cdots + a_n \cdot 1^n \equiv W(1) + CK \pmod q \\
\quad\vdots \\
a_1 \cdot n + a_2 \cdot n^2 + \cdots + a_n \cdot n^n \equiv W(n) + CK \pmod q
\end{cases}
\qquad (2)
$$

Step 4. U_i checks the recovered key and the chairperson by verifying that H(CK ‖ ID_C ‖ T) = V.

The security of Wu's CKDS is based on the difficulty of computing the discrete logarithm problem and on the one-way hash function cryptographic assumption, as demonstrated in [7]. In Wu's CKDS, in order to reduce the computational complexity, each user requires extra storage for maintaining n − 1 additional common secret keys; however, this is impractical.
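The following Python program is an added worked example of the stages reviewed above; it is not code from the paper or from Wu [7]. Beyond what the paper specifies, it assumes that H is SHA-256 over the concatenated fields, that h_i is reduced modulo q so that it can be used as a field element, and that the group is a seeded 64-bit safe prime p = 2q + 1 with g = 4 (a toy size chosen so that the demo runs instantly, not a secure parameter). The chairperson solves system (1) by Gauss-Jordan elimination over Z_q, which is where the cubic multiplication count and the modular inverse in Table 1 come from, and each participant solves the (n + 1)-unknown system (2) for (a_1, …, a_n, CK). The timestamp check of recovery Step 1 is left out.

```python
import hashlib
import random
import secrets
from typing import List, Tuple


def toy_group(bits: int = 64, seed: int = 7) -> Tuple[int, int, int]:
    """Seeded search for a safe prime p = 2q + 1; a Fermat test on a few bases is
    enough for a demo. g = 4 is a square mod p, so it has order q. 64 bits is a
    toy size that only makes the demo instant; it is not a secure choice."""
    rng = random.Random(seed)
    probably_prime = lambda n: all(pow(a, n - 1, n) == 1 for a in (2, 3, 5, 7, 11, 13))
    while True:
        q = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if probably_prime(q) and probably_prime(2 * q + 1):
            return 2 * q + 1, q, 4


P, Q, G = toy_group()


def H(*parts) -> int:
    """Assumed instantiation of the paper's H: SHA-256 over the '||'-joined parts."""
    data = b"||".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def keygen() -> Tuple[int, int]:
    """System set-up for one principal: secret x in Z_q^*, public y = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def solve_mod(rows: List[List[int]], rhs: List[int], mod: int) -> List[int]:
    """Gauss-Jordan elimination over Z_mod (mod prime): the O(n^3) multiplications and
    the modular inverses that Wu's scheme pays and the interpolation schemes avoid."""
    n = len(rows)
    M = [r[:] + [b] for r, b in zip(rows, rhs)]
    for c in range(n):
        piv = next(r for r in range(c, n) if M[r][c])       # StopIteration: singular system
        M[c], M[piv] = M[piv], M[c]
        inv = pow(M[c][c], -1, mod)
        M[c] = [v * inv % mod for v in M[c]]
        for r in range(n):
            if r != c and M[r][c]:
                f = M[r][c]
                M[r] = [(vr - f * vc) % mod for vr, vc in zip(M[r], M[c])]
    return [r[n] for r in M]


def wu_distribute(xc: int, idc: str, attendees: List[Tuple[str, int]], T: int, m: int):
    """Distribution stage, Steps 1-6; attendees is [(ID_i, y_i)]. Returns (M, CK)."""
    hs = [H(pow(yi, xc, P), idc, idi, T, m) % Q for idi, yi in attendees]   # k_ci, then h_i
    n, ck = len(hs), secrets.randbelow(Q - 1) + 1
    a = solve_mod([[pow(h, k, Q) for k in range(1, n + 1)] for h in hs], [ck] * n, Q)  # (1)
    W = [(sum(a[k - 1] * pow(j, k, Q) for k in range(1, n + 1)) - ck) % Q
         for j in range(1, n + 1)]                                            # W(1), ..., W(n)
    return {"IDC": idc, "W": W, "V": H(ck, idc, T), "T": T}, ck


def wu_recover(xi: int, idi: str, yc: int, msg: dict, m: int):
    """Recovery stage, Steps 2-4 (the timestamp check of Step 1 is left out here)."""
    n = len(msg["W"])
    hi = H(pow(yc, xi, P), msg["IDC"], idi, msg["T"], m) % Q                 # k_ic = k_ci
    # Unknown vector is (a_1, ..., a_n, CK); the last column carries the CK terms of (2).
    rows = [[pow(hi, k, Q) for k in range(1, n + 1)] + [Q - 1]]
    rhs = [0]
    for j in range(1, n + 1):
        rows.append([pow(j, k, Q) for k in range(1, n + 1)] + [Q - 1])
        rhs.append(msg["W"][j - 1])
    ck = solve_mod(rows, rhs, Q)[n]
    return ck if H(ck, msg["IDC"], msg["T"]) == msg["V"] else None


def demo(T: int = 1_000) -> dict:
    """Principals U1..U4 plus chairperson UC; only U1..U3 attend."""
    ids = ["U1", "U2", "U3", "U4"]
    keys = {u: keygen() for u in ids}
    xc, yc = keygen()
    m = len(ids) + 1
    msg, ck = wu_distribute(xc, "UC", [(u, keys[u][1]) for u in ids[:3]], T, m)
    return {"ck": ck, "got": [wu_recover(keys[u][0], u, yc, msg, m) for u in ids],
            "n_broadcast": len(msg["W"]) + 3}
```

demo() returns the conference key, the value each of the four principals recovers (U1 to U3 obtain CK, U4 obtains None because its check on V fails) and the n + 3 items of the broadcast. Note that both systems are Vandermonde-like: solve_mod raises StopIteration if two h_i coincide, if some h_i is 0, or (on the recovery side) if an h_i equals one of 1, …, n. With a real-size q these events are negligible, which is why the toy group is 64 bits wide rather than a few bits.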
3. The modified scheme

The modified CKDS is also divided into three stages. They are the same as the stages of the CKDS proposed by Wu, except for Steps 3 and 4 of the key distribution stage and Step 3 of the key recovery stage. The detailed modifications are as follows.

During the conference key distribution stage, replace Steps 3 and 4 of Wu's scheme with the following Step 3; the broadcast message of Step 6 also changes.

Step 3. Randomly select a conference key CK ∈ Z_q^* and construct a polynomial of degree n through the n points (h_i, CK) as

$$
P(x) = \prod_{i=1}^{n} (x - h_i) + CK \bmod q = x^n + c_{n-1} x^{n-1} + \cdots + c_1 x + c_0 \bmod q, \qquad (3)
$$

so that c_{n−1}, c_{n−2}, …, c_1, c_0 ∈ Z_q.

Step 6. U_C broadcasts the message M = {ID_C, V, T, c_{n−1}, c_{n−2}, …, c_1, c_0}.

During the conference key recovery stage, each U_i in the system receives the message M and performs the conference key recovery procedure. The modified scheme operates exactly as described for Wu's scheme, except that Step 3 of the recovery procedure becomes:

Step 3. Compute h_i = H(k_{ic} ‖ ID_C ‖ ID_i ‖ T ‖ m) and recover the conference key CK by evaluating P(h_i) using Horner's rule [10]:

$$
P(h_i) = h_i^n + c_{n-1} h_i^{n-1} + \cdots + c_1 h_i + c_0 \bmod q = CK \bmod q. \qquad (4)
$$

Since every h_i is a root of P(x) − CK, a participant's own h_i evaluates to CK directly, and the chairperson no longer has to solve the linear system (1).

In the following, we discuss the security of the modified scheme. Fundamentally, its security rests on the same cryptographic assumptions as Wu's CKDS, so we only discuss the security of the polynomial.

Attack 1: A non-attending principal wishes to derive CK from the broadcast message M. Obviously, the non-attending principal obtains the polynomial of degree n, P(x) = x^n + c_{n−1} x^{n−1} + … + c_1 x + c_0 mod q, from M. A non-attending user U_j can recover the correct CK from this polynomial only if he knows a valid h_i satisfying P(h_i) = CK mod q. However, P(x) is specified by U_C using the valid h_i values, and a non-attending user can compute a valid k_{ci}, and hence h_i, only if he knows the secret key x_c or x_i. Computing x_c or x_i from y_c or y_i, respectively, is equivalent to solving the discrete logarithm problem. Hence no non-attending user can obtain CK from the broadcast message M.

Attack 2: A participant wishes to derive the other participants' identities. The participant U_i may try to find the roots of the equation P(x) = CK mod q to derive the values h_j of the other participants, where 1 ≤ j ≤ n, j ≠ i. However, computing the common keys k_{cj} and revealing the identities from the h_j is prevented by the one-way hash assumption as well as by the difficulty of computing the discrete logarithm problem. Therefore, our modified CKDS also ensures that the identities of participants are anonymous to one another.
4. The scheme without using a one-way hash function

Wu's scheme and our modified one both require a one-way hash function to protect each participant's common key shared with the chairperson and to hide the identities of participants. Both schemes also use the one-way hash function to authenticate the chairperson. In this section, we propose another scheme that uses a novel approach to achieve the same goals, so that the main security of the scheme rests on the difficulty of computing the discrete logarithm problem.

The scheme is divided into three stages. The first stage is the same as the system set-up stage of the CKDS proposed by Wu. Each secure transaction for the conference key distribution again consists of two stages: the distribution stage and the recovery stage. They are described in the following subsections.

4.1. Conference key distribution stage

Assume that U_C is the chairperson and A = {U_i | i = 1, …, n; n < m} is the set of attending members. U_C performs the following steps to distribute a conference key shared by the participants in A:

Step 1. Randomly choose an integer r ∈ Z_q^*, get a timestamp T from the system and compute

$$
A = g^r \bmod p, \qquad (5)
$$

$$
B = r + H(T \,\|\, A) \cdot x_c \bmod q. \qquad (6)
$$

Step 2. Compute the common secret key shared with each U_i ∈ A as

$$
k_{ci} = y_i^r \bmod p, \quad 1 \le i \le n. \qquad (7)
$$

Step 3. Randomly select a conference key CK ∈ Z_p^*.

Step 4. Construct a polynomial of degree n through the n points (k_{ci}, CK) as

$$
P(x) = \prod_{i=1}^{n} (x - k_{ci}) + CK \bmod p = x^n + c_{n-1} x^{n-1} + \cdots + c_1 x + c_0 \bmod p, \qquad (8)
$$

so that c_{n−1}, c_{n−2}, …, c_1, c_0 ∈ Z_p.

Step 5. U_C then broadcasts the message M = {A, B, T, c_{n−1}, c_{n−2}, …, c_1, c_0}.

Although Step 1 uses a one-way hash function, it appears only in the value B, which binds T and A to the chairperson's secret key x_c. Its purpose is to protect against replay and to let participants authenticate the chairperson; it plays no part in hiding identities or in protecting the keys k_{ci}.
4.2. Conference key recovery stage

Once the message M is received by any user U_i in the system, U_i performs the conference key recovery procedure. Only U_i ∈ A can recover the correct CK, by the following steps:

Step 1. First verify that the received timestamp T has not expired. If T is invalid, terminate the recovery steps.

Step 2. Compute H(T ‖ A) and check whether the following equation holds:

$$
g^B \equiv A \cdot y_c^{H(T \,\|\, A)} \pmod p. \qquad (9)
$$

It holds for a genuine message because g^B = g^{r + H(T ‖ A) x_c} = g^r · (g^{x_c})^{H(T ‖ A)} = A · y_c^{H(T ‖ A)} mod p. If it fails, the message was not produced by U_C, or was altered, and recovery stops.

Step 3. Compute the common secret key shared with U_C as k_{ic} = A^{x_i} mod p, where

$$
k_{ic} = A^{x_i} \bmod p = g^{x_i r} \bmod p = y_i^r \bmod p = k_{ci}. \qquad (10)
$$

Step 4. Recover the conference key CK by evaluating P(k_{ic}) using Horner's rule [10]:

$$
P(k_{ic}) = k_{ic}^n + c_{n-1} k_{ic}^{n-1} + \cdots + c_1 k_{ic} + c_0 \bmod p = CK \bmod p. \qquad (11)
$$
From the above description, it can be seen that participants verify the chairperson's identity directly from the received message and then recover the valid conference key CK.

4.3. Security analysis

It is clear that the security of the proposed CKDS is based on the difficulty of computing the discrete logarithm problem [1]. The one-way hash function is only used to protect against replay attacks. If this assumption could be broken in a reasonable amount of time, anyone could impersonate the chairperson who distributes the conference key. In the following, we consider some possible attacks on our CKDS.

Attack 1: A non-attending user wishes to derive CK from the broadcast message M. Obviously, from M the non-attending user obtains the polynomial of degree n, P(x) = x^n + c_{n−1} x^{n−1} + … + c_1 x + c_0 mod p. A non-attending user U_j can recover the correct CK from this polynomial only if he knows a valid k_{ci} satisfying P(k_{ci}) = CK mod p. However, P(x) is specified by U_C using the valid k_{ci} values, and a non-attending user can compute a valid k_{ci} only if he knows the secret key x_i or the random integer r. Computing r or x_i from A or y_i, respectively, is equivalent to solving the discrete logarithm problem. Hence no non-attending user can obtain CK from the broadcast message M.

Attack 2: An opponent wants to impersonate the chairperson U_C by replaying a previous broadcast message or by forging a message. If the impersonator rebroadcasts a previous message sent by U_C, it will not succeed because of the invalid timestamp: the expiration of T is checked in Step 1 of the conference key recovery stage. As for impersonation by forging the message, the impersonator must forge U_C's signature (A, B) on T, which is possible only if he knows the secret key x_c. However, computing x_c from y_c is equivalent to solving the discrete logarithm problem.

Attack 3: Conspiring participants wish to derive the chairperson's secret information. In our CKDS, the chairperson broadcasts the message to all intended users. Each user obtains the polynomial of degree n, P(x) = x^n + c_{n−1} x^{n−1} + … + c_1 x + c_0 mod p, and each participant derives the common key shared with the chairperson to compute the valid CK. However, the polynomial P(x) does not contain any of the chairperson's secret information. Moreover, although every user obtains the broadcast message M, as shown in Attack 2 they cannot obtain the secret key x_c from the authentication values (A, B) or from the public information y_c.

Attack 4: A participant of the conference wishes to derive the other participants' common keys shared with the chairperson, and their identities. The participant U_i may try to find the roots of the equation P(x) = CK modulo p to derive the common keys k_{cj}, where 1 ≤ j ≤ n, j ≠ i. However, the common keys are different in every conference, since r is chosen afresh. Moreover, linking a k_{cj} to an identity requires the secret key x_j or the random integer r. As shown in Attack 1, computing r or x_j from A or y_j, respectively, is equivalent to solving the discrete logarithm problem. Therefore, our CKDS ensures that the identities of participants are anonymous to one another, and even to the non-attending principals.
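The following Python program is an added worked example covering both proposed schemes, the modified scheme of Section 3 (equations (3) and (4)) and the hash-free scheme of Section 4 (equations (5) to (11)), together with the replay and forgery checks discussed under Attack 2 above; it is not code from the paper. Assumptions beyond what the paper specifies: H is SHA-256 over the concatenated fields, h_i is reduced modulo q so that it can serve as a root over Z_q, the timestamp policy is a fixed acceptance window WINDOW, and the group is a seeded 64-bit safe prime p = 2q + 1 with g = 4, a toy size chosen only so that the demo runs instantly.

```python
import hashlib
import random
import secrets
from typing import List, Tuple

WINDOW = 60  # assumed freshness policy: a broadcast is accepted while its T is at most 60 s old

def toy_group(bits: int = 64, seed: int = 7) -> Tuple[int, int, int]:
    """Seeded search for a safe prime p = 2q + 1 (a Fermat test on a few bases is enough
    for a demo); g = 4 is a square mod p, so it has order q. 64 bits is a toy size."""
    rng = random.Random(seed)
    probably_prime = lambda n: all(pow(a, n - 1, n) == 1 for a in (2, 3, 5, 7, 11, 13))
    while True:
        q = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if probably_prime(q) and probably_prime(2 * q + 1):
            return 2 * q + 1, q, 4

P, Q, G = toy_group()

def H(*parts) -> int:
    """Assumed instantiation of the paper's H: SHA-256 over the '||'-joined parts."""
    data = b"||".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def keygen() -> Tuple[int, int]:
    """System set-up for one principal: secret x in Z_q^*, public y = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def poly_from_roots(roots: List[int], ck: int, mod: int) -> List[int]:
    """Coefficients [c_0, ..., c_{n-1}, 1] of prod_i (x - root_i) + ck over Z_mod: eqs. (3), (8)."""
    coeffs = [1]                                  # the monic constant polynomial
    for r in roots:                               # multiply by (x - r): j products at degree j
        nxt = [0] * (len(coeffs) + 1)
        for i, c in enumerate(coeffs):
            nxt[i + 1] = (nxt[i + 1] + c) % mod   # x * c x^i
            nxt[i] = (nxt[i] - c * r) % mod       # -r * c x^i
        coeffs = nxt
    coeffs[0] = (coeffs[0] + ck) % mod            # now every root evaluates to CK
    return coeffs

def horner(coeffs: List[int], x: int, mod: int) -> int:
    """Evaluate the polynomial at x by Horner's rule: eqs. (4), (11)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % mod
    return acc

def modified_distribute(xc: int, idc: str, attendees: List[Tuple[str, int]], T: int, m: int):
    """Section 3 chairperson; attendees is [(ID_i, y_i)]. Returns (broadcast M, CK)."""
    hs = [H(pow(yi, xc, P), idc, idi, T, m) % Q for idi, yi in attendees]   # k_ci, then h_i
    ck = secrets.randbelow(Q - 1) + 1
    msg = {"IDC": idc, "V": H(ck, idc, T), "T": T, "coeffs": poly_from_roots(hs, ck, Q)}
    return msg, ck

def modified_recover(xi: int, idi: str, yc: int, msg: dict, m: int, now: int):
    """Section 3 participant: CK, or None if T is stale or the check on V fails."""
    if not 0 <= now - msg["T"] <= WINDOW:
        return None
    hi = H(pow(yc, xi, P), msg["IDC"], idi, msg["T"], m) % Q     # k_ic = k_ci gives the same h_i
    ck = horner(msg["coeffs"], hi, Q)                              # eq. (4)
    return ck if H(ck, msg["IDC"], msg["T"]) == msg["V"] else None

def hashfree_distribute(xc: int, ys: List[int], T: int):
    """Section 4.1 chairperson; ys are the attendees' public keys. Returns (M, CK)."""
    r = secrets.randbelow(Q - 1) + 1
    A = pow(G, r, P)                                               # eq. (5)
    B = (r + H(T, A) * xc) % Q                                     # eq. (6)
    ks = [pow(yi, r, P) for yi in ys]                              # eq. (7)
    ck = secrets.randbelow(P - 1) + 1
    return {"A": A, "B": B, "T": T, "coeffs": poly_from_roots(ks, ck, P)}, ck

def hashfree_recover(xi: int, yc: int, msg: dict, now: int):
    """Section 4.2 participant: CK, or None if T is stale or eq. (9) rejects the sender."""
    A, B, T = msg["A"], msg["B"], msg["T"]
    if not 0 <= now - T <= WINDOW:
        return None
    if pow(G, B, P) != A * pow(yc, H(T, A) % Q, P) % P:            # eq. (9)
        return None
    return horner(msg["coeffs"], pow(A, xi, P), P)                 # eqs. (10) and (11)

def demo(now: int = 1_000) -> dict:
    """Principals U1..U4 plus chairperson UC; only U1..U3 attend. Also tries a forged B and a stale T."""
    ids = ["U1", "U2", "U3", "U4"]
    keys = {u: keygen() for u in ids}
    xc, yc = keygen()
    att, m = ids[:3], len(ids) + 1
    msg1, ck1 = modified_distribute(xc, "UC", [(u, keys[u][1]) for u in att], now, m)
    msg2, ck2 = hashfree_distribute(xc, [keys[u][1] for u in att], now)
    x1 = keys["U1"][0]
    return {
        "ck1": ck1, "got1": [modified_recover(keys[u][0], u, yc, msg1, m, now) for u in ids],
        "ck2": ck2, "got2": [hashfree_recover(keys[u][0], yc, msg2, now) for u in ids],
        "forged": hashfree_recover(x1, yc, {**msg2, "B": (msg2["B"] + 1) % Q}, now),
        "stale": hashfree_recover(x1, yc, msg2, now + WINDOW + 1),
    }
```

demo() returns what each of the four principals recovers in both schemes. In the Section 3 scheme the non-attendee U4 gets None, because V rejects the wrong key; in the Section 4 scheme U4 simply obtains a wrong value of CK, since the broadcast M of that scheme carries no check value for CK, only the pair (A, B) that authenticates the chairperson. The forged entry shows (9) rejecting a message whose B was altered, and the stale entry shows the timestamp check of recovery Step 1 rejecting a replay outside the window.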
5. Performance and comparisons

We now discuss the performance and the total number of transmitted messages of our schemes and compare them with Wu's CKDS. For convenience, the following notation is used to analyse the computational complexities of Wu's CKDS and our schemes: T_H is the time for executing the adopted one-way hash function H; T_MPY is the time for a modular multiplication; T_EXP is the time for a modular exponentiation; T_INV is the time for a modular inverse. The time for a modular addition is ignored, because it is much smaller than T_H, T_MPY, T_EXP and T_INV.

Table 1. Efficiency of Wu's CKDS and our CKDSs

                   Key distribution stage                                       Key recovery stage
Our first CKDS     n·T_EXP + (n + 1)·T_H + (n(n − 1)/2)·T_MPY                   T_EXP + 2·T_H + (n − 1)·T_MPY
Our second CKDS    (n + 1)·T_EXP + T_H + (n(n − 1)/2 + 1)·T_MPY                 3·T_EXP + T_H + n·T_MPY
Wu's CKDS          n·T_EXP + (n + 1)·T_H + T_INV + (n^3 + 3n^2 − n)·T_MPY        T_EXP + 2·T_H + T_INV + (3n^2 − n)·T_MPY

Consider first the total number of messages broadcast in the conference key distribution stage. In Wu's CKDS the chairperson broadcasts n + 3 messages, i.e. {ID_C, W(1), W(2), …, W(n), V, T}. Our modified scheme requires the same number of messages, i.e. {ID_C, V, T, c_{n−1}, c_{n−2}, …, c_1, c_0}; the messages ID_C, V and T of Wu's CKDS and of our modified CKDS are identical. Our new scheme without a one-way hash function also requires the same number of messages, i.e. M = {A, B, T, c_{n−1}, c_{n−2}, …, c_1, c_0}. Meanwhile, the bit-length of each coefficient of the polynomial P(x) in our two CKDSs is less than that of q and of p, respectively.

First consider the time complexity of constructing the polynomial P(x). Suppose that D(x) = ∏_{i=1}^{j} (x − k_{ci}) mod p, of degree j, has already been obtained, so that P(x) = D(x) ∏_{i=j+1}^{n} (x − k_{ci}) + CK mod p. The next factor gives D'(x) = D(x) · (x − k_{c,j+1}) mod p, of degree j + 1, with P(x) = D'(x) ∏_{i=j+2}^{n} (x − k_{ci}) + CK mod p. Multiplying the monic polynomial D(x) of degree j by (x − k_{ci}) requires j modular multiplications. Hence

$$
\sum_{j=1}^{n-1} j = \frac{n(n-1)}{2}
$$

modular multiplications are required in total.

For our first CKDS, let n be the number of participants in a conference. The chairperson U_C performs the conference key distribution stage. The chairperson computes the common secret key k_{ci} shared with each participant U_i, 1 ≤ i ≤ n, which requires n·T_EXP. Then a timestamp T is acquired and h_i (1 ≤ i ≤ n) are computed, which requires n·T_H. Next, the chairperson constructs the interpolating polynomial P(x), which requires (n(n − 1)/2)·T_MPY. Finally, the characteristic value V is computed, which requires T_H. So the conference key distribution stage requires n·T_EXP + (n + 1)·T_H + (n(n − 1)/2)·T_MPY in total. Upon receiving the message {ID_C, V, T, c_{n−1}, c_{n−2}, …, c_1, c_0}, each user U_i (1 ≤ i ≤ n) checks the validity of T, computes the common secret key k_{ic} shared with the chairperson and evaluates h_i, which requires T_EXP + T_H. Then U_i obtains the conference key CK by using Horner's rule to evaluate P(h_i) mod q, which requires (n − 1)·T_MPY. Next, each participant U_i computes and checks V, which requires T_H. Hence the conference key recovery stage performed by each participant requires T_EXP + 2·T_H + (n − 1)·T_MPY in total.

For our second CKDS, U_C first computes (A, B), which requires T_EXP + T_MPY + T_H. Next, the chairperson computes the common secret key k_{ci} shared with each participant U_i, 1 ≤ i ≤ n, which requires n·T_EXP. Finally, the chairperson constructs the interpolating polynomial P(x), which requires (n(n − 1)/2)·T_MPY. Thus the conference key distribution stage requires (n + 1)·T_EXP + T_H + (n(n − 1)/2 + 1)·T_MPY in total. Upon receiving the message M, each participant U_i (1 ≤ i ≤ n) checks the validity of T, authenticates the chairperson and computes the common secret key k_{ic} shared with the chairperson, which requires 3·T_EXP + T_H + T_MPY. Then U_i obtains the conference key CK by using Horner's rule to evaluate P(k_{ic}) mod p, which requires (n − 1)·T_MPY. Hence the conference key recovery stage performed by each participant requires 3·T_EXP + T_H + n·T_MPY in total.

The computational complexity of Wu's CKDS has been demonstrated in [7]. Comparisons of the performance of the conference key distribution stage and the conference key recovery stage of our schemes and of Wu's scheme are presented in Table 1. From the comparisons given in Table 1, our schemes are more efficient than Wu's scheme.

6. Conclusions

We have presented two CKDSs with user anonymity. In our first CKDS, we used the simple interpolating properties of polynomials to replace the algebraic approach of Wu's scheme. The second scheme does not use a one-way hash function to achieve user anonymity or to protect each participant's common key shared with the chairperson. In comparison with Wu's CKDS for computational complexity, we have demonstrated that our schemes have better performance. We have also shown that the proposed schemes are secure against impersonation and conspiracy attacks.
References

[1] W. Diffie, M.E. Hellman, New directions in cryptography, IEEE Trans. Inf. Theory 22 (6) (1976) 644–654.
[2] I. Ingemarsson, D.T. Tang, C.K. Wong, A conference key distribution system, IEEE Trans. Inf. Theory 28 (5) (1982) 714–720.
[3] S. Hirose, K. Ikeda, A conference key distribution system for the star configuration based on the discrete logarithm problem, Inf. Process. Lett. 62 (4) (1997) 189–192.
[4] M.S. Hwang, W.P. Yang, Conference key distribution schemes for secure digital mobile communications, IEEE J. Sel. Areas Commun. 13 (2) (1995) 416–420.
[5] T. Hwang, J.L. Chen, Identity-based conference key broadcast systems, IEE Proc. Comput. Digit. Tech. 141 (1) (1994) 57–60.
[6] C.H. Lin, C.C. Chang, R.C.T. Lee, A conference key broadcasting system using sealed locks, Inf. Syst. 17 (4) (1992) 323–328.
[7] T.C. Wu, Conference key distribution system with user anonymity based on algebraic approach, IEE Proc. Comput. Digit. Tech. 144 (2) (1997) 145–148.
[8] R.C. Merkle, One way hash functions and DES, in: Proceedings of CRYPTO '89, 1989, pp. 218–238.
[9] A. Shimbo, S. Kawamura, Cryptanalysis of several conference key distribution schemes, in: Proceedings of ASIACRYPT '91, 1991, pp. 265–276.
[10] E. Horowitz, S. Sahni, Fundamentals of Computer Algorithms, Computer Science Press, Rockville, MD, 1978.