DDH-based group key agreement in a mobile environment

The Journal of Systems and Software 78 (2005) 73–83 www.elsevier.com/locate/jss

DDH-based group key agreement in a mobile environment

q

Junghyun Nam *, Jinwoo Lee, Seungjoo Kim, Dongho Won School of Information and Communication Engineering, Sungkyunkwan University, 300 Chunchun-dong, Jangan-gu, Suwon, Gyeonggi-do 440-746, Republic of Korea Received 8 June 2004; received in revised form 13 October 2004; accepted 26 October 2004 Available online 8 December 2004

Abstract A group key agreement protocol is designed to efficiently implement secure multicast channels for a group of parties communicating over an untrusted, open network by allowing them to agree on a common secret key. In the past decade many problems related to group key agreement have been tackled and solved (diminished if not solved), and recently some constant-round protocols have been proven secure in concrete, realistic setting. However, all forward-secure protocols so far are still too expensive for small mobile devices. In this paper we propose a new constant-round protocol well suited for a mobile environment and prove its security under the decisional Diffie–Hellman assumption. The protocol meets simplicity, efficiency, and all the desired security properties.
2004 Elsevier Inc. All rights reserved. Keywords: Group key agreement; Mobile device; Multicast; DDH assumption

1. Introduction Over the past several years there has been a tremendous surge of interest in mobile computing. Advances in the power of mobile devices, such as personal digital assistants (PDAs), smart phones and handheld computers, have opened tempting new opportunities for a broad range of communities and institutions. With prices reducing and functionality increasing, it is expected that these network-enabled devices will play major roles in the promotion of both personal and business productivity. It is clear, thus, that the next generation of communication networks will include rapid deployments of independent mobile users.

q This work was supported by Electronics and Telecommunications Research Institute (ETRI) for the third author under Contract 02012004-0027, and by the University IT Research Center Project for the remaining authors. * Corresponding author. Tel.: +82 31 290 5695; fax: +82 31 290 5696. E-mail address: [email protected] (J. Nam).

0164-1212/$ - see front matter
2004 Elsevier Inc. All rights reserved. doi:10.1016/j.jss.2004.10.024

Although mobile devices are of increasing importance in every aspect of our daily lives, security is still a major limiting factor for their full adoption. Despite all the work conducted over many decades, the implementation of strong protection in a mobile environment is nontrivial (Borisov et al., 2001). Security solutions targeted for more traditional networks are often not directly applicable to wireless networks due to a marked difference in computing resources between mobile and stationary hosts. Typical examples are protocols for group key agreement, which are designed to efficiently implement secure multicast channels for a group of parties communicating over a public network by providing them with a shared secret key called a session key. Although some constant-round protocols for group key agreement have been proposed (Burmester and Desmedt, 1994; Katz and Yung, 2003; Bresson and Catalano, 2004), they are still too costly to be practical for applications involving mobile devices with limited computing resources; in these protocols, the computational cost of each group member increases significantly as group size

74

J. Nam et al. / The Journal of Systems and Software 78 (2005) 73–83

grows. Other constant-round protocols (Boyd and Nieto, 2003; Bresson et al., 2003), while they require only a fixed amount of computation for all but one group member, do not provide perfect forward secrecy (Diffie et al., 1992); i.e., in these protocols, past session keys are compromised by loss of some underlying information at the present time. It is this observation that prompted the present work aimed at designing an efficient group key agreement protocol not only meeting strong notions of security, but also well suited for a mobile environment. The mobile computing architecture we visualize is asymmetric in the sense of computational capabilities of participants. That is, the protocol participants consist of a stationary server and a cluster of mobile devices; the stationary server (also called application server or service provider) with sufficient computational power and mobile devices (also called clients) with limited computational resources wish to reach an agreement for a common session key. An asymmetric mobile environment is common in a number of applications such as Internet stock quotes, audio and music delivery, payper-view TV, software updates, and so on (Bhargava et al., 1995; Huang and Garcia-Molina, 2001; Phan et al., 2002; Lim and Kim, 2004). Security mechanisms for the protection of data transmission are essential in many of these applications, i.e., data of common interest should only be exchanged among an exclusive group of users (Bresson et al., 2003; Yeh and Sun, 2004; Zhang et al., 2004). From the viewpoint of the session key creation, key establishment protocols can be broadly subdivided into two categories: key transport protocols and key agreement protocols. In key transport protocols (e.g., ‘‘Star Based System’’ of Burmester and Desmedt (1994)), the session key is created by one party and securely transmitted to other parties. In key agreement protocols, more than one party contributes information to generate the common session key. In this paper we focus on contributory key agreement protocols in which the session key is derived as a function of contributions provided by all parties. In contributory key agreement protocols, a correctly behaving party is assured that as long as his contribution is chosen at random, even a coalition of all other parties will not be able to have any means of controlling the final value of the session key. Therefore, it is often recommended to use contributory key agreement to prevent some parties having any kind of advantage over the others (Mitchell et al., 1998; Ateniese et al., 2000; Horn et al., 2002). Moreover, most key transport protocols (Wong et al., 1998; Wallner et al., 1999; Perrig et al., 2001), while they focus on minimizing the cost of the rekeying operations associated with group updates, lack the important security property: perfect forward secrecy. Thus, once an underlying key is exposed, there is nothing to prevent an adversary with

the key from accessing privileged information communicated in earlier sessions. 1.1. Related work The original idea of extending the 2-party Diffie– Hellman scheme (Diffie and Hellman, 1976) to the multi-party setting dates back to the classical paper of (Ingemarsson et al., 1982), and is followed by many works (Steer et al., 1988; Burmester and Desmedt, 1994; Just and Vaudenay, 1996; Becker and Wille, 1998; Kim et al., 2000; Steiner et al., 2000; Tzeng and Tzeng, 2000; Kim et al., 2001) offering various levels of complexity. However, research on provably-secure group key agreement in concrete, realistic setting is fairly new. It is only recently that (Bresson et al., 2001a,b, 2002a) have presented the first group key agreement protocols proven secure in a well-defined security model which builds on earlier model of (Bellare et al., 2000). The initial work (Bresson et al., 2001b) assumes that group membership is static, whereas later works (Bresson et al., 2001a; Bresson et al., 2002a) focus on the dynamic case which we do not deal with here. But one drawback of their scheme is that its round complexity is linear in the number of group members. Consequently, as group size grows large, this scheme becomes impractical particularly in a wide area network with high communication latency. More recently, Katz and Yung (2003) have proposed the first constant-round group key agreement protocol that has been proven secure in the security model of Bresson et al. (2001b). They provide a formal proof of security for the two-round protocol of Burmester and Desmedt (1994), and introduce a one-round compiler that transforms any group key agreement protocol secure against a passive adversary into one that is secure against an active adversary. In this protocol all group members behave in a completely symmetric manner; i.e., in a group of size n, each member sends one broadcast message per round, and performs three modular exponentiations, Oðn log nÞ modular multiplications, O(n) signature verifications, and two signature generations. While this protocol is very efficient in general, the full symmetry negatively impacts on the overall performance of the protocol in a mobile environment similar to our setting; as the number of users grows, the computational cost of a mobile device increases quite rapidly since modular multiplications and signature verifications add up. Most recently, Bresson and Catalano (2004) have introduced another fully-symmetric protocol which requires two rounds of communication. Interestingly, unlike previous approaches, they construct the protocol by combining the properties of the ElGamal encryption scheme (ElGamal, 1985) with standard secret sharing techniques (Shamir, 1979). However, with increasing

J. Nam et al. / The Journal of Systems and Software 78 (2005) 73–83

number of users, the complexity of the protocol becomes beyond the capabilities of a small mobile device. The protocol presented by Boyd and Nieto (2003) completes only in a single round of communication and is provably secure in the random oracle model (Bellare and Rogaway, 1993). But unfortunately, this protocol does not achieve forward secrecy even if its round complexity is optimal; it still remains an open problem to find a one-round group key agreement protocol providing forward secrecy. Another constant-round protocol that does not achieve forward secrecy has been shown in Bresson et al. (2003). Although this protocol is designed to provide an efficient key exchange method between a powerful server and a cluster of low-power mobile devices, it has recently been found to be flawed (Nam et al., 2004). In common with our protocol, these protocols (Boyd and Nieto, 2003; Bresson et al., 2003) are computationally asymmetric; one distinct user performs O(n) computations whereas the other users perform only a constant amount of computation. 1.2. Our contribution Our group key agreement protocol is provably secure against a powerful active adversary who controls all communication flows in the network and even executes an unbounded number of concurrent instances of the protocol. We provide a rigorous proof of security under the well-known Decisional Diffie–Hellman (DDH) assumption in a formal security model which improves that of Bresson et al. (2001b). In addition, in contrast to other asymmetric protocols (Boyd and Nieto, 2003; Bresson et al., 2003), our group key agreement protocol also provides perfect forward secrecy; i.e., disclosure of long-term secret keys does not compromise the security of previously established session keys. Despite meeting all these strong notions of security, our construction is surprisingly simple and provides a practical solution for group key agreement in the asymmetric mobile environment. In a protocol execution involving mobile devices as participants, a bottleneck arises when the number of public-key cryptography operations that a mobile device has to perform increases substantially as group size grows. It is therefore of prime importance for a group key agreement protocol to offer a low, fixed amount of computations to its mobile participants. To this end our protocol shifts much of the computational burden to the application server with sufficient computational power. By allowing this computational asymmetry among protocol participants, our protocol reduces the computational cost of a mobile device to two modular exponentiations (plus one signature generation and verification) without respect to the number of participants. In addition our group key agreement protocol is very efficient in terms of the number of communication

75

rounds; it requires only three rounds of communication among participants. Keeping the number of communication rounds constant is critical for efficient and scalable group key agreement particularly over a wide area network, where the dominant source of delay is the communication time spent in the network rather than the computational time needed for cryptographic operations (Amir et al., 2002; Kim et al., 2001). As an additional contribution, we significantly improve on the compiler proposed by Katz and Yung (2003). We prove the security of the compiler against a stronger and more realistic adversary who has an additional ability to freely obtain any short-term secret information used by a protocol participant. Furthermore, we greatly simplifies the security proof of the Katz and Yung
s compiler, without sacrificing the generality and the efficiency of security reduction (see Section 5). The remainder of this paper is organized as follows. In Section 2, we begin with a description of our security model for group key agreement protocols. In Section 3, we first define the security of a group key agreement protocol and then describe the underlying assumptions on which the security of our protocol rests. Finally, we present a two-round group key agreement protocol secure against a passive adversary and a three-round group key agreement protocol secure against an active adversary in Sections 4 and 5, respectively.

2. The model In this section we refine the formal security model which has been widely used in the literature (Bresson et al., 2001a,b, 2002a,b; Katz and Yung, 2003; Boyd and Nieto, 2003) to analyze group key agreement protocols. In particular, we incorporate strong corruption (Bellare et al., 2000) into the security model in a different way than the previous approaches by allowing an adversary to ask one additional query, Dump, and we modify the definition of freshness according to the refined model. Section 5 shows that our approach leads to a much simpler way to prove the security of the compiler presented by Katz and Yung (2003). 2.1. Participants Let U ¼ fU 1 ; . . . ; U n g be a set of n users who wish to participate in a group key agreement protocol P, where users U1, . . . , Un1 are clients (mobile devices) and user Un is the application server (service provider). The number of users, n, is polynomially bounded in the security parameter k. Users may execute the protocol multiple times concurrently and thus each user can have many instances called oracles. We use Psi to denote instance s of user Ui. In initialization phase, each user U i 2 U obtains a long-term public/private key pair (PKi, SKi)

76

J. Nam et al. / The Journal of Systems and Software 78 (2005) 73–83

by running a key generation algorithm Gð1k Þ. The set of public keys of all users is assumed to be known a priori to all parties including the adversary A. 2.2. Partners Loosely stated, the partners of oracle Psi (denoted PIDsi ) is the set of all the instances that should compute the same session key as Psi in an execution of the protocol. Before defining PIDsi formally, we first define the session ID for oracle Psi which we denote by SIDsi . In a protocol execution, let M si;j denote the concatenation of all messages sent and received by oracle Psi to and from user Uj. Then we define SIDsi as SIDsi ¼ fM si;j j j 2 ½1; n n figg: Let ACCsi be a variable that is TRUE if Psi has computed a session key, and FALSE otherwise. Then, using the session ID defined above, PIDsi is defined as follows: PIDsi ¼ fPtj j ðSIDsi \ SIDuk 62 f;; feggÞ ^ ðSIDuk \ SIDtj 62 f;; feggÞ ^ ðACCsi ¼ ACCuk ¼ ACCtj ¼ TRUEÞ; for some Puk g; where e denotes the empty string. Note that in the above definition of PIDsi , it is possible that Psi ¼ Puk . Therefore, the conjunction simply says that oracle Ptj is a partner of oracle Psi if SIDsi \ SIDtj 62 f;; fegg and ACCsi ¼ ACCtj ¼ TRUE, or they share a same partner. All SIDs and PIDs are public and hence available to the adversary A. 2.3. Adversary Along with a set of protocol participants, the model also includes the adversary A who controls all communication flows in the network. The adversary interacts with users through the following various queries, each of which captures a capability of the adversary. • ExecuteðUÞ. This query returns a transcript of an honest protocol execution among instances of the users in U. • SendðPsi ; mÞ. This query sends message m to oracle Psi . When oracle Psi receives the message m, it proceeds as specified in the protocol; the oracle updates its state, and generates and sends out a response message as needed. The response message, if any, is returned to the adversary A. A query of the form Send(Psi , ‘‘start’’) allows adversary A to initiate an execution of the protocol. • RevealðPsi Þ. This query returns the session key K computed by oracle Psi if ACCsi is TRUE, modelling the adversary
s capability to obtain some session keys.

• Corrupt(Ui). The long-term private key SKi of user Ui is returned in response to this query which is considered to deal with forward secrecy. • DumpðPsi Þ. This query returns all short-term secret values used by oracle Psi , modelling the adversary
s capability to embed a Trojan horse or other form of malicious code into a system and then log all the session-specific information of the victim. But, neither the session key K computed by Psi nor the long-term private key SKi are returned. • TestðPsi Þ. This query is asked only once when the adversary A wants to attempt to distinguish the real session key K from a random fake key, modelling the semantic security of the session key K. To answer the query, one flips a secret coin b, and returns the real session key K if b = 1, or else a random string chosen from {0, 1}‘ if b = 0, where ‘ is the length of the session key to be distributed in the protocol. This query can be made only if oracle Psi is fresh, the definition of which will be given below. While the Dump query is similar to the Session-state reveal query used in Canetti and Krawczyk (2001), there is a technical difference between two queries. The Session-state reveal query can be asked only to obtain the internal state of an incomplete session, whereas the Dump query allows the adversary to obtain the recording of local history of an either incomplete or complete session. Definition 1. If ACCsi ¼ TRUE, let Psi be the set of all oracles that have contributed key material to the session key computed by Psi . Then, oracle Psi is said to be fresh if all of the following conditions hold: (1) ACCsi ¼ TRUE. (2) No one in PIDsi has been asked a Reveal query (note that Psi 2 PIDsi unless PIDsi 6¼ ;). (3) No one in U has been asked a Corrupt query before the adversary
s Send queries, or all corruptions, if any, have occurred after the number of partners of Psi ; j PIDsi j, has become equal to n. (4) No one in Psi has been asked a Dump query. Definition 2. An adversary is called active if it makes all the queries above, and is called passive if it makes only five of them: Execute, Reveal, Corrupt, Dump, and Test.

3. Security definitions In this section we first define the security of a group key agreement protocol and then describe the cryptographic assumptions on which the security of our protocol is based.

J. Nam et al. / The Journal of Systems and Software 78 (2005) 73–83

3.1. Group key agreement The security of a group key agreement protocol P is defined in terms of the probability of the adversary A succeeding at distinguishing a real session key established in an execution of P from a random fake key. More precisely, the security is defined in the following context. The adversary A executes the protocol exploiting as much parallelism as possible and any queries allowed in the security model. During executions of the protocol, the adversary A, at any time, asks a Test query to a fresh oracle, gets back an ‘-bit string as the response to this query, and at some later point, outputs a bit b 0 as a guess for the hidden bit b. Let CG (Correct Guess) be the event that b 0 = b. Then we define the advantage of A in attacking protocol P to be AdvA;P ðkÞ ¼ 2  Pr½CG  1: We say that protocol P is secure against an adversary A if AdvA;P ðkÞ is negligible. Furthermore, we say that protocol P is a secure group key agreement protocol if it is secure against all probabilistic polynomial time adversaries A.

77

to distinguish between the distributions of (gx, gy, gxy) and (gx, gy, gz). More formally, if we define Advddh G ðAÞ as x y xy Advddh G ðAÞ ¼j Pr½Aðg; g ; g ; g Þ ¼ 1

 Pr½Aðg; gx ; gy ; gz Þ ¼ 1 j; we say that the DDH assumption holds in G if Advddh G ðAÞ is negligible for any probabilistic polynomial time adversary A. We denote by Advddh G ðtÞ the maximum value of Advddh ðAÞ over all adversaries A running in G time at most t.

4. A two-round group key agreement protocol In this section, we introduce an efficient two-round protocol P1 for group key agreement which is provably secure against a passive adversary under the DDH assumption. Combining this protocol with the compiler presented in the next section results in a three-round protocol for group key agreement which is provably secure against an active adversary. 4.1. Description of P1

3.2. Signature scheme A digital signature scheme C ¼ ðG; S; VÞ is defined by the following triple of algorithms: • A probabilistic key generation algorithm G, on input 1k, outputs a pair of matching public and private keys (PK, SK). • A signing algorithm S is a (possibly probabilistic) polynomial time algorithm that, given as input a message m and a key pair (PK, SK), outputs a signature r of m. • A verification algorithm V is a (usually deterministic) polynomial time algorithm that on input (m, r, PK), outputs 1 if r is a valid signature of the message m with respect to PK, and 0 otherwise.

We assume that the public parameters G and g, as defined in Section 3.3, are known in advance to all parties. As depicted in Fig. 1, the protocol P1 runs in two rounds, one with n  1 unicasts and the other with a single broadcast, as follows: Round 1. Each client (mobile device) Ui 5 Un chooses a random ri 2 Zq , computes zi ¼ gri , and sends mi = (Ui, zi) to the application server (service provider) Un, who chooses random r, rn 2 Zq and computes z = gr and xn ¼ grrn . Round 2. Having computed Y X ¼ xi i2½1;n

We denote by SuccA;C ðkÞ the probability of an adversary A succeeding with an existential forgery under adaptive chosen message attack (Goldwasser et al., 1988). We say that a signature scheme C is secure if SuccA;C ðkÞ is negligible for any probabilistic polynomial time adversary A. We denote by SuccC(t) the maximum value of SuccA;C ðkÞ over all adversaries A running in time at most t. 3.3. DDH assumption Let G ¼ hgi be any finite cyclic group of prime order q and let x, y, z be randomly chosen elements in Zq . Informally, the DDH assumption is that it is difficult

Fig. 1. Protocol execution.

78

J. Nam et al. / The Journal of Systems and Software 78 (2005) 73–83

and the set Y ¼ fy i j 1 6 i 6 n  1g; where xi ¼ zri and y i ¼ X  x1 i , the server Un broadcasts mn = (Un, z, Y) to the entire group. Key computation. Upon receiving the broadcast, each client Ui 5 Un computes X ¼ y i  zri . All users in U compute their session key as K = H(Y, X), where H is a oneway hash function modelled as a random oracle in the security proof. 1 Suppose, for example, that U ¼ fU 1 ; U 2 ; U 3 ; U 4 g. Then the application server U4 receives fgr1 ; gr2 ; gr3 g from clients, and broadcasts gr and Y ¼ fgrðr2 þr3 þr4 Þ ; grðr1 þr3 þr4 Þ ; grðr1 þr2 þr4 Þ g. All users in U compute the same key: K = H(Y, X), where X ¼ grðr1 þr2 þr3 þr4 Þ . Note that in the protocol above, the application server does not need to wait for the last message from clients before it can start to perform the computation; i.e., upon receiving each message mi, the server can compute xi and x1 i . Furthermore, if precomputations are possible, all the exponentiations in the first round can be performed off-line and thus, only one exponentiation per client is required to be done on-line. 4.2. Security result Theorem 1. Let A be a passive adversary attacking protocol P1, running in time t and making qex Execute queries. Then we have 0 AdvA;P 1 ðkÞ 6 2qex  Advddh G ðt Þ;

where t 0 = t + O(nqex texp), with texp being the time required to compute an exponentiation in G. Proof. Assume that A can guess the hidden bit b correctly with probability 1/2 + . Then we construct from A a distinguisher D that solves the DDH problem in G with probability /qex. Before describing the construction of D, let us first define the following two distributions: 9 8 r1 ; . . . ; rn ; r2R Zq ; > > > > > > > r1 rn r > > > z ¼ g ; . . . ; z ¼ g ; z ¼ g ; > > 1 n = < rr1 rrn ; Real ¼ ðT ; KÞ j x1 ¼ g ; . . . ; xn ¼ g ; > > > > > > X ¼ x1    xn ; > > > > > > : 1 ; y 1 ¼ X  x1 ; . . . ; y ¼ X  x n1 1 n1

Rand ¼

> > > > > > > :

where T = (z, z1, . . . ,zn1, y1, . . . ,yn1) and K = H(y1, . . . , yn1, X). h Lemma 1. Let A0 be an algorithm that, given (T, K) coming from one of the two distributions Real and Rand, runs in time t and outputs 0 or 1. Then we have j Pr½A0 ðT ; KÞ ¼ 1 j ðT ; KÞ Real

0  Pr½A ðT ; KÞ ¼ 1 j ðT ; KÞ 6

Advddh G ðt

Rand j

þ ð4n  6Þtexp Þ:

Proof. We prove the lemma by using the random selfreducibility of the DDH problem. Consider the following distribution, which is constructed from the triple 0 ðgr ; gr2 ; gr r2 Þ 2 G3 : 9 r1 ;a3 ;b3 ;...;an ;bn 2R Zq ; > > > > > z1 ¼ g r 1 ; z2 ¼ g r 2 ; > > r1 a3 þr2 b3 r1 an þr2 bn r > > ;...;zn ¼ g ; z ¼ g ;> z3 ¼ g = rr1 r0 r2 ; Dist ¼ ðT ;KÞ j x1 ¼ g ; x2 ¼ g ; > > > > rr1 a3 þr0 r2 b3 rr1 an þr0 r2 bn > > ¼ g ;...;x ¼ g ; x > > 3 n > > > > > > > > X ¼ x 1 xn ; > > > > ; : 1 1 y 1 ¼ X x1 ;...;y n1 ¼ X xn1 8 > > > > > > > > > > <

0

where T and K are as defined above. If ðgr ; gr2 ; gr r2 Þ is a Diffie–Hellman triple (i.e., r = r 0 ), we have Dist  Real 0 since xi ¼ zri for all i 2 [1,n]. If instead ðgr ; gr2 ; gr r2 Þ is a random triple, it is clear that Dist  Rand. h Lemma 2. For any (computationally unbounded) adversary A, we have Pr½AðT ; K b Þ ¼ b j ðT ; K 1 Þ

Rand; ‘

f0; 1g ;

K0

b

f0; 1g ¼ 1=2:

Proof. In experiment Rand, the transcript T constrains the values si by the following n  1 equations: logg y 1 ¼ s1 þ

1 But, the random oracle H is not necessary for the security proof of our protocol. The use of the random oracle in computing the session key K is just one way to generate a random string deterministically, and is considered for meeting efficiency needs on the mobile device side. Indeed, our protocol can also be proven secure in the standard model if the random oracle H is replaced by a pseudo-random function (Goldreich et al., 1986). Lemma 2 of Section 4.2 would then hold only for computationally bounded adversaries.

9 r1 ; . . . ; rn ; r; s1 ; . . . ; sn 2R Zq ; > > > z1 ¼ g r 1 ; . . . ; zn ¼ g r n ; z ¼ g r ; > > > > = s1 sn x1 ¼ g ; . . . ; xn ¼ g ; ; > X ¼ x1    xn ; > > 1 > > y 1 ¼ X  x1 1 ; . . . ; y n1 ¼ X  xn1 > > ;

8 > > > > > > > < ðT ; KÞ j

logg y 2 ¼ s2 þ

n X i¼1 n X

si ; si ;

i¼1

.. . logg y n1 ¼ sn1 þ

n X i¼1

si :

J. Nam et al. / The Journal of Systems and Software 78 (2005) 73–83

Since T does not constrain the Pn values si any further and since the equation logg X ¼ i¼1 si is not expressible as a linear combination of the n  1 equations above, we have that the value of X is independent of T. This implies that Pr½AðT ; X b Þ ¼ b j ðT ; X 1 Þ X0

G;

Rand; b

f0; 1g ¼ 1=2:

Then, since H is a random oracle (but see footnote 1), the statement of Lemma 2 immediately follows. h Armed with the two lemmas above, we now give the details of the construction of the distinguisher D. Assume without loss of generality that A makes its Test query to an oracle activated by the dth Execute query. The distinguisher D begins by choosing a random d 2 {1, . . . ,qex} as a guess for the value of d. D then invokes A and simulates the queries of A. D answers all the queries from A in the obvious way, following the protocol exactly as specified, except if a query is the dth Execute query. In this latter case, D slightly deviates from the protocol, by embedding the DDH problem instance given as input into the transcript as follows. 0 Given a triple ðgr ; gr2 ; gr r2 Þ 2 G3 , D generates (T, K) according to the the distribution Dist and answers the dth Execute query of A with T. The distinguisher D aborts and outputs a random bit if d 5 d. Otherwise, D answers the Test query of A with K. At some later point, when A terminates and outputs its guess b 0 , D 0 outputs 1 if b = b 0 , and 0 otherwise. If ðgr ; gr2 ; gr r2 Þ is a Diffie–Hellman triple, then, by Lemma 1, Dist  Real and thus, by assumption, Pr[b = b 0 ] = 1/2 + . If instead 0 ðgr ; gr2 ; gr r2 Þ is a random triple, Dist  Rand and thus, by Lemma 2, Pr[b = b 0 ] = 1/2. Finally, since Pr[d = d] = 1/qex, we obtain

79

5.1. Review of Katz and Yung’s compiler Without loss of generality, we assume that the dth message sent by an instance Psi during execution of protocol P1 has the form Uikdk*. The idea of the compiler is to choose a nonce for each instance in the first round in order to uniquely identify instances of each user, and to use these nonces in signing and verifying the messages in subsequent rounds. In this way, the adversary would never be able to relay messages between instances holding different sets of nonces, as long as neither nonce repetition nor signature forgery occur. More precisely, the compiler constructs protocol P2 from protocol P1 as follows: (1) During the initialization phase, each user U i 2 U performs the initialization process needed for the protocol P1, including any long-term key generation, and generates the signing public/private keys (PKi, SKi) by running the key generation algorithm Gð1k Þ. (2) Each user Ui chooses an instance identifier (IID) /i 2 R{0, 1}k and broadcasts Uik0k/i. Having received all the n  1 IIDs from other users, each instance Psi sets Usi ¼ ffU i ; /i g j 1 6 i 6 ng. (3) The users in U now proceed as specified in the protocol P1, but signing outgoing messages and verifying the correctness of received messages as follows: • Whenever instance Psi is supposed to send mi = Uikdk* as part of protocol P1, the instance generates the signature ri of dk  kUsi and sends m0i ¼ U i kdk  kri instead of mi. • Upon receiving message m0j ¼ U j kdk  krj from Uj, instance Psi verifies that: (1) U j 2 U, (2) d is the next sequence number for messages from Uj, and (3) VPK j ðdk  kUsi ; rj Þ ¼ 1. (4) The users in U compute their session key as in protocol P1.

Advddh G ðDÞ ¼ =qex ; which immediately yields the statement of Theorem 1.

5. A three-round group key agreement protocol In this section we transform a protocol P1 secure against a passive adversary into a protocol P2 secure against an active adversary by applying the compiler presented by Katz and Yung (2003). We first review the Katz–Yung
s one-round compiler and then reduce the security of protocol P2 to the security of protocol P1. Due to the refined model given in Section 2, our security proof is much simpler than the corresponding proof provided in Katz and Yung (2003) even in the presence of a stronger adversary (see the beginning of Section 5.2).

In Table 1, we compare the performance of our three-round protocol with that of the protocol presented by Katz and Yung (2003) (as already mentioned, the protocol of Katz and Yung, in its basic form, is essentially the protocol of Burmester and Desmedt (1994)). As for computational costs, the table lists the amount of computation performed per user. To the best of our knowledge, the protocol of Katz and Yung is the most efficient one among forwardsecure group key agreement protocols published up to date. However, as group size increases, the efficiency of their protocol deteriorates quite rapidly since both signature verifications, modular multiplications and broadcasts add up. As easily can be seen from the table, our protocol is well suited for client–server applications where clients have restricted computational capabilities.

80

J. Nam et al. / The Journal of Systems and Software 78 (2005) 73–83

Table 1 Complexity comparison with the protocol of Katz and Yung (2003) Rounds Katz–Yung

3

Our protocol

3

Unicasts

n1

Broadcasts

Exp.

Sig.

Ver.

3n

3 þOðn log nÞa 2 (O(n) for Un)

2

O(n)

1

1 (O(n) for Un)

n+1

Notes. Exp: exponentiation, Sig: signature generation, Ver: signature verification. a Oðn log nÞ: the number of modular multiplications.

5.2. Security result The task of proving the compiler secure can be significantly simplified in our adjusted model. This is mainly due to the Dump query which allows the adversary to obtain any short-term secret information used by an instance. In the security model used by Katz and Yung (2003), the difficulty of providing a security proof lies in the fact that the adversary can ask a Corrupt query to obtain a private signing key, and then send arbitrary—but still valid—messages of its choice to an instance. The problem in this case is that the actions of the instance cannot or not easily be simulated without appropriate internal data used by that instance at earlier stage. In our security model, the Dump query comes to play a key role in solving this potential problem with the simulation and thus in simplifying the security proof provided in Katz and Yung (2003). Theorem 2. Let A2 be an active adversary attacking protocol P2, running in time t and making qex Execute queries and qse Send queries. Let AdvP 1 ðt0 ; qex þ qnse Þ be the maximum advantage in attacking protocol P1, where the maximum is over all passive adversaries that run in time t 0 and make qex þ qnse Execute queries. Then we have  q AdvA2 ;P 2 ðkÞ 6 AdvP 1 t0 ; qex þ se þ n  SuccC ðt0 Þ n 2 q þq q þ se k ex se ; 2 where t0 ¼ t þ Oðnqex þ qse ÞtP 1 , with tP 1 being the time required for execution of P1 by any party. Proof. The proof of the theorem proceeds by constructing from A2 a passive adversary A1 attacking protocol P1. Before describing the details of the construction, we first bound the probability of the event, Forge, that A2 outputs a valid forgery with respect to the public key PKi of some user U i 2 U before making the query Corrupt(Ui). h Lemma 3. Pr[Forge] 6 n Æ SuccC(t 0 ), where t 0 is as in Theorem 2. Proof. We build from A2 a signature forger F against the signature scheme C. The goal of the forger F, given as input a public key PK and access to a signing oracle associated with this key, is to output a valid forgery

(m,r) with respect to PK, i.e., VPK ðm; rÞ ¼ 1 such that r was not previously output by the signing oracle as a signature on the message m. The forger F begins by choosing at random a user U f 2 U, and setting PKf to PK. For all other users, F honestly generates a public/private key pair by running the key generation algorithm Gð1k Þ. Also, F performs the initialization process needed for protocol P1. F then runs adversary A2 as a subroutine, simulating the queries from A2 as follows: • ExecuteðUÞ=RevealðPsi Þ=DumpðPsi Þ=TestðPsi Þ. These queries are answered in the obvious way. • SendðPsi ; mÞ. If i 5 f, F knows all the private keys of Ui, and hence can answer the queries following the protocol exactly as specified. If instead i = f, then F does not have the private signing key of Ui. Nevertheless, F can obtain signatures of any messages it wants by accessing the signing oracle associated with PK. • Corrupt(Ui). If i 5 f, F simply hands the long-term private keys of Ui which was generated by F itself. If instead A2 corrupts Ui = Uf, then F halts and outputs ‘‘fail’’. The simulation provided above is perfectly indistinguishable from the real execution unless adversary A2 makes the query Corrupt(Uf). Throughout this simulation, F monitors each Send query from A2 , and checks if it includes a valid message/signature pair (m, r) with respect to PK. If no such query is made until A2 stops, then F halts and outputs ‘‘fail’’. Otherwise, F outputs (m,r) as a valid forgery with respect to PK. Lemma 3 directly follows from the fact that this latter case occurs with probability Pr[Forge]/n. h We now describe the construction of the passive adversary A1 in detail. After generating a public/private key pair (PKi, SKi) for each U i 2 U, the adversary A1 invokes A2 and simulates the queries of A2 as follows. ExecuteðUÞ: A1 issues its own Execute query to get a transcript T1 of an execution of P1. A1 then generates a transcript T2 of an execution of P2, by choosing random /1, . . . ,/n 2 {0, 1}k, signing the messages in T1 as specified in P2, and prepending {Uik0k/i}16i6n to this signed transcript. Finally, A1 returns T2 as the answer to the Execute query of A2 , sets U = {{Ui,/i}j1 6 i 6 n}, and

J. Nam et al. / The Journal of Systems and Software 78 (2005) 73–83

adds (U, T1) into a list L which is maintained by A1 to link a simulated execution of P2 to an execution of P1. SendðPsi ; mÞ: If m = ‘‘start’’, A1 chooses a random /i 2 {0, 1}k and returns Uik0k/i to A2 . After receiving all the expected IIDs in the first round, A1 defines Usi as per protocol specification. If A1 needs to return some message m0i in response to this Send query, we have the following two cases: • If no one in U has been asked a Corrupt query before this Send query, A1 checks the list L to see if there exists an entry of the form ðUsi ; T 1 Þ. If so, then A1 generates the message m0i from the message mi in T1 and returns it to adversary A2 . Otherwise, A1 first obtains a transcript T1 of an execution of P1 by making an Execute query and then proceeds as in the former case. A1 adds the pair ðUsi ; T 1 Þ to the list L for future use. • Now, suppose that some user in U has been asked a Corrupt query before this Send query. Note that in this case, the adversary A2 may have signed and sent arbitrary messages of its choice to Psi . Therefore, the adversary A1 has to simulate the action of Psi without help of any fixed transcript of an execution of P1. But, A1 can overcome this difficulty by asking its own Dump and Corrupt queries. First, A1 finds a pair ðUsi ; T 1 Þ in the list L and makes a Dump query to the Ui
s instance activated by the Execute query that resulted in the transcript T1. Next, A1 asks the query Corrupt(Ui) to obtain long-term private keys of user Ui if any are defined as part of protocol P1. Now, with all the short-term and long-term secret values obtained via the Dump and Corrupt queries, A1 should be able to simulate the action of Psi and thus form the response message m0i on its own. DumpðPsi Þ: Let T1 be the transcript such that s ðUi ; T 1 Þ 2 L. Then, A1 makes a Dump query to the Ui
s instance activated by the Execute query that resulted in the transcript T1, and simply forwards the output of this Dump query. Corrupt(Ui): This query is answered in the obvious way.

81

(2) Suppose the opposite. Let T1 be the transcript such that ðUsi ; T 1 Þ 2 L. Then, A1 asks a Reveal query to the Ui
s instance activated by the Execute query that resulted in the transcript T1, and forwards the result of this Reveal query to adversary A2 . TestðPsi Þ: A1 finds a pair ðUsi ; T 1 Þ 2 L, asks a Test query to one of the instances activated by the Execute query that resulted in T1, and returns the ‘-bit string received as a response to its Test query. Before quantifying the advantage of A1 in attacking the protocol P1, we first need to define the event Same. Let Same be the event that a same IID is used by a user to identify two different instances, one activated by a Send query and the other activated by either an Execute or a Send query. Then, a straightforward calculation shows that Pr½Same 6

q2se þ qse qex : 2k

ð1Þ

During the simulation above, A1 simply aborts and outputs a random bit if Same or Forge occurs. Otherwise, A1 outputs whatever A2 does. Note that as long as neither Same nor Forge occur, the simulation provided by A1 is perfectly indistinguishable from a real execution of P2, and in a particular session, A2 is limited to send messages generated by A1 from one same transcript of an execution of P1. This implies that PrA1 ;P 1 ½CG ¼ PrA2 ;P 2 ½CG ^ Forge ^ Same

1 þ Pr½Forge _ Same : 2 A straightforward probability calculation shows that AdvA2 ;P 2 ðkÞ ¼ 2  PrA2 ;P 2 ½CG  1 ¼ 2  PrA2 ;P 2 ½CG ^ Forge

þ 2  PrA2 ;P 2 ½CG ^ Forge  1 6 2  Pr½Forge þ 2  PrA2 ;P 2 ½CG ^ Forge  1 ¼ 2  Pr½Forge

þ 2  PrA2 ;P 2 ½CG ^ Forge ^ Same

þ 2  PrA2 ;P 2 ½CG ^ Forge ^ Same  1:

RevealðPsi Þ: As can be seen from the way A1 handles Execute and Send queries of A2 , the session key of Psi is unavailable to A1 unless some Dump queries or Corrupt queries have been asked by A2 . However, this Reveal query can be answered as follows:

Applying Eq. 2 to this gives

(1) Suppose that either the query DumpðPsi Þ has been asked or some user in U has been asked a Corrupt query before Psi receives its last incoming message. Then the adversary A1 already has all the information needed to compute the appropriate session key and can therefore return it to A2 .

Since Pr½Forge _ Same P Pr½Forge þ Pr½CG ^ Forge ^ Same , it follows that:

AdvA2 ;P 2 ðkÞ 6 2  Pr½Forge

þ 2  PrA2 ;P 2 ½CG ^ Forge ^ Same

 Pr½Forge _ Same þ 2  PrA1 ;P 1 ½CG  1:

AdvA2 ;P 2 ðkÞ 6 AdvA1 ;P 1 ðkÞ þ Pr½Forge

þ PrA2 ;P 2 ½CG ^ Forge ^ Same

6 AdvP 1 ðt0 Þ þ Pr½Forge þ Pr½Same :

82

J. Nam et al. / The Journal of Systems and Software 78 (2005) 73–83

Combined with Lemma 3 and Eq. 1, this immediately yields the desired statement of Theorem 2.

6. Conclusion In this paper we have proposed an efficient group key agreement protocol well suited for wireless networks consisting of a cluster of mobile devices with limited computational resources and a stationary server with sufficient computational power. The protocol achieves perfect forward secrecy and has been proven secure against an active adversary under the decisional Diffie– Hellman assumption. We have also modified the standard security model to consider a stronger and more realistic adversary, and in this adjusted model, have greatly simplified the security proof of the compiler provided by Katz and Yung (2003).

Acknowledgment The authors thank the anonymous referees for many insights and precious criticism.

References Amir, Y., Kim, Y., Nita-Rotaru, C., Tsudik, G., 2002. On the performance of group key agreement protocols. In: Proceedings of 22nd IEEE Conference on Distributed Computing Systems, pp. 463–464. Full version available from: . Ateniese, G., Steiner, M., Tsudik, G., 2000. New multiparty authentication services and key agreement protocols. IEEE Journal on Selected Areas in Communications 18 (4), 628–639. Becker, K., Wille, U., 1998. Communication complexity of group key distribution. In: Proceedings of 5th ACM Conference on Computer and Communications Security (CCS
98), pp. 1–6. Bellare, M., Pointcheval, D., Rogaway, P., 2000. Authenticated key exchange secure against dictionary attacks. In: Eurocrypt
00, Lecture Notes in Computer Science 1807, pp. 139–155. Bellare, M., Rogaway, P., 1993. Random oracles are practical: a paradigm for designing efficient protocols. In: Proceedings of 1st ACM Conference on Computer and Communications Security (CCS
93), pp. 62–73. Bhargava, B., Annamalai, M., Pitoura, E., 1995. Digital library services in mobile computing. ACM SIGMOD Record 24 (4), 34– 39. Borisov, N., Goldberg, I., Wagner, D., 2001. Intercepting mobile communications: The insecurity of 802.11. In: Proceedings of 7th ACM Conference on Mobile Computing and Networking (MobiCom
01), pp. 180–189. Boyd, C., Nieto, J.M.G., 2003. Round-optimal contributory conference key agreement. In: Proceedings of 6th International Workshop on Practice and Theory in Public Key Cryptography (PKC
03), Lecture Notes in Computer Science, 2567, pp. 161– 174. Bresson, E., Catalano, D., 2004. Constant round authenticated group key agreement via distributed computation. In: Proceedings of 7th

International Workshop on Practice and Theory in Public Key Cryptography (PKC
04), Lecture Notes in Computer Science 2947, pp. 115–129. Bresson, E., Chevassut, O., Essiari, A., Pointcheval, D., 2003. Mutual authentication and group key agreement for low-power mobile devices. In: Proceedings of the 5th IFIP-TC6 International Conference on Mobile and Wireless Communications Networks (MWCN
03), pp. 59–62. Bresson, E., Chevassut, O., Pointcheval, D., 2001a. Provably authenticated group Diffie–Hellman key exchange—the dynamic case. In: Asiacrypt
01, Lecture Notes in Computer Science, 2248, pp. 290– 309. Bresson, E., Chevassut, O., Pointcheval, D., 2002a. Dynamic group Diffie–Hellman key exchange under standard assumptions. In: Eurocrypt
02, Lecture Notes in Computer Science, 2332, pp. 321– 336. Bresson, E., Chevassut, O., Pointcheval, D., 2002b. Group Diffie– Hellman key exchange secure against dictionary attacks. In: Asiacrypt
02, Lecture Notes in Computer Science, 2501, pp. 497– 514. Bresson, E., Chevassut, O., Pointcheval, D., Quisquater, J.-J., 2001b. Provably authenticated group Diffie–Hellman key exchange. In: Proceedings of 8th ACM Conference on Computer and Communications Security (CCS
01), pp. 255–264. Burmester, M., Desmedt, Y., 1994. A secure and efficient conference key distribution system. In: Eurocrypt
94, Lecture Notes in Computer Science, 950, pp. 275–286. Canetti, R., Krawczyk, H., 2001. Analysis of key-exchange protocols and their use for building secure channels. In: Eurocrypt
01, Lecture Notes in Computer Science, 2045, pp. 453–474. Diffie, W., Hellman, M.E., 1976. New directions in crypto graphy. IEEE Transactions on Information Theory 22 (6), 644– 654. Diffie, W., Oorschot, P., Wiener, M., 1992. Authentication and authenticated key exchanges. Designs, Codes, and Cryptography 2 (2), 107–125. ElGamal, T., 1985. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory 31 (4), 469–472. Goldreich, O., Goldwasser, S., Micali, S., 1986. How to construct random functions. Journal of the Association for Computing Machinery (JACM) 33 (4), 792–807. Goldwasser, S., Micali, S., Rivest, R., 1988. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal of Computing 17 (2), 281–308. Horn, G., Martin, K.M., Mitchell, C.J., 2002. Authentication protocols for mobile network environment value-added services. IEEE Transactions on Vehicular Technology 51 (2), 383–392. Huang, Y., Garcia-Molina, H., 2001. Publish/subscribe in a mobile environment. In: Proceedings of 2nd ACM International Workshop on Data Engineering for Wireless and Mobile Access (MobiDE
01), pp. 27–34. Ingemarsson, I., Tang, D., Wong, C., 1982. A conference key distribution system. IEEE Transactions on Information Theory 28 (5), 714–720. Just, M., Vaudenay, S., 1996. Authenticated multi-party key agreement. In: Asiacrypt
96, Lecture Notes in Computer Science, 1163, pp. 36–49. Katz, J., Yung, M., 2003. Scalable protocols for authenticated group key exchange. In: Crypto
03, Lecture Notes in Computer Science, 2729, pp. 110–125. Kim, Y., Perrig, A., Tsudik, G., 2000. Simple and fault-tolerant key agreement for dynamic collaborative groups. In: Proceedings of 7th ACM Conference on Computer and Communications Security (CCS
00), pp. 235–244.

J. Nam et al. / The Journal of Systems and Software 78 (2005) 73–83 Kim, Y., Perrig, A., Tsudik, G., 2001. Communication-efficient group key agreement. In: Proceedings of International Federation for Information Processing (IFIP SEC
01), pp. 229–244. Lim, S.-H., Kim, J.-H., 2004. Real-time broadcast algorithm for mobile computing. The Journal of Systems and Software 69 (2), 173–181. Mitchell, C.J., Ward, M., Wilson, P., 1998. Key control in key agreement protocols. Electronics Letters 34, 980–981. Nam, J., Kim, S., Won, D., Attacks on Bresson–Chevassut– Essiari–Pointcheval
s group key agreement scheme for low-power mobile devices. In: Cryptology ePrint Archive, Report 2004/251. Perrig, A., Song, D., Tygar, J.D., 2001. ELK, a new protocol for efficient large-group key distribution. In: Proceedings of the IEEE Symposium on Security and Privacy pp. 247–262. Phan, T., Huang, L., Dulan, C., 2002. Challenge: Integrating mobile wireless devices into the computational grid. In: Proceedings of 8th ACM Conference on Mobile Computing and Networking (MOBICOM
02), pp. 23–28. Shamir, A., 1979. How to share a secret. Communications of the ACM 22 (11), 612–613. Steer, D.G., Strawczynski, L., Diffie, W., Wiener, M., 1988. A secure audio teleconference system. In: Crypto
88, Lecture Notes in Computer Science, 403, pp. 520–528. Steiner, M., Tsudik, G., Waidner, M., 2000. Key agreement in dynamic peer groups. IEEE Transactions on Parallel and Distributed Systems 11 (8), 769–780. Tzeng, W.-G., Tzeng, Z.-J., 2000. Round-efficient conference key agreement protocols with provable security. In: Asiacrypt
00, Lecture Notes in Computer Science 1976, pp. 614–627. Wallner, D., Harder, E., Agee, R., 1999. Key management for multicast: Issues and architectures. Request for Comments (Informational) 2627, Internet Engineering Task Force. Wong, C., Gouda, M., Lam, S., 1998. Secure group communications using key graphs. In: Proceedings of the ACM SIGCOMM
98 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communication, pp. 68–79.

83

Yeh, H.-T., Sun, H.-M., 2004. Password-based user authentication and key distribution protocols for client–server applications. The Journal of Systems and Software 72 (1), 97–103. Zhang, J., Varadharajan, V., Mu, Y., 2004. Securing XML document sources and their distribution. In: Proceedings of 18th IEEE Conference on Advanced Information Networking and Applications (AINA
04), pp. 562–567. Junghyun Nam received the B.E. degree in Information Engineering from Sungkyunkwan University, Korea, in 1997 and the M.S. degree in Computer Science from University of Louisiana, Lafayette, in 2002. He is currently a Ph.D. candidate of Computer Engineering in Sungkyunkwan University. His current research interest is in the area of cryptography, particularly regarding the design of secure multi-party protocols. Jinwoo Lee received the B.E. degree in Information & Communication Engineering from Sungkyunkwan University, Korea, in 2003. He has recently completed his Master
s course work in Computer Engineering at Sungkyunkwan University. At present his research interest focuses on secure multicasting and broadcasting technology. Seungjoo Kim is a professor of School of Information and Communication Engineering of Sungkyunkwan University in Korea. His main research areas are cryptology and information security. He received his B.E., M.E., and Ph.D. degrees in Information Engineering from Sungkyunkwan University in 1994, 1996, and 1999 respectively. He joined KISA (Korea Information Security Agency) in December 1998 and remained until February 2004. In addition, since 2002, he has worked as an IT standard expert on behalf of Korea. Dongho Won received his B.E., M.E., and Ph.D. degrees from Sungkyunkwan University in 1976, 1978, and 1988, respectively. After working at ETRI (Electronics & Telecommunications Research Institute) from 1978 to 1980, he joined Sungkyunkwan University in 1982, where he is currently Professor of School of Information and Communication Engineering. His interests are on cryptology and information security. Especially, in the year 2002, he was occupied the president of KIISC (Korea Institute of Information Security & Cryptology).