Research notes

On the security of Wu and Yeh's conference key distribution system

Tzonelih Hwang, Narn-Yih Lee, Chih-Hung Wang and Ming-Yung Ko

Institute of Information Engineering, National Cheng-Kung University, Tainan, Taiwan, ROC

In 1993, Wu and Yeh proposed a conference key distribution system based on the cross-product operation on row vectors over the Galois field GF(P). In this research note, we show that an opponent who knows the ID of a member in the conference can compute the conference key without knowing any secret of the system. Furthermore, we suggest a modified scheme that avoids this attack.

Keywords: conference key distribution system, cross-product, ID-based, Lagrange interpolating polynomial, public key

In modern computer networks, solutions to distributing common keys between pairs of individuals for the purpose of secure communication are currently inadequate. With the holding of large conferences over networks, the secure distribution of a conference key among a group of intended principals has become more and more important. Any principal inside the conference needs to obtain the correct conference key so that he can communicate securely with the other legal principals. On the other hand, principals not in the conference must not be able to compute the conference key. In 1982, Ingemarson et al.¹ proposed a conference key distribution system (CKDS) based on the Diffie-Hellman scheme. In 1988, Lu et al.² proposed a CKDS based on the Lagrange interpolating polynomial. Recently, Koyama and Ohta³ and Okamoto and Tanaka⁴ constructed a CKDS using the concept of an identity-based public key system. However, their systems involve large computations to reconstruct the conference key from each principal's secret key. In 1993, Wu and Yeh⁵ proposed a new scheme using the cross-product. They claimed that their scheme requires less storage space and is more secure and efficient in computing conference keys than previous work. In this paper, we show that Wu and Yeh's scheme is not secure enough, and also propose a way to construct a more secure CKDS.

Paper received: 23 September 1993; revised paper received: 17 June 1994
WU AND YEH'S CKDS

In this section, we review Wu and Yeh's scheme. First, we review the mathematical background of the cross-product.

Definitions and propositions

Definition 1 The cross-product of m − 1 linearly independent m-dimensional row vectors V1, V2, ..., V_{m−1} over GF(P) is defined as follows:

$$
V_1 \times V_2 \times \cdots \times V_{m-1} \pmod P =
\left(
\begin{vmatrix}
v_{1,2} & v_{1,3} & \cdots & v_{1,m} \\
v_{2,2} & v_{2,3} & \cdots & v_{2,m} \\
\vdots & \vdots & & \vdots \\
v_{m-1,2} & v_{m-1,3} & \cdots & v_{m-1,m}
\end{vmatrix},\
\begin{vmatrix}
v_{1,3} & v_{1,4} & \cdots & v_{1,m} & v_{1,1} \\
v_{2,3} & v_{2,4} & \cdots & v_{2,m} & v_{2,1} \\
\vdots & \vdots & & \vdots & \vdots \\
v_{m-1,3} & v_{m-1,4} & \cdots & v_{m-1,m} & v_{m-1,1}
\end{vmatrix},\
\ldots,\
\begin{vmatrix}
v_{1,1} & v_{1,2} & \cdots & v_{1,m-1} \\
v_{2,1} & v_{2,2} & \cdots & v_{2,m-1} \\
\vdots & \vdots & & \vdots \\
v_{m-1,1} & v_{m-1,2} & \cdots & v_{m-1,m-1}
\end{vmatrix}
\right) \pmod P
$$

That is, the j-th component is the determinant of the (m − 1) × (m − 1) matrix formed by columns j + 1, j + 2, ..., m, 1, ..., j − 1 (taken cyclically) of the matrix whose rows are V1, ..., V_{m−1}. For m = 3 this is the ordinary cross-product of two vectors, (v12 v23 − v13 v22, v13 v21 − v11 v23, v11 v22 − v12 v21) (mod P).

Proposition 2 Let A be an m × 2 matrix, m ≥ 2, such that any two row vectors of A form a nonsingular matrix, and let V1, V2 be two three-dimensional row vectors. If

$$
\begin{pmatrix} K_1 \\ K_2 \\ \vdots \\ K_m \end{pmatrix} = A \begin{pmatrix} V_1 \\ V_2 \end{pmatrix} \pmod P,
$$

then K_i × V1 (or V2) = c(V1 × V2) (mod P), for i = 1, 2, ..., m, where c is a constant.
0140-3664/95/$09.50 © 1995 Elsevier Science B.V. All rights reserved. Computer Communications Volume 18 Number 12 December 1995
Proposition 3 Let V1 and V2 be three-dimensional vectors and V1 × V2 (mod P) = (d1, d2, d3), where d1 ≠ 0. Let K_i × V1 (or V2) (mod P) = (e_i1, e_i2, e_i3) for i = 1, 2, ..., m, where K_i is as defined in Proposition 2. If the inverse of d1 (i.e. d1^{-1}) over GF(P) exists, then:

1. The inverse of e_i1 (i.e. e_i1^{-1}) over GF(P) exists.
2. (d2 d1^{-1}, d3 d1^{-1}) = (e_i2 e_i1^{-1}, e_i3 e_i1^{-1}) (mod P), for i = 1, 2, ..., m.
Wu and Yeh's CKDS

Assume there are n users in the system. Without loss of generality, let ID0 be the chairman of a group of m + 1 intended principals ID0, ID1, ID2, ..., IDm, who want to have a secure conference. Let P be a large prime and α be a primitive element over GF(P). Both P and α are known to all principals. Let x_i and y_i be the secret key and public key, respectively, owned by ID_i, where y_i = α^{x_i} (mod P). The key distribution process of the chairman ID0 is as follows.

Algorithm 1

Step 1: Randomly choose two linearly independent three-dimensional row vectors V1 and V2 over GF(P), V1 = (v11, v12, v13) and V2 = (v21, v22, v23) (mod P), such that v12 v23 ≠ v13 v22 (mod P).

Step 2: Compute V1 × V2 (mod P) = (d1, d2, d3).

Step 3: Compute the conference key CK = (d2 d1^{-1}, d3 d1^{-1}) (mod P).

Step 4: Randomly choose a secret m × 2 matrix A, where any two row vectors of A form a nonsingular matrix. Then compute the key matrix K as

$$
K = \begin{pmatrix} K_1 \\ K_2 \\ \vdots \\ K_m \end{pmatrix} = A \begin{pmatrix} V_1 \\ V_2 \end{pmatrix} \pmod P,
$$

where K_i = (k_i1, k_i2, k_i3).

Step 5: Construct the interpolation polynomials F_t(x), for t = 1, 2, 3, over GF(P) by interpolating on the points (ID_i, Y_it), where Y_it = y_i^{x_0} · k_it (mod P) (i = 1, 2, ..., m; t = 1, 2, 3), and (ID_j, 0), where j = m + 1, m + 2, ..., n − 1.

Step 6: Publish V1 and F_t(x), for t = 1, 2, 3.

The conference key derivation process of the legal principal ID_i is described in the following algorithm:

Algorithm 2

Step 1: Compute w_it = F_t(ID_i) (mod P) for t = 1, 2, 3.

Step 2: If w_it = 0 for all t, then stop. This implies that ID_i is an illegal principal for the conference.

Step 3: Compute z_i = y_0^{x_i} (mod P).

Step 4: Compute k_it = w_it z_i^{-1} (mod P), for t = 1, 2, 3, where z_i^{-1} is the inverse of z_i over GF(P).

Step 5: Let K_i = (k_i1, k_i2, k_i3) and compute (e_i1, e_i2, e_i3) = K_i × V1 (mod P).

Step 6: Reconstruct the conference key by CK = (e_i2 · e_i1^{-1}, e_i3 · e_i1^{-1}) (mod P).

ATTACK ON WU AND YEH'S SCHEME

Proposition 4 Let K = (k1, k2, k3) be a three-dimensional vector, K' = cK (mod P), where c is a constant, and let W = (w1, w2, w3) be another three-dimensional vector. Let (a1, a2, a3) = K × W and (b1, b2, b3) = K' × W, where both a1^{-1} and b1^{-1} exist. Then (a2 a1^{-1}, a3 a1^{-1}) = (b2 b1^{-1}, b3 b1^{-1}) (mod P).

Proof According to Definition 1:

$$
K' \times W = (b_1, b_2, b_3) = c(K \times W) \pmod P = c(a_1, a_2, a_3) \pmod P = (ca_1, ca_2, ca_3) \pmod P,
$$

so:

$$
(b_2 b_1^{-1}, b_3 b_1^{-1}) = \big((ca_2)(ca_1)^{-1}, (ca_3)(ca_1)^{-1}\big) \pmod P
= \big((ca_2)(a_1^{-1} c^{-1}), (ca_3)(a_1^{-1} c^{-1})\big) \pmod P
= (a_2 a_1^{-1}, a_3 a_1^{-1}) \pmod P. \quad \square
$$

Theorem 5 The conference key of Wu and Yeh's scheme can be computed by anyone who knows the ID of a legal principal in the conference.

Proof If the opponent knows that ID_i is in the conference, then he can compute w_it = F_t(ID_i) (mod P) for t = 1, 2, 3, according to Algorithm 2. So he obtains:

$$
K_i' = (w_{i1}, w_{i2}, w_{i3}) = (k'_{i1}, k'_{i2}, k'_{i3}) = (k_{i1} z_i, k_{i2} z_i, k_{i3} z_i) \pmod P = z_i (k_{i1}, k_{i2}, k_{i3}) \pmod P = cK_i \pmod P,
$$

where c = z_i is a constant. Then he computes K_i' × V1 = cK_i × V1 (mod P). Let (e'_1, e'_2, e'_3) = K_i' × V1 and (e_1, e_2, e_3) = K_i × V1. By Proposition 4, an intruder can compute the conference key as:

$$
CK = (e_2 \cdot e_1^{-1}, e_3 \cdot e_1^{-1}) = (e'_2 \cdot e'^{-1}_1, e'_3 \cdot e'^{-1}_1) \pmod P. \quad \square
$$
The attack proposed in Theorem 5 can also be illustrated by the following example.

Example Let P = 31 and α = 7. Assume that there are four users ID0, ID1, ID2, ID3 in the system, and ID0, ID1 and ID2 want to have a secret conference. For simplicity, we assume that ID1 = 1, ID2 = 2 and ID3 = 3. The pairs of secret and public keys kept by ID0, ID1, ID2 and ID3 are (x0, y0) = (3, 2), (x1, y1) = (9, 8), (x2, y2) = (11, 20) and (x3, y3) = (10, 25), respectively. Following Wu and Yeh's scheme, the chairman ID0 randomly selects two vectors V1 = (2, 4, 7) and V2 = (1, 3, 5), and computes:

V1 × V2 (mod 31) = (2, 4, 7) × (1, 3, 5) (mod 31) = (30, 28, 2) (mod 31).

Then ID0 computes CK as:

CK = (28 × 30^{-1}, 2 × 30^{-1}) (mod 31) = (3, 29).

Next, chairman ID0 computes a key matrix K containing two row vectors K1 and K2 for ID1 and ID2 by using a randomly selected matrix A as:

$$
K = \begin{pmatrix} K_1 \\ K_2 \end{pmatrix} = \begin{pmatrix} 3 & 1 \\ 2 & 4 \end{pmatrix} \begin{pmatrix} 2 & 4 & 7 \\ 1 & 3 & 5 \end{pmatrix} \pmod{31},
$$

so K1 = (7, 15, 26) and K2 = (8, 20, 3).

Then, the chairman ID0 constructs polynomials F_t(x), for t = 1, 2, 3, by applying the secret key of ID0 and the public keys y_i of the legal principals ID1 and ID2, as:

F1(x) = 9x² + x + 9 (mod 31)
F2(x) = 18x² + 25x + 11 (mod 31)
F3(x) = 16x² + 7x + 21 (mod 31)

Knowing that ID1 is a member in the conference, an opponent can get w11 = F1(1) (mod 31) = 19, w12 = F2(1) (mod 31) = 23 and w13 = F3(1) (mod 31) = 13. Next, he computes (e'11, e'12, e'13) = (w11, w12, w13) × V1 (mod 31) = (19, 23, 13) × (2, 4, 7) (mod 31) = (16, 17, 30) (mod 31). By Proposition 4, the opponent can obtain:

CK = (17 × 16^{-1}, 30 × 16^{-1}) (mod 31) = (17 × 2, 30 × 2) (mod 31) = (3, 29) (mod 31).

MODIFIED SCHEME

Knowing the weak point of Wu and Yeh's scheme, in this section we propose a modified scheme that aims to avoid the proposed attack. Let n be the smallest integer such that 2^n > P, and Q be a prime such that Q > 2^n. Following Steps (1)-(4) of Wu and Yeh's scheme, the chairman ID0, in Step 5, constructs the polynomials F_t(x), for t = 1, 2, 3, over GF(Q), by interpolating on the points (ID_i, Y_it), where Y_it = (y_i^{x_0} mod P) ⊕ k_it, and i = 1, 2, ..., m, t = 1, 2, 3. The symbol '⊕' denotes the bit-by-bit Exclusive OR operation; since both operands are smaller than 2^n, every Y_it lies in GF(Q). Step 6 is the same as in Wu and Yeh's scheme. The fact that the opponent cannot compute the conference key of the modified scheme by using the attack in Theorem 5 should be clear: w_it = z_i ⊕ k_it is no longer a constant multiple of k_it over GF(P), so Proposition 4 does not apply. It should be noted here that the degree of F_t(x) in the newly modified scheme is m − 1, whereas the degree of F_t(x) in Wu and Yeh's scheme is n − 2, where m denotes the number of users in the conference and n is the total number of users in the system. Thus, the new scheme is more efficient than Wu and Yeh's scheme in broadcasting messages. We use the following example to illustrate the newly modified scheme.

Example Following the earlier example, we have V1 × V2 = (30, 28, 2) (mod 31) and CK = (3, 29). Then ID0 computes K1 = (7, 15, 26) and K2 = (8, 20, 3). Instead of multiplying K1 and K2 by z_i, he uses an Exclusive OR operation to form two points on each F_t(x), namely:

(1, (8³ mod 31) ⊕ 7) = (1, 23) and (2, (20³ mod 31) ⊕ 8) = (2, 10) on F1(x);
(1, (8³ mod 31) ⊕ 15) = (1, 31) and (2, (20³ mod 31) ⊕ 20) = (2, 22) on F2(x);
(1, (8³ mod 31) ⊕ 26) = (1, 10) and (2, (20³ mod 31) ⊕ 3) = (2, 1) on F3(x).

Then, chairman ID0 constructs polynomials F_t(x) over GF(Q), for t = 1, 2, 3. In this example, we assume that n = 5 and Q = 37:

F1(x) = 24x + 36 (mod 37)
F2(x) = 28x + 3 (mod 37)
F3(x) = 28x + 19 (mod 37)

A legal principal ID1 can reconstruct CK by computing K1 first, as follows:

K1 = (k11, k12, k13) = (F1(1) ⊕ (8³ mod 31), F2(1) ⊕ (8³ mod 31), F3(1) ⊕ (8³ mod 31)) = (23 ⊕ 16, 31 ⊕ 16, 10 ⊕ 16) = (7, 15, 26).

Thus:

K1 × V1 = (7, 15, 26) × (2, 4, 7) (mod 31) = (1, 3, 29)
CK = (3 × 1^{-1}, 29 × 1^{-1}) (mod 31) = (3, 29).

ACKNOWLEDGEMENTS

The authors wish to thank the referees of this paper for their useful comments. This paper is supported by the National Science Council of ROC under contract number NSC 83-0408-E-006-043.
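The two examples above carried out in code. This is an added example, not a program from the paper: it runs Algorithms 1 and 2 with the example parameters (P = 31, α = 7, V1, V2 and the four key pairs), recovers CK from the published polynomials and the value ID1 = 1 alone as in Theorem 5, and then runs the Exclusive-OR modification over GF(37), where the same computation no longer returns CK. The matrix A = (3 1; 2 4) is an assumption chosen to reproduce K1 = (7, 15, 26) and K2 = (8, 20, 3), and each F_t(x) is represented by its interpolation points and evaluated with Lagrange's formula, which is equivalent to publishing the polynomial.

```python
P, ALPHA, Q = 31, 7, 37          # P and alpha from the paper's example; Q = 37 > 2^5 > P
V1, V2 = (2, 4, 7), (1, 3, 5)    # chairman's vectors from the paper (V1 is published)
A = ((3, 1), (2, 4))             # assumed secret matrix; it reproduces the paper's K1, K2
X = {0: 3, 1: 9, 2: 11, 3: 10}   # secret keys x_i from the paper (ID_i = i for i >= 1)
Y = {i: pow(ALPHA, x, P) for i, x in X.items()}   # public keys y_i = alpha^x_i mod P

def cross3(u, v, p):
    """Cross-product of two 3-dimensional row vectors over GF(p) (Definition 1, m = 3)."""
    return ((u[1]*v[2] - u[2]*v[1]) % p, (u[2]*v[0] - u[0]*v[2]) % p,
            (u[0]*v[1] - u[1]*v[0]) % p)

def key_from(e, p):
    """CK = (e2 * e1^-1, e3 * e1^-1) mod p; Proposition 3 guarantees e1 != 0."""
    inv = pow(e[0], -1, p)
    return (e[1] * inv % p, e[2] * inv % p)

def lagrange_eval(points, x, p):
    """Value at x of the polynomial over GF(p) interpolating the given points."""
    total = 0
    for j, (xj, yj) in enumerate(points):
        num = den = 1
        for i, (xi, _) in enumerate(points):
            if i != j:
                num, den = num * (x - xi) % p, den * (xj - xi) % p
        total = (total + yj * num * pow(den, -1, p)) % p
    return total

def chairman(members, others, xor=False):
    """ID_0's Steps 4-5: K = A(V1;V2) mod P, then the points that define F_1..F_3."""
    z = {i: pow(Y[i], X[0], P) for i in members}           # z_i = y_i^x0 mod P
    K = {i: tuple((A[r][0]*V1[t] + A[r][1]*V2[t]) % P for t in range(3))
         for r, i in enumerate(members)}
    if xor:   # modified scheme: Y_it = z_i XOR k_it, interpolated over GF(Q)
        return [[(i, z[i] ^ K[i][t]) for i in members] for t in range(3)]
    return [[(i, z[i] * K[i][t] % P) for i in members] + [(j, 0) for j in others]
            for t in range(3)]   # Wu-Yeh: Y_it = z_i * k_it mod P, zeros for non-members

def member_key(i, polys, xor=False):
    """Algorithm 2 for a legal ID_i: remove z_i from w_it, then CK from K_i x V1."""
    w = [lagrange_eval(polys[t], i, Q if xor else P) for t in range(3)]
    if not any(w):
        raise ValueError("ID_%d is not a member of the conference" % i)   # Step 2
    z = pow(Y[0], X[i], P)                                   # z_i = y_0^x_i mod P
    k = tuple(wt ^ z for wt in w) if xor else tuple(wt * pow(z, -1, P) % P for wt in w)
    return key_from(cross3(k, V1, P), P)

def outsider_key(i, polys, mod):
    """Theorem 5: knowing only ID_i, use (F_1(ID_i), F_2(ID_i), F_3(ID_i)) as K'_i."""
    w = tuple(lagrange_eval(polys[t], i, mod) for t in range(3))
    return key_from(cross3(w, V1, P), P)
```

With `polys = chairman([1, 2], [3])`, both `member_key(1, polys)` and `outsider_key(1, polys, P)` return (3, 29), while with `chairman([1, 2], [3], xor=True)` only the member call does.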
CONCLUSIONS

In this paper, we investigate the security of Wu and Yeh's conference key distribution system based on the cross-product. We have shown that their scheme is not secure enough, because an opponent can obtain the conference key without knowing any secret information of the system. We then propose a modified scheme to avoid this attack. The modified scheme is also more efficient than Wu and Yeh's scheme.

REFERENCES

1 Ingemarson, I, Tang, D T and Wong, C K 'A conference key distribution system', IEEE Trans. Inform. Theory, Vol 28 No 5 (1982) pp 714-720
2 Lu, E H, Hwang, W Y and Lee, J Y 'A conference key distribution system based on Lagrange interpolation polynomial', Proc. 7th Ann. Joint Conf. IEEE Comp. Comm. Soc., Singapore (1988) pp 1092-1094
3 Koyama, K and Ohta, K 'Identity-based conference key distribution system in broadcasting networks', Electr. Lett., Vol 28 No 5 (1987) pp 647-649
4 Okamoto, E and Tanaka, K 'Key distribution system based on identification information', IEEE J. Selected Areas in Comm., Vol 7 No 4 (1989) pp 481-485
5 Wu, T C and Yeh, Y S 'A conference key distribution system based on cross-product', Comput. Math. Applic., Vol 25 No 4 (1993) pp 39-46