
A constant rounds group key agreement protocol without using hash functions

Received 12 November 2007; Revised 28 January 2009; Accepted 1 February 2009
Copyright © 2009 John Wiley & Sons, Ltd.

Hua Zhang*,†, Qiao-yan Wen, Jie Zhang and Wen-min Li

State key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing 100876, China

SUMMARY

It is important to encrypt and authenticate messages sent over networks to achieve security. Network users must therefore agree upon encryption keys and authentication keys. The authenticated Diffie–Hellman key agreement protocol is used to provide authentication in communication systems. In this paper we present a group key agreement protocol that does not use one-way hash functions and whose security is based on the DDH problem. The protocol is efficient in both communication and computation. We analyze its security in the security model formalized by Bresson et al. Copyright © 2009 John Wiley & Sons, Ltd.

1. INTRODUCTION

A key establishment protocol is a process by which a shared secret key becomes available to participating entities. Key establishment may be subdivided into key transport and key agreement. In a key transport protocol, one entity creates or otherwise obtains a secret value and securely transfers it to other entities. In a group key agreement protocol, a shared secret is derived as a function of information contributed by or associated with all the parties in one group, such that no party in the group can predetermine the resulting value. As the first practical solution to the key agreement problem, the Diffie–Hellman key agreement protocol enables two parties, never having met in advance or shared keying material, to establish a shared secret by exchanging messages over an open channel [1]. The security of this protocol is based on the hardness of the discrete logarithm problem and of the decisional Diffie–Hellman problem.

An authenticated Diffie–Hellman key agreement protocol is used to provide authentication in communication systems. In order to provide a good key, besides key authentication and key confirmation, a number of desirable security attributes have been identified for key agreement protocols [2–4], such as known-session key security, forward secrecy, no key compromise impersonation, no unknown key share and no key control. The security of such a protocol is bounded by the weakest of the cryptographic assumptions on which the protocol is based [5]. If a protocol can be constructed using one cryptographic assumption, it is at least as secure as one that relies on multiple assumptions. In 1995, Menezes et al. [6] proposed the first key agreement protocol that signs the Diffie–Hellman public key without using a one-way hash function. In 2003, Zhou et al. [7] presented an improved key agreement protocol without a one-way hash function based on Harn and Lin's protocol [8].

In addition to security, we must consider efficiency. In 1994 Burmester and Desmedt presented a much more efficient key agreement protocol (BD) in the group setting that requires only two rounds [9]. The protocol is unauthenticated; the authors provided the security proof later [10]. Katz and Yung investigated in detail the security of a variant of the BD protocol for unauthenticated group key agreement and proposed a scalable compiler that transforms a secure unauthenticated group key agreement protocol into a secure authenticated group key agreement protocol, preserving the forward secrecy of the original protocol [11]. They adopted the security model formalized by Bresson et al. [12] for their security analysis.

INTERNATIONAL JOURNAL OF NETWORK MANAGEMENT. Int. J. Network Mgmt 2009; 19: 457–464. Published online 27 March 2009 in Wiley InterScience (www.interscience.wiley.com). DOI: 10.1002/nem.720

*Correspondence to: Hua Zhang, State key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing 100876, China. †E-mail: [email protected]

We present an efficient constant rounds group key agreement protocol, which we call CRGKA, and which is provably secure. The proof uses the security model formalized by Bresson et al., and the security of our protocol reduces to the decisional Diffie–Hellman (DDH) assumption.

The rest of the paper is organized as follows. In Section 2 we present the security model, the security notions for a key agreement protocol and the computational assumptions. In Section 3 we present the construction of our group key agreement protocol, followed by a proof of its security and an analysis of its efficiency. Finally, we conclude the paper.

2. DEFINITIONS

In this section we present the security model, security notation and security assumption.

2.1 Security model

The model described in this section is based on previous work [13–15].

Participants. Let $\{U_i \mid i = 1, \ldots, n\}$ be the set of participants.

Initialization. During this phase, which is conducted before the first execution of the key agreement protocol, the master secret key $x_i$ of each participant and the global parameters are generated by the algorithm Setup. The CA issues certificates for the participants. Each participant obtains its public and private keys.

Protocol execution. The interaction between an adversary and the participants occurs only via oracle queries, which model the adversary's capabilities in a real attack. During the execution of the protocol, the adversary may create several instances of a participant, and several instances of the same participant may be active at any given time. The security of a protocol is related to the adversary's abilities, which are formally modeled by the queries the adversary may issue. We assume that a probabilistic polynomial time adversary $A$ controls the communications completely and can make queries to any instance. The queries that $A$ can make are summarized below:

• Execute$(U_1, \ldots, U_n)$: This query executes the protocol among the instances $(\Pi^{i}_{U_i})_{1 \le i \le n}$ and outputs the transcript of the execution. $A$ gets the complete transcript of all the messages sent during the protocol execution.

• Send$(U_i, M)$: This query allows the adversary $A$ to send a message $M$ to the instance $U_i$; $A$ gets back the reply generated by $U_i$ upon receipt of $M$. Since protocols in the group setting may wait for messages from multiple parties before generating any reply, we write Send$(U_i, M_1, \ldots, M_n)$ to denote sending the messages $M_1, \ldots, M_n$ to this instance.

• Reveal$(U_i)$: This query models the misuse of session keys by a participant. It returns the session key held by $U_i$.

• Corrupt$(U_i)$: This query allows the adversary $A$ to obtain the long-term private key of $U_i$. However, $A$ does not get the internal data of any instance of $U_i$.

Page 3: A constant rounds group key agreement protocol without using hash functions

A CONSTANT ROUNDS GROUP KEY AGREEMENT PROTOCOL 459

Copyright © 2009 John Wiley & Sons, Ltd. Int. J. Network Mgmt 2009; 19: 457–464 DOI: 10.1002/nem

• Test$(U_i, t)$: This query captures the adversary's ability to tell a real session key from a random one. Let $b$ be a bit chosen uniformly at random. The query returns the session key if $b = 1$, or a random key of the same size if $b = 0$. We suppose that the adversary may ask this query only once.

• Sign: In this event, $A$ signs a message under a guessed private key and sends the signature. If the signature is valid, the event returns $b_s = 1$, otherwise $b_s = 0$. The event models a forgery attack.

We define an adversary as a passive adversary if it can only make the Execute query, and as an active adversary if it can make other queries besides Execute.

2.2 Security notations for a key agreement protocol

Let $\mathrm{IDS}_i$ be the session identifier of a participant instance $U_i$. It is a function of all the messages sent and received by $U_i$. The partner identifier $\mathrm{id}_i$ of a participant instance $U_i$ is the set of participants with whom $U_i$ intends to establish a session key.

Definition 1: Partnering. Two instances $U_i$ and $U_j$ are partnered if and only if $\mathrm{IDS}_i = \mathrm{IDS}_j$ and $\mathrm{id}_i = \mathrm{id}_j$.

Definition 2: Freshness. We say that an instance $U_i$ is fresh if the instance enters an accepted state after receiving the last expected protocol message and no Reveal query has been asked of $U_i$ or of its partners.

Definition 3: Protocol security. Let Succ be the event that the bit $b'$ output by the adversary after its Test query equals the hidden bit $b$. We denote the advantage of the adversary $A$ attacking the protocol as $\mathrm{Adv}_A(k) = 2 \cdot \Pr[\mathrm{Succ}] - 1$. We say a group key agreement protocol is a secure group key agreement (KA) protocol if it is secure against a passive adversary; that is, for any PPT (probabilistic polynomial time) passive adversary $A$, $\mathrm{Adv}_A(k)$ is negligible. We say a key agreement protocol is a secure authenticated group key agreement (AKA) protocol if it is secure against an active adversary; that is, for any PPT active adversary $A$, $\mathrm{Adv}_A(k)$ is negligible.

Definition 4: Authentication. A key agreement protocol is said to provide authentication if a participant can be assured that only the intended participants can compute the session key.

Definition 5: Forward secrecy. Forward secrecy means that an adversary gains only a negligible advantage concerning previously established session keys when making a Corrupt query.

2.3 Computational assumptions

Definition 6: Decisional Diffie–Hellman (DDH) assumption. Assume $G$ is a multiplicative cyclic group of order $p$, where $p$ is a large prime. The decisional DH problem is to distinguish between $(\beta, \beta^a, \beta^b, \beta^{ab})$ and $(\beta, \beta^a, \beta^b, \beta^c)$ for random $\beta \in G$, where $a, b, c \in \mathbb{Z}_p^*$. An algorithm $A$ is said to solve the DDH problem with an advantage of $\xi$ if

$$\Big|\Pr\big[A(\beta, \beta^a, \beta^b, \beta^{ab}) = 1\big] - \Pr\big[A(\beta, \beta^a, \beta^b, \beta^{c}) = 1\big]\Big| = \xi .$$

The advantage function for the group $G$, $\mathrm{Adv}_G^{\mathrm{DDH}}$, is the maximum of $\xi$ over all such algorithms $A$ (written $\mathrm{Adv}_G^{\mathrm{DDH}}(T)$ when the running time of $A$ is bounded by $T$).
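Definition 6 asks for a group of prime order, while Table 1 instantiates the protocol with $g$ a primitive element of $\mathbb{Z}_p^*$, whose order $p - 1$ is even. The following added example (editor's code, not from the paper) shows why the distinction matters: in the full group $\mathbb{Z}_p^*$, Euler's criterion reveals the parity of a discrete logarithm, so the tuples of Definition 6 are told apart with advantage about 1/2, whereas in the prime-order subgroup of squares (generated by $g^2$ when $p = 2q + 1$ is a safe prime) the same test learns nothing. The prime $p = 10007$, the trial counts and the helper names `is_square`, `primitive_root`, `ddh_tuple`, `legendre_guess` and `advantage` are constructed for this illustration; the parameter sizes are toy sizes and nothing here is secure as is.

```python
"""Why Definition 6 needs a prime-order group: a Legendre-symbol DDH distinguisher
in Z_p^* versus the subgroup of squares. Added example, not the paper's code."""
import secrets

# Constructed toy parameters (NOT secure sizes): p = 2q + 1 is a safe prime, so
# Z_p^* has even order 2q and its squares form a subgroup of prime order q.
P = 10007
Q = (P - 1) // 2


def is_square(x, p=P):
    """Euler's criterion: x is a quadratic residue mod p iff x^((p-1)/2) == 1."""
    return pow(x, (p - 1) // 2, p) == 1


def primitive_root(p=P):
    """For a safe prime, every quadratic non-residue except p-1 generates all of Z_p^*."""
    return next(g for g in range(2, p - 1) if not is_square(g, p))


def ddh_tuple(beta, order, real, p=P):
    """(beta, beta^a, beta^b, beta^{ab}) if real, else (beta, beta^a, beta^b, beta^c),
    with a, b, c uniform in {1, ..., order-1}, where order = ord(beta)."""
    a = secrets.randbelow(order - 1) + 1
    b = secrets.randbelow(order - 1) + 1
    c = a * b if real else secrets.randbelow(order - 1) + 1
    return (beta, pow(beta, a, p), pow(beta, b, p), pow(beta, c, p))


def legendre_guess(t, p=P):
    """Output 1 ('real') iff the residuosity of the last element is the one a real
    tuple forces. When beta generates Z_p^*, beta^x is a square iff x is even, so
    beta^{ab} is a square iff a or b is even, i.e. iff beta^a or beta^b is a square.
    A random beta^c satisfies this relation only about half of the time."""
    _, ba, bb, bc = t
    return int(is_square(bc, p) == (is_square(ba, p) or is_square(bb, p)))


def advantage(beta, order, trials=2000, p=P):
    """Empirical |Pr[A(real tuple) = 1] - Pr[A(random tuple) = 1]| for legendre_guess."""
    real = sum(legendre_guess(ddh_tuple(beta, order, True, p), p) for _ in range(trials))
    rand = sum(legendre_guess(ddh_tuple(beta, order, False, p), p) for _ in range(trials))
    return abs(real - rand) / trials


if __name__ == "__main__":
    g = primitive_root()   # generator of Z_p^*, order p - 1 (the Table 1 setting)
    h = pow(g, 2, P)       # generator of the subgroup of squares, prime order q
    print("advantage in Z_p^*:", advantage(g, P - 1))
    print("advantage in the order-q subgroup:", advantage(h, Q))
```

Every real tuple in $\mathbb{Z}_p^*$ passes the test, a random one passes with probability about 1/2, so the empirical advantage settles near 0.5; in the order-$q$ subgroup every element is a square, the guess is always 1 for both distributions, and the advantage is exactly 0. Since exponents in the protocol are reduced modulo $p - 1$ and $q$ divides $p - 1$, the signature checks of Section 3 verify unchanged if $g$ is taken to be a generator of that subgroup.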

Definition 7: Parallel decisional Diffie–Hellman (PDDH) assumption [16]. We define two distributions:

$$\mathrm{PDDH}_n^{*} = \Big\{ \big(g^{x_1}, \ldots, g^{x_n},\ g^{x_1 x_2}, \ldots, g^{x_{n-1} x_n}, g^{x_n x_1}\big) \ :\ x_1, \ldots, x_n \leftarrow_R \mathbb{Z}_q \Big\}$$

$$\mathrm{PDDH}_n^{\$} = \Big\{ \big(g^{x_1}, \ldots, g^{x_n},\ g^{y_1}, \ldots, g^{y_n}\big) \ :\ x_1, \ldots, x_n, y_1, \ldots, y_n \leftarrow_R \mathbb{Z}_q \Big\}$$

where, following [16], $q$ denotes the order of $G$. The $\mathrm{PDDH}_n$ problem is to distinguish between $\mathrm{PDDH}_n^{*}$ and $\mathrm{PDDH}_n^{\$}$. The advantage function for the group $G$ is denoted $\mathrm{Adv}_G^{\mathrm{PDDH}_n}$. For any group $G$ and any integer $n$, the $\mathrm{PDDH}_n$ and DDH problems are equivalent. For a time bound $T$,

$$\mathrm{Adv}_G^{\mathrm{DDH}}(T) \le \mathrm{Adv}_G^{\mathrm{PDDH}_n}(T) \le n \cdot \mathrm{Adv}_G^{\mathrm{DDH}}(T).$$

Page 4: A constant rounds group key agreement protocol without using hash functions

460 H. ZHANG ET AL.

Copyright © 2009 John Wiley & Sons, Ltd. Int. J. Network Mgmt 2009; 19: 457–464 DOI: 10.1002/nem

Definition 8: Discrete logarithm (DL) assumption [17]. Assume $G$ is a multiplicative cyclic group of order $p$, where $p$ is a large prime. Given $g^a \bmod p$, it is difficult to determine $a \in \mathbb{Z}_p^*$. An algorithm $A$ is said to solve the DL problem with an advantage of $s$ if $A$ can determine $a$ with probability no more than $s$. The advantage function for the group $G$ is defined as $\mathrm{Adv}_G^{\mathrm{DL}} = s$.

3. KEY AGREEMENT PROTOCOL

In this section we present an efficient key agreement protocol in the group setting that requires only two rounds. Table 1 lists the primary symbols used in the protocol.

3.1 CRGKA

The protocol that we call CRGKA involves a CA that issues a certificate $\mathrm{Cert}_i$ for each $U_i$, and $n$ participants $\{U_i, i = 1, \ldots, n\}$.

Setup. The CA issues a certificate $\mathrm{Cert}_i$ for $U_i$. $U_i$'s secret key is $x_i$, and its public key is $Y_i = g^{x_i} \bmod p$.

Interaction. When $n$ participants $\{U_i, i = 1, \ldots, n\}$ wish to establish a session key, they proceed as follows, where the indices are taken modulo $n$, so that participant $U_0$ is $U_n$ and participant $U_{n+1}$ is $U_1$:

1. Each participant $U_i$, $1 \le i \le n$, chooses a random $a_i \in \mathbb{Z}_p^*$ and sets $r_i = g^{a_i} \bmod p$. $U_i$ computes $s_i = Y_i a_i - (r_i + Y_i) x_i \pmod{p-1}$ and broadcasts $\delta_i = (r_i, s_i, \mathrm{Cert}_i)$.

2. After receiving all other participants' messages, each participant $U_i$ computes, for $1 \le j \le n$, $Y_j' = (Y_j)^{r_j + Y_j} g^{s_j} \bmod p$. If any $Y_j' \ne r_j^{\,Y_j} \bmod p$, the protocol is aborted. (For an honest $U_j$ the check passes, since $(Y_j)^{r_j + Y_j} g^{s_j} = g^{x_j (r_j + Y_j) + Y_j a_j - (r_j + Y_j) x_j} = g^{Y_j a_j} = r_j^{\,Y_j}$.) Otherwise, for $1 \le i \le n$, let $g_i = r_{i+1} / r_{i-1} \bmod p$; each participant $U_i$ computes $Z_i = (g_i)^{a_i} \bmod p$ and $s_i' = x_i - (Z_i + Y_i)(x_i + a_i) \pmod{p-1}$. Then $U_i$ broadcasts $\delta_i' = (Z_i, s_i', \mathrm{Cert}_i)$.

3. After receiving all other participants' messages, each participant $U_i$ computes, for $1 \le j \le n$, $Y_j'' = (r_j Y_j)^{Z_j + Y_j} g^{s_j'} \bmod p$. If any $Y_j'' \ne Y_j$, the protocol is aborted. (For an honest $U_j$, $(r_j Y_j)^{Z_j + Y_j} g^{s_j'} = g^{(a_j + x_j)(Z_j + Y_j) + x_j - (Z_j + Y_j)(x_j + a_j)} = g^{x_j} = Y_j$.) Otherwise, each participant $U_i$ computes its session key

$$K_i = (r_{i-1})^{n a_i} \cdot Z_i^{\,n-1} \cdot Z_{i+1}^{\,n-2} \cdots Z_{i+n-2}^{\,1} \bmod p .$$

If all the participants $U_i$ follow the above steps, they agree upon the same session key $K = g^{a_1 a_2 + a_2 a_3 + \cdots + a_n a_1} \bmod p$. Indeed, $Z_{i+k} = g^{a_{i+k} a_{i+k+1} - a_{i+k-1} a_{i+k}}$, so the exponent of $K_i$ is $n\, a_{i-1} a_i + \sum_{k=0}^{n-2} (n-1-k)\,(a_{i+k} a_{i+k+1} - a_{i+k-1} a_{i+k})$, which telescopes to $\sum_{k=0}^{n-1} a_{i+k} a_{i+k+1}$, the sum of all $n$ products of cyclically adjacent ephemeral exponents, independent of $i$.
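As an added, runnable illustration of Section 3.1 (editor's code, not the authors' implementation), the following Python script runs CRGKA among $n$ simulated participants over an in-memory broadcast, performs both signature checks of steps 2 and 3, and confirms that every participant derives the same key $K = g^{a_1 a_2 + \cdots + a_n a_1} \bmod p$. The parameters are constructed and deliberately tiny: $p = 10007$ is a safe prime and $g$ the smallest primitive element of $\mathbb{Z}_p^*$ (the Table 1 setting, with exponent arithmetic modulo $p - 1$). The CA is not modelled; a trusted dictionary of public keys stands in for the certificates, and the class and function names (`Participant`, `round1`, `round2`, `session_key`, `verify_round1`, `verify_round2`, `run_crgka`) are this example's own.

```python
"""Toy run of the CRGKA protocol (Section 3.1). Added example, not the paper's code."""
import secrets

# Constructed toy parameters (NOT secure sizes). p = 2q + 1 is a safe prime and g a
# primitive element of Z_p^*, as in Table 1, so exponents are reduced mod p - 1.
P = 10007


def _is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))


assert _is_prime(P) and _is_prime((P - 1) // 2), "P must be a safe prime"


def primitive_root(p):
    """For a safe prime, every quadratic non-residue except p-1 is a primitive root."""
    return next(g for g in range(2, p - 1) if pow(g, (p - 1) // 2, p) == p - 1)


G = primitive_root(P)


def rand_exp(p):
    """Uniform secret exponent in Z_p^* = {1, ..., p-1}."""
    return secrets.randbelow(p - 1) + 1


class Participant:
    """U_i with long-term key pair (x_i, Y_i) and per-session state (a_i, r_i, Z_i)."""

    def __init__(self, i, p=P, g=G):
        self.i, self.p, self.g = i, p, g
        self.x = rand_exp(p)          # long-term secret key x_i
        self.Y = pow(g, self.x, p)    # long-term public key Y_i (carried by Cert_i)
        self.a = self.r = self.Z = None

    def round1(self):
        """Step 1: r_i = g^{a_i}, s_i = Y_i a_i - (r_i + Y_i) x_i mod (p-1)."""
        p, g = self.p, self.g
        self.a = rand_exp(p)
        self.r = pow(g, self.a, p)
        s = (self.Y * self.a - (self.r + self.Y) * self.x) % (p - 1)
        return (self.i, self.r, s)

    def round2(self, n, r):
        """Step 2: Z_i = (r_{i+1}/r_{i-1})^{a_i}, s'_i = x_i - (Z_i + Y_i)(x_i + a_i) mod (p-1)."""
        p = self.p
        g_i = r[(self.i + 1) % n] * pow(r[(self.i - 1) % n], -1, p) % p  # Python >= 3.8
        self.Z = pow(g_i, self.a, p)
        s2 = (self.x - (self.Z + self.Y) * (self.x + self.a)) % (p - 1)
        return (self.i, self.Z, s2)

    def session_key(self, n, r, Z):
        """Step 3: K_i = r_{i-1}^{n a_i} * Z_i^{n-1} * Z_{i+1}^{n-2} * ... * Z_{i+n-2}^1."""
        p = self.p
        K = pow(r[(self.i - 1) % n], n * self.a, p)
        for k in range(n - 1):
            K = K * pow(Z[(self.i + k) % n], n - 1 - k, p) % p
        return K


def verify_round1(Y, msg, p=P, g=G):
    """Accept (r_j, s_j) iff Y_j^{r_j + Y_j} * g^{s_j} == r_j^{Y_j} (mod p)."""
    j, r, s = msg
    return pow(Y[j], r + Y[j], p) * pow(g, s, p) % p == pow(r, Y[j], p)


def verify_round2(Y, r, msg, p=P, g=G):
    """Accept (Z_j, s'_j) iff (r_j Y_j)^{Z_j + Y_j} * g^{s'_j} == Y_j (mod p)."""
    j, Z, s2 = msg
    return pow(r[j] * Y[j] % p, Z + Y[j], p) * pow(g, s2, p) % p == Y[j]


def run_crgka(n, p=P, g=G):
    """Run CRGKA among n honest participants over a simulated broadcast channel.
    Returns (list of per-participant keys, g^{a_1 a_2 + a_2 a_3 + ... + a_n a_1} mod p)."""
    users = [Participant(i, p, g) for i in range(n)]
    Y = {u.i: u.Y for u in users}             # stands in for the CA-issued certificates
    msgs1 = [u.round1() for u in users]       # round 1 broadcast
    if not all(verify_round1(Y, m, p, g) for m in msgs1):
        raise ValueError("round-1 signature check failed: abort")
    r = {j: rj for j, rj, _ in msgs1}
    msgs2 = [u.round2(n, r) for u in users]   # round 2 broadcast
    if not all(verify_round2(Y, r, m, p, g) for m in msgs2):
        raise ValueError("round-2 signature check failed: abort")
    Z = {j: Zj for j, Zj, _ in msgs2}
    keys = [u.session_key(n, r, Z) for u in users]
    exponent = sum(users[i].a * users[(i + 1) % n].a for i in range(n)) % (p - 1)
    return keys, pow(g, exponent, p)


if __name__ == "__main__":
    keys, expected = run_crgka(5)
    print("all keys equal:", len(set(keys)) == 1, "match formula:", keys[0] == expected)
```

Both verification equations hold for honest messages because the signatures are computed modulo $p - 1$, the order of $g$; altering any signed value by a single unit makes the corresponding check fail, which is the abort condition of steps 2 and 3. For $n = 2$ the two neighbours coincide, $Z_i = 1$, and the key degenerates to $g^{2 a_1 a_2}$, consistent with the general formula.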

Table 1. The meanings of symbols

Symbol                          Meaning
$\mathrm{Cert}_i$               $U_i$'s certificate
$g$                             A primitive element of $G$
$x_i$                           $U_i$'s long-term secret key
$Y_i = g^{x_i} \bmod p$         $U_i$'s long-term public key
$a_i \in \mathbb{Z}_p^*$        $U_i$'s ephemeral secret key
$r_i = g^{a_i} \bmod p$         $U_i$'s ephemeral public key

3.2 Security proof

In this section we show that the protocol is secure in the model described in Section 2.1. Our protocol is based on the DDH assumption. In other words, if there is an active adversary who has a non-negligible probability of breaking the protocol, then he also has a non-negligible probability of breaking the DDH assumption.

Theorem 1. The above protocol is secure against an active adversary under the DDH assumption in the standard model. Concretely, $\mathrm{Adv}_A \le 2n^2 \cdot s^2 \cdot q_{ex} \cdot \mathrm{Adv}_G^{\mathrm{DDH}}$, where $q_{ex}$ is the number of Execute queries.

Proof. Assume $A$ is an adversary that can obtain an advantage in breaking CRGKA. We first consider the case that the adversary makes only one Send query, one Execute query and two Sign queries, then extend this to the case that $A$ makes multiple Execute queries. Let $n$ be the number of participants chosen by the adversary $A$. The distribution of the transcript $T$ and the resulting group session key $K$ is given by

$$\mathrm{params} = \big[\, GF(p),\ g,\ x_i \leftarrow_R \mathbb{Z}_p^*,\ Y_i = g^{x_i} \bmod p,\ \mathrm{Cert}_i,\ i = 1, \ldots, n \,\big]$$

$$\mathrm{Real} = \left\{
\begin{array}{l}
a_1, \ldots, a_n \leftarrow_R \mathbb{Z}_p^*;\quad r_1 = g^{a_1} \bmod p, \ldots, r_n = g^{a_n} \bmod p;\quad \mathrm{Cert}_1, \ldots, \mathrm{Cert}_n; \\[2pt]
s_i = Y_i a_i - (r_i + Y_i) x_i \bmod (p-1),\quad \delta_i = (r_i, s_i, \mathrm{Cert}_i),\quad i = 1, \ldots, n; \\[2pt]
g_i = r_{i+1}/r_{i-1},\quad Z_i = (g_i)^{a_i} \bmod p,\quad i = 1, \ldots, n; \\[2pt]
s_i' = x_i - (Z_i + Y_i)(x_i + a_i) \bmod (p-1),\quad \delta_i' = (Z_i, s_i', \mathrm{Cert}_i),\quad i = 1, \ldots, n; \\[2pt]
T = (r_1, \ldots, r_n;\ s_1, \ldots, s_n;\ \mathrm{Cert}_1, \ldots, \mathrm{Cert}_n;\ Z_1, \ldots, Z_n;\ s_1', \ldots, s_n';\ \mathrm{Cert}_1, \ldots, \mathrm{Cert}_n); \\[2pt]
K = g^{a_1 a_2 + a_2 a_3 + \cdots + a_n a_1} \bmod p
\end{array}
\right\}$$

We first consider the distribution $\mathrm{Fake}_1$, defined as follows:

$$\mathrm{Fake}_1 = \left\{
\begin{array}{l}
a_1, \ldots, a_n \leftarrow_R \mathbb{Z}_p^*;\quad \mathrm{Cert}_1, \ldots, \mathrm{Cert}_n;\quad b_1, \ldots, b_n \leftarrow_R \mathbb{Z}_p^*; \\[2pt]
r_1 = g^{a_1 b_1} \bmod p,\quad r_2 = g^{a_2} \bmod p, \ldots, r_n = g^{a_n} \bmod p; \\[2pt]
s_1 = S_1 \bmod (p-1),\ S_1 \leftarrow_R G,\quad \delta_1 = (r_1, s_1, \mathrm{Cert}_1); \\[2pt]
s_i = Y_i a_i - (r_i + Y_i) x_i \bmod (p-1),\quad \delta_i = (r_i, s_i, \mathrm{Cert}_i),\quad i \ne 1; \\[2pt]
g_1 = r_2/r_n,\quad g_i = r_{i+1}/r_{i-1}\ (2 \le i \le n-1),\quad g_n = r_1/r_{n-1}; \\[2pt]
Z_1 = (g_1)^{a_1 b_1} \bmod p,\quad Z_i = (g_i)^{a_i} \bmod p,\quad i \ne 1; \\[2pt]
s_1' = S_1' \bmod (p-1),\ S_1' \leftarrow_R G,\quad \delta_1' = (Z_1, s_1', \mathrm{Cert}_1); \\[2pt]
s_i' = x_i - (Z_i + Y_i)(x_i + a_i) \bmod (p-1),\quad \delta_i' = (Z_i, s_i', \mathrm{Cert}_i),\quad i \ne 1; \\[2pt]
T = (r_1, \ldots, r_n;\ s_1, \ldots, s_n;\ \mathrm{Cert}_1, \ldots, \mathrm{Cert}_n;\ Z_1, \ldots, Z_n;\ s_1', \ldots, s_n';\ \mathrm{Cert}_1, \ldots, \mathrm{Cert}_n); \\[2pt]
K = g^{a_1 a_2 b_1 + a_2 a_3 + \cdots + a_n a_1 b_1} \bmod p
\end{array}
\right\}$$


In the same way, we can define $\mathrm{Fake}_2, \ldots, \mathrm{Fake}_n$ as follows:

$$\mathrm{Fake}_2 = \left\{
\begin{array}{l}
a_1, \ldots, a_n \leftarrow_R \mathbb{Z}_p^*;\quad \mathrm{Cert}_1, \ldots, \mathrm{Cert}_n;\quad b_1, \ldots, b_n \leftarrow_R \mathbb{Z}_p^*; \\[2pt]
r_1 = g^{a_1 b_1} \bmod p,\quad r_2 = g^{a_2 b_2} \bmod p,\quad r_3 = g^{a_3} \bmod p, \ldots, r_n = g^{a_n} \bmod p; \\[2pt]
s_1 = S_1 \bmod (p-1),\ s_2 = S_2 \bmod (p-1),\ S_1, S_2 \leftarrow_R G,\quad \delta_1 = (r_1, s_1, \mathrm{Cert}_1),\ \delta_2 = (r_2, s_2, \mathrm{Cert}_2); \\[2pt]
s_i = Y_i a_i - (r_i + Y_i) x_i \bmod (p-1),\quad \delta_i = (r_i, s_i, \mathrm{Cert}_i),\quad i \ne 1, 2; \\[2pt]
g_1 = r_2/r_n,\quad g_i = r_{i+1}/r_{i-1}\ (2 \le i \le n-1),\quad g_n = r_1/r_{n-1}; \\[2pt]
Z_1 = (g_1)^{a_1 b_1} \bmod p,\quad Z_2 = (g_2)^{a_2 b_2} \bmod p,\quad Z_i = (g_i)^{a_i} \bmod p,\quad i \ne 1, 2; \\[2pt]
s_1' = S_1' \bmod (p-1),\ s_2' = S_2' \bmod (p-1),\ S_1', S_2' \leftarrow_R G,\quad \delta_1' = (Z_1, s_1', \mathrm{Cert}_1),\ \delta_2' = (Z_2, s_2', \mathrm{Cert}_2); \\[2pt]
s_i' = x_i - (Z_i + Y_i)(x_i + a_i) \bmod (p-1),\quad \delta_i' = (Z_i, s_i', \mathrm{Cert}_i),\quad i \ne 1, 2; \\[2pt]
T = (r_1, \ldots, r_n;\ s_1, \ldots, s_n;\ \mathrm{Cert}_1, \ldots, \mathrm{Cert}_n;\ Z_1, \ldots, Z_n;\ s_1', \ldots, s_n';\ \mathrm{Cert}_1, \ldots, \mathrm{Cert}_n); \\[2pt]
K = g^{a_1 a_2 b_1 b_2 + a_2 a_3 b_2 + a_3 a_4 + \cdots + a_n a_1 b_1} \bmod p
\end{array}
\right\}$$

$$\cdots$$

$$\mathrm{Fake}_n = \left\{
\begin{array}{l}
a_1, \ldots, a_n \leftarrow_R \mathbb{Z}_p^*;\quad \mathrm{Cert}_1, \ldots, \mathrm{Cert}_n;\quad b_1, \ldots, b_n \leftarrow_R \mathbb{Z}_p^*; \\[2pt]
r_1 = g^{a_1 b_1} \bmod p, \ldots, r_n = g^{a_n b_n} \bmod p; \\[2pt]
s_i = S_i \bmod (p-1),\ S_i \leftarrow_R G,\quad \delta_i = (r_i, s_i, \mathrm{Cert}_i),\quad i = 1, \ldots, n; \\[2pt]
g_1 = r_2/r_n,\quad g_i = r_{i+1}/r_{i-1}\ (2 \le i \le n-1),\quad g_n = r_1/r_{n-1}; \\[2pt]
Z_1 = (g_1)^{a_1 b_1} \bmod p, \ldots, Z_n = (g_n)^{a_n b_n} \bmod p; \\[2pt]
s_i' = S_i' \bmod (p-1),\ S_i' \leftarrow_R G,\quad \delta_i' = (Z_i, s_i', \mathrm{Cert}_i),\quad i = 1, \ldots, n; \\[2pt]
T = (r_1, \ldots, r_n;\ s_1, \ldots, s_n;\ \mathrm{Cert}_1, \ldots, \mathrm{Cert}_n;\ Z_1, \ldots, Z_n;\ s_1', \ldots, s_n';\ \mathrm{Cert}_1, \ldots, \mathrm{Cert}_n); \\[2pt]
K = g^{a_1 a_2 b_1 b_2 + a_2 a_3 b_2 b_3 + \cdots + a_n a_1 b_n b_1} \bmod p
\end{array}
\right\}$$

First, we consider the case that $A$ makes one Sign query, in which $A$ forges $U_1$'s first-round message as $(\hat r_1, \hat s_1)$. The other participants then compute $Y_1' = (Y_1)^{\hat r_1 + Y_1} g^{\hat s_1} \bmod p = g^{x_1(\hat r_1 + Y_1) + \hat s_1} \bmod p$ and compare it with $\hat r_1^{\,Y_1} \bmod p$ (in $\mathrm{Fake}_1$, $\hat r_1 = g^{a_1 b_1}$, so $\hat r_1^{\,Y_1} = g^{a_1 b_1 Y_1} \bmod p$). $A$ can produce an $\hat s_1$ that passes this check with probability $s = \Pr[b_s = 1]$. In the same way, $A$ can forge $Z_1$ and $s_1'$ so that the second-round check $Y_1'' = Y_1$ passes with probability $s = \Pr[b_s = 1]$. Hence $A$ can forge $r_1, s_1, Z_1$ and $s_1'$ with probability $s^2 = \Pr[b_s = 1] \cdot \Pr[b_s = 1]$. Now assume that $A$ also makes a Corrupt query. $A$ still obtains no internal data of any instance of $U_i$, so $A$ forges $r_1, s_1, Z_1$ and $s_1'$ with probability $s^2$ as before.

Let $\mathrm{Adv}_G^{\mathrm{PDDH}_n} = \xi'$. Assume that $A$ makes $q_{se}$ Send queries and $q_{ex}$ Execute queries. Then $A$ randomly chooses $(T, K)$ to make a Test query and outputs $b'$. $A$ can distinguish $K = g^{a_1 a_2 b_1 + a_2 a_3 + \cdots + a_n a_1 b_1} \bmod p$ from $K = g^{a_1 a_2 + a_2 a_3 + \cdots + a_n a_1} \bmod p$ with probability $\xi'$, where $\xi \le \xi' \le n\xi$ and $\xi = \mathrm{Adv}_G^{\mathrm{DDH}}$. Hence $A$ correctly guesses $b = b'$ with probability $\xi'$. The remaining steps continue in the same way and we obtain

$$\Big|\Pr\big[T \leftarrow \mathrm{Real};\ K \leftarrow \mathrm{Real} : A(T, K) = 1\big] - \Pr\big[T \leftarrow \mathrm{Fake}_1;\ K \leftarrow \mathrm{Fake}_1 : A(T, K) = 1\big]\Big| \le \xi' ;$$

$$\Big|\Pr\big[T \leftarrow \mathrm{Fake}_1;\ K \leftarrow \mathrm{Fake}_1 : A(T, K) = 1\big] - \Pr\big[T \leftarrow \mathrm{Fake}_2;\ K \leftarrow \mathrm{Fake}_2 : A(T, K) = 1\big]\Big| \le \xi' ;$$

$$\cdots$$

$$\Big|\Pr\big[T \leftarrow \mathrm{Fake}_{n-1};\ K \leftarrow \mathrm{Fake}_{n-1} : A(T, K) = 1\big] - \Pr\big[T \leftarrow \mathrm{Fake}_n;\ K \leftarrow \mathrm{Fake}_n : A(T, K) = 1\big]\Big| \le \xi' .$$


Combining the above equations, we obtain the following:

$$\Big|\Pr\big[T \leftarrow \mathrm{Real};\ K \leftarrow \mathrm{Real} : A(T, K) = 1\big] - \Pr\big[T \leftarrow \mathrm{Fake}_n;\ K \leftarrow \mathrm{Fake}_n : A(T, K) = 1\big]\Big| \le n \xi' ;$$

$$\mathrm{Adv}_A^{\mathrm{PDDH}_n} = 2\Pr[\mathrm{Succ}] - 1 = 2\Pr[b = b'] - 1 \le 2 n \xi' .$$

Thus we obtain $\mathrm{Adv}_A \le 2n \cdot \mathrm{Adv}_A^{\mathrm{sign}} \cdot q_{ex} \cdot \mathrm{Adv}_G^{\mathrm{PDDH}_n}$. Expanding this with $\mathrm{Adv}_A^{\mathrm{sign}} = s^2$ and $\mathrm{Adv}_G^{\mathrm{PDDH}_n} \le n \cdot \mathrm{Adv}_G^{\mathrm{DDH}}$, we obtain $\mathrm{Adv}_A \le 2n^2 \cdot s^2 \cdot q_{ex} \cdot \mathrm{Adv}_G^{\mathrm{DDH}}$.

3.3 Effi ciency

The efficiency of a protocol is related to the costs of communication and computation. Communication cost includes the number of rounds and the total number of messages transmitted through the network during a protocol execution. The number of rounds is a critical concern in practical environments where the number of group members is large.

Communication. The number of rounds required is two and the number of messages sent per participant is six.

Computation. Each participant computes three (full-length) modular exponentiations and $\frac{n^2}{2} + \frac{3n}{2} - 3$ modular multiplications. Additionally, each participant performs two signature generations and $2n - 2$ signature verifications.

4. CONCLUSIONS

We proposed a two-round authenticated group key agreement protocol. The protocol does not need any hash function. We proved that our protocol is secure against an active adversary under the DDH assumption. Forward secrecy is not addressed in this paper; we hope to prove in future work that our protocol achieves forward secrecy according to the definition given here. CRGKA is efficient and fully symmetric. Our protocol can be viewed as a variant of the BD protocol.

ACKNOWLEDGEMENTS

This work was supported by the National High Technology Research and Development Program of China, Grant No. 2006AA01Z419, the Major Research Plan of the National Natural Science Foundation of China, Grant No. 90604023, and the Natural Science Foundation of Beijing, Grant No. 4072020.

REFERENCES

1. Diffie W, Hellman M. New directions in cryptography. IEEE Transactions on Information Theory 1976; 22(6): 644–654.

2. Blake-Wilson S, Johnson D, Menezes A. Key agreement protocols and their security analysis. In Proceedings of the Sixth IMA International Conference on Cryptography and Coding. LNCS 1355. Springer: Berlin, 1997; 30–45.

3. Blake-Wilson S, Menezes A. Authenticated Diffie–Hellman key agreement protocols. In 5th Annual Workshop on Selected Areas in Cryptography (SAC'98). LNCS 1556. Springer: Berlin, 1998; 339–361.

4. Law L, Menezes A, Qu M et al. An effi cient protocol for authenticated key agreement. Technical Report CORR 98–05, Department of C&O, University of Waterloo, Canada, 1998.


5. Harn L, Hsin WJ, Mehta M. Authenticated Diffie–Hellman key agreement protocol using a single cryptographic assumption. IEE Proceedings in Communications 2005; 152(4): 404–410.

6. Menezes A, Qu JM, Vanstone SA. Some key agreement protocols providing implicit authentication. In 2nd Work-shop in Selected Areas in Cryptography, Ottawa, Canada, May 1995.

7. Zhou HS, Fan L, Li JH. Remarks on unknown key-share attack on authenticated multiple-key agreement proto-col. Electronics Letters 2003; 39(17): 1248–1249.

8. Harn L, Lin HY. Authenticated key agreement without using one-way hash functions. Electronics Letters 2001; 37(10): 629–630.

9. Burmester M, Desmedt Y. A secure and effi cient conference key distribution system. In Proceedings of Eurocrypt 1994. LNCS 950. Springer: Berlin, 1995; 275–286.

10. Burmester M, Desmedt Y. A secure and scalable group key exchange system. Information Processing Letters 2005; 94(3): 137–143.

11. Katz J, Yung M. Scalable protocols for authenticated group key exchange. In Proceedings of CRYPTO 2003. LNCS 2729. Springer: Berlin, 2003; 110–125.

12. Bresson E, Chevassut O, Pointcheval D. Dynamic group Diffie–Hellman key exchange under standard assumptions. In Proceedings of EUROCRYPT 2002. LNCS 2332. Springer: Berlin, 2002; 321–336.

13. Zhou L, Susilo W, Mu Y. Effi cient ID-based authenticated group key agreement from bilinear pairings. In MSN 2006. LNCS 4325. Springer: Berlin, 2006; 521–532.

14. Bellare M, Pointcheval D, Rogaway P. Authenticated key exchange secure against dictionary attacks. In Proceed-ings of EUROCRYPT 2000. LNCS 1807. Springer: Berlin, 2000; 139–154.

15. Abdalla M, Pointcheval D. A scalable password-based group key exchange protocol in the standard model. In ASIACRYPT 2006. LNCS 4284. Springer: Berlin, 2006; 332–347.

16. Abdalla M, Bresson E, Chevassut O et al. Password-based group key exchange in a constant number of rounds. In International Workshop on Practice and Theory in Public Key Cryptography (PKC 2006), New York, April 2006.

17. Ke Z, Sun Q. Number Theory Teaching Materials. Higher Education Publisher, Beijing, 2002; 145.

AUTHORS’ BIOGRAPHIES

Hua Zhang (1978– ), female, received the B.S. and M.S. degrees from Xidian University, Xi'an, China, in 2002 and 2005, respectively, and the Ph.D. degree from Beijing University of Posts and Telecommunications. She now works at Beijing University of Posts and Telecommunications. Her research interests include cryptography and information security.

Qiao-yan Wen (1959– ), female, Professor, works at Beijing University of Posts and Telecommunications. Her research interests include cryptography and information security.

Jie Zhang (1970– ), female, Associate Professor, works at Beijing University of Posts and Telecommunications. Her research interests include cryptography.

Wen-min Li (1983– ), female, received the B.S. and M.S. degrees in Mathematics from Shaanxi Normal University, Xi'an, China, in 2004 and 2007, respectively. She is now a Ph.D. candidate at Beijing University of Posts and Telecommunications. Her research interests include cryptography and information security.