SECURITY AND COMMUNICATION NETWORKS Security Comm. Networks 2015; 8:1347–1359 Published online 11 August 2014 in Wiley Online Library (wileyonlinelibrary.com). DOI: 10.1002/sec.1089

RESEARCH ARTICLE

An improved conference-key agreement protocol for dynamic groups with efficient fault correction
Orhan Ermiş 1*, Şerif Bahtiyar 2, Emin Anarim 3 and M. Ufuk Çağlayan 1

1 Computer Networks Research Laboratory-NETLAB, Department of Computer Engineering, Boğaziçi University, 34342, Bebek, Istanbul, Turkey
2 Progress R&D Center, Provus A MasterCard Company, 34396, Şişli, Istanbul, Turkey
3 Department of Electrical and Electronics Engineering, Boğaziçi University, 34342, Bebek, Istanbul, Turkey

ABSTRACT
The pervasive usage of the Internet has made secure group communications a significant issue. Conference-key agreement protocols provide secure group communications with lower computational cost. Providing key agreements and updates of dynamic groups in an efficient manner is a significant challenge for conference-key agreement protocols. Auxiliary key agreement operations are needed to solve the challenge. In this paper, we propose an improved conference-key agreement protocol, called Dynamic Conference-Key Agreement Protocol, that consists of the Initial Conference-Key Agreement Protocol and Auxiliary Conference-Key Agreement operations. Dynamic Conference-Key Agreement Protocol has operations to handle dynamic groups. The proposed protocol has better fault correction and provides the same security level as the existing ones. Copyright © 2014 John Wiley & Sons, Ltd.

KEYWORDS
Initial Conference Key Agreement Protocol; Auxiliary Conference Key Agreement Operations; forward secrecy; fault tolerance; dynamic groups; key freshness

*Correspondence
Orhan Ermiş, Computer Networks Research Laboratory-NETLAB, Department of Computer Engineering, Boğaziçi University, 34342, Bebek, Istanbul, Turkey
E-mail: [email protected]

1. INTRODUCTION
Societies have been connected more than ever with the evolution of communication technologies, such as the Internet. With the rapid development of the Internet, it is possible for the participants of a group to organize a conference meeting without assembling together. However, providing security for the communications of the conference is a challenging issue. Cryptographic algorithms are used to overcome this issue. These algorithms are useful when the common key among participants is fresh. Freshness is accomplished by using conference-key establishment protocols to generate or update the key for each session. Key establishment protocols are categorized as key distribution and key agreement. Key distribution protocols may need a centralized authority, such as a member in the network or a trusted third party, to distribute a conference key to participants. Key agreement protocols enable all participants in the meeting to calculate a shared key. These protocols are used according to the type of network and the duration of the communications. For instance, in conference networks, short-term keys are used for each session of decentralized and distributed networks. Therefore, key agreement protocols are more suitable for conference networks.

One important property for the security of conference-key agreement protocols is fault tolerance, which was first used in [1]. Subsequently, numerous implementations of the fault-tolerance property for group communications were proposed [2–6]. The fault-tolerance property is used to protect the correct calculation of the conference key against malicious participants in a session. When a malicious attempt by a participant is detected, this entity is marked as a malicious participant and is removed from the conference session. Later, the protocol has to be re-executed with the rest of the participants to provide key freshness, because it is designed for static groups. However, the performance of the protocol degrades with the overhead of re-execution. Therefore, additional operations are needed to update the conference key without re-executing the protocol. Such operations are known as dynamic group operations [7–9]. Although the protocols in [7–9] provide fault tolerance and dynamic group operations, they lack forward secrecy, which was proposed in [10] and adopted for conference-key agreement protocols in [5] as an extended protocol of [1]. This property protects the former and subsequent conference keys of a protocol from compromise if the long-term key of a participant is compromised; this, together with the performance degradation in the static setting, is our motivation for this paper.

In this paper, we propose an improved conference-key agreement protocol, called Dynamic Conference-Key Agreement Protocol (DCKAP). DCKAP uses a modified form of Tseng's protocol [5] as the Initial Conference-Key Agreement Protocol (ICKAP) and has new Auxiliary Conference-Key Agreement (ACKA) operations for dynamic group management. DCKAP has better fault correction with respect to Tseng's protocol. Because the security of Tseng's protocol is preserved and key freshness is guaranteed by the ACKA operations, DCKAP is resistant against known attacks.

The rest of the paper is organized as follows. In the next section, the general mathematical definitions are given. Section 3 covers related work on conference-key agreement protocols and their dynamic group applications. In Section 4, we introduce DCKAP. Security and performance analyses are in Section 5. The study concludes in Section 6.

2. PRELIMINARIES
In this section, we give general definitions and properties of conference-key agreement protocols.

Definition 1. Participant, participant set and their properties:
- Each conference participant is an entity and is denoted as $U_i$.
- The participant list is represented as $\langle U_1, U_2, \ldots, U_n \rangle$. The list is circular, so that $U_{n+i} = U_i$ for $1 \le i \le n$. Each participant knows all participants and the order of the participants.
- Participants in a conference session can be categorized into two groups. If a participant fully follows the protocol, it is called an honest participant; if a participant tries to make the other participants miscalculate the key, it is called a malicious participant.

Definition 2 (Forward confidentiality [11]). Subsequent conference keys cannot be obtained by participants who left the conference session.

Definition 3 (Backward confidentiality [11]). Former conference keys cannot be obtained by participants who joined the conference session.

O. Ermiş et al.

Definition 4 (Key freshness). If a conference-key agreement protocol achieves both backward confidentiality and forward confidentiality, then the key generated by using this protocol is called fresh.

3. OVERVIEW OF CONFERENCE-KEY EXCHANGE PROTOCOLS
The key exchange protocol was first reported in [12]. However, this protocol was designed only for two participants to agree on a common key. Later, in [13], the first conference-key distribution protocol was proposed on the basis of the assumption in the Diffie–Hellman key exchange. Because they are the milestones of multi-party security in cryptography, there exist various implementations of conference/group key exchange protocols in the literature. A more detailed work on key agreement protocols, from two-party key agreement to multi-party key agreement, is given in [14]. In Table I, the comparison of the previously proposed protocols and our proposed protocol is listed with respect to the important features of conference-key agreement protocols. The criteria used to compare protocol properties in Table I are as follows:
(i) Authentication: If the protocol contains a mechanism to detect whether a participant is a member of the conference or not, then this protocol is called an authenticated protocol. Otherwise, it is called a non-authenticated protocol.
(ii) Fault tolerance: This property is used to detect faulty broadcast messages during the communication of participants. If a fault exists, then the owner of the message is marked as a possible malicious participant. In the fault detection and correction steps, the faulty messages are re-verified. According to this verification, the participant is excluded from the set of participants.
(iii) Forward secrecy: This property is used to protect the conference key against compromises of produced conference keys, such as the compromise of a participant's long-term key.
(iv) Dynamic settings: The protocols are compared according to the dynamic group operations. The numbers given for each protocol are the total number of operations per protocol. There exist four dynamic group operations in the literature: single or mass join, single or mass leave, merging groups, and dividing groups into sub-groups.
(v) Key freshness: This criterion is used to decide whether the generated key is fresh or not.
As seen in Table I, we have compared DCKAP with other protocols in the literature. According to these comparisons, only DCKAP provides all of the basic security properties of conference-key agreement protocols with


Table I. Comparison of protocol properties.

Protocol | Authenticated | Fault tolerance | Forward secrecy | Number of dynamic operations | Key freshness
Burmester and Desmedt (1994) [15] | Yes | No | No | NA | No
Steiner et al. (1996) [16] | No | No | No | NA | No
Li and Pieprzyk (1999) [17] | Yes | Yes | No | NA | Yes
Tzeng and Tzeng (2000) [18] | Yes | Yes | No | NA | Yes
Foss (2000) [19] | Yes | No | No | 2 | Yes
Horng (2001) [20] | No | No | Yes | NA | Yes
Tzeng (2002) [1] | Yes | Yes | No | NA | Yes
Boyd and Nieto (2003) [21] | Yes | Yes | No | NA | Yes
Shi et al. (2004) [4] | Yes | Partial | No | 1 | Yes
Tseng (2005) [5] | Yes | Yes | Yes | NA | Yes
Steiner et al. (2005) [8] | Yes | No | No | NA | No
Tseng (2007) [11] | Yes | Yes | Yes | 2 | No
Chang et al. (2007) [22] | No | Partial | No | NA | Partial
Katz and Yung (2007) [23] | Yes | No | Yes | NA | Yes
Huang et al. (2009) [3] | Yes | Yes | No | NA | Yes
Wu et al. (2009) [24] | Yes | Yes | No | NA | Yes
Wang (2012) [25] | Yes | Yes | No | NA | Yes
Zhao et al. [6] | Yes | Yes | Yes | NA | Yes
Cheng et al. (2013) [7] | Yes | Yes | No | 2 | Yes
Chung (2013) [26] | Yes | No | Yes | 2 | Yes
DCKAP | Yes | Yes | Yes | 4 | Yes

DCKAP, Dynamic Conference-Key Agreement Protocol.

dynamic group operations. On the other hand, some of the protocols given in Table I have properties similar to DCKAP. The protocols in [19,26] do not provide the fault-tolerance property and may fail to protect the correct calculation of the conference key if a malicious attempt occurs. The protocols in [7,19] do not provide forward secrecy. In these protocols, the distribution of the sub-key is realized by using the key pair that was distributed by the server. For this reason, if the key pair of any participant is compromised, the group keys that are generated with this key pair are compromised. In the case of dynamic group operations, [7] and [26] only provide mechanisms for join and leave operations. Therefore, if a merge or divide condition arises, the total effort for updating the conference key is almost equal to the effort of executing the protocol for the whole participant set. Because no such operation is defined, the protocol in [19] does not provide an efficient solution for leave and divide operations other than re-executing the protocol. A detailed performance analysis of further operations is given in the subsequent sections.

4. A DYNAMIC CONFERENCE-KEY AGREEMENT PROTOCOL
In this section, we present DCKAP. DCKAP consists of two parts, the ICKAP and the ACKA operations.

Definition 5 (Public parameters). The DCKAP uses the following public parameters on the basis of [5], as an extended definition in [27], in which the decisional Diffie–Hellman (DDH) problem is believed to be intractable.
- $p = 2q + 1$, where both $p$ and $q$ are large prime numbers.
- $g$ is a generator for the sub-group $G_q = \{ i^2 \mid i \in Z_p^* \}$.
- $M$ is the time-stamp against replay attacks.
- $H$ is a hash function.
- $V$ is an $n \times n$ verification matrix and is used to determine the result of verifications. Each entry of this matrix can be either ‘failure’ or ‘success’.

Definition 6 (Long-term keys). Each participant $U_i$ has a public–private key pair:
- $x_i \in Z_q^*$ is the private key, and only the participant $U_i$ knows the private key.
- $y_i$ is the public key and is calculated as $y_i = g^{x_i} \bmod p$.

4.1. Initial conference-key agreement protocol
This section introduces the improved version of the protocol in [5]. The sub-key generation of Tseng's protocol is modified to handle ACKA operations and efficient fault correction.

Definition 7 (The verification matrix). Let $U = \{U_1, U_2, \ldots, U_n\}$ be the set of participants. During the execution of the protocol, a participant $U_j$ that has at least one verification matrix entry $V_{i,j} = $‘failure’, for $1 \le i \le n$ and $i \neq j$, is defined as a potential malicious participant until its malicious behavior is proved in the fault detection and correction step. Otherwise, the participant is defined as an honest participant.

Steps of the ICKAP are as follows:
Step 1. Temporary public-key distribution:
Step 1.1. Each participant $U_i \in U$ randomly selects short-term secret keys $t_i$ and $v_i \in Z_q^*$.
Step 1.2. Then, $U_i$ computes and broadcasts the following parameters:
$$T_i = g^{t_i} \bmod p, \quad A_i = g^{v_i} \bmod p, \quad B_i = v_i^{-1}\,(H(T_i, M) - A_i x_i) \bmod q$$
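Why the two commitment checks of ICKAP accept honestly formed messages, worked out with the paper's own symbols (an added derivation, not part of the original text). Because $g$ has order $q$, exponents may be reduced modulo $q$, and $B_i = v_i^{-1}(H(T_i, M) - A_i x_i) \bmod q$ gives $v_i B_i \equiv H(T_i, M) - A_i x_i \pmod q$, so

$$y_i^{A_i} A_i^{B_i} = g^{x_i A_i} \cdot g^{v_i B_i} = g^{x_i A_i + H(T_i, M) - A_i x_i} = g^{H(T_i, M)} \pmod p.$$

In the same way, the step 2 commitment $\delta_i = S_i^{-1}(H(K_i, M) - \gamma_i x_i) \bmod q$ with $\gamma_i = g^{S_i} \bmod p$ satisfies

$$y_i^{\gamma_i} \gamma_i^{\delta_i} = g^{x_i \gamma_i} \cdot g^{S_i \delta_i} = g^{x_i \gamma_i + H(K_i, M) - \gamma_i x_i} = g^{H(K_i, M)} \pmod p.$$

A substituted $T_i$ or a sub-key $K_i'$ reconstructed from inconsistent shares changes the hash input, so the equality fails unless $H$ happens to collide modulo $q$, which is why a wrong value is caught by the verifier and recorded in $V$.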

Step 2. Secret distribution and commitment: Upon receiving all $(T_j, A_j, B_j)$, $1 \le j \le n$, $j \neq i$:
Step 2.1. Each participant $U_i$ checks that $T_j$ is really issued by $U_j$ by using the equation $g^{H(T_j, M)} = y_j^{A_j} A_j^{B_j} \bmod p$.
Step 2.2. Then, $U_i$ validates whether $T_j$ is a generator of the sub-group $G_q$ by checking $2 \le T_j \le p - 1$ and $T_j^{q} \bmod p = 1$.
Step 2.3. If these two checks hold, the sub-key is generated as $K_i = (g^{t_i t_{i+1}} \bmod p) \bmod q$, and $R_i \in Z_q$ and $S_i \in Z_q^*$ are randomly selected.
Step 2.4. Otherwise, $U_i$ broadcasts $V_{i,j} = $‘failure’ and goes to step 4 for fault detection and correction.
Step 2.5. $U_i$ constructs a polynomial $h_i(x)$ (over $Z_q$) with degree $n$ that passes through the points $(j, (T_j^{R_i} \bmod p) \bmod q)$, $1 \le j \le n$, and $(0, K_i)$. Then, $U_i$ computes and broadcasts the following:
$$\omega_{i,j} = h_i(n + j) \bmod q,\ 1 \le j \le n, \quad \alpha_i = g^{R_i} \bmod p, \quad \gamma_i = g^{S_i} \bmod p, \quad \delta_i = S_i^{-1}\,(H(K_i, M) - \gamma_i x_i) \bmod q$$

Step 3. Sub-key computation and verification: Upon receiving $\omega_{j,l}$, $1 \le l \le n$, and $\alpha_j$, $\gamma_j$, $\delta_j$:
Step 3.1. Each participant $U_i$ uses his or her short-term secret key $t_i$ to reconstruct the polynomial $h'_j(x)$ (over $Z_q$) with degree $n$ that passes through the points $(n + l, \omega_{j,l})$, $1 \le l \le n$, and $(i, (\alpha_j^{t_i} \bmod p) \bmod q)$.
Step 3.2. Let $K'_j = h'_j(0) \bmod q$. Then, $U_i$ checks whether $g^{H(K'_j, M)} = y_j^{\gamma_j} \gamma_j^{\delta_j} \bmod p$ holds or not. If the verifications hold, $U_i$ broadcasts $V_{i,j} = $‘success’. Otherwise, $U_i$ broadcasts $V_{i,j} = $‘failure’ and goes to step 4 for fault detection and correction.

Step 4. Fault detection and correction: The broadcast messages of participants are verified in both the temporary public-key distribution step and the secret distribution and commitment step. According to these verifications, fault detection and correction is applied for each broadcast message. Each participant pair $U_i$ and $U_j$ is marked as possible malicious participants if there exists a value $V_{i,j} = $‘failure’ in the verification matrix. The broadcast messages of possible malicious participants are re-verified by honest participants. The rules for fault detection are as follows:
Step 4.1. Any participant $U_k$ that broadcasts a message $V_{k,j} = $‘failure’ cannot be the verifier in the second check of the broadcast message of $U_j$, whether it is honest or not.
Step 4.2. A participant $U_j$ with verification value $V_{k,j} = $‘failure’ is removed from $U$ if, after the re-verification of its broadcast messages by an honest participant $U_l$, where $1 \le l \le n$, $l \neq k$ and $l \neq j$, the verification result is still $V_{l,j} = $‘failure’. Otherwise, $U_k$ is removed from $U$.
Step 4.3. For each removed malicious participant $U_j$, $U_{j-1}$ (if it is not a malicious participant) randomly selects a new temporary key and re-executes the DCKAP from step 1. According to the new broadcast messages, $U_{j-2}$ re-executes the DCKAP from step 2.

Step 5. Conference-key computation: After the execution of the fault detection and correction step, malicious participants are removed from the conference session. Each participant calculates the conference key according to the new set of participants, $U' = \{U_1, U_2, \ldots, U_m\}$, as follows:
$$K' = (K_1 K_2 \cdots K_{m-1} K_m \bmod p) \bmod q = \left(g^{t_1 t_2 + t_2 t_3 + \cdots + t_{m-1} t_m + t_m t_1} \bmod p\right) \bmod q$$
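A toy end-to-end run of ICKAP steps 1 to 3 and 5, added here as an example and not taken from the paper: it searches for a constructed safe prime $p = 2q + 1$ of about 21 bits, takes SHA-256 reduced modulo $q$ as the hash $H$ (an assumption; the paper only names $H$), uses a constructed time-stamp $M$, and also exercises the failure mode of step 3.2, where a participant whose polynomial shares do not match its committed sub-key is flagged in the verification matrix $V$. All function names are the example's own.

```python
import hashlib
import math
import random

def is_prime(n):
    """Exact trial division; fine for the toy sizes used here."""
    return n >= 2 and all(n % d for d in range(2, math.isqrt(n) + 1))

def safe_prime_q(start):
    """Smallest q >= start with q and p = 2q + 1 both prime (Definition 5's p)."""
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return q

# Constructed toy parameters: p = 2q + 1; g = 2^2 is a quadratic residue, so it generates G_q.
Q = safe_prime_q(10**6)
P = 2 * Q + 1
G = 4
M = "2014-08-11T10:00:00Z"      # constructed time-stamp M against replay

def H(*parts):
    """Hash H into Z_q (assumption: SHA-256 of the joined inputs, reduced mod q)."""
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def lagrange_at(points, x):
    """Value at x of the unique polynomial over Z_q through `points` (distinct x's)."""
    total = 0
    for j, (xj, yj) in enumerate(points):
        num = den = 1
        for k, (xk, _) in enumerate(points):
            if k != j:
                num, den = num * (x - xk) % Q, den * (xj - xk) % Q
        total = (total + yj * num * pow(den, -1, Q)) % Q
    return total

def step1(xi, rng):
    """Step 1: U_i picks t_i, v_i in Z_q^* and broadcasts (T_i, A_i, B_i)."""
    ti, vi = rng.randrange(1, Q), rng.randrange(1, Q)
    Ti, Ai = pow(G, ti, P), pow(G, vi, P)
    Bi = pow(vi, -1, Q) * (H(Ti, M) - Ai * xi) % Q
    return ti, (Ti, Ai, Bi)

def verify_step1(yj, msg):
    """Steps 2.1-2.2: g^H(T_j,M) = y_j^A_j A_j^B_j (mod p) and T_j lies in G_q."""
    Tj, Aj, Bj = msg
    sig_ok = pow(G, H(Tj, M), P) == pow(yj, Aj, P) * pow(Aj, Bj, P) % P
    return sig_ok and 2 <= Tj <= P - 1 and pow(Tj, Q, P) == 1

def step2(i, n, ti, xi, T, rng):
    """Steps 2.3-2.5: K_i = (T_{i+1}^{t_i} mod p) mod q, hidden in a degree-n polynomial."""
    Ki = pow(T[i % n + 1], ti, P) % Q          # circular list: U_{n+1} = U_1
    Ri, Si = rng.randrange(0, Q), rng.randrange(1, Q)
    pts = [(0, Ki)] + [(j, pow(T[j], Ri, P) % Q) for j in range(1, n + 1)]
    omega = {j: lagrange_at(pts, n + j) for j in range(1, n + 1)}
    alpha, gamma = pow(G, Ri, P), pow(G, Si, P)
    delta = pow(Si, -1, Q) * (H(Ki, M) - gamma * xi) % Q
    return Ki, (omega, alpha, gamma, delta)

def step3(i, n, ti, yj, msg):
    """Steps 3.1-3.2: U_i recovers K'_j from U_j's shares and checks the commitment."""
    omega, alpha, gamma, delta = msg
    pts = [(n + l, omega[l]) for l in range(1, n + 1)]
    pts.append((i, pow(alpha, ti, P) % Q))     # alpha_j^{t_i} = T_i^{R_j}: U_i's own point
    Kj = lagrange_at(pts, 0)
    ok = pow(G, H(Kj, M), P) == pow(yj, gamma, P) * pow(gamma, delta, P) % P
    return Kj, ok

def conference_key(subkeys):
    """Step 5: K' = (K_1 K_2 ... K_m mod p) mod q."""
    prod = 1
    for k in subkeys:
        prod = prod * k % P
    return prod % Q

def run_ickap(n=4, seed=1, cheater=None):
    """Honest run, or one where `cheater` corrupts its omega shares (a wrong sub-key).
    Returns (conference key computed by each U_i, verification matrix V[(verifier, subject)])."""
    rng = random.Random(seed)
    x = {i: rng.randrange(1, Q) for i in range(1, n + 1)}   # long-term private keys x_i
    y = {i: pow(G, x[i], P) for i in x}                      # public keys y_i = g^x_i mod p
    t, bc1 = {}, {}
    for i in x:
        t[i], bc1[i] = step1(x[i], rng)
    V = {(i, j): verify_step1(y[j], bc1[j]) for i in x for j in x if i != j}
    T = {i: bc1[i][0] for i in x}
    K, bc2 = {}, {}
    for i in x:
        K[i], bc2[i] = step2(i, n, t[i], x[i], T, rng)
    if cheater is not None:                                  # tamper with U_cheater's shares
        omega, rest = bc2[cheater][0], bc2[cheater][1:]
        bc2[cheater] = ({j: (w + 1) % Q for j, w in omega.items()},) + rest
    keys = []
    for i in x:
        recovered = {i: K[i]}
        for j in x:
            if j != i:
                recovered[j], ok = step3(i, n, t[i], y[j], bc2[j])
                V[(i, j)] = V[(i, j)] and ok                 # any failed check: V_ij = 'failure'
        keys.append(conference_key([recovered[j] for j in x]))
    return keys, V
```

In the honest run every $V_{i,j}$ is ‘success’ and all four participants derive the same key; with a cheater, every other participant records ‘failure’ for it while all other entries stay ‘success’, which is the input step 4 works from.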


In case of an update of the conference key, participants may re-execute ICKAP to generate new temporary keys. Because the temporary private keys are selected randomly, such operations are called re-randomization. The formal definition of re-randomization is as follows:

Definition 8 (Re-randomization). Let $U_i \in U$ be a participant that has already been involved in the execution of ICKAP with temporary public–private key pair $(g^{t_i} \bmod p,\ t_i)$. The re-execution of ICKAP by $U_i$ to obtain a new key pair $(g^{t_i'} \bmod p,\ t_i')$, where $t_i \neq t_i'$, is called re-randomization.

Tseng's protocol was designed for static groups, so any modification of the participant set (e.g. fault correction) results in the re-execution of the protocol. If the participant set changes frequently, the participants spend most of their time on protocol execution, and the performance of the protocol decreases. In DCKAP, Tseng's protocol has been modified: the short-term secret generation is realized by the equation $K_i = g^{t_i t_{i+1}} \bmod p$ instead of random selection. The modified equation provides a relationship among consecutive participants. Using this relationship, it is possible to update the conference key without re-executing the protocol. So, in DCKAP, any single change causes at most two protocol re-executions, which provides better performance in the fault-correction step. Further details are given in Section 6. In order to provide better performance in fault correction, this approach is extended to the other dynamic group operations, which are defined as ACKA operations throughout the paper.

4.2. Auxiliary conference-key agreement operations
Dynamic group operations are used to update the conference key of a session without re-executing the protocol for each participant in the set of participants. In this study, these operations are called ACKA operations, which provide the following functionalities: (i) participant join; (ii) participant leave; (iii) merge conference sessions; and (iv) divide a session into sub-conference sessions. For each possible modification of the participant set, at least one participant re-randomizes its sub-secret by re-executing ICKAP. Details of the ACKA operations are given in the following sub-sections.

4.2.1. Join operation. The participant join operation is used to handle the mass and single join of new participants into a previously established conference session. Let $m \ge 1$ be the number of joining participants for the participant set $U = \{U_1, U_2, \ldots, U_n\}$. Then, the resulting participant set is $U = \{U_1, U_2, \ldots, U_{n-1}, U_n, U_{n+1}, \ldots, U_{n+m-1}, U_{n+m}\}$. The procedure for the join operation is as follows:

Step J.1. $U_i \in \{U_1, U_2, \ldots, U_{n-1}\}$ broadcasts the messages of steps 1 and 2 of the previous DCKAP execution. The participant $U_{n-1}$ only broadcasts its message of step 1, $(T_{n-1}, A_{n-1}, B_{n-1})$.
Step J.2. $U_i \in \{U_n, U_{n+1}, \ldots, U_{n+m}\}$ executes step 1 of ICKAP. So, $U_n$ re-randomizes its temporary key, and all participants $U_i \in \{U_{n+1}, \ldots, U_{n+m}\}$ generate their temporary public keys, giving $g^{t_n'}, g^{t_{n+1}}, g^{t_{n+2}}, \ldots, g^{t_{n+m}}$, respectively. Then, each participant $U_i \in \{U_{n+1}, \ldots, U_{n+m}\}$ broadcasts the new messages $(T_i, A_i, B_i)$ for $n \le i \le n + m$.
Step J.3. After the verification of the first step is completed, if no fault occurs, each $U_i \in \{U_{n-1}, U_n, U_{n+1}, \ldots, U_{n+m}\}$ executes step 2 of ICKAP. The participant $U_{n-1}$ has to execute this step because the participant $U_n$ re-randomized its temporary key in the previous step. So, the participants in $\{U_{n-1}, U_n, U_{n+1}, \ldots, U_{n+m}\}$ have the corresponding sub-secrets $(g^{t_{n-1} t_n'} \bmod p) \bmod q$, $(g^{t_n' t_{n+1}} \bmod p) \bmod q$, $(g^{t_{n+1} t_{n+2}} \bmod p) \bmod q$, $\ldots$, $(g^{t_{n+m-1} t_{n+m}} \bmod p) \bmod q$. At the end of this step, each participant $U_i \in \{U_{n-1}, \ldots, U_{n+m}\}$ broadcasts the messages $(\omega_{i,1}, \omega_{i,2}, \omega_{i,3}, \ldots, \omega_{i,n-1}, \omega_{i,n}, \omega_{i,n+1}, \ldots, \omega_{i,m+n-1}, \omega_{i,m+n}, \alpha_i, \gamma_i, \delta_i)$.
Step J.4. Then, if no error occurs during the verification of the second broadcast messages, each participant $U_i \in \{U_1, U_2, \ldots, U_{n+m}\}$ calculates the conference key as follows:
$$K' = (K_1 K_2 \cdots K_n' \cdots K_{n+m} \bmod p) \bmod q = \left(g^{t_1 t_2 + \cdots + t_{n-1} t_n' + t_n' t_{n+1} + \cdots + t_{m+n} t_1} \bmod p\right) \bmod q$$

4.2.2. Leave operation. This operation is used to re-randomize the conference key in case of a single or mass leave. By using this operation, it is possible to update the key without re-executing ICKAP for each participant in the session. If the set $U' = \{U_1, \ldots, U_m\}$, where $U' \subseteq U$ and $|U'| \ge 1$, is the set of leaving participants, then the procedure for the leave operation is as follows:
Step L.1. If $|U| - |U'| < 2$, cancel the conference key computation.
Step L.2. For each participant $U_{j-1}$ with $U_j \in U'$:
Step L.2.1. If $U_j$ is the leaving participant, $U_{j-1} \in U - U'$ re-executes step 1 of ICKAP. Then, $U_{j-1} \in U - U'$ generates a new temporary key $g^{t_{j-1}} \bmod p$ and broadcasts the new step 1 message $(T_i, A_i, B_i)$.


Step L.2.2. Otherwise, if $U_{j+1}$ is the leaving participant, $U_{j-1}$ waits for the re-randomization in step L.2.1. If no fault occurs in the verification of the new broadcast messages, then each $U_j$ and $U_{j-1} \in U - U'$ execute step 2 of ICKAP, generate the new sub-secret values according to the new temporary keys and broadcast the messages $(\omega_{i,j}, \alpha_i, \gamma_i, \delta_i)$.
Step L.3. Upon receiving the new broadcast messages, if no faults are detected, all of the participants in the modified set, $U - U'$, calculate the conference key by using the new sub-key values as given in ICKAP.

4.2.3. Merge operation. Merging conference sessions is another dynamic group operation for conference-key agreement protocols. Assume that there exist $k$ sessions, where $k > 2$, such that the participants of each session have agreed on a key by using ICKAP. If these sessions are merged to form a bigger session, then the conference key is re-randomized by using the following procedure. Let $U = \{U_1, U_2, \ldots, U_k\}$ be the set of participant sets to be merged. Each participant $U_i \in U$ does the following:
Step M.1. If $U_i$ is the last participant of any participant set $U_j$, where $1 \le j \le k$, then this participant re-executes step 1 of ICKAP and broadcasts the message $(T_i', A_i', B_i')$.
Step M.2. Otherwise, each $U_i$ just broadcasts the messages that he or she generated in his or her previous session.
Step M.3. If no fault occurs for the broadcast messages, then, in the execution of step 2 of ICKAP, if the participant $U_i \in U_t$ is located just before the last participant or is the last participant in its participant list, this participant executes step 2 of ICKAP.
Step M.4. Otherwise, each participant broadcasts the existing step 2 messages of the previous execution of ICKAP.
Step M.5. In case of malicious attempt detection, the fault detection and correction procedure is applied for each new broadcast message.
Step M.6. Finally, all honest participants calculate the conference key by using the new sub-keys and by following step 5 of ICKAP.

4.2.4. Divide operation. The last dynamic group operation is dividing a conference session into sub-sessions. In this operation, the set of participants of a session is divided into sub-sets. The procedure is as follows:

Assume that $U_1, U_2, \ldots, U_k$ are the sets of participants after division. Each participant $U_i \in U_j$, where $1 \le j \le k$, does the following:
Step D.1. Each participant $U_i$ checks the participants $U_{i+1}$ and $U_{i+2}$ of $U$ before division.
Step D.1.1. If they are in the same session after division, then $U_i$ does nothing.
Step D.1.2. If $U_i \in U_j$ and $U_{i+1} \in U_t$, where $t \neq j$, then $U_i$ re-executes ICKAP from step 1.
Step D.1.3. If $U_{i+2} \in U_j$ and $U_i, U_{i+1} \in U_t$, where $t \neq j$, then $U_i$ re-executes ICKAP from step 2.
Step D.2. If any fault occurs during the execution of the procedure, then the fault detection and correction step (step 4 of ICKAP) is applied.
Step D.3. At the end of the divide operation, honest participants calculate the conference key according to their sessions.
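The four ACKA operations of Sections 4.2.1 to 4.2.4 tracked at the level of the sub-key exponents $t_i t_{i+1}$ (an added example, not the paper's code): it records each participant's temporary secret, applies the paper's re-randomization rule for join, leave, merge and divide, and reports which sub-keys, and hence which step 2 messages, have to be regenerated, which is the "at most two re-executions per change" claim of Section 4.1 made concrete. Participant ids, the seed and the 62-bit toy range for $t$ are constructed; the actual group element $K_i = (g^{t_i t_{i+1}} \bmod p) \bmod q$ is not computed because only the change pattern matters here.

```python
import random

def subkey_exponents(ring):
    """ring: [(uid, t_uid), ...] in circular order. Returns {uid: t_uid * t_next}, the exponent
    of U_uid's sub-key K = (g^{t_i t_{i+1}} mod p) mod q; enough to see which sub-keys change."""
    n = len(ring)
    return {uid: t * ring[(k + 1) % n][1] for k, (uid, t) in enumerate(ring)}

def key_exponent(ring):
    """Exponent of the conference key, t_1 t_2 + t_2 t_3 + ... + t_m t_1 (step 5 of ICKAP)."""
    return sum(subkey_exponents(ring).values())

def changed(old, new_ring):
    """Participants that must (re)run step 2: their sub-key is new or differs from `old`."""
    new = subkey_exponents(new_ring)
    return sorted(u for u in new if u not in old or new[u] != old[u])

def fresh(rng):
    """Re-randomization (Definition 8): a new temporary secret t (constructed 62-bit toy range)."""
    return rng.getrandbits(62) | 1

def join(ring, newcomers, rng):
    """Join (J.1-J.4): U_n re-randomizes; newcomers run step 1 and are appended after U_n."""
    last_uid = ring[-1][0]
    return ring[:-1] + [(last_uid, fresh(rng))] + [(u, fresh(rng)) for u in newcomers]

def leave(ring, leaving, rng):
    """Leave (L.1-L.3): the nearest remaining predecessor of each leaving participant re-randomizes."""
    n = len(ring)
    if n - len(leaving) < 2:
        raise ValueError("conference key computation cancelled (step L.1)")
    ring = list(ring)
    for k, (uid, _) in enumerate(ring):
        if uid in leaving:
            pred = (k - 1) % n
            while ring[pred][0] in leaving:          # U_{j-1} must be in U - U'
                pred = (pred - 1) % n
            ring[pred] = (ring[pred][0], fresh(rng))
    return [(u, t) for u, t in ring if u not in leaving]

def merge(sessions, rng):
    """Merge (M.1-M.6): the last participant of every session re-randomizes; lists concatenate."""
    out = []
    for s in sessions:
        out += s[:-1] + [(s[-1][0], fresh(rng))]
    return out

def divide(ring, groups, rng):
    """Divide (D.1-D.3): U_i re-randomizes iff its old successor U_{i+1} lands in another session."""
    n, out = len(ring), []
    for g in groups:
        session = []
        for k, (uid, t) in enumerate(ring):
            if uid in g:
                succ = ring[(k + 1) % n][0]
                session.append((uid, t if succ in g else fresh(rng)))
        out.append(session)
    return out

def demo(seed=7):
    """Constructed six-party session U_1..U_6; reports which sub-keys each operation regenerates."""
    rng = random.Random(seed)
    ring = [(u, fresh(rng)) for u in range(1, 7)]
    old = subkey_exponents(ring)
    after_leave = leave(ring, {3}, rng)
    sessions = [ring[:3], ring[3:]]                   # two independent sessions to merge
    old_two = {**subkey_exponents(sessions[0]), **subkey_exponents(sessions[1])}
    return {
        "leave U_3": changed(old, after_leave),
        "join U_7,U_8": changed(old, join(ring, [7, 8], rng)),
        "merge": changed(old_two, merge(sessions, rng)),
        "divide": [changed(old, s) for s in divide(ring, [{1, 2, 3}, {4, 5, 6}], rng)],
        "key changed after leave": key_exponent(after_leave) != key_exponent(ring),
    }
```

For the leave of $U_3$ only $U_2$ (step 1) and $U_1$ (step 2) regenerate sub-keys; for a join of two participants $U_5$, $U_6$ and the newcomers do; for a merge the last and second-to-last member of each session do; for a divide the same pattern appears inside each new session.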

5. SECURITY ANALYSIS
In this section, we give the security analysis of DCKAP. First, we show that ICKAP, together with the ACKA operations, provides the same security properties and the same resistance against known attacks as [1] and [5]. Moreover, we prove that the ACKA operations are resistant against the attack proposed in [28].

5.1. Correctness, fault tolerance and forward secrecy
The correctness property is used to show that if all of the participants follow the protocol, then each participant calculates the correct key, as mentioned in [1]. DCKAP provides the correctness property for the participant set $U = \{U_1, U_2, \ldots, U_n\}$ as follows.

Theorem 9 (Correctness). If all of the participants in $U$ fully follow the protocol, then the key computed by ICKAP is common.

Proof. Each $U_j \in U$ can verify the broadcast messages $(T_i, A_i, B_i, M)$ of $U_i$ in step 2 of ICKAP by using the verification equations $g^{H(T_j, M)} = y_j^{A_j} A_j^{B_j} \bmod p$, $T_j^{q} \bmod p = 1$ and $2 \le T_j \le p$. Because, for fixed $A_j$, $H(T_j, M) \in Z_q$ is unique, a received temporary key $T_i$ must be the same for all participants. After the verification of the temporary key, each $U_j$ computes the sub-secret $K_j = (g^{t_j t_{j+1}} \bmod p) \bmod q$ and broadcasts the message $(\omega_{j,1}, \omega_{j,2}, \omega_{j,3}, \ldots, \omega_{j,n}, \alpha_j, \gamma_j, \delta_j)$. Then, each $U_k \in U$ computes and verifies $K_j$ for each participant as described in step 3 of ICKAP. Because $H(K_i, M) \in Z_q$ is unique for fixed $\gamma_i$ and $\delta_i$, all participants compute the same $K_i$. Thus, the conference key computed by the participants is common.

In the case of the ACKA operations, we assume that there exists a correct conference key, which was generated by using ICKAP. The key updated as a result of an ACKA operation is correct on the basis of the following corollary.

Corollary 10 (Correctness for ACKA operations). If all participants, including the new participants in join and merge operations, are honest and the conference key was correctly calculated by ICKAP, then correctness is preserved after the ACKA operations.

Proof. Assume that $U = \{U_1, U_2, \ldots, U_n\}$ is the set of participants. Then, the participants that execute ICKAP perform the following operations:
Join: Each new participant $U_i \in \{U_{n+1}, \ldots, U_{n+m}\}$ and $U_n$ execute ICKAP from step 1, and the participant $U_{n-1}$ executes ICKAP from step 2.
Leave: For each leaving participant $U_i$, the participant $U_{i-1}$ executes ICKAP from step 1, and the participant $U_{i-2}$ executes ICKAP from step 2.
Merge: Let $U = \{U_1, U_2, \ldots, U_k\}$ be the conference sessions to be merged; the last participants of each session execute ICKAP from step 1. The participants that are located just before the last participant of each session execute ICKAP from step 2.
Divide: For each participant $U_i \in U$, if $U_i$ is not in the same session as $U_{i+1}$ after the divide operation, then $U_i$ re-executes ICKAP from step 1. Otherwise, if $U_i, U_{i+1} \in U_k$ and $U_{i+2} \notin U_k$ after the divide operation, then $U_i$ re-executes ICKAP from step 2.
Because, for fixed $A_i$, $H(T_j, M) \in Z_q$ is unique and, for fixed $\gamma_i$ and $\delta_i$, $H(K_i, M) \in Z_q$ is unique, all of the participants compute the same updated key. Thus, the correctness property is preserved for the ACKA operations.

Another important property for the security analysis of DCKAP is fault tolerance. Fault tolerance is used to detect and correct malicious attempts during the execution of a conference-key agreement protocol and is defined in [1]. Tzeng also proposed a detailed analysis for the protocol in the same study. For this analysis, we extend the same assumption to two broadcast messages.

Theorem 11 (Fault tolerance). A conference-key agreement protocol has the fault-tolerance property if the following two conditions do not hold:
(i) A malicious participant can cheat the honest participants by sending wrong key values, and

(ii) A malicious participant can cheat the honest participants by identifying an honest participant as a possible malicious participant.

Proof. For the first case, assume that the participant $U_i$ is a malicious participant. If $U_i$ tries to cheat other participants in step 1 of ICKAP, then the broadcast messages $(T_i, A_i, B_i, M)$ are verified by the other participants in the session with $g^{H(T_i, M)} = y_i^{A_i} A_i^{B_i} \bmod p$, $T_i^{q} \bmod p = 1$ and $2 \le T_i \le p$. If the $T_i$ value of $U_i$ is wrong, then for all participants at least one of the aforementioned checks cannot hold. If $U_i$ tries to cheat in step 2 of ICKAP, the broadcast message $(\omega_{i,1}, \omega_{i,2}, \omega_{i,3}, \ldots, \omega_{i,n}, \alpha_i, \gamma_i, \delta_i)$ is verified by the other participants with $g^{H(K_i', M)} = y_i^{\gamma_i} \gamma_i^{\delta_i} \bmod p$. If the $K_i$ value of $U_i$ is wrong, then for all participants the aforementioned check cannot hold. If any malicious attempt of $U_i$ is detected for either its first or its second broadcast message, this participant is marked as a possible malicious participant by using the verification matrix, $V_{j,i} = $‘failure’ for all $1 \le j \le n$ and $i \neq j$. Thus, it is not possible to cheat participants by sending wrong key values in ICKAP. If a participant $U_i$ is marked with $V_{j,i} = $‘failure’ by participant $U_j$ and there exists a contrary value $V_{k,i} = $‘success’ for some participant $U_k$, this participant's broadcast messages are re-verified by another participant $U_l$. According to the re-verification, if $U_i$ is malicious, then this participant will be excluded from the key computation. Otherwise, $U_j$ will be excluded. Thus, it is not possible to identify an honest participant as a malicious participant in ICKAP. Because these two conditions hold, ICKAP satisfies the fault-tolerance property.

The aforementioned proof shows that if a key agreement protocol has a fault detection and correction step for broadcast messages, then the fault-tolerance property is provided. The same condition holds for the ACKA operations. There exist at most four types of broadcast messages according to the definitions of the ACKA operations:
- Existing broadcast messages of a participant,
- New broadcast messages of an existing participant after re-randomization,
- New broadcast messages of a newly joining participant after its first protocol execution, and
- Existing broadcast message for step 1 and new broadcast message for step 2 if the subsequent participant is re-randomizing.
Because the fault detection and correction step executes for all cases listed earlier, the ACKA operations provide fault tolerance.

The last security property in this section is forward secrecy. Forward secrecy is used to protect the conference key against compromises of produced conference keys, such as the compromise of a participant's long-term key. To show that DCKAP provides forward secrecy, we extend Theorem 2 in [5] as follows.

O. Ermis¸ et al.

An improved CKAP for dynamic groups with efficient fault correction

Theorem 12 (Forward secrecy). The DCKAP provides forward secrecy under the difficulty of discrete logarithm problem. Proof. Assume that adversary A has the long-term key, xi of any participant Ui and A can obtain Ki from either (i , ıi ) or Ti and Ti+1 by using the messages obtained in any of ICKAP or ACKA operations. For the first case, ıi = Si–1 (H(Ki , M) – i xi ) mod q. It can be easily seen that ıi has two unknown variables Si and Ki . Therefore, it is computationally difficult to compute Si by solving i = gSi mod p because this is the discrete logarithm probti lem. For the second case, solving either  t tTi = g mod  p or t i i+1 i+1 Ti+1 = g mod p to obtain Ki = g mod p mod q is also discrete logarithm problem. So, A faces the difficulty of discrete logarithm problem again. Hence, DCKAP satisfies the forward secrecy property.
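The commitment check used in the fault-detection step and in the proof of Theorem 12 can be exercised directly. The following Python is an added example, not code from the paper or from any DCKAP implementation: it assumes toy parameters $p = 2039$, $q = 1019$ (both prime, $p = 2q + 1$) and $g = 4$, uses SHA-256 in place of the paper's unspecified one-way hash $H$, and replaces the real sub-keys $K_i$ with random stand-ins, since only the signature algebra is being demonstrated. It signs a sub-key with $(\gamma_i, \delta_i)$, verifies it with $g^{H(K_i, M)} = y_i^{\gamma_i} \gamma_i^{\delta_i} \bmod p$, and then runs the verification-matrix logic of the fault-tolerance proof: a unanimously rejected broadcast excludes its sender, while conflicting verdicts trigger a re-verification that excludes either the sender or the false accuser.

```python
import hashlib
import secrets
from typing import Optional, Set, Tuple

# Constructed toy parameters (not a secure size): p = 2q + 1 with both prime, and g = 2^2,
# a quadratic residue and hence a generator of the order-q subgroup G_q of Definition 5.
Q = 1019
P = 2 * Q + 1  # 2039
G = 4


def h_km(k: int, m: bytes) -> int:
    """H(K_i, M) reduced modulo q; SHA-256 stands in for the paper's one-way hash (assumption)."""
    digest = hashlib.sha256(k.to_bytes(8, "big") + m).digest()
    return int.from_bytes(digest, "big") % Q


def keygen() -> Tuple[int, int]:
    """Long-term key pair (x_i, y_i = g^{x_i} mod p)."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def sign_subkey(x: int, k: int, m: bytes) -> Tuple[int, int]:
    """Commitment to sub-key K_i: gamma_i = g^{S_i} mod p and
    delta_i = S_i^{-1} (H(K_i, M) - gamma_i x_i) mod q, with S_i random in Z_q^*."""
    s = secrets.randbelow(Q - 1) + 1
    gamma = pow(G, s, P)
    delta = (pow(s, -1, Q) * (h_km(k, m) - gamma * x)) % Q
    return gamma, delta


def verify_subkey(y: int, k: int, m: bytes, gamma: int, delta: int) -> bool:
    """The check every U_j runs on U_i's broadcast: g^{H(K_i, M)} == y_i^{gamma_i} gamma_i^{delta_i} (mod p)."""
    lhs = pow(G, h_km(k, m), P)
    rhs = pow(y, gamma, P) * pow(gamma, delta, P) % P
    return lhs == rhs


def fault_correction(n: int, faulty: Optional[int] = None,
                     lying_verifier: Optional[int] = None) -> Set[int]:
    """Simulate the verification matrix V[j][i] over n participants plus the re-verification rule.
    faulty: index of a participant whose broadcast (K_i, gamma_i, delta_i) is inconsistent (any
            wrong K_i fails the same check; delta_i is perturbed here so the outcome is deterministic).
    lying_verifier: index of a participant that records 'failure' for every other, honest broadcast.
    Returns the set of participants (0-indexed) excluded from the key computation."""
    m = b"session-constructed"
    keys = [keygen() for _ in range(n)]
    subkeys = [secrets.randbelow(Q) for _ in range(n)]  # stand-ins for the K_i values
    commits = [sign_subkey(x, k, m) for (x, _), k in zip(keys, subkeys)]
    if faulty is not None:
        gamma, delta = commits[faulty]
        commits[faulty] = (gamma, (delta + 1) % Q)  # no longer matches K_faulty

    def honest_check(i: int) -> bool:
        return verify_subkey(keys[i][1], subkeys[i], m, *commits[i])

    # V[j][i] is U_j's verdict on U_i's broadcast ('success' = True, 'failure' = False).
    V = [[False if (j == lying_verifier and i != j) else honest_check(i)
          for i in range(n)] for j in range(n)]
    excluded: Set[int] = set()
    for i in range(n):
        verdicts = {V[j][i] for j in range(n) if j != i}
        if verdicts == {True}:
            continue  # unanimously accepted
        if verdicts == {False}:
            excluded.add(i)  # unanimously rejected: wrong key values are always caught
            continue
        # Conflicting verdicts: a further participant U_l re-verifies U_i's broadcast.
        if not honest_check(i):
            excluded.add(i)  # U_i really was faulty
        else:
            # U_i is honest, so every accuser U_j is the one excluded
            excluded.update(j for j in range(n) if j != i and not V[j][i])
    return excluded
```

With three or more honest verifiers the matrix is unanimous whenever the broadcast is wrong, so the re-verification branch is reached only when some verifier has lied about an honest participant, which is exactly the case the proof says must not end with an honest participant excluded.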

5.2. Passive attacks

In the case of passive attacks, the attacker, who is not a member of the group, tries to obtain information from broadcast messages by eavesdropping on the communication among participants without knowing the secrets $x_i$ and $K_i$ of any participant $U_i$. Tseng extended the proof in [1], which is based on adopting the DDH assumption for the eavesdropping attack. According to this assumption, the transcripts of broadcast messages for any participant $U_i$ are $(T_i, A_i, B_i)$ and $(\omega_{i,1}, \omega_{i,2}, \omega_{i,3}, \dots, \omega_{i,n}, \alpha_i, \gamma_i, \delta_i)$. We show that the real view $(T_i, A_i, B_i, \omega_{i,1}, \omega_{i,2}, \omega_{i,3}, \dots, \omega_{i,n}, \alpha_i, \gamma_i, \delta_i)$ and the attacker's simulated view $(T'_i, A'_i, B'_i, \omega'_{i,1}, \omega'_{i,2}, \omega'_{i,3}, \dots, \omega'_{i,n}, \alpha'_i, \gamma'_i, \delta'_i)$ on random variables $t'_i \in \mathbb{Z}_q^*$, $v'_i \in \mathbb{Z}_q^*$, $B'_i \in \mathbb{Z}_q^*$, $\omega'_{i,j} \in \mathbb{Z}_q$ ($1 \le j \le n$), $R'_i \in \mathbb{Z}_q$, $S'_i \in \mathbb{Z}_q^*$, $\delta'_i \in \mathbb{Z}_q$ are computationally indistinguishable, where $T'_i = g^{t'_i} \bmod p$, $A'_i = g^{v'_i} \bmod p$ and $\gamma'_i = g^{S'_i} \bmod p$. The same transcripts and the corresponding assumptions hold for DCKAP, but our protocol differs from that of Tseng in the generation of $K_i$. Instead of randomly selecting the value, we use $K_i = (g^{t_i t_{i+1}} \bmod p) \bmod q = (T_{i+1}^{t_i} \bmod p) \bmod q$. We know that the transcripts for both protocols are the same and that the long-term private keys $x_i$ of any $U_i$ are also secret. If we show that the $K_i$ of any $U_i$ is also secret, then we can make the same assumption as in [5] for the security of DCKAP against passive attacks. In [27], Boneh defined some examples of cyclic groups for which DDH is shown to be intractable. One such group is given in Definition 5 (public parameters): let $p = 2q + 1$ with $p$ and $q$ large primes, and let $g$ be a generator of the cyclic sub-group $G_q = \{\, i^2 \mid i \in \mathbb{Z}_p^* \,\}$. According to this construction, the following two probability distributions are computationally indistinguishable:
- $(g^{t_i}, g^{t_{i+1}}, g^{t_i t_{i+1}})$, where $t_i$ and $t_{i+1}$ are randomly and independently chosen from $\mathbb{Z}_q$.

- $(g^{t_i}, g^{t_{i+1}}, g^{c})$, where $t_i$, $t_{i+1}$ and $c$ are randomly and independently chosen from $\mathbb{Z}_q$.
In other words, for any eavesdropper $E$, the sub-secret $K_i$ looks like a random variable in $G_q$. Hence, $K_i$ is also secret for any $E$. Then, our problem, which is the computational indistinguishability of the attacker's view and the original view, is the same problem as in Tseng's protocol. See the security against passive attacks in [5] for further details.

5.3. Active attacks

Another attack type for conference-key agreement protocols is the active attack. The best known active attack is the impersonation attack, or the impersonator's adaptively chosen message attack. In this case, the attacker tries to impersonate a legal participant $U_i$ by obtaining the temporary and long-term keys from signatures. The random oracle model in [29] is adopted to prove the security of signature schemes or key exchange protocols against this attack. According to the random oracle assumption in [30], one-way hash functions are treated as truly random functions. In this analysis, we also concentrate on the broadcast messages $(T_i, A_i, B_i)$ and $(\omega_{i,1}, \omega_{i,2}, \omega_{i,3}, \dots, \omega_{i,n}, \alpha_i, \gamma_i, \delta_i)$ to show that they are existentially unforgeable. The first part of this analysis is proved in Theorem 1 in [5]. Because our protocol uses the same structure for the temporary key distribution step (step 1) of ICKAP, we prove that the improved version also provides the existential unforgeability property. Note that the $K_i$ of $U_i$ can also be calculated by $U_{i+1}$. However, the verification of the $\omega_{i,j}$ values, for $1 \le j \le n$, can be realized by $g^{H(K'_j, M)} = y_j^{\gamma_j} \gamma_j^{\delta_j} \bmod p$. This equation, together with the $\gamma_i$ and $\delta_i$ parameters, states that if any malicious adversary MA tries to impersonate the participant $U_i$, then MA has to obtain the long-term secret key $x_i$. The following theorem shows that DCKAP is secure against the impersonation attack.

Theorem 13. Any malicious adversary MA cannot compute a valid $\omega_i$ of any user $U_i$ in the random oracle model because the discrete logarithm problem is intractable. Proof. Assume that $\alpha_i$, $\gamma_i$ and $\delta_i$ form a signature on $\omega_{i,j}$, where $1 \le j \le n$. Then the proof follows from the forking lemma in [29]. Under the random oracle model, $H(K_i, M)$ is a random variable independent of $K_i$ and $M$. Suppose that MA without knowing $K_i$, or $U_{i+1}$ knowing $K_i$, can impersonate $U_i$ to sign $K_i = g^{t_i t_{i+1}}$ with a non-negligible probability $\varepsilon$. For any $(\omega_i, M)$, MA can generate two valid signatures $(\alpha_i, \gamma_i, \delta_i)$ and $(\alpha_i, \gamma_i, \delta'_i)$, where $\alpha_i = g^{R_i} \bmod p$, $\gamma_i = g^{S_i} \bmod p$, $\delta_i = S_i^{-1}(H(K_i, M) - \gamma_i x_i) \bmod q$ and $\delta'_i = S_i^{-1}(H'(K_i, M) - \gamma_i x_i) \bmod q$. Therefore, it is computationally difficult to obtain $x_i$ by solving the equations for $\delta_i$ and $\delta'_i$ under the random oracle model, because the discrete logarithm problem is computationally difficult.


5.4. Key freshness

The major vulnerability of dynamic groups is shown in [28], where several attack scenarios are proposed for the protocol in [11]. According to these scenarios, if none of the sub-keys is refreshed after a modification of the participant set, it is possible to retrieve former and subsequent conference keys. So, the forward confidentiality properties are violated. The following lemmas show that our protocol provides security against these attack scenarios.

Lemma 14. Under the difficulty of computing the discrete logarithm problem, the leave operation does not violate forward confidentiality. Proof. Let $U = \{U_1, U_2, U_3, \dots, U_n\}$ be the set of participants before the leave operation. Assume that a leaving participant $U_i$ can obtain the updated key $K'$ after leaving. Let $K = (g^{t_1 t_2 + \dots + t_{i-1} t_i + t_i t_{i+1} + \dots + t_n t_1} \bmod p) \bmod q$ be the key before the leave operation, and let $K' = (g^{t_1 t_2 + \dots + t_{i-2} t'_{i-1} + t'_{i-1} t_{i+1} + \dots + t_n t_1} \bmod p) \bmod q$ be the updated key. The $g^{t_{i-2} t_{i-1} + t_{i-1} t_i + t_i t_{i+1}}$ part of $K$ is replaced by $g^{t_{i-2} t'_{i-1} + t'_{i-1} t_{i+1}}$ in the leave operation. Therefore, it is computationally difficult to compute the new key by using the old key $K$, because solving $K_{i-2} = (g^{t_{i-2} t'_{i-1}} \bmod p) \bmod q$ or $K_{i-1} = (g^{t'_{i-1} t_{i+1}} \bmod p) \bmod q$ is the discrete logarithm problem.

Lemma 15. Under the difficulty of computing the discrete logarithm problem, the divide operation does not violate forward confidentiality. Proof. Let $U = \{U_1, U_2, U_3, \dots, U_n\}$ be the set of participants before the divide operation. Let $K = (g^{t_1 t_2 + \dots + t_{k-1} t_k + t_k t_{k+1} + \dots + t_n t_1} \bmod p) \bmod q$. Assume that the set is divided into two sub-sets $U_1 = \{U_1, U_2, \dots, U_k\}$ and $U_2 = \{U_{k+1}, U_{k+2}, \dots, U_n\}$. Let $U_i \in U_1$ try to obtain the updated key of $U_2$. $U_n$ re-randomizes the temporary key $t_n$ as $t'_n$; then the updated key of $U_2$ will be $K'_2 = (g^{t_k t_{k+1} + \dots + t_{n-1} t'_n + t'_n t_k} \bmod p) \bmod q$. Therefore, it is computationally difficult to obtain the conference key of $U_2$ without knowing $t'_n$, because this is the discrete logarithm problem.

Lemma 16. Under the difficulty of the discrete logarithm problem, the join operation does not violate backward confidentiality. Proof. Let $U = \{U_1, U_2, U_3, \dots, U_n\}$ be the set of participants before the join operation and $U_{n+1}$ be the joining participant. Let $K = (g^{t_1 t_2 + \dots + t_{n-1} t_n + t_n t_1} \bmod p) \bmod q$ and $K' = (g^{t_1 t_2 + \dots + t_{n-1} t'_n + t'_n t_{n+1} + t_{n+1} t_1} \bmod p) \bmod q$ be the keys before and after the join operation, respectively. The $g^{t_{n-1} t_n + t_n t_1}$ part of $K$ is the updated part. So, the joining participant $U_{n+1}$ could obtain the old key $K$ by using the new key $K'$ only if it solves $K_n = (g^{t_n t_1} \bmod p) \bmod q$ or $K_{n-1} = (g^{t_{n-1} t_n} \bmod p) \bmod q$ to obtain $t_n$. Computing $t_n$ from $K_n$ or $K_{n-1}$ is computationally difficult because this is the discrete logarithm problem.

Lemma 17. Under the difficulty of computing the discrete logarithm problem, the merge operation does not violate forward confidentiality. Proof. Assume that $U_1 = \{U_1, U_2, \dots, U_k\}$ and $U_2 = \{U_{k+1}, U_{k+2}, \dots, U_n\}$ are the two conference sessions to be merged, and that $K_1 = (g^{t_1 t_2 + \dots + t_{k-1} t_k + t_k t_1} \bmod p) \bmod q$ and $K_2 = (g^{t_{k+1} t_{k+2} + \dots + t_{n-1} t_n + t_n t_{k+1}} \bmod p) \bmod q$ are the corresponding conference keys, respectively. Also, assume that $U = \{U_1, U_2, U_3, \dots, U_n\}$ is the set of participants after the merge operation. Then, $K = (g^{t_1 t_2 + \dots + t_{k-1} t_k + t'_k t_{k+1} + \dots + t_{n-1} t_n + t'_n t_1} \bmod p) \bmod q$. $U_i \in U_1$ tries to obtain the key $K_2$ of $U_2$ by using $K$, but the temporary key $t_n$ is re-randomized as $t'_n$ during the merge operation. Therefore, it is computationally difficult to compute $K_2$ without knowing $t'_n$, because this is the discrete logarithm problem.

These four lemmas show that if there exists any modification in the set of participants, then the conference key is updated by re-randomizing at least one of the secret short-term keys. So, the forward confidentiality and backward confidentiality properties are preserved after these operations. Thus, the following theorem holds.

Theorem 18. Under the difficulty of computing the discrete logarithm problem, a conference key updated by using ACKA operations is always fresh. Proof. Lemmas 14 and 15 show that ACKA operations provide forward confidentiality, and Lemmas 16 and 17 show that forward confidentiality is also satisfied. Because both forward and backward confidentiality are satisfied under the difficulty of the discrete logarithm problem, ACKA operations always produce fresh keys. On the other hand, let $U = \{U_1, U_2, U_3, \dots, U_n\}$ be the set of participants and $K = (g^{t_1 t_2 + \dots + t_{n-1} t_n + t_n t_1} \bmod p) \bmod q$ be the corresponding key. Suppose that ACKA operations do not provide key freshness. Also suppose that the participant $U_n$ leaves the session for a while and then joins the session again later. Because the resulting set of participants is the same, the resulting key must be the same. However, after the leave operation, the conference key will be $K' = (g^{t_1 t_2 + \dots + t_{n-2} t'_{n-1} + t'_{n-1} t_1} \bmod p) \bmod q$ for the set $U' = \{U_1, U_2, U_3, \dots, U_{n-1}\}$. When $U_n$ joins the session again, for $U'' = \{U_1, U_2, U_3, \dots, U_n\}$ the key will be $K'' = (g^{t_1 t_2 + \dots + t_{n-2} t''_{n-1} + t''_{n-1} t_n + t_n t_1} \bmod p) \bmod q$.


Table II. Comparison for total fault-correction costs.

Protocols          Computation costs     Message length                 Communications cost
Tzeng's protocol   (5m^2 + 2m) T_EXP     m((m + 1)|q| + 2|p|)           m
Tseng's protocol   (5m^2 + 5m) T_EXP     m((m + 2)|q| + 4|p| + |T|)     2m
DCKAP              (10m + 7) T_EXP       (2m + 3)|q| + 6|p| + |T|       3

DCKAP, Dynamic Conference-Key Agreement Protocol.

After these operations, $U'' = U$ but $K'' \ne K$, hence the contradiction. As a result, DCKAP provides the same security as Tzeng's protocol and Tseng's protocol. Because ACKA operations provide backward confidentiality and forward confidentiality, DCKAP provides key freshness.
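Lemmas 14 to 17 and Theorem 18 all rest on the shape of the ring key $K = (g^{t_1 t_2 + \dots + t_{n-1} t_n + t_n t_1} \bmod p) \bmod q$ and on which temporary secrets each ACKA operation re-randomizes. The following Python is an added example, not the paper's own code: it constructs public parameters of the Definition 5 shape by searching for a 20-bit safe prime (a toy size), builds $K$ both from the ring exponent sum and as the product of the per-link values $T_{i+1}^{t_i}$ of Section 5.2, and applies the leave, join, merge and divide re-randomizations described in the lemmas. Re-randomizing $U_k$ as well as $U_n$ in the divide operation is this example's own assumption, and leave_then_rejoin reproduces the leave-and-rejoin scenario of Theorem 18 to show that the key differs even though the participant set is restored.

```python
import secrets
from typing import List, Tuple


def _is_prime(n: int) -> bool:
    """Trial division; adequate for the ~20-bit toy parameters used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True


def safe_prime_params(start: int = 1 << 20) -> Tuple[int, int, int]:
    """Constructed public parameters of the Definition 5 shape: p = 2q + 1 with p, q prime and
    g = 4 = 2^2, an element of G_q = {i^2 | i in Z_p^*} and therefore a generator of order q."""
    q = start | 1
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4


P, Q, G = safe_prime_params()


def fresh_t() -> int:
    """Temporary secret t_i, uniform in Z_q^*."""
    return secrets.randbelow(Q - 1) + 1


def subkey(t_i: int, t_next: int) -> int:
    """K_i = (T_{i+1}^{t_i} mod p) mod q with T_{i+1} = g^{t_{i+1}} mod p: the Diffie-Hellman
    value U_i shares with its ring successor (the one place DCKAP departs from Tseng's random K_i)."""
    T_next = pow(G, t_next, P)
    return pow(T_next, t_i, P) % Q


def conference_key(ts: List[int]) -> int:
    """K = (g^{t_1 t_2 + ... + t_{n-1} t_n + t_n t_1} mod p) mod q for the ring U_1..U_n."""
    n = len(ts)
    exponent = sum(ts[i] * ts[(i + 1) % n] for i in range(n)) % Q
    return pow(G, exponent, P) % Q


def conference_key_from_links(ts: List[int]) -> int:
    """The same K assembled as the product of the per-link values g^{t_i t_{i+1}} mod p, then mod q."""
    n = len(ts)
    acc = 1
    for i in range(n):
        acc = acc * pow(pow(G, ts[(i + 1) % n], P), ts[i], P) % P
    return acc % Q


def leave(ts: List[int], i: int) -> List[int]:
    """U_i (0-indexed) leaves; its predecessor re-randomizes, t_{i-1} -> t'_{i-1} (Lemma 14)."""
    n = len(ts)
    new = ts[:i] + ts[i + 1:]
    prev = (i - 1) % n
    new[prev if prev < i else prev - 1] = fresh_t()
    return new


def join(ts: List[int], k: int = 1) -> List[int]:
    """k newcomers join; the last current member re-randomizes, t_n -> t'_n (Lemma 16)."""
    return ts[:-1] + [fresh_t()] + [fresh_t() for _ in range(k)]


def merge(ts1: List[int], ts2: List[int]) -> List[int]:
    """Two sessions merge; the last member of each re-randomizes, t'_k and t'_n (Lemma 17)."""
    return ts1[:-1] + [fresh_t()] + ts2[:-1] + [fresh_t()]


def divide(ts: List[int], k: int) -> Tuple[List[int], List[int]]:
    """Split into the first k members and the rest. U_n re-randomizes for the second sub-session
    (Lemma 15); re-randomizing U_k for the first sub-session is this example's assumption."""
    return ts[:k - 1] + [fresh_t()], ts[k:-1] + [fresh_t()]


def leave_then_rejoin(ts: List[int]) -> Tuple[int, int, int]:
    """Theorem 18's scenario: U_n leaves and later rejoins with its old t_n. Returns (K, K', K'')."""
    k_before = conference_key(ts)
    reduced = leave(ts, len(ts) - 1)  # U_{n-1} now holds t'_{n-1}
    k_after_leave = conference_key(reduced)
    rejoined = join(reduced, 1)       # U_{n-1} re-randomizes again, giving t''_{n-1}
    rejoined[-1] = ts[-1]             # U_n reuses its previous temporary secret
    return k_before, k_after_leave, conference_key(rejoined)
```

Only the re-randomized positions change between the old and new lists, which is what lets the paper restrict each ACKA operation to a constant number of ICKAP re-executions; the key nonetheless changes whenever any one $t_i$ does, because every $t_i$ appears in two terms of the exponent sum.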

6. PERFORMANCE ANALYSIS

In this section, we give the performance analysis of DCKAP, which is based on the performance analysis of ICKAP and ACKA operations. During the analysis of DCKAP, we use the communications cost, the message length and the computation cost as our performance criteria. The detailed definitions of these criteria are as follows:
- Communications cost is the total number of messages exchanged to calculate the conference key by each participant.
- The message length is the total length of the parameters in a broadcast message. Because all of the equations in the broadcast messages are modular operations, the message length of a parameter is calculated as the number of bits in the representation of the modular base. For instance, the length of the temporary public key $T_i = g^{t_i} \bmod p$ is $|p|$ bits.
- For the computation cost, we only consider modular exponentiation operations. The computation cost of one modular exponentiation is denoted by $T_{EXP}$.
In addition to the aforementioned general performance criteria, we use the number of protocol executions for ACKA operations and for the fault-correction step of ICKAP. The number of protocol executions is the total number of participants who execute ICKAP while updating the conference key.

The performance comparison of ICKAP with Tseng's protocol is as follows. ICKAP and Tseng's protocol have constant communications cost: there are two communication rounds in both. In terms of computation cost, ICKAP differs from Tseng's protocol only in the secret distribution and commitment step. The computation cost of Tseng's protocol is $(5n - 2)T_{EXP}$. In ICKAP, the number of modular exponentiations increases by only one, to $(5n - 1)T_{EXP}$, which is a minor difference. Finally, because there is no difference in the parameters of the broadcast messages, the message length is the same as in Tseng's protocol, $(n + 2)|q| + 4|p| + |T|$.

Because DCKAP is designed for dynamic groups, it provides better performance when updating the conference key from the fault-tolerance point of view. Tseng's protocol only works on static groups. Hence, if any modification occurs in the participant set, each participant in the updated set executes ICKAP. Set modification can occur either to exclude malicious participants or in ACKA operations. The comparison for fault correction is given in Table II, where $m$ is the number of participants in the set after the malicious participants are excluded. The fault-correction operations are used by ICKAP to exclude malicious participants from the set of participants. Assume that there exist $k$ malicious participants in $U$ and $m - k \ge 2$. For each malicious participant $U_i$, the honest participant $U_{i-1}$ re-executes ICKAP from step 1, and the participant $U_{i-2}$ re-executes ICKAP from step 2. Then, for each malicious participant, there is one execution of ICKAP from step 1 and one from step 2. Therefore, the protocol execution cost for fault correction in ICKAP is $O(1)$ for each malicious participant. Because Tseng's protocol does not provide an efficient fault-correction mechanism, all of the participants have to re-execute the protocol to update the key. The protocol execution cost for fault correction in Tseng's protocol is $O(m)$ for each malicious participant.

The performance analysis of DCKAP based on the ACKA operations is as follows. Assume that $m$ is the number of participants in the session $U$. The performance analysis for the ACKA operations is given below:
- Join operation: Assume that $k \ge 1$ is the number of new participants of the session. During the join procedure, $k + 1$ participants execute ICKAP from step 1 and the participant located before the last participant, $U_{m-1}$, executes ICKAP from step 2. Because there are $k + 1$ full executions and the join operation has constant execution complexity, the execution cost of the join operation is $(k + 1) \cdot O(1) = O(k)$. Because the computation cost of ICKAP is $(5n - 1)T_{EXP}$, the complexity of the join operation is $O(kn)$, where $n$ is the number of participants in the conference session before the join operation and $n \le m$.


Table III. Comparison of protocols according to protocol execution cost for dynamic group operations.

Operations   Protocol 1 [19]   Protocol 2 [7]   Protocol 3 [26]   DCKAP
Join         O(k)              O(k)             O(k(m + k))       O(k), for k joining participants
Leave        NA                O(k)             O(k(m - k))       O(k), for k leaving participants
Merge        O(k)              NA               NA                O(k), for k sessions
Divide       NA                NA               NA                O(k), for k sessions

DCKAP, Dynamic Conference-Key Agreement Protocol.

- Leave operation: Assume that $k \ge 1$ is the number of leaving participants and $m - k \ge 2$. If all leaving participants are ordered consecutively as $U_{i+1}, U_{i+2}, \dots, U_{i+k}$, then only $U_i$ re-executes ICKAP from step 1 and $U_{i-1}$ executes ICKAP from step 2, which is the best case for the leave operation, with $O(1)$ execution cost. Otherwise, for each leaving participant $U_{i+1}$, $U_i$ re-executes the protocol and $U_{i-1}$ executes the protocol from step 2. There exist at most $k$ re-executions of ICKAP. Then, the execution cost is $O(k)$. Regarding the modular exponentiations of ICKAP, the complexity of the leave operation is $O(kn)$ for $n \le m$.
- Merge operation: Assume that there exist $k$ sessions and each session has $m$ participants. According to the definition of the merge operation, only the last participant of each session re-executes ICKAP, and the participant before the last one executes ICKAP from step 2, which means that the merge operation also has constant protocol execution complexity per session. Therefore, the protocol execution cost of the merge operation is $k \cdot O(1) = O(k)$, and the overall complexity of the merge operation is $O(k^2 m)$.
- Divide operation: Let $k$ be the number of sub-sessions after division, and let each sub-session have $m$ participants. If the participants of the same sub-session are ordered consecutively, then there exist $m$ re-executions of ICKAP and $m$ executions of ICKAP from step 2, which is the best case complexity, $O(k)$. Otherwise, for each participant pair $U_i$ and $U_{i+1}$, if they belong to different sessions, $U_i$ re-executes ICKAP and $U_{i-k}$ executes ICKAP from step 2. This is the worst case for protocol executions, with $O(k \cdot m)$. The complexity of the divide operation, including the computational cost of ICKAP, is $O(km)$ and $O(k^2 m)$ for the best case and the worst case, respectively.
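Which participants re-execute ICKAP, and from which step, follows one rule for both fault correction and the leave operation: the nearest remaining predecessor of each removed participant re-executes from step 1, and that participant's own remaining predecessor executes from step 2. The following Python is an added example, not code from the paper, that computes those executor sets on a ring of n participants (indices 1..n) for an arbitrary removed set; it shows the best case of a single step-1 execution for a consecutive block and the general case of at most k executions for k removed participants.

```python
from typing import List, Set, Tuple


def reexecutions(n: int, removed: Set[int]) -> Tuple[List[int], List[int]]:
    """Participants U_1..U_n sit on a ring; `removed` holds those leaving or excluded as malicious.
    For every removed U_{i+1}, its nearest remaining predecessor U_i re-executes ICKAP from step 1,
    and U_i's own remaining predecessor executes from step 2 (the rule stated in the text).
    Returns (step-1 executors, step-2 executors), both sorted and 1-indexed."""
    if not removed or n - len(removed) < 2:
        raise ValueError("at least two participants must remain (m - k >= 2)")
    if any(not 1 <= u <= n for u in removed):
        raise ValueError("participant indices must lie in 1..n")

    def pred(u: int) -> int:
        # nearest remaining participant before u on the ring, wrapping from U_1 back to U_n
        for step in range(1, n):
            cand = (u - 1 - step) % n + 1
            if cand not in removed:
                return cand
        raise AssertionError("unreachable: two or more participants remain")

    step1 = sorted({pred(u) for u in removed})   # one entry per maximal block of removed members
    step2 = sorted({pred(u) for u in step1})
    return step1, step2


def execution_cost(n: int, removed: Set[int]) -> int:
    """Number of full ICKAP re-executions (from step 1): 1 for a consecutive block, at most k otherwise."""
    return len(reexecutions(n, removed)[0])


if __name__ == "__main__":
    # Constructed scenarios on an 8-participant ring.
    print(reexecutions(8, {3, 4, 5}))      # consecutive block: only U_2 (step 1) and U_1 (step 2)
    print(reexecutions(8, {1, 4, 7}))      # scattered: three step-1 executors
    print(execution_cost(8, {2, 4, 6, 8})) # alternating removals: the worst case, k executions
```

The same function covers the fault-correction count of Section 6 because excluding a malicious $U_i$ has the same effect on the ring as $U_i$ leaving: its predecessor must refresh the link that $U_i$ used to close.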

In Table III, we present the comparison of the protocols [7,19,26] and ACKA according to the protocol execution cost for dynamic group operations. For convenience, the protocols in [7,19,26] are named protocol 1, protocol 2 and protocol 3, respectively. As seen in Table III, only DCKAP provides all of the dynamic group operations. Protocols 2 and 3 do not provide the divide and merge operations. Protocol 1 has no efficient operation for leave and divide other than re-executing the protocol. The detailed analysis for the comparisons is as follows:
- Assume that $U_1 = \{U_1, U_2, \dots, U_k\}$ and $U_2 = \{U_{k+1}, U_{k+2}, \dots, U_n\}$, where $U_1 \cap U_2 = \emptyset$, are the two conference sessions to be merged, and let $K_1 = (g^{t_1 t_2 + \dots + t_{k-1} t_k + t_k t_1} \bmod p) \bmod q$ and $K_2 = (g^{t_{k+1} t_{k+2} + \dots + t_{n-1} t_n + t_n t_{k+1}} \bmod p) \bmod q$ be the corresponding conference keys. Because protocols 2 and 3 do not provide a merge operation, they either simulate it by using leave and join operations or execute their initial key agreement protocols for $U_1 \cup U_2$. In both cases, the computation cost of the key update is higher than for protocol 1 and DCKAP.
- In the case of the divide operation, the worst case protocol execution cost of ACKA is $O(km)$, where $k$ is the number of sessions and $m$ is the number of participants in each session. In addition, the best case cost for DCKAP is $O(k)$. Protocols 1, 2 and 3 do not provide an arbitrary divide operation; therefore, they are not comparable with DCKAP. Assume that $U = \{U_1, U_2, \dots, U_n\}$ is the set to be divided and $K = (g^{t_1 t_2 + t_2 t_3 + \dots + t_{n-1} t_n + t_n t_{k+1}} \bmod p) \bmod q$ is the corresponding conference key. If the session is divided into two sub-sessions $U_1 = \{U_1, U_2, \dots, U_k\}$ and $U_2 = \{U_{k+1}, U_{k+2}, \dots, U_n\}$, then protocols 2 and 3 have to execute their initial key agreement protocols because they do not provide divide operations. For protocol 1, it is possible to divide $U$ into $U_1$ and $U_2$ by reverse execution of the protocol. However, protocol 1 is restricted in dividing the set of participants in an arbitrary manner. Therefore, it provides only re-execution for the leave and divide operations. Moreover, the number of communication rounds is $\log n$ in protocol 1, whereas it is constant in DCKAP. As a result, DCKAP has better performance in the case of fault correction and ACKA operations.

7. CONCLUSION

In this paper, we proposed an improved conference-key agreement protocol for dynamic groups, called DCKAP. It uses a modified form of Tseng's protocol as ICKAP and has new ACKA operations to provide dynamic group management. We analyzed the proposed protocol with respect to security and performance. The analysis shows that DCKAP withstands the known passive and active attacks on conference-key agreement protocols, such as eavesdropping and impersonation. In addition, DCKAP preserves the correctness, fault-tolerance and forward secrecy properties. Furthermore, the protocol is also secure against the known-key attack scenario for ACKA operations. Thus, DCKAP has better fault correction with respect to Tseng's protocol.

Acknowledgements This work is supported by the Turkish State Planning Organization (DPT) under the TAM Project, number 2007K120610, and EUREKA ITEA2 Project ADAX with project number 10030.

REFERENCES

1. Tzeng WG. A secure fault-tolerant conference-key agreement protocol. IEEE Transactions on Computers 2002; 51: 373–379.
2. Cheng JC, Laih CS. Conference key agreement protocol with non-interactive fault-tolerance over broadcast network. International Journal of Information Security 2009; 8: 37–48.
3. Huang KH, Chung YF, Lee HH, Lai F, Chen TS. A conference key agreement protocol with fault-tolerant capability. Computer Standards and Interfaces 2009; 31: 401–405.
4. Shi T, Guo Y, Ma J. A fault-tolerant and secure multiconference-key agreement protocol. In: Proceedings of the International Conference of Communications, Circuits and Systems, Chengdu, China, 2004; 18–21.
5. Tseng YM. An improved conference-key agreement protocol with forward secrecy. Informatica, Lithuania Academy of Sciences 2005; 16: 275–284.
6. Zhao J, Gu D, Li Y. An efficient fault-tolerant group key agreement protocol. Computer Communications 2010; 33: 890–895.
7. Cheng ZY, Liu Y, Chang CC, Guo C. A fault-tolerant group key agreement protocol exploiting dynamic setting. International Journal of Communication Systems 2013; 26: 259–275.
8. Steiner M, Tsudik G, Waidner M. Key agreement in dynamic peer groups. IEEE Transactions on Parallel and Distributed Systems 2000; 11: 769–780.
9. Yi X. Authenticated key agreement in dynamic peer groups. Theoretical Computer Science 2004; 326: 363–382.
10. Diffie W, van Oorschot PC, Wiener MJ. Authentication and authenticated key exchanges. Designs, Codes and Cryptography 1992; 2: 107–125.
11. Tseng YM. A communication-efficient and fault-tolerant conference-key agreement protocol with forward secrecy. The Journal of Systems and Software 2007; 80: 1091–1101.
12. Diffie W, Hellman ME. New directions in cryptography. IEEE Transactions on Information Theory 1976; 22: 644–654.
13. Ingemarsson I, Tang DT, Wong CK. A conference key distribution system. IEEE Transactions on Information Theory 1982; 28: 714–719.
14. Dutta R, Barua R. Overview of key agreement protocols. IACR ePrint Archive, 2005; 1–46. http://eprint.iacr.org/2005/289 [Accessed on 4 October 2005].
15. Burmester M, Desmedt Y. A secure and efficient conference key distribution system (extended abstract). In: Proceedings of EUROCRYPT '94, Workshop on the Theory and Application of Cryptographic Techniques, Perugia, Italy, 1994; 275–286.
16. Steiner M, Tsudik G, Waidner M. Diffie-Hellman key distribution extended to groups. In: CCS '96, Proceedings of the 3rd ACM Conference on Computer and Communications Security, New Delhi, India, 1996; 31–37.
17. Li CH, Pieprzyk J. Conference key agreement from secret sharing. In: Australasian Conference on Information Security and Privacy, ACISP 1999, Wollongong, NSW, Australia, 1999; 64–76.
18. Tzeng WG, Tzeng ZJ. Round-efficient conference key agreement protocols with provable security. In: Proceedings of the 6th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology, ASIACRYPT '00, Kyoto, Japan, 2000; 614–628.
19. Foss JA. An efficient secure authenticated group key exchange algorithm for large and dynamic groups. In: Proceedings of the 23rd National Information Systems Security Conference (NISSC '00), MD, USA, 2000; 254–266.
20. Horng G. An efficient and secure protocol for multi-party key establishment. The Computer Journal 2001; 44: 463–470.
21. Boyd C, Nieto JMG. Round-optimal contributory conference key agreement. In: Proceedings of the 6th International Workshop on Theory and Practice in Public Key Cryptography: Public Key Cryptography, PKC '03, Florida, USA, 2003; 161–174.
22. Chang CC, Tsai HC, Chang PY. A collaborative conference key agreement scheme by using an intermediary node. In: Proceedings of the 2007 International Conference on Convergence Information Technology, Gyeongju, Korea, 2007; 54–59.
23. Katz J, Yung M. Scalable protocols for authenticated group key exchange. Journal of Cryptology 2007; 20: 85–113.
24. Wu Q, Mu Y, Susilo W, Qin B, Domingo-Ferrer J. Asymmetric group key agreement. In: Advances in Cryptology - EUROCRYPT 2009, vol. 5479, L
NCS. Springer: Cologne, Germany; 153–170.
25. Wang Z. Improvement on the fault-tolerant group key agreement protocol of Zhao et al. Security and Communication Networks 2012, DOI: 10.1002/sec.414.
26. Chung YF. The design of authentication key protocol in certificate-free public key cryptosystem. Security and Communication Networks 2013, DOI: 10.1002/sec.924.
27. Boneh D. The decision Diffie-Hellman problem. In: ANTS-III, Proceedings of the Third International Symposium on Algorithmic Number Theory, Portland, USA, 1998; 48–63.
28. Lee S, Kim J, Hong SJ. Security weakness of Tseng's fault-tolerant conference key agreement protocol. The Journal of Systems and Software 2009; 82: 1163–1167.
29. Pointcheval D, Stern J. Security arguments for digital signatures and blind signatures. Journal of Cryptology 2000; 13: 361–396.
30. Bellare M, Rogaway P. Random oracles are practical: a paradigm for designing efficient protocols. In: Proceedings of the 1st ACM Conference on Computer and Communications Security, CCS '93, VA, USA, 1993; 62–73.