Design of Secure Group Key Agreement Protocol using Elliptic Curve Cryptography Priyanka laiswal, Abhimanyu Kumar, Sachin Tripathi Department of Computer Science & Engineering Indian School of Mines, Dhanbad-826004, Jharkhand, India [email protected], [email protected], [email protected]

Abstract-

Secure

group

communication

is

an

important

research area in the field of cryptography and network security, because the group communication like electronic conferences, video chatting, video games etc. are rapidly increasing. Group key agreement protocols allow all members of the group to agree on the same session key which is used later for secure group communication.

The design of secure group key agreement

protocol can be very critical for achieving security goals. Many group key agreement protocols have been established for wired and wireless group communication. This paper proposes an ECC (Elliptic Curve Cryptography) based authenticated group key agreement protocol for wireless scenario. The proposed protocol uses the concepts of elliptic curve cryptography to minimize the computation

overheads

and

AES

(Asymmetric

Encryption

Standards) to maintain efficiency. The proposed protocol consists of a set of users and a trusted server, where server and the user contribute to create the group key. The performance and security analysis shows that the proposed protocol is secure against passive and active attack and performs better in terms of computation and

communication cost from

other related

protocols.

Keywords-Group Key Agreement; Secure Communication; Elliptic Curve Cryptography.

I.

INTRODUCTION

The popularity of the Internet is rapidly increasing as it supports many collaborative groupware applications such as online chatting, video games, e-Iearning, e-commerce distributed simulation etc. These applications support reliable services and provide ordered message delivery [1]. A reliable group connnunication system can provide an integrated platform for basic security services such as data confidentiality, integrity, message and entity authentication etc. These services are impossible without secure and efficient group key management protocol. So group key management is very necessary for efficient group key agreement. Key agreement protocol allows all the members of the group to agree upon a common session key which allows them to communicate with each other in a secure manner through an insecure network [2]. Generally a group key agreement protocol comes under following three group key management schemes: (1) Centralized,(2) Distributed and (3) Contributory. A centralized group key management is a simple type of key management protocol as it involves a central authority (single entity) or (may be a small set of entities) that generates and distributes keys to group members through a secure channel. 978-1-4799-5958-7114/$31.00 ©2014 IEEE

This is appropriate in many cases since most of the scenario offer continued secure operation within a single platform consisting of source. In distributed type of group key agreement protocol every member of the group can generate the group key independently. In contrast, in contributory group key agreement protocol, every member of the group equally contributes to derive the group key. Group key agreement is an important cryptographic technique over public networks for providing secure communication in the collaborative applications. Over the past few years, many groupware agreement protocols have been proposed, however not all of them can meet the security as well as efficiency requirement simultaneously. Therefore, we propose a new group key agreement protocol for wireless network. The proposed protocol uses the concepts of elliptic curve cryptography to design the protocol because it takes minimum time in calculations for generation of group key. The proposed protocol performs better than other existing related protocol as it takes less computational overloads, the round of the protocol is constant for any number of group users, the protocol is also safe from various attacks. The rest of this paper is organized as follows. Section II discusses the related work of the group key protocols. Section III provides the preliminaries such as description of finite fields, Elliptic Curve, Elliptic Curve Discrete Logarithm Problem (ECDLP) and Elliptic Curve Diffie Hellman (ECDH). Section IV discusses about the group key generation protocol. Section V provides the performance and security analysis of the proposed protocol. Section VI concludes the proposed protocol. II.

RELATED WORK

Many papers have been proposed on group key agreement protocols [3, 4, 5] for designing secure groupware communication. These protocols consists of set of group members to exchange or establish a group key for secure communication within the group. There are many group key agreement protocols that are providing security using Group Diffie Hellman as in [6, 7, 10]. These agreement protocols take more connnunication and computation efforts than the protocols using elliptic curve cryptography [7]. Many round efficient group key agreement protocols have also been proposed [10, 8]. Some of them are constant round protocols.

[n the round efficient protocols, the number of rounds is constant whenever the number of users is increased. In 1982 Ingemarsson et al. [8] proposed the first group key agreement protocol known as ING protocol, many GKA protocol [3,6] follows that work, have been proposed. Many multi party key agreement protocols are proposed in the literature for wired as well as for the wireless group key environment. Some of them are based on centralized approach which have a special node that acts as a central server to manage the group key and some are based on distributed and contributory [[,11] groupware key agreement protocols. In contributory group key agreement protocol all members of the group contribute to design the group key. In centralized group key management, there is only one trusted entity responsible for managing the entire group. Hence the group controller need not depend on any auxiliary entity for key distribution. Kumar et al. [4] presented a cost effective region based group key agreement protocol in which participants are divided into region based on the preference of the participants.

B.

E(Fp) denotes an elliptic curve E over a prime finite field Fp defined by an equation 3 with the y2 mod p = (x + ax + b) mod p where a,b E Fp Let the symbol

discriminant the point on

�

= (4a 3 + 27b 2)mod p"* 0 (for

E (Fp)

including an extra point

non singularity) 0

called point at

infinity of the curve, that forms an abelian group a groupG={(x,y) : x,Y E Fp and x,Y E E (Fp )} u {O} with the following addition rules. •

Identity: There is an identity element 0 in the group such that P+O=0+ P =P for allpE E(Fp).

•

Negativity:

P (X,Y) E E(Fp)

If

(X,y)+(x,-y)=0, The point negative of P , denoted as -P . •

Point

addition:

Let

thenP+Q=R, where

Aydos et al. [9] describes an authenticated group key agreement protocol for wireless communication which is based on elliptic curve digital signature algorithm (ECDSA) and provides certain security services such as non repudiation, anonymity, certificate, expiration mechanism etc. Kar et al. [[0] presents a password based multiparty key exchange protocol using elliptic curve discrete logarithm problem, where design of the protocol is based on polynomial interpolation.

III.

Elliptic curve overfinitefield E(Fp)

(x,-y)

then IS

P(X1,Yl),Q(X2 ,Y2 )E RE

E(Fp) and

called

E(Fp) ,

co-ordinate

x3 =A2 -XI -x 2 Y2 -YI ,1, ,1, and Y3= (x1,x3) -Yl where = . X2 -XI (x3'Y3) of R is

•

calculated as

Point doubling: Let P(xl,Yl) E

E(Fp),

where

P"* -P and

PRELIMINARIES

Finite Field of order p (Fp ) For a given prime,p, we define the finite field order p , as the set Zp of integers {O,I,2, ..,p-l} with the following arithmetic operations modulo p.

A.

C.

Elliptic Curve Discrete Logarithm Problem (E C DLP) For a given elliptic curve

E

defined over a finite fieldFp

if the point P,QE E(Fp) then, find the integer

a ,bE Fp , then a+b=r , is known as addition modulo p , when a +b is divided by p and o ::; r ::; p -1 , where r is the remainder.

•

Addition: [f

•

a ,bE Fp thena. b =s , is known as multiplication modulo p, when a. b is divided by p and 0 ::; s ::; p -1, where s is the remainder.

•

Inversion: The inverse of a modulo p in finite fieldFp

Multiplication: [f

is denoted as

a-I,

for which. a.c =1.

which is the unique integer c

E

Fp

,

LE Z ;

such that Q = LP .The integer L is called the discrete logarithm of Q to base P, denoted L=logpQ.

D. Elliptic Curve Diffie Hellma n (E C DH) Elliptic Curve Diffie Hellman is an elliptic curve variant of the standard Diffie Hellman algorithm, it is based on the additive elliptic curve group. ECDH is an anonymous key agreement protocol that allows two parties, each having an elliptic curve public private key pair to establish a shared secret over an insecure channel. The shared secret may be directly used as a session key or better to design another session key from the shared secret key which can then used to encrypt subsequent communication using a symmetric key cryptosystem.

E.

Key Agreement Protocol

A key agreement protocol is a set of rules and regulations to establish a cryptographic session key for participants, over a public network, whereas more than two participants are involved in generating group key. One of the first and most popular key agreement protocol is Diffie Hellman key exchange protocol, which is mostly used in many applications area. Another direction in this research area is to generalize the two party key agreements into multi party key agreement and group key agreement schemes. IV.

Round 1: I) Each client randomly selects an integer

2)

as K1

I) Select a finite field 2) Define

an

initializes and selects some

F

p

elliptic

curve

4)

the =

d 1 *Rl

=

(k;x, k; y ) , where O:S.i'Sn-i,

first =

client

2)

(k 1x, k 1 y ) and so on.

Each client then sends (lD;, C; ,R;) to the Server.

receiving (lD;, C; ,R;) ,

The Server uses

k,x

=

server

d, * R;

4)

If each user is valid user then server further proceed and choose a random number w, E Z; and computes

Po fj P2

5) Publish E p (a,b), Ek(. ), Dk (.) and Q .

=

w, +Ro for Co w, +Rl for Cl

=

=

W ,'

+R2 for C2

PCn-l) 5)

=

w, +RCn

-l)

for C(n-I) .

The Server then encrypts

C,o Ekox(Ro, Po,S,) CII Ek1x(Rl' fj,S,,) C,2 Ek2x(R2,P2'S,) =

=

=

p

The authenticated key agreement phase

In this phase server authenticate all clients, then clients contribute to generate a session key called group key. This phase is partitioned into two rounds, which are as bellow.

computes

(k;x ,k ; y) .

The Server checks R;, if the decrypted R; is same as the previous R; that was sent from each client then S confirms that users are valid user, otherwise S aborts the protocol and sends authentication failed message to all clients.

4) Select a public point Q of order n over an elliptic

B.

=

as a decryption key to

curve.

CO,CI, have their private/public key pairs dr/Uo, d/UI, and (S) have d/[J, respectively. Note that Uo=do*Q, UI=dl*Q and Us=d,*Q where ,*, denotes the point multiplication over E ( a,b) [7].

to

3)

3) Select a secure symmetric encryption/decryption algorithm respectively denoted as Ek() IDk( ) as AES (Advanced Encryption Standard), where k denotes the symmetric key.

server

key

compute (R; ,W; ) = DkiX (C;).

F p'

6) Each client register to the server (S) to generate their private keys and public keys over E p ( a,b) , such as client

computes

After that each client randomly selects an integer Wi E Z;" to compute W; W; * Q and uses

Round 2: I) After

equation

ax + b(mod p ) with the order n over 2 F p,p > 3 and (4a 3 + 27b ) ;toO(m od p ) [7].

to

* U S ,where O:S.i'Sn-i

their x coordinates as an encryption compute C; = EkiX (R; ,W; ) , where O:S.i'Sn-i.

over a large odd prime p

E p ( a,b) = x3 + where a,b E

d j * Rj

=

k,x and k" for all clients K ;

(S)

Zp*

=

A. The initialization Phase

In this phase the server parameters as below.

r I

E

Each client then computes key coordinates (x and y coordinates) K j

3)

=

Z;, is a multiplicative group.

and

PROPOSED GROUP KEY AGREEMENT PROTOCOL

In this part we propose a new group key agreement protocol for secure group communication over networks. The proposed protocol is authenticated and based on elliptic curve cryptography. Let C = (Co, C], C2,...,C(n-l)) be the set of clients and S is a trusted server. They contribute to generate the group key. The proposed protocol is partitioned into two phases first is called as initialization phase and after that the group key generation phase. The generation of the proposed protocol is given below.

R1 = rI * UI and .ok

compute

rj

C,Cn-l)

Ek(n-l)x(RCn-I),PCn-l)'S, ) "n l Where S, is L. ;=-o Wi . =

6)

it sends CIO to Co, Csi to CI and so on, 7)

After receiving

each user uses

C,;

k;x

as a

(R;, � )= D Kix (Cli ) then decrypted R; is the same as R, that

decryption key to compute each client check

8)

V, PERFORMANCE AND

After that server sends C" to all respective clients as

they have, then clients confirms that they are authenticated by the server. Then each client computes the common session key as

This section analyses the perfonnance of the proposed work in terms of communication and computation cost perspectives. Table.) shows the performance comparisons of the protocol with some other existing protocols.

A. Performance Analysis •

Computation Cost: The Comparison of computation cost between the proposed work and the other related scheme is given below in tablel.The result shows that the proposed protocol is more effective than the related protocol, the computation cost for each client in the proposed protocol is 2PA+4PM+2SE whereas the related protocols have more commutation cost. The computation cost of the server for each client is also better than the existing protocols.

•

Communication Cost: The communication cost required by the presented protocol is 2n whereas the related protocols required more communication cost.

-I + S " I K, = F., +Rl +S, I K, =P2 +R2- +S,

K - 1D +R 0 ,, - 0

Client Co computes Client Cj computes Client C2 computes

Client C(n-I) computes Ks =PCn

-I -l) + RCn-l) + S,

In the proposed protocol each client equally contributes to compute the session (agreement) key with the help of trusted server. Figure 1 shows the diagrammatic representation of the proposed protocol.

SECURITY ANALYSIS

Table, I, The Performance comparison with other existing protocols Protocol

Userls

Server

Select an integer ri compute Ri =

r * ,

E

Zq

eacb client

Computation

cost required by the server

Communicati

Round

on cost

Is

for each client

*

U, , R, =

r * ,

U, ,

and Ki =di *R, = (kix,k,v) Randomly select an integer Wi uses Kix to compute

Computation

cost required by

E

Zq

*

C, = EkiV (Ri,W,) , (ID"c"RJ �

Computes K, = d,

*

R , = (k,x,k,y) ,

Proposed

4PM+2PA+2SE

IPM+IPA+2 SE

2n

2

Kar et aL [10]

6PM+!PA+!H

3PM+!PA+! H

n"+2n

2

Yonglian g et aL [5]

3PM+IPA+ 3SE +2H

2PM+IPA+2 SE+2H

3n

3

Aydos et a1.[9]

6PM+2PA+2SE +IH

5PM+2PA+2 SE+IH

4n

3

Computes (R"W,)= DkiV(C,) ,

Check the decrypted

C,

, if true,

choose a random number compute Pi = W, Compute C" =

+

lV, '

Ri ' where 0 � i � 11 -I ,

EKiV (Ri,Pi ,S,)

for all user,

where $, is I;';(;W,

C" = Ek (R"P"S, )

...

v.v

Check weather the decrypted R, is same as original one, if they are same then compute

K, = P,

Fig, I, The Proposed protocol abstract

,

+ R -l +

S,

'

Note: PM: Point Multiplication, SE: Symmetric encryption, PA: Point Addition, H: Hash Function B.

Security Analysis and Discussion

•

The security of the proposed protocol depends on the hardness of elliptic curve discrete logarithm problem.

Authenticated Group Key Agreement Protocol--- Let {Mo,Mj,oo.,Mn_d be all the messages, that are exchanged between members where n is the number of messages and {M'o,M'j,oo.,M'(n_l)}are all the messages modified by an active adversary. Suppose (Ko, Kj,oo.,K(n_l)} is the session key list where K; is computed by U . However K; cannot be computed by an adversary, because the security of the session key depends on the hardness of ECDLP and asymmetric key encryption. If adversary cannot compute a session K E{Ko,

Kj,...,K(n-I)}, the authenticated. •

group

key

agreement

protocol

is

If the elliptic curve discrete logarithm problem is hard, the proposed protocol is authenticated.

Suppose that the adversary wants to intercept the transmitted messages (ID;, C;, R;) and wants to find out IDb R; and C;. Then adversary modified these values like ID; to IDj, R; to RJ rJ * U J and CI Ek (RJ ,WI) and send it to the server. " In the transmitted messages, C; is encrypted from the key value k;x which is only known to server and the authorized clients. If the key value of client and server is not same then server aborts the protocol otherwise it continues its operations. Due to hardness of the discrete logarithm problem the adversary cannot be calculate r ; from r; * U ; and r; * U ,and ,.

cannot find WS' Therefore the adversary cannot calculate the session key. So, this protocol is authenticated group key agreement protocol. The Proposed protocol is safe from Man-- in -the middle attack.

Assume that an adversary wants to perform man- in- the middle attack, and then the attacker wants to find out the session key. Then the attacker firstly find out the key components that are W; w; * Q and replaces it with the other =

forged component as WJ

=

wJ * Q and send it to the server, but

the server had already W; in an encrypted form which was encrypted by the client asEkiX(R;,W;) . When eavesdropper

uses another key such as kjx to encrypt the information like Eki (R;,W;) and send it to the server then server checks that x which key has been used by the client, if it is not same as previous key, then the Server find out that the given (acquired) message is forged and not sent by an appropriate client/user. After receiving the message from eavesdropper, the server will discard the session. Suppose that an attacker captures the transmitted message (ID; ,C;, RJ and it wants to calculate the value of ID;, Cb R; but he would not be calculate this because the proposed protocol uses elliptic curve cryptography. Attacker also cannot calculate C; because it is encrypted with AES symmetric key encryption. The attacker then calculates a session key as n-l

p. '+R . '+ " j j L.J

Direct Server attack: The proposed protocol is also safe from direct server attack since it uses AES and ECC that makes the database more secure.

•

Full Forward Secrecy: The adversary cannot calculate the group key because he receives only a generating point on the elliptic curve that is calculated from the random secret. The adversary cannot find the session key due to the hardness of ECDLP. Therefore, the proposed work achieves full forward secrecy from both sides. VI.

ACKNOWLEDGEMENT

This work is supported by UGC (University Grant Commission), Govt. of India under project No. UGC(77)/2012-13/316/CSE . We would like to thank UGC for the support in this research work. REFERENCES [I]

K. Muthumayil, V.Rajamani, S. Manikandan, M. Buvana "A Group Key Agreement Protocol based on Stability and Power using ECC, " 2011 International conference on Emerging Trends in Electrical and Computer Technology, 20II, pp. 1051-1056.

[2]

Z. Liehuang, L. Lejian, L. Wenzhuo, Z. Zijian, "An Authenticated Constant Round Group Key Agreement Protocol Based on Elliptic IJCSNS International Journal of Computer Curve Cryptography, " Science and Network Security, vol.6 No.8B, pp. 131-134, August 2006.

[3]

Y.Wang, B.Ramamurthy and X. Zou, "The performance of Elliptic Curve Based Group Diffie Hellman Protocol for Secure Group Proceedings of IEEE Communication over Ad Hoc Networks, " International Conference on Communications, vol. 5, pp. 2243-2248, 2006.

[4]

K. Kumar, J. N. Begum, V. Sumathy, "A Novel Approach towards Cost Effective Region- Based Group Key Agreement Protocol for Secure Group Communication, "lnternational Journal of Computer Science and Information Security, vol. 8(2), pp. 65-74, 2010.

Assume that an attacker want to communicate among client and

server

then

he

can

obtain R;

=

r;

* U; ,R;

=

r;

* U,. ,

Ek (R;, W; ). If the attacker wants to decrypt the W, i from " C; , the attacker must use ds However d, is the server private key and it is impossible to find the server private value from C;

=

•

CONCLUSION

A secure group key agreement protocol design is an important research area to provide secure services among a group of users with limited computational capabilities. For secure group communication, user authentication and key agreement are very necessary. In the proposed group key agreement protocol user obtains a session/common key from a trusted third party and with the help of that session key they communicate with each other securely and effectively. Elliptic curve cryptography is used in the proposed protocol because it provides higher security than RSA in terms of computation cost and reduces communication loads. This paper presents efficient and secure group key agreement protocol based on ECC, which accomplishes most desired security goals, e.g. replay attack, full forward secrecy, man-in middle attack etc. The result of the proposed protocol shows that it is well suited for mobile devices with limited computirlg ability.

Wi which is not the actual session key.

The proposed protocol is safe from outsider attack.

d, * Q . The attacker will face the

•

;=0

•

=

ECDLP. Thus the outsider attack is infeasible for the proposed protocol.

=

=

•

server public key U,

[5]

L. Yongliang, W. Gao, H. Yao, X. Yu, "Elliptic Curve Cryptography Based Wireless Authentication Protocol, " International Journal of Network Security, vol. 5(3), pp. 327-337, 2007.

[6]

Y.-M. Tseng, "A Resource Constrained group key agreement protocol for imbalanced wireless networks, " Journal of Computers and Security, vol. 26(4), pp. 331-337, 2007.

[7]

D. Hankerson, A. Menezes, S.Vanstone, " Guide To Elliptic Curve Cryptography, " Springer Professional Computing , ISBN-13: 9780387952734, Edition: 2004th.

[8]

I. Ingemarsson, D. Tang and C. Wang, "A conference key distribution system, " IEEE Transactions on Information Theory, vol. 28 (5), pp. 714 -720, September 1982.

[9]

M. Aydos, B. Sunar, C.K. Koc, "An Elliptic Curve Cryptography based Authentication and Key Agreement Protocol for Wireless Communication, " 2nd International Workshop on Discrete Algorithms and Methods for Mobile Computing and Communication, Dallas, Texas, Oct30, 1998.

[10] 1. Kar, B. Majhi, M. S. Anwar, "An Efficient Password Security of Multiparty Key Exchange Protocol using Secret Sharing based on ECDLP, " 2nd International Conference on Computer Engineering and Technology(ICCET), vol.3, pp. 78-81, 2010.

Abstract-

Secure

group

communication

is

an

important

research area in the field of cryptography and network security, because the group communication like electronic conferences, video chatting, video games etc. are rapidly increasing. Group key agreement protocols allow all members of the group to agree on the same session key which is used later for secure group communication.

The design of secure group key agreement

protocol can be very critical for achieving security goals. Many group key agreement protocols have been established for wired and wireless group communication. This paper proposes an ECC (Elliptic Curve Cryptography) based authenticated group key agreement protocol for wireless scenario. The proposed protocol uses the concepts of elliptic curve cryptography to minimize the computation

overheads

and

AES

(Asymmetric

Encryption

Standards) to maintain efficiency. The proposed protocol consists of a set of users and a trusted server, where server and the user contribute to create the group key. The performance and security analysis shows that the proposed protocol is secure against passive and active attack and performs better in terms of computation and

communication cost from

other related

protocols.

Keywords-Group Key Agreement; Secure Communication; Elliptic Curve Cryptography.

I.

INTRODUCTION

The popularity of the Internet is rapidly increasing as it supports many collaborative groupware applications such as online chatting, video games, e-Iearning, e-commerce distributed simulation etc. These applications support reliable services and provide ordered message delivery [1]. A reliable group connnunication system can provide an integrated platform for basic security services such as data confidentiality, integrity, message and entity authentication etc. These services are impossible without secure and efficient group key management protocol. So group key management is very necessary for efficient group key agreement. Key agreement protocol allows all the members of the group to agree upon a common session key which allows them to communicate with each other in a secure manner through an insecure network [2]. Generally a group key agreement protocol comes under following three group key management schemes: (1) Centralized,(2) Distributed and (3) Contributory. A centralized group key management is a simple type of key management protocol as it involves a central authority (single entity) or (may be a small set of entities) that generates and distributes keys to group members through a secure channel. 978-1-4799-5958-7114/$31.00 ©2014 IEEE

This is appropriate in many cases since most of the scenario offer continued secure operation within a single platform consisting of source. In distributed type of group key agreement protocol every member of the group can generate the group key independently. In contrast, in contributory group key agreement protocol, every member of the group equally contributes to derive the group key. Group key agreement is an important cryptographic technique over public networks for providing secure communication in the collaborative applications. Over the past few years, many groupware agreement protocols have been proposed, however not all of them can meet the security as well as efficiency requirement simultaneously. Therefore, we propose a new group key agreement protocol for wireless network. The proposed protocol uses the concepts of elliptic curve cryptography to design the protocol because it takes minimum time in calculations for generation of group key. The proposed protocol performs better than other existing related protocol as it takes less computational overloads, the round of the protocol is constant for any number of group users, the protocol is also safe from various attacks. The rest of this paper is organized as follows. Section II discusses the related work of the group key protocols. Section III provides the preliminaries such as description of finite fields, Elliptic Curve, Elliptic Curve Discrete Logarithm Problem (ECDLP) and Elliptic Curve Diffie Hellman (ECDH). Section IV discusses about the group key generation protocol. Section V provides the performance and security analysis of the proposed protocol. Section VI concludes the proposed protocol. II.

RELATED WORK

Many papers have been proposed on group key agreement protocols [3, 4, 5] for designing secure groupware communication. These protocols consists of set of group members to exchange or establish a group key for secure communication within the group. There are many group key agreement protocols that are providing security using Group Diffie Hellman as in [6, 7, 10]. These agreement protocols take more connnunication and computation efforts than the protocols using elliptic curve cryptography [7]. Many round efficient group key agreement protocols have also been proposed [10, 8]. Some of them are constant round protocols.

[n the round efficient protocols, the number of rounds is constant whenever the number of users is increased. In 1982 Ingemarsson et al. [8] proposed the first group key agreement protocol known as ING protocol, many GKA protocol [3,6] follows that work, have been proposed. Many multi party key agreement protocols are proposed in the literature for wired as well as for the wireless group key environment. Some of them are based on centralized approach which have a special node that acts as a central server to manage the group key and some are based on distributed and contributory [[,11] groupware key agreement protocols. In contributory group key agreement protocol all members of the group contribute to design the group key. In centralized group key management, there is only one trusted entity responsible for managing the entire group. Hence the group controller need not depend on any auxiliary entity for key distribution. Kumar et al. [4] presented a cost effective region based group key agreement protocol in which participants are divided into region based on the preference of the participants.

B.

E(Fp) denotes an elliptic curve E over a prime finite field Fp defined by an equation 3 with the y2 mod p = (x + ax + b) mod p where a,b E Fp Let the symbol

discriminant the point on

�

= (4a 3 + 27b 2)mod p"* 0 (for

E (Fp)

including an extra point

non singularity) 0

called point at

infinity of the curve, that forms an abelian group a groupG={(x,y) : x,Y E Fp and x,Y E E (Fp )} u {O} with the following addition rules. •

Identity: There is an identity element 0 in the group such that P+O=0+ P =P for allpE E(Fp).

•

Negativity:

P (X,Y) E E(Fp)

If

(X,y)+(x,-y)=0, The point negative of P , denoted as -P . •

Point

addition:

Let

thenP+Q=R, where

Aydos et al. [9] describes an authenticated group key agreement protocol for wireless communication which is based on elliptic curve digital signature algorithm (ECDSA) and provides certain security services such as non repudiation, anonymity, certificate, expiration mechanism etc. Kar et al. [[0] presents a password based multiparty key exchange protocol using elliptic curve discrete logarithm problem, where design of the protocol is based on polynomial interpolation.

III.

Elliptic curve overfinitefield E(Fp)

(x,-y)

then IS

P(X1,Yl),Q(X2 ,Y2 )E RE

E(Fp) and

called

E(Fp) ,

co-ordinate

x3 =A2 -XI -x 2 Y2 -YI ,1, ,1, and Y3= (x1,x3) -Yl where = . X2 -XI (x3'Y3) of R is

•

calculated as

Point doubling: Let P(xl,Yl) E

E(Fp),

where

P"* -P and

PRELIMINARIES

Finite Field of order p (Fp ) For a given prime,p, we define the finite field order p , as the set Zp of integers {O,I,2, ..,p-l} with the following arithmetic operations modulo p.

A.

C.

Elliptic Curve Discrete Logarithm Problem (E C DLP) For a given elliptic curve

E

defined over a finite fieldFp

if the point P,QE E(Fp) then, find the integer

a ,bE Fp , then a+b=r , is known as addition modulo p , when a +b is divided by p and o ::; r ::; p -1 , where r is the remainder.

•

Addition: [f

•

a ,bE Fp thena. b =s , is known as multiplication modulo p, when a. b is divided by p and 0 ::; s ::; p -1, where s is the remainder.

•

Inversion: The inverse of a modulo p in finite fieldFp

Multiplication: [f

is denoted as

a-I,

for which. a.c =1.

which is the unique integer c

E

Fp

,

LE Z ;

such that Q = LP .The integer L is called the discrete logarithm of Q to base P, denoted L=logpQ.

D. Elliptic Curve Diffie Hellma n (E C DH) Elliptic Curve Diffie Hellman is an elliptic curve variant of the standard Diffie Hellman algorithm, it is based on the additive elliptic curve group. ECDH is an anonymous key agreement protocol that allows two parties, each having an elliptic curve public private key pair to establish a shared secret over an insecure channel. The shared secret may be directly used as a session key or better to design another session key from the shared secret key which can then used to encrypt subsequent communication using a symmetric key cryptosystem.

E.

Key Agreement Protocol

A key agreement protocol is a set of rules and regulations to establish a cryptographic session key for participants, over a public network, whereas more than two participants are involved in generating group key. One of the first and most popular key agreement protocol is Diffie Hellman key exchange protocol, which is mostly used in many applications area. Another direction in this research area is to generalize the two party key agreements into multi party key agreement and group key agreement schemes. IV.

Round 1: I) Each client randomly selects an integer

2)

as K1

I) Select a finite field 2) Define

an

initializes and selects some

F

p

elliptic

curve

4)

the =

d 1 *Rl

=

(k;x, k; y ) , where O:S.i'Sn-i,

first =

client

2)

(k 1x, k 1 y ) and so on.

Each client then sends (lD;, C; ,R;) to the Server.

receiving (lD;, C; ,R;) ,

The Server uses

k,x

=

server

d, * R;

4)

If each user is valid user then server further proceed and choose a random number w, E Z; and computes

Po fj P2

5) Publish E p (a,b), Ek(. ), Dk (.) and Q .

=

w, +Ro for Co w, +Rl for Cl

=

=

W ,'

+R2 for C2

PCn-l) 5)

=

w, +RCn

-l)

for C(n-I) .

The Server then encrypts

C,o Ekox(Ro, Po,S,) CII Ek1x(Rl' fj,S,,) C,2 Ek2x(R2,P2'S,) =

=

=

p

The authenticated key agreement phase

In this phase server authenticate all clients, then clients contribute to generate a session key called group key. This phase is partitioned into two rounds, which are as bellow.

computes

(k;x ,k ; y) .

The Server checks R;, if the decrypted R; is same as the previous R; that was sent from each client then S confirms that users are valid user, otherwise S aborts the protocol and sends authentication failed message to all clients.

4) Select a public point Q of order n over an elliptic

B.

=

as a decryption key to

curve.

CO,CI, have their private/public key pairs dr/Uo, d/UI, and (S) have d/[J, respectively. Note that Uo=do*Q, UI=dl*Q and Us=d,*Q where ,*, denotes the point multiplication over E ( a,b) [7].

to

3)

3) Select a secure symmetric encryption/decryption algorithm respectively denoted as Ek() IDk( ) as AES (Advanced Encryption Standard), where k denotes the symmetric key.

server

key

compute (R; ,W; ) = DkiX (C;).

F p'

6) Each client register to the server (S) to generate their private keys and public keys over E p ( a,b) , such as client

computes

After that each client randomly selects an integer Wi E Z;" to compute W; W; * Q and uses

Round 2: I) After

equation

ax + b(mod p ) with the order n over 2 F p,p > 3 and (4a 3 + 27b ) ;toO(m od p ) [7].

to

* U S ,where O:S.i'Sn-i

their x coordinates as an encryption compute C; = EkiX (R; ,W; ) , where O:S.i'Sn-i.

over a large odd prime p

E p ( a,b) = x3 + where a,b E

d j * Rj

=

k,x and k" for all clients K ;

(S)

Zp*

=

A. The initialization Phase

In this phase the server parameters as below.

r I

E

Each client then computes key coordinates (x and y coordinates) K j

3)

=

Z;, is a multiplicative group.

and

PROPOSED GROUP KEY AGREEMENT PROTOCOL

In this part we propose a new group key agreement protocol for secure group communication over networks. The proposed protocol is authenticated and based on elliptic curve cryptography. Let C = (Co, C], C2,...,C(n-l)) be the set of clients and S is a trusted server. They contribute to generate the group key. The proposed protocol is partitioned into two phases first is called as initialization phase and after that the group key generation phase. The generation of the proposed protocol is given below.

R1 = rI * UI and .ok

compute

rj

C,Cn-l)

Ek(n-l)x(RCn-I),PCn-l)'S, ) "n l Where S, is L. ;=-o Wi . =

6)

it sends CIO to Co, Csi to CI and so on, 7)

After receiving

each user uses

C,;

k;x

as a

(R;, � )= D Kix (Cli ) then decrypted R; is the same as R, that

decryption key to compute each client check

8)

V, PERFORMANCE AND

After that server sends C" to all respective clients as

they have, then clients confirms that they are authenticated by the server. Then each client computes the common session key as

This section analyses the perfonnance of the proposed work in terms of communication and computation cost perspectives. Table.) shows the performance comparisons of the protocol with some other existing protocols.

A. Performance Analysis •

Computation Cost: The Comparison of computation cost between the proposed work and the other related scheme is given below in tablel.The result shows that the proposed protocol is more effective than the related protocol, the computation cost for each client in the proposed protocol is 2PA+4PM+2SE whereas the related protocols have more commutation cost. The computation cost of the server for each client is also better than the existing protocols.

•

Communication Cost: The communication cost required by the presented protocol is 2n whereas the related protocols required more communication cost.

-I + S " I K, = F., +Rl +S, I K, =P2 +R2- +S,

K - 1D +R 0 ,, - 0

Client Co computes Client Cj computes Client C2 computes

Client C(n-I) computes Ks =PCn

-I -l) + RCn-l) + S,

In the proposed protocol each client equally contributes to compute the session (agreement) key with the help of trusted server. Figure 1 shows the diagrammatic representation of the proposed protocol.

SECURITY ANALYSIS

Table, I, The Performance comparison with other existing protocols Protocol

Userls

Server

Select an integer ri compute Ri =

r * ,

E

Zq

eacb client

Computation

cost required by the server

Communicati

Round

on cost

Is

for each client

*

U, , R, =

r * ,

U, ,

and Ki =di *R, = (kix,k,v) Randomly select an integer Wi uses Kix to compute

Computation

cost required by

E

Zq

*

C, = EkiV (Ri,W,) , (ID"c"RJ �

Computes K, = d,

*

R , = (k,x,k,y) ,

Proposed

4PM+2PA+2SE

IPM+IPA+2 SE

2n

2

Kar et aL [10]

6PM+!PA+!H

3PM+!PA+! H

n"+2n

2

Yonglian g et aL [5]

3PM+IPA+ 3SE +2H

2PM+IPA+2 SE+2H

3n

3

Aydos et a1.[9]

6PM+2PA+2SE +IH

5PM+2PA+2 SE+IH

4n

3

Computes (R"W,)= DkiV(C,) ,

Check the decrypted

C,

, if true,

choose a random number compute Pi = W, Compute C" =

+

lV, '

Ri ' where 0 � i � 11 -I ,

EKiV (Ri,Pi ,S,)

for all user,

where $, is I;';(;W,

C" = Ek (R"P"S, )

...

v.v

Check weather the decrypted R, is same as original one, if they are same then compute

K, = P,

Fig, I, The Proposed protocol abstract

,

+ R -l +

S,

'

Note: PM: Point Multiplication, SE: Symmetric encryption, PA: Point Addition, H: Hash Function B.

Security Analysis and Discussion

•

The security of the proposed protocol depends on the hardness of elliptic curve discrete logarithm problem.

Authenticated Group Key Agreement Protocol--- Let {Mo,Mj,oo.,Mn_d be all the messages, that are exchanged between members where n is the number of messages and {M'o,M'j,oo.,M'(n_l)}are all the messages modified by an active adversary. Suppose (Ko, Kj,oo.,K(n_l)} is the session key list where K; is computed by U . However K; cannot be computed by an adversary, because the security of the session key depends on the hardness of ECDLP and asymmetric key encryption. If adversary cannot compute a session K E{Ko,

Kj,...,K(n-I)}, the authenticated. •

group

key

agreement

protocol

is

If the elliptic curve discrete logarithm problem is hard, the proposed protocol is authenticated.

Suppose that the adversary wants to intercept the transmitted messages (ID;, C;, R;) and wants to find out IDb R; and C;. Then adversary modified these values like ID; to IDj, R; to RJ rJ * U J and CI Ek (RJ ,WI) and send it to the server. " In the transmitted messages, C; is encrypted from the key value k;x which is only known to server and the authorized clients. If the key value of client and server is not same then server aborts the protocol otherwise it continues its operations. Due to hardness of the discrete logarithm problem the adversary cannot be calculate r ; from r; * U ; and r; * U ,and ,.

cannot find WS' Therefore the adversary cannot calculate the session key. So, this protocol is authenticated group key agreement protocol. The Proposed protocol is safe from Man-- in -the middle attack.

Assume that an adversary wants to perform man- in- the middle attack, and then the attacker wants to find out the session key. Then the attacker firstly find out the key components that are W; w; * Q and replaces it with the other =

forged component as WJ

=

wJ * Q and send it to the server, but

the server had already W; in an encrypted form which was encrypted by the client asEkiX(R;,W;) . When eavesdropper

uses another key such as kjx to encrypt the information like Eki (R;,W;) and send it to the server then server checks that x which key has been used by the client, if it is not same as previous key, then the Server find out that the given (acquired) message is forged and not sent by an appropriate client/user. After receiving the message from eavesdropper, the server will discard the session. Suppose that an attacker captures the transmitted message (ID; ,C;, RJ and it wants to calculate the value of ID;, Cb R; but he would not be calculate this because the proposed protocol uses elliptic curve cryptography. Attacker also cannot calculate C; because it is encrypted with AES symmetric key encryption. The attacker then calculates a session key as n-l

p. '+R . '+ " j j L.J

Direct Server attack: The proposed protocol is also safe from direct server attack since it uses AES and ECC that makes the database more secure.

•

Full Forward Secrecy: The adversary cannot calculate the group key because he receives only a generating point on the elliptic curve that is calculated from the random secret. The adversary cannot find the session key due to the hardness of ECDLP. Therefore, the proposed work achieves full forward secrecy from both sides. VI.

ACKNOWLEDGEMENT

This work is supported by UGC (University Grant Commission), Govt. of India under project No. UGC(77)/2012-13/316/CSE . We would like to thank UGC for the support in this research work. REFERENCES [I]

K. Muthumayil, V.Rajamani, S. Manikandan, M. Buvana "A Group Key Agreement Protocol based on Stability and Power using ECC, " 2011 International conference on Emerging Trends in Electrical and Computer Technology, 20II, pp. 1051-1056.

[2]

Z. Liehuang, L. Lejian, L. Wenzhuo, Z. Zijian, "An Authenticated Constant Round Group Key Agreement Protocol Based on Elliptic IJCSNS International Journal of Computer Curve Cryptography, " Science and Network Security, vol.6 No.8B, pp. 131-134, August 2006.

[3]

Y.Wang, B.Ramamurthy and X. Zou, "The performance of Elliptic Curve Based Group Diffie Hellman Protocol for Secure Group Proceedings of IEEE Communication over Ad Hoc Networks, " International Conference on Communications, vol. 5, pp. 2243-2248, 2006.

[4]

K. Kumar, J. N. Begum, V. Sumathy, "A Novel Approach towards Cost Effective Region- Based Group Key Agreement Protocol for Secure Group Communication, "lnternational Journal of Computer Science and Information Security, vol. 8(2), pp. 65-74, 2010.

Assume that an attacker want to communicate among client and

server

then

he

can

obtain R;

=

r;

* U; ,R;

=

r;

* U,. ,

Ek (R;, W; ). If the attacker wants to decrypt the W, i from " C; , the attacker must use ds However d, is the server private key and it is impossible to find the server private value from C;

=

•

CONCLUSION

A secure group key agreement protocol design is an important research area to provide secure services among a group of users with limited computational capabilities. For secure group communication, user authentication and key agreement are very necessary. In the proposed group key agreement protocol user obtains a session/common key from a trusted third party and with the help of that session key they communicate with each other securely and effectively. Elliptic curve cryptography is used in the proposed protocol because it provides higher security than RSA in terms of computation cost and reduces communication loads. This paper presents efficient and secure group key agreement protocol based on ECC, which accomplishes most desired security goals, e.g. replay attack, full forward secrecy, man-in middle attack etc. The result of the proposed protocol shows that it is well suited for mobile devices with limited computirlg ability.

Wi which is not the actual session key.

The proposed protocol is safe from outsider attack.

d, * Q . The attacker will face the

•

;=0

•

=

ECDLP. Thus the outsider attack is infeasible for the proposed protocol.

=

=

•

server public key U,

[5]

L. Yongliang, W. Gao, H. Yao, X. Yu, "Elliptic Curve Cryptography Based Wireless Authentication Protocol, " International Journal of Network Security, vol. 5(3), pp. 327-337, 2007.

[6]

Y.-M. Tseng, "A Resource Constrained group key agreement protocol for imbalanced wireless networks, " Journal of Computers and Security, vol. 26(4), pp. 331-337, 2007.

[7]

D. Hankerson, A. Menezes, S.Vanstone, " Guide To Elliptic Curve Cryptography, " Springer Professional Computing , ISBN-13: 9780387952734, Edition: 2004th.

[8]

I. Ingemarsson, D. Tang and C. Wang, "A conference key distribution system, " IEEE Transactions on Information Theory, vol. 28 (5), pp. 714 -720, September 1982.

[9]

M. Aydos, B. Sunar, C.K. Koc, "An Elliptic Curve Cryptography based Authentication and Key Agreement Protocol for Wireless Communication, " 2nd International Workshop on Discrete Algorithms and Methods for Mobile Computing and Communication, Dallas, Texas, Oct30, 1998.

[10] 1. Kar, B. Majhi, M. S. Anwar, "An Efficient Password Security of Multiparty Key Exchange Protocol using Secret Sharing based on ECDLP, " 2nd International Conference on Computer Engineering and Technology(ICCET), vol.3, pp. 78-81, 2010.