Identity based Authenticated Group Key Agreement Protocol Divya Nalla, K.C.Reddy

1

AILab, Dept of Computer/Info. Sciences, University of Hyderabad, Gachibowli, Hyderabad, 500046, India [email protected] , [email protected]

Abstract. An important and popular trend in modern computing is to convert traditional centralized services into distributed services spread across multiple systems and networks. One-way function trees can be used to extend two-party Key Agreement protocols to n-party protocols. Tree-based Group Diffie-Hellman [17] is one such protocol. This paper proposes the first Identity based Group Key Agreement protocol by extending the Identity based two-party Authenticated Key Agreement protocol [13] using the One-way function trees. A new function called the transformation function is defined, which is required in generating keys at any level from a lower level key in the key tree. The new protocol provides complete forward and backward secrecy. Authentication is implicit in this protocol, whereas it has to be explicitly dealt with in other Key Agreement protocols. ID-AGKA protocol is more advantageous for systems without a deployed PKI.

Key words: Key Agreement, group Key Agreement, elliptic curves, Weil pairing, cryptography, Identity based, ID-based, Diffie-Hellman, Key Agreement Protocols, key trees, one-way function trees.

1. Introduction Asymmetric Key Agreement Protocols are multi-party protocols in which entities exchange public information allowing them to create a common secret key with that information. This secret key is known only to those parties which are involved in the key generation and which cannot be determined by any external entity. An important and popular trend in modern computing is to convert traditional centralized services into distributed services spread across multiple systems and networks. Many of these newly distributed and other inherently collaborative applications need secure communication. However, security mechanisms for collaborative, Dynamic Peer Groups (DPGs) tend to be both expensive and unexpectedly complex. A huge number of two party key agreement protocols have been proposed [2]. The situation where three or more parties share a secret is often called Conference Keying [9]. Boneh and Franklin [7] and Cocks [5] have proposed two Identity based (ID-based) encryption systems which allow the replacement of a Public Key Infrastructure (PKI) with a system where the public key of an entity is given by its identity, and a Key Generation Center (KGC) helps in generating the private key. Cocks' system is based on the Quadratic Residue theorem whereas Boneh and Franklin's system is based on the Weil Pairing. A two pass Identity based (ID-based) Authenticated key agreement protocol based on Weil pairing has been proposed in [13]. Joux [1] proposed a tripartite generalisation of the Diffie-Hellman protocol using the Weil and Tate pairings. Joux's protocol for tripartite Key Agreement has been modified in [15] to provide authentication by including certificates. Tripartite ID-based authenticated key agreement protocols are proposed in [8]. One-Way function trees (OFTs) can be used to compute a tree of keys. The keys are computed up the tree, from the leaves to the root. The bottom-up use of OFTs for group keying was first proposed by Sherman in [6], though the idea of using OFTs is not a new one. Merkle [10] proposed an authentication method based on such trees. Fiat and Naor [12] used a one-way function in a top-down fashion in their group keying method for the purpose of reducing the storage requirements of information theoretic group key management. 1

The author is currently associated with Center for Distributed Learning (APSCHE), IIITcampus, Gachibowli, Hyderabad, 500046, India

Any two party key agreement protocol satisfying some specific properties [6] can be extended to an nparty key agreement protocol using one-way function trees. Tree-based Group Diffie-Hellman (TGDH) [17] is one such protocol which extends the Diffie-Hellman protocol to a group key agreement protocol using one-way function trees. Appendix D provides a comparison [16] of TGDH with other contributory group key agreement protocols STR [16], BD [9], and GDH.3 [11] resulting in a conclusion that TGDH protocol works best in both LAN and WAN settings compared to these protocols i.e., more communication efficient. Hence, using the approach of TGDH for group membership operations is more advantageous. This paper extends the Identity based two-party authenticated key agreement protocol to an authenticated group key agreement protocol, using the one-way function trees to generate the first ID-based group key agreement protocol. The extension is not as obvious as it seems to be. In TGDH protocol, the key generated at one level is directly used to generate the key for the next level since it only needs to do modular exponentiation of the key with the blinded key of the sibling node. But in the new protocol, the key generated by the ID-based authenticated key agreement protocol has to be transformed into some value, that can be used to calculate the key at the next level. Hence, a new function called the transformation function is defined to do this operation. Single or multiple join and leave operations are common in group communication. Coping with group partitions (multiple member leave) and merges (multiple member join) is considered to be a crucial component of group key agreement. Hence these issues are also dealt in the new protocol. The main advantage of this protocol over TGDH is that this protocol is ID-based. Authentication is implicit in this ID-based protocol, and hence this protocol can be named Identity-based Authenticated Group Key Agreement protocol (ID-AGKA). The protocol has the novel property that the key generation center is able to recover the agreed session keys from the message flows and its secret key s. And hence, this allows for an efficient ID-based escrow facility. This would enable law enforcement agencies to decrypt messages encrypted with the group keys, after having obtained the necessary warrants. If this property is not desired, or, if a single KGC is not desirable, multiple KGCs can be used where each one of them generates a part of the private key. These parts are then combined by the user to obtain his/her private key. The paper is organised as follows. The next section gives insight into Identity based public-key cryptosystems. Section 3 describes the One-way function trees and the tree based group Diffie-Hellman protocol. The Weil pairing is defined in section 4. The new ID-based group key agreement protocol is discussed in section 5. Section 6 discusses the security properties of the new protocol, and section 7 concludes the paper. Appendix A lists out the advantages of an ID-based system, Appendix B describes the two-party ID-based authenticated key agreement protocol. The desirable group key agreement protocol properties are listed in Appendix C. Appendix D provides the comparison of TGDH with other contributory key agreement protocols.

2. Identity-based Public Key Cryptosystem Problems with the traditional Public Key Crypto systems (PKCs) are the high cost of the infrastructure needed to manage and authenticate public keys, and the difficulty in managing multiple communities. Whilst ID-based PKC will not replace the conventional Public Key Infrastructures (PKIs), it offers easier alternative solutions to some of these problems. In ID-based PKC, everyone's public keys are predetermined by information that uniquely identifies them, such as their email address. This concept was first proposed by Shamir [4]. Shamir's original motivation for ID-based encryption was to simplify certificate management in e-mail systems. When Alice sends mail to Bob at [email protected] she simply encrypts her message using the public key string [email protected] There is no need for Alice to obtain Bob's Public Key Certificate. When Bob receives the encrypted mail he contacts the KGC. He authenticates himself to the KGC and obtains his private key from the KGC. Bob can then read his e-mail. Unlike the existing secure e-mail infrastructure, Alice can send encrypted mail to Bob even if Bob has not yet setup his Public Key Certificate. It should be noted that key escrow is inherent in ID-based systems since the KGC knows Bob's private key. For various reasons, this makes implementation of the technology much easier, and delivers some added information security benefits. ID-based PKC remained a theoretical concept until [5] and [7] were proposed.

An ID-based system requires a trusted KGC. The KGC generates the private keys of the entities in the group using the public key, which in turn is based on the identity of the entity. Since a single authority for key generation may present an obvious point of compromise or system failure, and it can masquerade as any given entity, it is split into two or more cooperating parties. The authorities perform a one-time set-up in order to share the system secrets in a secure manner. The user proves itself to each authority. Each authority then returns its part of the private key. The user combines these parts to obtain his private key. This provides more security as the private key remains split until use. We can also have n-authorities in the system wherein no n-1 of them can generate a key or compromise the system. With traditional PKI, sending the message implies that the recipient can read it since the private key must exist. This is not true in ID-based PKC. In ID-based PKC, the system (rather than the user / sender) determines whether the recipient is able to read a particular message. Another advantage is that, since the associated private key doesn't necessarily exist, these conditions need not be pre-arranged and can be ephemeral down to a single transaction. ID-based PKI has simple procedure of managing public key list, it has advantages such as automatic key escrow/recovery [7]. Also when the whole ID-based scheme is used by one user, it can be applied for delegation of duties [7] on encryption and proxy signatures in signature. Sometimes key escrow may not be desirable. Also, the key generation center is required to be a trusted authority, and there is computational overhead using pairings (for ID-based encryption and key agreement). Despite these debating issues, the ID-based scheme has many useful applications such as email system, Intranet PKI, and mobile PKI ID-based two party key agreement protocol has been proposed by Smart [13]. This paper extends this protocol to an n-party protocol.

3. One-way Function Trees This section discusses the One-way function trees (OFTs), and the OFT algorithm for key establishment in dynamic groups [6]. Diffie-Hellman(DH) protocol is extended to a group key agreement protocol using OFTs [17]. From this section, it can be concluded that, any two-party key agreement protocol can be extended to an n-party key agreement protocol. 3.1 Notations N Mi h T BKi* p, q

– number of group members – i-th group member; i ∈ { 1, 2,…… N} – height of the tree – v-th node at level l in a tree – A subtree rooted at node – set of Mi s blinded keys – prime integers

G

– unique subgroup of Z p of order q

*

A → B : m - A sends message m to B A → * : m - A broadcasts message m The root is located at level 0 and the lowest leaves are at level h. Each node is associated with the key k and the blinded key BK (explained later) 3.2 One-way function tree (OFT) algorithm for key establishment One-Way function trees can be used to compute a tree of keys. The keys are computed up the tree, from the leaves to the root. The bottom-up use of OFTs for group keying, was first proposed by Sherman in [6]. In an OFT, the group manager maintains a binary tree, each node x of which is associated with two cryptographic keys, a node key kx and a blinded key kx' = g (kx). The blinded node key is computed from the

node key using a one-way function g; it is blinded in the sense that computing kx from kx’ is a computationally Hard problem. Interior nodes of the tree has exactly two leaves. Every leaf of the tree is associated with a group member. The group manager assigns a randomly chosen key to each member, securely communicates this key to the member (using an external secure channel), and sets the node key of the member's leaf to the member's key. The interior node keys are defined by the rule kx = f(g(kleft(x)), g(kright(x))) ……………..(Rule1) where left(x) and right(x) denote the left and right children of the node x. The function g is a one-way function and the function f is a mixing function. Property 1: The function g is one-way, given g(x), it is computationally infeasible to find x with any non-negligible probability. Property 2: Given a sequence x0 , x1 , ……. , xl-1 , it is computationally infeasible to find kl with any nonnegligible probability, where ki+1 = f(xi, g(ki)), and k0 is chosen at random, for any l less than some value lmax. Property 1 makes it impossible to find a node key kx given the blinded key kx' = g (kx). Property 2 makes it impossible for a member who has left the group, whose distance to the root is less than lmax , to find any node key. When a new member is added to the group, or an existing member of the group leaves, the key values of some of the members change, to change the group key. The security of the system depends on the fact that each member's knowledge about the current state of the key tree is limited by the following invariant: System invariant: Each member knows the unblinded node keys on the path from its node to the root, and the blinded node keys that are siblings to its nodes on the path to the root, and no other blinded or unblinded keys. Definition: The OFT method is secure if it is computationally infeasible for an adversary to compute any unblinded node key with non-negligible probability [6]. Thus, from the above properties, and the rule for defining the interior node keys, the group key computed using OFTs satisfies the group key secrecy property, and provides complete forward and backward secrecy (defined in Appendix C). The algorithm provides complete forward and backward secrecy: newly admitted members cannot read previous messages, and members deleted from the group cannot read future messages. Any key agreement protocol in which the key is computed using the rule (Rule 1 defined above, where f and g satisfy the above properties) can use the OFT method to support group key agreement. In the OFT method, the functions f and g can be any functions which satisfy the above properties. These functions are replaced by the DH protocol (where we use modular exponentiation function for both f and g), and the TGDH protocols are generated. This is discussed in the next subsection. Similarly, these functions can be replaced by the ID-based two-party key agreement protocol to obtain an ID-based group key agreement protocol. But this cannot be done directly. Some functions are required in between key computations for different levels. These functions are defined and the ID-based two-party key agreement protocol is extended to IDAGKA in section 5. 3.3 Tree-based Group Diffie-Hellman Protocol (TGDH) Key trees have been suggested in the past for centralised group key distribution systems. TDGH [17] protocols make use of key trees in fully distributed contributory key agreement. Key trees are used in fully distributed contributory key agreement. The concept of a key manager does not exist here. Hence, the members select random secret values for themselves. The root is located at level 0 and the lowest levels are at level h. Binary trees are used here and hence every node is either a leaf or a parent of two nodes. The nodes are denoted by where 0 ≤ v ≤ 2l − 1 since each level l hosts at most 2l nodes. Each node is associated with the key k and the blinded key (Bkey) BK = f (k) where the function f(k) = αk mod p. Assuming a leaf node hosts the member Mi , the node has Mi's session random key K. Furthermore, the member Mi at node knows every key along the path from to , referred to as the key-path and denoted KEYi*. Every key k is computed recursively as follows:

k = ( BK < l +1,2 v +1> ) = ( BK ) =α

k

k

k k

mod p mod p

mod p

= f ( k , k< l +1,2 v +1> )

COi*

Co-path is the set of siblings of each node in the key-path of member Mi. Consequently, every member Mi at leaf node can derive the group secret k from all Bkeys on the co-path COi* and its session random k.. A group key can be computed from any member's secret share (i.e., any leaf value) and all Bkeys on the co-path to the root. For a point-to-point session, the costs of session establishment and key distribution are incurred just once, at the beginning of the session. A group session, on the other hand, may persist for a relatively long time with members joining and leaving the session. After a join, the new member should not come to know the old group keys, and after a leave, the member should not be able to compute future group keys. Large groups whose members join and leave frequently pose a problem since the keys have to be computed frequently. Hence, there is the need for concentration on issues of frequent changes, and the associated scalability problem for large groups. In TGDH, in case of an additive change (join or merge), all group members identify a unique sponsor. This sponsor is responsible for updating its secret key share, computing affected [key, Bkey] pairs and broadcasting all Bkeys of the new tree to the rest of the group. The common criteria for sponsor selection is determined by the tree maintenance criteria [17]. ID-AGKA protocol proposed in this paper follows the same approach as the TGDH protocols in dealing with these issues. A complete Group Key Agreement solution should support adjustments to the group key for any membership change in the group. There can be four types of membership changes: Join, Leave, Merge (multiple join or addition of groups), Partition (multiple leaves or splitting a group into smaller groups). TGDH protocol suite addresses these four types of membership changes.

4. The Weil Pairing The modified Weil pairing which forms the basis for the ID-based Key Agreement protocols is defined here. Definition: Let G be a subgroup of the group of points on the Elliptic curve E over the finite field Fq . Let the order of G be denoted by l and define k to be the smallest integer such that l / qk –1 (this implies that there exists a unique subgroup of Fq* of order l). k

In practical implementations we will require k to be small and so we will usually take E to be a super singular curve over Fq The modified Weil pairing [13] is a map eˆ : G × G → Fq* which satisfies the following properties: k

1.

Bilinear eˆ( P1 + P2 , Q ) = eˆ( P1 , Q ).eˆ( P2 , Q ) eˆ( P, Q1 + Q2 ) = eˆ( P, Q1 ).eˆ( P, Q2 ) i.e., eˆ( aP, bQ ) = eˆ( P, Q ) ab where a, b ∈ Z q*

2.

Non-Degenerate There exists a P∈G such that eˆ( P, P ) ≠ 1 3. Computable: One can compute eˆ( P, Q ) in polynomial time. The non-degeneracy defined here does not hold for the standard Weil Pairing e( P, Q ) . A more comprehensive description is provided in [6].

5. ID-based Authenticated Group Key Agreement (ID-AGKA) This section discusses the protocol for Authenticated Group Key Agreement. Knowing the advantages of an ID-based system, it would be advantageous to have ID-based key agreement protocols. Smart [13] proposed an ID-based two party authenticated key agreement protocol. ID-based tripartite key agreement protocols are proposed in [8]. Extending the same to a group of n parties would be desirable. Also, authentication is implicit in ID-based protocols, whereas it has to be explicitly dealt with in other key agreement protocols. As seen in section 3.2, the ID-based Authenticated Key Agreement protocol [13] can be extended to an n-party ID-based Authenticated Group Key Agreement protocol (ID-AGKA). Key trees are used in fully distributed contributory key agreement. Binary trees are used in this case. The leaves in the tree represent the members of the group, and every other node is a parent of two child nodes. The key associated with this node represents the common key for its two child nodes. The same rule applies to all the non-leaf nodes in the tree. Thus the key associated with the root node becomes the group key, or the common key for all the members in the group. 5.1 Assumptions Suppose G is a subgroup of an Elliptic curve for which the modified Weil Pairing eˆ maps into the finite field Fq . The following properties are assumed. k

• •

qk is large enough to make solving discrete logarithms in a finite field infeasible Elliptic curve contains a large prime subgroup of order l such that solving discrete logarithms in the subgroup of order l is also infeasible.

•

Let V: Fq

• •

* k

→ {0, 1}* is the key derivation function [13]. Such functions can be readily found in a

number of documents. A function H: {0, 1}* → G is also assumed. It denotes a cryptographic hash function. It is generally used to compute the public keys of the members using their identities (which are binary strings). Another hash function H' : {0, 1}* → {0, 1}* is defined. Another important function is defined, which is required to extend the two-party ID-based protocol to a group key agreement protocol is a transformation function ft defined as ft : Fq* → Z q* . This function is applied over the keys associated with the intermediate nodes, to k

obtain a value, which can be used as the ephemeral private key for the next higher level. 5.2 System Settings The Key Generation Center chooses a secret key s ∈ {1,….. l-1} The KGC produces a random P∈G and computes PKGC =[s]P. Then the KGC publishes (P, PKGC) When a user with identity ID wishes to obtain a public/private key pair, the public key is given by QID = H (ID) And the KGC computes the private key SID = [s] QID The (public, private) key pair of the user is given by (QID ,SID) This calculation can be performed using multiple key generation centers, each generating a part of the private key. These are combined by the user to obtain his/her private key. 5.3 Protocol Figure 1 shows an example of a key tree. Computation of the group key for this tree is as follows.

First, A and B compute the common key associated with node by using the ID-based authenticated key agreement protocol by Smart [13]. The two party authenticated ID-based key agreement protocol is described in Appendix B. *

A and B choose random values, a, b ∈ Z q , and exchange the values TA = T< 2,0 > = [ a ]P and TB = T< 2,1> = [ b ] P

respectively. These two values are called the ephemeral (temporary) public values of A and

B whereas, a, and b are their ephemeral private keys.

Fig. 1.

The key computed by A is k AB = k = eˆ([ a ]QB , PKGC ).eˆ( S A , TB ) = eˆ (QB ,[ s ]P ) .eˆ([ s ]QA ,[b ]P ) a

= eˆ (QB , P ) .eˆ(QA , P ) as

bs

= eˆ (QB , TA ) .eˆ(QA , TB ) s

s

= eˆ([ s ]QB ,[ a ]P ).eˆ([b]QA ,[ s ]P ) = eˆ([b]QA , PKGC ).eˆ( S B , TA ) = k BA

Thus, A can compute the key associated with its parent node if it knows the identity of B: QB and the ephemeral public key of B: TB . The pair (Q , T ) is called the blinded key or Bkey of B. Similarly, C and D also compute the key associated with the node . These computations are shown in table 1. B

A The public key QA is sent to the KGC to get the private key S A = [ s ]QA selects a random value a ∈ Z q* compute TA = [ a ]P Exchange TA and TB TA = [ a ]P

B

B The public key QB is sent to the KGC to get the private key S B = [ s ]QB selects a random value b ∈ Z q* compute TB = [b]P

C The public key QC is sent to the KGC to get the private key SC = [ s ]QC selects a random value c ∈ Z q* compute TC = [c ]P

compute TD = [ d ]P

TC = [c ]P TB = [b]P

eˆ([ a ]QB , PKGC ).eˆ( S A , TB ) = kAB

D The public key QA is sent to the KGC to get the private key S D = [ s ]QD selects a random value d ∈ Z q*

eˆ([b]QA , PKGC ).eˆ( S B , TA ) = kBA

TD = [ d ]P eˆ([c ]QD , PKGC ).eˆ( SC , TD )

eˆ([ d ]QC , PKGC ).eˆ( S D , TC )

= kCD

= k DC

Table 1.

The value kAB or kCD is never used directly as a cryptographic key for the purpose of encryption. Instead, such special-purpose sub-keys are derived from the group secret, eg. by setting Key=V(k).

The secret key associated with the node , Key = V ( k ) . Thus, the secret key at each node would be a binary string. A function ft : Fq* → Z q* is applied over the value k to obtain k ' ∈ Z q* . A, k

B and C, D compute k ' and k ' respectively. These two values act as the ephemeral private values at this level. These values are used to compute the keys at the next higher level. At this level, each node requires a public and a private key pair. The public key is obtained by adding the public values of its two children, and taking the hash of that value. The public value is then sent to the KGC to obtain its private counterpart. AB The public key QAB= QBA=H' (QA+QB )is sent to the KGC to get the private key S AB = [ s ]QAB Compute kAB’ = ft (kAB)

CD The public key QCD=QDC= H' (QC+QD )is sent to the KGC to get the private key SCD = [ s ]QCD Compute kCD’ = ft (kCD) '

Compute TCD = [kCD ]P

'

Compute TAB = [ k AB ]P Exchange TAB and TCD '

TAB = [ k AB ]P '

TCD = [ kCD ]P '

'

eˆ([ k AB ]QCD , PKGC ).eˆ( S AB , TCD )

eˆ([ kCD ]QAB , PKGC ).eˆ( SCD , TAB )

Table 2.

The node will have a public value Q = H ′(Q< 2 ,0 > + Q< 2 ,1> ) or QAB = H ′(QA + QB ) . The KGC computes the private key SAB or S = [ s ]Q from Q. At node , A does these computations and computes the key at using the identity at the node , Q or QCD, and the ephemeral public key at , T or TCD (as shown in table 2). The pair (Q , T ) is the Bkey of . A and B compute ' k ABCD = eˆ([ k AB ]QCD , PKGC ).eˆ( S AB , TCD ) '

= eˆ([ kCD ]QAB , PKGC ).eˆ( SCD , TAB ) = kCDAB which is computed by C and D.

A can compute the group key, i.e., the key at the root node, if it knows every key along the path from to , referred to as the key-path in section 3, and every Bkey along its Co-path (set of all siblings of all the nodes on the key path) {, }. Similarly, each member in the group can compute the group key if it knows all the blinded keys along its Co-path. For any node in the key tree, the key is given by V(k) where k = eˆ([ k< l +1,2 v > ']Q< l +1,2 v +1> , PKGC ).eˆ( S< l +1,2 v > , T< l +1,2 v +1> ) = eˆ(Q , P )

s . k '

.eˆ(Q< l +1,2 v > , P )

s .k '

= eˆ(Q , Tk ' ) s .eˆ(Q< l +1,2 v > , Tk ' ) s = eˆ([ k ']Q< l +1,2 v > , PKGC ).eˆ( S< l +1,2 v +1> , T< l +1,2 v > )

and k< x , y > ' = ft ( k< x , y > ) . Assuming an n-party group {M1, M2, …….Mn }, every member Mi at leaf node can derive the group secret k from all the secret keys on the key path, and all the Bkeys on its Co-path. Thus, every key computation involves two Elliptic curve scalar multiplications and two Weil pairings.

It can be noted that, instead of including the identity of the node QID in the Bkey, if the KGC knows the key tree structure, it can compute the identities associated with all the nodes in the key tree and send the required secret keys to the corresponding nodes when requested. This would reduce some of the redundant computations. In figure 1, to compute the key associated with the node , the identity QAB = H' (QA + QB) is required. This value is computed by A and B separately, to compute kAB and kBA respectively. This computation can be done only once by the KGC instead of being computed twice by both the members. This computation of the Identities associated with the nodes becomes more redundant at higher levels in the key tree i.e., the same value may have to be computed by more members. Hence computation of the identities associated with the non-leaf nodes by the KGC would be a desirable property. Single or multiple Join or leave operations are common in a group communication. These situations have to be taken care of in a group key agreement solution. The basic idea here is that after any group membership event, every member unambiguously adds or removes some nodes related with the event, and validates all the keys and blinded keys related with the affected nodes. A special group member (the sponsor) then, computes the keys and blinded keys and broadcasts the new key tree to the group. The sponsor and the insertion location (in the case of an additive event) are decided by the tree management policy [17]. 5.4 Adding or deleting a member in the key tree Firstly, whenever a user Mn+1 wants to join the existing group {M1, M2, …….Mn}, it broadcasts a join request (containing its Bkey) to all the group members. Every member then updates the key tree by adding the new member node and the intermediate node (new member is added at the rightmost shallowest node to maintain the tree height). When a new member joins the group, an existing leaf node x is split, the member associated with x is now associated with left(x) and the new member is associated with the right(x). The new member would be having a new long term public/private key pair (private key obtained from the KGC using his ID as public key) and a new ephemeral public/private key pair. The old member should change his ephemeral public key (by choosing a new ephemeral private key), since its former sibling knows its old blinded key, and could use this information in collusion with another member in the group to find an unblinded key that is not on his path to the root. This member is called the sponsor. The sponsor, after updating the tree, computes the group key since it knows all the necessary blinded keys. After computing the group key, the sponsor broadcasts the new tree, which contains the blinded keys which have been changed after the join. The whole tree information has to be sent to the new member. When the member associated with the node y is removed from the group, the member assigned to the sibling of y is reassigned to the parent p of y and given a new leaf key value (ephemeral key). If the sibling s of y is the root of a subtree, then p becomes s, moving the subtree closer to the root, and one of the leaves of this subtree is given a new ephemeral key (so that the deleted member no longer knows the blinded key associated with the root of the subtree). The sponsor in this case is the rightmost leaf node of the subtree rooted at the leaving member's sibling node. The sponsor picks up a new secret share, computes all keys on its key path up to the root, and broadcasts the new set of blinded keys to the group which allows all members to recompute the new group key.

Fig. 2. Join operation

Fig. 3. Leave operation 5.5 Merge and Partition Suppose there are two merging groups. In the first round, each sponsor (the rightmost member of each group) broadcasts its tree (with all Bkeys) to the other group after updating the secret share of the sponsor and relevant information (key, Bkey) pairs up to the root node. Upon receiving these messages, all members can uniquely and independently determine how to merge the trees by tree management policy [17]. The merge position is the rightmost shallowest node, which does not increase the tree height. If the two trees have the same height, we join one tree to the root node of the other tree. The rightmost member of the subtree rooted at the merge point becomes the sponsor of the key update operation. The sponsor, then, takes on the role of computing the keys, and the blinded keys and broadcast the entire tree with the blinded keys to all the other members. All the members now have the complete set of blinded keys, which allows them to compute all the keys on their key path. A partition in the key tree would be as follows. In the first round, each member updates its view of the key tree by deleting all leaf nodes associated with partitioned members and (recursively) their parent nodes. All leaving nodes are sorted by depth order. Starting at the deepest level, each pair of leaving siblings is collapsed into its parent, which is then marked as leaving. This node is then re-inserted into the leaving nodes list. The above is repeated until all leaving nodes are processed, i.e., there are no more leaving nodes that can be collapsed. The resulting tree has a number of leaving (leaf) nodes but every such node has a remaining sibling node. Each of these sibling nodes becomes a sponsor. Each sponsor now computes the keys and Bkeys on the key-path as far up the tree as possible. Then, each sponsor broadcasts the set of new Bkeys. Upon receiving the new broadcast, each member checks whether the message contains new Bkeys. This procedure iterates until all members obtain the group key. To prevent reuse of the old group keys, one of the remaining members (the shallowest rightmost sponsor) changes its key share. In the first protocol round, the shallowest rightmost sponsor changes its share.

6. Security Analysis This section analyses the security properties and communication and computation costs for join, leave, merge, and partition protocols of ID-AGKA, comparing with the TGDH protocol. In case of a join or a merge operation, the sponsor selects a new key, so that its former siblings who know its blinded key could not use this information in collision with another members in the group to find the group key. Similarly, even in a leave or a partition operation, the sponsor selects a new ephemeral key before broadcasting the changed Bkeys to the other group members. Thus, the protocol maintains both forward secrecy and backward secrecy. Implicit key authentication is provided in the protocol as it is ID-based. The protocol is contributory since each party equally contributes to the group key. The message flows are similar for all the group membership operations (join, leave, merge, and partition) in both TGDH and ID-AGKA protocols, as both the protocols use the same approach. Communication wise, ID-AGKA incurs more cost in the sense that every time a secret key is required for a node, the identity (ID) associated with that node is sent to the KGC, and the KGC sends back the secret key

for that ID. This cost can be reduced by giving the key tree information to the KGC, and, as described earlier in section 5.3, the KGC would compute the identities for the intermediate nodes and send all the secret keys related to a single member at once. This would increase the responsibility and the computations at the KGC. The computation cost would definitely be different in both the protocols since the base protocol used is different for both the protocols. Weil pairings, and scalar multiplications over elliptic curves are the basic computations in ID-AGKA whereas TGDH uses modular exponentiations. In ID-AGKA protocol, every key computation involves two elliptic curve scalar multiplications, and two Weil pairings. Computation of blinded keys involves one elliptic curve multiplication. Whereas in TGDH, computation of the blinded key costs one modular exponentiation, and computation of the key also costs one exponentiation. Since evaluating a Weil pairing is a costly operation, this protocol would be an expensive one. Computation cost would not be a constraint in the present world as the computational costs are decreasing day by day. In ID-AGKA, the cost increases, but with an improved security since Elliptic curves provide high security with smaller key lengths [3]. ID-based systems require a trusted KGC. One major attribute of the ID-AGKA protocol is that it is an ID-based system, and does not require computation of signatures, or verifications. ID-based systems simplify key management procedures in certificate-based PKI. However, TGDH requires a deployed PKI so as to authenticate the long- term public keys. In a traditional PKI deployed system, any member wishing to join a group is required to obtain a certificate from the certifying authority, whereas in an ID-based system, this is not required. New users can join the group at any time, and get a private key at that point of time from the KGC. Thus, ID-based systems allow more dynamism. This is another advantage of IDAGKA. Having studied the advantages of the ID-AGKA protocol, even though the cost increases when compared to TGDH, it would be more desirable to incorporate ID-AGKA protocol for improved security. And also, the initial cost of deploying a PKI is null in ID-AGKA protocol.

7. Conclusions and future work A key establishment protocol using one-way function trees is proposed in [6]. It is shown in section 3 that any key agreement function satisfying some given properties can be extended to a group key agreement protocol using one-way function trees. The tree-based group Diffie-Hellman protocol is explained and the four membership change operations (join, leave, merge and partition) are studied for this protocol. The first ID-based group key agreement protocol is proposed based on the two-party ID-based authenticated key agreement protocol [13] and the one-way function trees. A new transformation function is defined, which is required in generating keys at any level, from a lower level key in the key tree. The protocol has been analysed for performance and it is found that the base computation and communication costs are slightly more than TGDH, but at the same time with an advantage of increased security and saving the cost of deploying a PKI. Key authentication is also provided implicitly in the protocol as it is ID-based which is not the case with TGDH. Also, ID-AGKA protocol is seen to be more dynamic as it is ID-based and not certificate based. The protocol has to be implemented and tested against various other existing group key agreement protocols.

References 1. 2. 3.

A. Joux.: A one round protocol for tripartite Diffie-Hellman. In W. Bosma, editor, Proceedings of Algorithmic Number Theory Symposium. ANTS IV, volume 1838 of Lecture notes in Computer Science , pages 385-394, Springer-Verlag, 2000. A. Menezes, P.C. Van Oorschot, and S. Vanstone.: Handbook of Applied Cryptography. CRC Press, Boca Raton, 1997 A. Menezes.: Elliptic Curve Public Key Cryptosystems, Kluwer Academic Publishers, 2001.

4. 5. 6. 7. 8. 9.

10. 11. 12. 13. 14. 15. 16. 17.

A. Shamir.: Identity based cryptosystems and signature schemes. Advances in Cryptology – Proceedings of Crypto'84. C. Cocks.: An Identity based encryption scheme based on quadratic residues. Cryptography and Coding, 2001. D.A. McGrew and A.T. Sherman.: Key establishment in large dynamic groups using one-way function trees. Manuscript, 1998. D. Boneh and M. Franklin.: Identity-based encryption from the Weil Pairing. In Advances in Cryptology – CRYPTO 2001, Springer-Verlag LNCS 2139, 213-229, 2001. Divya Nalla, K.C. Reddy.: ID-based tripartite Key Agreement protocol from pairings, Submitted . M. Burmester and Y. Desmedt.: A secure and efficient conference Key distribution system. In A. De Santis, editor, Advances in Cryptology EUROCRYPT '94, Workshop on the theory and Application of Cryptographic Techniques, volume 950 of Lecture notes in Computer Science, pages 275-286, Springer-Verlag, 1995. Merkle, Ralph.C. Secrecy.: Authentication and public-key cryptosystems, Technical Report No. 1979-1, information systems laboratory, Stanford University (Palo Alto, CA, 1979). M. Steiner, G. Tsudik, and M. Waidner.: Key agreement in Dynamic Peer Groups, IEEE Transactions on Parallel and Distributed Systems, August 2000. Fiat, Amor, and Moni Naor: Broadcast encryption, in Advances in Cryptology: Proceedings of Crypto 93, D.R.Stinson, ed., LNCS 773, Springer-Verlag (1993), 481-491. N.P. Smart.: An Identity based authenticated Key Agreement protocol based on the Weil Pairing. Cryptology ePrint Archive, Report 2001/111, 2001. http://eprint.iacr.org/. R. Sakai, K. Ohgishi, and M. Kasahara: Cryptosystems based on pairings. In SCIS 2000, 2000. Sattam S. Al-Riyami, Kenneth G. Paterson: Authenticated Three Party Key Agreement Protocols from Pairings, Information security group, Royal Holloway, University of London, March 2002. Y. Kim, A. Perrig, and G. Tsudik: Communication-efficient group key agreement. In Information systems Security, Proceedings of the 17th International Information Security Conference IFIP SEC'01, 2001. Y. Kim, A. Perrig, and G. Tsudik.: Simple and fault tolerant key agreement for dynamic collaborative groups, in Proceedings of 7th ACM Conference on Computer and Communications Security, pp. 235-244, ACM Press, November 2000.

Appendix A A. Applications of ID-based encryption The original motivation for ID-based encryption is to simplify certificate management in e-mail systems i.e., to help the deployment of PKI. Several other applications are shown below. A.1 Revocation of Public Keys Public Key Certificates contain a preset expiration date. In an ID-based system key expiration can be done having Alice encrypt e-mail sent to Bob using the public Key: "[email protected] || current-year". In doing so Bob can use his private Key during the current year only. Note that unlike the existing traditional PKI, Alice does not need to obtain a new certificate from Bob every time Bob refreshes his certificate. The public Key can be made [email protected] || current-date so that the private Key needs to be refreshed every day. Key revocation would be simpler in this scenario. A.2 Delegation of decryption capabilities Another application for ID-based systems is delegation of decryption capabilities. Two examples can be considered. In both these applications the user Bob plays the role of a KGC. Bob generates his own IDbased system parameters (his public Key) and his own master Key. Bob obtains certificate from a CA for his public Key. When Alice wishes to send mail to Bob, she first obtains Bob's public Key from Bob's Public Key Certificate. Note that Bob is the only one who knows his master Key and hence there is no Key escrow with this setup.

1.

2.

Delegation to a laptop: Suppose Alice encrypts mail to Bob using the current date as the ID-based encryption parameter. Suppose Bob goes on trip for 3 days. Normally, Bob would put the private key on his laptop and if the laptop is stolen his private Key is compromised. But in ID-based system, Bob could simply install three private Keys corresponding to the three days on his laptop. If the laptop is stolen, only those three Keys are compromised. Delegation of duties: Suppose Alice encrypts mail to Bob using the subject line as the ID-based encryption Key. Bob can decrypt the mail using his master Key. Now, suppose Bob has several assistants each responsible for a different task. Bob gives one private key to each of his assistants depending on their responsibility. Each assistant could then decrypt only those messages whose subject line falls within its responsibilities, but it cannot decrypt messages intended for other assistants. Note that here Alice obtains a single public Key to send mail with any subject line of her choice.

Appendix B B. ID-based two party Authenticated Key Agreement Protocol B.1 Protocol Suppose two users A and B wish to agree on a Key. We denote the private keys of these users by S A = [ s ]QA and S B = [ s ]QB respectively, which have been obtained from the Key Generation Center (KGC) by sending their identities QA and QB. Each user generates an ephemeral private key, say a and b. The data flows of the protocol are as follows. A → B : TA = [ a ]P ; B → A : TB = [b ]P User A then computes k A = eˆ([ a ]QB , PKGC ).eˆ( S A , TB ) and user B computes k B = eˆ([b ]QA , PKGC ).eˆ( S B , TA ) k A = k B = k AB = eˆ([ a ]QB + [b ]QA ,[ s ]P ) Hence the shared secret depends on the identities QA, QB of the two parties, the secret Key s of the Key generation center and the two ephemeral Keys a, b. The KGC can thus compute the key kAB from the message flows and the secret key s, and hence the ID-based escrow facility is possible. The protocol requires each party to compute two elliptic curve multiplications and two Weil pairings and provides the following security properties: • Known Key security • Forward secrecy: Note, however that compromise of the Key generation centre’s long term secret s will allow anyone to compute the Key via s s eˆ(QB , TA ) .eˆ(QA , TB ) To get rid of the "escrow" property of Smart's protocol, the non-interactive key agreement protocol [14] can be used, where the protocol messages are: A → B : [ a ]P ; B → A : [b ] P s

s

And the common key computed is = hash ( abP , eˆ(QA , QB ) ) . The value of eˆ(QA , QB ) can be precomputed before the protocol begins. Using this protocol instead of Smart's key agreement protocol reduces the number of computations. But this protocol is vulnerable to man-in-the-middle attack. Hence we prefer using Smart’s protocol in defining our n-party protocol.

Appendix C C. Group Key Agreement protocol properties: A group Key Agreement protocol is required to have the following properties assuming that a group key is changing. Group Key secrecy, Forward secrecy, Backward secrecy, Key Independence, Key Freshness, Contributory, Implicit Key Authentication, Key Integrity Some more desirable properties of a Key Agreement Protocol are: low communication overhead, minimal number of passes and rounds, and role symmetric (messages transmitted and computations performed by all the entities have the same structure). Two important computational attributes also have to be considered for the Key Agreement Protocol: computation overhead and the ability to perform Precomputation. It may be desirable that some computations may be done offline (i.e., pre-computed or computed during the protocol run).

Appendix D D. Performance Analysis The following table summarises the communication and computation costs [16] of the four protocols STR [15], BD [8], and GDH.3 [10].

GDH

TGDH

Join Leave Merge Partition Join Leave Merge Partition

STR

BD

Join Leave Merge Partition Join Leave Merge Partition

Communication Rounds Messages 4 n+3 1 1 m+3 n+2m+1 1 1 2 3 1 1 log2k 2k +1 2h min (log2p,h) 2 3 1 1 2 k+1 1 1 2 2n+2 2 2n-2 2 2n+2m 2 2n-2p

n - number of members in the group k – number of merging groups

Exponentiations n+3 n-1 n+2m+1 n-p 3h/2 3h/2 3h/2

Computation Signatures 4 1 m+3 1 2 1 log2k +1

Verifications n+3 1 n+2m+1 1 3 1 log2k

3h

min(log2p,h)

min(log2p,h)

4 3n/2 + 2 3m+1 3n/2 + 2 3 3 3 3

2 1 2 1 2 2 2 2

3 1 3 1 n+3 n+1 n+m+2 n-p+2

h – height of the key tree p – number of members partitioned from a group of n members.

1

AILab, Dept of Computer/Info. Sciences, University of Hyderabad, Gachibowli, Hyderabad, 500046, India [email protected] , [email protected]

Abstract. An important and popular trend in modern computing is to convert traditional centralized services into distributed services spread across multiple systems and networks. One-way function trees can be used to extend two-party Key Agreement protocols to n-party protocols. Tree-based Group Diffie-Hellman [17] is one such protocol. This paper proposes the first Identity based Group Key Agreement protocol by extending the Identity based two-party Authenticated Key Agreement protocol [13] using the One-way function trees. A new function called the transformation function is defined, which is required in generating keys at any level from a lower level key in the key tree. The new protocol provides complete forward and backward secrecy. Authentication is implicit in this protocol, whereas it has to be explicitly dealt with in other Key Agreement protocols. ID-AGKA protocol is more advantageous for systems without a deployed PKI.

Key words: Key Agreement, group Key Agreement, elliptic curves, Weil pairing, cryptography, Identity based, ID-based, Diffie-Hellman, Key Agreement Protocols, key trees, one-way function trees.

1. Introduction Asymmetric Key Agreement Protocols are multi-party protocols in which entities exchange public information allowing them to create a common secret key with that information. This secret key is known only to those parties which are involved in the key generation and which cannot be determined by any external entity. An important and popular trend in modern computing is to convert traditional centralized services into distributed services spread across multiple systems and networks. Many of these newly distributed and other inherently collaborative applications need secure communication. However, security mechanisms for collaborative, Dynamic Peer Groups (DPGs) tend to be both expensive and unexpectedly complex. A huge number of two party key agreement protocols have been proposed [2]. The situation where three or more parties share a secret is often called Conference Keying [9]. Boneh and Franklin [7] and Cocks [5] have proposed two Identity based (ID-based) encryption systems which allow the replacement of a Public Key Infrastructure (PKI) with a system where the public key of an entity is given by its identity, and a Key Generation Center (KGC) helps in generating the private key. Cocks' system is based on the Quadratic Residue theorem whereas Boneh and Franklin's system is based on the Weil Pairing. A two pass Identity based (ID-based) Authenticated key agreement protocol based on Weil pairing has been proposed in [13]. Joux [1] proposed a tripartite generalisation of the Diffie-Hellman protocol using the Weil and Tate pairings. Joux's protocol for tripartite Key Agreement has been modified in [15] to provide authentication by including certificates. Tripartite ID-based authenticated key agreement protocols are proposed in [8]. One-Way function trees (OFTs) can be used to compute a tree of keys. The keys are computed up the tree, from the leaves to the root. The bottom-up use of OFTs for group keying was first proposed by Sherman in [6], though the idea of using OFTs is not a new one. Merkle [10] proposed an authentication method based on such trees. Fiat and Naor [12] used a one-way function in a top-down fashion in their group keying method for the purpose of reducing the storage requirements of information theoretic group key management. 1

The author is currently associated with Center for Distributed Learning (APSCHE), IIITcampus, Gachibowli, Hyderabad, 500046, India

Any two party key agreement protocol satisfying some specific properties [6] can be extended to an nparty key agreement protocol using one-way function trees. Tree-based Group Diffie-Hellman (TGDH) [17] is one such protocol which extends the Diffie-Hellman protocol to a group key agreement protocol using one-way function trees. Appendix D provides a comparison [16] of TGDH with other contributory group key agreement protocols STR [16], BD [9], and GDH.3 [11] resulting in a conclusion that TGDH protocol works best in both LAN and WAN settings compared to these protocols i.e., more communication efficient. Hence, using the approach of TGDH for group membership operations is more advantageous. This paper extends the Identity based two-party authenticated key agreement protocol to an authenticated group key agreement protocol, using the one-way function trees to generate the first ID-based group key agreement protocol. The extension is not as obvious as it seems to be. In TGDH protocol, the key generated at one level is directly used to generate the key for the next level since it only needs to do modular exponentiation of the key with the blinded key of the sibling node. But in the new protocol, the key generated by the ID-based authenticated key agreement protocol has to be transformed into some value, that can be used to calculate the key at the next level. Hence, a new function called the transformation function is defined to do this operation. Single or multiple join and leave operations are common in group communication. Coping with group partitions (multiple member leave) and merges (multiple member join) is considered to be a crucial component of group key agreement. Hence these issues are also dealt in the new protocol. The main advantage of this protocol over TGDH is that this protocol is ID-based. Authentication is implicit in this ID-based protocol, and hence this protocol can be named Identity-based Authenticated Group Key Agreement protocol (ID-AGKA). The protocol has the novel property that the key generation center is able to recover the agreed session keys from the message flows and its secret key s. And hence, this allows for an efficient ID-based escrow facility. This would enable law enforcement agencies to decrypt messages encrypted with the group keys, after having obtained the necessary warrants. If this property is not desired, or, if a single KGC is not desirable, multiple KGCs can be used where each one of them generates a part of the private key. These parts are then combined by the user to obtain his/her private key. The paper is organised as follows. The next section gives insight into Identity based public-key cryptosystems. Section 3 describes the One-way function trees and the tree based group Diffie-Hellman protocol. The Weil pairing is defined in section 4. The new ID-based group key agreement protocol is discussed in section 5. Section 6 discusses the security properties of the new protocol, and section 7 concludes the paper. Appendix A lists out the advantages of an ID-based system, Appendix B describes the two-party ID-based authenticated key agreement protocol. The desirable group key agreement protocol properties are listed in Appendix C. Appendix D provides the comparison of TGDH with other contributory key agreement protocols.

2. Identity-based Public Key Cryptosystem Problems with the traditional Public Key Crypto systems (PKCs) are the high cost of the infrastructure needed to manage and authenticate public keys, and the difficulty in managing multiple communities. Whilst ID-based PKC will not replace the conventional Public Key Infrastructures (PKIs), it offers easier alternative solutions to some of these problems. In ID-based PKC, everyone's public keys are predetermined by information that uniquely identifies them, such as their email address. This concept was first proposed by Shamir [4]. Shamir's original motivation for ID-based encryption was to simplify certificate management in e-mail systems. When Alice sends mail to Bob at [email protected] she simply encrypts her message using the public key string [email protected] There is no need for Alice to obtain Bob's Public Key Certificate. When Bob receives the encrypted mail he contacts the KGC. He authenticates himself to the KGC and obtains his private key from the KGC. Bob can then read his e-mail. Unlike the existing secure e-mail infrastructure, Alice can send encrypted mail to Bob even if Bob has not yet setup his Public Key Certificate. It should be noted that key escrow is inherent in ID-based systems since the KGC knows Bob's private key. For various reasons, this makes implementation of the technology much easier, and delivers some added information security benefits. ID-based PKC remained a theoretical concept until [5] and [7] were proposed.

An ID-based system requires a trusted KGC. The KGC generates the private keys of the entities in the group using the public key, which in turn is based on the identity of the entity. Since a single authority for key generation may present an obvious point of compromise or system failure, and it can masquerade as any given entity, it is split into two or more cooperating parties. The authorities perform a one-time set-up in order to share the system secrets in a secure manner. The user proves itself to each authority. Each authority then returns its part of the private key. The user combines these parts to obtain his private key. This provides more security as the private key remains split until use. We can also have n-authorities in the system wherein no n-1 of them can generate a key or compromise the system. With traditional PKI, sending the message implies that the recipient can read it since the private key must exist. This is not true in ID-based PKC. In ID-based PKC, the system (rather than the user / sender) determines whether the recipient is able to read a particular message. Another advantage is that, since the associated private key doesn't necessarily exist, these conditions need not be pre-arranged and can be ephemeral down to a single transaction. ID-based PKI has simple procedure of managing public key list, it has advantages such as automatic key escrow/recovery [7]. Also when the whole ID-based scheme is used by one user, it can be applied for delegation of duties [7] on encryption and proxy signatures in signature. Sometimes key escrow may not be desirable. Also, the key generation center is required to be a trusted authority, and there is computational overhead using pairings (for ID-based encryption and key agreement). Despite these debating issues, the ID-based scheme has many useful applications such as email system, Intranet PKI, and mobile PKI ID-based two party key agreement protocol has been proposed by Smart [13]. This paper extends this protocol to an n-party protocol.

3. One-way Function Trees This section discusses the One-way function trees (OFTs), and the OFT algorithm for key establishment in dynamic groups [6]. Diffie-Hellman(DH) protocol is extended to a group key agreement protocol using OFTs [17]. From this section, it can be concluded that, any two-party key agreement protocol can be extended to an n-party key agreement protocol. 3.1 Notations N Mi h T BKi* p, q

– number of group members – i-th group member; i ∈ { 1, 2,…… N} – height of the tree – v-th node at level l in a tree – A subtree rooted at node – set of Mi s blinded keys – prime integers

G

– unique subgroup of Z p of order q

*

A → B : m - A sends message m to B A → * : m - A broadcasts message m The root is located at level 0 and the lowest leaves are at level h. Each node is associated with the key k and the blinded key BK (explained later) 3.2 One-way function tree (OFT) algorithm for key establishment One-Way function trees can be used to compute a tree of keys. The keys are computed up the tree, from the leaves to the root. The bottom-up use of OFTs for group keying, was first proposed by Sherman in [6]. In an OFT, the group manager maintains a binary tree, each node x of which is associated with two cryptographic keys, a node key kx and a blinded key kx' = g (kx). The blinded node key is computed from the

node key using a one-way function g; it is blinded in the sense that computing kx from kx’ is a computationally Hard problem. Interior nodes of the tree has exactly two leaves. Every leaf of the tree is associated with a group member. The group manager assigns a randomly chosen key to each member, securely communicates this key to the member (using an external secure channel), and sets the node key of the member's leaf to the member's key. The interior node keys are defined by the rule kx = f(g(kleft(x)), g(kright(x))) ……………..(Rule1) where left(x) and right(x) denote the left and right children of the node x. The function g is a one-way function and the function f is a mixing function. Property 1: The function g is one-way, given g(x), it is computationally infeasible to find x with any non-negligible probability. Property 2: Given a sequence x0 , x1 , ……. , xl-1 , it is computationally infeasible to find kl with any nonnegligible probability, where ki+1 = f(xi, g(ki)), and k0 is chosen at random, for any l less than some value lmax. Property 1 makes it impossible to find a node key kx given the blinded key kx' = g (kx). Property 2 makes it impossible for a member who has left the group, whose distance to the root is less than lmax , to find any node key. When a new member is added to the group, or an existing member of the group leaves, the key values of some of the members change, to change the group key. The security of the system depends on the fact that each member's knowledge about the current state of the key tree is limited by the following invariant: System invariant: Each member knows the unblinded node keys on the path from its node to the root, and the blinded node keys that are siblings to its nodes on the path to the root, and no other blinded or unblinded keys. Definition: The OFT method is secure if it is computationally infeasible for an adversary to compute any unblinded node key with non-negligible probability [6]. Thus, from the above properties, and the rule for defining the interior node keys, the group key computed using OFTs satisfies the group key secrecy property, and provides complete forward and backward secrecy (defined in Appendix C). The algorithm provides complete forward and backward secrecy: newly admitted members cannot read previous messages, and members deleted from the group cannot read future messages. Any key agreement protocol in which the key is computed using the rule (Rule 1 defined above, where f and g satisfy the above properties) can use the OFT method to support group key agreement. In the OFT method, the functions f and g can be any functions which satisfy the above properties. These functions are replaced by the DH protocol (where we use modular exponentiation function for both f and g), and the TGDH protocols are generated. This is discussed in the next subsection. Similarly, these functions can be replaced by the ID-based two-party key agreement protocol to obtain an ID-based group key agreement protocol. But this cannot be done directly. Some functions are required in between key computations for different levels. These functions are defined and the ID-based two-party key agreement protocol is extended to IDAGKA in section 5. 3.3 Tree-based Group Diffie-Hellman Protocol (TGDH) Key trees have been suggested in the past for centralised group key distribution systems. TDGH [17] protocols make use of key trees in fully distributed contributory key agreement. Key trees are used in fully distributed contributory key agreement. The concept of a key manager does not exist here. Hence, the members select random secret values for themselves. The root is located at level 0 and the lowest levels are at level h. Binary trees are used here and hence every node is either a leaf or a parent of two nodes. The nodes are denoted by where 0 ≤ v ≤ 2l − 1 since each level l hosts at most 2l nodes. Each node is associated with the key k and the blinded key (Bkey) BK = f (k) where the function f(k) = αk mod p. Assuming a leaf node hosts the member Mi , the node has Mi's session random key K. Furthermore, the member Mi at node knows every key along the path from to , referred to as the key-path and denoted KEYi*. Every key k is computed recursively as follows:

k = ( BK < l +1,2 v +1> ) = ( BK ) =α

k

k

k k

mod p mod p

mod p

= f ( k , k< l +1,2 v +1> )

COi*

Co-path is the set of siblings of each node in the key-path of member Mi. Consequently, every member Mi at leaf node can derive the group secret k from all Bkeys on the co-path COi* and its session random k.. A group key can be computed from any member's secret share (i.e., any leaf value) and all Bkeys on the co-path to the root. For a point-to-point session, the costs of session establishment and key distribution are incurred just once, at the beginning of the session. A group session, on the other hand, may persist for a relatively long time with members joining and leaving the session. After a join, the new member should not come to know the old group keys, and after a leave, the member should not be able to compute future group keys. Large groups whose members join and leave frequently pose a problem since the keys have to be computed frequently. Hence, there is the need for concentration on issues of frequent changes, and the associated scalability problem for large groups. In TGDH, in case of an additive change (join or merge), all group members identify a unique sponsor. This sponsor is responsible for updating its secret key share, computing affected [key, Bkey] pairs and broadcasting all Bkeys of the new tree to the rest of the group. The common criteria for sponsor selection is determined by the tree maintenance criteria [17]. ID-AGKA protocol proposed in this paper follows the same approach as the TGDH protocols in dealing with these issues. A complete Group Key Agreement solution should support adjustments to the group key for any membership change in the group. There can be four types of membership changes: Join, Leave, Merge (multiple join or addition of groups), Partition (multiple leaves or splitting a group into smaller groups). TGDH protocol suite addresses these four types of membership changes.

4. The Weil Pairing The modified Weil pairing which forms the basis for the ID-based Key Agreement protocols is defined here. Definition: Let G be a subgroup of the group of points on the Elliptic curve E over the finite field Fq . Let the order of G be denoted by l and define k to be the smallest integer such that l / qk –1 (this implies that there exists a unique subgroup of Fq* of order l). k

In practical implementations we will require k to be small and so we will usually take E to be a super singular curve over Fq The modified Weil pairing [13] is a map eˆ : G × G → Fq* which satisfies the following properties: k

1.

Bilinear eˆ( P1 + P2 , Q ) = eˆ( P1 , Q ).eˆ( P2 , Q ) eˆ( P, Q1 + Q2 ) = eˆ( P, Q1 ).eˆ( P, Q2 ) i.e., eˆ( aP, bQ ) = eˆ( P, Q ) ab where a, b ∈ Z q*

2.

Non-Degenerate There exists a P∈G such that eˆ( P, P ) ≠ 1 3. Computable: One can compute eˆ( P, Q ) in polynomial time. The non-degeneracy defined here does not hold for the standard Weil Pairing e( P, Q ) . A more comprehensive description is provided in [6].

5. ID-based Authenticated Group Key Agreement (ID-AGKA) This section discusses the protocol for Authenticated Group Key Agreement. Knowing the advantages of an ID-based system, it would be advantageous to have ID-based key agreement protocols. Smart [13] proposed an ID-based two party authenticated key agreement protocol. ID-based tripartite key agreement protocols are proposed in [8]. Extending the same to a group of n parties would be desirable. Also, authentication is implicit in ID-based protocols, whereas it has to be explicitly dealt with in other key agreement protocols. As seen in section 3.2, the ID-based Authenticated Key Agreement protocol [13] can be extended to an n-party ID-based Authenticated Group Key Agreement protocol (ID-AGKA). Key trees are used in fully distributed contributory key agreement. Binary trees are used in this case. The leaves in the tree represent the members of the group, and every other node is a parent of two child nodes. The key associated with this node represents the common key for its two child nodes. The same rule applies to all the non-leaf nodes in the tree. Thus the key associated with the root node becomes the group key, or the common key for all the members in the group. 5.1 Assumptions Suppose G is a subgroup of an Elliptic curve for which the modified Weil Pairing eˆ maps into the finite field Fq . The following properties are assumed. k

• •

qk is large enough to make solving discrete logarithms in a finite field infeasible Elliptic curve contains a large prime subgroup of order l such that solving discrete logarithms in the subgroup of order l is also infeasible.

•

Let V: Fq

• •

* k

→ {0, 1}* is the key derivation function [13]. Such functions can be readily found in a

number of documents. A function H: {0, 1}* → G is also assumed. It denotes a cryptographic hash function. It is generally used to compute the public keys of the members using their identities (which are binary strings). Another hash function H' : {0, 1}* → {0, 1}* is defined. Another important function is defined, which is required to extend the two-party ID-based protocol to a group key agreement protocol is a transformation function ft defined as ft : Fq* → Z q* . This function is applied over the keys associated with the intermediate nodes, to k

obtain a value, which can be used as the ephemeral private key for the next higher level. 5.2 System Settings The Key Generation Center chooses a secret key s ∈ {1,….. l-1} The KGC produces a random P∈G and computes PKGC =[s]P. Then the KGC publishes (P, PKGC) When a user with identity ID wishes to obtain a public/private key pair, the public key is given by QID = H (ID) And the KGC computes the private key SID = [s] QID The (public, private) key pair of the user is given by (QID ,SID) This calculation can be performed using multiple key generation centers, each generating a part of the private key. These are combined by the user to obtain his/her private key. 5.3 Protocol Figure 1 shows an example of a key tree. Computation of the group key for this tree is as follows.

First, A and B compute the common key associated with node by using the ID-based authenticated key agreement protocol by Smart [13]. The two party authenticated ID-based key agreement protocol is described in Appendix B. *

A and B choose random values, a, b ∈ Z q , and exchange the values TA = T< 2,0 > = [ a ]P and TB = T< 2,1> = [ b ] P

respectively. These two values are called the ephemeral (temporary) public values of A and

B whereas, a, and b are their ephemeral private keys.

Fig. 1.

The key computed by A is k AB = k = eˆ([ a ]QB , PKGC ).eˆ( S A , TB ) = eˆ (QB ,[ s ]P ) .eˆ([ s ]QA ,[b ]P ) a

= eˆ (QB , P ) .eˆ(QA , P ) as

bs

= eˆ (QB , TA ) .eˆ(QA , TB ) s

s

= eˆ([ s ]QB ,[ a ]P ).eˆ([b]QA ,[ s ]P ) = eˆ([b]QA , PKGC ).eˆ( S B , TA ) = k BA

Thus, A can compute the key associated with its parent node if it knows the identity of B: QB and the ephemeral public key of B: TB . The pair (Q , T ) is called the blinded key or Bkey of B. Similarly, C and D also compute the key associated with the node . These computations are shown in table 1. B

A The public key QA is sent to the KGC to get the private key S A = [ s ]QA selects a random value a ∈ Z q* compute TA = [ a ]P Exchange TA and TB TA = [ a ]P

B

B The public key QB is sent to the KGC to get the private key S B = [ s ]QB selects a random value b ∈ Z q* compute TB = [b]P

C The public key QC is sent to the KGC to get the private key SC = [ s ]QC selects a random value c ∈ Z q* compute TC = [c ]P

compute TD = [ d ]P

TC = [c ]P TB = [b]P

eˆ([ a ]QB , PKGC ).eˆ( S A , TB ) = kAB

D The public key QA is sent to the KGC to get the private key S D = [ s ]QD selects a random value d ∈ Z q*

eˆ([b]QA , PKGC ).eˆ( S B , TA ) = kBA

TD = [ d ]P eˆ([c ]QD , PKGC ).eˆ( SC , TD )

eˆ([ d ]QC , PKGC ).eˆ( S D , TC )

= kCD

= k DC

Table 1.

The value kAB or kCD is never used directly as a cryptographic key for the purpose of encryption. Instead, such special-purpose sub-keys are derived from the group secret, eg. by setting Key=V(k).

The secret key associated with the node , Key = V ( k ) . Thus, the secret key at each node would be a binary string. A function ft : Fq* → Z q* is applied over the value k to obtain k ' ∈ Z q* . A, k

B and C, D compute k ' and k ' respectively. These two values act as the ephemeral private values at this level. These values are used to compute the keys at the next higher level. At this level, each node requires a public and a private key pair. The public key is obtained by adding the public values of its two children, and taking the hash of that value. The public value is then sent to the KGC to obtain its private counterpart. AB The public key QAB= QBA=H' (QA+QB )is sent to the KGC to get the private key S AB = [ s ]QAB Compute kAB’ = ft (kAB)

CD The public key QCD=QDC= H' (QC+QD )is sent to the KGC to get the private key SCD = [ s ]QCD Compute kCD’ = ft (kCD) '

Compute TCD = [kCD ]P

'

Compute TAB = [ k AB ]P Exchange TAB and TCD '

TAB = [ k AB ]P '

TCD = [ kCD ]P '

'

eˆ([ k AB ]QCD , PKGC ).eˆ( S AB , TCD )

eˆ([ kCD ]QAB , PKGC ).eˆ( SCD , TAB )

Table 2.

The node will have a public value Q = H ′(Q< 2 ,0 > + Q< 2 ,1> ) or QAB = H ′(QA + QB ) . The KGC computes the private key SAB or S = [ s ]Q from Q. At node , A does these computations and computes the key at using the identity at the node , Q or QCD, and the ephemeral public key at , T or TCD (as shown in table 2). The pair (Q , T ) is the Bkey of . A and B compute ' k ABCD = eˆ([ k AB ]QCD , PKGC ).eˆ( S AB , TCD ) '

= eˆ([ kCD ]QAB , PKGC ).eˆ( SCD , TAB ) = kCDAB which is computed by C and D.

A can compute the group key, i.e., the key at the root node, if it knows every key along the path from to , referred to as the key-path in section 3, and every Bkey along its Co-path (set of all siblings of all the nodes on the key path) {, }. Similarly, each member in the group can compute the group key if it knows all the blinded keys along its Co-path. For any node in the key tree, the key is given by V(k) where k = eˆ([ k< l +1,2 v > ']Q< l +1,2 v +1> , PKGC ).eˆ( S< l +1,2 v > , T< l +1,2 v +1> ) = eˆ(Q , P )

s . k '

.eˆ(Q< l +1,2 v > , P )

s .k '

= eˆ(Q , Tk ' ) s .eˆ(Q< l +1,2 v > , Tk ' ) s = eˆ([ k ']Q< l +1,2 v > , PKGC ).eˆ( S< l +1,2 v +1> , T< l +1,2 v > )

and k< x , y > ' = ft ( k< x , y > ) . Assuming an n-party group {M1, M2, …….Mn }, every member Mi at leaf node can derive the group secret k from all the secret keys on the key path, and all the Bkeys on its Co-path. Thus, every key computation involves two Elliptic curve scalar multiplications and two Weil pairings.

It can be noted that, instead of including the identity of the node QID in the Bkey, if the KGC knows the key tree structure, it can compute the identities associated with all the nodes in the key tree and send the required secret keys to the corresponding nodes when requested. This would reduce some of the redundant computations. In figure 1, to compute the key associated with the node , the identity QAB = H' (QA + QB) is required. This value is computed by A and B separately, to compute kAB and kBA respectively. This computation can be done only once by the KGC instead of being computed twice by both the members. This computation of the Identities associated with the nodes becomes more redundant at higher levels in the key tree i.e., the same value may have to be computed by more members. Hence computation of the identities associated with the non-leaf nodes by the KGC would be a desirable property. Single or multiple Join or leave operations are common in a group communication. These situations have to be taken care of in a group key agreement solution. The basic idea here is that after any group membership event, every member unambiguously adds or removes some nodes related with the event, and validates all the keys and blinded keys related with the affected nodes. A special group member (the sponsor) then, computes the keys and blinded keys and broadcasts the new key tree to the group. The sponsor and the insertion location (in the case of an additive event) are decided by the tree management policy [17]. 5.4 Adding or deleting a member in the key tree Firstly, whenever a user Mn+1 wants to join the existing group {M1, M2, …….Mn}, it broadcasts a join request (containing its Bkey) to all the group members. Every member then updates the key tree by adding the new member node and the intermediate node (new member is added at the rightmost shallowest node to maintain the tree height). When a new member joins the group, an existing leaf node x is split, the member associated with x is now associated with left(x) and the new member is associated with the right(x). The new member would be having a new long term public/private key pair (private key obtained from the KGC using his ID as public key) and a new ephemeral public/private key pair. The old member should change his ephemeral public key (by choosing a new ephemeral private key), since its former sibling knows its old blinded key, and could use this information in collusion with another member in the group to find an unblinded key that is not on his path to the root. This member is called the sponsor. The sponsor, after updating the tree, computes the group key since it knows all the necessary blinded keys. After computing the group key, the sponsor broadcasts the new tree, which contains the blinded keys which have been changed after the join. The whole tree information has to be sent to the new member. When the member associated with the node y is removed from the group, the member assigned to the sibling of y is reassigned to the parent p of y and given a new leaf key value (ephemeral key). If the sibling s of y is the root of a subtree, then p becomes s, moving the subtree closer to the root, and one of the leaves of this subtree is given a new ephemeral key (so that the deleted member no longer knows the blinded key associated with the root of the subtree). The sponsor in this case is the rightmost leaf node of the subtree rooted at the leaving member's sibling node. The sponsor picks up a new secret share, computes all keys on its key path up to the root, and broadcasts the new set of blinded keys to the group which allows all members to recompute the new group key.

Fig. 2. Join operation

Fig. 3. Leave operation 5.5 Merge and Partition Suppose there are two merging groups. In the first round, each sponsor (the rightmost member of each group) broadcasts its tree (with all Bkeys) to the other group after updating the secret share of the sponsor and relevant information (key, Bkey) pairs up to the root node. Upon receiving these messages, all members can uniquely and independently determine how to merge the trees by tree management policy [17]. The merge position is the rightmost shallowest node, which does not increase the tree height. If the two trees have the same height, we join one tree to the root node of the other tree. The rightmost member of the subtree rooted at the merge point becomes the sponsor of the key update operation. The sponsor, then, takes on the role of computing the keys, and the blinded keys and broadcast the entire tree with the blinded keys to all the other members. All the members now have the complete set of blinded keys, which allows them to compute all the keys on their key path. A partition in the key tree would be as follows. In the first round, each member updates its view of the key tree by deleting all leaf nodes associated with partitioned members and (recursively) their parent nodes. All leaving nodes are sorted by depth order. Starting at the deepest level, each pair of leaving siblings is collapsed into its parent, which is then marked as leaving. This node is then re-inserted into the leaving nodes list. The above is repeated until all leaving nodes are processed, i.e., there are no more leaving nodes that can be collapsed. The resulting tree has a number of leaving (leaf) nodes but every such node has a remaining sibling node. Each of these sibling nodes becomes a sponsor. Each sponsor now computes the keys and Bkeys on the key-path as far up the tree as possible. Then, each sponsor broadcasts the set of new Bkeys. Upon receiving the new broadcast, each member checks whether the message contains new Bkeys. This procedure iterates until all members obtain the group key. To prevent reuse of the old group keys, one of the remaining members (the shallowest rightmost sponsor) changes its key share. In the first protocol round, the shallowest rightmost sponsor changes its share.

6. Security Analysis This section analyses the security properties and communication and computation costs for join, leave, merge, and partition protocols of ID-AGKA, comparing with the TGDH protocol. In case of a join or a merge operation, the sponsor selects a new key, so that its former siblings who know its blinded key could not use this information in collision with another members in the group to find the group key. Similarly, even in a leave or a partition operation, the sponsor selects a new ephemeral key before broadcasting the changed Bkeys to the other group members. Thus, the protocol maintains both forward secrecy and backward secrecy. Implicit key authentication is provided in the protocol as it is ID-based. The protocol is contributory since each party equally contributes to the group key. The message flows are similar for all the group membership operations (join, leave, merge, and partition) in both TGDH and ID-AGKA protocols, as both the protocols use the same approach. Communication wise, ID-AGKA incurs more cost in the sense that every time a secret key is required for a node, the identity (ID) associated with that node is sent to the KGC, and the KGC sends back the secret key

for that ID. This cost can be reduced by giving the key tree information to the KGC, and, as described earlier in section 5.3, the KGC would compute the identities for the intermediate nodes and send all the secret keys related to a single member at once. This would increase the responsibility and the computations at the KGC. The computation cost would definitely be different in both the protocols since the base protocol used is different for both the protocols. Weil pairings, and scalar multiplications over elliptic curves are the basic computations in ID-AGKA whereas TGDH uses modular exponentiations. In ID-AGKA protocol, every key computation involves two elliptic curve scalar multiplications, and two Weil pairings. Computation of blinded keys involves one elliptic curve multiplication. Whereas in TGDH, computation of the blinded key costs one modular exponentiation, and computation of the key also costs one exponentiation. Since evaluating a Weil pairing is a costly operation, this protocol would be an expensive one. Computation cost would not be a constraint in the present world as the computational costs are decreasing day by day. In ID-AGKA, the cost increases, but with an improved security since Elliptic curves provide high security with smaller key lengths [3]. ID-based systems require a trusted KGC. One major attribute of the ID-AGKA protocol is that it is an ID-based system, and does not require computation of signatures, or verifications. ID-based systems simplify key management procedures in certificate-based PKI. However, TGDH requires a deployed PKI so as to authenticate the long- term public keys. In a traditional PKI deployed system, any member wishing to join a group is required to obtain a certificate from the certifying authority, whereas in an ID-based system, this is not required. New users can join the group at any time, and get a private key at that point of time from the KGC. Thus, ID-based systems allow more dynamism. This is another advantage of IDAGKA. Having studied the advantages of the ID-AGKA protocol, even though the cost increases when compared to TGDH, it would be more desirable to incorporate ID-AGKA protocol for improved security. And also, the initial cost of deploying a PKI is null in ID-AGKA protocol.

7. Conclusions and future work A key establishment protocol using one-way function trees is proposed in [6]. It is shown in section 3 that any key agreement function satisfying some given properties can be extended to a group key agreement protocol using one-way function trees. The tree-based group Diffie-Hellman protocol is explained and the four membership change operations (join, leave, merge and partition) are studied for this protocol. The first ID-based group key agreement protocol is proposed based on the two-party ID-based authenticated key agreement protocol [13] and the one-way function trees. A new transformation function is defined, which is required in generating keys at any level, from a lower level key in the key tree. The protocol has been analysed for performance and it is found that the base computation and communication costs are slightly more than TGDH, but at the same time with an advantage of increased security and saving the cost of deploying a PKI. Key authentication is also provided implicitly in the protocol as it is ID-based which is not the case with TGDH. Also, ID-AGKA protocol is seen to be more dynamic as it is ID-based and not certificate based. The protocol has to be implemented and tested against various other existing group key agreement protocols.

References 1. 2. 3.

A. Joux.: A one round protocol for tripartite Diffie-Hellman. In W. Bosma, editor, Proceedings of Algorithmic Number Theory Symposium. ANTS IV, volume 1838 of Lecture notes in Computer Science , pages 385-394, Springer-Verlag, 2000. A. Menezes, P.C. Van Oorschot, and S. Vanstone.: Handbook of Applied Cryptography. CRC Press, Boca Raton, 1997 A. Menezes.: Elliptic Curve Public Key Cryptosystems, Kluwer Academic Publishers, 2001.

4. 5. 6. 7. 8. 9.

10. 11. 12. 13. 14. 15. 16. 17.

A. Shamir.: Identity based cryptosystems and signature schemes. Advances in Cryptology – Proceedings of Crypto'84. C. Cocks.: An Identity based encryption scheme based on quadratic residues. Cryptography and Coding, 2001. D.A. McGrew and A.T. Sherman.: Key establishment in large dynamic groups using one-way function trees. Manuscript, 1998. D. Boneh and M. Franklin.: Identity-based encryption from the Weil Pairing. In Advances in Cryptology – CRYPTO 2001, Springer-Verlag LNCS 2139, 213-229, 2001. Divya Nalla, K.C. Reddy.: ID-based tripartite Key Agreement protocol from pairings, Submitted . M. Burmester and Y. Desmedt.: A secure and efficient conference Key distribution system. In A. De Santis, editor, Advances in Cryptology EUROCRYPT '94, Workshop on the theory and Application of Cryptographic Techniques, volume 950 of Lecture notes in Computer Science, pages 275-286, Springer-Verlag, 1995. Merkle, Ralph.C. Secrecy.: Authentication and public-key cryptosystems, Technical Report No. 1979-1, information systems laboratory, Stanford University (Palo Alto, CA, 1979). M. Steiner, G. Tsudik, and M. Waidner.: Key agreement in Dynamic Peer Groups, IEEE Transactions on Parallel and Distributed Systems, August 2000. Fiat, Amor, and Moni Naor: Broadcast encryption, in Advances in Cryptology: Proceedings of Crypto 93, D.R.Stinson, ed., LNCS 773, Springer-Verlag (1993), 481-491. N.P. Smart.: An Identity based authenticated Key Agreement protocol based on the Weil Pairing. Cryptology ePrint Archive, Report 2001/111, 2001. http://eprint.iacr.org/. R. Sakai, K. Ohgishi, and M. Kasahara: Cryptosystems based on pairings. In SCIS 2000, 2000. Sattam S. Al-Riyami, Kenneth G. Paterson: Authenticated Three Party Key Agreement Protocols from Pairings, Information security group, Royal Holloway, University of London, March 2002. Y. Kim, A. Perrig, and G. Tsudik: Communication-efficient group key agreement. In Information systems Security, Proceedings of the 17th International Information Security Conference IFIP SEC'01, 2001. Y. Kim, A. Perrig, and G. Tsudik.: Simple and fault tolerant key agreement for dynamic collaborative groups, in Proceedings of 7th ACM Conference on Computer and Communications Security, pp. 235-244, ACM Press, November 2000.

Appendix A A. Applications of ID-based encryption The original motivation for ID-based encryption is to simplify certificate management in e-mail systems i.e., to help the deployment of PKI. Several other applications are shown below. A.1 Revocation of Public Keys Public Key Certificates contain a preset expiration date. In an ID-based system key expiration can be done having Alice encrypt e-mail sent to Bob using the public Key: "[email protected] || current-year". In doing so Bob can use his private Key during the current year only. Note that unlike the existing traditional PKI, Alice does not need to obtain a new certificate from Bob every time Bob refreshes his certificate. The public Key can be made [email protected] || current-date so that the private Key needs to be refreshed every day. Key revocation would be simpler in this scenario. A.2 Delegation of decryption capabilities Another application for ID-based systems is delegation of decryption capabilities. Two examples can be considered. In both these applications the user Bob plays the role of a KGC. Bob generates his own IDbased system parameters (his public Key) and his own master Key. Bob obtains certificate from a CA for his public Key. When Alice wishes to send mail to Bob, she first obtains Bob's public Key from Bob's Public Key Certificate. Note that Bob is the only one who knows his master Key and hence there is no Key escrow with this setup.

1.

2.

Delegation to a laptop: Suppose Alice encrypts mail to Bob using the current date as the ID-based encryption parameter. Suppose Bob goes on trip for 3 days. Normally, Bob would put the private key on his laptop and if the laptop is stolen his private Key is compromised. But in ID-based system, Bob could simply install three private Keys corresponding to the three days on his laptop. If the laptop is stolen, only those three Keys are compromised. Delegation of duties: Suppose Alice encrypts mail to Bob using the subject line as the ID-based encryption Key. Bob can decrypt the mail using his master Key. Now, suppose Bob has several assistants each responsible for a different task. Bob gives one private key to each of his assistants depending on their responsibility. Each assistant could then decrypt only those messages whose subject line falls within its responsibilities, but it cannot decrypt messages intended for other assistants. Note that here Alice obtains a single public Key to send mail with any subject line of her choice.

Appendix B B. ID-based two party Authenticated Key Agreement Protocol B.1 Protocol Suppose two users A and B wish to agree on a Key. We denote the private keys of these users by S A = [ s ]QA and S B = [ s ]QB respectively, which have been obtained from the Key Generation Center (KGC) by sending their identities QA and QB. Each user generates an ephemeral private key, say a and b. The data flows of the protocol are as follows. A → B : TA = [ a ]P ; B → A : TB = [b ]P User A then computes k A = eˆ([ a ]QB , PKGC ).eˆ( S A , TB ) and user B computes k B = eˆ([b ]QA , PKGC ).eˆ( S B , TA ) k A = k B = k AB = eˆ([ a ]QB + [b ]QA ,[ s ]P ) Hence the shared secret depends on the identities QA, QB of the two parties, the secret Key s of the Key generation center and the two ephemeral Keys a, b. The KGC can thus compute the key kAB from the message flows and the secret key s, and hence the ID-based escrow facility is possible. The protocol requires each party to compute two elliptic curve multiplications and two Weil pairings and provides the following security properties: • Known Key security • Forward secrecy: Note, however that compromise of the Key generation centre’s long term secret s will allow anyone to compute the Key via s s eˆ(QB , TA ) .eˆ(QA , TB ) To get rid of the "escrow" property of Smart's protocol, the non-interactive key agreement protocol [14] can be used, where the protocol messages are: A → B : [ a ]P ; B → A : [b ] P s

s

And the common key computed is = hash ( abP , eˆ(QA , QB ) ) . The value of eˆ(QA , QB ) can be precomputed before the protocol begins. Using this protocol instead of Smart's key agreement protocol reduces the number of computations. But this protocol is vulnerable to man-in-the-middle attack. Hence we prefer using Smart’s protocol in defining our n-party protocol.

Appendix C C. Group Key Agreement protocol properties: A group Key Agreement protocol is required to have the following properties assuming that a group key is changing. Group Key secrecy, Forward secrecy, Backward secrecy, Key Independence, Key Freshness, Contributory, Implicit Key Authentication, Key Integrity Some more desirable properties of a Key Agreement Protocol are: low communication overhead, minimal number of passes and rounds, and role symmetric (messages transmitted and computations performed by all the entities have the same structure). Two important computational attributes also have to be considered for the Key Agreement Protocol: computation overhead and the ability to perform Precomputation. It may be desirable that some computations may be done offline (i.e., pre-computed or computed during the protocol run).

Appendix D D. Performance Analysis The following table summarises the communication and computation costs [16] of the four protocols STR [15], BD [8], and GDH.3 [10].

GDH

TGDH

Join Leave Merge Partition Join Leave Merge Partition

STR

BD

Join Leave Merge Partition Join Leave Merge Partition

Communication Rounds Messages 4 n+3 1 1 m+3 n+2m+1 1 1 2 3 1 1 log2k 2k +1 2h min (log2p,h) 2 3 1 1 2 k+1 1 1 2 2n+2 2 2n-2 2 2n+2m 2 2n-2p

n - number of members in the group k – number of merging groups

Exponentiations n+3 n-1 n+2m+1 n-p 3h/2 3h/2 3h/2

Computation Signatures 4 1 m+3 1 2 1 log2k +1

Verifications n+3 1 n+2m+1 1 3 1 log2k

3h

min(log2p,h)

min(log2p,h)

4 3n/2 + 2 3m+1 3n/2 + 2 3 3 3 3

2 1 2 1 2 2 2 2

3 1 3 1 n+3 n+1 n+m+2 n-p+2

h – height of the key tree p – number of members partitioned from a group of n members.