AN EFFICIENT GROUP KEY AGREEMENT PROTOCOL FOR
HETEROGENEOUS ENVIRONMENT
Mounita Saha and Dipanwita RoyChowdhury
Department of Computer Science and Engineering, Indian Institute of Technology, Kharappur, India
Keywords:
Group key agreement, Heterogeneous environment, Hierarchical key agreement, Provable security.
Abstract:
Secure group communication in heterogeneous environment is gaining popularity due to the advent of wireless
and ubiquitous computing. Although a number of protocols for group key agreement have been proposed, most
of them are not applicable in heterogeneous environment where a number of computationally limited nodes
coexist with one or more computationally efficient nodes. Among the few existing protocols, where some
fail to satisfy the key agreement properties, some are unable to handle the agreement for dynamic group. In
this work, we propose a constant round group key agreement protocol for heterogeneous environment using
polynomial interpolation. The protocol ensures both communication and computation efficiency by shifting
the major computation load on powerful users, achieves true contributory key agreement property and dynamic
handling of user join and leave. The security of the protocol has been analyzed under formal model. Finally we
have extended the protocol to hierarchy, offering more scalability without affecting the security and efficiency.
The comparison result shows considerable improvement in protocol efficiency compared to the existing ones.
1 INTRODUCTION
The key establishment problem has been widely stud-
ied in the literature. However, due to the changing
scenario of communication applications, it still con-
tinues to be an active area of research. The addition
of certain protocol properties desired in certain situa-
tions and some extra assumptions about the network
setup and security infrastructure have opened up new
challenges for the key establishment problem. Key
establishment is generally classified into two classes:
key transport, where one of the users chooses the key
and key agreement, where all the users contribute to
the computation of the key.
In recent times, as different group oriented appli-
cations proliferate in modern computingenvironment,
the design of an efficient key agreement protocol for
group has received much attention in the literature.
One focus area in group key establishment is design-
ing protocols for heterogeneous environment where
user nodes with different computation capabilities co-
exist. Typically in a heterogeneous environment, a
number of user nodes have limited computation capa-
bility, whereas one or more users have more compu-
tation capability. The example of such environment is
mobile networks and ubiquitous computing environ-
ment.
On the contrary to a common initial impression,
secure group communication is not a simple exten-
sion of secure two-party communication. Beyond the
fulfillment of security requirements, a large number
of the existing group key agreement protocols suffer
from lack of efficiency. Protocol efficiency and scal-
ability in group key establishment is of great concern
due to the direct relation of the number of partici-
pants to computation and communication complexity.
It can be noted that, one desirable property of GKA
in heterogeneous environment is to ensure computa-
tion and communication efficiency for the low power
users.
In this work, we present a truly contributory group
key agreement protocol for heterogeneous environ-
ment where a number of resource constrained users
are connected to one/more powerful users. Unlike the
previous protocols which are based on Diffie-Hellman
scheme, our protocol design uses non-Diffie Hell-
man technique and achieves better computation and
communication efficiency. We also present a proof
of security of the protocol in random oracle model.
Designing protocols in hierarchy is a technique em-
ployed to increase efficiency and scalability of group
key agreement (GKA) protocols. We, thus have ex-
tended the protocol to a more scalable hierarchical so-
lution.
182
Saha M. and Roy Chowdhury D. (2009).
AN EFFICIENT GROUP KEY AGREEMENT PROTOCOL FOR HETEROGENEOUS ENVIRONMENT.
In Proceedings of the International Conference on Security and Cryptography, pages 182-189
DOI: 10.5220/0002226101820189
Copyright
c
SciTePress
1.1 Related Work
The original idea of extending the 2-party key estab-
lishment to the multi-party setting dates back to the
classical paper of Ingermarsson et al. (I. Ingermars-
son and Wong, 1982), and is followed by many works
(Tzeng and Tzeng, 2000; G. Ateniese and Tsudik,
2000; Becker and Wille, 1998). However, all these
approaches simply assume a passive adversary, or
only provide an informal/non-standard security anal-
ysis for an active adversary. Also, in the earlier proto-
cols, the round complexity is linear in the number of
group members.
The first constant round protocol secure against
passive adversary was given in (Burmester and
Desmedt, 1994). More recently, based on this, Katz
and Yung (Katz and Yung, 2003) have proposed the
first constant-round protocol for authenticated group
key agreement that has been proven secure against an
active adversary. The protocol requires three rounds
of communication and achieves provable security un-
der the Decisional Diffie-Hellman assumption in the
standard model. While the protocol is very efficient
in general, this full symmetry negatively impacts the
protocol performance in a heterogeneous scenario.
In (Boyd and Nieto, 2003) Boyd and Nieto have
introduced a one-round group key agreement proto-
col which is provably secure in the random oracle
model. This protocol is computationally asymmet-
ric. In recent times Bresson et al. have proposed a
number of group key agreement protocols (E. Bres-
son and Quisquater, 2001; Bresson and Catalano,
2004; E. Bresson and Pointcheval, 2004) and have
given the first provable security model for security
analysis of group key agreement protocol. Bresson
and Catalano (Bresson and Catalano, 2004) have pre-
sented a provably-secure protocol which completes
in two rounds of communication. Interestingly, un-
like previous approaches, they construct the proto-
col by combining the properties of the ElGamal en-
cryption scheme with standard secret sharing tech-
niques. However, this protocol suffers from a signif-
icant communication overhead both in terms of the
number of messages sent and the number of bits com-
municated throughout the protocol. In (E. Bresson
and Pointcheval, 2004) another constant round pro-
tocol was proposed which is suitable for low power
mobile devices. Nam et.al has shown an attack on it
(J. Nam and Won, 2005b). Then in (J. Nam and Won,
2005c), Nam et al. proposed a group key agreement
protocol for an imbalanced network that provides for-
ward secrecy. In their protocol, the computation time
for a mobile node is two modular exponential opera-
tions. They adopted the Katz and Yung scalable com-
piler to transform their two-round protocol into an au-
thenticated group key agreement protocol with three
rounds. However, Tseng (Tseng, 2007) later showed
that the protocol is not a real group key agreement
protocol as the users cannot confirm that their con-
tribution was involved in establishing the group key.
(Tseng, 2007) also proposed a group key agreement
for resource constrained environment which is secure
against passive adversary.
1.2 Our Contribution
The main contribution of this work is to design a con-
tributory group key agreement protocol in heteroge-
neous communication environment. Unlike the pre-
vious protocols, the proposed protocol at the same
time achieves mutual authentication, completes in 2
round and provides very low computation and com-
munication overhead for the low-power users. The
design goals of a protocol for authentication and key
agreement depends on a number of assumptions like
the user node capabilities, the communication model
setup, i.e. how the users are connected to each other.
Network
Center
(U0)
U4
U5
U1
U2
U3
Figure 1: System model.
The system model that we consider for this work
is shown in figure 1. It consists of a cluster of n mo-
bile hosts or users with limited computational power
U = {U
1
, U
2
, . . . , U
n
}, and a computationally efficient
node U
0
. The participants communicate with the U
0
to establish a common conference key among them-
selves. The users do not communicate among them-
selves. All the communications are through U
0
.
The contributions of the work can be summarized
as follows:
1. Asymmetric computation: In a heterogeneous en-
vironment, the computational requirement by the
low power nodes can become one major bottle-
neck if the amount of computation increases with
number of users. In our work, we follow an asym-
metric computation pattern and fix the amount of
AN EFFICIENT GROUP KEY AGREEMENT PROTOCOL FOR HETEROGENEOUS ENVIRONMENT
183
computation required by the host nodes to a con-
stant value. The major computation burden that
increases with the number of users are shifted to
one/more computationally powerful node.
2. Verifiability of contribution: In the literature,
some protocols (E. Bresson and Pointcheval,
2004; J. Nam and Won, 2005c; J. Nam and Won,
2005a) have been proposed for server based con-
tributory key agreement both for general and hi-
erarchical layout. However, as pointed out in
(Tseng, 2007), none of them assure the user about
its participation in key construction and thus user
is not able to distinguish between a random key or
an actual key. We note that, the contributory key
agreement is meaningful only when the users ver-
ify that their contributions are indeed utilized in
key construction. In the proposed work, users are
able to verify the utilization of their contributions.
3. Efficiency in computation: We reduce the number
of expensive operations required to be performed
by each user. Specifically we remove the com-
putationally expensive exponentiation operations
and limit the online operations of the users to a
single linear function. All other operations are
performed offline.
4. Dynamic join and leave : We consider the users
to be completely dynamic i.e. allow the users to
leave or join the group within a protocol session.
5. Formal security analysis: Compared to the num-
ber of cryptographic protocols proposed in the lit-
erature, security of very few of them have been
proved under a formal model. In this work, apart
from informal analysis of protocol goals, we pro-
vide the security guarantee of the protocols under
provable security model.
2 USER-VERIFIABLE
CONTRIBUTORY KEY
AGREEMENT
In this section, we present the proposed group key
agreement protocol.
The following notations are used for the protocol
descriptions.
U : The set of users U
i
, i (1, n)
U
0
: The leader having higher resources
ID
i
: The unique identity of user U
i
U
G
p
: Cyclic group of order p
g : Generator of group G
p
H : A collision free hash function
τ : A secure signature scheme
pr
i
, pu
i
: Signature key pair for user U
i
C
i
: A counter shared between user U
i
and U
0
The public parameters G
p
and g, defined here,
are assumed to be known to all the participants in
advance. The hash function H and the signature
scheme τ is also known to all. Each group mem-
ber in protocol is having an unique identity ID
i
. The
protocol is defined in an asymmetric setting consist-
ing of a powerful node U
0
and a set of group users
(U
1
, U
2
, . . . , U
n
). The U
0
has a (private,public) key
pair (pr
0
, pu
0
) for encryption-decryption and signa-
ture. Each user U
i
also has a set of signing and veri-
fying key pair (pr
i
, pu
i
) for signature generation and
verification. Each user U
i
, i [1, n], shares a counter
C
i
with U
0
. The C
i
is included for freshness and in-
cremented at each communication session.
2.1 Proposed Protocol
Step 1: Preparing user contribution and signa-
ture
Each user U
i
with identity ID
i
chooses its con-
tribution (x
i
) randomly. Let C
i
be the current
value of counter for user U
i
. The values of
(ID
i
||ID
0
||x
i
||C
i
) are then encrypted with U
0
s
public key. Here || denotes the concatenation op-
eration.
e
i
= {ID
i
||ID
0
||x
i
||C
i
}
pu
0
U
i
also takes a signature sig
i
of (ID
i
||ID
0
||x
i
||C
i
)
using it’s private signature key.
sig
i
= τ
pr
i
(ID
i
||ID
0
||x
i
||C
i
)
Each user then sends e
i
, sig
i
to the U
0
.
U
i
U
0
: e
i
, sig
i
All these operations can be performed offline. The
advantage of using counter over timestamp is that
the operations involving the counter can be per-
formed offline.
Step 2: Receipt of user message and verification
at U
0
The U
0
receives all the messages and decrypts
them. It then verifies all the signatures of the cor-
responding users. It also checks the validity of the
counter C
i
and accepts if the signatures are valid.
Step 3: Computation of secret by U
0
The pair of identity and random value (ID
i
, x
i
) re-
ceived from each user is taken as it’s contribution
to construct the key. U
0
also selects a random
number x
0
G
p
as its contribution. The secret is
constructed by interpolating all the contributions
SECRYPT 2009 - International Conference on Security and Cryptography
184
into a polynomial. The n + 1 values of (ID
i
, x
i
)
are taken as (n + 1) input points to the interpola-
tion algorithm. As, all the identities of the users
are distinct, a distinct polynomial will be obtained
from the fresh input. Let the coefficients of the
resulting polynomial be a
0
, a
1
, . . . , a
n
. Thus the
polynomial is as follows:
A(x) = a
0
+ a
1
x+ a
2
x
2
+ . . . + a
n
x
n
The secret value is constructed as
K = (a
0
||a
1
||. . . ||a
n
).
Step 4:Computation of reply message from U
0
For each user U
i
, U
0
computes a one way hash
H (ID
i
, ID
0
, x
i
, C
i
) over the identity ID
i
, ID
0
,
counter C
i
and contribution x
i
. Then the secret
value K is bitwise XORed with this hash value to
obtain a value P
i
as follows:
P
i
= K H (ID
i
||ID
0
||C
i
||x
i
)
If length of K is more than the hash output, it can
be sent in multiple fragments.
LetY = {P
i
|i = 1...n}, U
0
takes a signature sig
0
of
the values (ID
0
, Y, U) using its private signature
key.
sig
0
= τ
pr
0
(ID
0
, Y, U)
The U
0
finally creates a broadcast message M =
{Y, U, sig
0
} and broadcasts M to all the users.
Step 5:Secret key computation & Verification
at users end
Each user U
i
will receive the U
0
s messages and
verify the signature of U
0
. Then the user obtains
the value of H (ID
i
, ID
0
, x
i
, C
i
). This value can be
calculated by the user offline. The shared secret
will be calculated by the user as follows:
P
i
H (ID
i
, ID
0
, x
i
, C
i
)
= K H (ID
i
, ID
0
, x
i
, C
i
) H (ID
i
, ID
0
, x
i
, C
i
)
= K
If K is sent fragmented, the user has to obtain all
the fragments in a similar manner and combine
them to get the secret.
The users can now verify whether the secret is
constructed using their contributions. If the con-
tribution x
i
of user U
i
is used, then the relation
A(ID
i
) = x
i
should be true. The verification is
done in the following way: After receiving the co-
efficients user U
i
will compute the following
a
0
+ a
1
ID
i
+ a
2
ID
2
i
+ . . . + a
n
ID
n
i
If this value is equal to x
i
, the user knows his/her
contribution was used in key construction. Ac-
cording to Horners rule, this computation can be
written as
a
0
+ a
1
ID
i
+ a
2
ID
2
i
+ . . . + a
n
ID
n
i
=a
0
+ ID
i
(a
1
+ ID
i
(a
2
+ ID
i
(. . . )))
This way, the verification requires only n multipli-
cations.
Finally, the shared secret key for conference is
computed by all the users as Key = F (K, U),
where F is a predefined one-way function.
2.2 Dynamic Handling of User Join and
Leave
When a conference session is in progress, users may
be allowed to join or leave. In some applications it
may not be desirable that a new joining user under-
stands the content of previous conversations. Simi-
larly, it is also not desirable that a leaving user con-
tinues to understand the ongoing conversation. Thus,
ensuring the security of the conference while allow-
ing dynamic join and leave is essential. In the pro-
posed protocol, the security of the secret key while
maintaining dynamic join/leave is maintained in the
following way.
User Join
When a new user U
new
joins, it the sends its share
(ID
new
, x
new
) to U
0
. The set of users is updated as
U = U ID
new
. U
0
also refreshes its contribution to
(ID
0
, x
0
) using a new random value x
0
G
p
. Then the
shared secret is computed and distributed as described
in steps 3 to 5 in key agreement.
User Leave
When an existing user U
old
leaves, U
0
discards its
share (ID
old
, x
old
). The set of users is updated as
U = U ID
old
. U
0
also refreshes its contribution to
(ID
0
, x
0
) using a new value x
0
. Then the shared secret
is computed and distributed as described in steps 3 to
5 in key agreement.
It can be noted that, as one group member joins
or leaves, it’s corresponding contribution point is
added/discarded. The U
0
s contribution also changes.
So, whenever there is a change in membership, atleast
two points of the secure polynomial change and its
value is refreshed. Now, from the property of polyno-
mial interpolation, it is known that, if 1 out of (n+1)
points on a n degree polynomial is changed, the poly-
nomial changes in an unpredictable way. This is in-
formation theoretically true. Thus, secrecy of the pre-
vious (new) key from new (former) group members is
maintained.
Figure 2 demonstrates one instance of the
Key Agreement scheme of proposed protocol.
2.3 Security Analysis
The proposed protocol has the security properties of
key freshness, key confidentiality and mutual authen-
AN EFFICIENT GROUP KEY AGREEMENT PROTOCOL FOR HETEROGENEOUS ENVIRONMENT
185
User nUser 1
Network Center (NC)
....
User 2
x
1
Z
q
x
2
Z
q
x
n
Z
q
sig
1
= τ(ID
1
, ID
0
, x
i
, C
i
) sig
2
= τ(. . . ) sig
n
= τ(. . . )
{ID
1
, ID
0
, x
1
, C
1
}
pu
s
, sig
1
{ID
2
, ..}
pu
s
, sig
2
{ID
n
, ..}
pu
s
, sig
n
A(x) = a
0
+ a
1
x+ a
2
x
2
+ ..a
n
x
n
K = a
0
||a
1
||. . . ||a
n
P
1
= K H (x
i
, . . . ) P
2
= K H (x
i
) P
n
= K H (x
i
, . . . )
Y = P1||P2||. . . ||Pn sig
0
= τ
pr
0
(ID
0
, Y, U)
M = (Y, sig
0
, U)
K = P
1
H (ID
1
, ID
0
, x
1
, C
1
)
K = . . . K = . . .
Verifyx
1
= a
0
+ a
1
ID
1
+ . . .
Verifyx
2
= .. Verifyx
n
= ..
Key = F(K, U)
Key = (. . .) Key = (. . .)
Figure 2: Proposed Conference Key Agreement Protocol.
tication. Also true contributiveness of the key is
achieved as no participant can predetermine the key
or influence the key. An informal analysis shows that
it is resistant to common attacks such as replay, im-
personation, unknown key share and collusion.
The prime motivation of the proposed protocol is
to reduce the computational overhead from the users.
Thus, we have deliberately not considered the perfect
forward secrecy. However this property can be eas-
ily achieved by associating a Diffie-Hellman key ex-
change.
The advantage of taking identities ID
i
as x coordi-
nate values of polynomialinterpolation is that they are
unique. However, if the identities of users are known
to each other, an user may be able to obtain the contri-
butions of other users. Although this knowledge does
not help a new/former user to deduce the old/new key,
it may not be desirable in some applications. In that
case, instead of using ID
i
directly as the x coordinate
value, the H(ID
i
, x
i
) value can be used. As the one
way hash is assumed to be collision free, this method
will still produce unique values for x coordinates. Al-
ternatively, the counter valuesC
i
known between user
and U
0
can also be used for x coordinates.
We now present the security analysis of the proto-
col in formal model.
The Security Model
The first formal model for security analysis of group
key agreement protocols was given by Bressonet al
(E. Bresson and Pointcheval, 2004). We also use a
similar game based security model widely used in lit-
erature.
The protocol participants are a set U =
(U
0
, U
1
, . . . , U
n
) of all users that can participate in the
key agreement protocol. Each user can simultane-
ously participate in different protocols sessions. Thus
an instance of user U
i
in protocol session s is repre-
sented by the oracle Π
s
i
. Each user U
i
U obtains a
private-public key pair (pr
i
, pu
i
) for signature gener-
ation/verification.
The partner ID of an user U
i
in session s is the
set of all users who compute the same key as the user
U
i
in that session. The partner ID is defined using
session ID. The session ID is defined in terms of the
messages exchanged among the users in a session.
The detail definition of session identity is given in the
(E. Bresson and Pointcheval, 2004).
The Adversary
The adversary A is active and assumed to have control
over all communication flows in the network. The ad-
versary communicates with the users through a num-
ber of queries, each of which represent a capability of
the adversary. The queries are as follows.
Send(U
i
, s, m): Models the ability of A to send
message m to user U
i
. The adversary gets back
from his query, the response that the userU
i
would
have generated on processing the message m. If
the message m is not in expected format, the or-
acle would halt. If the oracle accepts, rejects or
simply halts, the reply will indicate that. If the
message m = NULL, a new session would be ini-
tiated. An oracle is said to have accepted, if it has
obtained/computed a session key and accepted it.
Reveal(U
i
): If an oracle Π
s
i
accepts and holds a
SECRYPT 2009 - International Conference on Security and Cryptography
186
session key K , then the adversary A can use the
reveal query to obtain the session key held by the
oracle.
Corrupt(U
i
): When the adversary sends a corrupt
query to an user U
i
, the internal state information,
that the user holds is revealed. Also, the long term
secret key of user U
i
is replaced by a value K of
the adversary’s choice.
Test(U
i
): Once an oracle Π
s
i
has accepted a ses-
sion key K
ij
, the adversary can ask a single Test
query. In reply to this query, a random bit b is cho-
sen. If b = 0 the session key is returned, otherwise
a random string is returned from the same distri-
bution as the session keys. The advantage of the
adversary to distinguish the session key from the
random key is taken as the basis of determining
security of the protocol.
Security Definitions
Now we define the security assumptions for the pro-
posed key agreement protocol within the security
model given above. The detailed definitions can be
found in (E. Bresson and Pointcheval, 2004; J. Nam
and Won, 2005c; Boyd and Nieto, 2003).
Freshness
Freshness captures the intuitive fact that a session
key is not obviously known to the adversary. A
session key is fresh if it has been accepted by an
uncorrupted oracle and the oracle or any of its
partners are not subjected to the reveal or corrupt
query.
Authenticated group key agreement
The security of an authenticated group key agree-
ment protocol P is defined by a game G(A , P )
between the computationally bound adversary A
and protocol P . The adversary A executes the
protocol P and executes all the queries described
in the security model, as many times as she
wishes. A wins the game, if at any time it asks
a single Test query to a fresh user and gets back a
l-bit string as the response to the query. At a later
point of time it outputs a bit b
as a guess for the
hidden bit b. Let GG (Good Guess) be the event
that b = b
, i.e. the adversary A , correctly guesses
the bit b. Then we define the advantage of A in
attacking P , as
Adv
P
A
(k) = 2.Pr[GG] 1
We say that a group key agreement scheme P is
secure if Adv
P
A
(k) is negligible for any probabilis-
tic polynomial time adversary A .
Secure Signature Scheme
The security notion for a signature scheme is that
it is computationally infeasible for an adversary to
produce a valid forgery σ with respect to any mes-
sage m under (adaptive) chosen message attack
(CMA). A signature scheme τ(G , S , V ) is (t, q, ε)
secure if there is no adversary whose probabil-
ity in mounting an existential forgery under CMA
within time t after making q queries is greater
than ε(negligible). The probability is denoted as
Succ
τ
(A ).
Secure encryption scheme
A public-key encryption scheme PE = (K;E;D)
consists of three algorithms: A key generation al-
gorithm K giving a pair (e;d) of matching public
and private keys, an encryption algorithm E, and
a decryption algorithm D.
The encryption scheme PE is secure if the ad-
versary’s advantage is negligible. We denote the
probability as Succ
enc
(A ).
Thus, we have defined the security model for the
protocol definition. In the next section, we proceed to
describe the detail of the proposed protocol.
Proof
We now analyze the security of the protocol as the
probability that an adversary can some information on
the key and gain some advantage against the authen-
ticated key agreement (AKE) security. Let denote the
probability as Adv
ake
P
. Let A be the adversary against
the AKE security of the protocol making at most q
s
send quires and q
h
hash queries (to hash oracles H
and F). Let A plays the game G
0
against the proto-
col.
We now incrementally define a series of games
such that each subsequent game has some additional
properties. Let b is the bit involved in the Test query
and b
be the guess output by the adversary. Then,
Win
i
denote the event in game G
i
when b = b
. In
each game, we simulate the protocol and consider the
adversary to attack the protocol. Finally we relate all
of them to obtain the probability of Win
0
.
Let all the queries are answered by a simulator X.
It maintains two tables. In the table S, it maintains
the transcript of all sessions initiated by it. Also, a
list L
H
is maintained to answer the queries to the hash
oracles. n is the number of users.
Game G
0
: This is the real attack. The X generates a
pair of signing/verification key and the U
0
is given a
pair of public-private key. It answers all queries of the
adversary in accordance of the protocol.
Game G
1
: Let Forge be an event that A asks for a
send query to the U
0
such that the verification of the
signature is correct and m
was not previously out-
put by a client as an answer to another send query.
It means that A is sending a message that it has pro-
duced itself. Such an event can be detected by X as it
AN EFFICIENT GROUP KEY AGREEMENT PROTOCOL FOR HETEROGENEOUS ENVIRONMENT
187
Figure 3: Comparison of communication.
Table 1: Comparison with existing protocols.
Protocol User U
0
round Message Dyn Auth Verif PS
(J. Nam and Won, 2005c) 2Ex,1sig,1Sv (n+ 1)Ex,1Sig, n Sv 2 n1(u),1(b) Y Y N Y
(Boyd and Nieto, 2003) 1D, 1Sv (n 1)E,1Sig 1 n(b) N N N Y
(E. Bresson and Pointcheval, 2004) 2Ex, (n 1)Ex 2 n 1(u),1(b) Y N N Y
(Hwang and Chang, 2003) 1Ex,1E 1Ex,nD 4 2+ 3(n 1) Y Y N N
(Y. Jiang and Shen, 2006) 1Ex,1E 1Ex,nD 4 2+ 3(n 1) Y Y N N
Proposed 1S,1Sv (n 1)D,1Sig, n Sv 2 n 1(u),1(b) Y Y Y Y
Ex:exponentiation Sig: Signature Sv: Signature verification E: encryption D: decryption u:unicast b:broadcast
maintains a table of all protocol transcripts generated
by itself. In this case, X aborts the game and outputs
b
randomly.
The event Forge occurs when A was successful
to make an existential forgery against the signature
scheme for one of the participants. The probability
of this event is thus n Succ
τ
(A ), where Succ
τ
(A )
is the success probability of signature forgery against
the signature scheme τ, given some public key PK.
The game is identical to G
0
except when Forge
occurs. Thus,
Pr(Win
1
) Pr(Win0) n Succ
τ
(A ))
Game G
2
: Let Enc be the event when the adversary
makes a hash oracle query involving some (ID
i
, x
i
)
and the same hash query was asked by the a protocol
participant (user or U
0
). This can be checked from
the list of hash that is maintained. If such an event
occurs it means, adversary has been able to attack the
encryption scheme.
The probability of success against the encryption
scheme after making q
s
queries is q
s
Succ
enc
(A ).
The game is identical to G
1
except when enc occurs.
Thus the total winning probability of the game
Pr(Win
2
) Pr(Win1) q
s
Succ
enc
(A ))
Combining all the results, we obtain
Pr(Win
0
) N Succ
τ
(A ) + q
s
Succ
enc
(A ) Thus,
according to our security assumptions, the probability
of the polynomially bound adversary to win the game
is negligible.
2.4 Performance Analysis
In this subsection we present a performance compar-
ison of the proposed protocol with the existing ones.
The performance of an authenticated group key agree-
ment protocol is examined based on both its computa-
tion and communication requirements. The computa-
tion requirement is assessed by the number of major
operations performed. The communication require-
ment is measured by counting the number of rounds,
messages and bits to be communicated.
Communication Requirement. In figure 3, we per-
form a comparison of the communication require-
ment of the proposed protocol with (J. Nam and Won,
2005c). The comparison is based on the number of
bits required to be transmitted by powerful user U
0
versus the number of users. The signatures and hash
values are assumed to be 256 bit whereas the cyclic
group of public key system is taken 1024 bit. It can
be noted that the proposed protocol requires much
lesser number of bits to be transmitted from the pow-
erful node to the users and the difference grows with
increasing number of users. The difference in the
proposed protocol is achieved by using non-Diffie-
Hellman based key computation technique.
Computation Requirement. Table 1 shows a com-
parison of the proposed work with respect to existing
similar works. Here first two columns show the com-
putation requirements of user and U
0
respectively.
Next two columns show the number of rounds and
SECRYPT 2009 - International Conference on Security and Cryptography
188
messages required to complete the protocol transac-
tions. The next column (dynamic) denotes whether
the protocol is dynamic or not, Auth denotes whether
authentication is provided and Verif denotes user ver-
ifiability and PS denotes provably secure.
The table shows that the proposed protocol, in-
spite of offering the verifiability and mutual authen-
tication property, is comparable to the existing works.
Apart from (Boyd and Nieto, 2003), the rest of the
protocols also use 2 exponentiations. The (Boyd and
Nieto, 2003), despite being computation efficient uses
n broadcasts which is expensive. In the proposed
protocol, most of the computations performed by the
users, i.e. encryption, hash computation and signa-
ture can be computed offline. Thus only a bit-wise xor
is the main operation to be performed online. More-
over, the offline computations are also less expensive
as the user performs a hash computation and one pub-
lic key encryption which is not expensive as a public
key (3 16 bit) is short.
3 CONCLUSIONS
In this work we have provided an efficient and scal-
able solution for true-contributory group key agree-
ment in an heterogeneous environment, which con-
sists of both nodes with limited and relatively higher
computational resources. The protocol transfers most
of the computation and communication load to the
powerful node, whereas the only online computation
performed by a low power user is a single XOR com-
putation.
REFERENCES
Becker, K. and Wille, U. (1998). Communication com-
plexity of group key distribution. In In Proc. of 5th
ACM Conf. on Computer and Communications Secu-
rity, pages 1–6.
Boyd, C. and Nieto, J. (2003). Round-optimal contributory
conference key agreement. In In Proc. of PKC2003,
LNCS 2567, pages 161–174.
Bresson, E. and Catalano, D. (2004). Constant round au-
thenticated group key agreement via distributed com-
putation. In In Proc. of 7th International Workshop
on Practice and Theory in Public Key Cryptography
(PKC’04), LNCS 2947, pages 115–129.
Burmester, M. and Desmedt, Y. (1994). A secure and effi-
cient conference key distribution system. In In Proc.
of Eurocrypt’94, LNCS 950, pages 275–286.
E. Bresson, O. Chevassut, A. E. and Pointcheval, D. (2004).
Mutual authentication and group key agreement for
low-power mobile devices. In Computer Communi-
cations, volume 27, pages 1730–1737.
E. Bresson, O. Chevassut, D. P. and Quisquater, J.-J. (2001).
Provably authenticated group diffie-hellman key ex-
change. In In Proc. of 8th ACM Conf. on Computer
and Communications Security, pages 255–264.
G. Ateniese, M. S. and Tsudik, G. (2000). New multiparty
authentication services and key agreement protocols.
In IEEE Journal on Selected Areas in Communica-
tions, volume 18, pages 628–639.
Hwang, K. and Chang, C. (2003). A self-encryption mecha-
nism for authentication of roaming and teleconference
services. In IEEE Transaction on Wireless Communi-
cations, volume 2, pages 400–407.
I. Ingermarsson, D. T. and Wong, C. (1982). A conference
key distribution system. In IEEE Trans. on Informa-
tion Theory, volume 28, pages 714–720.
J. Nam, S. K. and Won, D. (2005a). Secure group commu-
nications over combined wired and wireless networks.
In Proc. of TrustBus, Lecture Notes in Computer Sci-
ence, volume 3592, pages 90–99.
J. Nam, S. K. and Won, D. (2005b). A weakness in
the bresson-chevassut-essiari-pointcheval’s group key
agreement scheme for low-power mobile devices. In
IEEE Communications letters, volume 9, pages 429–
431.
J. Nam, J. Lee, S. K. and Won, D. (2005c). Ddh-based
group key agreement in a mobile environment. In
Journal of Systems and Software, volume 78, pages
73–83.
Katz, J. and Yung, M. (2003). Scalable protocols for authen-
ticated group key exchange. In In Proc. of Crypto’03,
pages 110–125.
Tseng, Y. (2007). A resource-constrained group key agree-
ment protocol for imbalanced wireless networks. In
Computers and Security, volume 26, pages 331–337.
Tzeng, W. and Tzeng, Z.-J. (2000). Round-efficient confer-
ence key agreement protocols with provable security.
In In Proc. of Asiacrypt’00, LNCS 1976, pages 614–
627.
Y. Jiang, C. Lin, M. S. and Shen, X. S. (2006). A self-
encryption authentication protocol for teleconference
services. In International Journal of Security and Net-
works, volume 1, pages 198 – 205.
AN EFFICIENT GROUP KEY AGREEMENT PROTOCOL FOR HETEROGENEOUS ENVIRONMENT
189