Diffie-Hellman Key Distribution Extended to Group ... - Semantic Scholar

Diffie-Hellman Key Distribution Extended to Group Communication

Michael Steiner, Gene Tsudik, Michael Waidner
IBM Zürich Research Laboratory, CH-8803 Rüschlikon, Switzerland
{sti,gts,wmi}@zurich.ibm.com

Abstract

Ever since 2-party Diffie-Hellman key exchange was first proposed in 1976, there have been efforts to extend its simplicity and elegance to a group setting. Notable solutions have been proposed by Ingemarsson et al. (in 1982) and Burmester/Desmedt (in 1994). In this paper, we consider a class of protocols that we call natural extensions of Diffie-Hellman to the n-party case. After demonstrating the security of the entire class based on the intractability of the Diffie-Hellman problem, we introduce two novel and practical protocols and compare them to the previous results. We argue that our protocols are optimal with respect to certain aspects of protocol complexity.

1 Introduction

It has been almost twenty years since Diffie-Hellman (DH) 2-party key exchange was first proposed in [1]. In the meantime, there have been many attempts to extend its elegance and simplicity to the group setting. The main motivating factor is the increasing popularity of various types of groupware applications and the need to do so securely. Since key distribution is the cornerstone of secure group communication, it has naturally received a lot of attention. (See, for example: [2], [3], [4], [5], [6], [7], [8], [9].) Unfortunately, some of the results are of only theoretical interest, while the security of some others remains unproven. In this paper we consider a class of protocols that we call "natural" extensions of the 2-party Diffie-Hellman key exchange. We define a generic protocol of this class and prove its security, provided, of course, that the 2-party Diffie-Hellman decision problem is hard. This result allows us to craft a number of protocols without having to be concerned about their individual security. In particular, we present three new protocols, each optimal with respect to certain aspects of protocol efficiency. This paper is organized as follows. We begin in Section 2 by defining a generic group Diffie-Hellman protocol and proving its security. We then introduce three new group key distribution protocols in Sections 3.1-3.4 and discuss their relative merits and drawbacks. Next, in Section 4, we briefly review some notable previous results. The paper concludes with a summary/comparison of all current solutions and some directions for future work.

2 Generic n-Party Diffie-Hellman

2.1 Notation

The following notation is used throughout the paper:

n: number of participants in the protocol
i, j: indices of group members (ranging in [1, n])
M_i: i-th group member; i ∈ [1, n]
q: order of the algebraic group
α: exponentiation base; generator in the algebraic group delimited by q
N_i: random exponent generated by group member M_i
S, T: subsets of {N_1, ..., N_n}
Π(S): product of all elements in subset S
K_n: group key shared among n members (we also use K when n is obvious)

2.2 Generic Key Distribution Protocol

We consider a family of protocols that we refer to as "natural" extensions of the original, 2-party Diffie-Hellman key exchange [1] to n parties. As in the 2-party case, all participants $M_1, \ldots, M_n$ agree a priori on a cyclic group, G, of order q, and a generator, α, of this group G. For each key exchange, each member, $M_i$, chooses randomly a value $N_i \in G$. In the 2-party case, $M_i$ sends $\alpha^{N_i}$ to $M_{3-i}$ and computes the common key $K = (\alpha^{N_{3-i}})^{N_i}$. For appropriately chosen G (see below) it is reasonable to assume that an adversary observing $(\alpha^{N_1}, \alpha^{N_2})$ cannot distinguish K from a random value $y \in G$. All our protocols are based on distributively computing a subset of $\{\alpha^{\Pi(S)} \mid S \subset \{N_1, \ldots, N_n\}\}$. From $\alpha^{N_1 \cdots N_{i-1} N_{i+1} \cdots N_n}$, member $M_i$ can easily compute the shared key $K = \alpha^{N_1 \cdots N_n}$. We call the protocol that reveals all these subsets the generic n-party DH protocol. Before presenting our protocols, we will prove that this generic protocol is secure. In this context, security means: if a 2-party key is indistinguishable from a random value, the same is true for n-party keys. Obviously, this will prove the security of all of our protocols at once.
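To make the generic protocol concrete, the following added Python example (not code from the paper) implements the group setup gen(k) of Section 2.3, the adversary's view (all $\alpha^{\Pi(S)}$ for proper subsets S), the key $K = \alpha^{N_1 \cdots N_n}$, and each member's derivation of K from the view; the bit lengths, the sample exponents and the helper names are my own demo choices.

```python
# Added worked example of the generic n-party DH protocol; not the paper's code.
# Group setup follows gen(): q prime, q' = 2q+1 prime, alpha generates the
# order-q subgroup of Z*_{q'}. Bit sizes are demo values, far too small for use.
import secrets
from itertools import combinations
from math import prod

def is_prime(n):
    """Trial division, adequate for the small demo moduli used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True

def gen(k, rng=secrets.randbelow):
    """Return (q, alpha) as in the paper's gen(k), with q a k-bit prime."""
    while True:
        q = rng(1 << k) | (1 << (k - 1)) | 1   # force k bits and oddness
        if is_prime(q) and is_prime(2 * q + 1):
            break
    p = 2 * q + 1
    # Every non-trivial square mod p generates the unique order-q subgroup.
    h = 2 + rng(p - 3)                          # h in [2, p-2], so h^2 != 1
    return q, pow(h, 2, p)

def generic_view(q, alpha, X):
    """Adversary's view: alpha^(product of N_i) over every proper subset."""
    p, n = 2 * q + 1, len(X)
    return {idx: pow(alpha, prod(X[i] for i in idx) % q, p)
            for m in range(n) for idx in combinations(range(n), m)}

def group_key(q, alpha, X):
    """K(n, X) = alpha^(N_1 ... N_n); never sent and never part of the view."""
    return pow(alpha, prod(X) % q, 2 * q + 1)

def member_keys(q, alpha, X, view):
    """Each M_i raises alpha^(N_1..N_{i-1} N_{i+1}..N_n) to its own N_i."""
    p, n = 2 * q + 1, len(X)
    return [pow(view[tuple(j for j in range(n) if j != i)], X[i], p)
            for i in range(n)]

def run(n, k=16, rng=secrets.randbelow):
    """One key distribution among n members: (K, per-member keys, view)."""
    q, alpha = gen(k, rng)
    X = [1 + rng(q - 1) for _ in range(n)]      # N_i in [1, q-1], constructed
    view = generic_view(q, alpha, X)
    return group_key(q, alpha, X), member_keys(q, alpha, X, view), view
```

Running `run(4)` shows every member arriving at the same K while the view never contains the full-product exponent, which is exactly what the security argument of Section 2.3 is about.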

2.3 Security of the Generic Protocol

Let k be a security parameter. All algorithms receive k as first input, implicitly, and will be polynomially bounded by k, even if the input itself is not bounded. For concreteness, we consider a specific class of algebraic groups for which it is commonly assumed that the 2-party key is computationally indistinguishable from a random value: On input k, algorithm gen chooses randomly a pair (q, α) such that q has length k bits, q and q' = 2q + 1 are both prime, and α generates the unique subgroup G of $\mathbb{Z}_{q'}^*$ of order q. Groups of this type are used, e.g., in [10] and [11]. The indistinguishability of the 2-party key is considered, e.g., in [12]. For (q, α) ← gen(k), n ∈ ℕ, and $X = (N_1, \ldots, N_n)$ for $N_i \in \mathbb{Z}_q$, let

$view(q, \alpha, n, X) :=$ the ordered set of all $\alpha^{N_{i_1} \cdots N_{i_m}}$ for all proper subsets $\{i_1, \ldots, i_m\}$ of $\{1, \ldots, n\}$,

$K(q, \alpha, n, X) := \alpha^{N_1 \cdots N_n}$.

If (q, α) are obvious from the context, we omit them in view() and K(). Note that view(n, X) is exactly the view of an adversary in the generic n-party DH protocol, where the final secret key is K(n, X). Let the following two random variables be defined by generating (q, α) ← gen(k) and choosing X randomly from $(\mathbb{Z}_q)^n$:

$D_n := (view(n, X), K$

$B_n \approx_{poly} C_n$ follows from $A_{n-1} \approx_{poly} D_{n-1}$: Assume that adv distinguishes $B_n$ and $C_n$, and (ignoring a necessary permutation in order) let $(view(n-1, (c, X)), y)$ be an instance for $A_{n-1} \approx_{poly} D_{n-1}$ (i.e., the problem is to decide whether $y = K(n-1, (c, X))$). We produce an instance for adv by choosing $N_1, N_2$ randomly, and computing $(view(n-1, (N_i, X)), K(n-1, (N_i, X)))$ based on those values in $view(n-1, (c, X))$ that do not contain c as an exponent. The rest follows as in the last case. $C_n \approx_{poly} D_n$ follows from $A_{n-1} \approx_{poly} D_{n-1}$, almost exactly like the first statement. The only difference is that we do not choose y randomly, but as $K(n-1, (w, X))$. □

Permission to make digital/hard copies of all or part of this material for personal or classroom use is granted without fee provided that the copies are not made or distributed for profit or commercial advantage, the copyright notice, the title of the publication and its date appear, and notice is given that copyright is by permission of the ACM, Inc. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires specific permission and/or fee. CCS '96, New Delhi, India. © 1996 ACM 0-89791-829-0/96/03..$3.50
