Hindawi Publishing Corporation

EURASIP Journal on Wireless Communications and Networking Volume 2008, Article ID 271989, 9 pages doi:10.1155/2008/271989

Research Article

Constructing UC Secure and Constant-Round Group Key Exchange Protocols via Secret Sharing

Chunjie Cao,1,2 Chao Yang,1 Jianfeng Ma,1 and Sangjae Moon3

1 Key Laboratory of Computer Networks and Information Security, Xidian University, Xi'an 710071, China

2 No.36 Research Institute of China Electronic Technology Corporation (CETC), Jiaxing, Zhejiang 314033, China

3 Mobile Network Security Technology Research Center, Kyungpook National University, Daegu 702701, South Korea

Correspondence should be addressed to Chunjie Cao, chunjie.cao@gmail.com

Received 10 June 2007; Revised 30 October 2007; Accepted 30 April 2008

Recommended by Mohamed Hossam Ahmed

Group key exchange (GKE) is one of the basic building blocks in securing group communication. A number of solutions to the GKE problem have been proposed, but most of them are not scalable and require a number of rounds linear in the number of group members. We present a method of constructing a constant-round, identity-based GKE protocol via secret sharing within the universal composability (UC) framework. The resultant protocol focuses on round efficiency: only three rounds of communication are required. The protocol allows batch verification of the messages signed by all other group participants. Moreover, compared with other identity-based protocols, the key generation center (KGC) in our protocol need not be always online.

Copyright © 2008 Chunjie Cao et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

1. INTRODUCTION

In many modern group-oriented and distributed applications, such as distributed simulation, multiuser games, and collaborative tools, scalable and reliable group communication is one of the critical problems. Regardless of the concrete application environment, security services are required to provide communication privacy and integrity, which are impossible without secure and efficient key distribution. A group key exchange (GKE) protocol allows a group of participants to establish a common session key, which is then used to protect sensitive information.

Among the existing authentication systems, asymmetric technologies such as public key infrastructure (PKI) and identity-based (ID-based) systems are commonly adopted. The concept of an ID-based cryptosystem was first proposed by Shamir [1]. Such a scheme has the unique property that a user's public key can be easily calculated from his identity, while the private key is calculated by a trusted authority called the key generation center (KGC). In a typical PKI system, a user must apply for a public key certificate from a certificate authority (CA), and other partners use this certificate to authenticate the user. In an ID-based system, however, the partner only needs the public identity of the user, such as an email address. Thus, compared with a certificate-based PKI system, an ID-based system greatly simplifies key management.

Communication security is a very important issue when we design a group key exchange protocol for peer groups. Only recently have Bresson, Chevassut, Pointcheval, and Quisquater (BCPQ) given the first provably secure model and protocol [2-4] for the group key exchange setting. Their protocol is based on the protocol of Steiner et al. [5] and requires n rounds to establish a key among a group of n users. The BCPQ model is an important step and very helpful in analyzing and designing group key exchange protocols.

1.1. Related works

1.1.1. Group key exchange

A number of studies [5-21] have considered the problem of extending the two-party Diffie-Hellman (DH) protocol [22] to the multiparty setting. A class of generic n-party DH protocols is defined in [5] and extended to provide implicit key authentication in [17]; one practical protocol of this class is A-GDH.2. A tree-based DH group key exchange protocol has been proposed by Kim et al. [16, 23] and is shown to be secure against passive adversaries. Several papers have also attempted to establish ID-based authenticated key exchange protocols. Joux presented a one-round tripartite key exchange protocol [10] using pairings, but it is vulnerable to a man-in-the-middle attack. Zhang et al. [14] proposed a new ID-based authenticated three-party key exchange protocol, in which authenticity is assured by a special signature scheme from pairings. Recently, an ID-based group key exchange protocol which uses one-way function trees and a pairing was proposed by Reddy and Nalla [7] with an informal security analysis. Barua et al. [6] introduced an ID-based multiparty key exchange scheme which uses ternary trees. But the protocols of Reddy and Barua require ⌈log_2 n⌉ and ⌈log_3 n⌉ communication rounds, respectively, and are not scalable. Wang and Wu [21] proposed an efficient ID-based multicast scheme which needs a group controller. In this paper, however, we focus on peer groups and contributory key exchange.

There are two well-known kinds of constant-round group key agreement protocols: one is based on the BD scheme proposed by Burmester and Desmedt [13], and the other is based on secret sharing. In PKC '04, Choi et al. [8] presented an efficient ID-based group key exchange scheme from bilinear pairings which is an authenticated bilinear variant of the BD scheme, but it was soon found to be flawed by Zhang and Chen [24]. Tzeng [25] and Pieprzyk and Li [26] have shown how a secret sharing scheme can be exploited as a building block in group key establishment. Bresson and Catalano proposed a practical and simple group key exchange scheme which combines the ElGamal encryption scheme and the secret sharing technique [19]. Nevertheless, in the protocol of Pieprzyk and Li [26], confidence in the freshness of the key depends on a random value supplied by a trusted third party, and the protocol does not provide forward secrecy. The scheme [25] of Tzeng also lacks forward secrecy.

1.1.2. Provable security for protocols

The basic idea of proving the security of a protocol in a model in which the parties have a random oracle, and then instantiating that oracle with an appropriate cryptographic primitive, originates in [27, 28]. In 1993, Bellare and Rogaway [29] proposed a formal model for proving the security of protocols in a two-party setting. A modular approach to designing and analyzing key exchange protocols is presented by Bellare et al. [30]. Modularity is achieved by applying an authenticator to protocols which have been proven secure in a much simplified adversarial setting where authentication of the communication links is not required. Based on these works, Bresson et al. (BCPQ) defined a sound formalization [3] for authenticated group DH key exchange and provided provably secure protocols within this model. We refer to protocols secure in the BCPQ model as AKE-secure. But AKE security does not take into account any notion of protection against "insider attacks," and AKE-secure protocols may be completely insecure against attacks by malicious insiders. Katz and Shin [31] proposed a solution within the universal composability (UC) framework [32, 33], which guarantees the security of a protocol even when it runs concurrently with other protocols.

1.2. Our contribution

The purpose of this paper is to present a method of constructing UC-secure, constant-round, ID-based group key exchange protocols. The resultant protocol is round efficient and needs only three rounds. It allows batch verification of the messages signed by all other group participants, which greatly improves computational efficiency. In addition, the protocol is a contributory key exchange, so it does not impose a heavy computational burden on any particular party. Most importantly, the new protocol is UC-secure, and most secret sharing schemes could be adopted to construct a protocol by our method.

2. PRELIMINARIES

2.1. Admissible bilinear map [34]

Let G_1 be a cyclic additive group of prime order q and G_2 be a cyclic multiplicative group of the same order q. Let P be an arbitrary generator of G_1. We assume that the discrete logarithm problem in both G_1 and G_2 is intractable. A map e: G_1 × G_1 → G_2 satisfying the following properties is called an admissible bilinear map:

(i) bilinearity: $e(aP, bQ) = e(P, Q)^{ab}$ for all $P, Q \in G_1$ and $a, b \in \mathbb{Z}_q^*$,

(ii) nondegeneracy: if P is a generator of G_1, then e(P, P) is a generator of G_2, that is, $e(P, P) \ne 1$,

(iii) computability: there exists an efficient algorithm to compute e(P, Q) for all $P, Q \in G_1$.

2.2. Computational DH (CDH) problem in G1

Input: (P, aP, bP) for some $a, b \in \mathbb{Z}_q^*$. Output: abP.

The success probability of a probabilistic polynomial time adversary A in solving the CDH problem in G_1 is defined to be

$$Succ^{CDH}_A = \Pr\big[A(P, aP, bP) = abP : a, b \in \mathbb{Z}_q^*\big].$$

CDH assumption

There exists no algorithm running in expected polynomial time, which can solve the CDH problem with nonnegligible probability. Namely, for any probabilistic polynomial time (PPT) adversary A, SuccADH is negligible.

2.3. Aggregate signature

In the construction of our authenticated protocol, we use the bilinear aggregate signature scheme first introduced by Boneh et al. [35], but with the ID-based bilinear signature scheme proposed by Hess [36] as the base signature scheme.

An aggregate signature scheme is a digital signature scheme that supports aggregation. Concretely, given n signatures on n distinct messages from n distinct participants, it is possible to aggregate all these signatures into a single short signature. This single signature and the n original messages convince the verifier that participant U_i indeed signed message m_i. The aggregate signature scheme is formally denoted as A = {G, K, Sig, Ver, ASig, AVer}, where {G, K, Sig, Ver} is a standard digital signature scheme, called the base signature scheme. Here G is a randomized system parameter generation algorithm, K is a randomized key generation algorithm, Sig is a randomized signing algorithm, and Ver is a deterministic verification algorithm. The aggregation algorithm and the aggregate verification algorithm are ASig and AVer, respectively. The aggregate signature is generated as follows:

$$\sigma = ASig(\sigma_1, \sigma_2, \ldots, \sigma_n),$$

where σ_i is the signature on message m_i relative to public key PK_i, and σ is the single aggregate signature. Verification is done by checking whether

$$AVer(PK_1, PK_2, \ldots, PK_n;\ m_1, m_2, \ldots, m_n;\ ASig(\sigma_1, \sigma_2, \ldots, \sigma_n)) = 1.$$

Note that we take the two co-GDH gap groups to be the same group, so the computational co-DH and decisional co-DH problems [37] reduce to the standard CDH and DDH problems [35].

3. THE MODEL

The model described in this section is a static group security model extended from one of Bresson et al. [4] which follows the approach of Bellare and Rogaway [29, 38, 39].

3.1. Adversarial model

Let U = {U_1, U_2, ..., U_n} and ID = {ID_1, ID_2, ..., ID_n} be a set of n users and their identities, respectively. Each user U_i has a unique identity ID_i, which is known to all the other users, and all these identities are distinct. Each user can execute the protocol multiple times with different partners: this is modeled by allowing each user an unlimited number of instances with which to execute the protocol. We denote instance t of U_i, called an oracle, by Π_i^t for an integer t ∈ N.

3.1.1. Initialization

In this phase, each user U_i ∈ U obtains his long-term public and private keys. An ID-based protocol requires the following initialization phase:

(1) the KGC randomly chooses a secret key s ∈ Z_q as the master key, then computes and publishes P_pub = sP,

(2) when a user with identity ID wants to obtain a public/private key pair, the KGC uses its master secret key s to compute the corresponding private key S_ID and transmits it to the user through a secure channel.

3.1.2. Queries

Normally, the security of a protocol is related to the adversary's capabilities, which are formally modeled by the queries the adversary may issue. We assume that a probabilistic polynomial time adversary A completely controls the communications and can make queries to any instance. We now explain the capability that each kind of query captures.

(i) Extract(ID_i): this query allows the adversary to obtain the long-term private key corresponding to ID_i, where ID_i ∉ ID.

(ii) Send(Π_i^t, M): this query allows the adversary to make user U_i run the protocol normally; message M is delivered to instance Π_i^t, which returns a reply.

(iii) Reveal(Π_i^t): this query models the adversary's ability to obtain session group keys. If the oracle has accepted, holding a session key K, then K is returned to the adversary. We say that an oracle accepts when it has enough information to compute a session key. An oracle can accept at any time, and it accepts at most once per operation execution. As soon as an oracle accepts in an operation execution, the session key is defined.

(iv) Corrupt(ID_i): this query models attacks revealing the long-term private key S_i. It does not output any internal data of the instances of ID_i.

(v) Test(Π_i^t): this query models the semantic security of a session key. The adversary may issue this query only once. A random bit b is chosen; if b = 1, the session key is returned, otherwise a random value is returned.

In this model, we consider two types of adversaries according to their attack types. The attack types are simulated by the queries issued by the adversaries. A passive adversary is allowed to issue "Reveal," "Corrupt," and "Test" queries, while an active adversary is additionally allowed to issue "Send" and "Extract" queries.

3.2. Security notions

Definition 1 (partner IDs). The partner identities of instance Π_i^t are the users (including U_i himself) with whom Π_i^t intends to establish a session key. The partner identities of instance Π_i^t are denoted by pid(Π_i^t).

Definition 2 (session IDs). The session ID is the unique identity of a session, denoted by sid(Π_i^t). To achieve the goal of UC security, we follow [30, 33] in assuming that sid is provided by some higher-level protocol when the GKE protocol is first initiated.

Definition 3 (freshness). An oracle is called fresh (or holds a fresh key) if the following two conditions are satisfied. First, nobody in U has been asked a "Corrupt" query since the beginning of the game. Second, in the current operation execution, Π_i^t has accepted and neither U_i nor his partners have been asked a "Reveal" query.

F_SS-GKE proceeds as follows, running on security parameter k, with players U_1, ..., U_n and an ideal adversary S.

Initialization: upon receiving (sid, pid, new-session) from player U_i for the first time (where pid is a set of at least two distinct user identities containing U_i), record (sid, pid, U_i) and send this to S. In addition, if there are already |pid| − 1 recorded tuples (sid, pid, U_j) for U_j ∈ pid \ {U_i}, then store (sid, pid, Initialized) and send this to S.

Secret Distribution: upon receiving a message (Share, sid, pid, U_i) from U_i, where there is a recorded tuple (sid, pid, Initialized), do the following:

(i) if all U ∈ pid are uncorrupted, choose k_i ← {0,1}^k and compute P_i = g(k_i), where g is a function that generates |pid| − 1 secret shares. Then record (shared, sid, pid, U_i, P_i) and send it to all players and to S. If there are already |pid| − 1 recorded tuples (shared, sid, pid, U_j, P_j), then store (sid, pid, SecretDistributed) and send this to S,

(ii) if U_i is corrupted, wait for S to send k_i', P_i' and then record (shared, sid, pid, U_i, P_i').

Key Generation: upon receiving a message (KeyGeneration) from S, where there is a recorded tuple (sid, pid, SecretDistributed), do the following:

(i) if all U ∈ pid are uncorrupted, compute key = f(k_1, k_2, ..., k_{|pid|−1}) and store (sid, pid, key),

(ii) if any of the U ∈ pid are corrupted, send the corresponding secrets k_i to S, wait for S to send a message (SecretKey, key'), and then store (sid, pid, key').

Key Delivery: if S sends a message (deliverKey, U_i), where there is a recorded tuple (sid, pid, key) and U_i ∈ pid, then send (sid, pid, key) to player U_i.

Player Corruption: if S corrupts U_i ∈ pid where there is a recorded tuple (sid, pid, key) and the message (sid, pid, key) has not yet been sent to U_i, then the adversary is given key. Otherwise, S is given nothing.

Algorithm 1: Secret sharing-based GKE ideal functionality F_SS-GKE.

Let F be a collision-resistant pseudorandom function, and assume that v_0, v_1 ∈ {0,1}^k are publicly known and v_0 ≠ v_1.

Initialization Phase: each player U_i generates long-term verification/signing keys (PK_i, SK_i) (in addition to any keys needed for Π).

The Protocol: players run protocol Π. If U_i would terminate without accepting in Π, then it terminates without accepting in Π'. Otherwise, if U_i would accept in protocol Π with output (sid_i, pid_i, key_i), this player performs the following additional steps:

(i) U_i computes ack_i = F(key_i, v_0) and sk_i = F(key_i, v_1). Next, U_i erases all its local state except for ack_i, sk_i, sid_i, and pid_i. Then U_i computes the signature σ_i = Sign(SK_i, (U_i, sid_i, pid_i, ack_i)) and sends the message (U_i, σ_i) to all players in pid_i,

(ii) upon receipt of |pid_i| − 1 messages (U_j, σ_j) from all other players U_j ∈ pid_i \ {U_i}, U_i checks that Verify(PK_j, (U_j, sid_j, pid_j, ack_j), σ_j) = 1 for all U_j ∈ pid_i. If all verifications succeed, then U_i accepts, erases its internal state, and outputs (sid_i, pid_i, sk_i). Otherwise, U_i terminates without accepting.

Algorithm 2: AKE → UC compiler.

Definition 4 (authenticated key exchange security (AKE security)). We say that event Succ occurs if the adversary issues a "Test" query to a fresh oracle and correctly guesses the bit b (distinguishing the key from a random string). The advantage of an adversary A in attacking protocol P is defined as Adv_A(k) = |2Pr[Succ] − 1|.

A protocol P is AKE secure if the following two properties are satisfied:

(i) consistency: in the presence of an adversary, all partner oracles accept the same key,

(ii) secrecy: for any PPT adversary A, Adv_A(k) is negligible.

Definition 5 (perfect forward secrecy). A protocol provides perfect forward secrecy if an adversary gains no nonnegligible information about previously established session keys when making "Corrupt" queries to all group members. We define Adv_P(t, q_s, q_h) to be the maximal advantage of any active adversary attacking protocol P, running in time t and making q_s "Send" queries and q_h "Hash" queries.

Note that we do not define any notion of explicit authentication or, equivalently, confirmation that the other members of the group have computed the common key. However, explicit authentication in our protocol can be achieved at little additional cost. Previous work [4] shows how to achieve explicit authentication for any group authenticated key exchange protocol using one additional round and minimal extra computation.

4. UNIVERSAL COMPOSABLE GKE PROTOCOLS VIA SECRET SHARING

In this section, we introduce the ideal functionality for group key exchange via secret sharing within the UC framework [32, 33]. Then, we show that an AKE-secure GKE protocol based on secret sharing can be compiled into a UC-secure protocol by applying the compiler proposed by Katz and Shin [31] (depicted in Algorithm 2). Our secret sharing-based GKE ideal functionality F_SS-GKE is depicted in Algorithm 1. In the following, we assume that (1) the underlying group communication system is resistant to fail-stop failures, which means that the system provides a consistent membership view to all group members and reliable, causally ordered multicasts; (2) unicast and multicast are reliable. We also assume that any user can broadcast messages to the others over the broadcast network.

Round 1. Initialization: each participant U_i picks random r_i, r_i' ∈ Z_q^*, computes, and broadcasts (sid, O_i = r_i P, O_i' = r_i' P).

Round 2. Secret Distribution: on receiving O_j with the correct sid, each participant U_i picks a random K_i ∈ Z_q and computes the polynomial f_i(x) = K_i + a_{i1} x + a_{i2} x^2 + ··· + a_{i,n−1} x^{n−1} passing through the points (j, H_3(r_i O_j)), 1 ≤ j ≤ n, j ≠ i, and (0, K_i). Then it computes

$$P_{ij} = f_i(n + j), \quad 1 \le j \le n,\ j \ne i;$$

$$P_i = P_{i1} \,\|\, P_{i2} \,\|\, \cdots \,\|\, P_{in}; \qquad O = O_1 \,\|\, O_2 \,\|\, \cdots \,\|\, O_n; \qquad O' = O'_1 \,\|\, O'_2 \,\|\, \cdots \,\|\, O'_n;$$

$$h_i = H_2(P_i \,\|\, O \,\|\, O' \,\|\, K_i \,\|\, sid \,\|\, pid);$$

$$\sigma_i = r_i P_{pub} + h_i S_i$$

and broadcasts (sid, P_i, σ_i).

Round 3. Key Confirmation: on receiving (P_j, σ_j) with the correct sid from every j ≠ i, each participant U_i computes, for each such j, the polynomial f_j'(x) of degree n − 1 that passes through (n + l, P_jl), 1 ≤ l ≤ n, l ≠ j, and (i, H_3(r_i O_j)). Then U_i computes K_j = f_j'(0) and checks

$$e\Big(\sum_{j=1}^{n} \sigma_j,\ P\Big) = e\Big(\sum_{j=1}^{n} (O_j + h_j Q_j),\ P_{pub}\Big).$$

If the aggregate signature verifies successfully, U_i computes

$$key_i = H_4(K_1 + K_2 + \cdots + K_n); \quad ack_i = H_4(key_i, v_0); \quad sk_i = H_4(key_i, v_1);$$

$$h'_i = H_2(ID_i \,\|\, ack_i \,\|\, sid \,\|\, pid); \quad \sigma'_i = r'_i P_{pub} + h'_i S_i$$

and broadcasts (sid, ID_i, σ_i').

On receiving |pid| − 1 such messages from the other participants, U_i verifies the aggregate signature as above. If the verification succeeds, U_i accepts with (sid, pid, sk_i).

Algorithm 3: The UC-secure GKE protocol ID-SS.

In ACM CCS 2005, Katz and Shin [31] proposed a compiler for GKE protocols, by which an AKE-secure GKE protocol Π is compiled into a UC-secure protocol Π'. This compiler is a key component of our UC-secure, constant-round GKE protocol via secret sharing. The compiler is depicted in Algorithm 2.

Theorem 1 (see [31]). If Π is an AKE-secure GKE protocol, then applying the AKE → UC compiler to Π results in a UC-secure protocol Π'.

From Theorem 1, we obtain the following corollary.

Corollary 1. If Π is an AKE-secure GKE protocol based on secret sharing, then applying the AKE → UC compiler to Π results in a UC-secure protocol Π'.

5. THE PROTOCOL ID-SS

To construct the UC-secure ID-based GKE protocol via secret sharing, we are motivated by the scheme of Shamir [1]. The resultant protocol is denoted as ID-SS. We assume that there exists an authenticated secure channel between the user and KGC for the distribution of the long-term private key.

System setup

Given the security parameter q, the KGC chooses groups G_1 and G_2 of prime order q, a generator P of G_1, and a bilinear map e: G_1 × G_1 → G_2. Let H_1: {0,1}* → G_1 be a map-to-point hash function, H_2: G_1 × Z_q × {0,1}* × {0,1}* → Z_q and H_3: G_1 → Z_q be two further hash functions, and H_4 a key derivation function. H_1, H_2, H_3, and H_4 are modeled as random oracles. The KGC also randomly selects v_0, v_1 ← {0,1}^q and the master secret key s ∈ Z_q, and computes P_pub = sP ∈ G_1, which is made public. Then the KGC publishes the following system parameters:

{e, G_1, G_2, q, P, P_pub, H_1, H_2, H_3, H_4, v_0, v_1}.

Extract

Given a public identity ID ∈ {0,1}*, the KGC computes Q_ID = H_1(ID) ∈ G_1 and the associated private key S_ID = sQ_ID ∈ G_1, which is transmitted to the user.

Let U = {U_1, U_2, ..., U_n} be a set of users who want to establish a common session key, and let ID_i be the identity of U_i. Then the public and private key pair of U_i is (ID_i, S_i = sQ_i). We now describe the protocol in Algorithm 3.
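Once the pairing-based aggregate signatures are set aside, the three rounds of Algorithm 3 reduce to Shamir-style polynomial interpolation over a field plus one Diffie-Hellman value shared by each pair of participants. The following Python program is an added example, not code from the paper or its authors, that runs that core for n parties: a toy group built from modular exponentiation stands in for G_1 (so r_i P becomes G^r_i mod P), SHA-256 stands in for H_3 and H_4, the aggregate signature check of Round 3 is replaced by an equality check on the ack_i values, and every parameter (Q, P, G, V0, V1) is constructed for the example. It also shows why the broadcast shares P_ij alone reveal nothing about K_i: with only n − 1 of the n points of a degree n − 1 polynomial, every guess for the missing DH-derived point interpolates to a different candidate K_i.

```python
import hashlib
import secrets

# Toy parameters, constructed for this example. The prime field Z_Q stands in for
# Z_q (coefficients of the Shamir polynomials), and exponentiation in Z_P^* stands
# in for the additive pairing group G1, so the paper's "r_i P" becomes G**r_i mod P.
# The aggregate signatures authenticating Rounds 2 and 3 are not modelled here.
Q = (1 << 61) - 1                      # prime 2^61 - 1
P = (1 << 127) - 1                     # prime 2^127 - 1
G = 5                                  # stand-in generator (toy choice)
V0, V1 = b"\x00" * 32, b"\x01" * 32    # the public constants v0 != v1


def h3(point: int) -> int:
    """H3: G1 -> Z_q, modelled as SHA-256 of the group element reduced mod Q."""
    return int.from_bytes(hashlib.sha256(point.to_bytes(16, "big")).digest(), "big") % Q


def h4(*parts: bytes) -> bytes:
    """H4: key derivation function, modelled as SHA-256 over its inputs."""
    return hashlib.sha256(b"|".join(parts)).digest()


def lagrange_eval(points, x):
    """Evaluate at x the unique polynomial of degree < len(points) over Z_Q
    that passes through every (x_m, y_m) in points (Lagrange form)."""
    total = 0
    for m, (xm, ym) in enumerate(points):
        num, den = 1, 1
        for k, (xk, _) in enumerate(points):
            if k != m:
                num = num * (x - xk) % Q
                den = den * (xm - xk) % Q
        total = (total + ym * num * pow(den, -1, Q)) % Q
    return total


def round1(n):
    """Round 1: every U_i picks r_i and broadcasts O_i = r_i P."""
    r = [secrets.randbelow(P - 2) + 1 for _ in range(n)]
    return r, [pow(G, ri, P) for ri in r]


def round2(i, n, r, O):
    """Round 2 for U_i: pick K_i, define f_i through (0, K_i) and (j, H3(r_i O_j)),
    and publish the shares P_ij = f_i(n + j) for every j != i."""
    K = secrets.randbelow(Q)
    pts = [(0, K)] + [(j + 1, h3(pow(O[j], r[i], P))) for j in range(n) if j != i]
    shares = {j: lagrange_eval(pts, n + j + 1) for j in range(n) if j != i}
    return K, shares


def round3(i, n, r, O, shares):
    """Round 3 for U_i: for each j != i, combine U_j's n-1 public shares with the
    one private point (i, H3(r_i O_j)) = (i, H3(r_j O_i)) to recover K_j = f_j(0)."""
    recovered = {}
    for j in range(n):
        if j == i:
            continue
        pts = [(n + l + 1, shares[j][l]) for l in range(n) if l != j]
        pts.append((i + 1, h3(pow(O[j], r[i], P))))
        recovered[j] = lagrange_eval(pts, 0)
    return recovered


def derive(own_K, recovered):
    """key_i = H4(sum of all K_j); ack_i and sk_i follow the compiler step of Algorithm 2."""
    total = (own_K + sum(recovered.values())) % Q
    key = h4(total.to_bytes(8, "big"))
    return key, h4(key, V0), h4(key, V1)


def run_protocol(n):
    """Honest run of the three rounds among n parties; returns every party's view."""
    if n < 2:
        raise ValueError("a group needs at least two participants")
    r, O = round1(n)
    chosen, shares = zip(*(round2(i, n, r, O) for i in range(n)))
    recovered = [round3(i, n, r, O, shares) for i in range(n)]
    acks, sks = [], []
    for i in range(n):
        _, ack, sk = derive(chosen[i], recovered[i])
        acks.append(ack)
        sks.append(sk)
    # Stand-in for the signed key confirmation: U_i accepts only if every other
    # party's ack equals its own (the real protocol signs and aggregate-verifies these).
    accepted = [all(a == acks[i] for a in acks) for i in range(n)]
    return {"chosen": list(chosen), "recovered": recovered, "shares": list(shares),
            "acks": acks, "sks": sks, "accepted": accepted}


def outsider_candidate(shares_j, n, j, guessed_x, guessed_y):
    """What an eavesdropper holding only U_j's n-1 public shares can compute: one
    guessed point completes the interpolation, and every distinct guess yields a
    distinct candidate for K_j, so the public shares alone determine nothing."""
    pts = [(n + l + 1, shares_j[l]) for l in range(n) if l != j] + [(guessed_x, guessed_y)]
    return lagrange_eval(pts, 0)
```

Calling run_protocol(4) gives a view in which every party has recovered every other party's K_j and all parties hold the same ack and sk. A real deployment keeps the pairing group, the map-to-point hash H_1, and the Hess-style signatures of the paper, which is what binds each P_i and recovered K_i to the sender; the example isolates the share-and-recover logic of Rounds 2 and 3 and the reason an eavesdropper learns nothing from the broadcast shares.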

6. SECURITY ANALYSIS OF THE PROTOCOL ID-SS

Theorem 2. Suppose that the hash functions H_1, H_2, H_3, and H_4 are random oracles. Then the protocol ID-SS is an AKE-secure protocol providing perfect forward secrecy under the CDH assumption. Concretely,

$$Adv^{ID\text{-}SS}_{A}(t, q_s, q_h) \le 2 \cdot n \cdot Succ^{Forgery}_{A}(t) + 2 \cdot l \cdot q_h \cdot Succ^{CDH}_{A}(t).$$

Proof. First, we prove the correctness of the protocol: if all users follow the protocol, they compute a common group key. Because r_i O_j = r_i r_j P = r_j O_i, user U_i can compute the polynomial f_j(x) passing through (n + l, P_jl), 1 ≤ l ≤ n, l ≠ j, and (i, H_3(r_i O_j)) from the messages of user U_j. Then U_i computes K_j = f_j(0). By verifying the aggregate signature, U_i can check whether K_j is correct. So all participants derive the same group key K = H_4(K_1 + K_2 + ··· + K_n).
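Why the aggregate check of Round 3 passes for honestly generated signatures, worked out here as an added derivation that is not part of the original paper, writing σ_j for the Round 2 signature r_j P_pub + h_j S_j, S_j = sQ_j for the private key, and P_pub = sP:

$$\sigma_j = r_j P_{pub} + h_j S_j = r_j\, sP + h_j\, sQ_j = s\,(O_j + h_j Q_j),$$

$$e\Big(\sum_{j=1}^{n} \sigma_j,\ P\Big) = e\Big(s \sum_{j=1}^{n} (O_j + h_j Q_j),\ P\Big) = e\Big(\sum_{j=1}^{n} (O_j + h_j Q_j),\ sP\Big) = e\Big(\sum_{j=1}^{n} (O_j + h_j Q_j),\ P_{pub}\Big),$$

where the last two equalities use bilinearity, $e(aP, bQ) = e(P, Q)^{ab}$. Since the verifier recomputes $h_j = H_2(P_j \,\|\, O \,\|\, O' \,\|\, K_j \,\|\, sid \,\|\, pid)$ from the K_j it recovered, a wrong or tampered K_j yields a wrong h_j and the equation fails, which is what ties the recovered secret to its sender.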

Secondly, we prove that the protocol is AKE-secure in the presence of an adversary A:

(1) if A modifies the flows, then we build a forger Γ,

(2) if A does not modify the flows, then we build a CDH-solver Ψ.

Forger Γ

Assume that A breaks the protocol ID-SS by forging a signature with probability at least ε. We construct a forger Γ that produces a valid message-signature pair (ID, m, σ) from A. Γ receives ID as input and has access to a (public) signing oracle. Γ randomly picks i ∈ [1, n] and honestly generates all the other public and private keys of the system; for user U_i, however, Γ sets ID as U_i's public key. Then Γ runs A as a subroutine and answers the oracle queries made by A as follows:

(i) when A makes a "Send(*, m)" query, Γ responds in a straightforward way. When A makes a "Send(*, m, σ)" query, Γ responds in a straightforward way, using the long-term keys to sign the flows, except if A makes a query of the form "Send(Π_i^t, m, σ)". If this occurs, Γ goes through the signing oracle and stores the response in a list α,

(ii) when A makes a "Reveal" query, Γ gives the session key to A,

(iii) when A makes a "Corrupt" query, Γ answers in a straightforward way except if A makes the query "Corrupt(ID)". If this occurs, Γ stops and outputs "Fail,"

(iv) when A makes a "Hash" query, Γ answers as a random oracle in a straightforward way,

(v) when A makes a "Test" query, since all the accepted session keys are known from the "Reveal" queries, the query can be answered with the correct session key.

If A has issued a query "Send(Π_i^t, m, σ)" where σ is a valid signature on m with respect to ID and (m, σ) ∉ α, then Γ stops and outputs (m, σ) as a forgery. Otherwise, Γ simply aborts. So the probability Succ^{Forgery}_A(t) that Γ outputs a forgery is the product of the probability that A generates a valid signature and the probability that the guess of i is correct:

$$Succ^{Forgery}_{A}(t) = \varepsilon \cdot \frac{1}{n}.$$

CDH-attacker Ψ

Next, we assume that A breaks the protocol ID-SS without forging a signature. From such an A, we construct a CDH-attacker Ψ that breaks the protocol by solving an instance of the CDH problem.

Let l be an upper bound on the number of sessions invoked by A. Ψ randomly chooses γ ∈ [1, l] as a guess of which query of A activates the instance for which A will ask its "Test" query.

Ψ receives an instance (P, aP, bP) of the CDH problem as input and randomly selects i, j ∈ [1, n].

Then Ψ runs A as a subroutine and answers the oracle queries made by A. We now describe the simulation of A's oracle queries in detail.

(i) When A makes a "Send(*, m)" query, Ψ proceeds as in protocol ID-SS using a random value, except if the query is "Send(Π_i, m)" or "Send(Π_j, m)" in the γth session. If this occurs, Ψ sets O_i = aP and O_j = bP. When A makes a "Send(*, m, σ)" query, Ψ responds in a straightforward way, using the long-term keys to sign the flows, except if the query is "Send(Π_i, m, σ)" or "Send(Π_j, m, σ)" in the γth session. If this occurs, Ψ responds using a random value and the long-term keys to sign the flows,

(ii) when A makes a "Corrupt" query, Ψ answers with the corresponding long-term private key in a straightforward way,

(iii) when A makes a "Reveal" query, Ψ answers in a straightforward way except if the session key is that of the γth session. In the latter case, Ψ stops and outputs "Fail,"

(iv) when A makes a "Hash" query, Ψ answers as a random oracle in a straightforward way,

(v) when A makes a "Test" query, Ψ answers with a random string.

Since Ψ knows all the keys except for one execution of ID-SS, this simulation is perfectly indistinguishable from an execution of the real protocol ID-SS.

At some stage, A completes and returns a value b'. The probability that Ψ correctly guesses on which session key A will make the "Test" query is the probability that Ψ correctly guesses the value γ, that is, 1/l.

Let askH be the event that A makes a "Hash" query on (K_1 + K_2 + ··· + K_n), and let Forge be the event that A forges a signature with regard to some participant's long-term public key. We emphasize that, in the random oracle model, A cannot gain any advantage on a random value without asking for it. The success probability of Ψ is the probability that A asks the hash oracle for the correct value, multiplied by the probability that Ψ correctly picks that "Hash" query, multiplied by the probability that Ψ correctly guesses γ. That is,

$$Succ^{CDH}_{\Psi}(t) = \Pr[askH] \cdot \frac{1}{q_H} \cdot \frac{1}{l}.$$

Finally, we have

$$
\begin{aligned}
\Pr[b = b'] &= \Pr[b = b' \mid Forge]\,\Pr[Forge] + \Pr[b = b' \mid \neg Forge]\,\Pr[\neg Forge] \\
&\le \Pr[Forge] + \Pr[b = b' \mid \neg Forge]\,\Pr[\neg Forge] \\
&\le \varepsilon + \Pr[b = b' \mid \neg Forge]\,\Pr[\neg Forge] \\
&\le \varepsilon + \Pr[\neg Forge \wedge askH]\,\Pr[b = b' \mid \neg Forge \wedge askH] + \Pr[\neg Forge \wedge \neg askH]\,\Pr[b = b' \mid \neg Forge \wedge \neg askH] \\
&= \varepsilon + \Pr[b = b' \mid \neg Forge \wedge askH]\,\Pr[\neg Forge \wedge askH] + \tfrac{1}{2}\,\Pr[\neg Forge \wedge \neg askH] \\
&\le \varepsilon + \Pr[\neg Forge \wedge askH] + \tfrac{1}{2} \\
&\le \varepsilon + \Pr[askH] + \tfrac{1}{2}.
\end{aligned}
$$

Then from the definition Adv_A(k) = |2Pr[Succ] − 1| and the three equations above, we obtain the result:

$$Adv^{ID\text{-}SS}_{A}(t, q_s, q_h) \le 2 \cdot n \cdot Succ^{Forgery}_{A}(t) + 2 \cdot l \cdot q_h \cdot Succ^{CDH}_{A}(t).$$

We next show that the aggregate signature scheme A is secure against existential forgery under an adaptively chosen ID attack.

Lemma 1. Let G_1 be an additive group of order q and let the map-to-point hash function H_1 be a random oracle. Suppose that a PPT forger A breaks the bilinear aggregate signature scheme A for an adaptively chosen ID with advantage ε_0 and running time t_0, making at most q_{H_1} queries to the hash function H_1. Then from A, we can construct a PPT forger B for a given ID with advantage ε_1 ≥ ε_0(1 − 1/q)/q_{H_1} and running time t_1 ≤ t_0.

Lemma 2. Let the hash functions H_1, H_2 be random oracles. Suppose that B is a PPT forger for a given ID with advantage ε_1 ≥ 10 q_{H_1}(q_s + q_{H_2})/(q − 1) and running time t_1, making at most q_{H_1}, q_{H_2}, q_s, and q_ex queries to the H_1, H_2, "Send", and "Extract" oracles, respectively. Then from B, we can construct a PPT attacker C that solves the CDH problem within time t_2 ≤ 120686 q_{H_2} t_1/ε_1.

The security analysis of Lemmas 1 and 2 is similar to that of [8]; for reasons of space, we omit the proofs. The following theorem then follows directly from the two lemmas.

Theorem 3. Let H_1, H_2 be random oracles. Then the bilinear aggregate signature scheme A on G_1 is secure against existential forgery under an adaptively chosen ID attack under the CDH assumption.

From Theorem 2 and Corollary 1, we deduce the following theorem.

Theorem 4. Suppose that the hash functions H_1, H_2, H_3, and H_4 are random oracles. Then the protocol ID-SS is UC-secure.

7. CONCLUSION

In this paper, a method of constructing UC secure and constant-round GKE protocol was presented. It allows modular design and analysis of the GKE protocol and the resultant protocol only needs three communication rounds to compute a common group key. Moreover, most secret sharing schemes could be adopted to construct UC secure and constant-round GKE protocol according to our method.

The efficiency of UC-secure protocols is usually low, the price of their strong security guarantees. As future work, we plan to formally examine the possibility of extending this security model to improve the performance of protocols, by analyzing the relation between security and efficiency under the UC framework.

ACKNOWLEDGMENTS

This work was supported in part by the National High Technology Research and Development Program of China (2007AA01Z429, 2007AA01Z405), and the National Natural Science Foundation of China (60573036, 60503012, 60702059).

REFERENCES

[1] A. Shamir, "Identity-based cryptosystems and signature schemes," in Proceedings of the 4th Annual International Cryptology Conference (CRYPTO '84), vol. 196 of Lecture Notes in Computer Science, pp. 47-53, Santa Barbara, Calif, USA, August 1984.

[2] E. Bresson, O. Chevassut, and D. Pointcheval, "Provably authenticated group Diffie-Hellman key exchange: the dynamic case," in Proceedings of the 7th International Conference on the Theory and Application of Cryptology and Information Security (ASIACRYPT '01), vol. 2248 of Lecture Notes in Computer Science, pp. 290-309, Gold Coast, Australia, December 2001.

[3] E. Bresson, O. Chevassut, and D. Pointcheval, "Dynamic group Diffie-Hellman key exchange under standard assumptions," in Proceedings of the 21st Annual International Conference on the Theory and Applications of Cryptographic Techniques (Eurocrypt '02), vol. 2332 of Lecture Notes in Computer Science, pp. 321-336, Amsterdam, The Netherlands, April-May 2002.

[4] E. Bresson, O. Chevassut, D. Pointcheval, and J.-J. Quisquater, "Provably authenticated group Diffie-Hellman key exchange," in Proceedings of the 8th ACM Conference on Computer and Communications Security (CCS '01), pp. 255-264, Philadelphia, Pa, USA, November 2001.

[5] M. Steiner, G. Tsudik, and M. Waidner, "Diffie-Hellman key distribution extended to group communication," in Proceedings of the 3rd ACM Conference on Computer and Communications Security (CCS '96), pp. 31-37, New Delhi, India, March 1996.

[6] R. Barua, R. Dutta, and P. Sarkar, "Extending Joux's protocol to multi party key agreement," in Proceedings of the 4th International Conference on Cryptology in India (INDOCRYPT '03), vol. 2904 of Lecture Notes in Computer Science, pp. 205-217, New Delhi, India, December 2003.

[7] K. C. Reddy and D. Nalla, "Identity based authenticated group key agreement protocol," in Proceedings of the 3rd International Conference on Cryptology in India (INDOCRYPT '02), vol. 2551 of Lecture Notes in Computer Science, pp. 215-233, Hyderabad, India, December 2002.

[8] K. Y. Choi, J. Y. Hwang, and D. H. Lee, "Efficient ID-based group key agreement with bilinear maps," in Proceedings of the 7th International Workshop on Theory and Practice in Public Key Cryptography (PKC '04), vol. 2947 of Lecture Notes in Computer Science, pp. 130-144, Singapore, March 2004.

[9] C. Cao, J. Ma, and S. Moon, "Provable efficient certificateless group key exchange protocol," Wuhan University Journal of Natural Sciences, vol. 12, no. 1, pp. 41-45, 2007.

[10] A. Joux, "A one round protocol for tripartite Diffie-Hellman," in Proceedings of the 4th International Symposium on Algorithmic Number Theory (ANTS '00), vol. 1838 of Lecture Notes in Computer Science, pp. 385-394, Leiden, The Netherlands, July 2000.

[11] M. Steiner, G. Tsudik, and M. Waidner, "Key agreement in dynamic peer groups," IEEE Transactions on Parallel and Distributed Systems, vol. 11, no. 8, pp. 769-780, 2000.

[12] I. Ingemarsson, D. T. Tang, and C. K. Wong, "A conference key distribution system," IEEE Transactions on Information Theory, vol. 28, no. 5, pp. 714-720, 1982.

[13] M. Burmester and Y. Desmedt, "A secure and efficient conference key distribution system," in Proceedings of the Workshop on the Theory and Application of Cryptographic Techniques (Eurocrypt '94), vol. 950 of Lecture Notes in Computer Science, pp. 275-286, Perugia, Italy, May 1994.

[14] F. Zhang, S. Liu, and K. Kim, "ID-based one round authenticated tripartite key exchange protocol with pairings," Cryptology ePrint Archive, Report 2002/122, 2002.

[15] K. Becker and U. Wille, "Communication complexity of group key distribution," in Proceedings of the 5th ACM Conference on Computer and Communications Security (CCS '98), pp. 1-6, San Francisco, Calif, USA, November 1998.

[16] Y. Kim, A. Perrig, and G. Tsudik, "Simple and fault-tolerant key agreement for dynamic collaborative groups," in Proceedings of the 7th ACM Conference on Computer and Communications Security (CCS '00), pp. 235-244, Athens, Greece, November 2000.

[17] G. Ateniese, M. Steiner, and G. Tsudik, "New multiparty authentication services and key agreement protocols," IEEE Journal on Selected Areas in Communications, vol. 18, no. 4, pp. 628-639, 2000.

[18] C. K. Wong, M. Gouda, and S. S. Lam, "Secure group communications using key graphs," IEEE/ACM Transactions on Networking, vol. 8, no. 1, pp. 16-30, 2000.

[19] E. Bresson and D. Catalano, "Constant round authenticated group key agreement via distributed computation," in Proceedings of the 7th International Workshop on Theory and Practice in Public Key Cryptography (PKC '04), vol. 2947 of Lecture Notes in Computer Science, pp. 115-129, Singapore, March 2004.

[20] M. Abdalla, E. Bresson, O. Chevassut, and D. Pointcheval, "Password-based group key exchange in a constant number of rounds," in Proceedings of the 9th International Conference on Theory and Practice of Public-Key Cryptography (PKC '06), vol. 3958 of Lecture Notes in Computer Science, pp. 427-442, New York, NY, USA, April 2006.

[21] L. Wang and C.-K. Wu, "Efficient identity-based multicast scheme from bilinear pairing," IEE Proceedings: Communications, vol. 152, no. 6, pp. 877-882, 2005.

[22] W. Diffie and M. E. Hellman, "New directions in cryptography," IEEE Transactions on Information Theory, vol. 22, no. 6, pp. 644-654, 1976.

[23] Y. Kim, A. Perrig, and G. Tsudik, "Tree-based group key agreement," ACM Transactions on Information and System Security, vol. 7, no. 1, pp. 60-96, 2004.

[24] F. Zhang and X. Chen, "Attack on an ID-based authenticated group key agreement scheme from PKC 2004," Information Processing Letters, vol. 91, no. 4, pp. 191-193, 2004.

[25] W.-G. Tzeng, "A secure fault-tolerant conference-key agreement protocol," IEEE Transactions on Computers, vol. 51, no. 4, pp. 373-379, 2002.

[26] J. Pieprzyk and C.-H. Li, "Multiparty key agreement protocols," IEE Proceedings: Computers and Digital Techniques, vol. 147, no. 4, pp. 229-236, 2000.

[27] O. Goldreich, S. Goldwasser, and S. Micali, "How to construct random functions," Journal of the ACM, vol. 33, no. 4, pp. 792-807, 1986.

[28] O. Goldreich, S. Goldwasser, and S. Micali, "On the cryptographic applications of random functions," in Proceedings of the 4th Annual International Cryptology Conference (CRYPTO '84), vol. 196 of Lecture Notes in Computer Science, pp. 276-288, Santa Barbara, Calif, USA, August 1984.

[29] M. Bellare and P. Rogaway, "Random oracles are practical: a paradigm for designing efficient protocols," in Proceedings of the 1st ACM Conference on Computer and Communications Security (CCS '93), pp. 62-73, Fairfax, Va, USA, November 1993.

[30] M. Bellare, R. Canetti, and H. Krawczyk, "A modular approach to the design and analysis of authentication and key exchange protocols," in Proceedings of the 30th Annual ACM Symposium on Theory of Computing (STOC '98), pp. 419-428, Dallas, Tex, USA, May 1998.

[31] J. Katz and J. S. Shin, "Modeling insider attacks on group key exchange protocols," in Proceedings of the 12th ACM Conference on Computer and Communications Security (CCS '05), pp. 180-189, Alexandria, Va, USA, November 2005.

[32] R. Canetti, "Universally composable security: a new paradigm for cryptographic protocols," in Proceedings of the 42nd Foundations of Computer Science Symposium (FOCS '01), pp. 136-145, Las Vegas, Nev, USA, October 2001.

[33] R. Canetti and H. Krawczyk, "Universally composable notions of key exchange and secure channels," in Proceedings of the 21st International Conference on the Theory and Applications of Cryptographic Techniques (Eurocrypt '02), vol. 2332 of Lecture Notes in Computer Science, pp. 337-351, Amsterdam, The Netherlands, April-May 2002.

[34] D. Boneh and M. Franklin, "Identity-based encryption from the Weil pairing," SIAM Journal on Computing, vol. 32, no. 3, pp. 586-615, 2003.

[35] D. Boneh, C. Gentry, B. Lynn, and H. Shacham, "Aggregate and verifiably encrypted signatures from bilinear maps," in Proceedings of the 22nd Annual International Conference on the Theory and Applications of Cryptographic Techniques (Eurocrypt '03), vol. 2656 of Lecture Notes in Computer Science, pp. 416-432, Warsaw, Poland, May 2003.

[36] F. Hess, "Efficient identity based signature schemes based on pairings," in Proceedings of the 17th Annual ACM Symposium on Applied Computing (SAC '02), pp. 310-324, Madrid, Spain, March 2002.

[37] R. Dutta, R. Barua, and P. Sarkar, "Pairing-based cryptography: a survey," Cryptology ePrint Archive, Report 2004/064, 2004.

[38] M. Bellare and P. Rogaway, "Entity authentication and key distribution," in Proceedings of the 13th Annual International Cryptology Conference (CRYPTO '93), vol. 773 of Lecture Notes in Computer Science, pp. 232-249, Santa Barbara, Calif, USA, August 1993.

[39] M. Bellare and P. Rogaway, "Provably secure session key distribution: the three party case," in Proceedings of the 27th Annual ACM Symposium on Theory of Computing (STOC '95), pp. 57-66, Las Vegas, Nev, USA, May-June 1995.
