Research Article | Open Access
Silan Zhang, Jianhua Chen, Jingbo Xia, Xiaochuan Ai, "An XTR-Based Constant Round Key Agreement Scheme", Mathematical Problems in Engineering, vol. 2013, Article ID 596868, 9 pages, 2013. https://doi.org/10.1155/2013/596868
An XTR-Based Constant Round Key Agreement Scheme
A new XTR-based key agreement scheme with constant rounds is presented. Three theorems are formulated to reveal the logarithmic computational complexity of this scheme. Furthermore, the computation framework of XTR-based key agreement scheme is introduced, and security of the scheme is proven under the formal model.
Key agreement is to construct secure infrastructures for networks by computing a common session key among a pool of group members. It is a central issue in various multicast applications such as pay preview broadcast of TV program, teleconferencing, military communication, and distributed interactive games.
The pioneer work can be traced to Steiner et al.  in 1996, who proposed the first key agreement scheme, GDH. As an extension of Diffie-Hellman key exchange based on the discrete logarithm problem in , GDH achieves group key exchange, and it is known as the first key agreement scheme. After that, various improved schemes of GDH are presented such as CLIQUES  and TGDH . Unfortunately, the improved schemes are still flawed in excessive computation or unreasonable communication.
Nowadays, it has been widely accepted that a reliable key agreement scheme should meet three utmost crucial demands: fast computation, less communication, and provable security. Here the first demand, that is, fast computation, relies heavily on the algorithm one designed. With the outcome of the new ideas in cryptosystems, including elliptic curve cryptography (ECC) and Hash, computation efficiency in key agreement scheme was increased gradually. At first, the computations were based on the discrete logarithm problem, like Steiner’s classic work [1, 2], Kim’s TGDH , and a lot of forthcoming schemes [4–6]. Afterwards, Hash function was incorporated into some schemes to increase the computation efficiency, referring to Tso et al.’s work , Fu et al.’s work , and so forth. With the development of elliptic curves cryptography, faster computing module like Weil paring was regarded as a good replacement for common exponentiations or multiplications computations in traditional scheme. By using Weil paring on elliptic curve, the pairwise key agreement protocol , the tripartite key agreement protocol , and the ID-based authenticated group key agreement scheme  were given. A newer tendency was to constructing key agreement without using pairing computation; see He et al.’s work .
The second demand is less communicate, which refers to less information exchange between group members. In 2004, the bottleneck of key agreement scheme was illustrated as communication rounds, instead of computation rounds, which reveals the emphasis of design for an efficient key agreement scheme. In the beginning, GDH.3, proposed by Steiner et al. , need rounds of communications. Kim et al.  and Dutta and Barua  reduced the rounds of communications to and , respectively. Afterwards, key agreement with four rounds of communications are proposed by Tso et al. , Fu et al. , Zheng et al. , and so forth, and computation complexity of these schemes is slight. From Tso et al. , Fu et al.  to Zheng et al. , the number of exponentiations is decreased from , to , and the numbers of hash are , , and , respectively. In the meantime, the reduction of communication rounds has been regarded as a central issue. Three rounds scheme is obtained by Nam et al. , Augot et al.  Yao et al. , and so forth. Recently, the rounds of communications have been reduced to two rounds, where Lv and Li , He et al. , and Feng et al.  contribute a lot. In short, key agreement with less communications has drawn many attentions nowadays, and for recent researches and reviews, refer to [16, 23, 24].
Besides the computation cost and communication, another focus on research of the key agreement scheme is the security analysis. The reason lies in two aspects. Firstly, it was widely accepted that a secure key agreement should meet several demands, including key completeness, forward secrecy, and backward secrecy. Secondly, the claim of a secure new scheme should be on the basis of a strict and formal proof, instead of colloquial illustration or informal proof. The strict proof of scheme was commenced by Bresson et al. , who modeled the execution of an authenticated group Diffie-Hellman scheme and proved its security by defining a formal model. Raymond Choo et al.  gave formal proof of certain known protocol to reveal their weakness in the security and henceforth encourage the future designer to provide proofs of security for new protocols. Actually, the importance of provable security has been widely accepted nowadays, and it has been an indispensable part of almost all key agreement schemes appeared in the newly published literatures.
Unfortunately, few schemes can achieve all the three goals because of the unbalance between security and efficiency. However, a suitable balance between computation, communication, and security is utmost importance in current key agreement research. In terms of this, this study is to propose a reliable scheme which meets the above three demands by taking the advantages of Lenstra’s XTR cryptosystem [19, 20]. Here, XTR stands for ECSTR, which is an abbreviation for Efficient and Compact Subgroup Trace Representation. Actually, XTR is an efficient cryptosystem and the mathematics underlying XTR is straightforward while compared to ECC . Moreover, the corresponding XTR public keys are only about twice as large as ECC keys, assuming global system parameters. Unlike RSA and ECC, parameter initiation from scratch for XTR takes a negligible amount of computing time . Furthermore, Verheul  showed that XTR is at least as secure as supersingular elliptic curve system. This conclusion relied on a deduction that the elapse of XTR might lead to the elapse of ECC. Henceforth, the security of XTR was ensured.
In this paper, three algorithms with computation complexity in XTR theory are given. Based on these algorithms, an XTR-based key agreement scheme with constant rounds (XTR-CR) is proposed. The scheme achieves high efficiency and is scalable in computation and security as well. Moreover, the efficiency in computation and communication between XTR-CR and XTR-GDH, which is the natural analogue of GDH in XTR, is compared and the better efficiency of the XTR-CR is shown. Finally, under a decisional Diffie-Hellman (DDH) assumption, the XTR-CR is proved to be secure against active adversary in the formal model. The paper is organized as follows. In Section 2, introductions of XTR cryptosystem with three computation theorems are given. Section 3 introduces our new scheme. The security proof of the new scheme is presented in Section 4. Conclusions are given in the last section.
2. XTR Cryptosystem
As a reliable key agreement scheme which is aiming to achieve good balance in efficiency and security, this scheme is designed on the basis of XTR. Since the XTR cryptosystem has not ever been incorporated into key agreement scheme, preliminaries of XTR cryptosystem are introduced in Section 2.1. By giving and proving three related computation theorems in Section 2.2, computation complexity of our XTR-based scheme is clarified.
For a given , let be the polynomial with roots in , and denote for all . The trace over of is the sum of conjugates over , that is, . Security analysis of the XTR system is based on the difficulties of the following three computational problems:(i)XTR-DL problem: discrete logarithm problem in XTR system. Given , one computes such that ,(ii)XTR-DH problem: Diffie-Hellman problem in XTR system. This problem is the computation of with given and . The XTR-Diffie-Hellman value is denoted by , ,(iii)XTR-DDH problem: decisional Diffie-Hellman problem of determining whether with given .
Unlike RSA and Elgamal, the computation in XTR is involved in a subgroup of multiplicative group with order . The computation owns polynomial complexity, and as a result, it ensures the high efficiency of the implementation. Furthermore, in order to evaluate the security level of XTR, the following equivalence was proven .(i)The XTR-DL problem is equivalent to the DL problem in .(ii)The XTR-DH problem is equivalent to the DH problem in.(iii)The XTR-DL problem is equivalent to the DDH problem in.
where the problem A is equivalent to problem B, if any instance of problem A (or B) can be solved by at most (or ) calls to an algorithm solving problem B (or A).
2.2. Computation Theorem of XTR
For simplicity, denote , , and , and denote as the hash function from to.
Let be matrix over with and defined above, and let be the center column of a matrix .
Lemma 1 (Theorem in ). Given , computation of takes multiplications in .
Lemma 2 (Lemma in ). , for .
Lemma 3 (Corollary in ). , where is defined before.
Lemma 4 (Lemma in ). The determinant of equals . If, then
Lemma 5 (Corollary in ). .
Lemma 6 (Theorem in ). Given and , the trace of is computed at a cost of multiplications in , for and unknown .
Based on the above lemmas, three theorems crucial to the implementation of XTR-CR scheme can be obtained.
Theorem 7. It takes 12 multiplications in to compute with and .
Theorem 8. For unknown , givenand, the multiplicationis computed at a cost of 40 multiplications in.
Proof. First and can be computed from Lemma 2, that is,
As a result, and can be obtained from the computed vector . From Theorem 7, we have
Thus is computed.
Note that and are computed in advance, so it takes 4 multiplications to compute and . From Theorem 7, it costs 12 rounds multiplications in each turn to compute and , summing up to 36. Thus the total demanded multiplication is 40, and the proof of Theorem 8 is now complete.
Theorem 9. For given , , and unknown , the computation of takes multiplications in .
Proof. From given , , and unknown , one can compute via Lemma 6 by multiplications. Since the matrix is precomputed, 22 multiplications can be reduced. Similarly, the computation of takes multiplications. Thus is computed. In conjunction with Lemma 1, the claim is direct.
3. The XTR-Based Key Agreement Scheme
In this section, the new scheme XTR-CR is presented. For this, the fundamental application of Lenstra and Verheul’s work  is mentioned first in Section 3.1. After that, two group extension protocols, XTR-GDH and XTR-CR, are listed in Section 3.2. Among them, XTR-GDH is the natural extension of GDH by combining XTR, while XTR-CR is our proposed new scheme with low computation complexity and two rounds of communications. Finally, explicit comparisons of XTR-CR, XTR-GDH, and other competitive schemes are performed in Section 3.3, so as to reveal the advantage of XTR-based schemes, especially XTR-CR.
3.1. Key Exchange between Alice and Bob
XTR-Diffie-Hellman key exchange protocol between two members is a routine idea in Lenstra and Verheul’s work , and it is remarkable enough to illustrate here in detail.
Suppose that Alice and Bob, who both have access to the XTR public key data , , , want to agree on a shared secret key . This is done by using the following XTR version of Diffie-Hellman protocol.
Step 1. Alice selects a random , uses Algorithm 2.37 in , computes , and sends to Bob.
Step 2. Bob receives from Alice, selects randomly, similarly computes , and sends to Alice.
Step 3. Alice receives , computes , and determines based on .
Step 4. Bob receives , computes , and also determines based on .
3.2. Key Agreement of Group
Here, we present two constant-round communication protocols for the group key agreement. One is an analogue of GDH in XTR, denoted as XTR-GDH, another is the proposed scheme, XTR-CR.
Assume that there are members in group, that is, , and an identity code has been assigned to each member in advance.
3.2.1. Analogue of GDH in XTR: XTR-GDH
The first protocol XTR-GDH is a natural extension of . Steiner’s Group Diffie-Hellman protocol .
Step 1. selects randomly, computes , and broadcast message to .
Step 2. selects a random , computes , and sends message back to .
Step 3. computes via XTR-DH method, hashes it to . Let , and broadcasts messages to .
Step 4. The session key is .
3.2.2. Proposed Scheme: XTR-CR
Below is the scheme we proposed, Algorithm XTR-CR.
Step 1. selects a random , computes , and broadcasts message to .
Step 3. Each computes by Theorem 9. By doing this, reveal the session key by computing . Thus is the session key. The key agreement procedure is finished.
The flow charts of two schemes are depicted in Figure 1.
During the whole process, the latter member acts as a sponsor which carries heavier computation burden than other members. The obligation of sponsor is reasonable and necessary, because the presence of sponsor not only provides high efficiency for the scheme but also keeps the member equality in the group. This property is similar to that in the scheme of GDH  and TGDH .
3.3. Comparison of XTR-GDH, XTR-CR, and Other Competitive Key Agreement Schemes in Communication and Computation
The performances of XTR-based scheme are compared with several competitive key agreement schemes by considering the computations, message amount, and communications. Twelve typical key agreement schemes are listed in Table 1 for comparison with XTR-based schemes in terms of efficiency. All of the chosen schemes are listed with the descending order according to the number of communication rounds. Among them, GDH.3  and TGDH  are classic and traditional protocols, while Dutta95  show better performance in the rounds of communication. Other schemes are typical and competitive key agreement schemes in the literature, as introduced in the first section, and the number of communication rounds is sorted from four, three to two. As a typical one round protocol, Shim’s work  is designed for three-party key agreement instead of arbitraryentities, and signature is demanded; therefore, it is not equal to give a computation comparison. The explicit information of these schemes could be found in Table 1.
As shown in Table 1, both XTR-GDH and XTR-CR perform good in the rounds of communications. In the following, performances in XTR-based schemes will be compared with other two or three round communication schemes.
Among these schemes with three rounds communications, XTR-GDH only demands scalar multiplications, which seems better than YWJ08  and slightly weaker than NPKW07 , and the latter need exponentiations. Though Daniel07  need much less computations than XTR-GDH, it could be easily found that XTR-GDH owns the least message amount. These results show that XTR-GDH is also a competitive scheme.
While observing the performance of XTR-CR among two rounds communication schemes, scalar multiplications are counted for XTR-CR. The computation load in XTR-CR is less than that in FWM08  but a little heavier than that in LL10  and Xiong13 . Taking into account thatorpairing computation is time-consuming for LL10  and Xiong13 , XTR-CR needs comparatively less computations than the above schemes. Besides, message amount of XTR-CR is the least among all of the schemes.
If compared XTR-GDH with XTR-CR, the latter performs better in communication and message amount. Meanwhile, XTR-CR shows slight weakness in computation complexity. For the sake of rapid development of XTR cryptosystem, the weakness in XTR-CR is subtle. Moreover, as mentioned in Section 1, key agreement with less communication is critical in the implementation. Since XTR-GDH needs one more communication than XTR-CR, the proposed scheme is a better and more efficient scheme than XTR-GDH.
In short, result from full comparisons of fourteen competitive key agreement schemes shows that XTR-GDH and XTR-CR achieve good balance in the performance of computation and communication. Moreover, XTR-CR performs the best both in computation and communication.
4. Security Analysis of XTR-CR
In this section, a formal model is utilized to prove that XTR-CR scheme is secure against adversary under XTR-DDH assumption. The explicit security proof of the proposed scheme is given in Section 4.2.
4.1. Security Basis of Formal Model
Let be a set of users who wish to participate in a group key agreement. One assumes that is polynomially bounded in the security parameter . A player has many instances called oracles, involved in distinct concurrent executions of protocols. The instances of player are denoted as .
The adversary has an endless supply of oracles and makes various queries to them. Each query models a capability of adversary.(i)Execute (). This query returns a transcript of an honest protocol execution among instances of users in . (ii)Send (). This query sends message to oracle . When oracle receives the message , it proceeds as specified in the protocol; the oracle updates its state and then generates and sends out a response message as needed. The response message is returned to the adversary . A query of form Send () allows adversary to initiate an execution of the protocol. (iii)Reveal (). This query returns the session key if oracle has computed a session key. This query models the capability of adversary to obtain some session keys. (iv)Corrupt (). The long-term private key of user is returned in response to the query which is considered to deal with forward secrecy. (v)Dump (). This query returns all short-term secret values used by oracle , modeling the adversary’s capability to embed a Trojan horse or other forms of malicious code into a system and then log all the session-specific information of victim. But neither the session key computed by nor the long-term private key is returned. (vi)Test (). This query is asked only once when the adversary wants to attempt to distinguish the real session key from a random fake key, modeling the semantic security of session key . To answer the query, one flips a secret coin and returns the real session key if , or else a random string chosen from , if , where is the length of session key to be distributed in the protocol. This query is made only if oracle is fresh, and the definition of which will be given below.
To quantify the ability of an adversary , one consider the query action of here. During the execution of protocol, the adversary , at any time, asks a Test query to a fresh oracle, then gets back an -bit string as the response to this query, and at some later point, outputs a bit as a guess for the hidden bit . Let Correct Guess () be the event that . Then we define the advantage of in attacking protocol to be We define protocol as secure against an adversary if is negligible.
According to the illustration of XTR-DDH problem in Section 2, a formal description of XTR-DDH assumption is displayed below.
Let be XTR group, and let be randomly chosen elements in . Informally, the XTR-DDH assumption is that it is difficult to distinguish between the distributions of and .
More formally, if we define as the XTR-DDH assumption holds in if is negligible for any probabilistic polynomial time adversary . We denote by the maximum value of over all adversaries running in time at most .
4.2. Security Proof of the Key Agreement Protocol
Theorem 10. Let be a passive adversary attacking protocol XTR-CR, running in time and making Execute queries. Then one has where , with being the time required to compute an exponentiation in .
Proof. Assume that can guess the hidden bit correctly with probability . Then we construct from a distinguisher that solves the XTR-DDH problem in with probability .
Before describing the construction of , we define the following two distributions.
Consider the followingwhere as in protocol XTR-CR, is the transcript of message and is the hash value. We now construct a distribution by the triple , as below:where , are defined above and , , .
If is a XTR-DH triple (i.e., ), then , since triple for all . If not, is a random triple, so . Thus a distribution is constructed to display the advantage of XTR-DDH.
Hence, let be an algorithm that, given computing from and distributions, runs in time and outputs or . Then, we have
On the other hand, it is clear to find that the transcript in experiment is independent of , which implies that for any computationally unbounded adversary , we have The detail of construction of distinguisher is given now. Assume without loss of generality that makes its Test query to an oracle activated by the th Execute query. The distinguisher begins by choosing a random bit as a guess for the value of . Then invokes and simulates the queries of . answers all the queries from in a specified way, following the protocol, except in the th query. In this latter case, embed the DDH problem instance into the transcript as follows.
Given a triple , generates according to the distribution and answers the th Execute query of with . The distinguisher aborts and outputs a random bit of . Otherwise, answers the Test query of with .
When terminates and outputs its guess , outputs if , and otherwise. If is a XTR-DDH triple, from the deduction mentioned before, it is deduced that , and thus . If not, is a random triple, and then and . Finally, since , we obtain From , we have that Therefore,
Thus the theorem follows.
The result of the above theorem shows that the security of proposed key agreement scheme is based on the computational difficulty of XTR-DDH problem. Also, it is shown that the proposed scheme is secure against adversary’s attacking under XTR-DDH assumption.
Moreover, the result of this security proof also supports the idea of Steiner et al. , who proved that DDH assumption implied the G-DDH assumption. Here, G-DDH is short for group decisional Diffie-Hellman assumption, which refers to the difficulty of distinguishing from a random value by knowing elements for some subsets of indices . Actually, Theorem 10 could be regarded as an evidence for this result.
In this paper, a constant round key agreement scheme XTR-CR is proposed on the basis of XTR cryptosystem. Three theorems are given to make a theoretical guarantee of the quick implementation of system. Moreover, under XTR-DHH assumption, the security of scheme is proved in the formal model. It is believed that this scheme is efficient both in communication and computation. Hence, this proposed scheme is reliable in the sense of achieving three efficient and secure demands: less communication, fast computation, and provable security.
This work is supported by doctoral fund of Huazhong Agricultural University, 52204-06072, National Natural Science Foundation of China (Grant no. 61202305), and Project 2013PY120 supported by the fundamental research funds for the central universities. Thanks are also given to the anonymous reviewers for their appreciated suggestions.
- M. Steiner, G. Tsudik, and M. Waidner, “Diffie-Hellman key distribution extended to group communication,” in Proceedings of the 3rd ACM Conference on Computer and Communications Security, pp. 31–37, March 1996.
- M. Steiner, Secure group key agreement [Ph.D. thesis], Universitat des Saarlandes, 2002.
- Y. Kim, A. Perrig, and G. Tsudik, “Tree-based group key agreement,” ACM Transactions on Information and System Security, vol. 7, no. 1, pp. 60–96, 2004.
- R. Dutta and R. Barua, “Dynamic group key agreement in tree-based setting,” in Proceedings of the 10th Australasian Conference on Information Security and Privacy (ACISP '05), pp. 101–112, July 2005.
- J. Nam, J. Paik, U. M. Kim, and D. Won, “Constant-round authenticated group key exchange with logarithmic computation complexity,” Applied Cryptography and Network Security, Springer, Heidelberg, Germany, vol. 4521, pp. 158–176, 2007.
- D. Augot, R. Bhaskar, V. Issarny, and D. Sacchetti, “A three round authenticated group key agreement protocol for ad hoc networks,” Pervasive and Mobile Computing, vol. 3, no. 1, pp. 36–52, 2007.
- R. Tso, X. Yi, and E. Okamoto, “ID-based key agreement for dynamic peer groups in mobile computing environments,” in Proceedings of the 2nd IEEE Asia-Pacific Services Computing Conference (APSCC '07), pp. 103–108, December 2007.
- X. Fu, Q. Xu, and H. Wang, “A provably-secure password-authenticated group key agreement in the standard model,” Journal of Networks, vol. 4, no. 8, pp. 763–770, 2009.
- G. Yao and D.-G. Feng, “Pairwise key agreement protocols based on the weil pairing,” Journal of Software, vol. 17, no. 4, pp. 907–914, 2006.
- A. Joux, “A one round protocol for tripartite Diffie-Hellman,” in Algorithmic Number Theory, vol. 1838 of Lecture Notes in Computer Science, pp. 385–394, 2001.
- X. Lv and H. Li, “ID-based authenticated group key agreement from bilinear maps,” Frontiers of Computer Science in China, vol. 4, no. 2, pp. 302–307, 2010.
- D. He, Y. Chen, J. Chen, R. Zhang, and W. Han, “A new two-round certificateless authenticated key agreement protocol without bilinear pairings,” Mathematical and Computer Modelling, vol. 54, no. 11-12, pp. 3143–3152, 2011.
- M.-H. Zheng, H.-H. Zhou, J. Li, and G.-H. Cui, “Efficient and provably secure password-based group key agreement protocol,” Computer Standards and Interfaces, vol. 31, no. 5, pp. 948–953, 2009.
- G. Yao, H. Wang, and Q. Jiang, “An authenticated 3-round identity-based group key agreement protocol,” in Proceedings of the 3rd International Conference on Availability, Security, and Reliability (ARES '08), pp. 538–543, March 2008.
- T. Feng, Y. Wang, and J. Ma, “A secure and efficient group key agreement for ad hoc networks,” in Proceedings of the International Symposium on Computer Science and Computational Technology (ISCSCT '08), pp. 540–543, December 2008.
- E. Makri and E. Konstantinou, “Constant round group key agreement protocols: a comparative study,” Computers and Security, vol. 30, no. 8, pp. 643–678, 2011.
- E. Bresson, O. Chevassut, and D. Pointcheval, “Provably authenticated group Diffie-Hellman key exchange—the dynamic case,” in Advances in Cryptology—ASIACRYPT 2001, C. Boyded, Ed., vol. 2248 of Lecture Notes in Computer Science, pp. 290–309, Springer, Berlin, Germany, 2001.
- K. K. Raymond Choo, C. Boyd, and Y. Hitchcock, “The importance of proofs of security for key establishment protocols: formal analysis of Jan-Chen, Yang-Shen-Shieh, Kim-Huh-Hwang-Lee, Lin-Sun-Hwang, and Yeh-Sun protocols,” Computer Communications, vol. 29, no. 15, pp. 2788–2797, 2006.
- A. K. Lenstra and E. R. Verheul, “The XTR public key system,” in Advances in Cryptology, vol. 1880 of Lecture Notes in Computer Science, pp. 1–19, Springer, Berlin, Germany, 2000.
- A. K. Lenstra and E. R. Verheul, “An overview of the XTR public key system,” in Proceedings of the Conference on Public Key Cryptography and Computational Number Theory, pp. 151–180, Warsaw, Poland, 2000.
- M. Stam and A. K. Lenstra, “Speeding up XTR,” in Advances in Cryptology—ASIACRYPT 2001, vol. 2248 of Lecture Notes in Computer Science, pp. 125–143, Springer, Berlin, Germany, 2001.
- E. Verheul, “Evidence that XTR is more secure than supersingular ellipticcurve cryptosystems,” in Advances in Cryptology—EUROCRYPT 2001, B. Pfitzmann, Ed., vol. 2045 of Lecture Notes in Computer Science, pp. 195–210, Springer, Berlin, Germany, 2001.
- K.-A. Shim, “A round-optimal three-party ID-based authenticated key agreement protocol,” Information Sciences, vol. 186, no. 1, pp. 239–248, 2012.
- H. Xiong, Z. Chen, and F. Li, “New identity-based three-party authenticated key agreement protocol with provable security,” Journal of Network and Computer Applications, vol. 36, no. 2, pp. 927–932, 2013.
Copyright © 2013 Silan Zhang et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.