# A Secure Multicast Key Agreement Scheme

## Abstract

Wu et al. proposed a key agreement scheme to securely deliver a group key to group members. Their scheme uses a polynomial to deliver the group key. When the membership changes dynamically, the system refreshes the group key by sending a new polynomial. We show that, in this situation, Wu et al.’s scheme is vulnerable to the differential attack, because these polynomials have a linear relationship. We use a hash function and a random number to solve this problem. The secure multicast key agreement (SMKA) scheme proposed in this paper prevents not only the differential attack but also the subgroup key attack. The modification reinforces the robustness of the scheme.

## Keywords

Cryptography; Security; Secure multicast; Conference key; Key distribution

## 1 Introduction

Many security protection schemes [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 14] have been developed for an individual multicast group. Some schemes address secure group communications by using a secure filter [1, 2, 3, 4] to improve the performance of key management. Wu et al. [4] proposed a key agreement scheme to securely and efficiently deliver a group key to specific members. The system conceals the group key within a polynomial built from the common keys shared with the members. In Wu et al.’s scheme, this polynomial is called a secure filter. Through their scheme, only the legitimate group members can derive a group key generated by a central authority over a public channel. Nevertheless, under dynamic membership, the scheme suffers from the differential attack, which we describe later. Dynamic membership means the addition and removal of group members. Naturally, the membership changes because of network failure or explicit, application-driven membership change [5, 6]. If an adversary collects the secure filters broadcast to the group members as the membership changes, the group keys sent to the group members within the secure filter will be discovered through the differential attack [11].

The secure multicast key agreement (SMKA) scheme proposed in this paper is a kind of secure filter that resists the differential attack. The proposed secure filter is based on the properties of a cryptographically secure one-way hash function. Moreover, the complexity of the modified secure filter is almost the same as that of the original one.

The rest of this paper is organized as follows. Sect. 2 gives an overview of the secure filter and of the differential attack against the secure filter under dynamic membership. Sect. 3 introduces our scheme. Sect. 4 gives the security proof of our scheme. Sect. 5 concludes the paper.

## 2 The Secure Filter and the Differential Attack

### 2.1 Wu et al.’s Scheme

Consider a group *G*, where *G* = [*M* _{1}, *M* _{2}, ···, *M* _{ n }], in which *M* _{ i } indicates the *i*-th group member. *M* _{ i } shares a common key *k* _{ i } with the central authority. As the central authority starts to send a group key *s* to the members in *G*, the central authority computes the secure filter as follows.

Then the central authority broadcasts the coefficient of each term. Upon receiving the coefficients, *M* _{ i } can derive *s* by computing *f*(*h*(*k* _{ i })). An adversary cannot derive *s* because he does not know any *k* _{ i }, where *i* = 1, 2, ···, *n*.

### 2.2 A Differential Attack on Wu et al.’s Scheme

Consider an adversary *Ad*, where *Ad* ∉ *G*. *Ad* collects each secure filter used to send a group key at each session, where a session means a period of time during which the membership is unchanged. Observing the coefficients of the secure filter, we learn the relationship as follows.

If *M* _{3} is excluded from the group, which may be caused by a network failure, then the central authority re-computes the following secure filter to refresh the group key, where *n′* means the number of members after *M* _{3} is excluded.

For the coefficient *a* _{ n′-1}, the adversary can compute *a* _{ n-1} - *a* _{ n′-1} to derive *h*(*x* _{3}). Through *h*(*x* _{3}), the adversary can derive the previous group keys from the preceding secure filters. Moreover, when *M* _{3} returns to the group, the central authority will refresh the group key through another secure filter composed with the secure factor *h*(*x* _{3}). Then the adversary who has already derived *h*(*x* _{3}) through the differential attack can derive any group key as long as *M* _{3} is in the group.

## 3 Our Scheme

Notations

| Symbol | Meaning |
|---|---|
| *CA* | central authority |
| *n* | number of the group members at the session |
| *h*(·) | cryptographically secure one-way function |
| *c* _{ t } | random number used at the session *t* |
| *s* _{ t } | group key for the session *t* |
| *M* _{ i } | *i*-th group member |
| *k* _{ i } | common key shared only between *M* _{ i } and the *CA* |
| *x* _{ i } | secure factor of the modified secure filter |
| *f* _{ t }(*x*) | modified secure filter for the session *t* |

### 3.1 SMKA Scheme

Assume there are *n* group members at the session *t*. The set of these group members at the session *t* is denoted as *G* _{ t }, where *G* _{ t } = [*M* _{1}, *M* _{2}, ···, *M* _{ n }]. *M* _{ i } denotes the *i*-th group member, where *i* ∊ [1, 2, ···, *n*]. The set of the common keys is denoted as *K* _{ t }, where *K* _{ t } = [*k* _{1}, *k* _{2}, ···, *k* _{ n }]. Before the *CA* starts to send the group key *s* _{ t } for the session *t* to the members in *G* _{ t }, the *CA* generates a random number *c* _{ t }. Then the *CA* computes the secure factors below.

Here *k* _{ i } ∊ *K* _{ t } and *i* = {1, 2, ···, *n*}. Next, the *CA* generates a group key *s* _{ t } and calculates the modified secure filter below.

The *CA* can derive the expansion of *f* _{ t }(*x*) as follows.

The *CA* broadcasts the set of the coefficients, denoted as *A*, together with *c* _{ t }, where *A* = [*a* _{ n }, *a* _{ n-1}, ···, *a* _{0}]. After receiving *A* and *c* _{ t }, the group member *M* _{ i } computes the secure factor *x* _{ i } through the procedure of (1) with the common key *k* _{ i } and *c* _{ t }. Next, *M* _{ i } derives *s* _{ t } by calculating *f* _{ t }(*x* _{ i }) = *f* _{ t }(*h*(*k* _{ i }||*c* _{ t })). In the next session *t* + 1, the *CA* generates a new random number *c* _{ t+1} and repeats the procedures (1) to (3) to send the secret *s* _{ t+1} to *G* _{ t+1}, where *G* _{ t+1} may differ from *G* _{ t }.
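As an added illustration (not the paper's own code) of both the differential attack of Sect. 2.2 and the SMKA construction of Sect. 3.1: it assumes the secure filter has the form *f*(*x*) = ∏(*x* − *x* _{ i }) + *s* over a prime field (consistent with *f*(*h*(*k* _{ i })) = *s*), instantiates *h*(·) as SHA-256 reduced into that field, and uses constructed member keys and group-key values. It shows the coefficient difference recovering the departed member's factor under Wu et al.'s fixed factors *h*(*k* _{ i }), and yielding nothing useful under SMKA's per-session factors *h*(*k* _{ i }||*c* _{ t }).

```python
import hashlib
import secrets
# Constructed example, not the paper's code. Assumption: the secure filter has the
# form f(x) = prod_i (x - x_i) + s (mod P), so f(x_i) = s for every member,
# consistent with f(h(k_i)) = s in Sect. 2.1. P is a constructed prime modulus.
P = 2**127 - 1

def h(*parts: bytes) -> int:
    """One-way function h(.): SHA-256 of the '||'-joined parts, reduced mod P."""
    return int.from_bytes(hashlib.sha256(b"||".join(parts)).digest(), "big") % P

def secure_filter(factors, s):
    """Coefficients [a_n, ..., a_0] of f(x) = prod (x - x_i) + s over GF(P)."""
    coeffs = [1]
    for x_i in factors:  # multiply the running product by (x - x_i)
        new = [0] * (len(coeffs) + 1)
        for j, a in enumerate(coeffs):
            new[j] = (new[j] + a) % P                 # a * x
            new[j + 1] = (new[j + 1] - a * x_i) % P   # a * (-x_i)
        coeffs = new
    coeffs[-1] = (coeffs[-1] + s) % P                 # hide the group key in a_0
    return coeffs

def evaluate(coeffs, x):
    """Horner evaluation of f(x); a member holding a valid x_i obtains s."""
    acc = 0
    for a in coeffs:
        acc = (acc * x + a) % P
    return acc

def differential(coeffs_t, coeffs_tp):
    """Sect. 2.2: a_{n-1} = -sum(x_i), so the difference between the session-t and
    session-t' second coefficients isolates the departed member's factor x_3."""
    return (coeffs_tp[1] - coeffs_t[1]) % P  # paper's a_{n-1} - a_{n'-1}, negated

def demo(keys=(b"k1", b"k2", b"k3"), s_t=1234567, s_tp=7654321):
    """Constructed run: all members at session t, M_3 excluded at session t'."""
    # Wu et al.: x_i = h(k_i) is fixed across sessions, so the differential leaks x_3.
    wu_t = secure_filter([h(k) for k in keys], s_t)
    wu_tp = secure_filter([h(k) for k in keys[:2]], s_tp)
    # SMKA: x_i = h(k_i || c_t) with a fresh random c_t per session (eq. (1)).
    c_t, c_tp = secrets.token_bytes(16), secrets.token_bytes(16)
    sm_t = secure_filter([h(k, c_t) for k in keys], s_t)
    sm_tp = secure_filter([h(k, c_tp) for k in keys[:2]], s_tp)
    return {
        "wu_member_gets_s": evaluate(wu_t, h(keys[0])) == s_t,
        "wu_leaks_x3": differential(wu_t, wu_tp) == h(keys[2]),          # True
        "smka_member_gets_s": evaluate(sm_t, h(keys[0], c_t)) == s_t,
        "smka_leaks_x3": differential(sm_t, sm_tp) == h(keys[2], c_t),  # False
    }
```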

## 4 Security and Complexity Analyses

In this section, we show that the modified secure filter can resist the differential attack. Moreover, we prove that the modified secure filter can also prevent the subgroup key attack [13, 14], which could compromise other common keys through a factorizing algorithm [15].

### Proposition 1.

*A cryptographically secure hash function h*(·) *has the properties: intractability, randomness, collision-free, unpredictability.*

Proposition 1 is a standard assumption in cryptography [15]. Intractability means that, given only a hash value *y*, where *y* = *h*(*x*), the value of *x* is intractable to find. Randomness means that, for a variable *x*, the elements of the set of results *y* = *h*(*x*), denoted as *Y*, are uniformly distributed. Collision-freeness means that, given *y*, where *y* = *h*(*x*), the probability of discovering *x′*, where *x* ≠ *x′*, such that *h*(*x*) equals *h*(*x′*) is negligible. Unpredictability means that hash functions exhibit no predictable relationship or correlation between inputs and outputs.

### Theorem 1.

*An adversary cannot discover the group keys through the differential attack.*

### Proof:

At session *t*, the adversary can collect the modified secure filter below.

The expansion of *f* _{ t }(*x*) can be derived below.

At another session *t′*, where *t′* ≠ *t*, the adversary can discover another modified secure filter for a different membership, in which the number of group members is *n′*, below.

The expansion of *f* _{ t′ }(*x*) can be presented below.

According to Proposition 1, the coefficients in (5) and (7) are unpredictable for an adversary. Therefore, the adversary cannot predict any linear relationship between these coefficients. Hence, the adversary cannot mount the differential attack successfully to compromise the group key distributed within a secure filter. □

### Theorem 2.

*A legitimate group member cannot discover other common keys shared between the CA and other group members.*

### Proof:

According to Proposition 1, even if a legitimate group member has enough ability to factorize the value of *f* _{ t }(0) and discover the other secure factors of *f* _{ t }(*x*), he can only discover hash values, which are intractable to invert to the common keys. Therefore, the common keys cannot be discovered by the adversary. This proves that the modified secure filter can resist the subgroup key attack.

By Theorems 1 and 2, we have proved that the modified secure filter can resist the differential attack as well as the subgroup key attack [13, 14]. □

## 5 Conclusions

In this paper, we proposed a novel key agreement scheme that uses a new secure filter to improve robustness and to support security under dynamically changing membership, which Wu et al.’s secure filter [4] lacks. The proposed secure filter is based on the properties of a cryptographically secure hash function. Via the security analysis, we proved that the modified secure filter can resist the differential attack. Moreover, the modified secure filter can prevent the subgroup key attack. The modified secure filter has almost the same complexity as the original secure filter. For group communication, dynamic membership is an unavoidable issue. Though the secure filter proposed in [4] gave a simple and robust distribution scheme for the group secret, it suffers from the problems of dynamic membership. The modified secure filter enhances the secure filter for dynamic membership while keeping its efficiency.

## References

1. Chen, H.-C., Wang, S.-J., Wen, J.-H.: Packet construction for secure conference call request in ad hoc network systems. Inf. Sci. **177**(24), 5598–5610 (2007)
2. Chen, H.-C.: Secure multicast key protocol for electronic mail systems with providing perfect forward secrecy. Secur. Commun. Netw. **6**(1), 100–107 (2013)
3. Chen, H.-C., Yang, C.-Y., Su, H.-K., Wei, C.-C., Lee, C.-C.: A secure E-mail protocol using ID-based FNS multicast mechanism. Comput. Sci. Inf. Syst. **11**(3), 1091–1112 (2014). Special Issue on Mobile Collaboration Technologies and Internet Services
4. Wu, K.P., Ruan, S.J., Lai, F., Tseng, C.K.: On key distribution in secure multicasting. In: Proceedings of 25th Annual IEEE International Conference on Local Computer Networks, p. 208 (2000)
5. Kim, Y., Perrig, A., Tsudik, G.: Communication-efficient group key agreement. IEEE Trans. Comput. **53**(7), 905–921 (2001)
6. Kim, Y., Perrig, A., Tsudik, G.: Tree-based group key agreement. ACM Trans. Inf. Syst. Secur. **7**(1), 60–96 (2004)
7. Fekete, A., Lynch, N., Shvartsman, A.: Specifying and using a partionable group communication service. ACM Trans. Comput. Syst. **19**(2), 171–216 (2001)
8. Chen, X., Lenzini, G., Mauw, S., Pang, J.: Design and formal analysis of a group signature based electronic toll pricing system. J. Wireless Mobile Netw. Ubiquitous Comput. Dependable Appl. (JoWUA) **4**(1), 55–75 (2013)
9. Craß, S., Dönz, T., Joskowicz, G., Kühn, E., Marek, A.: Securing a space-based service architecture with coordination-driven access control. J. Wireless Mobile Netw. Ubiquitous Comput. Dependable Appl. (JoWUA) **4**(1), 76–97 (2013)
10. Malik, S., Lee, J.-H.: Privacy enhancing factors in people-nearby applications. J. Wireless Mobile Netw. Ubiquitous Comput. Dependable Appl. (JoWUA) **6**(2), 113–121 (2015)
11. Kent, A.D., Liebrock, L.M., Wernicke, J.: Differentiating user authentication graphs. J. Wireless Mobile Netw. Ubiquitous Comput. Dependable Appl. (JoWUA) **5**(2), 24–38 (2014)
12. Moser, L.E., Amir, Y., Melliar-Smith, P.M., Agarwal, D.A.: Extended virtual synchrony. In: Proceedings of the IEEE 14th International Conference on Distributed Computing Systems, pp. 55–65 (1994)
13. Wen, J.H., Wu, M.C., Chen, T.S.: A novel elliptic curve method for secure multicast system. Far East J. Math. Sci. **28**(2), 449–467 (2008)
14. Wu, K.P., Ruan, S.J., Tseng, C.K., Lai, F.: Hierarchical access control using the secure filter. IEICE Trans. Inf. Syst. **E84-D**(6), 700–708 (2001)
15. Menezes, A.J., van Oorschot, P.C., Vanstone, S.A.: Handbook of Applied Cryptography. CRC Press, Boca Raton (1997)