A Secure Multicast Key Agreement Scheme

  • Hsing-Chung ChenEmail author
  • Chung-Wei Chen
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9357)


Wu et al. proposed a key agreement to securely deliver a group key to group members. Their scheme utilized a polynomial to deliver the group key. When membership is dynamically changed, the system refreshes the group key by sending a new polynomial. We commented that, under this situation, the Wu et al.’s scheme is vulnerable to the differential attack. This is because that these polynomials have linear relationship. We exploit a hash function and random number to solve this problem. The secure multicast key agreement (SMKA) scheme is proposed and shown in this paper which could prevent from not only the differential attack, but also subgroup key attack. The modification scheme can reinforce the robustness of the scheme.


Cryptography Security Secure multicast Conference key Key distribution 

1 Introduction

Many security protection schemes [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 14] have been developed for an individual multicast group. Some schemes address secure group communications by using secure filter [1, 2, 3, 4] to enhance performance of the key management. Wu et al. [4] proposed a key agreement to securely deliver a group key to specific members efficiently. The system conceals the group key within a polynomial consisting of the common keys shared with the members. In the Wu et al.’s scheme, the polynomial is called as a secure filter. Through their scheme, only the legitimate group members can derive a group key generated by a central authority on a public channel. Nevertheless, for the dynamic membership, the scheme is suffered from the differential attack which we describe later. The dynamic membership means the addition and subtraction of the group members. Naturally, the membership changes by the reason caused by network failure or explicit membership change (application driven) [5, 6]. If an adversary collects the secure filters broadcasted among the group members, as the membership changes, the group keys sent to the group members with the secure filter will be discovered through the differential attack [11].

The secure multicast key agreement (SMKA) scheme is proposed in this paper, which is a kind of secure filter to resist against the differential attack. The proposed secure filter is based on the properties of a cryptographically secure one-way hash function. Moreover, the complexity of the modified secure filter is almost the same with the complexity of the original one.

The rest of this paper consists of the following parts. The Sect. 2 gives an overview of the secure filter and the differential attack against the secure filter for the dynamic membership. The Sect. 3 introduces our scheme. The Sect. 4 gives the security proof of our scheme. Then we conclude our scheme in the Sect. 5.

2 The Secure Filter and the Differential Attack

2.1 Wu et al.’s Scheme

In Wu et al.’s Scheme [4], assume that there is a central authority which is in charge of distributing a group key to the group members, denoted as G, where G = [M 1M 2, ···M n ] in which the M i indicates i-th group member. The M i shares a common key k i with the central authority. As the central authority starts to send a group key s to the members in the G, the central authority computes the secure filter as follows.
$$ f(x) = \prod\limits_{{i = 1,k_{i} \in K}}^{n} {(x - h(k_{i} ))} + s \, \bmod p $$
$$ = \sum\limits_{i = 1}^{n} {a_{i} x^{i} } \, \bmod p $$

Then the central authority broadcasts the coefficient of each item. For the M i , upon receiving the coefficients, he can derive s by computing f(h(k i )). Any adversary can not derive the s because he doesn’t know any k i , where i = [1, 2, ···, n].

2.2 A Differential Attack on Wu et al.’s Scheme

The differential attack utilizes the linear relationship of the coefficients in the secure filter to compromise the group keys. The differential attack is described as follows. Assume that an adversary, Ad, where Ad ∉ G. The Ad collects each secure filter used to send a group key at each session which means a period of the time for the membership unchanged. Observe that the coefficients of the secure filter, we learn the relationship as follows.
$$ \begin{aligned} a_{n} & = 1 \, \bmod p, \\ a_{n - 1} & = \sum\limits_{i = 1}^{{C_{1}^{n} }} {h(x_{i} )} \, \bmod p, \\ a_{n - 2} & = \sum\limits_{i = 1,i \ne j}^{{C_{2}^{n} }} {h(x_{i} )} h(x_{j} ) \, \bmod p, \\ & \;\, \vdots \\ \end{aligned} $$
The coefficients of the secure filter are the linear relationship of the secure factors. As membership changes, the differential value of the coefficients will disclose the secure factors in the secure filter. For example, as the M 3 is excluded from the group, which may be caused by network failure, then the central authority re-computes the following secure filter to refresh the group key, where n′ means the membership as the M 3 is excluded below.
$$ f'(x) = \prod\limits_{{i = 1,k_{i} \in K,i \ne 3}}^{n'} {(x - h(x_{i} ))} + s' \, \bmod p $$
$$ = \sum\limits_{i = 1}^{n'} {a_{i} x^{i} } \, \bmod p $$

For the coefficient a n′-1, the adversary can compute a n-1 - a n′-1 to derive h(x 3). Through the h(x 3), the adversary can derive the previous group keys through the preceding secure filters. Moreover, as the M 3 returns into the group, the central authority will refresh the group key through another secure filter composed of the secure factor h(x 3). Then the adversary who already derives the h(x 3) through the differential attack can derive any group key as long as the M 3 is in the group.

3 Our Scheme

In this section, we introduce our scheme. First, we define the environment and notation. And then we introduce our scheme. The notations used in the rest of this paper are shown in Table 1.
Table 1.



central authority


number of the group members at the session t

h( · )

cryptographically secure one-way function

c t

random number used at the session t

s t

group key for the session t

M i

i-th group member

k i

common key only shared with the CA and the i-th user

x i

secure factor of the modified secure factors

f t (x)

modified secure filter for the session t

3.1 SMKA Scheme

The secure multicast key agreement (SMKA) scheme is proposed in this section. Assume that there are n group members at the session t. The set of these group members at the session t is denoted as G t , where G t  = [M 1M 2, ···, M n ]. The M i denotes i-th group member, where i ∊ [1, 2, ···, n]. The set of the common keys is denoted as K t , where K t  = [k 1k 2, ···, k n ]. Before the CA starts to send the group key s t for the session t to the members in the G t , the CA generates a random number c t . Then the CA computes the secure factors below.
$$ x_{i} = h(k_{i} ||c_{t} ), $$
where k i  ∊ K t and i = {1, 2, ···, n}. Next, the CA generates a group key s t and calculates the modified secure filter below.
$$ f_{t} (x) = \prod\limits_{i = 1}^{n} {(x - x_{i} )} + s_{t} \, \bmod p. $$
Then the CA can derive the extension of the f t (x) as following.
$$ f_{t} (x) = a_{n} x_{n} + a_{n - 1} x_{n - 1} + \cdots + a_{0} \, \bmod p. $$

The CA broadcasts the set of the coefficients, denoted as A, and c t , where A = [a n a n-1, ···, a 0]. After receiving the A and the c t , the group member M i compute the secure factor, x i through the procedure of (1) with the common key k i and c t . Next, the M i derive s t by calculating f t (x i ) = f t (h(k i ||c t )). In the next session t + 1, the CA generates a new random number c t+1 and repeats the procedures of (1) to (3) to send the secret s t+1 to the G t+1, where the G t+1 may not be the same as G t .

4 Security and Complexity Analyses

In this section, we show that the modified secure filter can resist against the differential attack. Moreover, we proof that the modified secure filter can also prevent from the subgroup key attack [13, 14] which could compromise other common keys through factorizing algorithm [15].

Proposition 1.

A cryptographically secure hash function h(·) has the properties: intractability, randomness, collision-free, unpredictability.

The Proposition 1 is assumed commonly on cryptography [15]. The intractability means that, for only given a hash value y, where y = h(x), the value of x is intractable. The randomness means that, for a variable x, the elements in the set of the result y = h(x), denoted as Y, are uniformly distributed. The collision free means that, given y, where y = h(x), the probability of discovering x′, where x ≠ x′, that h(x) equals h(x′) is negligible. The unpredictability means that hash functions exhibit no predictable relationship or correlation between inputs and outputs.

Theorem 1.

An adversary cannot discover the group keys through the differential attack.


Assume that an adversary can know the membership of the group exactly. He records the distinct membership at different session. For the session t, the adversary can collect the modified secure filter below.
$$ f_{t} (x) = a_{n} x_{n} + a_{n - 1} x_{n - 1} + \cdots + a_{0} \, \bmod p. $$
The coefficient of f t (x) can be derived below.
$$ a_{n} = \sum\limits_{i = 1}^{n} {h(x_{i} ||c_{t} )} \, \bmod p, $$
$$ a_{n - 1} = \sum\limits_{i = 1,i \ne j}^{{C_{2}^{n} }} {h(x_{i} ||c_{t} )h(x_{j} ||c_{t} )} \, \bmod p, $$
$$ \vdots $$
For any session t′, where t′ ≠ t, the adversary can discover another modified secure filter for different membership in which the number of group member is n′ below.
$$ f_{t'} (x) = a_{{n^{'} }} x_{{n^{'} }} + a_{{n^{'} - 1}} x_{{n^{'} - 1}} + \cdots + a_{0}^{'} \, \bmod p. $$
The coefficient of f t′ (x) can be presented below.
$$ a_{n'} = \sum\limits_{i = 1}^{n'} {h(x_{i} ||c_{t'} )} \, \bmod p, $$
$$ a_{n' - 1} = \sum\limits_{i = 1,i \ne j}^{{C_{2}^{n'} }} {h(x_{i} ||c_{t'} )h(x_{j} ||c_{t'} )} \, \bmod p, $$
$$ \vdots $$

According to the Proposition 1, we can learn that the coefficients in (5) and (7) are predictable for an adversary. Therefore, it induces that the adversary cannot predict the linear relationship between these coefficients. Hence, the adversary cannot engage the differential attack successfully to compromise the group key distributed within a secure filter. □

Theorem 2.

A legitimate group member cannot discover other common keys shared between the CA and other group members.


According to the Proposition 1, assume that a legitimate group member has enough ability to factorize the value of f t (0) and discover the other secure factors of the f t (x); he only can discover the hash values not tractable to the common keys. Therefore, the common keys cannot be discovered by the adversary. Then we prove that the modified secure filter can resist against the subgroup key attack.

According to Theorems 1 and 2, we proof that the modified secure filter can resist against the differential attack as well as the subgroup key attack [13, 14]. □

5 Conclusions

In this paper, the navel key agreement scheme by using the new secure filter to improve the robustness in order to support the security functionality on dynamically changing members in the Wu’s secure filter [4]. The proposed secure filter is based on the properties of a cryptographically secure hash function. Via the security analysis, we proved that the modified secure filter can resist against the differential attack. Moreover, the modified secure filter can prevent from the subgroup key attack. The modified secure filter almost has the same complexity with the original secure filter. For a group communication, the dynamic membership is an unavoidable issue. Though the secure filter proposed in [4] gave a simple and robustness distribution scheme for the group secret, it is suffered from the problems of the dynamic membership. The modified secure filter can enhance the secure filter for the dynamic membership and keep the efficiency.


  1. 1.
    Chen, H.-C., Wang, S.-J., Wen, J.-H.: Packet construction for secure conference call request in ad hoc network systems. Inf. Sci. 177(24), 5598–5610 (2007)CrossRefGoogle Scholar
  2. 2.
    Chen, H.-C.: Secure multicast key protocol for electronic mail systems with providing perfect forward secrecy. Secur. Commun. Netw. 6(1), 100–107 (2013)CrossRefGoogle Scholar
  3. 3.
    Chen, H.-C., Yang, C.-Y., Su, H.-K., Wei, C.-C., Lee, C.-C.: A secure E-mail protocol using ID-based FNS multicast mechanism. Comput. Sci. Inf. Syst. 11(3), 1091–1112 (2014). Special Issue on Mobile Collaboration Technologies and Internet ServicesCrossRefGoogle Scholar
  4. 4.
    Wu, K.P., Ruan, S.J., Lai, F., Tseng, C.K.: On key distribution in secure multicasting. In: Proceedings of 25th Annual IEEE International Conference on Local Computer Networks, p. 208 (2000)Google Scholar
  5. 5.
    Kim, Y., Perrig, A., Tsudik, G.: Communication-efficient group key agreement. IEEE Trans. Comput. 53(7), 905–921 (2001)CrossRefGoogle Scholar
  6. 6.
    Kim, Y., Perrig, A., Tsudik, G.: Tree-based group key agreement. ACM Trans. Inf. Syst. Secur. 7(1), 60–96 (2004)CrossRefGoogle Scholar
  7. 7.
    Fekete, A., Lynch, N., Shvartsman, A.: Specifying and using a partionable group communication service. ACM Trans. Comput. Syst. 19(2), 171–216 (2001)CrossRefGoogle Scholar
  8. 8.
    Chen, X., Lenzini, G., Mauw, S., Pang, J.: Design and formal analysis of a group signature based electronic toll pricing system. J. Wireless Mobile Netw. Ubiquitous Comput. Dependable Appl. (JoWUA) 4(1), 55–75 (2013)Google Scholar
  9. 9.
    Craß, S., Dönz, T., Joskowicz, G., Kühn, E., Marek, A.: Securing a space-based service architecture with coordination-driven access control. J. Wireless Mobile Netw. Ubiquitous Comput. Dependable Appl. (JoWUA) 4(1), 76–97 (2013)Google Scholar
  10. 10.
    Malik, S., Lee, J.-H.: Privacy enhancing factors in people-nearby applications. J. Wireless Mobile Netw. Ubiquitous Comput. Dependable Appl. (JoWUA) 6(2), 113–121 (2015)Google Scholar
  11. 11.
    Kent, A.D., Liebrock, L.M., Wernicke, J.: Differentiating user authentication graphs. J. Wireless Mobile Netw. Ubiquitous Comput. Dependable Appl. (JoWUA) 5(2), 24–38 (2014)Google Scholar
  12. 12.
    Moser, L.E., Amir, Y., Melliar-Smith, P.M., Agarwal, D.A.: Extended virtual synchrony. In: Proceedings of the IEEE 14th International Conference on Distributed Computing Systems, pp. 55–65 (1994)Google Scholar
  13. 13.
    Wen, J.H., Wu, M.C., Chen, T.S.: A novel elliptic curve method for secure multicast system. Far East J. Math. Sci. 28(2), 449–467 (2008)MathSciNetzbMATHGoogle Scholar
  14. 14.
    Wu, K.P., Ruan, S.J., Tseng, C.K., Lai, F.: Hierarchical access control using the secure filter. IEICE Trans. Inf. Syst. E84-D(6), 700–708 (2001)Google Scholar
  15. 15.
    Menezes, A.J., van Oorschot, P.C., Vanstone, S.A.: Handbook of Applied Cryptography. CRC Press, Boca Raton (1997)zbMATHGoogle Scholar

Copyright information

© IFIP International Federation for Information Processing 2015

Authors and Affiliations

  1. 1.Department of Computer Science and Information EngineeringAsia UniversityTaichung CityTaiwan
  2. 2.Research Consultant with Department of Medical ResearchChina Medical University HospitalTaichungTaiwan, R.O.C.
  3. 3.China Medical University TaichungTaichungTaiwan, R.O.C.
  4. 4.Institute of Communications EngineeringNational Tsing Hua UniversityHsinchu CityTaiwan

Personalised recommendations