Abstract
We propose a group key exchange compiler using any two-party key exchange for which the shared key space is a subset of a group and whose security reduces to a decisional hard problem, such that the security of the group key exchange relies on the security of the two-party key exchange and, in turn, on the hardness of the underlying decisional problem.
This work is a generalization of the multicast Burmester-Desmedt group key exchange in a modified G-CK\(^+\) security model.
For n parties, the group key exchange protocol has constant round complexity and communicational complexity \(O(\log _2 n)\). We also present a peer-to-peer version with round complexity \(O(\log _2 n)\) and constant communicational complexity.
Notes
- 1.
Suzuki and Yoneyama [17] define their sessions with a “role” for a party, which may be indexed differently from the party index, as well as a corresponding “player” definition. In our protocols, the role of a party is determined by its placement in the double-tree (see Sect. 3), which in turn is determined by the index of the party, which can be altered as needed; hence the role is uniquely determined by the party index. We therefore remove this “role” (and “player”) from our definition of session.
- 2.
Suzuki and Yoneyama [17] assume that each party receives public keys from all other parties, but this forces a GKE to have at least linear order in n, which we aim to avoid, hence we have altered the model slightly. In the end, parties only need as many keys as are relevant or necessary to compute the session key, which our alteration highlights.
- 3.
Note that “\(+\)” could be used instead, but the notation is pedagogical for our compiler. We also do not assume that the group is abelian. Furthermore, note that any set S can be made into a group, namely the free group (or universal group) generated by S, so this requirement is trivially satisfied. For computational purposes, however, we assume that the group operation is efficient.
- 4.
This means that at most a single secondary key is chosen per party as each party has only a single parent.
- 5.
This means that at most a single secondary key is chosen per party as each party has only a single parent.
- 6.
The products in these x values could also be reversed, as long as the rest of the procedure remains consistent, for example in the \(\mathbf {KeyGen}\) and \(\mathbf {Publish_{3}}\) round, regardless of the commutativity of the group.
- 7.
In doing so, we assume that multicasting a message does not depend on the number of receivers but that receiving l messages means that the receiver incurs a cost of l, even if all messages are received in a single round. The reason for this is that it takes into account that receiving messages requires being online and also storing said messages while multicasting is usually a one-time operation.
- 8.
- 9.
Both must remain secret, so essentially, this is a single secret key in the form of a pair.
References
Bos, J.W., Costello, C., Naehrig, M., Stebila, D.: Post-quantum key exchange for the TLS protocol from the ring learning with errors problem. In: IEEE Symposium on Security and Privacy, pp. 553–570. IEEE Computer Society (2015). http://dblp.uni-trier.de/db/conf/sp/sp2015.html#BosCNS15
Bresson, E., Chevassut, O., Pointcheval, D., Quisquater, J.J.: Provably authenticated group Diffie-Hellman key exchange. In: Proceedings of the 8th ACM Conference on Computer and Communications Security, CCS 2001, pp. 255–264. Association for Computing Machinery, New York (2001). https://doi.org/10.1145/501983.502018
Bresson, E., Manulis, M.: Securing group key exchange against strong corruptions. In: Proceedings of the 2008 ACM Symposium on Information, Computer and Communications Security, ASIACCS 2008, pp. 249–260. Association for Computing Machinery, New York (2008)
Burmester, M., Desmedt, Y.: A secure and efficient conference key distribution system. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 275–286. Springer, Heidelberg (1995). https://doi.org/10.1007/BFb0053443
Burmester, M., Desmedt, Y.G.: Efficient and secure conference-key distribution. In: Lomas, M. (ed.) Security Protocols 1996. LNCS, vol. 1189, pp. 119–129. Springer, Heidelberg (1997). https://doi.org/10.1007/3-540-62494-5_12
De Feo, L., Jao, D.: defeo/sidh-paper. https://github.com/defeo/sidh-paper/blob/master/eprint.tex
Desmedt, Y., Lange, T., Burmester, M.: Scalable authenticated tree based group key exchange for ad-hoc groups. In: Dietrich, S., Dhamija, R. (eds.) FC 2007. LNCS, vol. 4886, pp. 104–118. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-77366-5_12
Diffie, W., Hellman, M.: New directions in cryptography. IEEE Trans. Inf. Theor. 22(6), 644–654 (2006). https://doi.org/10.1109/TIT.1976.1055638
Feo, L.D., Jao, D., Plût, J.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. J. Math. Cryptol. 8(3), 209–247 (2014). https://doi.org/10.1515/jmc-2012-0015
Furukawa, S., Kunihiro, N., Takashima, K.: Multi-party key exchange protocols from supersingular isogenies. In: 2018 International Symposium on Information Theory and Its Applications (ISITA), pp. 208–212 (2018)
Hougaard, H.B., Miyaji, A.: SIT: supersingular isogeny tree-based group key exchange. In: 15th Asia Joint Conference on Information Security, AsiaJCIS 2020, Taipei, Taiwan, 20–21 August 2020, pp. 46–53. IEEE (2020). https://doi.org/10.1109/AsiaJCIS50894.2020.00019
Hougaard, H.B., Miyaji, A.: Tree-based ring-LWE group key exchanges with logarithmic complexity. In: Meng, W., Gollmann, D., Jensen, C.D., Zhou, J. (eds.) ICICS 2020. LNCS, vol. 12282, pp. 91–106. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-61078-4_6
Jao, D., De Feo, L.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. In: Yang, B.-Y. (ed.) PQCrypto 2011. LNCS, vol. 7071, pp. 19–34. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25405-5_2
Ding, J., Xie, X., Lin, X.: A simple provably secure key exchange scheme based on the learning with errors problem. Cryptology ePrint Archive, Report 2012/688 (2012). https://eprint.iacr.org/2012/688
Katz, J., Yung, M.: Scalable protocols for authenticated group key exchange. J. Cryptol. 20(1), 85–113 (2007)
Peikert, C.: Lattice cryptography for the internet. In: Mosca, M. (ed.) PQCrypto 2014. LNCS, vol. 8772, pp. 197–219. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-11659-4_12
Suzuki, K., Yoneyama, K.: Exposure-resilient one-round tripartite key exchange without random oracles. IEICE Trans. 97-A(6), 1345–1355 (2014). https://doi.org/10.1587/transfun.E97.A.1345
Thanks and Acknowledgment
This work is partially supported by CREST (JPMJCR1404) at Japan Science and Technology Agency, enPiT (Education Network for Practical Information Technologies) at MEXT, and Innovation Platform for Society 5.0 at MEXT.
Appendices
Appendix 1 SIDH Key Exchange and Hard Problem
We assume knowledge of elliptic curves. An isogeny may be understood as a non-zero rational homomorphism between two elliptic curves, generated by a subgroup of the first curve. Finding the isogeny between them is called the isogeny finding problem. We define the SIDH key exchange by Jao and De Feo [9, 13] in the form of the supersingular isogeny key encapsulation (SIKE, see Note 8) protocol as given by Furukawa et al. in [10].
Consider the SIDH key exchange between parties \(\mathcal {P}_0\) and \(\mathcal {P}_1\). Given a security parameter \(1^\lambda \), \(\mathsf {Gen}\) outputs \((p,E,\{P_0,Q_0\},\{P_1,Q_1\})\), where \(p=f\ell _0^{e_0}\ell _1^{e_1}\pm 1\) is prime for a small integer \(f>0\) and with \(\ell _0^{e_0}\approx \ell _1^{e_1}\) (usually \(\ell _0 = 2\) and \(\ell _1=3\)), E is a randomly chosen supersingular elliptic curve over \(\mathbb {F}_{p^2}\) such that \(\#E(\mathbb {F}_{p^2}) = (p\pm 1)^2\), and \(\{P_i,Q_i\}\) is a randomly chosen basis of \(E[\ell _i^{e_i}]\) for \(i=0,1\).
Protocol 8
(Supersingular isogeny Diffie-Hellman (SIDH) key exchange [10]). For parties \(\mathcal {P}_0\) and \(\mathcal {P}_1,\) the SIDH protocol is as follows:
-
Setup: For the security parameter \(1^\lambda \), \(\mathsf {Gen}\) outputs to both parties the tuple of public parameters:
$$\begin{aligned} \mathfrak {P} = (\mathfrak {P}_0,\mathfrak {P}_1) =((p,E,\{P_0,Q_0\},\{P_1,Q_1\}),(p,E,\{P_1,Q_1\},\{P_0,Q_0\})) \leftarrow \mathsf {Gen}(1^\lambda ), \end{aligned}$$
where \(\mathfrak {P}_0,\mathfrak {P}_1\) are party-specific tuples.
-
Publish: Each party \(\mathcal {P}_i\), for \(i=0,1\), chooses \(r_i\overset{R}{\leftarrow } \mathbb {Z}/\ell _i^{e_i}\mathbb {Z}\) uniformly at random and computes \(R_i := P_i + [r_i]Q_i\). Then it computes the isogeny \(\phi _i: E \rightarrow E_i \cong E/\langle R_i \rangle \) having \(\ker (\phi _i)= \langle R_i \rangle \), as well as the points \(\phi _i(P_{1-i})\) and \(\phi _i(Q_{1-i})\). \(\mathcal {P}_i\) has secret and public keys
$$\begin{aligned} sk_i:= r_i \text { and } pk_i := (E_i, \phi _i(P_{1-i}),\phi _i(Q_{1-i})), \end{aligned}$$
of which it sends \(pk_i\) to \(\mathcal {P}_{1-i}\).
-
KeyGen: Party \(\mathcal {P}_i\) takes \(pk_{1-i}\) as input, computes an isogeny \(\phi '_i: E_{1-i} \rightarrow E_{{1-i},i}\) with \(\ker (\phi '_i) = \langle \phi _{1-i}(R_i) \rangle \), and computes \(k_i = j(E_{{1-i},i})\in \mathbb {F}_{p^2}\) (see Fig. 3).
It holds that \(E_{1,0} = \phi '_0(\phi _1(E)) \cong \phi '_1(\phi _0(E)) = E_{0,1},\) i.e. \(k_0 = j(E_{1,0}) = j(E_{0,1}) = k_1\), such that \(\mathcal {P}_0\) and \(\mathcal {P}_1\) have the shared key \(k=k_0=k_1\).
The following definition is taken from De Feo et al. [9] with minor changes to fit our notation.
Definition 6
(Supersingular decisional Diffie-Hellman (SSDDH) problem). Given a tuple sampled with probability 1/2 from one of the following two distributions:
-
\((\mathfrak {P},(pk_0,pk_1),k),\) where \(\mathfrak {P},pk_0=(E_0,\phi _0(P_1),\phi _0(Q_1)),\) and \(pk_1=(E_1,\phi _1(P_0),\phi _1(Q_0))\) are as in the SIDH protocol (Definition 8) and \(k=E_{0,1} \cong E/\langle P_0 + [r_0]Q_0, P_1 + [r_1]Q_1\rangle ,\)
-
\((\mathfrak {P},(pk_0,pk_1),k'),\) where \(\mathfrak {P},pk_0=(E_0,\phi _0(P_1),\phi _0(Q_1)),\) and \(pk_1=(E_1,\phi _1(P_0),\phi _1(Q_0))\) are as in the SIDH protocol (Definition 8) and \(k' = E_{x} \cong E/\langle P_0 + [r'_0]Q_0, P_1 + [r'_1]Q_1\rangle ,\) where \(r'_0\) (respectively \(r'_1\)) is chosen at random from \(\mathbb {Z}/\ell _0^{e_0}\mathbb {Z}\) (respectively \(\mathbb {Z}/\ell _1^{e_1}\mathbb {Z}\)),
determine from which distribution the tuple is sampled.
Theorem 9
(Security of SIDH [9]). Under the SSDDH assumption, the key-agreement protocol of Definition 8 is session-key secure in the authenticated-links adversarial model of Canetti and Krawczyk.
Appendix 2 R-LWE Key Exchange and Hard Problem
Although R-LWE protocols are usually expected to reduce to the R-LWE problem, Bos et al. [1] give a Diffie-Hellman-like definition of indistinguishability that takes Peikert's key reconciliation into consideration and show how it reduces to the hardness of the R-LWE problem. All definitions are taken from Bos et al. [1].
Let \(\mathbb {Z}\) be the ring of integers and denote \([ N ] = \{0,1,\ldots ,N-1\}\). In this article, we set \(R= \mathbb {Z}[X]/(f(X))\) where \(f(X)=X^n+1\) for \(n=2^l\) with an integer \(l>0\). We let q be a modulus defining the quotient ring \(R_q = R/qR \cong \mathbb {Z}_q[X]/(f(X))\), where \(\mathbb {Z}_q = \mathbb {Z}/q\mathbb {Z}\).
Definition 7
(Decisional R-LWE (D-R-LWE) problem). Let the values n, R, q and \(R_q\) be as above. Let \(\chi \) be a distribution over R and let \(s\overset{R}{\leftarrow } \chi \). Define \(O_{\chi ,s}\) as an oracle that does the following:
- 1. Sample \(a\overset{R}{\leftarrow } R_q\) and \(e\overset{R}{\leftarrow } \chi \),
- 2. Return \((a,as+e)\in R_q\times R_q\).
The decisional R-LWE problem for \(n,q,\chi \) is to distinguish \(O_{\chi ,s}\) from an oracle that returns uniformly random samples from \(R_q\times R_q\).
Let \(\left\lceil \cdot \right\rfloor \) denote the rounding function: \(\left\lceil x\right\rfloor = z\) for \(z\in \mathbb {Z}\) and \(x \in [z-1/2 , z + 1/2)\).
Definition 8
([1], Definition 2). Let q be a positive integer. Define the modular rounding function \(\left\lceil \cdot \right\rfloor _{q,2}: \mathbb {Z}_q \rightarrow \mathbb {Z}_2, x\mapsto \left\lceil x\right\rfloor _{q,2} = \left\lceil \tfrac{2}{q}x\right\rfloor \mod 2,\) and the cross-rounding function \(\left\langle \cdot \right\rangle _{q,2}: \mathbb {Z}_q \rightarrow \mathbb {Z}_2, x \mapsto \left\langle x\right\rangle _{q,2} = \lfloor \tfrac{4}{q}x \rfloor \mod 2.\) Both functions are extended to elements of \(R_q\) coefficient-wise: for \(f=f_{n-1}X^{n-1}+\cdots +f_1X+f_0 \in R_q\), define
We also define the randomized doubling function \(\mathtt {dbl}: \mathbb {Z}_q \rightarrow \mathbb {Z}_{2q}, x\mapsto \mathtt {dbl}(x) = 2x-e,\) where e is sampled from \(\lbrace -1,0,1 \rbrace \) with probabilities \(p_{-1} = p_1 = \tfrac{1}{4}\) and \(p_0=\tfrac{1}{2}\).
The doubling function may be applied to elements in \(R_q\) by applying it on each of the coefficients, as done with the rounding functions. Such an application of the doubling function results in a polynomial in \(R_{2q}\). The reason for considering such a doubling function is that this allows for odd q.
The rounding of the doubling function on a uniformly random element in \(\mathbb {Z}_q\) results in a uniformly random element in \(\mathbb {Z}_{2q}\).
Lemma 1
([1], Lemma 1). For odd q, if \(v\in \mathbb {Z}_q\) is uniformly random and \(\overline{v}\overset{R}{\leftarrow }\mathtt {dbl}(v)\in \mathbb {Z}_{2q}\), then \(\left\lceil \overline{v}\right\rfloor _{2q,2}\) is uniformly random, given \(\left\langle \overline{v}\right\rangle _{2q,2}\).
We may now define Peikert's reconciliation function, \(\mathtt {rec}(\cdot )\), which recovers \(\left\lceil v\right\rfloor _{q,2}\) from an element \(w\in \mathbb {Z}_q\) that is “close” to the original \(v\in \mathbb {Z}_q\), given only w and the cross-rounding of v.
Definition 9
Define sets \(I_0 = \{ 0,1,\ldots ,\left\lceil \tfrac{q}{2}\right\rfloor -1\}\) and \(I_1 = \{ -\left\lceil \tfrac{q}{2}\right\rfloor ,\ldots , -1 \}\). Let \(E=[ - \tfrac{q}{4}, \tfrac{q}{4} )\), then define the map \(\mathtt {rec}: \mathbb {Z}_{2q} \times \mathbb {Z}_2 \rightarrow \mathbb {Z}_2\),
Reconciliation of a polynomial in \(R_q\) is done coefficient-wise so the following lemma allows us to reconcile two polynomials in \(R_q\) that are close to each other.
Lemma 2
([1], Lemma 2). For odd q, let \(v=w+e\in \mathbb {Z}_q\) for \(w,e\in \mathbb {Z}_q\) such that \(2e\pm 1\in E \pmod {q}\). Let \(\overline{v}= \mathtt {dbl}(v)\), then \(\mathtt {rec}(2w,\left\langle \overline{v}\right\rangle _{2q,2}) = \left\lceil \overline{v}\right\rfloor _{2q,2}\).
We may finally define the R-LWE key exchange below. Given a security parameter \(1^\lambda \), \(\mathsf {Gen}\) outputs \(\mathfrak {I}=(n,R,q,R_q)\) as in the D-R-LWE problem (Definition 7), a distribution \(\chi \) on \(R_q\) (usually the Discrete Gaussian distribution), and a uniformly random \(a\overset{R}{\leftarrow } R_q\).
Protocol 10
(R-LWE key exchange with Peikert's tweak [14, 16]). Parties \(\mathcal {P}_0\) and \(\mathcal {P}_1\) run the R-LWE key exchange with Peikert's tweak as follows:
-
\(\mathbf {Setup}\): For the security parameter \(1^\lambda \), \(\mathsf {Gen}\) outputs to both parties the tuple of public parameters: \(\mathfrak {P}=(\mathfrak {I}, \chi , a) \leftarrow \mathsf {Gen}(1^\lambda ).\)
-
\(\mathbf {Publish_1}\): Each party \(\mathcal {P}_i\) chooses \(s_i,e_i\overset{R}{\leftarrow } \chi \) as their secret key and error key (see Note 9), respectively, computes their public key \(b_i = as_i + e_i\in R_q\), and sends \(b_i\) to party \(\mathcal {P}_{1-i}\).
-
\(\mathbf {Publish_2}\): Party \(\mathcal {P}_1\), upon receiving \(b_0\) from \(\mathcal {P}_0\), chooses a new error key \(e'_1\overset{R}{\leftarrow } \chi \), computes \(v = b_0s_1 + e'_1\in R_q\), and applies the randomized doubling function to v to obtain \(\overline{v}\overset{R}{\leftarrow }\mathtt {dbl}(v)\in R_{2q}\). Using the cross-rounding function, \(\mathcal {P}_1\) computes \(c = \left\langle \overline{v}\right\rangle _{2q,2}\in \{ 0,1\}^n\) and sends c to \(\mathcal {P}_0\).
-
\(\mathbf {KeyGen}\): In order to generate the final key, party \(\mathcal {P}_0\) uses the reconciliation function to output \(k_0 \leftarrow \mathtt {rec}(2b_1s_0,c)\in \{0,1\}^n\). Party \(\mathcal {P}_1\) simply computes \(k_1 = \left\lceil \overline{v}\right\rfloor _{2q,2}\in \{0,1\}^n\).
Except with negligible probability, \(k_0= k_1 = k\), i.e. this protocol satisfies correctness.
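The rounding, cross-rounding and doubling functions of Definition 8, the reconciliation map of Definition 9, Lemma 2 and Protocol 10 can all be exercised on toy parameters. The following is an added example written for this page, not code from the authors or from Bos et al. [1]. It assumes: a tiny negacyclic ring with n = 16 and q = 12289; a ternary error distribution standing in for \(\chi\) (an assumption for illustration, not a recommended parameter set); the membership rule \(\mathtt{rec}(w,b) = 0\) iff \(w \in I_b + E \pmod{2q}\), which is the rule of Bos et al. [1] since the page only states the domain of \(\mathtt{rec}\); and, for the hypothesis of Lemma 2, that \(2e \pm 1 \in E\) is checked on the centered representative of e (an error close to q/2 cannot be reconciled, so the bound is read as a bound on the small integer e). The `lemma2_holds` helper checks Lemma 2 exhaustively for a small odd q over every v, every admissible e and all three outcomes of \(\mathtt{dbl}\), which goes beyond the single statement on the page.

```python
"""Toy R-LWE key exchange with Peikert's reconciliation (Protocol 10).

Added example; not code from the paper or from Bos et al. [1].  The ring
size n = 16, the modulus q = 12289 and the ternary error distribution are
constructed for illustration only (assumption, not recommended parameters).
"""
import random


def centered(x, m):
    """Representative of x mod m in the interval [-m/2, m/2)."""
    x %= m
    return x - m if 2 * x >= m else x


def in_E(z, q):
    """z in E = [-q/4, q/4) for an integer z (no modular reduction applied)."""
    return -q <= 4 * z < q


def round_m2(x, m):
    """Modular rounding  <x>_{m,2} := round((2/m) x) mod 2  with round-half-up."""
    x %= m
    return ((4 * x + m) // (2 * m)) % 2


def cross_m2(x, m):
    """Cross-rounding  <x>_{m,2} := floor((4/m) x) mod 2."""
    x %= m
    return ((4 * x) // m) % 2


def dbl(x, q, rng):
    """Randomised doubling Z_q -> Z_{2q}: 2x - e with e in {-1,0,1}, P(e=0) = 1/2."""
    e = rng.choice((-1, 0, 0, 1))
    return (2 * x - e) % (2 * q)


def rec(w, b, q):
    """Peikert's reconciliation rec: Z_{2q} x Z_2 -> Z_2 for odd q.

    I_0 = {0..ceil(q/2)-1}, I_1 = {-ceil(q/2)..-1}, E = [-q/4, q/4);
    rec(w, b) = 0 iff w in I_b + E (mod 2q)  (rule from Bos et al. [1]).
    """
    r = (q + 1) // 2                      # round(q/2) for odd q
    I_b = range(0, r) if b == 0 else range(-r, 0)
    return 0 if any(in_E(centered(w - i, 2 * q), q) for i in I_b) else 1


def lemma2_holds(q):
    """Exhaustive check of Lemma 2 for a small odd q: for every v, every e whose
    centered value satisfies 2e+-1 in E, and every dbl outcome, reconciliation
    from 2w = 2(v - e) and the cross-rounding recovers the rounding of dbl(v)."""
    for v in range(q):
        for e in range(q):
            ec = centered(e, q)
            if not (in_E(2 * ec - 1, q) and in_E(2 * ec + 1, q)):
                continue
            w = (v - e) % q
            for d in (-1, 0, 1):          # the three possible values of dbl(v)
                vbar = (2 * v - d) % (2 * q)
                if rec(2 * w, cross_m2(vbar, 2 * q), q) != round_m2(vbar, 2 * q):
                    return False
    return True


def poly_mul(f, g, n, q):
    """Multiply in R_q = Z_q[X]/(X^n + 1); the wrap-around uses X^n = -1."""
    res = [0] * n
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            k = i + j
            if k < n:
                res[k] = (res[k] + fi * gj) % q
            else:
                res[k - n] = (res[k - n] - fi * gj) % q
    return res


def poly_add(f, g, q):
    return [(x + y) % q for x, y in zip(f, g)]


def sample_chi(n, rng):
    """Toy error distribution chi: uniform ternary coefficients (assumption)."""
    return [rng.choice((-1, 0, 1)) for _ in range(n)]


def key_exchange(n=16, q=12289, seed=0):
    """Run Protocol 10 once and return (k_0, k_1); both are bit lists of length n."""
    rng = random.Random(seed)
    a = [rng.randrange(q) for _ in range(n)]                  # Setup: public a
    # Publish_1: secret key s_i, error key e_i, public key b_i = a s_i + e_i
    s0, e0, s1, e1 = (sample_chi(n, rng) for _ in range(4))
    b0 = poly_add(poly_mul(a, s0, n, q), e0, q)
    b1 = poly_add(poly_mul(a, s1, n, q), e1, q)
    # Publish_2: P_1 computes v = b_0 s_1 + e'_1, doubles it, sends c = <vbar>_{2q,2}
    v = poly_add(poly_mul(b0, s1, n, q), sample_chi(n, rng), q)
    vbar = [dbl(x, q, rng) for x in v]
    c = [cross_m2(x, 2 * q) for x in vbar]
    # KeyGen: P_0 reconciles 2 b_1 s_0 against c; P_1 rounds vbar
    w = poly_mul(b1, s0, n, q)
    k0 = [rec(2 * x, ci, q) for x, ci in zip(w, c)]
    k1 = [round_m2(x, 2 * q) for x in vbar]
    return k0, k1


if __name__ == "__main__":
    print("Lemma 2 holds exhaustively for q = 17, 19:", lemma2_holds(17), lemma2_holds(19))
    k0, k1 = key_exchange()
    print("k_0 == k_1:", k0 == k1, "".join(map(str, k0)))
```

With the toy parameters the difference \(v - w = e_0 s_1 + e'_1 - e_1 s_0\) has coefficients of magnitude at most 33, so \(2e \pm 1\) always lies in \(E = [-q/4, q/4)\) and Lemma 2 guarantees \(k_0 = k_1\); shrinking q toward 4(2·33+1) makes the failure probability of the correctness claim observable, which is the trade-off the error distribution and modulus must be sized against.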
The protocol reduces to a decisional hardness problem that Bos et al. [1] dub the decision Diffie-Hellman-like (DDH-like) problem. We give a reformulation, which is equivalent, but fits the other security definitions in this paper.
Definition 10
(Decision Diffie-Hellman-like (DDH-like) problem). Let \(n,R,q,\chi \) be R-LWE key exchange parameters. Given a tuple sampled with probability 1/2 from one of the following two distributions:
-
\((\mathfrak {P},(b_0,(b_1,c)),k),\) where \(\mathfrak {P} = (\mathfrak {I},\chi ,a)\) for \(a\overset{R}{\leftarrow } R_q\), \(s_0,s_1,e_0,e_1,e'_1\overset{R}{\leftarrow } \chi \), \(b_i = as_i+e_i\) for \(i=0,1\), \(v = b_0s_1 + e'_1\), \(\overline{v}\overset{R}{\leftarrow } \mathtt {dbl}(v)\), \(c = \left\langle \overline{v}\right\rangle _{2q,2}\), and \(k = \left\lceil \overline{v}\right\rfloor _{2q,2}\),
-
\((\mathfrak {P},(b_0,(b_1,c)),k'),\) where \(\mathfrak {P} = (\mathfrak {I},\chi ,a)\) for \(a\overset{R}{\leftarrow } R_q\), \(s_0,s_1,e_0,e_1,e'_1\overset{R}{\leftarrow } \chi \), \(b_i = as_i+e_i\) for \(i=0,1\), \(v = b_0s_1 + e'_1\), \(\overline{v}\overset{R}{\leftarrow } \mathtt {dbl}(v)\), \(c = \left\langle \overline{v}\right\rangle _{2q,2}\), and \(k' \overset{R}{\leftarrow } \{0,1\}^n\),
determine from which distribution the tuple is sampled.
Theorem 11
(Hardness of DDH-like problem; [1], Theorem 1). Let q be an odd integer, n a parameter, R a polynomial ring, and \(\chi \) a distribution on \(R_q\). If the decision R-LWE problem for \(q,n,\chi \) is hard, then the DDH-like problem for \(q,n,\chi \) is also hard.
Copyright information
© 2021 Springer Nature Switzerland AG
Cite this paper
Hougaard, H.B., Miyaji, A. (2021). Group Key Exchange Compilers from Generic Key Exchanges. In: Yang, M., Chen, C., Liu, Y. (eds) Network and System Security. NSS 2021. Lecture Notes in Computer Science, vol 13041. Springer, Cham. https://doi.org/10.1007/978-3-030-92708-0_10
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-92707-3
Online ISBN: 978-3-030-92708-0