A Conference Key Agreement Protocol for Mobile Environment

Transcription

1 Journal of Information Assurance and Security 4 (2009) A Conference Key Agreement Protocol for Mobile Environment Mounita Saha Dipanwita Roy Chowdhury Dept. of Computer Science & Engineering, Indian Institute of Technology Kharagpur, INDIA mounita, drc@cse.iitkgp.ernet.in Abstract: In recent times, the popularity of group oriented applications such as electronic conferences and collaboration works have increased manifold. Security is crucial for such collaborative applications which operate in a dynamic network environment and communicate over insecure networks such as internet. The design of secure conference key establishment protocol is essential to provide security to such group applications. Most security protocols currently available in the literature are not fully applicable to wireless environment involving low power mobile devices. Few protocols that have been proposed for wireless environment also lack important security properties and formal proof. One such important property is truly contributory key agreement that has not been addressed previously. In this work we propose a new conference key agreement protocol for mobile environment which addresses the truly contributory property and assures users about their participation in the key computation. The design of the protocol is based on polynomial interpolation. We demonstrate that the protocol is provably secure against active adversaries. The performance analysis of the proposed protocol shows that its well suited for mobile environment. I. Introduction In recent time, there has been a tremendous research interest in different areas of mobile technology. With the reducing price and advanced functionalities, the mobile network is expected to play a major role in the evolution of next generation communication networks. Nowadays the popularity of group oriented applications such as electronic conferences and collaboration works has increased manifold and these services are also being offered on mobile. However, security in wireless network is a major challenge as wireless communication has easy vulnerability to eavesdropping and unauthorized access. Therefore, while deploying new services over mobile wireless network the concerned security issues should be addressed carefully. The first step towards setting up a secure communication is the design of a secure key establishment protocol. There has been a considerable amount of research work on key establishment protocols over past few decades. The first work on multi-party key agreement protocol was proposed in the classical paper of Ingemarsson et al. [5] which is an extension of the 2 party Diffie-Hellman scheme [17] into multi-party setting. Since then, a number of group key agreement protocols were proposed [18, 8, 7, 1, 6, 2, 16] offering various levels of complexity. However, all these approaches simply assume a passive adversary, or only provide an informal/non-standard security analysis for an active adversary. Nonetheless, the works based on traditional communication networks are often not applicable to wireless networks. The mobile communication is more constrained due to the power consumption and bandwidth restrictions. Thus, the multiround or computationally expensive protocols proposed in the previous works are not exactly suitable for mobile environment. The first conference key establishment scheme for mobile communication was proposed by Hwang and Yang in [20]. Hwang later published an improved solution in [21] to allow dynamic joining and leaving from the conference. This was shown insecure against eavesdropping and impersonation in [22]. Some more works were followed in [23, 24]. However, these works are not based on formal model of security and adversary and lack some security properties like forward secrecy. Research on provably-secure group key agreement in a formal security model started when Bresson et al. [13, 15, 12, 14] presented the first group key agreement protocols proven secure in a well-defined security model. The security model extends earlier work of Bellare et al. [3, 4] to the multi-party setting. Katz and Yung [9] have proposed the first constant-round protocol for group key agreement that has been proven secure against an active adversary. While the protocol is very efficient in general, this full symmetry negatively impacts the protocol performance in an imbalanced scenario. In [10] Boyd and Nieto have introduced a one-round group key agreement protocol which is provably secure in the random oracle model [3]. This protocol is computationally asymmetric. But unfortunately, this protocol does not consider dynamic changes and does not achieve forward secrecy even if its round complexity is optimal. Received December 19, $ Dynamic Publishers, Inc.

2 A Conference Key Agreement Protocol for Mobile Environment 61 In [19], Nam et al. proposed a group key agreement protocol for an imbalanced network. They adopted the Katz and Yung scalable compiler to transform their two-round protocol into an authenticated group key agreement protocol with three rounds. However, their protocol is not a real group key agreement protocol as the users cannot confirm that their contribution was involved in establishing the group key. The present work is based on group key agreement protocol for mobile environment which achieves true contributory key agreement. The contribution of the work is discussed in the next section. The section 3 presents the security model for the protocol. In section 4, we present the detail description of proposed protocol. The security and performance analysis of the protocol are given in the following two sections. II. Protocol scenario and contribution The group key establishment protocols can be categorized into two classes: key distribution and key agreement. In key distribution protocols one user selects and distributes the key. Whereas, in a key agreement protocol all the users contribute to the construction of the group key. Although these protocols are preferred for their contributive property, they also pose a challenge due to their multiples rounds of execution. In order to reduce the number of rounds, key agreement in groups can be performed using a trusted server or on a peer to peer basis. In peer to peer approach, one of the users take up the role of server. While this provides more flexibility, it also requires each user to be capable of assuming the role of a server. Therefore, for resource constrained user application, this may become restrictive. In key agreement protocols involving a trusted server, the contribution of users are taken by the server and a key is computed as a function of all these inputs. This model of key agreement is particularly suitable for imbalanced environments like mobile where the are one/more node with high computational ability is/are connected to a number of node with low computational efficiency. The current work is focussed in this scenario of key establishment. In such environment, the computational requirement by the low power mobile devices can become one major bottleneck if the amount of computations increases with number of users. It is therefore preferred to have the major computation burden shifted from computationally restricted mobile host nodes to computationally powerful network gateway node. In our work, we follow this asymmetric computation pattern. The amount of computations required by the mobile host nodes is independent of number of users and fixed to a constant value. Considering the bandwidth restrictions we have designed the protocol with two rounds. In the literature, some protocols have been proposed for server based contributory key agreement. However, none of them assure the user about its participation in key construction and thus user is not able to distinguish between a random key or an actual key. We note that, the contributory key agreement is meaningful only when the users verify that their contributions are indeed utilized in key construction. The contribution of this work is to provide a truly contributory group key agreement with user verifiability. i.e. In the proposed work, users are able to verify the utilization of their contributions. In addition, we consider the user groups to be completely dynamic i.e. allow the users to leave or join the group within a protocol session. The protocol provides security against each possible vulnerability of dynamically changing group membership. Moreover, the protocol provides mutual authentication between communicating parties (user and server) and perfect forward secrecy. Thus, the contributions of the work are as follows: Proposal of truly contributory group key agreement protocol where users can verify the utilization of their contributions. Allowing complete group dynamics without compromising security. Allowing mutual authentication between user and server and perfect forward secrecy Security guarantee of the protocols under formal model. Performance efficiency comparable to the existing methods. III. Security properties and adversary We now describe the formal security model for the proposed work. The model is similar to the game based security models widely used in literature [3, 14]. Protocol participants: Let U = (U 1, U 2,..., U n ) be the set of all users that can participate in the key agreement protocol. Any subset of U can decide at any point of time to establish a session key and we do not assume that these subsets are always of same size or always include the same set of participants. Each user can simultaneously participate in different protocols sessions. Thus each instance of an user U i in protocol session s is represented by the oracle Π s i. Each user U i U obtains a private-public key pair (k ir, k iu ) for signature generation/verification. Partnering: The partner ID of an user U i in session s is the set of all users who compute the same key as the user U i in that session. The partner ID is defined using session ID. We define the session ID in terms of the messages exchanged among the users in a session. Let Mij st be the concatenation of all messages that oracle Π s i has exchanged with oracle Πt j, and P i s is the set of all oracles with which Π s i has exchanged messages. The session ID for an oracle Π s i, denoted as SIDs i is defined as

3 62 Saha and Chowdhury SIDi s st = {Mij Πj t Pi s} sion key from the random key is taken as the basis of SIDi s is NULL when a session is initiated and defined when determining security of the protocol. the user accepts in the protocol execution. Let ACCi s be a variable that is TRUE if Πs i has accepted a session key and FALSE otherwise. Now we define partner A. Security definitions ID for user U i in session i is as follows: P ID i = {Π t j SIDs i SIDu k 0 SIDu k Now we define the security notions for a session key distribution within the security model given above. SIDj t 0 ACCs i = ACCu k = ACCt j = T RUE; for some Πu k } The users U i and U j are directly partnered if both have accepted and (SIDi s SIDt j ) 0. Similarly the users Freshness Freshness captures the intuitive fact that a session U i and U j are indirectly partnered if, for some user U k, key is not obviously known to the adversary. An oracle Π s i (SIDi s SIDu k ) 0 and (SIDu k SIDt j ) 0, provided all is fresh, (i.e. holds a fresh session key) if the oracle has accepted and neither the oracle nor any of its partner was asked U i, U j, U k have accepted. All the SID and P ID are public and hence available to the adversary A. a reveal query or a corrupt query. The adversary The adversary is active and computationally bound. It is assumed to have control over all communication flows in the network. The adversary communicates with the users through a number of queries, each of which represent a capability of the adversary. The queries are as follows. Send(U i, s, m): Models the ability of A to send message m to user U i. The adversary gets back from his query, the response that the user U i would have generated on processing the message m. If the message m is not in expected format, the oracle would halt. If the oracle accepts, rejects or simply halts, the reply will indicate that. If the message m = NULL, a new session would be initiated. An oracle is said to have accepted, if it has obtained/computed a session key and accepted it. Reveal(U i ): If an oracle Π s i accepts and holds a session key K, then the adversary A can use the Reveal query to obtain the session key held by the oracle. An oracle is called opened, if it has been subjected to reveal query. Corrupt(U i ): When the adversary sends a corrupt query to an user U i, the internal state information, that the user holds is revealed. Also, the long term secret key of user U i is replaced by a value K of the adversary s choice. From that point on U i will use the revised key. Considering the Corrupt query, a protocol is secure if the adversary does not succeed to reveal the long term keys of other uncorrupted users. The corrupt query models the insider attack (where one user of protocol is adversary) and unknown key share attack. An user is termed corrupted if it has been subjected to a corrupt query. T est(u i ): Once an oracle Π s i has accepted a session key K, the adversary can ask a single T est query. In reply to this query, a random bit b is chosen. If b = 0 the session key is returned, otherwise a random string is returned from the same distribution as the session keys. The advantage of the adversary to distinguish the ses- Authenticated group key agreement The security of an authenticated group key agreement protocol P is defined by a game G(A, P) between the computationally bound adversary A and protocol P. The adversary A executes the protocol P and executes all the queries described in the security model, as many times as she wishes. A wins the game, if at any time it asks a single T est query to a fresh user and gets back a l-bit string as the response to the query. At a later point of time it outputs a bit b as a guess for the hidden bit b. Let GG (Good Guess) be the event that b = b, i.e. the adversary A, correctly guesses the bit b. Then we define the advantage of A in attacking P, as AdvA P (k) = 2.P r[gg] 1 We say that a group key agreement scheme P is secure if AdvA P (k) is negligible for any probabilistic polynomial time adversary A. Secure Signature Scheme The signature scheme τ(g, S, V) is defined in the following way. A probabilistic key generation algorithm G, on input 1 k, produces a pair of matching public and private keys (P K ; S K ). A signing algorithm S is a (possibly probabilistic) polynomial time algorithm that, given a message m and a key pair (P K ; S K ) as inputs, outputs a signature Sig of m. A verification algorithm V is a (usually deterministic) polynomial time algorithm that on input (m; Sig; P K ), outputs 1 if Sig is a valid signature of the message m with respect to P K, and 0 otherwise. A signature scheme τ(g, S, V) is (t, q, ɛ) secure if there is no adversary whose probability in mounting an existential forgery under chosen message attack within time t after making q queries is greater than ɛ(negligible). The probability is denoted as Succ cma τ (A). Computational Diffie-Hellman (CDH) Assumption Let G be a cyclic group of prime order q with order g and x 1, x 2 are

4 A Conference Key Agreement Protocol for Mobile Environment 63 chosen randomly from Z q. A CDH attacker in G is a probabilistic polynomial time algorithm that given (g x1, g x2 ), outputs g x 1x 2 with non-negligible probability. The assumption is the CDH problem is intractable and there is no polynomial time CDH-attacker in G. IV. Proposed contributory key agreement protocol In this section, we describe the proposed group key agreement protocol. As stated earlier, it is based on an asymmetric communication model, where the users are connected to a powerful node or server and all message exchanges take place between the users and that node. In the protocol, the users send their contributions to the powerful node or server who combines all the contribution to compute a secret value. The computation method used here to combine contributions to the secret is polynomial interpolation. Finally, the secret value is transmitted securely to the users from the server. In the proposed protocol, the users, on receipt of the secret, can verify it to see whether their contributions were indeed used in the secret computation. Irrespective of the number of users, the protocol finishes in two rounds of communication: first users to server and then server to users. The protocol also includes auxiliary protocols for dynamic user handling, i.e., user join and leave. We shall use the following notations for the protocol descriptions. The system model that we consider for this work consists of a cluster of n mobile hosts or users with limited computational power U = {U 1, U 2,..., U n }, and one computationally efficient node called server or network center (N C). The participants communicate with the server to establish a common conference key among themselves. The users do not communicate among themselves. All the communications are through server (NC). The NC is responsible to add and join users from the group. The public parameters are cyclic group G p,with generator g, hash function H and the signature scheme. They are assumed to be known to all the participants in advance. Each user U i and NC has a unique identity ID i. The NC has a (private,public) key pair (pr nc, pu nc ) for encryption-decryption and signature. Each user U i also has a set of (private,public) key pair (pr i, pu i ) for signature generation and verification. The step by step description of the protocol is as follows: A. Proposed protocol Step 1: (User input preparation) Each user U i with identity ID i chooses its contribution (x i ) and a number r i randomly. It then computes z i = g ri. Let T be the current timestamp. The values of (ID i, ID nc, x i, T ) are then encrypted with NC s public key. e i = {ID i, ID nc, x i, T } punc It also takes a signature sig i of (ID i, ID nc, x i, z i, T ) using it s private signature key. sig i = Signature pri (ID i, ID nc, x i, z i, T ) Each user then sends e i, z i, sig i to the NC. U i NC : e i, z i, sig i In applications where maintaining synchronized clock is not possible, a logical clock/counter can be assumed for timestamp. Step 2: (Server receipt and verification) The NC receives all the messages and decrypts them. It then verifies all the signatures of the corresponding users. It also checks the validity of the timestamp and accepts if the signatures and timestamps are valid. Step 3: (Computation of secret) The pair of identity and random value (ID i, x i ) received from each user is taken as it s contribution to construct the key. NC itself also selects a random number x G p as its contribution. The secret is constructed by interpolating all the contributions. The interpolation method is discussed as follows. The unisolvence theorem of polynomial interpolation states that Definition : Given a set of (n + 1) data points (x i, y i ) where no two x i are the same, there exist one unique polynomial p of degree n with the property: p(x i ) = y i, i = 0,..., n. Suppose that the interpolation polynomial is in the form: A(x) = a 0 + a 1 x + a 2 x a n x n (1) The statement that A(x) interpolates the data points means that A(x i ) = y i. If we substitute equation (1) in here, we get a system of linear equations in the coefficients a i. a 0 + a 1 x 0 + a 2 x a n x n 0 = y 0 a 0 + a 1 x 1 + a 2 x a n x n 1 = y =... a 0 + a 1 x n + a 2 x 2 n + + a n x n n = y n The system in matrix-vector form reads 1 x 0 x x n 0 a 0 1 x 1 x x n a x n x 2 n... x n a n n = y 0 y 1... y n We have to solve this system for a i to construct the interpolant A(x). The matrix on the left is commonly referred to as a Vandermonde matrix. The determinant of the matrix is expressed as follows:

5 64 Saha and Chowdhury det(v ) = Π 1 i j n (x j x i ) For unique values of x i (i = 0, n), the determinant is nonzero. In the proposed protocol, the n values of (ID i, x i ) and (ID nc, x) are taken as (n + 1) input points to the interpolation algorithm. Let the resulting polynomial be A(x) = a 0 + a 1 x + a 2 x a n x n The secret value is constructed K = (a 0 a 1... a n ). Step 4:(User message preparation) NC now picks up a random value r Z q. For each user M i, NC constructs w i = z r i = grri. For each user U i, NC computes a one way hash H(ID i, ID nc, x i, w i ) over the identity ID i, ID nc, contribution x i and w i. Then the secret value K is xored with this hash value to obtain a value P i as follows: P i = K H(ID i, ID nc, w i, x i ) Now, the length of K is dependent on the number of coefficients, which in turn depends on the number of users present. If the number of users (n) in the conference is large enough such that the length of K is more than the length of the hash function output then instead of computing P i directly, the following fragmentation is performed. Suppose the length of hash function H output is equal to the length of l coefficients. Then the secret K is divided in λ fragments, each having l coefficients. Let these fragments be K 1, K 2,..K λ. Here K 1 = (a 0 a 2... a l ), K 2 = (a l+1... a 2l )..., K λ = (a (λ 1)l... a n ) Now, NC performs the computation P 1i = (K 1 H(ID i, w i, x i, ID nc ), B) P 2i = (K 2 H(ID i, w i, x i, ID nc ), B)... P λi = (K λ H(ID i, w i, x i, ID nc ), B) Let P i = (P 1i, P 2i,..., P λi ) B is a single bit field used to indicate whether there are more fragments following. B is 0 for the last fragment and 1 otherwise. Figure 1 shows the construction and format of the fragments. Let Y = {P i i = 1...n}, NC takes a signature σ i of the values (ID nc, Y, U) using its private signature key. sig i = Signature prnc (ID nc, Y, U, g r ) It then creates a broadcast message M = {Y, σ i, g r } and broadcasts M to all the users. Step 5:(Secret key computation & Verification) Each user U i, (i = 1, n) will receive the NC s messages and verify the signature of NC. The user then computes w i = (g r ) r i using its own r i value. Then the value of H(ID i, w i, x i, ID nc ) is calculated. The user will obtain the shared secret as follows: P i H(ID i, w i, x i, ID nc ) = K H(ID i, w i, x i, ID nc ) H(ID i, w i, x i, ID nc ) = K If K is sent fragmented, the user has to obtain all the fragments in a similar manner and combine them to get the secret. K 1 = P 1i H(ID i, w i, x i, ID nc ) K 2 = P 2i H(ID i, w i, x i, ID nc ). K = K 1 K 2 K λ The users can now verify whether the secret is constructed using their contributions. If the contribution x i of user U i is used, then the relation A(ID i ) = x i should be true. The verification is done in the following way: After receiving the coefficients, user U i will compute the following: A(ID i ) = a 0 + a 1 ID i + a 2 IDi a nidi n If this value is equal to x i, the user knows his/her contribution was used in key construction. According to Horner s rule, this computation can be written as a 0 + a 1 ID i + a 2 ID 2 i a nid n i =a 0 + ID i (a 1 + ID i (a 2 + ID i (... ))) This way, the verification requires only n multiplications. Finally, the shared secret key for conference is computed by all the users as Key = F(K, U), where F is a predefined one-way function. Figure 2 demonstrates one instance of the Key Agreement scheme of the protocol. B. Dynamic handling of user join and leave When a conference session is in progress, users may be allowed to join or leave. In some applications it may not be desirable that a new joining user understands the content of previous conversations. Similarly, it is also not desirable that a leaving user continues to understand the ongoing conversation. Thus, ensuring the security of the conference while allowing dynamic join and leave is essential. In the proposed protocol, the security of the secret key while maintaining dynamic join/leave is maintained in the following way. User Join When a new user U new with identity ID new joins, the NC takes its share (ID new, x new ). The set of users is updated as U = U U new. NC also refreshes its contribution to (ID nc, x ) using a new random value x. Then the new shared secret is recomputed and distributed via single broadcast to all the users. The detail is similar to the method described in steps 3 to 5 of the protocol description.

6 A Conference Key Agreement Protocol for Mobile Environment 65 e1 K 1 e2 e3 K 2... e4 lam PSfrag replacements h a 0, a 1, a 2, a 3,..., a n 1, a n K λ a 0 a 1... a l a l+1 a l+2... a 2l a (λ 1)l+1... a n H(w i, x i, ID nc ) P 1i P 2i Sfrag replacements P λi x 1, r 1 P 1i Z, 1, q P 2i, 1,..., P λi, 0 x 2, r 2 Z q x n, r n Z q z 1 = g r 1 z 2 = g r2 User 1 z n = g rn T, ID nc } pus, z 1, s 1 {ID 2,..} pus, z 2, s 2 e1 {ID n,..} pus, z n, s n e11 K H(T, x 1, w 1 ) P 2 =... P n =... x + a e7 2 x 2 +..a n x n = a 0 a 1... a n a1 w 1 = z1 r w 2 = z2 r E1 w n = zn r H(ID nc, x i, w i, T ) {K i i = 1..n} M = (Y, g r, T ) (w e4 i, x i, ID nc, ID i ) K =... K =...? a 0 + a 1 ID A x 2 =?.. x n =?.. Key = F (K, U) Key = (...) K1 e5 e6... P i e8 e7 Figure. 1: Message format for large n M... Network Center (NC) w1 w2 wn e2 e22 e5 Y e8 a2 E K User 2 e3 e33 e6 User n e9 a3 E Figure. 2: Proposed Conference Key Agreement Protocol User Leave When an existing user U old with identity ID old leaves, NC discards its share (ID old, x old ). The set of users is updated as U = U U old. NC also changes its contribution to (ID nc, x ) using a new value x. Then the shared secret is computed and distributed as described in steps 3 to 5 of the protocol description. It can be noted that, as one group member joins or leaves, it s corresponding contribution point is added/discarded. The N C s contribution also changes. So, whenever there is a change in membership, atleast two points of the secure poly-

7 66 Saha and Chowdhury nomial change and its value is refreshed. Now, from the property of polynomial interpolation, it is known that, if 1 out of (n + 1) points on a n degree polynomial is changed, the polynomial changes in an unpredictable way. This is information theoretically true. Thus, secrecy of the previous (new) key from new (former) group members is maintained. V. Formal Security Analysis The general idea of the security proof is to assume that the protocol adversary can gain an advantage and use this to break the security assumptions. The proof is based on simulation of the oracles to answer all the adversary queries. We follow the proofing techniques of [12] by dividing it to two cases: First, authentication attacker, i.e. attacking the signature scheme, then attacking the confidentiality. Signature Forger In this case, the adversary A breaks the protocol by forging a signature with respect to some user or NC s public key. Thus, in this case, we reduce the security of the protocol P to the security of the signature scheme τ, by constructing an efficient forger F, who on input of long term key P K and access to a signing oracle associated with this key, outputs a valid forgery w.r.t. P K. F has access to the signing oracle H. Its output should be a forged signature for a fresh message m which was not asked previously. Now, F randomly selects a user U f from the set of users. U f R [U 1... U n ]. U f is F s guess at which user A will choose for forgery. For the user U f it sets the public key P K i to P K. For all other users it selects their keys using a key generation algorithm. F also generates the encryption keys for all the users. The forger F now runs the adversary A and answers its queries as follows: Any Send(U i, s, m) query will be replied with some valid answer by F. In the protocol, if U i = U f, F will forge the signature using forged public key of U f, otherwise it will generate the reply as per protocol specification. The information is returned to A. The Reveal query can be trivially answered with the session key. If U i = U f, the corrupt query cannot be answered and F will abort and output F ail as F does not know the actual secret key of U f. In all other cases the query is answered using the long term secret key generated by F itself. The T est query is answered trivially. The simulation continues and F is able to answer all the queries apart form corrupt(u f ). It looks for a message with valid signature value (m, σ) combination which was accepted. If no such values are found until A stops, F outputs F ail otherwise it produces (m, σ) as the valid forgery with respect to user U f s forged key K. Let A succeeds by forging a signature with probability Succ A. In this case F does not halt as U f is not corrupted before forging. The probability that this is forgery with respect to the public key P K i of some user U f [U 1... U n ] is 1 n Thus, the probability of success for Forger F to forge a signature is: P r(success of F) P r(success of A). P r(choosing U i ) or P r(succ τ F ) P r(succ A) n Thus, the probability of an adversary A attacking the protocol is at most n times the probability of signature forgery. So, if P r(succ A ) is non-negligible, P r(succ F ) is also nonnegligible. i.e. if the adversary A has non-negligible probability of success against the protocol, then there exist a function F with non-negligible probability of success against the signature scheme, which contradicts our security assumption about the signature scheme. Confidentiality attacker In the proposed protocol, the user contributions are sent encrypted to the NC. However, NC also gives a fresh input (ID nc, x) in the final construction of the polynomial, which is not compromised even if the encryption is attacked. According to the polynomial interpolation property, in the absence of this input, the final value of the polynomial cannot be obtained. Thus, an encryption attacker cannot gain any information about the final key. However, the key is transmitted XOR-ed with a hash of the contribution, identities and w i. The security of the hashed value thus depends on the security of contribution and w i. As, the disclosure of the contribution alone, does not give meaningful information to the adversary, the confidentiality of the key is dependent on the construction of w i. The construction of w i = g rir is based on the hardness of computational Diffie- Hellman (CDH) problem. Thus, we use A to form a CDH-attacker X which has a nonnegligible advantage against the security of CDH property. We assume that A gains an advantage without forging a signature. X receives as input an instance (g a, g b, C) of the CDH problem. Let U x [U1, U n ] and t [1, q] are the X s guess at which user and session the A will be given the inputs. A list L H is maintained to answer the queries to the hash oracles. If a query of the form H(x i, w i, ID i, ID nc ) is asked, then the list is searched to see if the same query was asked previously. If so, then the previous answer stored in the list will be returned to maintain consistency. Otherwise, a random value is returned. This answer together with the query is stored in the L H list. All the signature keys and public keys are known to X. X answers the queries of A in the following way: The Send(U i, s, ) query initiate a communication s between user U i and server. This query is handled as per the protocol specification. A random x i is generated and {ID i, ID nc, x i, T } punc is returned. Send(NC, U i, s, m): If the received message is in correct format, and U i U x

8 A Conference Key Agreement Protocol for Mobile Environment 67 and s t, this query is answered correctly. Reveal(U i, s) : This query is answered by returning the session key of session s, if available. Corrupt(U i, s) : If U i U x and s t this query is answered otherwise, as the values of a, b are not known, a F ail is returned. Let E be the event that A is successful before making the query Corrupt(U 1 ) in session t. Thus, if X is successful, the probability that the user involved is U x is 1 n and session involved is t is 1 n. Also, in this case, X does not Fail as U i was not asked the corrupt query Thus, P r(success of F) P r(success of A). P r(choosing U i ).P r(choosing t) or P r(succ cdh (X)) P r(succ cdh(a)) nq Thus on the assumption that A does not perform a signature forgery, it is shown that a non-negligible advantage of attacking the CDH can be turned into the non-negligible probability of the existence of a CDH-attacker. This violates the security assumption. Thus the advantage of adversary is negligible. VI. Performance analysis Table 1 shows a comparison of the proposed work is shown with respect to existing similar works. Here first two columns show the computation requirements of user and N C respectively. next two columns show the number of rounds and messages required to complete the protocols. Dynamic in next column denotes whether the protocol is dynamic or not, Auth denotes whether authentication is provided, FS denotes forward secrecy and Verif denotes user verifiability and PS denotes whether the protocol is provably secure. In the computations, Ex denotes exponentiation, Sig is signature, Sv signature verification, E encryption and D denotes decryption. (u) and (b) denotes unicast and broadcast respectively. The table shows that the proposed protocol, in-spite of offering the verifiability, mutual authentication and forward secrecy property, is comparable to the existing works. Apart from [10], the rest of the protocols also use 2 exponentiations. The 2 exponentiations used in the proposed protocol are solely to support the forward secrecy property and can be made optional. The extra encryption in the proposed protocol is not expensive as it is a public key (3 5 bit) exponentiation. The [10], despite being computation efficient uses (n 1) broadcasts which is expensive. VII. Conclusion In this work, we have proposed a provably secure true conference key agree- ment protocol that provides the users the facility to verify the utility of its contribution in the key construction. The protocol also provide important security properties like forward secrecy and mutual authentication. The assymetric computation property of the protocol makes is suitable for mobile communication environmment. References [1] G. Ateniese, M. Steiner, and G. Tsudik: New multiparty authentication services and key agreement protocols, IEEE Journal on Selected Areas in Communications, Vol. 18, No. 4, pp , April [2] K. Becker, and U. Wille, Communication complexity of group key distribution, Proceedings of the 5 th ACM Conf. on Computer and Communications Security, pp. 1-6, [3] M. Bellare and P. Rogaway, Entity authentication and key distribution - Advances in Cryptology, Crypto 93, LNCS 773, pp , [4] M. Bellare and P. Rogaway, Provably secure session key distribution: the three party case, Proceedings of the 27 th ACM Symposium on the Theory of Computing (STOC), pp , [5] I. Ingemarsson, D. Tang, and C. Wong, A conference key distribution system, IEEE Trans. on Information Theory, Vol. 28, No. 5, pp , September [6] M. Just and S. Vaudenay, Authenticated multi-party key agreement, Proceedings of the Asiacrypt 96, LNCS 1163, pp , [7] Y. Kim, A. Perrig, and G. Tsudik, Simple and fault-tolerant key agreement for dynamic collaborative groups, Proceedings of the 7 th ACM Conf. on Computer and Communications Security, pp , [8] Y. Kim, A. Perrig, and G. Tsudik, Communicationefficient group key agreement, Prockeedings of the International Federation for Information Processing, 16 th International Conference on Information Security (IFIP SEC 01), pp , June, [9] J. Katz and M. Yung, Scalable protocols for authenticated group key exchange, Proceedings of the Crypto 03, LNCS 2729, pp , August [10] C. Boyd and J.M.G. Nieto, Round-optimal contributory conference key agreement, Proceedings of the 6 th International Workshop on Practice and Theory in Public Key Cryptography (PKC 03), LNCS 2567, pp , [11] E. Bresson and D. Catalano, Constant round authenticated group key agreement via distributed computation, Proceedings of the 7 th International Workshop on Practice and Theory in Public Key Cryptography (PKC 04), LNCS 2947, pp , 2004.

9 68 Saha and Chowdhury Table 1: Comparison with existing protocols Prot User NC round Message Dynamic Auth PFS Verif PS [19] 2Ex (n + 1)Ex 2 n 1(u),1(b) Y N Y N Y [10] 1Sig,1Sv (n 1)E,1Sig,Sv 1 n(b) N Y N N Y [12] 2Ex, (n 1)Ex 2 n 1(u),1(b) Y N N N Y [23] 1Ex,1E 1Ex,nD (n 1) Y Y N N N [24] 1Ex,1E 1Ex,nD (n 1) Y Y N N N Here 2Ex,1S,1Sv (n 1)D 2 n 1(u),1(b) Y Y Y Y Y [12] E. Bresson, O. Chevassut, A. Essiari and D. Pointcheval: Mutual authentication and group key agreement for low-power mobile devices. Computer Communications 27(17): pp , [13] E. Bresson, O. Chevassut, and D. Pointcheval, Provably authenticated group Diffie-Hellman key exchange: the dynamic case, Proceedings of the Asiacrypt 01, LNCS 2248, pp , [14] E. Bresson, O. Chevassut, and D. Pointcheval, Group Diffie-Hellman key exchange secure against dictionary attacks, Proceedings of the Asiacrypt 02, LNCS 2501, pp , [15] E. Bresson, O. Chevassut, D. Pointcheval, and J.- J. Quisquater, Provably authenticated group Diffie- Hellman key exchange, Proceedings of the 8 th ACM Conf. on Computer and Communications Security, pp , [16] M. Burmester and Y. Desmedt, A secure and efficient conference key distribution system, Proceedings of the Eurocrypt 94, LNCS 950, pp , [17] W. Diffie and M.E. Hellman, New Directions in cryptography, IEEE Transactions on Information Theory, Vol. 22, pp , [18] W.G. Tzeng and Z.-J. Tzeng, Round-efficient conference key agreement protocols with provable security, Proceedings of the Asiacrypt 00, LNCS 1976, pp , [22] X. Yi, C.K. Siew, C.H.Tan and Y. Ye, A Secure Conference Scheme for mobile communications, IEEE Transaction on wireless communicaions, Vol 2, No. 6, pp , [23] K.F. Hwang and C.C. Chang, A self-encryption mechanism for authentication of roaming and teleconference services, IEEE Transaction on Wireless Communications, Vol 2, pp , [24] Y. Jiang, C. Lin, M. Shi and X. S. Shen, A selfencryption authentication protocol for teleconference services, International Journal of Security and Networks, Vol. 1, No. 3/4 pp , Author Biographies Mounita saha is currently persuing PhD in Computer Science and Engineering in Department of Computer Science and Engineering, IIT Kharagpur. She received her Masters in Science (MS) in Computer Science and Engineering from the same department in Her research interests are cryptography, security protocols and networking. Dipanwita Roy Chowdhury is a Professor in the department of Computer Scienece and Engineering, Indian Institute of Technology, Kharagpur, India. Her current research interests are in the field of Cryptography, VLSI Testing and Cellular Automata. Dr. Roy Chowdhury received her B.Tech and M.Tech. degrees in Computer Science from University of Kolkata in 1987 and 1989 respectively, and the PhD degree from the department of Computer Science and Engineering, Indian Institute of Technology, Kharagpur, India in [19] J. Nam, J. Lee, S. Kim and D. Won, DDH-based group key agreement in a mobile environment, Journal of Systems and Software, Vol. 78, No. 1, pp , [20] M.S. Hwang, W.P. Yang, Conference key distribution schemes for secure digital mobile communications, IEEE Journal on Selected areas in communications, Vol. 13, No. 2, pp , [21] M.S. Hwang, Dynamic participation in a secure conference scheme for mobile communications, IEEE transaction on vehicular technology, Vol. 48, No. 5, pp , 1999.