A Secure Fault-Tolerant Conference- Key Agreement Protocol Wen-Guey Tzeng Source : IEEE Transactions on computers Speaker : LIN, KENG-CHU.


1 A Secure Fault-Tolerant Conference-Key Agreement Protocol
Wen-Guey Tzeng
Source: IEEE Transactions on Computers
Speaker: LIN, KENG-CHU

2 Outline
- Introduction
- Model
- Design Principles
- Concrete protocol
- Security analysis
- Conclusion

3 Introduction
- What is a conference key?
- Types of conference-key protocol
  - Key distribution protocol
  - Key agreement protocol
- Conference keys are either pre-distributed or dynamically distributed.
- Types of adversary
  - Active
  - Passive

4 Model
- User: a probabilistic polynomial-time Turing machine
- A public directory
- Authenticated broadcast network
- Passive adversary and active adversary

5 Design Principles (1/2)
- Component-based
  - Easy to upgrade
  - Easy to apply strong security analysis
  - Flexible and suitable for use in a large system
- The idea of the protocol: every member handles a sub-function of a multiparty-computation function.
- Components
  - Secure multiparty computation for f_i
  - K_i commitment and verification

6 Design Principles (2/2)
- Stages of the protocol
  - Secret distribution and commitment
  - Sub-key computation and verification
  - Fault detection
  - Conference key computation

7 A Concrete protocol (1/5)
- The system has public parameters
  - p, q : large prime numbers with p = 2q + 1
  - H : a one-way permutation from Z_q to Z_q
  - g : a generator for the subgroup
- Each user U_i has two parameters:
  - Private parameter x_i : a number in
  - Public parameter y_i :

8 A Concrete protocol (2/5)
Secret distribution and commitment (each participant U_i does the following)
a) Randomly select
b) Compute a polynomial h_i(x) that passes points 1 ≤ j ≤ n
c) Compute and broadcast

9 A Concrete protocol (3/5)
Sub-key computation and verification (each participant U_i does the following for j ≠ i)
a) On receiving w_jl, 1 ≤ l ≤ n, and α_j, compute the polynomial that passes 1 ≤ l ≤ n
b) Let
c) Check whether is the ElGamal signature of if so, broadcast V_ij = "success", otherwise broadcast V_ij = "failure"

10 A Concrete protocol (4/5)
Fault detection (each participant U_i does the following for j ≠ i)
a) On receiving V_ji = "failure" for some U_j: U_j claims that U_i itself is faulty.
   (1) Output R_i, K_i, S_i.
b) On receiving V_jm = "failure" for some U_m: U_j claims that U_m is faulty.
   (1) Wait for U_m's fault detection messages R_m, K_m, S_m.
   (2) If U_m's fault detection messages are not received, set U_m as a malicious participant.
   (3) On receiving R_m, K_m, S_m, check their correctness. If they are correct, set U_j as malicious.
c) Restart the protocol after deleting the malicious participants.

11 A Concrete protocol (5/5)
Conference-key computation: if no faults are detected in the fault detection stage, each participant U_i computes the conference key where the current participant set is

12 Security analysis (1/3)
- Correctness
- Fault tolerance
- Security against passive attackers

13 Security analysis (2/3)
Correctness
Theorem (correctness): if all participants follow the protocol, they compute a common conference key.
Proof:
1. From the broadcast message of participant U_j, U_i can compute the polynomial h_j(x) and then compute h_j(0) = K_j.
2. By verifying (γ_j, δ_j), U_i can check whether K_j is correct. Since for fixed (γ_j, δ_j) the signed text H(K_j) is unique, all participants compute the same K_j. Thus, they compute the same key K = (K_1 + K_2 + … + K_n) mod q.
Lemma (1): any malicious participant U_i who tries to cheat honest participants into accepting different K_i shall be excluded from the participant sets of all honest participants.
Lemma (2): no honest participant excludes any other honest participant from his participant set.
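The sub-key recovery h_j(0) = K_j and the key sum K = (K_1 + … + K_n) mod q from the correctness argument above, as an added Python example that is not taken from the slides or the paper. The toy parameters, the function names and the choice of interpolation points (one Diffie-Hellman-masked point per receiver) are assumptions of this example, and the ElGamal commitment check is left out; the `corrupt` flag shows the disagreement that check exists to catch.

```python
import secrets

# Toy parameters constructed for this example: p = 2q + 1 with p, q prime.
Q = 1019
P = 2 * Q + 1
G = 4  # a square mod p, so it generates the order-q subgroup

def lagrange_eval(points, x):
    """Evaluate at x the unique polynomial over Z_q through `points`."""
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num = num * (x - xj) % Q
                den = den * (xi - xj) % Q
        total = (total + yi * num * pow(den, -1, Q)) % Q
    return total

def distribute(K_i, pub_keys):
    """Sender U_i: put K_i at h_i(0); point j is masked with a DH value for U_j.
    The choice of masked points is an assumption of this example."""
    n = len(pub_keys)
    R = secrets.randbelow(Q - 1) + 1
    pts = [(0, K_i)] + [(j, pow(y, R, P) % Q) for j, y in enumerate(pub_keys, 1)]
    w = [lagrange_eval(pts, n + l) for l in range(1, n + 1)]
    return w, pow(G, R, P)  # broadcast (w_i1..w_in, alpha_i)

def recover(w, alpha, idx, x_priv):
    """Receiver U_idx: n broadcast points plus its own masked point give h_j(0)."""
    n = len(w)
    pts = [(n + l, w_l) for l, w_l in enumerate(w, 1)]
    pts.append((idx, pow(alpha, x_priv, P) % Q))
    return lagrange_eval(pts, 0)

def run_conference(n=4, corrupt=False):
    """Return (key computed by each participant, true sum of sub-keys mod q)."""
    priv = [secrets.randbelow(Q - 1) + 1 for _ in range(n)]
    pub = [pow(G, x, P) for x in priv]
    subkeys = [secrets.randbelow(Q) for _ in range(n)]
    msgs = [distribute(K, pub) for K in subkeys]
    if corrupt:  # alter one broadcast share of U_1 to model a faulty sender
        msgs[0][0][0] = (msgs[0][0][0] + 1) % Q
    keys = [sum(recover(w, a, i, priv[i - 1]) for w, a in msgs) % Q
            for i in range(1, n + 1)]
    return keys, sum(subkeys) % Q

if __name__ == "__main__":
    print(run_conference())
```

With `corrupt=True` every receiver reconstructs a wrong sub-key for U_1, so no computed key matches the honest sum.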

14 Security analysis (3/3)
Fault tolerance
Theorem (fault tolerance): all honest participants have the same participant set and thus compute the same conference key, no matter how many participants are malicious.
Proof: By the two lemmas, there are two kinds of participants in the system: one is the honest participant and the other is the one who, though deviating from the protocol, makes all honest participants compute the same key.

15 Conclusion
- Proposes a secure, fault-tolerant, efficient protocol after deleting all malicious users.
- The flaw is that the size of the messages that each participant sends is proportional to the number of users.
- The future work is to design a protocol that is both round-efficient and message-efficient.

