A Secure Fault-Tolerant Conference-Key Agreement Protocol
Author: Wen-Guey Tzeng
Source: IEEE Transactions on Computers
Speaker: LIN, KENG-CHU

Outline
- Introduction
- Model
- Design principles
- Concrete protocol
- Security analysis
- Conclusion

Introduction
- What is a conference key?
- Types of conference-key protocols:
  - Key distribution protocol
  - Key agreement protocol
  Conference keys are either pre-distributed or dynamically distributed.
- Types of adversary:
  - Active
  - Passive

Model
- User: a probabilistic polynomial-time Turing machine
- A public directory
- An authenticated broadcast network
- Passive adversary and active adversary

Design Principles (1/2)
- Component-based:
  - Easy to upgrade
  - Easy to apply strong security analysis
  - Flexible and suitable for use in a large system
- The idea of the protocol: every member handles one sub-function of a multiparty-computation function.
- Components:
  - Secure multiparty computation for f_i
  - K_i commitment and verification

Design Principles (2/2)
Stages of the protocol:
- Secret distribution and commitment
- Sub-key computation and verification
- Fault detection
- Conference-key computation

A Concrete Protocol (1/5)
The system has public parameters:
- p, q: large primes with p = 2q + 1
- H: a one-way permutation from Z_q to Z_q
- g: a generator of the subgroup
Each user U_i has two parameters:
- Private parameter x_i: a number in
- Public parameter y_i:

A Concrete Protocol (2/5)
Secret distribution and commitment (each participant U_i does the following):
a) Randomly select
b) Compute a polynomial h_i(x) that passes through the points , 1 ≤ j ≤ n
c) Compute and broadcast

A Concrete Protocol (3/5)
Sub-key computation and verification (each participant U_i does the following for j ≠ i):
a) On receiving w_jl, 1 ≤ l ≤ n, and α_j, compute the polynomial that passes through , 1 ≤ l ≤ n
b) Let
c) Check whether is the ElGamal signature of ; if so, broadcast V_ij = "success", otherwise broadcast V_ij = "failure"

A Concrete Protocol (4/5)
Fault detection (each participant U_i does the following for j ≠ i):
a) On receiving V_ji = "failure" for some U_j (U_j claims that U_i itself is faulty):
   (1) Output R_i, K_i, S_i.
b) On receiving V_jm = "failure" for some U_m (U_j claims that U_m is faulty):
   (1) Wait for U_m's fault-detection messages R_m, K_m, S_m.
   (2) If U_m's fault-detection messages are not received, mark U_m as a malicious participant.
   (3) On receiving R_m, K_m, S_m, check their correctness. If they are correct, mark U_j as malicious.
c) Restart the protocol after deleting the malicious participants.

A Concrete Protocol (5/5)
Conference-key computation: if no faults are detected in the fault-detection stage, each participant U_i computes the conference key , where the current participant set is
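An added toy implementation of the stages above (my own sketch, not code from the slides or from Tzeng's paper). Because the slides elide the formulas, it assumes that U_i's secret polynomial passes through (0, K_i) and (j, H(g^(x_i x_j))) for 1 ≤ j ≤ n, that U_i broadcasts its values at n+1, ..., 2n, and that the commitment is an ElGamal signature on H(K_i); p = 23, q = 11, g = 4 and the linear H are toy stand-ins, and the `fake` argument models the cheating that Lemma 1 addresses.

```python
# Added example, not the slides' or Tzeng's own code: toy walk-through of the
# secret-distribution, sub-key-verification and key-computation stages. The
# slides omit the formulas, so the points, the pairwise secret and H are assumed.
P, Q, G = 23, 11, 4                   # assumption: toy p = 2q+1 and g of order q
H = lambda m: (7 * m + 3) % Q         # assumption: toy permutation on Z_q, stands in for H

def interp(points, at):
    """Evaluate, over Z_q, the unique polynomial through `points` at x = at (Lagrange)."""
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num = num * (at - xj) % Q
                den = den * (xi - xj) % Q
        total = (total + yi * num * pow(den, -1, Q)) % Q
    return total
def sign(x, m, r):
    """ElGamal signature (gamma, delta) on m in Z_q under private key x, nonce r in Z_q^*."""
    gamma = pow(G, r, P)
    return gamma, (m - x * gamma) * pow(r, -1, Q) % Q
def verify(y, m, sig):
    """ElGamal check y^gamma * gamma^delta == g^m (mod p) against public key y = g^x."""
    gamma, delta = sig
    return pow(y, gamma, P) * pow(gamma, delta, P) % P == pow(G, m, P)
def shared(x_i, y_j):
    """Assumption: U_i's point at x = j is H of the pairwise DH value y_j^x_i = g^(x_i x_j)."""
    return H(pow(y_j, x_i, P) % Q)

def distribute(x_i, ys, k_i, r_i, fake=None):
    """Stage 1 for U_i: h_i is the degree-n polynomial through (0, k_i) and (j, s_ij),
    1 <= j <= n; broadcast w_il = h_i(n + l), 1 <= l <= n, plus an ElGamal signature of
    H(k_i) as the commitment. `fake = (j, value)` plants a wrong point for U_j (a cheater)."""
    n = len(ys)
    pts = [(0, k_i)] + [(j, shared(x_i, ys[j - 1])) for j in range(1, n + 1)]
    if fake:
        pts[fake[0]] = fake
    return [(n + l, interp(pts, n + l)) for l in range(1, n + 1)], sign(x_i, H(k_i), r_i)

def subkey(x_i, i, y_j, bcast):
    """Stage 2 for U_i on U_j's broadcast: add its own point (i, s_ji) to the n public
    points, recover K_j = h_j(0) and check it against the commitment; returns (K_j, V_ij)."""
    w, sig = bcast
    k_j = interp(w + [(i, shared(x_i, y_j))], 0)
    return k_j, "success" if verify(y_j, H(k_j), sig) else "failure"

def conference_key(subkeys):
    """Stage 4: K = (K_1 + ... + K_n) mod q over the accepted sub-keys."""
    return sum(subkeys) % Q
```

Call distribute() once per user and subkey() for every pair; a planted point makes exactly the targeted user recover a different K_j and vote "failure", which is the event the fault-detection stage acts on.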

Security Analysis (1/3)
- Correctness
- Fault tolerance
- Security against passive attackers

Security Analysis (2/3): Correctness
Theorem (correctness): if all participants follow the protocol, they compute a common conference key.
Proof:
1. From the broadcast message of participant U_j, U_i can compute the polynomial h_j(x) and then h_j(0) = K_j.
2. By verifying (γ_j, δ_j), U_i can check whether K_j is correct. Since for fixed (γ_j, δ_j) the signed text H(K_j) is unique, all participants compute the same K_j. Thus they compute the same key K = (K_1 + K_2 + ... + K_n) mod q.
Lemma 1: any malicious participant U_i who tries to cheat honest participants into accepting different K_i shall be excluded from the participant sets of all honest participants.
Lemma 2: no honest participant excludes any other honest participant from his participant set.

Security Analysis (3/3): Fault tolerance
Theorem (fault tolerance): all honest participants have the same participant set and thus compute the same conference key, no matter how many participants are malicious.
Proof: by the two lemmas, only two kinds of participants remain in the system: the honest participants, and those who, though deviating from the protocol, still make all honest participants compute the same key.

Conclusion
- The paper proposes a secure, fault-tolerant and efficient protocol that completes after deleting all malicious users.
- Its drawback is that the size of the messages each participant sends is proportional to the number of users.
- Future work: design a protocol that is both round-efficient and message-efficient.