A Note on an Improved Self-Healing Group Key Distribution Scheme

Abstract

In 2014, Chen et al. proposed a one-way hash self-healing group key distribution scheme for resource-constrained wireless networks in the journal of Sensors (14(14):24358-24380, doi: 10.3390/s141224358). They asserted that their Scheme 2 achieves $mt$-revocation capability, $mt$-wise forward secrecy, $any$-wise backward secrecy and has $mt$-wise collusion attack resistance capability. Unfortunately, this paper pointed out that their scheme does not satisfy the forward security, $mt$-revocation capability and $mt$-wise collusion attack resistance capability.

1. Introduction

Group communication includes a group manager (GM) and some group members, in which all of the group members share a common session key which is distributed by GM. In order to achieve secure group communication in unreliable wireless networks, Staddon et al. [1] introduced a group key distribution scheme with self-healing mechanism, which allows a group member to recover session keys even if he doesn’t receive the corresponding broadcast messages because of packet loss, without requesting anything to the group manager. Recently, Chen et al. [2] developed two schemes to realize the self-healing group key distribution based on one-way hash chain. The proposed Scheme 2 has the constant storage overhead and low communication overhead, thus is very suitable for the resource-constrained wireless networks. They assert that their scheme is secure, i.e., satisfies $mt$-revocation capability, $mt$-wise forward secrecy, $any$-wise backward secrecy and resistance to $mt$-wise collusion attack. Unfortunately, we found a revoked user can recover other legitimate users’ personal secrets which can be used to recover the current session’s session key, this directly breaks the forward security, $mt$-revocation capability and $mt$-wise collusion attack resistance capability. Thus, Chen et al.’s Scheme 2 is insecure.

2. Overview of Chen et al.’s Scheme

Chen et al.’s self-healing group key distribution Scheme 2 includes five parts: Set up, Broadcast in session j, Group session key recovery and self-healing, Group member addition and Group member revocation. Here we only describe the first three parts which is helpful to understand the attack.

(1)

Set up

The GM selects a random 2t-degree polynomial $s_1\left(x\right)=a_0+a_{1}x+\cdots +a_{2t}{x}^{2t}$ and a random t-degree polynomial $s_2\left(x\right)=b_0+b_{1}x+\cdots +b_t{x}^t$ from $F_q\left[x\right]$. Then, the GM chooses a random value ${\epsilon }_1$ from $F_q$. The GM sends the user’s personal secret ${\mathcal{S}}_i=\{{\epsilon }_1·s_1\left(i\right),{\epsilon }_1·s_2\left(i\right)\}$ to a user via a secure channel.

(2)

Broadcast in session j (for $1\le j\le m$)

Let ${\mathbf{R}}_j=\{R_j^1,R_j^2,\cdots ,R_j^{j^{\prime }},\cdots ,R_j^j\}$ be the set of revoked users before and in session j, where $R_j^{j^{\prime }}$ is the set of users who join the group in session $j^{\prime }$ and are revoked before and in session j. $R_j^{j^{\prime }}=\{U_{r_1^{j^{\prime }}},U_{r_2^{j^{\prime }}},\cdots ,U_{r_{w_{j^{\prime }}}^{j^{\prime }}}\}$ and $|R_j^{j^{\prime }}|=w_{j^{\prime }}\le t$. $r_1^{j^{\prime }},r_2^{j^{\prime }},\cdots ,r_{w_{j^{\prime }}}^{j^{\prime }}$ are the IDs of users in $R_j^{j^{\prime }}$. $R_j^{j^{\prime }}=\varnothing$ if no users joined the group in session $j^{\prime }$.

-

The GM chooses a random value $k_j^0\in F_q$ and a one-way hash function $h(·)$. Note that $h^i(·)$ denotes applying i times hash operation. Then GM constructs the j-th key chain for session j: $\{k_j^1,k_j^2,\cdots ,k_j^j\}$, where

$$\begin{array}{ccc}\hfill k_j^1& =& h\left(k_j^0\right)\hfill \\ \hfill k_j^2& =& h\left(k_j^1\right)=h\left(h\left(k_j^0\right)\right)=h^2\left(k_j^0\right)\hfill \\ & \cdots ,& \\ \hfill k_j^j& =& h\left(k_j^{j-1}\right)=h\left(h\left(k_j^{j-2}\right)\right)=\cdots =h^j\left(k_j^0\right)\hfill \end{array}$$

For security, $k_j^0(1\le j\le m)$ is different from each other.

The GM splits the $k_j^{j^{\prime }}$ into two t-degree polynomials, $U_j^{j^{\prime }}\left(x\right)$ and $V_j^{j^{\prime }}\left(x\right)$, where

$$k_j^{j^{\prime }}=U_j^{j^{\prime }}\left(x\right)+V_j^{j^{\prime }}\left(x\right),j^{\prime }=1,2,\cdots ,j$$

-

To construct the revocation polynomials for session j, the GM firstly chooses number sets ${\overline{R}}_j^{j^{\prime }}$, where ${\overline{R}}_j^{j^{\prime }}=\{{\overline{r}}_1^{j^{\prime }},{\overline{r}}_2^{j^{\prime }},\cdots ,{\overline{r}}_{t-w_{j^{\prime }}}^{j^{\prime }}\}$ are random numbers which are not used as a user ID and different from each other. Then, the GM computes

$$A_j^{j^{\prime }}\left(x\right)={\Pi }_{z=1}^{|R_j^{j^{\prime }}|}(x-r_z^{j^{\prime }}){\Pi }_{z^{\prime }=1}^{t-|R_j^{j^{\prime }}|}(x-{\overline{r}}_{z^{\prime }}^{j^{\prime }}),j^{\prime }=1,2,\cdots ,j$$

-

The GM chooses a random session key $K_j$ from $F_q$. Then, the GM computes

$$M_j^{j^{\prime }}\left(x\right)=A_j^{j^{\prime }}\left(x\right)·U_j^{j^{\prime }}\left(x\right)+{\epsilon }_{j^{\prime }}·s_1\left(x\right)$$

and

$$N_j^{j^{\prime }}\left(x\right)=V_j^{j^{\prime }}\left(x\right)+{\epsilon }_{j^{\prime }}·s_2\left(x\right)$$

After that, the GM broadcasts the message

$$\begin{array}{ccc}\hfill B_j& =& {\mathbf{R}}_j\cup {\overline{\mathbf{R}}}_j\cup \left\{M_j^{j^{\prime }}\left(x\right)\right|j^{\prime }=1,2,\cdots ,j\}\cup \left\{N_j^{j^{\prime }}\left(x\right)\right|j^{\prime }=1,2,\cdots ,j\}\hfill \\ & & \cup \left\{E_{k_j^{j^{\prime }}}\left(K_{j^{\prime }}\right)\right|j^{\prime }=1,2,\cdots ,j\}\hfill \end{array}$$

where ${\overline{\mathbf{R}}}_j=\{{\overline{R}}_j^1,{\overline{R}}_j^2,\cdots ,{\overline{R}}_j^j\}$ and $E_k(·)$ is a symmetric encryption function.

(3)

Group session key recovery and self-healing

Any legitimate user $U_i\in G_j^{j^{\prime }}$ can recover the j-th session key when he receives the broadcast message $B_j$ as follows.

-

$U_i$ uses his personal secret ${\epsilon }_{j^{\prime }}·s_1\left(i\right)$ and ${\epsilon }_{j^{\prime }}·s_2\left(i\right)$ to compute

$$U_j^{j^{\prime }}\left(i\right)=\frac{M_j^{j^{\prime }}\left(i\right)-{\epsilon }_{j^{\prime }}·s_1\left(i\right)}{A_j^{j^{\prime }}\left(i\right)}$$

and

$$V_j^{j^{\prime }}\left(i\right)=N_j^{j^{\prime }}\left(i\right)-{\epsilon }_{j^{\prime }}·s_2\left(i\right)$$

Then, $U_i$ computes $k_j^{j^{\prime }}=U_j^{j^{\prime }}\left(i\right)+V_j^{j^{\prime }}\left(i\right)$.

-

$U_i$ uses the hash function $h(·)$ to compute all $\left\{k_j^{j^{{}^{\prime \prime }}}\right\}$ for $j^{\prime }<j^{{}^{\prime \prime }}\le j$ in the j-th key chain.

-

$U_i$ recovers the session keys $\left\{K_{j^{{}^{\prime \prime }}}\right\}(j^{\prime }<j^{{}^{\prime \prime }}\le j)$ by decrypting $E_{k_j^{j^{{}^{\prime \prime }}}}\left(K_{j^{{}^{\prime \prime }}}\right)$$(j^{\prime }<j^{{}^{\prime \prime }}\le j)$ with corresponding keys $\left\{k_j^{j^{{}^{\prime \prime }}}\right\}(j^{\prime }<j^{{}^{\prime \prime }}\le j)$.

3. Cryptanalysis of Chen et al.’s Scheme 2

In this section we exhibit the attack on Chen et al.’s Scheme 2 step by step, and explain why this attack exists.

3.1. Attack on Chen et al.’s Scheme 2

Let $G_{j_1}^{j^{\prime }}$ denote the users who join the group in session $j^{\prime }$ and are still legitimate in session $j_1$ where $j^{\prime }<j_1$. Suppose that $U_i\in G_{j_1}^{j^{\prime }}$ and $U_i$ is revoked in session $j_2(j^{\prime }<j_1<j_2)$. Now we are ready to show how $U_i$, who is revoked in session $j_2$, recovers the personal secret of another user who is legitimate in session $j_2$, furthermore uses this personal secret to compute the session key $K_{j_2}$ which should be kept secret from $U_i$.

• Step 1. $U_i$ computes $k_{j^{\prime }}^{j{}^{\prime }}$ and $k_{j_1}^{j^{\prime }}$ with his personal key ${\mathcal{S}}_i$ and the broadcast messages $M_{j^{\prime }}^{j^{\prime }}\left(x\right)$, $N_{j^{\prime }}^{j^{\prime }}\left(x\right)$ and $M_{j_1}^{j^{\prime }}\left(x\right)$, $N_{j_1}^{j^{\prime }}\left(x\right)$.
• Step 2. In session $j^{\prime }$, $U_i$ receives the broadcast messages $M_{j^{\prime }}^{j^{\prime }}\left(x\right),N_{j^{\prime }}^{j^{\prime }}\left(x\right)$, where

  $$\begin{array}{c}\hfill M_j^{j^{\prime }}\left(x\right)=A_j^{j^{\prime }}\left(x\right)·U_j^{j^{\prime }}\left(x\right)+{\epsilon }_{j^{\prime }}·s_1\left(x\right)\end{array}$$

  (1)

  and

  $$\begin{array}{c}\hfill N_j^{j^{\prime }}\left(x\right)=V_j^{j^{\prime }}\left(x\right)+{\epsilon }_{j^{\prime }}·s_2\left(x\right)\end{array}$$

  (2)

  Note that $k_{j^{\prime }}^{j^{\prime }}=U_{j^{\prime }}^{j^{\prime }}\left(x\right)+V_{j^{\prime }}^{j^{\prime }}\left(x\right)$, Equation (2) can be converted to $N_j^{j^{\prime }}\left(x\right)=k_{j^{\prime }}^{j^{\prime }}-U_j^{j^{\prime }}\left(x\right)+{\epsilon }_{j^{\prime }}·s_2\left(x\right)$.
  Let Equation (1) + $A_j^{j^{\prime }}\left(x\right)·Equation\left(2\right)$, $U_i$ can obtain

  $$\begin{array}{c}\hfill M_{j^{\prime }}^{j^{\prime }}\left(x\right)+A_{j^{\prime }}^{j^{\prime }}\left(x\right)·N_{j^{\prime }}^{j^{\prime }}\left(x\right)=k_{j^{\prime }}^{j^{\prime }}·A_{j^{\prime }}^{j^{\prime }}\left(x\right)+{\epsilon }_{j^{\prime }}·s_1\left(x\right)+A_{j^{\prime }}^{j^{\prime }}\left(x\right)·{\epsilon }_{j^{\prime }}·s_2\left(x\right)\end{array}$$

  (3)

  With the values of $k_{j^{\prime }}^{j^{\prime }}$ which is computed from step (1), $U_i$ can obtain

  $$\begin{array}{c}\hfill M_{j^{\prime }}^{j^{\prime }}\left(x\right)+A_{j^{\prime }}^{j^{\prime }}\left(x\right)·N_{j^{\prime }}^{j^{\prime }}\left(x\right)-A_{j^{\prime }}^{j^{\prime }}\left(x\right)·k_{j^{\prime }}^{j^{\prime }}={\epsilon }_{j^{\prime }}·s_1\left(x\right)+A_{j^{\prime }}^{j^{\prime }}\left(x\right)·{\epsilon }_{j^{\prime }}·s_2\left(x\right)\end{array}$$

  (4)
• Step 3. Since $U_i$ is legitimate in session $j_1$, $U_i$ can obtain the similar result in the same way:

  $$\begin{array}{c}\hfill M_{j_1}^{j^{\prime }}\left(x\right)+A_{j_1}^{j^{\prime }}\left(x\right)·N_{j_1}^{j^{\prime }}\left(x\right)-A_{j_1}^{j^{\prime }}\left(x\right)·k_{j_1}^{j^{\prime }}={\epsilon }_{j^{\prime }}·s_1\left(x\right)+A_{j_1}^{j^{\prime }}\left(x\right)·{\epsilon }_{j^{\prime }}·s_2\left(x\right)\end{array}$$

  (5)

  Let Equation (4) – Equation (5), user $U_i$ can obtain

  $$\begin{array}{c}\hfill \begin{array}{cc}& M_{j^{\prime }}^{j^{\prime }}\left(x\right)+A_{j^{\prime }}^{j^{\prime }}\left(x\right)·N_{j^{\prime }}^{j^{\prime }}\left(x\right)-A_{j^{\prime }}^{j^{\prime }}\left(x\right)·k_{j^{\prime }}^{j^{\prime }}-M_{j_1}^{j^{\prime }}\left(x\right)-A_{j_1}^{j^{\prime }}\left(x\right)·N_{j_1}^{j^{\prime }}\left(x\right)+A_{j_1}^{j^{\prime }}\left(x\right)·k_{j_1}^{j^{\prime }}\hfill \\ \hfill =& (A_{j^{\prime }}^{j^{\prime }}\left(x\right)-A_{j_1}^{j^{\prime }}\left(x\right))·{\epsilon }_{j^{\prime }}·s_2\left(x\right)\hfill \end{array}\end{array}$$

  (6)
• Step 4. $U_i$ computes ${\epsilon }_{j^{\prime }}·s_2\left(x\right)$ as

  $$\begin{array}{c}\hfill \begin{array}{cc}& {\epsilon }_{j^{\prime }}·s_2\left(x\right)\hfill \\ \hfill =& \frac{M_{j^{\prime }}^{j^{\prime }}\left(x\right)+A_{j^{\prime }}^{j^{\prime }}\left(x\right)·N_{j^{\prime }}^{j^{\prime }}\left(x\right)-A_{j^{\prime }}^{j^{\prime }}\left(x\right)·k_{j^{\prime }}^{j^{\prime }}-M_{j_1}^{j^{\prime }}\left(x\right)-A_{j_1}^{j^{\prime }}\left(x\right)·N_{j_1}^{j^{\prime }}\left(x\right)+A_{j_1}^{j^{\prime }}\left(x\right)·k_{j_1}^{j^{\prime }}}{(A_{j^{\prime }}^{j^{\prime }}\left(x\right)-A_{j_1}^{j^{\prime }}\left(x\right))}\hfill \end{array}\end{array}$$

  (7)

  Take ${\epsilon }_{j^{\prime }}·s_2\left(x\right)$ to Equation (3), $U_i$ computes ${\epsilon }_{j^{\prime }}·s_1\left(x\right)$ as

  $$\begin{array}{c}\hfill {\epsilon }_{j^{\prime }}·s_1\left(x\right)=M_{j^{\prime }}^{j^{\prime }}\left(x\right)+A_{j^{\prime }}^{j^{\prime }}\left(x\right)·N_{j^{\prime }}^{j^{\prime }}\left(x\right)-A_{j^{\prime }}^{j^{\prime }}\left(x\right)·k_{j^{\prime }}^{j^{\prime }}-A_{j^{\prime }}^{j^{\prime }}\left(x\right)·{\epsilon }_{j^{\prime }}·s_2\left(x\right)\end{array}$$

  (8)
• Step 5. $U_i$ gets a legitimate user’s identity, v, in session $j_2$ by observing $R_j^{j^{\prime }}$ where $j>j_2$.
• Step 6. $U_i$ computes ${\epsilon }_{j^{\prime }}·s_1\left(v\right)$ and ${\epsilon }_{j^{\prime }}·s_2\left(v\right)$ through ${\epsilon }_{j^{\prime }}·s_1\left(x\right)$ and ${\epsilon }_{j^{\prime }}·s_2\left(x\right)$. Then, $U_i$ pretends $U_v$ to compute the session key $K_{j_2}$ using ${\epsilon }_{j^{\prime }}·s_1\left(v\right),{\epsilon }_{j^{\prime }}·s_2\left(v\right)$ and $M_{j_2}^{j^{\prime }}\left(x\right),N_{j_2}^{j^{\prime }}\left(x\right)$ from the broadcast message $B_{j_2}$.

Note that $U_i$ is revoked in session $j_2$, thus he should not have computed $K_{j_2}$. Therefore the scheme cannot achieve the forward security. When the revoked user $U_i$ obtains the session key $K_{j_2}$, he can of course give this session key to a new user who joins the group after session $j_2$ and should not know $K_{j_2}$. Hence, the scheme can not resist the collusion attack. Similarly, the scheme does not have the $mt$-revocation capability.

3.2. Analysis of the Weakness

Chen et al. [2] proposed two one-way hash chain self-healing group key distribution schemes based on the revocation polynomial in their paper. In fact, in the first scheme, each $k_j^{j^{\prime }}$ is masked by different masking polynomials, $\{{\epsilon }_{j^{\prime }}·s_j\left(x\right)|j=j^{\prime },j^{\prime }+1,\cdots ,m\}$, which makes the scheme to be more secure. However, Chen et al. claimed that using multiple masking polynomials does not contribute to the security. Based on this consideration, they presented the second scheme only using one masking polynomial for each $k_j^{j^{\prime }}$ to reduce the number of masking polynomials and the personal secret stored by each user. Thus the second scheme achieves the optimal storage overhead.

Now let us check the attack again. From the above attack, it is easy to find that only using one masking polynomial to construct the personal secret directly makes the Equation (6) (in step 4) hold, where ${\epsilon }_{j^{\prime }}·s_1\left(x\right)$ disappears when Equation (4) minus Equation (5). Furthermore, ${\epsilon }_{j^{\prime }}·s_2\left(x\right)$ can be computed by the revoked user $U_i$ through the Equation (7), which leads to the exposure of those users’ personal secret who join the group in session $j^{\prime }$, and finally results in the exposure of the session keys which should be kept secret from $U_i$.

Chen et al. [2] list Theorem 5 to show the security of their Scheme 2, thus Theorem 5 does not hold. To sum up, multiple masking polynomials should be adopted to design a secure self-healing group key distribution schemes using the polynomial secret sharing as the basic cryptographic technique. Unfortunately, multiple masking polynomials brings in the linear storage overhead. How to design a secure self-healing group key distribution schemes with constant storage overhead based on the polynomial secret sharing technique is still an open problem.

4. Conclusions

Chen et al. claimed that their self-healing group key distribution Scheme 2 achieves all basic security properties. Unfortunately, we found that Chen et al.’s Scheme 2 is insecure. Some security flaws are pointed out in this paper, i.e., the Scheme 2 can not hold the forward security, $mt$-revocation capability and $mt$-wise collusion attack resistance capability.