In the LKH scheme, when the membership changes, the members who remain in the group must update all keys on their key paths. In a large communication group, a group member therefore has to perform several decryption operations. Because mobile terminals have limited computation resources, if a traditional symmetric algorithm such as AES is used in the rekeying process, decrypting the rekeying messages takes too long; this leads to the long processing delay shown in Table 5, and the terminals cannot take part in the group communication in time. This is unacceptable for time-sensitive communication. Therefore, a faster encryption and decryption scheme is needed to reduce the computation cost borne by group members when decrypting rekeying messages. In the LKH scheme, each member holds all the keys on its key path, which can be regarded as a form of secret sharing, so the GC can distribute the group key using a secret-sharing scheme. However, in a traditional threshold secret-sharing scheme, the secret shares are generated by the distributor and transmitted, encrypted, to every member. It makes little sense to transmit additional encrypted information merely in order to transmit the group key securely. In this section, we first propose a new form of secret-sharing scheme in which the distributor encrypts the message directly once the secret shares held by the members have been fixed, and whose decryption algorithm is simpler on the group-member side. Then, a simple and effective key-numbering method is implemented on the LKH tree structure. Based on these, CEGKD is proposed, and its rekeying process is described in detail.
3.1. New Form of Secret Sharing Scheme
In this section, we give another form of secret-sharing scheme, in which the secret distributor computes the corresponding polynomial after the secret shares of all authorized members have been fixed, so that any authorized member can recover the secret. This avoids the computation and communication cost of encrypting and transmitting secret shares between the GC and the group members. In fact, if encrypted transmission between the GC and a group member is available, the transmitted content can simply be the group key to be updated, with no further protocol. Moreover, the polynomial degree grows with the threshold value, which makes encryption and decryption expensive for large thresholds. A new secret-sharing scheme with no extra transmission and a faster secret-recovery algorithm is therefore necessary.
A set of existing secret shares is denoted as , and their number set is .
Secret division: First, the distributor GC selects a random number r and then calculates
for each secret share , where is a hash function, and obtains a series of distinct points . Then, according to the Lagrange interpolation method, a polynomial of degree at most t − 1 is obtained on GF(q):
where . After collecting like terms, is converted into the following form:
Finally, GC publishes the public parameters , where .
Secret recovery: Any authorized member can recover the secret s from its secret share and its number , together with the public parameter P. After receiving the public parameters, the member reconstructs the polynomial according to and calculates the secret as follows:
Security analysis
Theorem 1. Every authorized member can calculate the secret from the public parameters, and the result is unique.
Proof. Given t points on the plane , by the Lagrange interpolation theorem [30] the polynomial of degree at most t − 1 passing through these t points is uniquely determined. For all , the difference between and is the same value s. Therefore, every authorized member can calculate and in Equation (5) from its own number and the random number carried in the public parameters. □
Theorem 2. An attacker cannot calculate the secret from the public parameters published by GC.
Proof. In our scheme, the secret is hidden in the polynomial generated by Equation (3), and the adversary obtains only the public parameter P. From P the adversary can infer the number of secret shares and evaluate , but since it does not know , it cannot compute , and thus s cannot be obtained. That is, the adversary cannot calculate the secret s without holding a secret share. □
Theorem 3. An authorized member cannot calculate the secret shares of other members from the secret it obtains.
Proof. Once a member obtains the secret s, it can calculate the hash value corresponding to any secret share. Due to the one-wayness of the hash function, however, it is impossible to recover from . □
Both secret-sharing schemes are applications of the Lagrange interpolation method, and their security rests on the same basis. Note that the argument of Theorem 2 relies on being unpredictable to anyone who does not hold , and on r being fresh for every encryption: since P lets anyone evaluate the polynomial at every number , the secret is masked only by the hash value, and reusing r with the same share for two different secrets would reveal their difference to everyone. The change of form is nevertheless necessary so that the secret-sharing scheme can be applied efficiently as the encryption and decryption algorithm of the key-distribution process. For convenience in the following description, the encryption and decryption methods are defined before the key-distribution protocol is introduced.
Encrypt(s, S, X): the encryption algorithm takes as input a secret s, a secret-share set , and a number set , and outputs a public parameter P.
Decrypt(,): the decryption algorithm takes as input the public parameter P, the secret share held by the decrypter, and its corresponding number , and outputs the secret s.
3.2. Group-Key Distribution Protocol
In this paper, an LKH tree structure is used to manage keys. Based on the secret-sharing scheme proposed above, CEGKD is constructed as follows. Taking the keys of the child nodes of the node whose key is being updated as the secret shares, GC encrypts the new key to form a rekeying message, and group members decrypt the rekeying message layer by layer using the keys they already hold. The encryption and decryption methods are those of the new secret-sharing scheme from the previous section, and the protocol is described below using a ternary tree as the example.
3.2.2. Joining a Group
(1) Apply to join
After a new member applies to join, the GC verifies the member's identity, generates the member's personal key and leaf node leaf, then finds the internal node insert with the shallowest depth that has fewer than 3 child nodes in the key tree, and inserts leaf into the tree as a child node of insert. If the key tree is a full ternary tree, the splitting operation shown in Figure 1 is performed to generate a new tree node , and then is inserted into the tree as a child node of . Finally, GC sends the personal key to the new member through a secure channel.
(2) Update keys and send rekeying message
The GC updates all keys on the path from the parent node of the joining node to the root node, from bottom to top; each new key corresponds to a key-update polynomial on GF(q):
The polynomial is constructed as follows: denote the updated node as node and the key to be updated as ; the node has t children, whose numbers and keys are ; then the GC takes as the secret, as the secret-share set, and , and calculates the public parameters Encrypt(,K,X). P corresponds to the key-update polynomial .
Assuming that h keys are updated after the member joins, the GC constructs and multicasts a rekeying message to the group members:
where is the coefficient of the key-update polynomial and is the update serial number. If the key tree is split when the new node joins, is the key number of the parent node of the new member; otherwise, is the number of the joining node.
(3) Obtain updated key
Suppose a member holds keys , arranged from the root node to the leaf node, i.e., is the group key GK and is the member's personal key, and that the personal key corresponds to key number . After receiving RM, a group member updates its stored keys as follows:
Step 1: Right-align the personal key number with . If =, and the member is not the new member, update the personal key number to and set .
Step 2: From right to left, compare and SN two bits at a time and count the consecutive equal pairs, stopping at the first pair that differs. Denote the result as . For the new member, the result is set to .
Step 3: Calculate the new key according to the following formula:
Step 4: Replace the -th key stored by the member with .
Step 5: Decrease I by 1 and repeat Steps 2 to 5 until is obtained.
For example, in Figure 1, member requests to join the group communication. The GC updates , , to , , , respectively, and then calculates:
It extracts from and broadcasts the rekeying message
After receiving the rekeying message, group member m9 updates its personal key number to and then calculates, in turn:
Finally, is replaced with .
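The following Python example is added here and is not code from the paper; it implements the Encrypt/Decrypt pair of Section 3.1 and the bottom-up rekeying of Section 3.2.2 on a small ternary tree. Everything the page does not fix is an assumption: GF(q) is taken as the integers modulo the prime 2^127 − 1; H(k_i || r) is SHA-256 over fixed-width big-endian encodings of the two values, reduced modulo q; the interpolated points are (x_i, H(k_i || r) + s); the public parameter P is (r, a_0, ..., a_{t−1}); a node is named by its path of child indices and a child's number x_i is its index 1–3; and, because the key-numbering method and the update serial number SN are not reproduced on this page, the rekeying message carries the node path so a member can tell which polynomial belongs to which layer. The function names are likewise hypothetical.

```python
import hashlib
import secrets

# Assumption: GF(q) with q = 2^127 - 1 (prime); the paper does not fix q.
Q = (1 << 127) - 1


def H(share: int, r: int) -> int:
    """H(k_i || r) reduced into GF(q). Encoding is an assumption: two 32-byte
    big-endian fields hashed with SHA-256; the paper only needs a one-way hash."""
    data = share.to_bytes(32, "big") + r.to_bytes(32, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def lagrange_coeffs(points):
    """Coefficients a_0..a_{t-1} of the unique degree <= t-1 polynomial through
    the t points (x_i, y_i) over GF(q), i.e. the form with like terms collected."""
    coeffs = [0] * len(points)
    for i, (xi, yi) in enumerate(points):
        basis, denom = [1], 1  # basis_i(x) = prod_{j != i} (x - x_j) / (x_i - x_j)
        for j, (xj, _) in enumerate(points):
            if j != i:  # multiply basis by (x - xj): shift up, subtract xj * basis
                basis = [(lo - c * xj) % Q for c, lo in zip(basis + [0], [0] + basis)]
                denom = denom * (xi - xj) % Q
        scale = yi * pow(denom, -1, Q) % Q
        for d, c in enumerate(basis):
            coeffs[d] = (coeffs[d] + c * scale) % Q
    return coeffs


def evaluate(coeffs, x):
    """Horner evaluation of a_0 + a_1 x + ... + a_{t-1} x^{t-1} over GF(q)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % Q
    return acc


def encrypt(s, K, X, r=None):
    """Encrypt(s, K, X): shares K with numbers X -> P = (r, [a_0..a_{t-1}]).
    Share i contributes the point (x_i, H(k_i || r) + s), so every holder sees
    the same difference s between f(x_i) and its own H(k_i || r)."""
    if len(K) != len(X) or len(set(X)) != len(X):
        raise ValueError("need one distinct number per share")
    if r is None:
        r = secrets.randbelow(Q)  # fresh per encryption: the pad H(k_i||r) must never repeat
    points = [(x, (H(k, r) + s) % Q) for k, x in zip(K, X)]
    return (r, lagrange_coeffs(points))


def decrypt(P, k_i, x_i):
    """Decrypt(P, k_i, x_i): s = f(x_i) - H(k_i || r); one hash, one Horner pass."""
    r, coeffs = P
    return (evaluate(coeffs, x_i) - H(k_i, r)) % Q


# Rekeying on join over an LKH ternary tree (Section 3.2.2). Assumption: a node
# is named by its path of child indices ("" = root, "1", "12", ...), its number
# x is its last index (1..3), and the message names nodes by path instead of SN.

def rekey_on_join(tree, leaf):
    """GC side: for every node from parent(leaf) up to the root, draw a new key
    and encrypt it under its children's keys. Bottom-up order means the on-path
    child already holds its new key when its parent is processed."""
    rm, node = [], leaf[:-1]
    while True:
        children = [node + c for c in "123" if node + c in tree]
        K = [tree[c] for c in children]
        X = [int(c[-1]) for c in children]
        new_key = secrets.randbelow(Q)
        rm.append((node, encrypt(new_key, K, X)))
        tree[node] = new_key
        if node == "":
            return rm
        node = node[:-1]


def apply_rekey(member_keys, leaf, rm):
    """Member side: walk the message layer by layer and decrypt each updated
    ancestor with the key this member holds for the child on its own path."""
    for node, P in rm:
        if leaf.startswith(node):
            child = leaf[: len(node) + 1]
            member_keys[node] = decrypt(P, member_keys[child], int(child[-1]))
    return member_keys


def demo():
    """Constructed toy group: members at leaves 11, 12 and 3; a fourth joins at
    leaf 13 after receiving personal key 303 over the secure channel."""
    tree = {"": 101, "1": 201, "2": 202, "3": 203, "11": 301, "12": 302}
    members = {leaf: {leaf[:i]: tree[leaf[:i]] for i in range(len(leaf) + 1)}
               for leaf in ("11", "12", "3")}
    tree["13"] = 303
    members["13"] = {"13": 303}      # the new member holds only its personal key
    rm = rekey_on_join(tree, "13")   # updates nodes "1" and "" (h = 2)
    for leaf, keys in members.items():
        apply_rekey(keys, leaf, rm)
    return tree, members, rm
```

Running `demo()` leaves every member, including the newcomer, with the same root key as the GC, while the member at leaf 3 never learns the new key of node 1, which is not on its path. The Theorem 3 observation is visible directly: anyone holding s can compute `evaluate(coeffs, x_j) - s`, which equals `H(k_j, r)` but does not reveal `k_j`.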