Member Tampering Attack on Burmester-Desmedt Group Key Exchange Protocol and Its Countermeasure

Abstract

With the rapid development of cloud computing and mobile networks, more and more application scenarios require a secret group key for secure communication. Group Key Exchange (GKE) protocol provides a secret group key for three or more members. Burmester and Desmedt presented an influential GKE protocol, which has a broadcast version and a cyclic version. In this paper, we investigate the security weaknesses of the Burmester-Desmedt protocol. We report that both the broadcast version and the cyclic version of the Burmester-Desmedt protocol suffer member tampering attacks if the two members that belong to both group A and group B are corrupted. That is, two corrupted members can add some unknowing members of group A to group B and trick the legal members of group B to believe that these unknowing members share the secret group key with them after a protocol run. Furthermore, to defeat the member tampering attack, we propose digital signature-based improvements on the broadcast version and the cyclic version of the Burmester-Desmedt protocol. We hope our research results will encourage the development of more robust and effective GKE protocols that stand rigorous security analysis.

1. Introduction

Group Key Exchange (GKE) protocol makes an extension for the traditional two-member key establishment [1]. The function of the GKE protocol is to provide a shared secret group key for three or more members. With the rapid development of cloud computing and mobile networks, more and more application scenarios require group communication. Naturally, the security of group communication depends on the security of the group key [2,3]. We can summarize the general requirements of the GKE protocols as follows.

(1)

Members in various groups generate different shared secret group keys (also named group session keys).

(2)

The group session key is dynamic and can be updated as needed.

(3)

The protocol messages exchanged among the members are open and via the public channel.

(4)

Each member calculates his group session key independently.

To realize group key generation, an obvious method is to deploy a Trusted Third Party (TTP) recognized by all members in a group communication system. Moreover, each member shares a secret key with the TTP in advance. When the group session key needs to be established, the TTP randomly generates a group session key, determines the group of members and encrypts the group session key by using the shared secret key with each member. Upon receiving the ciphertext of the group session key, each member in the group can decrypt it using his shared key and obtain the group session key. The disadvantage of this method is that there must be a TTP to provide group key generation services for all members in real-time. That is, the online TTP means heavy computation and communication overhead and may become the technical bottleneck.

Another optional method that does not require a TTP is to choose a member of the group as the group controller. The group controller negotiates a secret Diffie-Hellman key [4] with each member of the group. Then, the group controller randomly generates a group session key, uses each Diffie-Hellman key to encrypt the group session key, and sends it to each member of the group. After receiving the ciphertext of the group session key, the members can respectively decrypt the group session key using its own Diffie-Hellman key. The disadvantage of this method is that the large overhead of computation and communication is a burden on the group controller, and the members of the group need to designate a group controller before the group key generation services.

In this paper, we investigate the GKE protocols based on generalizing Diffie-Hellman two-member key exchange [4], because such protocols can potentially avoid the TTP or the group controller. This is a desirable feature under decentralized computing environments such as ad hoc networks and Blockchain.

1.1. Basic Notion of Group Key Exchange

Let k be a security parameter and U₁, U₂, …, U_n, n = poly(k) (a polynomial in the security parameter k), be members that are allowed to take part in a specified GKE protocol P to generate a group session key K. We can define the GKE protocol as follows.

Definition 1.

Protocol P is called a GKE if: when a group of any t members has honestly executed the protocol P as specified, then each member U_i in the group will finally compute his own session key K_i such that K = K_i, where 3 ≤ t ≤ n and i∊ {1,2, …, n}.

Assume that any GKE protocol P runs on public networks in which all members in a group can broadcast or send messages (bit strings) to other members in the presence of a (polynomially bounded) passive adversary E. Passive adversary E can eavesdrop on the transmitting messages and keep a log of the messages during past protocol runs. However, the passive adversary E does not modify the transmitting messages of protocol runs. A formal security definition as an example is presented to address the above passive adversary of the GKE protocol P [5] as follows.

Definition 2.

The GKE protocol P guarantees privacy if it is computationally infeasible for the passive adversary E to compute the group session key K. The GKE protocol P guarantees secrecy if the passive adversary E cannot distinguish the group session key K from a random bit string of the same length with probability better than 1/2 + ε, where ε is negligible (in the security parameter k).

1.2. Related Work

Some of the literature in the GKE domain mainly revolves around the exposition of new construction of the GKE protocols. An early investigation of GKE protocols by Ingemarsson, Tang, and Wong [6] described a number of so-called Diffie-Hellman generalizations based on the idea of symmetric functions. Steer et al. [7] gave other GKE protocols generalizing the Diffie-Hellman two-member key exchange. Their protocol is suitable for adding new group members; however, deleting members is relatively difficult. Latter, Steiner, Tsudik, and Waidner [8] presented three GKE protocols (named GDH.1, GDH.2, and GDH.3) to improve the communication and computation costs of the Ingemarsson-Tang-Wong GKE protocols. Kim, Perrig, and Tsudik [9], and Bresson and Manulis [10] considered tree-based Diffie-Hellman two-member key exchange and showed that their protocols are very suitable when the composition of the group is changed without restarting the whole protocol. Burmester and Desmedt [5] presented an influential GKE protocol by extending in a natural way of the Diffie-Hellman two-member key exchange. Harn and Lin [11], Harn and Hsu [12] proposed GKE protocols based on both the secret sharing scheme and the group Diffie-Hellman key exchange scheme. Moriya, Takashima, and Takagi [13] and Fan, Xu, and Li [14] proposed the GKE protocols based on Commutative Supersingular Isogeny Diffie-Hellman (CSIDH), which are the post-quantum Diffie-Hellman type key exchange protocols from commutative group action.

Some of the literature in the GKE domain research on the security analysis of the GKE protocols. Katz and Yung [15] presented a compiler that transforms the GKE protocol secure against a passive adversary and proved the Burmester-Desmedt protocol secure against the passive adversary. Emmanuel, Chevassut, and Pointcheval [16] provided a formal security model and several security definitions, which are adapted to many cryptographic scenarios for authenticated Diffie-Hellman key exchange in a group. To prevent stronger attacks against honest but open members, Bresson, Manulis, and Schwenk [17] gave examples where m uncorrupted members accept each other but have different session keys. Gorantla, Boyd, and Nieto [18] specifically analyzed the security of the GKE protocol under the key-compromise impersonation attacks. Baouch et al. [19] introduced an active attack on the Burmester-Desmedt protocol, that is, the adversary can obtain a copy of the shared key, which is created in a collaborative manner with the legal members in a group. Yang et al. [20] presented a security model for generic dynamic authenticated GKE to cover more active attacks (such as leakage of the ephemeral secret key) than previous similar models. As another line of security analysis work on GKE, Cohn-Gordon et al. [21] considered the post-compromise security of group messaging, that is, an adversary who compromises a single group member can indefinitely read and inject messages and built a formal security model on the ideas of multi-stage key exchange by Fischlin and Günther [22]. Alwen et al. [23] further analyzed the TreeKEM protocol [24], which is proposed by the Internet Engineering Task Force (IETF) working group and is the core of the secure group messaging protocols on message-layer security. Alwen et al. [25] also defined optimal security notions for GKE and considered two settings, i.e., the passive setting and the active setting. In addition, Hougaard and Miyaji [26] recently proposed a GKE compiler using any two-member key exchange for which the shared key space is the subset of a group and whose security reduces to the Decisional Diffie-Hellman (DDH) problem. Poettering et al. [27] classified characteristics of a large selection of game based GKE models, including those proposed for GKE with post-compromise security, and observed a range of shortcomings in some of the studied models.

1.3. Our Motivations and Contributions

When a GKE protocol is running, the adversary may illegally add some dummy members to the group. Although these dummy members do not belong to the group, the legal members believe that they are in the group and share a group session key with them. We call it the member tampering attack. To the best of our knowledge, the member tampering problem of the GKE protocol has not been studied yet. It is widely known that the Burmester-Desmedt protocol has advantages over other existing GKE protocols in terms of computation cost, communication cost, and the number of rounds. Moreover, since broadcasting messages can be expensive in some communications networks, the Burmester-Desmedt protocol [1,5] has not only a broadcast version but also a cyclic version. Therefore, we investigate the member tampering attack on the broadcast version and cyclic version of the Burmester-Desmedt protocol. We report that both the broadcast version and cyclic version suffer the member tampering attack when two members are corrupted. That is, two corrupted members, who belong to two groups A and B, can collude to include some unknowing members of group A into the group B and cheat other legal members of the group B to believe that these unknowing members exist in their group and share a group session key after the protocol run.

2. Review of the Burmester-Desmedt Group Key Exchange Protocol

Burmester and Desmedt [5] employed a certain structure of the cyclic group to design their GKE protocol. Without loss of generality, we can write it as follows. Let G be a cyclic group with prime order q and let g be a fixed generator of G. Let Z_p = Z/pZ be the integers modulo p. The cyclic group requires choosing two primes p and q such that q|p−1 and a generator g ∊ Z_p with the order q. Then, the cyclic group is formed by G = {g^x mod p, x ∊ Z}.

Assume that U₁, U₂, …, U_n are all legal members of the GKE system. Initially, a GKE center chooses the system parameters for the GKE protocol. That is, the GKE center determines a security parameter k and a constant c ≥ 1, randomly generates a prime p = Θ(2^ck) and an element g ∊ Z_p of order q = Θ(2^k), where Θ denotes asymptotic tight bound, and publishes the parameters p, g, and q to build the cyclic group G. Let U₁, U₂, …, U_{t ≤ n} be a group of members who want to generate a group session key K. To enable a general description, we always allow any index i but U_i and U_j are the same members when satisfying i = j mod t.

2.1. Broadcast Version

The Burmester-Desmedt protocol is simplest to describe in the version that allows broadcast communications. Here, any message sent to more than one member means the broadcast.

• Protocol 1: Broadcast version

Round 1. Each member U_i (i = 1, 2, …, t) selects a random r_i ∊ Z_q and computes and broadcasts z_i = g^r_i mod p.

Round 2. Each member U_i (i = 1, 2, …, t) computes and broadcasts X_i = (z_i+1/z_i−1)^r_i mod p.

Key Computation. Each member U_i (i = 1, 2, …, t) computes his own session key:

$$K_i={\left(z_{i-1}\right)}^{t{r}_i}{X}_i^{t-1}{X}_{i+1}^{t-2}\dots X_{i-2} \mathrm{mod} p.$$

(1)

Figure 1 shows the communication and computation of broadcast version. If each member U_i (i = 1, 2, …, t) honestly generates and broadcasts his z_i and X_i, all members will secretly share the same group session key K = g^{r₁r_t+r₁r₂+ r₂r₃+…+r_t−2r_t−1+r_t−1r_t} mod p. That is to say, for every member U_i (i = 1, 2, …, t), we have

$$\begin{gathered} K_i={\left(z_{i-1}\right)}^{t{r}_i}{X}_i^{t-1}{X}_{i+1}^{t-2}\dots X_{i-2} \mathrm{mod} p= \\ {\left(z_{i-1}\right)}^{t{r}_i}{\left(\frac{z_{i+1}}{z_{i-1}}\right)}^{\left(t-1\right)r_i}{\left(\frac{z_{i+2}}{z_i}\right)}^{\left(t-2\right)r_{i+1}}\dots {\left(\frac{z_{i-1}}{z_{i-3}}\right)}^{r_{i-2}} \mathrm{mod} p= \\ {\left(g^{r_{i-1}}\right)}^{t{r}_i}{\left(\frac{g^{r_{i+1}}}{g^{r_{i-1}}}\right)}^{\left(t-1\right)r_i}{\left(\frac{g^{r_{i+2}}}{g^{r_i}}\right)}^{\left(t-2\right)r_{i+1}}\dots {\left(\frac{g^{r_{i-1}}}{g^{r_{i-3}}}\right)}^{r_{i-2}} \mathrm{mod} p= \\ {\left(g^{r_{i-1}}\right)}^{r_i}{\left(g^{r_{i+1}}\right)}^{r_i}{\left(g^{r_{i+2}}\right)}^{r_{i+1}}\dots {\left(g^{r_{i-3}}\right)}^{r_{i-2}}{\left(g^{r_{i-1}}\right)}^{r_{i-2}} \mathrm{mod} p= \\ {g}^{r_1{r}_t+r_1{r}_2+r_2{r}_3+\dots +r_{t-2}{r}_{t-1}+r_{t-1}{r}_t} \mathrm{mod} p=K \end{gathered}$$

(2)

2.2. Cyclic Version

In the broadcast version, the protocol messages always need to be sent to all of the members. In some communications environments such as wired communications, the broadcast of messages to all involved members may be more costly than sending them to a single member. Therefore, the cyclic version can maintain the same Diffie-Hellman generalization function as the broadcast version but implement the point-to-point message transmission among the members.

• Protocol 2: Cyclic version

Round 1. Each member U_i (i = 1, 2,…, t) selects a random r_i ∊ Z_q, and then computes and sends z_i = g^r_i mod p to the members U_i−1 and U_i−1.

Round 2. Each member U_i (i = 1, 2,…, t) computes X_i = (z_i+1/z_i−1)^r_i mod p. Let b₀ = c₀ = 1. For i = 1 to t, the member U_i computes b_i = b_i−1X_i mod p and c_i= b_i−1c_i−1 mod p, and then sends b_i and c_i to the member U_i+1.

Round 3. Let d₀ = c_t and d = b_t. For i = 1 to t − 1, the member U_i computes d_i = dd_i−1X_i ^−t mod p, and then sends d_i and d to the member U_i+1.

Key Computation. Each member U_i (i = 1, 2,…, t) computes his own session key:

$$K_i={\left(z_{i-1}\right)}^{t{r}_i}{d}_{i-1} \mathrm{mod} p.$$

(3)

It is easily to see that cyclic version does not require the broadcast channel. We know that in Round 2, b₀ = c₀ = 1, b₁ = b₀X₁ = X₁ mod p, c₁ = b₀c₀ = 1, b₂ = b₁X₂ = X₁X₂ mod p, c₂ = b₁c₁ = X₁ mod p, b₃ = b₂X₃ = X₁X₂X₃ mod p, c₃ = b₂c₂ = X₁²X₂ mod p,…, b_t = b_t−1X_t = X₁X₂…X_t mod p, c_t = b_t−1c_t−1 = X₁X₂…X_t−2X_t−1X₁^t−2X₂^t−3…X_t−2 = X₁^t−1X₂^t−2…X_t−2²X_t−1 mod p. Since d₀ = c_t = X₁^t−1X₂^t−2…X_t−1 mod p and d = b_t = X₁X₂…X_t mod p during Round 3, we get d₁ = dd₀X₁^−t = X₁X₂X₃…X_t−1X_tX₁^t−1X₂^t−2 X₃^t−3…X_t−1X₁^−t = X₂^t−1X₃^t−2…X_t−1²X_t mod p, d₂ = dd₁X₂^−t = X₁X₂X₃X₄…X_tX₂^t−1X₃^t−2X₄^t−3…X_tX₂^−t = X₃^t−1X₄^t−2…X_t²X₁ mod p,…, d_t−1 = dd_t−2X_t−1^−t = X₁X₂…X_t−3X_t−2X_t−1X_tX_t−1^t−1X_t^t−2X₁^t−3 X₂^t−4…X_t−3X_t−1^−t = X_t^t−1X₁^t−2X₂^t−3…X_t−3²X_t−2 mod p. We therefore know d_i−1 = X_i^t−1X_i+1^t−2…X_i−2 mod p, where i = 1, 2,…, t. Thus, for all 1 ≤ i ≤ t, it follows that

$$\begin{gathered} K_i={\left(z_{i-1}\right)}^{t{r}_i}{d}_{i-1} \mathrm{mod} p={\left(z_{i-1}\right)}^{t{r}_i}{X}_i^{t-1}{X}_{i+1}^{t-2}\dots X_{i-2} \mathrm{mod} p= \\ {g}^{r_1{r}_t+r_1{r}_2+r_2{r}_3+\dots +r_{t-2}{r}_{t-1}+r_{t-1}{r}_t} \mathrm{mod} p=K. \end{gathered}$$

(4)

Hence, we conclude that all members in cyclic version can finally share the same group session key as broadcast version. Figure 2 shows the communication and computation of cyclic version.

2.3. Security Results

The security of the Burmester-Desmedt protocol depends on the Computational Diffie-Hellman (CDH) problem and the DDH problem. We describe the CDH problem and the DDH problem as follows.

Definition 3.

The CDH problem: given two primes p and g and two random numbers x = g^a mod p, y =g^b mod p, find g^ab mod p.

Definition 4.

The DDH problem: given two primes p and g and three random numbers x = g^a mod p, y = g^b mod p, and z = g^c mod p, decide if ab = c.

The Burmester-Desmedt protocol achieves the following security properties [5].

Fact 1.

Protocol 1 and Protocol 2 guarantee the privacy as in Definition 2 if, and only if, the CDH problem is intractable. Protocol 1 and Protocol 2 guarantee the secrecy as in Definition 2 if, and only if, the DDH problem is intractable.

Fact 1 indicates that both Protocol 1 and Protocol 2 maintain a sound security promise when the CDH problem and the DDH problem are hard to solve.

3. Member Tampering Attacks on the Burmester-Desmedt Protocol

We know that any group U₁, U₂,…, U_t named as group A can execute a protocol run and negotiate a group session key K by using Equation (1) or Equation (3). We assume that members U_i′ and U_i″ are two malicious insiders in group A, that is, i′, i″∊ {1, 2,…, t} and i′ ≠ i″. Without loss of generality, let 0 < i’ < i″ < t+1. Moreover, both members U_i′ and U_i″ simultaneously initiate an abnormal protocol run with another group U_a1, U_a2, …, U_at′ named as the group B. Here, 0 < a_j < n + 1 for 0 < j < t’ + 1.

3.1. Attacks on Broadcast Version

In the protocol run as shown in Figure 1, each member U_i (i = 1, 2,…, t) of group A should compute and broadcast z_i = g^r_i mod p and X_i = (z_i+1/z_i−1)^r_i mod p during Round 1 and Round 2 of Protocol 1. Finally, each member U_i (i = 1, 2,…, t) is able to compute and share the same group session key K = g^{r₁r_t+r₁r₂+ r₂r₃+…+r_t−2r_t−1+r_t−1r_t} mod p by computing (z_i−1)^tr_iX_i^t−1X_i+1^t−2…X_i−2 mod p. To realize the member tampering attack, two malicious insiders U_i′ and U_i″ of group A simultaneously start an abnormal protocol run with another group B. Let i″ − i′ > 1. We assume that each member U_i (i = i′ + 1, i′ + 2,…, i″ − 1) in the group A does not belong to the group B, that is, a_j∉{i′+1, i′+2,…, i″ − 1} for all j ∊ {1, 2,…, t’}. After the abnormal protocol run of the group B, each member U_aj (j = 1, 2,…, t′) believes that not only members U_aj (j = 1, 2,…, t′) but also members U_i (i = i′, i′ + 1,…, i″) take part in negotiating a group session key. However, all members U_i (i = i′ + 1, i′ + 2,…, i″ − 1) in group A actually do not involve themselves in the abnormal protocol run of group B. In the following, we always write t′ + i″ − i′ as f to make the expression concise and easy to understand. We describe the abnormal protocol run as follows.

Round 1. Each member U_aj (j = 1, 2,…, t′) selects a random number r′_j∊ Z_q, and computes and broadcasts z′_j= g^r′_j mod p. Each z_i generated by the member U_i (i = i′, i′+1,…, i″) also is broadcasted to group B.

Round 2. The malicious insider U_i″ computes and broadcasts X′_f+1 = (z′₁/z_i″−1)^r_i″ mod p and the member U_a1 computes and broadcasts X′₁ = (z′₂/z_i″)^r′₁ mod p. Each member U_aj (j = 2,…, t′ − 1) computes and broadcasts X′_j = (z′_j+1/z′_j−1)^r′_j mod p. The member U_at′ computes and broadcasts X′_t′ = (z_i′/z′_t′−1)^r_′t′ mod p and the malicious insider U_i′ computes and broadcasts X′_t′+1 = (z_i′−1/z′_t′)^r_i′ mod p. In addition, each X_i generated by the member U_i (i = i′ + 1,…, i″ − 1) is broadcasted to all members U_aj (j = 1, 2,…, t′).

Key Computation. Assume that r′_i= r_{i+i′−t′−1} and z′_i= z_{i+i′−t′−1}, where i = t′ + 1, t′ + 2,…, t′ + i″ − i′ + 1 and X′_i= X_{i+i′−t′−1}, where i = t′ + 2, t′ + 3,…, f. Each member U_aj (j = 1, 2,…, t′) computes the group session key:

$$K{\prime }_j={\left(z{\prime }_{j-1}\right)}^{\left(f+1\right)r_j^{\prime }}X{\prime }_j^{f}X{\prime }_{j+1}^{f-1}\dots {X^{\prime }}_{j-2} \mathrm{mod} p,$$

(5)

where the indexes j in both z′_j and X′_j are performed modulo f + 1.

The member U_i′ can share the group session key by calculating

$$K{\prime }_{i^{\prime }}={\left(z{\prime }_{t^{\prime }}\right)}^{\left(f+1\right)r_{i^{\prime }}}X{\prime }_{t^{\prime }+1}^{f}X{\prime }_{t^{\prime }+2}^{f-1}\dots {X^{\prime }}_{t^{\prime }-1} \mathrm{mod} p.$$

(6)

The member U_i″ also can obtain the group session key by calculating

$$K{\prime }_{i^{″}}={\left(z{\prime }_f\right)}^{\left(f+1\right)r_{i^{″}}}X{\prime }_{f+1}^{f}X{\prime }_1^{f-1}\dots {X^{\prime }}_{f-1} \mathrm{mod} p.$$

(7)

According to Equation (5), we have

$$\begin{gathered} {K^{\prime }}_j={\left({z^{\prime }}_{j-1}\right)}^{\left(f+1\right)r_j^{\prime }}{X^{\prime }}_j^f{X^{\prime }}_{j+1}^{f-1}\dots {X^{\prime }}_{j-2} \mathrm{mod} p= \\ {\left({z^{\prime }}_{j-1}\right)}^{\left(f+1\right)r_j^{\prime }}{\left(\frac{{z^{\prime }}_{j+1}}{{z^{\prime }}_{j-1}}\right)}^{f{r}_j^{\prime }}{\left(\frac{{z^{\prime }}_{j+2}}{{z^{\prime }}_j}\right)}^{\left(f-1\right)r_{j+1}^{\prime }}\dots {\left(\frac{{z^{\prime }}_{j-1}}{{z^{\prime }}_{j-3}}\right)}^{r_{j-2}^{\prime }} \mathrm{mod} p, \end{gathered}$$

(8)

$$\begin{gathered} {K^{\prime }}_j={\left(g^{r_{j-1}^{\prime }}\right)}^{\left(f+1\right)r_j^{\prime }}{\left(\frac{g^{r_{j+1}^{\prime }}}{g^{r_{j-1}^{\prime }}}\right)}^{f{r}_j^{\prime }}{\left(\frac{g^{r_{j+2}^{\prime }}}{g^{r_j^{\prime }}}\right)}^{\left(f-1\right)r_{j+1}^{\prime }}\dots {\left(\frac{g^{r_{j-1}^{\prime }}}{g^{r_{j-3}^{\prime }}}\right)}^{r_{j-2}^{\prime }} \mathrm{mod} p \\ ={\left(g^{r_{j-1}^{\prime }}\right)}^{r_j^{\prime }}{\left(g^{r_{j+1}^{\prime }}\right)}^{r_j^{\prime }}{\left(g^{r_{j+2}^{\prime }}\right)}^{r_{j+1}^{\prime }}\dots {\left(g^{r_{j-3}^{\prime }}\right)}^{r_{j-2}^{\prime }}{\left(g^{r_{j-1}^{\prime }}\right)}^{r_{j-2}^{\prime }} \mathrm{mod} p, \end{gathered}$$

(9)

$$\begin{gathered} {K^{\prime }}_j=g^{{r^{\prime }}_1{r^{\prime }}_{f+1}+{r^{\prime }}_1{r^{\prime }}_2+{r^{\prime }}_2{r^{\prime }}_3+\dots +r_{f-1}^{\prime }{r}_f^{\prime }+r_f^{\prime }{r}_{f+1}^{\prime }} \mathrm{mod} p= \\ {g}^{{r^{\prime }}_1{r}_{i^{″}}+{r^{\prime }}_1{r^{\prime }}_2+{r^{\prime }}_2{r^{\prime }}_3+\dots +r_{i^{″}-2}{r}_{i^{″}-1}+r_{i^{″}-1}{r}_{i^{″}}} \mathrm{mod} p. \end{gathered}$$

(10)

Since r_i′ = r′_t′+1 and r_i″ = r′_f+1, we know that Equations (6) and (7) satisfy Equation (5) when j = t′ + 1 and j = f + 1. Hence, all members U_i′, U_aj (j = 1, 2,…, t′), U_i″ should share the same group session key K′ = K′_i′ = K′_i″ = K′_j = g^{r′₁r_t″+r′₁r′₂+ r′₂r′₃+…+ r_i″−2r_i″−1+r_i″−1r_i″} mod p. Moreover, all members U_aj (j = 1, 2,…, t′) believe that the members U_i (i = i′ + 1, i′ + 2,…, i″ − 1) also exist in their group. Figure 3 shows member tampering attacks, which exploits two parallel protocol runs of group A and group B. In fact, the malicious insiders U_i′ and U_i″ also can use above attack to add the unknowing members U_i (i = 1, 2,…, i′ − 1, i″ + 1, i″ + 2,…, t) of the group A into the group B.

3.2. Attack on Cyclic Version

Consider the protocol run of group A. As shown in Figure 2, each member U_i (i = 1, 2,…, t) computes z_i = g^r_i mod p and sends it to the members U_i−1 and U_i+1 during Round 1 of Protocol 2. Each member U_i (i = 1, 2,…, t) computes X_i = (z_i+1/z_i−1)^r_i mod p, b_i = b_i−1X_i mod p, c_i = b_i−1c_i−1 mod p, where b₀ = c₀= 1, and then sends b_i and c_i to the member U_i+1 during Round 2 of Protocol 2. In Round 3 of Protocol 2, each member U_i (i = 1, 2,…, t − 1) computes d_i = dd_i−1X_i^−t mod p, where d = b_t and d₀ = c_t, and then sends d_i and d to the next member U_i+1. Finally, each member U_i (i = 1, 2,…, t) computes and secretly shares the group session key K = K_i = (z_i−1)^tr_id_i−1 mod p.

Meanwhile, the malicious insiders U_i′ and U_i″ of group A also simultaneously start another abnormal protocol run with the group U_a1, U_a2,…, U_at′, i.e., group B. Here, we assume that i″ − i′ < t − 1 and a_j ∉ {1, 2,…, i′ − 1, i″+1, i″+2,…, t} for any j ∊ {1, 2,…, t′}. At the end of the abnormal protocol run of group B, each member U_aj (j = 1, 2,…, t′) mistakenly believes that the members U_i, where i = 1, 2,…, i′ − 1, i″ + 1, i″+ 2,…, t, also are in their group and share a group session key with them, although any of these members do not participate in in the abnormal protocol run. We assume that the malicious insider U_i″ eavesdrops on all b_i, where i = 1, 2,…, i′ − 2, i″ + 1, i″ + 2,…, t. Since the malicious insider U_i″ knows b₀ = 1, he can further compute all X_i = b_i/b_i−1 mod p, where i = 1, 2,…, i′ − 1, i″ + 1, i″ + 2,…, t. Figure 4 depicts the member tampering attack on the cyclic version. For simplicity, we write t + i′ + t′ − i″ as h in the following. We further describe the abnormal protocol run of group B as follows.

Round 1. The member U_i′ sends z_i′ to member U_a1. The member U_a1 selects a random number r′₁ ∊ Z_q, computes z′₁ = g^r′₁ mod p and sends z′₁ to the members U_i′ and U_a2. Each member U_aj (j = 2, 3,…, t′ − 1) selects a random number r′_j ∈ Z_q, computes z′_j = g^r′_j mod p, and sends z′_j to the members U_aj−1 and U_aj+1. The member U_at′ selects a random number r′_t′ ∊ Z_q and computes z′_t′ = g^r′_t′ mod p, and then sends z′_t′ to the members U_at′−1 and U_i″. The member U_i″ sends his z_i″ to the member U_at′.

Round 2. The member U_i′ computes and updates his new X′_h+1 = (z′₁/z_i′−1)^r_i′ mod p. The member U_i′ then computes b′ = b_i′−1X′_h+1 mod p and c′ = c_i′ = b_i′−1c_i′−1 mod p, and further sends b′ and c′ to the member U_a1. The member U_a1 computes X′₁ = (z′₂/z_i′)^r′₁ mod p. Moreover, member U_a1 computes b′₁ = b′X′₁ mod p and c′₁ = b′c′ mod p, and then sends b′₁ and c′₁ to the next member U_a2. Each member U_aj (j = 2, 3,…, t’ − 1) computes X′_j = (z′_j+1/z′_j−1)^r′_j mod p. For j = 2 to t′ − 1, the member U_aj computes b′_j = b′_j−1X′_j mod p and c′_j = b′_j−1c′_j−1 mod p, and then sends b′_j and c′_j to U_aj+1. Upon receiving the member U_at′−1’s b′_t′−1 and c′_t′−1, the member U_at’ computes X′_t′ = (z_i″/z′_t′−1)^r′t′ mod p, b′_t′ = b′_t′−1X′_t′ mod p, c′_t′ = b′_t′−1c′_t′−1 mod p, and then sends b′_t′ and c′_t′ to the member U_i″. Upon receiving the member U_at′’s b′_t′ and c′_t′, the member U_i″ calculates his X′_t′+1 = (z_i″−1/z′_t′)^r_i″ mod p, b′_t′+1 = b′_t′X′_t′+1 mod p, c′_t′+1 = b′_t′c′_t′ mod p. For i = i″ + 1 to t, the member U_i″ further computes b′_{i+t′−i″+1} = b′_{i+t′−i″}X_i mod p and c′_{i+t′−i″+1} = b′_{i+t′−i″}c′_{i+t′−i″} mod p.

Round 3. Let d′₀ = c′_{t+t′−i″+1}. For i = 1 to i′ − 1, the member U_i″ computes d′_i = b′_{t+t′−i″+1}d′_i−1X_i^−(h+1) mod p. And then, the member U_i″ sends d′_i′−1 and b′_{t+t′−i″+1} to the member U_i′. The member U_i′ computes d′_i′ = b′_{t+t′−i″+1}d′_i′−1X′_h+1^−(h+1) mod p and sends d′_i′ and b′_{t+t′−i″+1} to the member U_a1. For j = 1 to t′ − 1, the member U_aj computes d′_j+i′ = b′_{t+t′−i″+1}d′_j+i′−1X′_j^−(h+1) mod p, and then sends d_j+i′ and b′_{t+t′−i″+1} to the member U_aj+1. Upon receiving the member U_aj−1’s d′_{i′+t′−1} and b′_{t+t′−i″+1}, the member U_at′ computes d′_i′+t′ = b′_{t+t′−i″+1}d′_{i′+t′−1}X′_t′^−(h+1) mod p, and then sends d′_i′+t and b′_{t+t′−i″+1} to the member U_i″.

Key Computation. Let z′₀ = z_i′. Each member U_aj (j = 1, 2,…, t′) computes the group session key:

$$K{\prime }_j={\left(z{\prime }_{j-1}\right)}^{\left(h+1\right)r_j^{\prime }}d{\prime }_{j+i^{\prime }-1} \mathrm{mod} p.$$

(11)

The member U_i′ shares the group session key by calculating

$$K{\prime }_{i^{\prime }}={\left(z_{i^{\prime }-1}\right)}^{\left(h+1\right)r_{i^{\prime }}}d{\prime }_{i^{\prime }-1} \mathrm{mod} p.$$

(12)

The member U_i″ also obtains the group session key by computing

$$K{\prime }_{i^{″}}={\left({z^{\prime }}_{t^{\prime }}\right)}^{\left(h+1\right)r_{i^{″}}}d{\prime }_{i^{\prime }+t^{\prime }} \mathrm{mod} p.$$

(13)

In the following, we analyze and confirm the group session key shared among the members U_i′, U_aj (j = 1, 2,…, t′), U_i″. During Round 1, the members U_i′ and U_i″ reuse their z_i′ and z_i″ generated in the protocol run of the group A and send z_i′ to the member U_a1 and z_i″ to the member U_at′. During Round 2, the member U_i′ computes his new X′_h+1 = (z′₁/z_i′−1)^r_i′ mod p instead of the old X _i′ = (z _i′+1/z_i′−1)^r_i′ mod p in the protocol run of the group A, and uses this X′_h+1 to compute b′ = b_i′−1X′_h+1 mod p. Then, the member U_a1 computes X′₁ = (z′₂/z_i′)^r′₁ mod p and b′₁ = b′X′₁ mod p and the member U_aj computes X′_j = (z′_j+1/z′_j−1)^r′_j mod p and b′_j = b′_j−1X′_j mod p for j = 2 to t′. After calculating X′_t′+1 = (z_i″−1/z′_t′)^r_i″ mod p and b′_t′+1 = b′_t′X′_t′+1 mod p, the member U_i″ can sequentially compute each member U_i′s b′_{i+t′−i″+1} = b′_{i+t′−i″}X_i mod p, where i = i″ + 1, i″ + 2,…, t. The reason is that the member U_i″ had eavesdropped on all b_i for i = i″ + 1, i″ + 2,…, t in the protocol run of the group A and can derive the member U_i′s X_i by computing b_i/b_i−1 mod p. Therefore, we know that

$$b^{\prime }=b_{i^{\prime }-1}{X^{\prime }}_{h+1}=X_1{X}_2\dots X_{i^{\prime }-1}{X^{\prime }}_{h+1} \mathrm{mod} p,$$

(14)

$$\begin{gathered} b{\prime }_{t^{\prime }}=b{\prime }_{t^{\prime }-1}{X^{\prime }}_{t^{\prime }}=b{\prime }_{t^{\prime }-2}{X^{\prime }}_{t^{\prime }-1}{X}^{\prime }{}_{t^{\prime }}=b\prime X{\prime }_1\dots X^{\prime }{}_{t^{\prime }-1}X{\prime }_{t^{\prime }} \\ \hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}=X_1{X}_2\dots X_{i^{\prime }-1}{X^{\prime }}_{h+1}{X^{\prime }}_1\dots X^{\prime }{}_{t^{\prime }-1}{X^{\prime }}_{t^{\prime }} \mathrm{mod} p, \end{gathered}$$

(15)

and

$$\begin{gathered} {b^{\prime }}_{t+t^{\prime }-i^{″}+1}={b^{\prime }}_{t+t^{\prime }-i^{″}}{X}_t={b^{\prime }}_{t+t^{\prime }-i^{″}-1}{X}_{t-1}=\dots = \\ {b^{\prime }}_{t^{\prime }+1}{X}_{i^{″}+1}{X}_{i^{″}+2}\dots X_{t-1}{X}_t={b^{\prime }}_{t^{\prime }}{X^{\prime }}_{t^{\prime }+1}{X}_{i^{″}+1}{X}_{i^{″}+2}\dots X_{t-1}{X}_t= \\ {X}_1{X}_2\dots X_{i^{\prime }-1}{X^{\prime }}_{h+1}{X^{\prime }}_1\dots {X^{\prime }}_{t^{\prime }-1}{X^{\prime }}_{t^{\prime }}{X^{\prime }}_{t^{\prime }+1}{X}_{i^{″}+1}{X}_{i^{″}+2}\dots X_{t-1}{X}_t mod p. \end{gathered}$$

(16)

According to the analysis in Section 2.2, we have c′ = c_i′ = b_i′−1c_i′−1 = X₁X₂…X_i′−2X_i′−1X₁^i′−2 X₂^i′−3…X_i′−2 = X₁^i′−1X₂^i′−2…X_i′−2²X_i′−1 mod p. Since b′ = b_i′−1X′_h+1 mod p in Round 2 of the group B, c′₁ = b′c′ = b_i′−1X′_h+1c′ = b_i′−1X′_h+1X₁^i′−1X₂^i′−2…X_i′−2²X_i′−1 = X₁X₂…X_i′−2X_i′−1X′_h+1X₁^i′−1X₂^i′−2…X_i′−2²X_i′−1 = X₁^i′X₂^i′−1…X_i′−2³X_i′−1²X′ _h+1 mod p. We further get c′_j= b′_j−1c′_j−1 = b′_j−1b′_j−2 c′_j−2 =…= b′_j−1b′_j−2…b′₁c′₁ mod p for j = 2 to t′. Therefore,

$$\begin{array}{c}{c^{\prime }}_{t^{\prime }}={b^{\prime }}_{t^{\prime }-1}{b^{\prime }}_{t^{\prime }-2}\dots {b^{\prime }}_1{c^{\prime }}_1={X^{\prime }}_{t^{\prime }-1}{b^{\prime }}_{t^{\prime }-2}{b^{\prime }}_{t^{\prime }-2}\dots {b^{\prime }}_1{c^{\prime }}_1=\dots \hfill \\ ={X^{\prime }}_{t^{\prime }-1}{X^{\prime }}_{t^{\prime }-2}^2\dots {X^{\prime }}_2^{t^{\prime }-2}{b^{\prime }}_1^{t^{\prime }-1}{c^{\prime }}_1={X^{\prime }}_{t^{\prime }-1}{X^{\prime }}_{t^{\prime }-2}^2\dots {X^{\prime }}_2^{t^{\prime }-2}{X^{\prime }}_1^{t^{\prime }-1}{b^{\prime }}^{t^{\prime }-1}{c^{\prime }}_1\hfill \\ ={X^{\prime }}_{t^{\prime }-1}{X^{\prime }}_{t^{\prime }-2}^2\dots {X^{\prime }}_2^{t^{\prime }-2}{X^{\prime }}_1^{t^{\prime }-1}{X}_1^{t^{\prime }-1}{X}_2^{t^{\prime }-1}\dots X_{i^{\prime }-1}^{t^{\prime }-1}{X^{\prime }}_{h+1}^{t^{\prime }-1}{X}_1^{i^{\prime }}{X}_2^{i^{\prime }-1}\dots X_{i^{\prime }-1}^2{X^{\prime }}_{h+1}\mathrm{mod} p,\hfill \end{array}$$

(17)

$${c^{\prime }}_{t^{\prime }}={X^{\prime }}_{t^{\prime }-1}{X^{\prime }}_{t^{\prime }-2}^2\dots {X^{\prime }}_2^{t^{\prime }-2}{X^{\prime }}_1^{t^{\prime }-1}{X^{\prime }}_{h+1}^{t^{\prime }}{X}_{i^{\prime }-1}^{t^{\prime }+1}\dots X_2^{t^{\prime }+i^{\prime }-2}{X}_1^{t^{\prime }+i^{\prime }-1} \mathrm{mod} p.$$

(18)

Since the member U_i″ in Round 2 of the group B computes b′_t′+1 = b′_t′X′_t′+1 mod p and c′_t′+1 = b′_t′c′_t′ mod p, and then calculates b′_{i+t′−i″+1} = b′_{i+t′−i″}X_i mod p and c′_{i+t′−i″+1} = b′_{i+t′−i″}c′_{i+t′−i″} mod p for i = i″ + 1 to t, we have

$$\begin{gathered} {c^{\prime }}_{t+t^{\prime }-i^{″}+1}={b^{\prime }}_{t+t^{\prime }-i^{″}}{c^{\prime }}_{t+t^{\prime }-i^{″}}={b^{\prime }}_{t+t^{\prime }-i^{″}}{b^{\prime }}_{t+t^{\prime }-i^{″}-1}{c^{\prime }}_{t+t^{\prime }-i^{″}-1}=\dots = \\ {b^{\prime }}_{t+t^{\prime }-i^{″}}{b^{\prime }}_{t+t^{\prime }-i^{″}-1}\dots {b^{\prime }}_{t^{\prime }+1}{c^{\prime }}_{t^{\prime }+1}={b^{\prime }}_{t+t^{\prime }-i^{″}}{b^{\prime }}_{t+t^{\prime }-i^{″}-1}\dots {b^{\prime }}_{t^{\prime }+1}{b^{\prime }}_{t^{\prime }}{c^{\prime }}_{t^{\prime }}, \end{gathered}$$

(19)

$$\begin{gathered} \begin{array}{c}{c^{\prime }}_{t+t^{\prime }-i^{″}+1}=X_{t-1}{X}_{t-2}^2\dots X_{i^{″}+1}^{t-i^{″}-1}{X^{\prime }}_{t^{\prime }+1}^{t-i^{″}}{b^{\prime }}_{t^{\prime }}^{t-i^{″}+1}{c^{\prime }}_{t^{\prime }}\hfill \\ \hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}=X_{t-1}{X}_{t-2}^2\dots X_{i^{″}+1}^{t-i^{″}-1}{X^{\prime }}_{t^{\prime }+1}^{t-i^{″}}{X}_1^{t-i^{″}+1}{X}_2^{t-i^{″}+1}\dots \\ X_{i^{\prime }-1}^{t-i^{″}+1}X{\prime }_{h+1}^{t-i^{″}+1}{X^{\prime }}_1^{t-i^{″}+1}{X^{\prime }}_2^{t-i^{″}+1}\dots {X^{\prime }}_{t^{\prime }-2}^{t-i^{″}+1}{X^{\prime }}_{t^{\prime }-1}^{t-i^{″}+1}{X^{\prime }}_{t^{\prime }}^{t-i^{″}+1}{X^{\prime }}_{t^{\prime }-1}\\ \\ {X^{\prime }}_{t^{\prime }-2}^2\dots {X^{\prime }}_2^{t^{\prime }-2}{X^{\prime }}_1^{t^{\prime }-1}{X^{\prime }}_{h+1}^{t^{\prime }}{X}_{i^{\prime }-1}^{t^{\prime }+1}\dots X_2^{t^{\prime }+i^{\prime }-2}{X}_1^{t^{\prime }+i^{\prime }-1}\mathrm{mod} p,\end{array} \end{gathered}$$

(20)

$$\begin{gathered} {c^{\prime }}_{t+t^{\prime }-i^{″}+1}=X_1^h{X}_2^{h-1}\dots X_{i^{\prime }-1}^{t+t^{\prime }-i^{″}+2}{X^{\prime }}_{h+1}^{t+t^{\prime }-i^{\prime \prime }+1}{X^{\prime }}_1^{t+t^{\prime }-i^{\prime \prime }}{X^{\prime }}_2^{t+t^{\prime }-i^{\prime \prime }-1} \\ \dots {X^{\prime }}_{t^{\prime }-2}^{t-i^{″}+3}{X^{\prime }}_{t^{\prime }-1}^{t-i^{″}+2}{X^{\prime }}_{t^{\prime }}^{t-i^{″}+1}{X^{\prime }}_{t^{\prime }+1}^{t-i^{″}}{X}_{i^{″}+1}^{t-i^{″}-1}\dots X_{t-2}^2{X}_{t-1} \mathrm{mod} p. \end{gathered}$$

(21)

In Round 3 of the group B, we know d′₀ = c′_{t+t′−i″+1} and d′_i = b′_{t+t′−i″+1}d′_i−1X_i ^–(h+1) mod p or i = 1 to i′ − 1. That is, d′_i′−1 = b′_{t+t′−i″+1}d′_i′−2X_i′−1^−(h+1) = b′_{t+t′−i″+1}²d′_i′−3X_i′−1^−(h+1)X_i′−2^−(h+1) =…= b′_{t+t′−i″+1}^i′−1X_i′−1^−(h+1)X_i′−2^−(h+1) … X₁^−(h+1)d′₀ = b′_{t+t′−i″+1}^i′−1X_i′−1^−(h+1)X_i′−2^−(h+1)…X₂^−(h+1)X₁^−(h+1)c′_{t+t′−i″+1} mod p. Now we have

$$\begin{array}{c}{d^{\prime }}_{i^{\prime }-1}={b^{\prime }}_{t+i^{\prime }-i^{″}+1}^{i^{\prime }-1}{X}_{i^{\prime }-1}^{-\left(h+1\right)}{X}_{i^{\prime }-2}^{-\left(h+1\right)}\dots X_2^{-\left(h+1\right)}{X}_1^{-\left(h+1\right)}{c^{\prime }}_{t+t^{\prime }-i^{″}-1}=\hfill \\ {\left(X_1{X}_2\dots X_{i^{\prime }-2}{X}_{i^{\prime }-1}{X^{\prime }}_{h+1}{X^{\prime }}_1{X^{\prime }}_2\dots {X^{\prime }}_{t^{\prime }-2}{X^{\prime }}_{t^{\prime }-1}{X^{\prime }}_{t^{\prime }}{X^{\prime }}_{t^{\prime }+1}{X}_{i^{″}+1}\dots X_{t-2}{X}_{t-1}{X}_t\right)}^{i^{\prime }-1}\hfill \\ X_{i^{\prime }-1}^{-\left(h+1\right)}{X}_{i^{\prime }-2}^{-\left(h+1\right)}\dots X_2^{-\left(h+1\right)}{X}_1^{-\left(h+1\right)}{X}_1^h{X}_2^{h-1}\dots {X^{\prime }}_2^{t+t^{\prime }-i^{\prime \prime }-1}\dots {X^{\prime }}_{t^{\prime }-2}^{t-i^{″}+3}{X^{\prime }}_{t^{\prime }-1}^{t-i^{″}+2}\hfill \\ \hfill \hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}{X^{\prime }}_{t^{\prime }}^{t-i^{″}+1}{X^{\prime }}_{t^{\prime }+1}^{t-i^{″}}{X}_{i^{″}+1}^{t-i^{″}-1}\dots X_{t-2}^2{X}_{t-1}\mathrm{mod} p,\hfill \end{array}$$

(22)

$$\begin{gathered} d{\prime }_{i^{\prime }-1}={X^{\prime }}_{h+1}^h{X^{\prime }}_1^{h-1}{X^{\prime }}_2^{h-2}\dots {X^{\prime }}_{t^{\prime }-2}^{t+i^{\prime }-i^{″}+2}{X^{\prime }}_{t^{\prime }-1}^{t+i^{\prime }-i^{″}+1}{X^{\prime }}_{t^{\prime }}^{t+i^{\prime }-i^{″}} \\ \hspace{1em}\hspace{1em}\hspace{1em}{X^{\prime }}_{t^{\prime }+1}^{t+i^{\prime }-i^{″}-1}{X}_{i^{″}+1}^{t+i^{\prime }-i^{″}-2}\dots X_{t-2}^{i^{\prime }+1}{X}_{t-1}^{i^{\prime }}{X}_t^{i^{\prime }-1}{X}_1^{i^{\prime }-2}{X}_2^{i^{\prime }-3}\dots X_{i^{\prime }-2} \mathrm{mod} p. \end{gathered}$$

(23)

Owing to d′_i′ = b′_{t+t′−i″+1}d′_i′−1X′_h+1^−(h+1) mod p, we get

$$\begin{gathered} \hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}d{\prime }_{i^{\prime }}=X_1{X}_2\dots X_{i^{\prime }-2}{X}_{i^{\prime }-1}{X^{\prime }}_{h+1}{X^{\prime }}_1{X^{\prime }}_2\dots {X^{\prime }}_{t^{\prime }-2}{X^{\prime }}_{t^{\prime }-1}{X}^{\prime }{}_{t^{\prime }}{X^{\prime }}_{t^{\prime }+1}{X}_{i^{″}+1}\dots \\ {X}_{t-2}{X}_{t-1}{X}_t{X}^{\prime }{}_{h+1}^h{X^{\prime }}_1^{h-1}{X^{\prime }}_2^{h-2}\dots {X^{\prime }}_{t^{\prime }-2}^{t+i^{\prime }-i^{″}+2}{X^{\prime }}_{t^{\prime }-1}^{t+i^{\prime }-i^{″}+1}{X^{\prime }}_{t^{\prime }}^{t+i^{\prime }-i^{″}} \\ \hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}{X^{\prime }}_{t^{\prime }+1}^{t+i^{\prime }-i^{″}-1}{X}_{i^{″}+1}^{t+i^{\prime }-i^{″}-2}\dots X_{t-2}^{i^{\prime }+1}{X}_{t-1}^{i^{\prime }}{X}_t^{i^{\prime }-1}{X}_1^{i^{\prime }-2}{X}_2^{i^{\prime }-3}\dots X_{i^{\prime }-2}{X^{\prime }}_{h+1}^{-\left(h+1\right)}\mathrm{mod} p, \end{gathered}$$

(24)

$$\begin{gathered} \hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}d{\prime }_{i^{\prime }}={X^{\prime }}_1^h{X^{\prime }}_2^{h-1}\dots {X^{\prime }}_{t^{\prime }-2}^{t+i^{\prime }-i^{″}+3}{X^{\prime }}_{t^{\prime }-1}^{t+i^{\prime }-i^{″}+2}{X^{\prime }}_{t^{\prime }}^{t+i^{\prime }-i^{″}+1}{X^{\prime }}_{t^{\prime }+1}^{t+i^{\prime }-i^{″}}{X}_{i^{″}+1}^{t+i^{\prime }-i^{″}-1} \\ \dots X_{t-2}^{i^{\prime }+2}{X}_{t-1}^{i^{\prime }+1}{X}_t^{i^{\prime }}{X}_1^{i^{\prime }-1}{X}_2^{i^{\prime }-2}\dots X_{i^{\prime }-2}^2{X}_{i^{\prime }-1} \mathrm{mod} p. \end{gathered}$$

(25)

Since d′_j+i′ = b′_{t+t′−i″+1}d′_j+i′−1X′_j^–(h+1) mod p for j = 1 to t′ − 1 and d′_t′+i′ = b′_{t+t′−i″+1}d′_{t′+i′−1}X′_t^–(h+1) mod p, we get

$$\begin{gathered} {d^{\prime }}_{j+i^{\prime }}={b^{\prime }}_{t+i^{\prime }-i^{″}+1}^2{d^{\prime }}_{j+i^{\prime }-2}{X^{\prime }}_j^{-\left(h+1\right)}=\dots ={b^{\prime }}_{t+i^{\prime }-i^{″}+1}^j{d^{\prime }}_{i^{\prime }}{X^{\prime }}_j^{-\left(h+1\right)} \\ {X^{\prime }}_{j-1}^{-\left(h+1\right)}{X^{\prime }}_{j-2}^{-\left(h+1\right)}\dots {X^{\prime }}_1^{-\left(h+1\right)}\mathrm{mod} p, \end{gathered}$$

(26)

$$\begin{array}{c}{d^{\prime }}_{j+i^{\prime }}\hfill \\ ={\left(X_1{X}_2\dots X_{i^{\prime }-1}{X^{\prime }}_{h+1}{X^{\prime }}_1\dots {X^{\prime }}_{j-2}{X^{\prime }}_{j-1}{X^{\prime }}_j{X^{\prime }}_{j+1}{X^{\prime }}_{j+2}\dots X^{\prime }{}_{t^{\prime }}{X^{\prime }}_{t^{\prime }+1}{X}_{i^{″}+1}\dots X_{t-2}{X}_{t-1}{X}_t\right)}^j\hfill \\ {X^{\prime }}_1^h\dots {X^{\prime }}_{j-2}^{h-j+3}{X^{\prime }}_{j-1}^{h-j+2}{X^{\prime }}_j^{h-j+1}{X^{\prime }}_{j+1}^{h-j}{X^{\prime }}_{j+2}^{h-j-1}\dots {X^{\prime }}_{t^{\prime }}^{t+i^{\prime }-i^{″}+1}{X^{\prime }}_{t^{\prime }+1}^{t+i^{\prime }-i^{″}}{X}_{i^{″}+1}^{t+i^{\prime }-i^{″}-1}\dots \hfill \\ X_{t-2}^{i^{\prime }+2}{X}_{t-1}^{i^{\prime }+1}{X}_t^{i^{\prime }}{X}_1^{i^{\prime }-1}{X}_2^{i^{\prime }-2}\dots X_{i^{\prime }-1}{X^{\prime }}_j^{-\left(h+1\right)}{X^{\prime }}_{j-1}^{-\left(h+1\right)} {X^{\prime }}_{j-2}^{-\left(h+1\right)}\dots {X^{\prime }}_1^{-\left(h+1\right)}\mathrm{mod} p,\hfill \end{array}$$

(27)

$$\begin{gathered} {d^{\prime }}_{j+i^{\prime }}={X^{\prime }}_{j+1}^h{X^{\prime }}_{j+2}^{h-1}\dots {X^{\prime }}_{t^{\prime }}^{j+t+i^{\prime }-i^{″}+1}{X^{\prime }}_{t^{\prime }+1}^{j+t+i^{\prime }-i^{″}}{X}_{i^{″}+1}^{j+t+i^{\prime }-i^{″}-1}\dots \\ \hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}{X}_{t-2}^{j+i^{\prime }+2}{X}_{t-1}^{j+i^{\prime }+1}{X}_t^{j+i^{\prime }}{X}_1^{j+i^{\prime }-1}{X}_2^{j+i^{\prime }-2}\dots X_{i^{\prime }-1}^{j+1}{X^{\prime }}_{h+1}^j{X^{\prime }}_1^{j-1}\dots {X^{\prime }}_{j-2}^2{X^{\prime }}_{j-1} \mathrm{mod} p \end{gathered}$$

(28)

and

$$\begin{gathered} {d^{\prime }}_{i^{\prime }+t^{\prime }}=b{\prime }_{t+i^{\prime }-i^{″}+1}{d^{\prime }}_{i^{\prime }+t^{\prime }-1}{X^{\prime }}_{t^{\prime }}^{-\left(h+1\right)}=X_1{X}_2\cdots X_{i^{\prime }-1}{X^{\prime }}_{h+1}{X^{\prime }}_1\cdots {X^{\prime }}_{t^{\prime }-3} \\ {X^{\prime }}_{t^{\prime }-2}{X^{\prime }}_{t^{\prime }-1}{X^{\prime }}_{t^{\prime }}{X^{\prime }}_{t^{\prime }+1}{X}_{i^{″}+1}\cdots X_{t-2}{X}_{t-1}{X}_t{X^{\prime }}_{t^{\prime }}^h{X^{\prime }}_{t^{\prime }+1}^{h-1}{X}_{i^{″}+1}^{h-2}\cdots X_{t-2}^{i^{\prime }+t^{\prime }+1}{X}_{t-1}^{i^{\prime }+t^{\prime }} \\ {X}_t^{i^{\prime }+t^{\prime }-1}{X}_1^{i^{\prime }+t^{\prime }-2}{X}_2^{i^{\prime }+t^{\prime }-3}\cdots X_{i^{\prime }-1}^{t^{\prime }}X{\prime }_{h+1}^{t^{\prime }-1}X{\prime }_1^{t^{\prime }-2}\cdots {X^{\prime }}_{t^{\prime }-3}^2{X^{\prime }}_{t^{\prime }-2}{X^{\prime }}_{t^{\prime }}^{-\left(h+1\right)} \mathrm{mod} p, \end{gathered}$$

(29)

$$\begin{gathered} \hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}{d^{\prime }}_{i^{\prime }+t^{\prime }}={X^{\prime }}_{t^{\prime }+1}^h{X}_{i^{″}+1}^{h-1}\cdots X_{t-2}^{i^{\prime }+t^{\prime }+2}{X}_{t-1}^{i^{\prime }+t^{\prime }+1}{X}_t^{i^{\prime }+t^{\prime }}{X}_1^{i^{\prime }+t^{\prime }-1}{X}_2^{i^{\prime }+t^{\prime }-2}\cdots \\ \hspace{1em}\hspace{1em}\hspace{1em}{X^{\prime }}_{t^{\prime }+1}^h{X}_{i^{″}+1}^{h-1}\cdots X_{t-2}^{i^{\prime }+t^{\prime }+2}{X}_{t-1}^{i^{\prime }+t^{\prime }+1}{X}_t^{i^{\prime }+t^{\prime }}{X}_1^{i^{\prime }+t^{\prime }-1}{X}_2^{i^{\prime }+t^{\prime }-2}\cdots \\ {X}_{i^{\prime }-1}^{t^{\prime }+1}X{\prime }_{h+1}^{t^{\prime }}X{\prime }_1^{t^{\prime }-1}\cdots {X^{\prime }}_{t^{\prime }-3}^3{X^{\prime }}_{t^{\prime }-2}^2{X^{\prime }}_{t^{\prime }-1} \mathrm{mod} p. \end{gathered}$$

(30)

Let X′ _{l+t+t′−i″+1} = X_l mod p for l = 1 to i′ − 1 and X′ _{l+t′−i″+1} = X_l mod p for l = i″ + 1 to t. Moreover, let n′ = h + 1 and any index j but X′_i and X′_j are the same value when satisfying i = j mod n’. According to Equations (11), (25), and (28), we have

$$\begin{array}{c}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}K{\prime }_j={\left(z{\prime }_{j-1}\right)}^{\left(h+1\right)r_j^{\prime }}d{\prime }_{j+i^{\prime }-1}\hfill \\ \hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}={\left(z{\prime }_{j-1}\right)}^{\left(h+1\right)r_j^{\prime }}{X^{\prime }}_{j+1}^h{X^{\prime }}_{j+2}^{h-1}\dots {X^{\prime }}_{t^{\prime }}^{j+t+i^{\prime }-i^{″}+1}{X^{\prime }}_{t^{\prime }+1}^{j+t+i^{\prime }-i^{″}}\\ \hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}X{\prime }_{t^{\prime }+2}^{j+t+i^{\prime }-i^{″}-1}\dots X{\prime }_{t+t^{\prime }-i^{″}-1}^{j+i^{\prime }+2}X{\prime }_{t+t^{\prime }-i^{″}}^{j+i^{\prime }+1}X{\prime }_{t+t^{\prime }-i^{″}+1}^{j+i^{\prime }}X{\prime }_{t+t^{\prime }-i^{″}+2}^{j+i^{\prime }-1}X{\prime }_{t+t^{\prime }-i^{″}+3}^{j+i^{\prime }-2}\dots \hfill \\ \hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}X{\prime }_h^{j+1}{X^{\prime }}_{h+1}^j{X^{\prime }}_1^{j-1}\dots {X^{\prime }}_{j-2}^2{X^{\prime }}_{j-1} \mathrm{mod} p\hfill \end{array}$$

(31)

for j = 1, 2,…, t′. We write z′_h = z_i′−1, r′_h+1 = r_i′, r′_t′+1 = r_i″. By Equations (23) and (30), and Equations (12) and (13) become

$$\begin{gathered} \hspace{1em}\hspace{1em}K{\prime }_{i^{\prime }}={\left(z_{i^{\prime }-1}\right)}^{\left(h+1\right)r_{i^{\prime }}}d{\prime }_{i^{\prime }-1}={\left(z{\prime }_h\right)}^{\left(h+1\right)r_{h+1}^{\prime }}{X^{\prime }}_{h+1}^h{X^{\prime }}_1^{h-1}{X^{\prime }}_2^{h-2}\dots \\ \hspace{1em}\hspace{1em}\hspace{1em}{X^{\prime }}_{t^{\prime }-2}^{t+i^{\prime }-i^{″}+2}{X^{\prime }}_{t^{\prime }-1}^{t+i^{\prime }-i^{″}+1}{X^{\prime }}_{t^{\prime }}^{t+i^{\prime }-i^{″}}{X^{\prime }}_{t^{\prime }+1}^{t+i^{\prime }-i^{″}-1}X{\prime }_{t^{\prime }+2}^{t+i^{\prime }-i^{″}-2}\dots X{\prime }_{t+t^{\prime }-i^{″}-1}^{i^{\prime }+1} \\ X{\prime }_{t+t^{\prime }-i^{″}}^{i^{\prime }}X{\prime }_{t+t^{\prime }-i^{″}+1}^{i^{\prime }-1}X{\prime }_{t+t^{\prime }-i^{″}+2}^{i^{\prime }-2}X{\prime }_{t+t^{\prime }-i^{″}+3}^{i^{\prime }-3}\dots X{\prime }_{h-1} \mathrm{mod} p \end{gathered}$$

(32)

and

$$\begin{gathered} K{\prime }_{i^{″}}={\left({z^{\prime }}_{t^{\prime }}\right)}^{\left(h+1\right)r_{i^{″}}}d{\prime }_{i^{\prime }+t^{\prime }}={\left(z{\prime }_{t^{\prime }}\right)}^{\left(h+1\right)r_{t^{\prime }+1}^{\prime }}{X^{\prime }}_{t^{\prime }+1}^{h}X{\prime }_{t^{\prime }+2}^{h-1}\cdots X{\prime }_{t+t^{\prime }-i^{″}-1}^{i^{\prime }+t^{\prime }+2}X{\prime }_{t+t^{\prime }-i^{″}}^{i^{\prime }+t^{\prime }+1} \\ X{\prime }_{t+t^{\prime }-i^{″}+1}^{i^{\prime }+t^{\prime }}X{\prime }_{t+t^{\prime }-i^{″}+2}^{i^{\prime }+t^{\prime }-1}X{\prime }_{t+t^{\prime }-i^{″}+3}^{i^{\prime }+t^{\prime }-2}\cdots {X^{\prime }}_h^{t^{\prime }+1}{X^{\prime }}_{h+1}^{t^{\prime }}{X^{\prime }}_1^{t^{\prime }-1}\cdots {X^{\prime }}_{t^{\prime }-3}^3{X^{\prime }}_{t^{\prime }-2}^2{X^{\prime }}_{t^{\prime }-1} \mathrm{mod} p. \end{gathered}$$

(33)

According to Equations (31)–(33), we know Equations (11)–(13) are strictly consistent with Equation (1). This means that h+1 members, i.e., the members U_aj (j = 1, 2,…, t’) and U_i (i = 1, 2,…, i′, i″, i″ + 1, …, t), run cyclic version of the protocol. Finally, we can concluded that each member U_aj (j = 1, 2,…, t’) believes the members U_i (i = 1, 2,…, i′, i″, i″ + 1, …, t) of group A are in their group and share the secret key, i.e., K′ =g^{r₁r₂+r₂r₃+…+r_i′ r′₁+ r′₁r′₂+…+ r′_t′r_i″ + r_i″ r_i″+1+…+ r_t r₁} mod p. However, the fact is that the members U_i (i = 1, 2,…, i′ − 1, i″ + 1, i″ + 2,…, t) do not take part in the abnormal protocol run with the group B. It needs to point out that the member U_i″ can select the part of the members U_i (i = i″ + 1, i″ + 2, …, t) to add in the group B or ignore them all. Assume that S ⊂ {i″ + 1, i″ + 2,…, t } and the member U_i″ wants to include the members U_i∈S into group B. The member U_i″ only modifies the computation of the b′_{i+t′−i″+1} and c′_{i+t′−i″+1} in Round 2. That is, for i = i″ + 1 to t, the member U_i″ computes b′_{i+t′−i″+1} = b′_{i+t′−i″}X_i mod p and c′_{i+t′−i″+1} = b′_{i+t′−i″}c′_{i+t′−i″} mod p, when i∈S.

Further comment. The member tampering attacks are possibly exploited to cheat the members of the group and threaten group communication security. One threat scenario is patient consultation in telemedicine. When the medical experts and the patient establish a group communication by using the Burmester-Desmedt protocol, two medical experts can add some experts who have not participated in the consultation to the group as needed. This behavior can improve the authority of the consultation. Another threat scenario is the online auction system. If the online auction system runs the Burmester-Desmedt protocol, two members in the auction group can include the auction notaries, who do not exist in the auction group.

4. Countermeasure and Open Problem

The reason why the Burmester-Desmedt protocol suffers is that the members have not explicitly verified the identity of other members in the group. Therefore, the malicious insiders in the group can reuse messages of another protocol run to cheat other members into believing the non-existent members. If each member can confirm the identity of other members in the group during the protocol run, it is difficult for malicious insiders to add those dummy members.

Let Sign_skUi() and Vrfy_pkUi() (i = 1, 2, …, n) denote the member U_i’s signature function using private key sk_Ui and verification function using public key pk_Ui. We require the signature scheme that is existentially unforgeable under an adaptive chosen-message attack. Here, the existentially unforgeable property and the game of adaptive chosen-message attack are the standard notions of security for digital signature schemes. Let UI_i (i = 1, 2, …, n) be the member U_i’s recognizable identities (in lexicographic order) wishing to establish the group session key. Let ‖ be the concatenation operator. In the following, we provide the improvements on the Burmester-Desmedt protocol to defeat the member tampering attack.

In broadcast version as Figure 1, we require each member U_i (i = 1, 2, …, t) to receiving all z_j and X_j during Round 1 and Round 2, where j = 1, 2, …, t and j ≠ i. More importantly, each member U_i simultaneously computes and broadcasts S_i = Sign_skUi(z₁ ‖ X₁ ‖ UI₁ ‖ z₂ ‖ X₂ ‖ UI₂ ‖…‖ z_t ‖ X_t ‖ UI_t) in Round 2. Moreover, upon receiving all messages from other members, each member U_i also should verify all S_j by computing Vrfy_pkUj(S_j), where j = 1, 2, …, t and j ≠ i. If any verification operation fails, the member U_i should terminate the protocol run. When an adversary wants to illegally include any member U_j into a certain group and cheat other members of the group, he must forge the member U_j′s signature S_j during the protocol run. This signature signs recognizable identities of all group members and the fresh random values generated by all group members. However, the security of the signature algorithm [28] prevents the possibility of forging the member U_j′s signature without his private key sk_Ui.

In cyclic version as Figure 2, we assume that each member U_i (i = 1, 2, …, t) knows all other members U_j, where j = 1, 2, …, t and j ≠ i, potentially are in the group before the protocol run starts. Figure 5 shows our improvement of cyclic version. Our Round 1 and Round 2 are fully same as cyclic version described in Figure 2. During Round 3, we require each member U_i (i = 1, 2, …, t) simultaneously computes the signature SC_i = Sign_skUi(K_i ‖ UI₁ ‖ UI₂ ‖…‖ UI_t), and then each member U_i (i = 1, 2, …, t − 1) sends the signatures SC₁, SC₂, …, SC_i to the next member U_i+1 and the member U_t sends the signatures SC₂, SC₃, …, SC_t to the member U₁. After Round 3, we additionally demand a new round named Round 4. In Round 4, each member U_i (i = 1, 2, …, t − 2) sends the signatures SC_i+2, SC_i+3, …, SC_t to the member U_i+1. In Round 3 and Round 4, each member U_i (i = 1, 2, …, t) should verify all signatures SC_j by computing Vrfy_pkUj(SC_j), where j = 1, 2, …, t and j ≠ i. If any verification operation fails, the member U_i should immediately terminate the protocol run. For reasons similar to the improved broadcast version, the improved cyclic version also can resist the member tampering attack under the malicious active insider or outsider, when the signature algorithm is secure.

However, we argue that the above signature-based improvements on the Burmester-Desmedt protocol have at least two disadvantages, though they can resist member tampering attacks. First, the signature mechanism means that the group system needs to be equipped with Public Key Infrastructure (PKI) and issue digital certificates to ensure the authenticity of the members’ public keys. In addition, the certificate chain may also increase the complexity of the group system. Second, the signature mechanism requires the members of the group to generate, verify, transmit, and receive a considerable number of signatures. For example, each member in the improved broadcast version needs to generate and broadcast 1 signature and receive and verify the t − 1 signature, if there are t members in the group. Moreover, the members of the group must run an extra round in an improved cyclic version. Obviously, these two disadvantages indicate a significant increase in the implementation overheads of the group system, when the Burmester-Desmedt protocol adopts the signature mechanism. Hence, the signature-based improvements on the Burmester-Desmedt protocol are not suitable for resource-constrained security environments, such as Bluetooth security [29,30]. The group systems based on Bluetooth low-energy devices are very popular in wireless personal area networks and Internet-of-Things (IoT). However, to maintain the low energy feature, Bluetooth security currently does not support the signature mechanism. Hence, an interesting open problem is whether one could enhance the Burmester-Desmedt protocol to prevent member tampering attacks without relying on resource-intensive public key algorithms, e.g., the signature and the public encryption. A related approach might be to rely on the cryptographic hash techniques to develop a more intricate hybrid structure for the Burmester-Desmedt protocol. This requires in-depth studies, including protocol design, efficiency evaluation, security analysis, etc. We leave it as future work.

5. Conclusions

One advantage of the Burmester-Desmedt protocol is scalability, that is, any t > 2 members can establish a group session key after the protocol run. The scalability is very fit to ad hoc networks, where the number of members is often changing. However, we have shown that two malicious insiders in both group A and the group B can exploit its scalability to add the unknowing members of group A into the group B and make other members of the group B mistakenly believe that their group session key is shared with those unknowing members. Hence, owing to our member tampering attacks, the number of members is a security parameter and needs to be protected in the appropriate way when the scalable GKE protocol is deployed.

We proposed the signature-based improvement on the Burmester-Desmedt protocols, which is secure against our member tampering attacks. We compared our improvement with Katz-Yung protocol [15], because they are all base on the Burmester-Desmedt protocol and employ the signature schemes. In the broadcast version, the Katz-Yung protocol requires signing the messages of Round 1 and Round 2, respectively. Therefore, each member in the Katz-Yung protocol demands double signature operations compared with our improvement on the broadcast version. To the best of our knowledge, no other signature-based improvement on the cyclic version is proposed. However, under resource-constrained environments, our signature-based improvement is still not practical in view of the implementation costs.