1 Introduction

Secure group communication is a primary need for various groupware applications like video conferencing, e-voting, online chatting, online gaming, etc. The fundamental criteria of the secure group communication are confidentiality and authentication. Confidentiality ensures the privacy of the message (secret) within the group means the message can be read only by an intended receiver. Message authentication ensures the receiver that the messages are sent by the particular sender and are not altered in route. To provide these security features in a group, a common session key is required to be shared among communication entities for encryption/decryption or other cryptographic operation. Therefore, a key establishment protocol is needed to construct a common session key among all legitimate members of the group. The key establishment protocols are broadly categories into [1]: key transfer protocols [24] and key agreement protocols [5, 6]. A Key transfer protocol can be subdivided into key transfer protocols with the KGC and key transfer protocol without KGC. In the first type, key transfer protocol depends on a mutually trusted third party called as KGC to select a session key and then distribute the session keys to all the group members secretly. In the second type of key transfer protocol, session keys are generated with the help of group members.

Traditional group key management protocols can be grouped into two categories: Centralized group key management protocols and distributed group key management protocols. The centralized approach is simple as it involves a single entity (or a small set of entity) to generate and distribute key to all the group members [7, 8] but there is a drawback of centralized approach that there should be continuous availability of the central server for supporting the group communication. To overcome this type of problem, distributed key management approach is introduced [911]. Distributed key management involves dynamically selecting a group member that acts as a key distribution server. Distributed key management protocols are generally based on either Diffie–Hellman (DH) key exchange approach [10, 1214] or non DH key exchange approach [15, 16]. However, these types of key management protocols use encryption/decryption techniques in the generation of the secret (session) key. In DH based key agreement protocol, the session key is determined by exchanging public key of two communication entities. Since the public key does not provide the property of authentication, a signature/certificate can be attached in public key to provide authentication. However, the DH key agreement protocol is not suitable for group communication which has more than two parties. So the two party DH key exchange protocol is generalized for group communication [10]. The non DH protocols generally provide a key agreement with fault tolerance [15, 16]. In general terms, fault tolerance means the system continuing its operation even if in the event of a power failure. Tzeng et al. [6] proposed a group key agreement protocol based on the discrete logarithm problem and pointed out that klein et al. [14] protocol is quite inefficient in terms of security. Chang and Laih [15] modified the Tzeng conference key agreement protocol based on bilinear pairing. In 2009, Huang et al.[16] proposed an enhanced non interactive group key agreement protocol based on the discrete logarithm problem (DLP) and their protocol was more efficient than Tzeng protocol, in terms of computation and communication cost. In 2010, Zhao et al. [17] proposed a group key agreement protocol based on the RSA cryptosystem to improve the performance of Huang et al.’s protocol.

On the other hand, to avoid the use of encryption secret sharing has been used to design group communication protocol. The concept of secret sharing was first introduced by Blakley [18] and Shamir [19] separately in 1979. There are two different methods to implement a secret sharing scheme: One assumes that a trusted offline server is involved only in the initialization process [2022] and the other one assume that an online trusted server called KGC involved in all the processes [23]. The first scheme of secret sharing is called key pre-distribution scheme. In key pre-distribution scheme, a trusted authority generates and distributes pieces of information to all users offline. The main drawback of the pre-distribution scheme is that every user requires storing a large piece of information. The second one requires an online server to be active so that the trusted KGC generates and broadcasts group key information to all group members at once [23]. This approach uses the similar model like IEEE 802.11i standard [24]. In 1989, Laih et al. [23] proposed the first algorithm based on this approach using threshold secret sharing scheme. Later, there are some papers [2, 25, 26] following the same approach. Harn et al. [27] proposed a key transfer protocol uses secret sharing that provide confidentiality and authentication, in which KGC and each group member computed t degree interpolating polynomial. However, [28, 29] pointed out that it doesn’t protect from malicious user and gave an improvement.

This paper represents a group key transfer protocol based on the concept of Shamir’s secret sharing and ECC. The involvement of ECC reduces the size of the key as well as it takes less time for key computation. Furthermore, the proposed protocol replaces the role of KGC by a member called initiator that reduces the extra overheads of the online KGC.

The rest of this paper is organized as follows. In Sect. 2, we provide some preliminaries. The design principle of the proposed protocol is given in Sect. 3. The proposed group key transfer protocol is given in Sect. 4. In Sect. 5 security analysis and performance comparison is given and finally, we conclude in Sect. 6.

2 Preliminaries

In this section we introduce some fundamental backgrounds. The notations and the meaning of the notations are shown in Table 1.

Table 1 Notation table
Full size table

2.1 Background of elliptic curve group

Let the symbol E(F p ) denote an elliptic curve E over a prime finite field F p , defined by an equation. Y 2 mod p = (x 3 + ax + b)mod p, where a, b ∈ F p with the discriminant Δ = (4a 3 + 27b 2)mod p ≠ 0. The point on E (F p ) together with an extra point O called the point at infinity that forms a group G.: G = {f(x, y) : x, y ∈ F p and(x, y) ∈ E(F p )} ∪ {o}

2.1.1 Point addition

Let the order of G is n. G is a cyclic additive group under the point addition operation + defined as follows:

Let A, B ∈ G, l be the line connecting A and B, and C’ be the point of intersection of line l with E(F p ). C’ reflects on x axis and defines C.

$$ C=A+B $$

2.1.2 Point multiplication

For any scalar k scalar point multiplication over E (F p ) can be computed as follows:

$$ kA=k.A=A+A+\dots +A(kTimes) $$

The detail description of ECC can be found in [30, 31].

2.1.3 Discrete logarithm problem (DLP) on elliptic curve group

For a Given generator Q of G and an element A∈ Z p *, to find an integer a ∈Z p * such that A = a.Q.

2.2 Background of secret sharing

Secret sharing scheme was first introduced by Blakley [18] and Shamir [19] for safeguarding the cryptographic key. In secret sharing a secret is divided into n shares and shares among n shareholders in such a way that with any t or more than t shares it is able to reconstruct the secret but with less than t shares, it cannot reconstruct the secret. This scheme is called as (t, n) Secret Sharing Scheme. It is denoted as (t, n) − SS.

Shamir’s (t, n) − SS Secret sharing is an algorithm in cryptography. It is a form of secret sharing where the secret is divided into n parts, giving each participant its own unique parts, where some of the parts or all of them are needed in order to construct the secret. There are n shareholders U = {U 1, U 2, …, U n } and a mutual trusted participant U i  ∈ U called the initiator of the group. This scheme consists of two algorithms.

  1. 1)

    Share Generation Algorithm

    Share generation and secret reconstruction are related to each other. In share generation algorithm the initiator does the following.

    • The initiator first picks a polynomial of degree (t − 1) arbitrarily: f(x) = a 0 + a 1 x + … + a t − 1 x t − 1, in which the secret s = a 0 = f(0) and all coefficients a 0, a 1, …, a (t − 1) are in finite field F p  = GF(p) with p elements.

    • U i computes all secret s i  = f(i)(mod p) for i = 1, … n.

    • Then the initiator gives outputs a list of n secret shares s i to corresponding shareholders privately.

  2. 2)

    Secret Reconstruction Algorithm

    In this phase any t shares (s i1, …, s it ) are used to reconstruct the secret s.

    $$ s=f(0)={\displaystyle \sum_{i\in A}{s}_i{\beta}_i={\displaystyle \sum_{i\in A}{s}_i\left({\displaystyle \prod_{j\in A-\left\{i\right\}}\frac{x_j}{x_j-{x}_i}}\right)\left( \mod p\right)}} $$

    where A = {i 1, …, i t } ⊆ {1, 2, …, n}, β i for i ∈ A is Lagrange coefficients.

    The above scheme satisfies the fundamental security criteria of secret sharing schemes as follows: 1) Secret s can be constructed with the knowledge of any t or more than t shares. 2) Secret s cannot be reconstructed with the knowledge, the knowledge of less than it shares. Shamir’s scheme is information theoretically secure since it satisfies these two basic requirements to share a secret without any computational assumption.

3 Design principle

This section consists of two subsections. The first section (Sect. 4.1) describes the designing concept, and the security goals for our group key transfer protocol is given in Sect. 4.2.

3.1 The concept of our design

To maintain the confidentiality of the group key a onetime session key is required to share among the group members. Shamir’s (t, n)-SS can be used to establish the common session key for all the group members. However, the conventional group key transport schemes based on secret sharing require an online trusted KGC to share secrets among group members. In addition, KGC must generate a group key and then uses secret sharing scheme to transmit group key to all members. This type of result causes extra overheads in system implementation. To overcome these drawbacks an alternative approach, in which one of the group members is chosen as initiator and has endowed with the authority to select the secret key as group key and to originate the group communication.

In our design, the concept of ECC is used to share a secret between initiator and other group member. Further, the initiator constructs an interpolated polynomial f(x) of degree less than one from the group members. The polynomial f(x) passes through these shares and the selected session key by using Lagrangian interpolation, where f(0) represents the session key. Furthermore, the initiator publishes some additional point on f(x), where the number of those public points is equal to the number of group members minus one. On the other hand, each group member except the initiator, who know the public points and the shared secret is able to reconstruct the interpolated polynomial f(x) and derive the session key as f(0) by using Lagrangian interpolation. Finally, all group members share a common group session key.

3.2 Security goals

The main security goals for our group key transfer protocol are: key freshness, key confidentiality and key authentication.

Key freshness ensures that a group key never been used before. Thus, a compromised group key cannot cause any further damage in group communication.

Key confidentiality protects the group key such that a session key can only be recovered by authorized member i.e., a session is available to only authorized group members. It protects the group key from unauthorized access.

Key authentication confirms the identity of the users, it provides assurance to authorized group members that the group key is distributed by the initiator, but not an attacker.

4 The proposed protocol

Suppose that a set of t participants, U = {U 1 , U 2 , …, U t } wants to establish a secure communication and each participant, including initiator must maintain a public/private key pair(puk, prk) such that puk = prk . Q, where Q is a generating point in the elliptic curve group. Note that the long term pair (puk, prk) is authenticated by a trusted authority with the corresponding certificate. An initiator as (U i ∈U), one of the group members, has an authority to select the secret key as the group key and to originate the group communication. Figure 1 represents the proposed protocol structure. The proposed protocol consists of two phases, i.e., 1) secret establishment phase and 2) session key transfer phase.

Fig. 1
figure 1

The proposed group key transfer protocol

Full size image

The secret establishment phase consists of the following operations.

  1. 1.

    The initiator randomly selects a number r i  ∈ Z * p broadcast the following information to all other members to announce the group communication:

    $$ \left({r}_i,pu{k}_i,{U}_1,{U}_2,\dots {U}_t\right). $$
  2. 2.

    Upon receiving the announcement from the initiator, each participating group member U j (j ≠ i) selects a random number r j  ∈ Z * p and compute the following:

    • $$ {R}_j={r}_j.pu{k}_j $$
    • $$ {\overline{R}}_j={r}_j.pu{k}_i $$
    • $$ {s}_j=\overline{R_j}.pr{k}_j $$
    • $$ Aut{h}_j=h\left({s}_j\left|\right|{r}_i\right) $$
  3. 3.

    U j send the following information to the initiator as the response: {R j , Auth j }

  4. 4.

    After receiving a message from U j , the initiator computes s ' j  = R j . prk i and then checks \( Aut{h}_j\underline {\underline{?}}h\left({s}_j^{\hbox{'}}\left|\right|{r}_i\right) \), if the result is valid, the initiator believes that the secret s j  = r j . prk i . prk j . Q is shared with corresponding U j otherwise clams that U j is fraudulent and then restart the protocol.

In the session key transfer phase, the initiator and the other participating members U j execute the following operation.

  1. 1.

    The initiator has a secret s j shared with each member. These are basically elliptic curve points having x and y co–ordinates s j  = (x j , y j ). The initiator randomly selects a group session key k and constructs an interpolated polynomial f(x) of degree (t − 1) passes through t points (0, k) and (x j , y j ) for j = 1 to (t − 1), by using Lagrange interpolation. Further the initiator also computes (t − 1) additional points P i on f(x), where P i  = (x i , y i ) for i = 1 to (t-1) to Uj. Finally, the initiator computes Auth = h(k||r i ||U 1||U 2|| … ||U t ||P 1||P 2|| … ||P (t − 1)) and broadcast the message {Auth, P i } to all other members.

  2. 2.

    On receiving the above message from initiator each participating member U j knowing sj, and (t − 1) additional points P i , is able to reconstruct the polynomial f(x) and derive the group key k = f(0) by using Lagrange interpolation. Afterward, U j computes Auth* = h(k||r i ||U 1||U 2|| … ||U t ||P 1||P 2|| … ||P (t − 1)) and then check the hash value \( Aut{h}^{*}\underline {\underline{?}} Auth \). If the result is correct the result is authenticated.

    After the successful execution of the above process, the session key k is established among all group members. Later the key (k) can be used for secure group communication.

Remark

Most of the key transfer protocols based on Shamir’s (t, n)-SS are claimed information theoretically secure. However, these schemes must pre shared secret between the dealer and each participant. In other words, the secret must be shared via secure channel. Actually, it is strong assumption to suppose that a secure channel is existed in public networks. That is most existing scheme does not propose any practical method to share secrets in the public network. This work presents the first ECDLD assumption based group key transfer protocol to share the secret between initiator and other group participants. Next, we propose a group key transfer protocol based on Shamir’s (t, n)-SS. Since the concept of Shamir’s (t, n) -SS is information theoretically secure and adapted to transfer the group key, So we can say that group key procedure of the proposed scheme is information theoretically secure.

5 Security analysis

This section justifies the proposed protocol against different types of adversary attacks. Adversaries can be categorized as two types: 1) Outsider adversaries and insider adversaries. The first types of adversaries want to crack the confidentiality. The Second type of adversaries authorized to know the group session key and attempting to recover the individual member secret. In the following security discussion, we will show that our group key transfer protocol is secure against outsiders and insiders adversaries and achieves the following security goals: 1) key freshness 2) key confidentiality 3) key authentication.

Theorem 1

The key transfer protocol achieves key freshness.

Proof

Key freshness is ensured by the initiator, since a random group key is selected by the initiator for each service request. In addition, the group key is a function of random number selected by each participating group member and one time secret shared between corresponding group member and initiator.

Theorem 2

The key transfer protocol achieves key confidentiality.

Proof key

Confidentiality is ensured due to the security feature and ECDLP assumption and Shamir’s (t,n)-SS. Let us focus on the stage of group key generation and distribution. The initiator computes secrets s ' j  = prk i . R j as a point and construct an interpolated polynomial of degree (t − 1) to pass through the t points, (0, k) and (x j , y j ) for i = 1to(t − 1) and makes (t − 1) additional points P i publicly known, so that the authorized member gets the information to construct the secret key. However, the unauthorized member (outsider) has only (t − 1) public points on f(x) are available. They know only public information which is broadcasted by the initiator. Thus, the unauthorized members know nothing about the group key. In other words, the proposed protocol is secure since the Shamir (t,n)-SS is information theoretically secure (i.e., it does not involve any computational assumption) and elliptic curve cryptosystem is based on the difficulty of ECDLP.

Theorem 3

The proposed protocol achieves key authentication.

Proof

Group key authentication is provided through the value of Auth = h(k||r i ||U 1||U 2|| … ||U t ||P 1||P 2|| … ||P (t − 1)) where Auth is a one way hash function with the secret group key and random challenges generated by the initiator. It follows Theorem 2 that the unauthorized member knows nothing about the group key and so, they cannot forge Auth value. Any insider also cannot forge the group key since the group key is the function of all secrets shared between the group members and the initiator. Furthermore, any replay of Auth and P i can be detected since the group key is constructed with the help of shared secrets between initiator and each group member’s which is a function of the initiator and each group member’s random number.

Theorem 4

(Outsider Attack) Assume that an adversary who impersonates a group member requesting for group communication, then the attacker can neither obtain the group key nor share the group key with any other member.

Proof

Although the adversaries can intercept the messages between the initiator and the participating members, the adversaries can’t find shared secret s j , i.e., \( {s}_j=pr{k}_j.{\overline{R}}_j \) due to the long term private key prk j of any members U j are unknown. Furthermore, the group key k is can only be recovered by the honest member who has the correct private key corresponding to the shared secret s j . Therefore, the adversaries can’t impersonate as any group member to obtain the group key. On the other hand, since the adversaries do not have the information about the private key prk i of the initiator, thus the adversary cannot impersonate, as the initiator securely share the secret with the other member, in other words the adversary can’t share the group key with any group member by masquerading as an initiator.

Theorem 5

(Insider Attack) Assume that the protocols run successfully many times; then, the onetime secret (x j , y j ) of each U j shared with the initiator still can’t be traced by the other group member.

Proof

In order to provide the group service k on receiving the group key request, the initiator generates a polynomial f(x) of degree (t − 1) to pass through t points, (0, k) and (x j , y j ) for j = 1to(t − 1). Each appropriate group member can obtain the one time secret (x j , y j ) shared with the initiator by using the interactive key agreement protocol. Furthermore, with the knowledge of shared secret and (t − 1) public information, only the honest group member is able to reconstruct the polynomial f(x). However, the secret of each group member shared by the initiator is still untraceable by insiders, due to the fact that the onetime secret (x j , y j ) depends on the random number’s and long term private keys (prk i , prk j )

5.1 Functionality and security comparison

This section compares the major functionalities and security aspects of the proposed protocol with some other existing protocols in Table 2. The result of the table under the proposed protocol is obtained from the security analysis section (section 5) while the same for existing protocols are taken from the referenced papers. The results show that the proposed protocol achieving all desired functionalities, however, others are not achieving all functionalities.

Table 2 Functionality comparison of different schemes with the proposed scheme
Full size table
  1. F1

    (Without an online KGC)

    The proposed scheme supports communication among group members without initialization of an online KGC. In the proposed protocol one of the group member play the role of the KGC and initiate communication. However, in other key transfer protocol, KGC is required for the generation and distribution of group key.

  2. F2

    (Group key generated by user)

    The other functionality that supports the proposed key transfer protocol is that the group session key is generated with the help of members of the group, is no need of a trusted server.

  3. F3

    (No need for additional synchronized time)

    Most of the group key transfer schemes required additional synchronization time at the starting phase of the protocol. However, the proposed scheme does not require additional synchronization time.

  4. F4

    (Mutual Authentication)

    The proposed scheme provides mutual authentication between the initiator and other participating member, the mutual authentication is supported by ECDLP assumptions.

  5. F5

    (Session key agreement)

    The proposed schemes also support the session key agreement technique, which helps to establish a common and secure session key among the group members in each session. With the session key agreement, the member of the group exchange high confidential data among them.

5.2 Performance analysis

A comparative study in terms of security principles, operation used, ECC is used, and overall computation cost in different schemes such as [4, 16, 17, 27, 29] and the proposed scheme is shown in Table 3. The key distribution protocol of Huang scheme uses DH key exchange algorithm [32] and since random challenges required to execute modular exponentiation (MEXP), which is an expensive operation. The computation cost of elliptic curve point multiplication is much less than that modular exponentiation [33]. This is because 160 bit ECDLP and 1024 bit discrete logarithm problem (DLP) have the same security level [30]. Therefore, the Huang scheme has a high computational cost. The proposed protocol reduces the computation, communication and storage space cost, as the ECC and Shamir’s secret (t, n) -SS is used. It is to be noted that the proposed scheme uses the general cryptographic hash function instead of XOR operation. Elliptic curve multiplication/addition (EPM/EAD) is used instead of modular exponentiation. EPM/EAD is quite slower than XOR operation, but instead, encryption/decryption technique (having slower processing speed) secret sharing (faster) is used. Therefore, overall computation cost of the proposed protocol is less than others [4, 16, 17, 27]. From the security analysis and efficiency discussion, it is obvious that the proposed scheme is efficient, secure and user friendly.

Table 3 List of different security principles, operations used and overall computation cost of different schemes
Full size table

6 Conclusion

This paper presents an efficient group key transfer protocol using ECC. In the proposed protocol, the role of KGC is replaced by a group member called as initiator. Initiator distributes information related to the group key to all other members of the group. In this paper, we remove the extra overheads of KGC in system preparation as well as save the computation and communication cost with minimal storage overheads. The confidentiality of the group key distribution is information theoretically secure. This protocol also provide group key authentication. Security analysis shows that the protocol is also safe from possible attack. This protocol is fairly interesting for group oriented application.