Flexible Group Non-interactive Key Exchange in the Standard Model

Abstract

In this paper, we constructed a non-interactive group key exchange protocol (GNIKE) with flexibility, i.e., the number of participants in the GNIKE is not predefined. Moreover, our GNIKE construction is only based on multilinear map and conventional cryptographic building blocks. The security proof of our GNIKE is in the standard model and relies on an n-exponent multilinear DDH assumption.

Appendices

A Intractability Analysis of n-Exponent Multilinear Diffie-Hellman Assumption

To analyze the intractability of the n-exponent multilinear Diffie-Hellman assumption, we relate it to another problem which is claimed to be hard [10, 22]. This \(\textsf{nMDDH}\) problem is rephrased below in our notation.

Definition 8

The n-multilinear decisional Diffie-Hellman (\(\textsf{nMDDH}\)) problem is \((t,\epsilon _{\textsf{nMDDH}})\)-hard in \(\textsf{GP}= (\mathbb {G}, \mathbb {G}_T, p, \textsf{nMAP}, g)\) with multilinear map \(\textsf{nMAP}\), if for all adversaries running in probabilistic polynomial time t, it holds that

$$ \left| \Pr \left[ \mathcal {A} (g,g^a, \textsf{nMAP}(g, \ldots , g )^{a^{n+1}}) = 1 \right] - \Pr \left[ \mathcal {A} (g, g^a, R) = 1\right] \right| \le \epsilon _{\textsf{nMDDH}}, $$

where \((g, a, R) {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}\mathbb {G}\times \mathbb {Z}_p \times \mathbb {G}_T\).

With the following lemma, the complexity of \(\textsf{nEMDDH}\) can be demonstrated.

Lemma 1

If the \(\textsf{nMDDH}\) problem is \((t,\epsilon _{\textsf{nMDDH}})\)-hard in \(\textsf{GP}\), then the n-Exponent multilinear decisional Diffie-Hellman (\(\textsf{nEMDDH}\)) problem is \((t_e,\epsilon _{\textsf{nEMDDH}})\)-hard in \(\textsf{GP}\), where \(t_e \approx t\), \(\epsilon _{\textsf{nMDDH}} = \epsilon _{\textsf{nEMDDH}}\).

Proof

Let \(\mathcal {A}_{\textsf{nEMDDH}}\) be a \({\textsf{nEMDDH}}\) adversary. We show how to construct another adversary \(\mathcal {B}\) against the \(\textsf{nMDDH}\) problem instance \((\mathbb {G}, \mathbb {G}_T, p, \textsf{nMAP}, g, g^a, R)\), with \(R = \textsf{nMAP}(g,g)^{a^{n+1}}\) or \(R {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}\mathbb {G}_T\).

After receiving its own challenge \(\mathcal {B}\) first chooses \(c {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}\mathbb {Z}_p\) and sets implicitly \(b = a\cdot c\) and then computes

$$R' = R^c,\ g^b = g^{ac} = (g^a)^c $$

\(\mathcal {B}\) outputs whatever \(\mathcal {A}_{\textsf{nEMDDH}}\) outputs on \((\mathbb {G}, \mathbb {G}_T, p, \textsf{nMAP}, g, g^a, g^b, R')\).

It is obvious that \(\mathcal {B} \) runs in time \(t_e \approx t\), if the exponentiation is efficient in \(\textsf{GP}\).

Note that since c is uniformly random in \(\mathbb {Z}_p\), so is \(g^b = (g^a)^c\) in \(\mathbb {G}\). Moreover, if \(R = \textsf{nMAP}(g,g)^{a^{n+1}} = \textsf{nMAP}(g,g)^{a^{n}a} \), then \(R' = R^c = (\textsf{nMAP}(g,g)^{a^{n}a})^c = \textsf{nMAP}(g,g)^{a^{n}\cdot ac} = \textsf{nMAP}(g,g)^{a^{n}\cdot b} \). Otherwise, \(R'\) remains uniformly random in \(\mathbb {G}_T\). Therefore, \(\mathcal {B}\) has generated perfectly an \({\textsf{nEMDDH}}\) instance for \(\mathcal {A}_{\textsf{nEMDDH}}\) and \(\epsilon _{\textsf{nMDDH}} = \epsilon _{\textsf{nEMDDH}}\).

B Cases in Game 2 in the Proof of Theorem 1

In game 2, we prove the claim by constructing a \(\textsf{nEMDDH}\) adversary \(\mathcal {B} \) with advantage \(\epsilon \) calling \(\mathcal {A} \) as a sub-procedure. Let \((g, g^a, g^b, R) \in \mathbb {G}^3 \times \mathbb {G}_T\) be \(\mathcal {B} \)’s inputs, where \(a, b \in \mathbb {Z}_p\). \(\mathcal {B} \)’s goal is to determine if \(\textsf{nMAP}(g, \ldots , g )^{a^nb} = R\). To set up the \(\textsf{GNIKE}\) instance, \(\mathcal {B} \) as a challenger runs \(\mathsf {GNIKE.Setup}(1^\kappa )\) to generate the system parameters, including a chameleon key pair \(\textsf{CHAMKey}=(\textsf{p}, \mathsf {\tau })\) and the groups with \(\textsf{nMultilinear}\) map \(\textsf{MG}\). It then randomly selects \(s_{\hat{A}_1}, \ldots , s_{\hat{A}_n} {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}\{0, 1\}^*\) and \(r_{\hat{A}_i}, \ldots , r_{\hat{A}_i} {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}\mathbb {R}_{\textsf{CH}}\).

Let p(t) = \(\prod ^n_{i=0}(t-t_{\hat{A}_i})^i\) = \(\varSigma ^{n}_{i=0} p_{i}t^i\) = \(p_{0} + p_{1}{t} + \ldots + p_{n}{t^n}\) be a polynomial of degree n over \(\mathbb {Z}_p\), where \(t_{\hat{A}_i} := \) \(\textsf{H}_{\textsf{p}}(s_{\hat{A}_i}, r_{\hat{A}_i})\). Next, a polynomial of degree n, q(t) = \(\varSigma ^{n}_{i=0} q_{i}t^i\) = \(q_{0} + q_{1}{t} + \ldots + q_{n}{t^n}\) is randomly selected over \(\mathbb {Z}_p\). Consequently, \(\mathcal {B} \) selects random values \(\gamma _1, \gamma _2\), uniformly in \( \mathbb {Z}^*_p\), sets then \(\varPhi = (g^a)^{\gamma _1}g^{\gamma _2}\), \(u_{i}=(g^{a})^{p_i}g^{q_{i}}\) for \(0 \le i \le n\) and \(S = g^b\). Since \(q_{i} {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}\mathbb {Z}^*_p\), we have \(u_{i} {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}\mathbb {G}\). Observably, \(u_{0}\ldots u_{n}^{t^n} = (g^{a})^{p(t)}g^{q(t)}\). \(\mathcal {B} \) then returns the public parameters \((\textsf{MG},\{u_i\}_{0 \le i\le n}, \varPhi , S, \textsf{p})\) to \(\mathcal {A} \) to finish the set up phase. Thereafter, \(\mathcal {B} \) answers the queries from \(\mathcal {A} \) in the following ways.

• \(\textsf{RegisterHonestUID}(\textsf{ID}_{\hat{A}_i})\): \(\mathcal {A} \) supplies an identity \(\textsf{ID}_{\hat{A}_i}\) (\(i \in [n]\)) to be registered as honest. To answer this query, B selects \(\alpha _i, \beta _i {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}\mathbb {Z}_p\), computes \(Z_{\hat{A}_i} = (g^a)^{\alpha _i}g^{\beta _i}\). With the trapdoor key \(\mathsf {\tau }\), \(\mathcal {B} \) can extract \(r_{\hat{A}_{i, ch}}\), such that

  $$\textsf{H}_{\textsf{p}}(Z_{\textsf{ID}_{\hat{A}_i}} || \textsf{ID}_{\hat{A}_i}, r_{\hat{A}_{i, ch}}) = \textsf{H}_{\textsf{p}} (s_{\hat{A}_i}, r_{\hat{A}_i}) = t_{\hat{A}_i}. $$

  \(\mathcal {B} \) then computes \(X_{\textsf{ID}_{\hat{A}_i}}\) = \([(g^{a})^{p(t_{\hat{A}_i})}g^{q(t_{\hat{A}_i})}]^{a\alpha _i+\beta _i}\) = \([(g^{a})^{0}g^{q(t_{\hat{A}_i})}]^{a\alpha _i+\beta _i}\) = \((g^{q(t_{\hat{A}_i})})^{a\alpha _i+\beta _i}\) = \((g^a)^{\alpha _iq(t_{\hat{A}_i})}g^{\beta _iq(t_{\hat{A}_i})}\). Finally, \(\mathcal {B} \) returns the public key \(pk_{\textsf{ID}_{\hat{A}_i}}\) = (\(Z_{\hat{A}_i}\), \(X_{\hat{A}_i}\), \(r_{\hat{A}_{i, ch}}\)) to \(\mathcal {A} \).

• \(\textsf{RegisterCorruptUID}(\textsf{ID}_{\mathcal {A} _i},pk_{\textsf{ID}_{\mathcal {A} _i}})\): Upon receiving a public key \(pk_{\textsf{ID}_{\mathcal {A} _i}}\) and an identity \(\textsf{ID}_{\mathcal {A} _i}\) from \(\mathcal {A} \). The public key \(pk_{\textsf{ID}_{\mathcal {A} _i}}\) is registered as corrupt if \(\textsf{ID}_{\mathcal {A} _i}\) has not been registered before.

• \(\textsf{RevealCorruptKey}\): \(\mathcal {A} \) supplies two sets of identities \(IDS_{\mathcal {A}}\) and \(IDS_{H}\): \(IDS_{\mathcal {A}}\) = \(\{ \textsf{ID}_{\mathcal {A} _1}, \ldots , \textsf{ID}_{\mathcal {A} _{l_1}} \}\) denoted here as corrupt and \(IDS_{H}\) = \(\{\) \(\textsf{ID}_{H_1}\), \(\ldots \), \(\textsf{ID}_{H_{l_2}}\) \(\}\) as honest and \(l_1 + l_2 = n^*\).

  • Case 1 (\(n^* = n\)), where n is the upper bound on the size of the group: For this query at least one of the identities supplied by \(\mathcal {A} \) was registered as honest (\(1 \le l_2 < n\)), and all identities supplied by \(\mathcal {A} \) must be unique. \(\mathcal {B} \) then checks the public key of any corrupt identity in \(IDS_{\mathcal {A}}\) using the multilinear equations to confirm that \(pk_{\textsf{ID}_{\mathcal {A} _i}}\) is of the form (\(Z_{\textsf{ID}_{\mathcal {A} _i}}\), \(a_{\textsf{ID}_{\mathcal {A} _i}}\), \(r_{\textsf{ID}_{\mathcal {A} _i}}\)), where \(Z_{\textsf{ID}_{\mathcal {A} _i}}\) = \(g^{a_{\textsf{ID}_{\mathcal {A} _i}}}\) and \(a_{\textsf{ID}_{\mathcal {A} _i}}\)=\(Y_{\textsf{ID}_{\mathcal {A} _i}}^{a_{\textsf{ID}_{\mathcal {A} _i}}}\) = \([(g^a)^{p(t_{\textsf{ID}_{\mathcal {A} _i}})}g^{q(t_{\textsf{ID}_{\mathcal {A} _i}})}]^{a_{\textsf{ID}_{\mathcal {A} _i}}}\). If the check fails, \(\mathcal {B} \) rejects this query. \(\mathcal {B} \) then computes the corresponding shared key \(K_{IDS_{\mathcal {A}},IDS_{H}}\) as follows:

    \(*\):

    \(t_{\textsf{ID}_{\mathcal {A} _i}}\) = \(\textsf{H}_{\textsf{p}}(Z_{\textsf{ID}_{\mathcal {A} _i}} || \textsf{ID}_{\textsf{ID}_{\mathcal {A} _i}}, r_{\textsf{ID}_{\mathcal {A} _i}})\), where \(i \in [l_1]\),

    \(*\):

    computes \(p(t_{\textsf{ID}_{\mathcal {A} _i}})\) and \(q(t_{\textsf{ID}_{\mathcal {A} _i}})\) using the polynomials p(t) and q(t)³,

    \(*\):

    \(\{[a_{\textsf{ID}_{\mathcal {A} _i}}]/ [Z_{\textsf{ID}_{\mathcal {A} _i}}^{q(t_{\textsf{ID}_{\mathcal {A} _i}})}]\}^{p(t_{\textsf{ID}_{\mathcal {A} _i}})^{-1}}\)

    = \(\{[(g^a)^{p(t_{\textsf{ID}_{\mathcal {A} _i}})}g^{q(t_{\textsf{ID}_{\mathcal {A} _i}})}]^{a_{\textsf{ID}_{\mathcal {A} _i}}}/ [(g^{a_{\textsf{ID}_{\mathcal {A} _i}}})^{q(t_{\textsf{ID}_{\mathcal {A} _i}})}]\}^{p(t_{\textsf{ID}_{\mathcal {A} _i}})^{-1}}\) = \((g^a)^{a_{\textsf{ID}_{\mathcal {A} _i}}}\),

    \(*\):

    \(Z_{\textsf{ID}_{\mathcal {A} _{i}}}^*\) = \([(g^a)^{a_{\textsf{ID}_{\mathcal {A} _i}}}]^{\alpha _i}\) \((Z_{\textsf{ID}_{\mathcal {A} _i}})^{\beta _i}\) = \((g^a)^{a_{\textsf{ID}_{\mathcal {A} _i}}{\alpha _i}}\) \((g^{a_{\textsf{ID}_{\mathcal {A} _i}}})^{\beta _i}\) = \((g^{a_{\textsf{ID}_{\mathcal {A} _i}}})^{({a \alpha _i} + {\beta _i})}\) = \(Z_{\textsf{ID}_{\mathcal {A} _i}}^{({a \alpha _i} + {\beta _i})}\)

    \(*\):

    the shared key \(K_{IDS_{\mathcal {A}},IDS_{H}}\)⁴:

    $$\begin{aligned} \textsf{nMAP}(&Z_{\textsf{ID}_{\mathcal {A} _1}},\ldots ,Z_{\textsf{ID}_{\mathcal {A} _{i-1}}},Z_{\textsf{ID}_{\mathcal {A} _{i}}}^*,\\&Z_{\textsf{ID}_{\mathcal {A} _{i+1}}} \ldots ,Z_{\textsf{ID}_{\mathcal {A} _{l_1}}},Z_{\textsf{ID}_{H_{1}}},\ldots ,Z_{\textsf{ID}_{H_{i-1}}},Z_{\textsf{ID}_{H_{i+1}}},\ldots ,Z_{\textsf{ID}_{H_{l_2}}},S) \end{aligned}$$

  • Case 2 (\( 2 \le n^* < n\)): \(\mathcal {B} \) proceeds as the same as case 1 mentioned above. For this case \(\mathcal {B} \) firstly adds \(\varPhi \) as padding for (\(n - n^*\)) times in the following \(\textsf{nMAP}\) equation, computes then the corresponding shared key \(K_{IDS_{\mathcal {A}},IDS_{H}}\) as follows:

    \(*\):

    the shared key \(K_{IDS_{\mathcal {A}},IDS_{H}}\)⁵ is computed as

    $$\begin{aligned} \textsf{nMAP}(&\ldots ,Z_{\textsf{ID}_{\mathcal {A} _{i-1}}},Z_{\textsf{ID}_{\mathcal {A} _{i}}}^*,Z_{\textsf{ID}_{\mathcal {A} _{i+1}}},\ldots ,Z_{\textsf{ID}_{\mathcal {A} _{l_1}}},Z_{\textsf{ID}_{H_{1}}},\ldots ,Z_{\textsf{ID}_{H_{i-1}}},\\&Z_{\textsf{ID}_{H_{i+1}}},\ldots ,Z_{\textsf{ID}_{H_{l_2}}},\underbrace{\varPhi ,\ldots ,\varPhi }_{{(n - n^*) }}, S) \end{aligned}$$

• \(\textsf{Test}\): Assume \(R =\textsf{nMAP}(g,\ldots ,g)^{a^n b}\). \(\mathcal {A} \) supplies \(n^*\) identities (\(\textsf{ID}_i, i \in [n^*]\)) that were registered as honest.

  • Caes 1 (\(n^* = n\)): \(\mathcal {B} \) computes

    $$\begin{aligned} K_b&= \textsf{nMAP}(g, \ldots , g)^{(\varPi _{i=1}^{n^*}(a\alpha _i+\beta _i))b} \\&= \textsf{nMAP}(g, \ldots , g)^{(\sum _{k=0}^{n^*}\psi _k a^k)b} \\&= \textsf{nMAP}(g, \ldots , g)^{(a^nb\varPi \alpha _i)+(\sum _{k=0}^{(n^*-1)}\psi _k a^k)b} \\&= R^{\varPi \alpha _i} \textsf{nMAP}(g, \ldots , g)^{\sum _{k=0}^{(n^*-1)}(\psi _k a^k)b}, \end{aligned}$$

    and returns \(K_b\) to \(\mathcal {A} \).

  • Case 2 (\( 2 \le n^* < n\)): \(\mathcal {B} \) computes

    $$\begin{aligned} K_b&=\textsf{nMAP}(g, \ldots , g)^{(\varPi _{i=1}^{n^*}(a\alpha _i+\beta _i))\overbrace{(\varPi _{i=(n^*+1)}^{n}(a\gamma _1 + \gamma _2))}^{\varPhi \ padding} b} \\&=\textsf{nMAP}(g, \ldots , g)^{(\sum _{k=0}^{n}\psi _k a^k)b}\\&= \textsf{nMAP}(g, \ldots , g)^{(a^nb\psi _n)+(\sum _{k=0}^{(n-1)}\psi _k a^k)b}\\&= R^{\psi _n} \textsf{nMAP}(g, \ldots , g)^{\sum _{k=0}^{(n-1)}(\psi _k a^k)b}, \end{aligned}$$

    and returns \(K_b\) to \(\mathcal {A} \).

  • Finally, when \(\mathcal {A} \) terminates by outputting a bit b, then \(\mathcal {B} \) returns the same bit to \(\textsf{nEMDDH}\) challenger.

In each case of the \(\textsf{Test}\) query, the right side of the last equality is how \(\mathcal {B} \) can compute \(K_b\). According to other equalities, \(\mathcal {B} \) can compute the real shared key if \(R = \textsf{nMAP}(g,\ldots , g)^{a^n b}\) holds, with known values of R, \(\alpha _i\), \(\beta _i\), \(\gamma _1\) and \(\gamma _2\). This is exactly as in game \(\mathsf {G^{}_{1}}\). On the other hand, if R is random, \(\mathcal {B} \) will output an independent random value in \(\mathbb {G}_T\). This is exactly as in game \(\mathsf {G^{}_{2}}\).