# On Key Distribution Systems

## Abstract

Zero Knowledge (ZK) theory formed the basis for practical identification and signature cryptosysems (invented by Fiat and Shamir). It also was used to construct a key distribution scheme (invented by Bauspiess and Knobloch); however, it seems that the ZK concept is less appropriate for key distribution systems (KDS), where the main cost is the number of communications. We propose relaxed criteria for the security of KDS, which we assert are sufficient, and present a system which meets most of the criteria. Our system is not ZK (it leaks few bits), but in return it is very simple. It is a Diffie-Hellman variation. Its security is equivalent to RS A, but it runs faster.

Our definition for the security of KDS is based on a new definition of security for one-way functions recently proposed by Goldreich and Levin. For a given system and given cracking- algorithm, *I*, the cracking rate is roughly the average of the inverse of the running-time over all instances (if on some instance it fails, that inverse is zero). If there exists a function *s*:*N*→*N*, s.t. for all *I*, the cracking-rate for security parameter *n* is *O* (1)/*s*(*n*), then we say that the system has at least security *s*. We use this concept to define the security of KDS for malicious adversary (the passive adversary is a special case). Our definition of a malicious adversary is relatively restricted, but we assert it is general enough for KDS. This restriction enables the proof of security results for simple and practical systems. We further modify the definition to allow past keys and their protocol messages in the input data to a cracking algorithm. The resulting security functi on is called the “amortized security” of the system. This is justified by current usage of KDS, where the keys are often used with cryptosystems of moderate strength. We demonstrate the above properties on some Diffie-Hellman KDS variants which also authenticate the parties. In particular, we give evidence that one of the variants has super-polynomial security against any malicious adversary, assuming RSA modulus is hard to factor. We also give evidence that its amortized security is super-polynomial. (The original DH scheme does not authenticate, and the version with public directory has a fixed key, i.e. zero amortized security.)

## Keywords

Security Parameter Probabilistic Algorithm Triangular Distribution Protocol Message Honest Party## References

- [BCGL]Ben-David, S., Chor, B., Goldreich, O., Luby, M.: “On the Theory of Average Case Complexity”,
*STOC*, 1989 pp. 204–216.Google Scholar - [BK]Bauspiess, F., Knobloch, H.: “How to Keep Authenticity Alive in a Computer Network”,
*Eurocrypt’89*.Google Scholar - [DEK]Dolev, D., Even, E., Karp, R.M.: “On the Security of Ping-Pong Protocols”,
*Information and Control*, Vol. 55, Nos 1–3, Nov. Dec. 1982, pp. 57–68.zbMATHCrossRefMathSciNetGoogle Scholar - [DH]Diffie, W., Hellman, M.: “New Directions In Cryptography”,
*IEEE Trans. on Inf. Theory*, 1976, IT-22, pp. 644–654.CrossRefMathSciNetGoogle Scholar - [FS]Fiat, A., Shamir, A.: “How to Prove Yourself: Practical Solutions to Identification and Signature Problems”,
*Proceedings of Crypto 86*.Google Scholar - [G]Günther, C.G.: “Diffie-Hellman and El-Gamal Protocols With One Single Authentication Key”,
*Eurocrypt’89*.Google Scholar - [GHY]Galil, Z., Haber, S., Yung, M.: “Minimum-Knowledge Interactive Proofs for Decision Problems”,
*SIAM J. on Computers*Vol. 18, No. 4, Aug. 1989.Google Scholar - [GL]Goldreich, O., Levin, A.L.: “A Hard-Core Predicate for All One-Way Functions”,
*STOC’89*, pp. 25–32.Google Scholar - [GM]Goldwasser, S., Micali, S.,: “Probabilistic Encryption”,
*JCSS*, Vol. 28, No. 2, 1984, pp. 270–279.zbMATHMathSciNetGoogle Scholar - [GMR]Goldwasser, S., Micali, S., Rackoff, C: “The knowledge Complexity of Interactive Proof Systems”,
*Proc. 17th ACM Symposium on Theory of Computing*1985, and SIAM 1989.Google Scholar - [GMW]Goldreich, O., Micali, S., Wigderson, A.: “How to Play Any Mental Game”,
*Proc. STOC*1987, pp 218–229Google Scholar - [HU]Hopcroft, J.E., Ullman, J.D.: “
*Introduction to automata theory, languages, & computation*” Addison-Wesley, 1979Google Scholar - [KO]Koyama, K., Ohta, K.: “Identity Based Conference Key Distribution Systems”,
*Proc. Crypto’87*.Google Scholar - [M]McCurley, K.S.: “A Key Distribution System Equivalent to Factoring”,
*J. of Cryptology*, Vol.1, No. 2, 1988, pp. 95–106.zbMATHCrossRefMathSciNetGoogle Scholar - [MTI]Matsumoto, T., Takashima, Y., Imai, H.: “On Seeking Smart Public-Key-Distribution Systems”,
*Trans. of IECE Japan*Vo. E 69, No. 2, Feb 1986.Google Scholar - [O]Okamoto, E.: “Proposal for Identity-Based Key Distribution Systems”,
*Electronic Letters*1986, 22, pp. 1283,1284.CrossRefGoogle Scholar - [RSA]Rivest, R.L., Shamir, A., and Adelman, L.: “A Method for Obtaining Digital Signatures and Public-Key Cryptosystems”,
*Commun. ACM*1978, 21, pp. 120–126.zbMATHCrossRefGoogle Scholar - [S]Shmuely, Z.: “Composite Diffie-Hellman Public-Key Generating Systems Are Hard to Break”, TR #356,
*Computer Science Dept. Technion, IIT*, Feb. 1985.Google Scholar - [Y]Yacobi, Y.: “Attack on The Koyama-Ohta Identity Based Key-Distribution System”,
*Proc. Crypto’87*.Google Scholar