On Key Distribution Systems

  • Y. Yacobi
  • Z. Shmuely
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 435)


Zero Knowledge (ZK) theory formed the basis for practical identification and signature cryptosystems (invented by Fiat and Shamir). It was also used to construct a key distribution scheme (invented by Bauspiess and Knobloch); however, it seems that the ZK concept is less appropriate for key distribution systems (KDS), where the main cost is the number of communications. We propose relaxed criteria for the security of KDS, which we assert are sufficient, and present a system which meets most of the criteria. Our system is not ZK (it leaks a few bits), but in return it is very simple. It is a Diffie-Hellman variation. Its security is equivalent to RSA, but it runs faster.

Our definition of the security of KDS is based on a new definition of security for one-way functions recently proposed by Goldreich and Levin. For a given system and a given cracking algorithm, I, the cracking rate is roughly the average of the inverse of the running time over all instances (if on some instance it fails, that inverse is zero). If there exists a function s: N → N such that for all I, the cracking rate for security parameter n is O(1)/s(n), then we say that the system has at least security s. We use this concept to define the security of KDS for a malicious adversary (the passive adversary is a special case). Our definition of a malicious adversary is relatively restricted, but we assert it is general enough for KDS. This restriction enables the proof of security results for simple and practical systems. We further modify the definition to allow past keys and their protocol messages in the input data to a cracking algorithm. The resulting security function is called the “amortized security” of the system. This is justified by current usage of KDS, where the keys are often used with cryptosystems of moderate strength. We demonstrate the above properties on some Diffie-Hellman KDS variants which also authenticate the parties. In particular, we give evidence that one of the variants has super-polynomial security against any malicious adversary, assuming the RSA modulus is hard to factor. We also give evidence that its amortized security is super-polynomial. (The original DH scheme does not authenticate, and the version with a public directory has a fixed key, i.e. zero amortized security.)
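The cracking-rate definition above, written out as an added formalization (this is not notation from the paper; the symbols $X_n$, $t_I(x)$, $p_I(n)$ and $T_I(n)$ are assumed here, as is a uniform average over instances):

$$
r_I(n) \;=\; \frac{1}{|X_n|}\sum_{x\in X_n}\frac{1}{t_I(x)}, \qquad \frac{1}{t_I(x)} := 0 \ \text{ if } I \text{ fails on } x,
$$

where $X_n$ is the set of instances with security parameter $n$ and $t_I(x)$ the running time of $I$ on instance $x$. The system has security at least $s$ if $r_I(n) = O(1)/s(n)$ for every cracking algorithm $I$.

A consequence that makes the definition concrete: suppose $I$ succeeds on a fraction $p_I(n)$ of $X_n$ and takes time at most $T_I(n)$ on the instances where it succeeds. Each success contributes at least $1/T_I(n)$ to the average, so

$$
r_I(n) \;\ge\; \frac{p_I(n)}{T_I(n)}, \qquad\text{hence}\qquad T_I(n) \;\ge\; \frac{p_I(n)\, s(n)}{O(1)} .
$$

Thus a polynomial-time $I$ with non-negligible success fraction forces $s(n)$ to be polynomial, and conversely super-polynomial security $s$ means that any $I$ succeeding on a $1/\mathrm{poly}(n)$ fraction of instances must run in super-polynomial time on those instances.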





Copyright information

© Springer-Verlag Berlin Heidelberg 1990

Authors and Affiliations

  • Y. Yacobi, Bellcore, Morristown
  • Z. Shmuely, Computer Science Department, Technion, Haifa, Israel
