An XTR-Based Constant Round Key Agreement Scheme

A new XTR-based key agreement scheme with constant rounds is presented. Three theorems are formulated to reveal the logarithmic computational complexity of this scheme. Furthermore, the computation framework of the XTR-based key agreement scheme is introduced, and the security of the scheme is proven under a formal model.


Introduction
Key agreement constructs secure infrastructures for networks by computing a common session key among a pool of group members. It is a central issue in various multicast applications such as pay-per-view TV broadcasts, teleconferencing, military communication, and distributed interactive games.
The pioneering work can be traced to Steiner et al. [1] in 1996, who proposed the first key agreement scheme, GDH. As an extension of Diffie-Hellman key exchange based on the discrete logarithm problem in ⟨⟩, GDH achieves group key exchange, and it is known as the first key agreement scheme. After that, various improved versions of GDH were presented, such as CLIQUES [2] and TGDH [3]. Unfortunately, the improved schemes still suffer from excessive computation or unreasonable communication.
Nowadays, it is widely accepted that a reliable key agreement scheme should meet three crucial demands: fast computation, less communication, and provable security. The first demand, fast computation, relies heavily on the algorithm one designs. With the arrival of new ideas in cryptosystems, including elliptic curve cryptography (ECC) and hash functions, the computation efficiency of key agreement schemes increased gradually. At first, the computations were based on the discrete logarithm problem, as in Steiner's classic work [1,2], Kim's TGDH [3], and many subsequent schemes [4][5][6]. Afterwards, hash functions were incorporated into some schemes to increase computation efficiency; see Tso et al.'s work [7], Fu et al.'s work [8], and so forth. With the development of elliptic curve cryptography, faster computing modules like the Weil pairing were regarded as a good replacement for the common exponentiations or multiplications in traditional schemes. Using the Weil pairing on elliptic curves, the pairwise key agreement protocol [9], the tripartite key agreement protocol [10], and the ID-based authenticated group key agreement scheme [11] were given. A more recent trend is to construct key agreement without pairing computation; see He et al.'s work [12].
The second demand is less communication, which refers to less information exchange between group members. In 2004, the bottleneck of key agreement schemes was identified as communication rounds, instead of computation rounds, which reveals the emphasis in the design of an efficient key agreement scheme. In the beginning, GDH.3, proposed by Steiner et al. [1], needs  + 1 rounds of communication. Kim et al. [3] and Dutta and Barua [4] reduced the rounds of communication to log 2  and log 3 , respectively. Afterwards, key agreement with four rounds of communication was proposed by Tso et al. [7], Fu et al. [8], Zheng et al. [13], and so forth, and the computation complexity of these schemes is slight. From Tso et al. [7] and Fu et al. [8] to Zheng et al. [13], the number of exponentiations decreases from 2 2 + 5 and 7 to 5, and the numbers of hash operations are  2 +  + 1, 2, and 3, respectively. In the meantime, the reduction of communication rounds has been regarded as a central issue. Three-round schemes were obtained by Nam et al. [5], Augot et al. [6], Yao et al. [14], and so forth. Recently, the number of communication rounds has been reduced to two, to which Lv and Li [11], He et al. [12], and Feng et al. [15] contributed a lot. In short, key agreement with less communication has drawn much attention nowadays; for recent research and reviews, refer to [16,23,24].
Besides computation cost and communication, another focus of research on key agreement schemes is security analysis. The reason lies in two aspects. Firstly, it is widely accepted that a secure key agreement scheme should meet several demands, including key completeness, forward secrecy, and backward secrecy. Secondly, the claim that a new scheme is secure should rest on a strict and formal proof, instead of colloquial illustration or informal argument. Strict proofs of schemes were commenced by Bresson et al. [17], who modeled the execution of an authenticated group Diffie-Hellman scheme and proved its security by defining a formal model. Raymond Choo et al. [18] gave formal proofs of certain known protocols to reveal their weaknesses in security and hence encourage future designers to provide proofs of security for new protocols. Actually, the importance of provable security is widely accepted nowadays, and it has become an indispensable part of almost all key agreement schemes appearing in the recent literature.
Unfortunately, few schemes achieve all three goals because of the imbalance between security and efficiency. However, a suitable balance between computation, communication, and security is of utmost importance in current key agreement research. In view of this, this study proposes a reliable scheme which meets the above three demands by taking advantage of Lenstra's XTR cryptosystem [19,20]. Here, XTR stands for ECSTR, which is an abbreviation for Efficient and Compact Subgroup Trace Representation. XTR is an efficient cryptosystem, and the mathematics underlying XTR is straightforward compared to ECC [19]. Moreover, the corresponding XTR public keys are only about twice as large as ECC keys, assuming global system parameters. Unlike RSA and ECC, parameter initialization from scratch for XTR takes a negligible amount of computing time [21]. Furthermore, Verheul [22] showed that XTR is at least as secure as supersingular elliptic curve systems. This conclusion relied on the deduction that a collapse of XTR would lead to a collapse of ECC. Hence, the security of XTR is ensured.
In this paper, three algorithms with their computation complexity in XTR theory are given. Based on these algorithms, an XTR-based key agreement scheme with constant rounds (XTR-CR) is proposed. The scheme achieves high efficiency and is scalable in computation and security as well. Moreover, the efficiency in computation and communication of XTR-CR and XTR-GDH, the natural analogue of GDH in XTR, is compared, and the better efficiency of XTR-CR is shown. Finally, under a decisional Diffie-Hellman (DDH) assumption, XTR-CR is proved to be secure against an active adversary in the formal model. The paper is organized as follows. In Section 2, the XTR cryptosystem is introduced together with three computation theorems. Section 3 introduces our new scheme. The security proof of the new scheme is presented in Section 4. Conclusions are given in the last section.

XTR Cryptosystem
As a reliable key agreement scheme aiming to achieve a good balance between efficiency and security, this scheme is designed on the basis of XTR. Since the XTR cryptosystem has not previously been incorporated into a key agreement scheme, preliminaries of the XTR cryptosystem are introduced in Section 2.1. By giving and proving three related computation theorems in Section 2.2, the computation complexity of our XTR-based scheme is clarified.
Security analysis of the XTR system is based on the difficulty of the following three computational problems: Unlike RSA and ElGamal, the computation in XTR takes place in a subgroup of the multiplicative group ( 6 ) * with order  2 −  + 1. The computation has polynomial complexity, and as a result it ensures the high efficiency of the implementation. Furthermore, in order to evaluate the security level of XTR, the following equivalence was proven [19].
where the problem A is (, ) equivalent to problem B, if any instance of problem A (or B) can be solved by at most  (or ) calls to an algorithm solving problem B (or A).
The following six lemmas are necessary for the proof of Theorems 7, 8, and 9.

The XTR-Based Key Agreement Scheme
In this section, the new scheme XTR-CR is presented. For this, the fundamental application of Lenstra and Verheul's work [19] is described first in Section 3.1. After that, two group extension protocols, XTR-GDH and XTR-CR, are listed in Section 3.2. Among them, XTR-GDH is the natural extension of GDH combined with XTR, while XTR-CR is our proposed new scheme with low computation complexity and two rounds of communication. Finally, explicit comparisons of XTR-CR, XTR-GDH, and other competitive schemes are performed in Section 3.3, so as to reveal the advantage of XTR-based schemes, especially XTR-CR.

Key Exchange between Alice and Bob.
The XTR Diffie-Hellman key exchange protocol between two members is a routine idea in Lenstra and Verheul's work [20], and it is remarkable enough to illustrate here in detail.
Suppose that Alice and Bob, who both have access to the XTR public key data , , Tr(), want to agree on a shared secret key . This is done by using the following XTR version of the Diffie-Hellman protocol.
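The two-party XTR Diffie-Hellman exchange described here, as an added worked example in Python that is not part of the paper: it implements the Lenstra-Verheul trace recurrences over GF(p^2), the parameter step that finds Tr(g), and the two exchanged messages Tr(g^a) and Tr(g^b). The toy parameters p = 29 and q = 271, the function names, and the seeded random secrets are constructed for illustration.

```python
import random

# Toy XTR parameters, constructed for this example (real XTR uses ~170-bit p, ~160-bit q):
# p = 2 (mod 3), so GF(p^2) = GF(p)[a] with a^2 + a + 1 = 0 and basis {a, a^2};
# q is a prime divisor of p^2 - p + 1 (29^2 - 29 + 1 = 813 = 3 * 271).
P, Q = 29, 271

def f2_add(x, y): return ((x[0] + y[0]) % P, (x[1] + y[1]) % P)
def f2_sub(x, y): return ((x[0] - y[0]) % P, (x[1] - y[1]) % P)
def f2_mul(x, y):  # (x1 a + x2 a^2)(y1 a + y2 a^2), using a^3 = 1 and 1 = -a - a^2
    s = (x[0] * y[1] + x[1] * y[0]) % P
    return ((x[1] * y[1] - s) % P, (x[0] * y[0] - s) % P)
def f2_conj(x): return (x[1], x[0])        # x^p: a^p = a^2 when p = 2 (mod 3)
def f2_int(k): return ((-k) % P, (-k) % P)  # the integer k is -k*a - k*a^2
def in_gfp(x): return x[0] == x[1]          # x lies in GF(p) iff both coordinates agree
def f2_dbl(x): return f2_sub(f2_mul(x, x), f2_add(f2_conj(x), f2_conj(x)))  # c_2k = c_k^2 - 2c_k^p

def trace_exp(c, n):
    """Given c = Tr(g), return c_n = Tr(g^n) without ever touching GF(p^6): the
    Lenstra-Verheul recurrences move S_k = (c_{k-1}, c_k, c_{k+1}) to S_2k or S_2k+1."""
    cp, s = f2_conj(c), (f2_int(3), c, f2_dbl(c))   # S_1 = (c_0, c_1, c_2)
    for bit in bin(n)[3:]:                          # binary expansion after the leading 1
        km1, k, kp1 = s
        c2km1 = f2_add(f2_sub(f2_mul(km1, k), f2_mul(cp, f2_conj(k))), f2_conj(kp1))
        c2kp1 = f2_add(f2_sub(f2_mul(kp1, k), f2_mul(c, f2_conj(k))), f2_conj(km1))
        s = (c2km1, f2_dbl(k), c2kp1) if bit == "0" else (f2_dbl(k), c2kp1, f2_dbl(kp1))
    return s[1]

def find_trace_of_generator(rng):
    """Lenstra-Verheul parameter step: find Tr(g) for some g of order q."""
    m = (P * P - P + 1) // Q
    while True:
        c = (rng.randrange(P), rng.randrange(P))
        # F(c, X) = X^3 - cX^2 + c^p X - 1 is irreducible over GF(p^2) iff c is outside
        # GF(p) and c_{p+1} is outside GF(p); only then do its roots have order | p^2-p+1
        if in_gfp(c) or in_gfp(trace_exp(c, P + 1)):
            continue
        t = trace_exp(c, m)           # Tr(h^m): h^m has order dividing q
        if t != f2_int(3):            # Tr(x) = 3 only for x = 1
            return t

def xtr_dh(tr_g, rng):
    """Two-party XTR-DH: Alice sends Tr(g^a), Bob sends Tr(g^b); both derive Tr(g^ab)."""
    a, b = rng.randrange(2, Q - 1), rng.randrange(2, Q - 1)
    tr_ga, tr_gb = trace_exp(tr_g, a), trace_exp(tr_g, b)   # the two exchanged messages
    return trace_exp(tr_gb, a), trace_exp(tr_ga, b)          # (Alice's key, Bob's key)

def demo(seed=1):
    rng = random.Random(seed)
    tr_g = find_trace_of_generator(rng)
    key_alice, key_bob = xtr_dh(tr_g, rng)
    return tr_g, key_alice, key_bob
```

Each party computes only in GF(p^2), so a message is two GF(p) elements rather than a full GF(p^6) element, which is the compactness XTR trades on.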

Key Agreement of Group.
Here, we present two constant-round communication protocols for group key agreement. One is an analogue of GDH in XTR, denoted XTR-GDH; the other is the proposed scheme, XTR-CR.

Analogue of GDH in XTR: XTR-GDH.
The first protocol, XTR-GDH, is a natural extension of Steiner's Group Diffie-Hellman protocol [19].

Proposed Scheme: XTR-CR.
Below is the scheme we propose, Algorithm XTR-CR.
The flow charts of the two schemes are depicted in Figure 1. During the whole process, the latter member   acts as a sponsor which carries a heavier computation burden than the other members. The obligation of the sponsor is reasonable and necessary, because the presence of a sponsor not only provides high efficiency for the scheme but also preserves the equality of members in the group. This property is similar to that in the schemes GDH [1] and TGDH [3].

Comparison of XTR-GDH, XTR-CR, and Other Competitive Key Agreement Schemes in Communication and Computation.
The performance of the XTR-based schemes is compared with several competitive key agreement schemes by considering computation, message amount, and communication. Twelve typical key agreement schemes are listed in Table 1 for comparison with the XTR-based schemes in terms of efficiency. All of the chosen schemes are listed in descending order of the number of communication rounds. Among them, GDH.3 [1] and TGDH [3] are classic and traditional protocols, while Dutta95 [4] shows better performance in the rounds of communication. The other schemes are typical and competitive key agreement schemes in the literature, as introduced in the first section, and their numbers of communication rounds are sorted from four and three down to two. As a typical one-round protocol, Shim's work [23] is designed for three-party key agreement instead of arbitrary  entities, and a signature is required; therefore, it is not fair to give a computation comparison. The explicit information on these schemes can be found in Table 1.
As shown in Table 1, both XTR-GDH and XTR-CR perform well in the number of communication rounds. In the following, the performance of the XTR-based schemes is compared with other two- or three-round communication schemes.
Among the schemes with three rounds of communication, XTR-GDH only demands 16log 2  scalar multiplications, which seems better than YWJ08 [9] and slightly weaker than NPKW07 [5], the latter needing 5.5 + 5log 2  − 1 exponentiations. Though Daniel07 [6] needs much less computation than XTR-GDH, it can easily be seen that XTR-GDH has the least message amount. These results show that XTR-GDH is also a competitive scheme.
Observing the performance of XTR-CR among two-round communication schemes, (−1)(88log 2 +128) scalar multiplications are counted for XTR-CR. The computation load in XTR-CR is less than that in FWM08 [15] but a little heavier than that in LL10 [11] and Xiong13 [24]. Taking into account that the 5 or  pairing computations are time-consuming for LL10 [11] and Xiong13 [24], XTR-CR needs comparatively less computation than the above schemes.
Besides, message amount of XTR-CR is the least among all of the schemes.
Comparing XTR-GDH with XTR-CR, the latter performs better in communication and message amount. Meanwhile, XTR-CR shows a slight weakness in computation complexity. Given the rapid development of the XTR cryptosystem, this weakness in XTR-CR is minor. Moreover, as mentioned in Section 1, key agreement with less communication is critical in implementation. Since XTR-GDH needs one more communication round than XTR-CR, the proposed scheme is a better and more efficient scheme than XTR-GDH.
In short, the full comparison of fourteen competitive key agreement schemes shows that XTR-GDH and XTR-CR achieve a good balance between computation and communication performance. Moreover, XTR-CR performs the best in both computation and communication.

Security Analysis of XTR-CR
In this section, a formal model is used to prove that the XTR-CR scheme is secure against an adversary under the XTR-DDH assumption. The explicit security proof of the proposed scheme is given in Section 4.2.

Security Basis of Formal Model.
Let  = { 1 ,  2 , . . .,   } be a set of  users who wish to participate in a group key agreement. One assumes that  is polynomially bounded in the security parameter . A player   has many instances called oracles, involved in distinct concurrent executions of the protocol. The instances  of player   are denoted as ∏   . The adversary  has an endless supply of oracles ∏    and makes various queries to them. Each query models a capability of the adversary.
(i) Execute (). This query returns a transcript of an honest protocol execution among instances of users in .
(ii) Send (∏   , ). This query sends message  to oracle ∏   . When oracle ∏    receives the message , it proceeds as specified in the protocol; the oracle updates its state and then generates and sends out a response message as needed. The response message is returned to the adversary . A query of the form Send (∏   , Start  ) allows the adversary  to initiate an execution of the protocol.
(iii) Reveal (∏   ). This query returns the session key  if oracle ∏    has computed a session key. It models the capability of the adversary to obtain some session keys.
(iv) Corrupt (  ). The long-term private key of user   is returned in response to this query, which is used to model forward secrecy.
(v) Dump (∏   ). This query returns all short-term secret values used by oracle ∏   , modeling the adversary's capability to embed a Trojan horse or other malicious code into a system and then log all the session-specific information of the victim. Neither the session key  computed by ∏    nor the long-term private key   is returned.
(vi) Test (∏   ). This query is asked only once, when the adversary  wants to attempt to distinguish the real session key  from a random fake key, modeling the semantic security of the session key . To answer the query, one flips a secret coin  and returns the real session key  if  = 1, or else a random string chosen from {0, 1}  if  = 0, where  is the length of the session key to be distributed in the protocol. This query is made only if oracle ∏    is fresh; the definition of freshness is given below.
To quantify the ability of an adversary , we consider the query actions of  here. During the execution of the protocol, the adversary , at any time, asks a Test query to a fresh oracle, then gets back an -bit string as the response to this query, and at some later point outputs a bit   as a guess for the hidden bit . Let Correct Guess () be the event that   = . Then we define the advantage of  in attacking protocol  to be We define protocol  as secure against an adversary  if Adv , () is negligible.
According to the illustration of the XTR-DDH problem in Section 2, a formal description of the XTR-DDH assumption is displayed below.
More formally, if we define Adv Thus the theorem follows.
The result of the above theorem shows that the security of the proposed key agreement scheme rests on the computational difficulty of the XTR-DDH problem. It also shows that the proposed scheme is secure against the adversary's attacks under the XTR-DDH assumption.
Moreover, the result of this security proof also supports the idea of Steiner et al. [1], who proved that the DDH assumption implies the G-DDH assumption. Here, G-DDH is short for the group decisional Diffie-Hellman assumption, which refers to the difficulty of distinguishing  ∏  from a random value when knowing the elements  ∏  for some subsets of indices . Actually, Theorem 10 can be regarded as evidence for this result.

Conclusions
In this paper, a constant-round key agreement scheme XTR-CR is proposed on the basis of the XTR cryptosystem. Three theorems are given as a theoretical guarantee of the fast implementation of the system. Moreover, under the XTR-DDH assumption, the security of the scheme is proved in the formal model. It is believed that this scheme is efficient both in communication and computation. Hence, the proposed scheme is reliable in the sense of achieving the three efficiency and security demands: less communication, fast computation, and provable security.

Table 1: Comparison between XTR-GDH, XTR-CR, and other competitive key agreement schemes.