
On the (In)Security of Recent Group Key Distribution Protocols


Abstract

A typical stateful (resp. stateless) group key distribution (GKD) protocol is composed of a secret assignment algorithm, and stateful join/leave rekeying algorithms (resp. a stateless group rekeying algorithm). Any design flaw in any of these algorithms could lead to attacks on GKD protocols. We show how two recently-proposed stateful GKD protocols based on asymmetric cryptographic primitives suffer from collusion attacks due to security flaws in either secret assignment algorithms or leave rekeying algorithms. A variety of single-user attacks and improvements on stateless group rekeying algorithms of a number of GKD protocols based on Shamir's Secret-Sharing Scheme (SSS) have been put forward. We show the stateless group rekeying algorithms of one improved protocol and its variant (proposed by us) still suffer from attacks. In addition, we prove a lower bound on the size of a user's long-term secret for perfectly secure multi-session stateless GKD protocols. This bound reveals that (i) it is impossible to design an infinite-session stateless GKD protocol that is both perfectly secure and practical; (ii) all the considered SSS-based stateless GKD protocols are bound to be either incorrect or vulnerable to attacks. This work highlights the urgent necessity of adopting the provable security approach in this research field.

Keywords: group key distribution; multicast key distribution; broadcast encryption; collusion attacks; cryptanalysis

Bibliographic details

  • Source
    The Computer Journal | 2017, Issue 4 | pp. 507-526 | 20 pages
  • Author affiliations

    School of Software, Yunnan University, Kunming 650091, China;

    School of Information Science and Engineering, Yunnan University, Kunming 650091, China;

    School of Information Science and Technology, Sun Yat-sen University, Guangzhou 510275, China;

    School of Software, Yunnan University, Kunming 650091, China;

    School of Software, Yunnan University, Kunming 650091, China;

    School of Software, Yunnan University, Kunming 650091, China;

    School of Software, Yunnan University, Kunming 650091, China;

  • Indexed in: Science Citation Index (SCI), USA; Engineering Index (EI), USA
  • Original format: PDF
  • Language of text: English