Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TDSC.2017.2725953, IEEE
Transactions on Dependable and Secure Computing
1
Abstract—Data sharing in cloud computing enables multiple participants to freely share the group data, which improves the efficiency
of work in cooperative environments and has widespread potential applications. However, how to ensure the security of data sharing
within a group and how to efficiently share the outsourced data in a group manner are formidable challenges. Note that key agreement
protocols have played a very important role in secure and efficient group data sharing in cloud computing. In this paper, by taking
advantage of the symmetric balanced incomplete block design (SBIBD), we present a novel block design-based key agreement
protocol that supports multiple participants, which can flexibly extend the number of participants in a cloud environment according to
the structure of the block design. Based on the proposed group data sharing model, we present general formulas for generating the
common conference key K for multiple participants. Note that by benefiting from the (v, k + 1, 1)-block design, the computational
complexity of the proposed protocol linearly increases with the number of participants and the communication complexity is greatly
reduced. In addition, the fault tolerance property of our protocol enables the group data sharing in cloud computing to withstand
different key attacks, which is similar to Yi’s protocol.
Index Terms—Key agreement protocol, symmetric balanced incomplete block design (SBIBD), data sharing, cloud computing.
1 I NTRODUCTION
1545-5971 (c) 2017 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TDSC.2017.2725953, IEEE
Transactions on Dependable and Secure Computing
2
from malicious conferees, who attempt to deliberately delay over, the communication complexity is reduced without in-
or destroy the conference, Yi proposed an identity-based troducing extra computational complexity. Specifically,
√ the
fault-tolerant conference key agreement in [7]. Currently, communication complexity of our protocol is O(n n), and
many researches have been devoted to improving the se- the computational complexity is O(nm2 ). Here, n is the
curity and communication efficiency of the key agreement number of participants, and m is the extension degree of
protocol, which is covered in the literature [8], [9], [10], the finite field Fpm , which is the space for rational points in
[11]. Note that in Chung and Bae’s paper [12] and Lee et a supersingular elliptic curve.
al.’s paper [13], block design is utilized in the design of an
efficient load balance algorithm to maintain load balanc- 1.2 Organization
ing in a distributed system. Inspired by [12] and [13], we
The remainder of this paper is organized as follows. Sec-
introduce the symmetric balanced incomplete block design
tion 2 introduces related works. Section 3 briefly presents
(SBIBD) in designing the key agreement protocol to reduce
preliminaries and the system model. Section 4 describes
the complexity of communication and computation. As far
the algorithm for constructing the SBIBD and depicts the
as we know, the work to design the key agreement protocol
group data sharing model. Section 5 shows the block design-
with respect to the SBIBD is novel and original.
based key agreement protocol with the general formulas
for calculating the common conference key for multiple
1.1 Main Contributions participants. Section 6 and Section 7 present the security
and performance analyses, respectively. Finally, conclusions
In this paper, we present an efficient and secure block
are drawn in Section 8. To understand our protocol well,
design-based key agreement protocol by extending the
the detailed process of the key agreement with multiple
structure of the SBIBD to support multiple participants,
participants and a concrete example with 31 participants are
which enables multiple data owners to freely share the
provided in the Appendix.
outsourced data with high security and efficiency. Note that
the SBIBD is constructed as the group data sharing model to
support group data sharing in cloud computing. Moreover, 2 R ELATED WORKS
the protocol can provide authentication services and a fault It is well known that data sharing in cloud computing can
tolerance property. The main contributions of this paper are provide scalable and unlimited storage and computational
summarized as follows. resources to individuals and enterprises. However, cloud
1. Model of group data sharing according to the struc- computing also leads to many security and privacy con-
ture of the SBIBD is constructed. In this paper, a group cerns, such as data integrity, confidentiality, reliability, fault
data sharing model is established based on the definition tolerance and so on. Note that the key agreement protocol is
of the SBIBD, which can be used to determine the way of one of the fundamental cryptographic primitives, which can
communication among the participants. Regarding mathe- provide secure communication among multiple participants
matical descriptions of the structure of the SBIBD, general in cloud environments.
formulas for computing the common conference key for In [14] and [15], based on symmetric-key cryptogra-
multiple participants are derived. phy, several schemes were proposed to enable efficient
2. Fault detection and fault tolerance can be provided encryption of the outsourced data. However, encryption
in the protocol. The presented protocol can perform fault keys should be transmitted in a secure channel, which
detection to ensure that a common conference key is estab- is not possible in practice, particularly in the open cloud
lished among all participants without failure. Moreover, in environment. Since it was introduced in [16], resistance to
the fault detection phase, a volunteer will be used to replace compromised keys has been taken into consideration, which
a malicious participant to support the fault tolerance prop- is an important issue in the context of cloud computing.
erty. The volunteer enables the protocol to resist different Note that cloud storage auditing with verifiable outsourcing
key attacks [7], which makes the group data sharing in cloud of key updates paradigm was proposed by Yu et al. in [17] to
computing more secure. achieve resistance to compromised keys. In this paradigm,
3. Secure group data sharing in cloud computing can be the third party auditor (TPA) takes responsibility for the
supported by the protocol. According to the data sharing cloud storage auditing and key updates. In particular, the
model applying the SBIBD, multiple participants can form a TPA is responsible for the selection and distribution of the
group to efficiently share the outsourced data. Subsequently, key. The key downloaded from the TPA can be used by the
each group member performs the key agreement to derive client to encrypt files that he will upload to the cloud. In
a common conference key to ensure the security of the contrast, the generation and distribution of the key is based
outsourced group data. Note that the common conference on a centralized model in [17], which not only imparts a
key is only produced by group members. Attackers or the burden to the TPA but also introduces some security prob-
semi-trusted cloud server has no access to the generated key. lems. In [18], a key agreement algorithm was exploited by
Thus, they cannot access the original outsourced data (i.e., De Capitani di Vimercati et al. to achieve data access when
they only obtain some unintelligible data). Therefore, the data are controlled by multiple owners. Therefore, the key
proposed key agreement protocol can support secure and agreement protocol can be applied in group data sharing to
efficient group data sharing in cloud computing. solve related security problems in cloud computing.
Notably, the above contributions substantially widen Following the first pioneering work for key agree-
the field of applications of the key agreement protocol by ment [4], many works have attempted to provide authen-
applying an SBIBD with high security and flexibility. More- tication services in the key agreement protocol. In [19],
1545-5971 (c) 2017 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TDSC.2017.2725953, IEEE
Transactions on Dependable and Secure Computing
3
a public key infrastructure (PKI) is used to circumvent propose an algorithm to construct the (v, k + 1, 1)-design.
man-in-the-middle attacks. However, these protocols are not Then, with respect to the mathematical description of the
suitable for resource-constrained environments since they structure of the (v, k+1, 1)-design, general formulas for gen-
require executions of time-consuming modular exponenti- erating the common conference key K for multiple partici-
ation operations. Key agreement protocols that use elliptic pants are derived. Namely, the proposed protocol supports
curve cryptography (ECC) have been proposed in [20], [21]. multiple participants. We believe that our contributions can
These protocols are more efficient than the protocols that widen the application scope of the key agreement protocol
resort to the PKI because point additions or multiplications in cloud computing employing an SBIBD.
in elliptic curves are more efficient compared with the
modular exponentiation. Moreover, based on the difficulty 3 P RELIMINARIES AND S YSTEM M ODEL
of solving the elliptic curve discrete logarithm problem
3.1 Cryptographic Bilinear Maps
(ECDLP), protocols that use ECC are more secure.
To avoid the requirement of the public key certificate, Modified Weil pairing [10] is an example of a cryptographic
in 1984, identity-based cryptography (IBC) was proposed bilinear map. One way to construct this map is described
by Shamir [22]. However, it was not until 2001 that the as follows. Let p be a prime such that p = 6q − 1 for some
first practical IBC scheme [10] was proposed by Boneh and prime q and E be a supersingular elliptic curve defined by
Franklin. Due to the strict security proof and high efficiency, the Weierstrass equation y 2 = x3 + 1 over Fp . The group
this scheme has received widespread recognition in aca- of rational points E(Fp ) = {(x, y) ∈ Fp × Fp : (x, y) ∈ E}
demic fields. In the same year, a popular proof model for forms a cyclic group of order p + 1. Furthermore, because
group key establishment was proposed by Bresson et al. [23]. p + 1 = 6q for some prime q , the group of points of order
In this protocol, to manage the complexity of definitions q in E(Fp ) forms a cyclic subgroup, denoted as G1 . Further
and proofs for the authenticated group Diffie-Hellman key discussion of the Weil pairing is shown in the literature [8].
exchange, a formal model was presented, where two secu- Definition 1. Let G be a generator of G1 , and let G2 be
rity goals of the group Diffie-Hellman key exchange were the subgroup of Fp2 containing all elements of order q . A
addressed. However, some security properties are missing modified Weil pairing is a map ê : G1 × G1 → G2 , which
in [23], which are essential for preventing malicious protocol has the following properties for points in E(Fp ):
participants. 1. Bilinear: For any P, Q ∈ G1 and a, b ∈ Z , we have
Note that all the above protocols have been proven and ê(aP, bQ) = ê(P, Q)ab .
analyzed for security, but some of them can only be applied 2. Non-degenerate: If P is a generator of G1 , then
to the key agreement between two entities and need a large ê(P, P) ∈ Fp∗2 is a generator of G2 . In other words,
amount of resources to perform calculations. Recently, an ê(P, P) 6= 1.
identity-based authenticated key agreement protocol was 3. Non-commutative: For any P, Q ∈ G1 , P 6= Q,
proposed by Shen et al. in [9], which improves the efficiency ê(P, Q) 6= ê(Q, P).
of the conference key agreement and provides entity au- 4. Computable: Given P, Q ∈ G1 , there exists an efficient
thentication services. However, there are some obstacles in algorithm to compute e(P, Q).
Shen et al.’s protocol [9] in real applications. One is that the 5. For any P1 , P2 , Q1 , Q2 ∈ G1 , we have
protocol only discusses a specific situation when the number ê(P1 + P2 , Q1 ) = ê(P1 , Q1 ) · ê(P2 , Q1 )
of conferees is exactly 7. The other is that the protocol ê(P1 , Q1 + Q2 ) = ê(P1 , Q1 ) · ê(P1 , Q2 )
does not discuss the general situation and does not provide
the key agreement process for multiple participants, which 3.2 Security Assumption
makes the protocol lack flexibility and practicability.
Security is one of the most essential conditions that a good
Motivated by the above observation, the key agreement
cryptographic algorithm or protocol should first meet. Stud-
protocol is applicable to support data sharing in cloud
ies on safety issues can boil down to the security model.
computing for the following reasons.
The attacker’s ability and the goal of security achieved can
1. The generation of a common conference key is per-
be well reflected by the correct and appropriate security
formed in a public channel, which is suitable for cloud
model. In this paper, we use the security model defined in
computing environments.
the literature [9]. Note that the security of our protocol relies
2. The key agreement protocol can support and pro-
on a variant of the computational Diffie-Hellman (CDH)
vide secure data sharing for multiple data owners within
assumption: the bilinear Diffie-Hellman (BDH) assumption,
a group, where the data sharing follows a many-to-many
which is defined as follows. According to the proof in [9],
pattern. Compared with the one-to-many pattern, the many-
the presented protocol can resist both passive attacks and
to-many pattern in group data sharing provides higher
active attacks. Many formal security analyses of the key
efficiency in the environment of cooperative storage.
agreement protocol can be found in the literature [11].
3. The key agreement protocol is based on a decentral-
ized model, where a trusted third party is not required. This Definition 2. In (G1 , G2 , ê), the BDH problem is defined as
means that every data owner in a group fairly contributes follows. Given G ∈ G1 and (G, aG, bG, cG) for some a, b, c ∈
and determines the common conference key such that the Zq∗ , compute W = ê(G, G)abc ∈ G2 [10].
outsourced data are controlled by all the data owners within
An algorithm A is said to have advantage ε in solving
a group.
the BDH problem in (G1 , G2 , ê) if
Therefore, we design a block design-based key agree-
ment protocol for data sharing in cloud computing. First, we Pr[A(G, aG, bG, cG) = ê(G, G)abc ] ≥ ε,
1545-5971 (c) 2017 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
4
4. A malicious participant chooses different sub keys, Algorithm 1 Generation of a (v, k + 1, 1)-design
generates different signatures and broadcasts the messages for i = 0; i ≤ k ; i + + do
to the corresponding participants, which makes the confer- for j = 0; j ≤ k ; j + + do
ence key derived by different participants distinct. if j == 0 then
Bi,j = 0;
4 T HE C ONSTRUCTION OF THE G ROUP DATA else
Bi,j = ik + j ;
S HARING M ODEL
end if
To support a group data sharing scheme for multiple par- end for
ticipants applying an SBIBD, we design an algorithm to end for
construct the (v, k + 1, 1)-design. Moreover, the constructed for i = k + 1; i ≤ k 2 + k ; i + + do
(v, k + 1, 1)-design requires some transformations to estab- for j = 0; j ≤ k ; j + + do
lish the group data sharing model such that v participants if j == 0 then
can perform the key agreement protocol. Bi,j = b(i − 1) /kc;
else
4.1 Construct the (v, k + 1, 1)-design Bi,j = jk + 1 + M ODk (i − j + (j − 1) b(i − 1)/kc);
end if
In our group data sharing model, the parameters of the
end for
SBIBD have some specific meanings. In a (v, k+1, 1)-design,
end for
v denotes the number of participants and the number
of blocks. Every block embraces k + 1 participants, and
every participant appears k + 1 times in these v blocks.
Note that Algorithm 1 is an optimization of the algorithm
Furthermore, every two participants appear simultaneously
in [12] and the proof of the correctness follows the same
in exactly one of the v blocks. Following papers [12]
lines than the proof in [12] and [13]. The structure created
and [13], Algorithm 1 is designed to construct the structure
by Algorithm 1 can be proven to satisfy the conditions of
of a (v, k + 1, 1)-design. First, a prime number k is selected.
the (v, k + 1, 1)-design, which means that each participant
Then, the number of participants is determined by the value of
of V appears exactly k + 1 times in B and that each
k , which is computed as v = k 2 + k + 1† . Finally, according
pair of participants of V appears exactly once in B . These
to Definition 3, V = {0, 1, 2, ..., v − 1} represents the set of
properties can be utilized to design the group data sharing
v participants, whereas B = {B0 , B1 , B2 , ..., Bv−1 } implies v
model, which can diminish the communication cost of the
blocks constituted by these v participants. Note that the block is
proposed protocol. The detailed process of the protocol and
defined as Bi = {Bi,0 , Bi,1 , Bi,2 , ..., Bi,k }, which means each
the corresponding performance analysis based on the model
block embraces k + 1 participants, and Bi,j denotes which partic-
can be found in Section 5 and Section 7, respectively.
ipant is contained in the j th column of the ith block. Sometimes
we will consider blocks organized as a matrix in which column j Definition 4. In our (v, k + 1, 1)-design of an SBIBD,
is composed by elements Bi,j for i = 0, 1, 2, ..., k and row i is a sector is a collection of blocks defined by Sx =
composed by elements Bi,j for j = 0, 1, 2, ..., k . The structure {Bi : Bi,0 = x} for x = 0, 1, 2, ..., k . Sector S0 =
of the (v, k + 1, 1)-design is constructed by Algorithm 1, which {B0 , B1 , B2 , ..., Bk } is formed by k + 1 blocks, and sector
outputs numbers Bi,j for i = 0, 1, ..., k 2 + k and j = 0, 1, ..., k . Sj = {Bkj+1 , Bkj+2 , Bkj+3 , ..., Bk(j+1) } is formed by k
In Algorithm 1, the notation M ODk represents the mod- blocks for j = 1, 2, 3, ..., k .
ular operation that takes the class residue as an integer in For example, in a (v, k + 1, 1)-design, S1 =
the range 0, 1, 2, ..., k − 1. Based on Algorithm 1, we can {Bk+1 , Bk+2 , ..., B 2k }.
create the structure of a (v, k + 1, 1)-design that involves
v participants. Moreover, Algorithm 1 can directly determine Lemma 1. In S0 with (k + 1) · (k + 1) elements, element 0
which participant should be involved in each block. For ex- appears k+1 times in the first column of S0 , and the remaining
ample, taking the (13, 4, 1)-design into consideration, where k 2 + k elements {1, 2, ..., k 2 + k} appear exactly once in S0 in
13 participants are involved in this structure, we can decide order.
which participant should be contained in the 3rd column of
Proof. According to Algorithm 1, when i = 0, 1, ..., k , if
the 8th block by computing
j = 0, then Bi,j = 0. Therefore, element 0 appears
B7,2 = jk + 1 + M ODk (i − j + (j − 1) b(i − 1)/kc) k + 1 times in the k + 1 blocks (i.e., B0,0 , B1,0 , ..., Bk,0 )
= 2 · 3 + 1 + M OD3 (7 − 2 + (2 − 1) b(7 − 1)/3c) of S0 . If j 6= 0, then Bi,j = ik + j , which implies that
Bi,j+1 = Bi,j + 1(f or j = 0, 1, ..., k − 1) and Bi+1,1 =
= 7 + M OD3 (5 + 1 · 2) Bi,k + 1(f or i = 0, 1, ..., k − 1). Given Bi,j = 0, we have
= 7 + 1 = 8. the progression B0,0 , B0,1 , B0,2 , ..., B0,k , B1,1 , B1,2 , ..., B1,k ,
B2,1 , B2,2 , ..., B2,k , ..., Bk,1 , Bk,2 , ..., Bk,k is the arithmetic
Therefore, from the above calculation, it is concluded
progression 0, 1, 2, 3, 4, ..., k 2 + k . It is concluded that the
that participant8 is contained in the 3rd column of the 8th
remaining k 2 + k elements {1, 2, ..., k 2 + k} appear exactly
block. Here, participanti represents the ith participant.
once in S0 in order.
†. From here to the end of the paper, the value of v is v = k2 + k + 1
and (v, k + 1, 1)-design is used to represent (k2 + k + 1, k + 1, 1)-design In any sector Sx with k or k + 1 blocks, the first element
for brevity. of each block has the same value as x. Based on Lemma 1,
1545-5971 (c) 2017 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TDSC.2017.2725953, IEEE
Transactions on Dependable and Secure Computing
6
equal to V − B0 . 7 2 4 8 12 7 2 6 7 11
S2 8 2 5 9 10 8 0 7 8 9
Proof. Based on Definition 4, in Sx , the first element of 9 2 6 7 11 9 2 5 9 10
each block has the same value as x. Then, according to 10 3 4 9 11 10 3 6 8 10
Algorithm 1, the remaining k 2 elements of Sx are calculated S3 11 3 5 7 12 11 0 10 11 12
as Bi,j = jk + 1 + M ODk (i − j + (j − 1) b(i − 1)/kc). 12 3 6 8 10 12 3 5 7 12
1545-5971 (c) 2017 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TDSC.2017.2725953, IEEE
Transactions on Dependable and Secure Computing
7
transformed to the E1 to Ek blocks of E . Consequently, compute the common conference key for each participant.
the results of transformations in step 1 are E0 = B0 and In summary, based on Algorithm 1, mathematical
Et = Btk+1 ,(1 ≤ t ≤ k). For example, in Fig. 2, the first descriptions of the structure of B can be deduced first. Then,
elements of the first block in S1 , S2 , and S3 in B are 4, 7, to derive the mathematical descriptions of the structure of
and 10, respectively, which are marked with a red color. The E , the functional relationships of the transformations of
results of the transformations of step 1 in Fig. 2 are E0 = B0 , B to E should be determined. Based on Algorithm 2, the
E1 = B4 , E2 = B7 and E3 = B10 . It is clearly observed transformations of B to E can be divided into four different
from Fig. 2 that the first k + 1 blocks of E have the property cases. In the following four different cases, t denotes the
that 0 ∈ E0 , 1 ∈ E1 , 2 ∈ E2 , and 3 ∈ E3 . index of the block of E , m implies the mth column of
Step 2: Transformations of step 2 are based on Lemma 1; one block of E , and Et,m indicates which participant is
in S0 with (k + 1)(k + 1) elements, element 0 appears k+1 contained in the mth column of the tth block in E .
times in the first column of S0 and the remaining k 2 + k Case 1: E0 = B0 = {0, 1, ..., k}
elements {1, 2, ..., k 2 + k} appear exactly once in S0 in Case 2: 0 ≤ m ≤ k, 1 ≤ t ≤ k
order. To satisfy the property that each block Et embraces Et,m
= Btk+1,m
participantt , the k blocks of B1 , B2 , ..., Bk in B will be t, (m = 0)
=
transformed to the intended k blocks of E . Note that the mk + 1 + M ODk (t − 1)(m − 1), (m > 0)
index of the k blocks of E is determined by the xth element Case 3: 0 ≤ m ≤ k, t = Ei,i , (1 ≤ i ≤ k)
of the first block of Sx (x 6= 0) in B , which is equal to Et,m
= Bb(t−1)/kc,m
Et,t (1 ≤ t ≤ k) of E . The results of the transformations 0, (m = 0)
=
in step 2 are EEt,t = Bb(Et,t −1)/kc (1 ≤ t ≤ k). For example, b(t − 1)/kc k + m, (m > 0)
Case 4: 0 ≤ m ≤ k, t = Bi,x , (t 6= Ei,i )
in Fig. 2, the xth element of the first block of Sx (x 6= 0)
Et,m
= Bk(x+1)+r,m
in B is 4, 8, 11, respectively, which is marked with a green
x, (m = 0)
color. The results of the transformations of step 2 in Fig. 2 =
mk + 1 + M ODk (mx − x − m + r), (m > 0)
are E4 = B1 , E8 = B2 and E11 = B3 . It is clearly observed
from Fig. 2 that the Et,t (1 ≤ t ≤ k) blocks of E have the Case 1 and Case 2 correspond to step 1 of Algorithm 2,
property that 4 ∈ E4 , 8 ∈ E8 , and 11 ∈ E11 . Case 3 corresponds to step 2 of Algorithm 2, and Case 4
Step 3: The transformations of step 3 are based on corresponds to step 3 of Algorithm 2. In Case 1, the structure
Lemma 3; in sector Sx (x 6= 0) with k blocks, the set of of E0 is directly described by B0 , which is {0, 1, ..., k}. Since
the k elements of the xth column is equal to the index in step 1 and step 2 of Algorithm 2, the index of B is a
set of the k blocks in Sx . In step 3, the remaining k − 1 function of the index of E , namely, tk + 1 is a function of
blocks of each sector Sx (x 6= 0) in B are transformed to t, b(Et,t − 1)/kc is a function of Et,t . The transformations
the intended k · (k − 1) blocks of E . Note that the index of B to E can be directly determined by the functional
of the k · (k − 1) blocks of E is determined by the xth relationships between the index of B and the index of E .
column of the remaining k − 1 blocks of sector Sx (x 6= 0) Thus, the mathematical descriptions in Case 2 and Case 3
in B . Hence, Bi,x (k + 1 ≤ i ≤ k 2 + 2) is used as the can easily be obtained by Algorithm 1. However, in step
index of E . The results of the transformations in step 3 are 3 of Algorithm 2, the index of B is not a function of the
EBi,x = Bi (k + 1 ≤ i ≤ k 2 + k, Bi,x 6= Et,t (1 ≤ t ≤ k)), index of E , namely, i is not a function of Bi,x . According
where Bi belongs to the xth sector in B . According to to Algorithm 1, the index Bi,x (k + 1 ≤ i ≤ k 2 + k) of E in
Definition 4, the Bi block in B belongs to the b(i − 1)/kc step 3 of Algorithm 2 is calculated as Eq. 1, where x and k
sector in B ; thus, in step 3 of Algorithm 2, x is denoted as are known and the index Bi,x (k + 1 ≤ i ≤ k 2 + k) of E is a
b(i − 1)/kc. The k Et,t (1 ≤ t ≤ k) blocks of Sx (x 6= 0) function of the index i of B .
in B have been transformed in step 2; therefore, the k Bi,j = xk + 1 + M ODk (i − x + (x − 1) b(i − 1)/kc) (1)
blocks need no transformations in step 3. For example, in
Fig. 2, the xth column of the k − 1 blocks of sector Sx is Let t = Bi,x (k+1 ≤i ≤ k 2 +k), according to [28], the values
{5, 6}, {9, 7}, {12, 10}, respectively, which is marked with a i in Eq. 1 are i = k t−1 k + r, where r = 2, 3, 4, ..., k − 1, k
white color. The results of the transformations of step 3 in and the index i of B is a function of the index t−1t = Bi,x
Fig. 2 are {E5 = B5 , E6 = B6 }, {E9 = B8 , E7 = B9 }, of E . According to Definition 4, in B , x = k . Thus,
i = k t−1
{E12 = B11 , and E10 = B12 }. It is clearly observed from k + r is equivalent to Eq. 2.
Fig. 2 that the Bi,x (k + 1 ≤ i ≤ k 2 + k, Bi,x 6= Et,t (1 ≤
t ≤ k)) blocks of E have the property that 5 ∈ E5 , 6 ∈ E6 , i = kx + r (2)
9 ∈ E9 , 7 ∈ E7 , 12 ∈ E12 , and 10 ∈ E10 . Based on Eq. 2, the mathematical descriptions in Case 4
By Algorithm 2, the structure of E is reconstructed, which are derived to describe the structure of the k − 1 blocks
not only conforms to the properties of a (v, k + 1, 1)- of Sx (x 6= 0) in E . Note that r has k − 1 different values,
design but also satisfies the property that each block Et which describes the structure of the (k − 1) blocks of Sx in
contains participantt . Hence, the reconstructed E can be Et .
used to design the group data sharing model. Based on The structure of E of a (v, k + 1, 1)-design can be de-
this model, the key agreement protocol can be processed scribed in detail based on the mathematical descriptions in
by v participants and a common conference key can be Case 1, Case 2, Case 3 and Case 4, which is illustrated in
derived. Moreover, the structure of E should be determined TABLE 1. In TABLE 1, the index of E is between 0 and k 2 +k ,
by mathematical descriptions to derive general formulas to and which participant is contained in the mth column in Et
1545-5971 (c) 2017 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TDSC.2017.2725953, IEEE
Transactions on Dependable and Secure Computing
8
1545-5971 (c) 2017 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TDSC.2017.2725953, IEEE
Transactions on Dependable and Secure Computing
9
participantj (j = mk + 1 + M ODk (i − 1)(m − 1), j 6= i). receives k 2 messages in Round 2. In summary, participanti
Case 3: receives k 2 +k messages after two rounds of key agreement.
For participanti (i = Em,m ), they need to receive According to Definition 3, in a (v, k + 1, 1)-design, every
messages from participant0 and participantj (j = pair of two elements appears simultaneously in exactly one
b(i − 1)/kc k + m, j 6= i). of the b blocks; here, v = b. Therefore, the k 2 + k mes-
Case 4: sages of each participant are not repeated. For participanti ,
For the remaining k 2 − k participants, they need to he obtains messages from (participant0 , ..., participanti−1 ,
receive messages from participantb(i−1)/kc and participant participanti+1 , ..., participantv−1 ) without redundancy,
j, (j = mk + 1 + M ODk (mx − x − m + r), j 6= i), where which contribute to generating a common conference
r = 2, 3, 4, ..., k − 1, k . key.
After every participant receives k messages contributed
Theorem 2. In our protocol, participanti can authenticate their
to generate a common conference key from their intended e w∗
message senders, Eq. 3 is calculated by participanti to counterparts if the condition of Tj j /Mj j = Yj holds.
decrypt the messages. Proof. According to Definition 1, we have
ei di wj∗
Mj = [(Mj ) ] , j ∈ Ei − {i} (3) e
Tj j /Mj =
(Xj ·ê(G,wj rj Sj ))ej
w∗
ê(G,ej rj Sj ) j
where di is the secret key of participanti . To authenticate ej
Xj ·ê(G,wj ej rj Sj )
e w∗ = ê(G,wj∗ ej rj Sj )
participantj ’s identity, participanti computes Tj j /Mj j .
e wj∗
If the condition of Tj j /Mj = Yj holds, participanti Here, wj = H2 (Mj, tj ) is computed by participantj ,
can authenticate participantj , where wj∗ = H2 (Mj, tj ). while wj∗ = H2 (Mj, tj ) is computed by participanti . In
e
In addition, Eq. 4 is used to derive Ci,j , which will be addition, according to Euler’s Theorem, we have Xj j =
used in Round 2 to generate a common conference key for d e w∗
(Yj j )ej = Yj . The equality is held between Tj j /Mj j and
participantj . Yj if wj = wj∗ . Note that the wj calculated by participantj
Y and the wj∗ calculated by participanti are equal only if the
Ci,j = Mx (4) message is actually sent from participantj . An adversary
x∈Ei −{j}
that has no access to rj and Sj could not derive Mj =
e w∗
Round 2: P articipanti receives message Ej,i = ê(G, ej rj Sj ). Therefore, if the equation Tj j /Mj j = Yj
{Yj , (Cj,i )ei , (Mj )ei , Tj , tj } from participantj in the case holds, participanti can authenticate that the message is
that i ∈ Ej , where Cj,i is used to generate a common actually transmitted from participantj in Round 1 and
conference key. In fact, every Cj,i contributes k messages for Round 2.
participanti to generate a common conference key. Similar
e w∗ If all participants follow the protocol, they can form a
to Round 1, participanti verifies the equation Tj j /Mj j =
data sharing group, derive a common conference key and
Yj to support authentication services. If the equation holds,
ascertain its correctness. To facilitate understanding, the
participanti can authenticate participantj ’s identity, but
detailed process for computing the common conference key
not vice versa. Subsequently, for participanti , the common
for multiple participants based on a (v, k + 1, 1)-design is
conference key is computed as Eq. 5.
illustrated in Appendix A. In addition, a concrete example
of the protocol can be found in Appendix B, where 31
Q
K = Mi ( Cj,i )
j such that i∈Ej
Q participants are involved.
= ê(G, ei ri Si ) · ( Cj,i )
j such that i∈Ej (5)
v−1
P 5.3 Fault Detection Phase
= ê(G, ei ri Si )
i=0 In practice, we cannot guarantee that all participants in the
group are honest. The existence of malicious participants
Theorem 1. According to the presented block design-based key
can seriously destroy the conference. In Yi’s protocol [7],
agreement protocol, a common conference key is derived for mul-
an attack from malicious participants is called a different
tiple participants in the same group.
key attack. In different key attacks, a malicious participant
Proof. The conference key agreement requires all conferees chooses different sub keys, generates different signatures
to obtain messages from the others. In the group data and broadcasts different messages to different participants
sharing model of the (v, k + 1, 1)-design, v participants are such that the signatures of malicious participants are valid
involved in a group, where v = k 2 + k + 1. It is required that and malicious participants can be authenticated by other
each participant receives messages from the remaining k 2 + participants. In addition, the different sub keys make dif-
k participants. Based on the group data sharing model, ev- ferent participants derive different conference keys, which
ery participant receives k messages from their intended par- may lead to serious damage of the conference and make
ticipants in each round. In Round 1, participanti receives the protocol invalid. Therefore, the fault detection phase
k secret messages Mj from participantj in the case that is added to prevent different key attacks from malicious
j ∈ Ei (j 6= i). In Round 2, participanti receives k secret participants.
messages Cj,i from participantj in the case that i ∈ Ej (j 6= The role of the TPA in the fault detection phase is to
i). Furthermore, based on Eq. 4, each Cj,i contains k secret ensure that each participant only generates a unique sub
messages Mx of k participants. Thus, every participant key and to prevent the conference from being delayed
1545-5971 (c) 2017 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TDSC.2017.2725953, IEEE
Transactions on Dependable and Secure Computing
10
or destroyed by malicious participants. In our protocol, uations should be taken into consideration. The first
v−1
IDT P A ∈ {0, 1}∗ represents the identity of the TPA. In the is that participanth finds Kg 6=
Q
Ai . Subsequently,
initial phase of the protocol, the TPA needs to select one i=0
more integer g ∈ Zq∗ and each participanti needs to submit the fault detection phase begins, and the fault report
Ai = Mgi to the TPA. After all the participants generate (N, IDh , rh , Mx , x ∈ Eh − h) of participanth is sent to
a common conference key following the protocol, the TPA the TPA. Due to the honesty of participanth , there exists
broadcasts {N, IDT P A , Ai |0 ≤ i ≤ v − 1} among all partici- participanti such that either Mgi 6= Ai or Mi 6= M∗i .
pants, where N = H2 (ID1 , ID2 , ..., IDv , ID1 , IDT P A , t) is Therefore, participanti is detected as a malicious partici-
an unique serial number for this conference and Ai denotes pant. The second is that participanth is asked to submit
the verified unique sub key of all participants. Then, every (N, IDh , rh , Mx , x ∈ Eh − h) to the TPA. Because of the
g
participant verifies the authenticity of the common confer- honesty of participanth , the TPA finds Mh = Ah and
∗
v−1 Mh = Mh . In conclusion, an honest participant will never
ence key K by checking whether the equation Kg =
Q
Ai be removed by the TPA.
i=0
holds. If the equation does not hold for some participants, For a malicious participant participantm who attempts
some malicious participants are involved in the group and to delay or destroy the conference, three cases where
the fault detection phase begins. Otherwise, a common participantm attempts to sabotage the conference should be
conference key is established among all participants. taken into consideration. The first case is that participantm
In the fault detection phase, participantj , who finds that delays submitting a required message or keeps sending
v−1 invalid messages to the TPA. In this case, participantm will
the above equation Kg =
Q
Ai does not hold, needs to be removed from the conference if the failure occurrence
i=0
send a fault report (N, IDj , rj , Mx , x ∈ Ej − j) to the TPA. exceeds a threshold τ or participantm did not resend the re-
The fault report contains the secret key of participantj and port within 4t. The second case is that participantm delib-
the messages M he received from the intended participants. erately sends a fault report (N, IDm , rm , Mx , x ∈ Em − m)
g v−1
Then, the TPA checks whether Mj = ê(G, ej rj Sj )g = Aj to the TPA. In this case, the TPA finds Kg 6=
Q
Ai , and all
holds. If not, the message that participantj sends to other i=0
participants is different from the message that participantj the remaining participants have to send a fault report to the
submits to the TPA. Thus, participantj has to resend the TPA. However, if Mi = M∗i holds for all the remaining
fault report in a period of time 4t. Note that participantj participants, participantm is detected as malicious and
should be removed from the conference if the failure occur- removed by the TPA. The third case is that participantm
rence of participantj exceeds a threshold τ or participantj performs the different key attack. P articipantm selects two
∗
did not resend the report within 4t. Here, τ represents different sub keys rm and rm and submits a false message
the tolerable number of errors. In this case, participantj to the TPA. Due to the different sub keys of participantm ,
is either a malicious participant or undergoes a denial of the common conference key generated from different partic-
service attack. Otherwise, the fault detection should be ipants is distinct. In this case, there is at least one Mgm not
∗
processed among all the remaining participants. equal to Am since rm 6= rm . P articipanti who detects Kg 6=
v−1
When the fault detection phase is conducted by all the re-
Q
Ai will report this fault to the TPA. Then, participantm
maining participants, every participant except participantj i=0
should send (N, IDi , ri , Mx , x ∈ Ei − i) to the TPA. Then, is required to submit (N, IDm , rm , Mx , x ∈ Em − m). Be-
g
the TPA checks whether Mi = ê(G, ei ri Si )g = Aj holds. If cause Mm calculated by participantm does not equal M∗m
not, participanti has to resend the fault report in a period received from other participants, participantm is detected
of time 4t. Similar to participantj , participanti should be as a malicious participant.
removed from the conference if the failure occurrence of According to Theorem 3, an honest participant will not
participanti exceeds a threshold τ or participanti did not be removed from the conference, whereas a malicious par-
resend the report within 4t. Otherwise, the TPA checks ticipant will be detected and removed from the conference.
whether Mi = ê(G, ei ri Si ) calculated by participanti is In addition, after some malicious participants are removed
equal to M∗i received from participanty (i ∈ Ey (y 6= i)). from the conference, the common conference key could not
If not, participanti is a malicious participant. If yes for be derived because some messages are missing for gener-
all the remaining participants, participantj is a malicious ating the conference key. Then, the positions of malicious
participant. The TPA removes the malicious participant participants should be replaced by volunteers to ensure that
and denial of service participant, and the protocol restarts. the protocol performs well. A volunteer is a participant in a
After the fault detection phase, an authenticated common conference who helps real participants complete some calcu-
conference key is derived among all the honest participants lations and transfer information. Moreover, during the key
in a group. Following the proof of Theorem 3, the presented agreement process, Mi of the volunteer is set as 1, which
protocol can resist different key attacks and support the fault can make our protocol perform well. Therefore, the protocol
tolerance property. can not only resist different key attacks from malicious
Theorem 3. In fault detection phase, an honest participant will participants but also provide the property of fault tolerance.
not be removed by the TPA and a malicious participant who
The proposed protocol can effectively support secure
attempts to delay or destroy the conference will be removed by
and efficient group data sharing in cloud computing, which
the TPA.
is described as follows. In the initial phase, the system
Proof. For an honest participant participanth , two sit- parameters are generated by the TPA. Then, the TPA dis-
1545-5971 (c) 2017 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TDSC.2017.2725953, IEEE
Transactions on Dependable and Secure Computing
11
1545-5971 (c) 2017 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TDSC.2017.2725953, IEEE
Transactions on Dependable and Secure Computing
12
mising of the previous session key (Kpre ). In our protocol, needed, namely, Mi = k . Furthermore, participanti needs
e w∗
the previous session key is computed as to compute 2k modular exponentiations Tj j and Mj j for
v−1 the purpose of ensuring his counterparts. In summary, in
ei di
X
Kpre = ê(G, ei ri pre Si ). Round 1, Mi = 3k . In Round 2, to obtain Cj,i = (Cj,i ) ,
i=0 participanti needs to compute k modular exponentiations.
Even if the long-term keys (Si ) are compromised by an In addition, 3k modular exponentiations are required to ob-
e w∗
adversary, the adversary who has no access to the previous tain Mj , Tj j , Mj j for the purpose of providing authentica-
ephemeral secret key (ri pre ) cannot generate the previous tion services. Therefore, in Round 2, the number of modular
session key. Note that the security of the previous ephemeral exponentiations is Mi = 4k . In terms of communication
key (ri pre ) is based on the ECDLP and the BDH assump- overhead, every participant needs to receive k messages in
tion. Therefore, the presented protocol provides perfect for- each round based on the group data sharing model of a
ward security. (v, k + 1, 1)-design. Thus, the number of message exchanges
Different key attacks of participanti is 2k .
In accordance with Theorem 3, in the fault detection In our protocol, the calculation of the point multiplica-
phase, a malicious participant who attempts to delay or tion, the pairing computation and the modular exponentia-
destruct the conference will be removed from the conference tion is over the supersingular elliptic curve, which is defined
by the TPA. Therefore, the proposed protocol can resist in Definition 1. Thus, the computational complexities of the
different key attacks. point multiplications and the pairing computation are O(m)
Key confirmation and O(m2 ), respectively. Here, m is the extension degree of
If a participant is assured that its counterparts actually the finite field Fpm .
have possession of a particular secret key, the protocol Essentially, in the presented protocol with v participants,
provides key confirmation. In our protocol, with respect the total numbers of point multiplications and Weil pairing
to the fault detection phase in Section 5, each participant computations in the protocol are P = 2v and W = 2v ,
can ensure that its counterparts actually have possession respectively. Additionally, the total number of modular ex-
of a common conference key K. Therefore, the presented ponentiations is M = 7kv . The communication complexity
protocol can provide key confirmation. and the computational complexity in the protocol are O(vk)
Moreover, the presented protocol can resist denial of and O(2vm2 + 2vm), respectively. Moreover, in accordance
service attacks. In the fault detection phase, a participant with the basic equation of a BIBD defined in Definition 3,
should be removed by the TPA if he did not resend the we have λ(v − 1) = r(k − 1). Note that the presented
fault report within 4t or the failure occurrence exceeds a protocol is based on the (v, k + 1, 1)-design of an SBIBD. √
threshold τ . Note that the presented protocol is contributory. Thus, we have λ = 1 and r = k . In this case, k ≈ v .
Unlike the El Gamal one-pass protocol where only one of the Therefore,
√ the communication complexity of our protocol
parties contributes a fresh exponent, each participant in our is O(v v), and the computational complexity is O(vm2 ).
protocol equally contributes to the common conference key Note that compared to the protocol in paper [9], our protocol
and guarantees the freshness of the key. is more efficient since we adopt the (v, k + 1, 1)-design of
an SBIBD such that λ can reach its minimum value of one
(λ = 1), where λ is a parameter in the SBIBD.√In paper [9],
7 P ERFORMANCE A NALYSIS AND E VALUATION when λ > 1, k is approximately equal to λv √and the
7.1 Performance Analysis communication complexity of the protocol is O(v λv). In
Generally, the performance of a key agreement protocol addition, one more modular exponentiation is required for
consists of communicational and computational efficiency. each participant. The detailed comparison results are shown
In each round of our protocol, each participant has to receive in TABLE 2.
k messages from the intended k participants according to a
(v, k + 1, 1)-design of the SBIBD. Then, each participant has
7.2 Performance Evaluation
to perform some operations such as point multiplications,
pairing computations, and so forth. Computational com- To study the performance of our scheme, we provide an
plexity is composed of pairing computations, point multipli- experimental evaluation of the proposed scheme† . Our ex-
cations and modular exponentiations, whereas communica- periments are simulated by using C programming language
tion complexity is composed of the number of participants with the pairing-based cryptography (PBC) library and
and the number of message exchanges. the GUN multiple precision arithmetic (GMP) library on
Let Pi denote the total point multiplications of a VMware Workstation machine with Intel Core i5-3210
participanti , Mi represent the total modular exponentia- processors running at 2.50 GHz and 2 G memory, Ubuntu
tions of participanti and Wi imply the total Weil pair- 12.04 X64.
ings computed by participanti . In Round 1, participanti
needs to compute ei ri Si , wi ri Si and two Weil pairings †. Source codes of the simulation have been uploaded to
IEEE Xplore + Code Ocean. They are named as
Mi = ê(G, ei ri Si ), ê(G, wi ri Si ). Thus, we have Pi = 2, “Efficiency comparison for different phases (v2)” with DOI
Wi = 2. After receiving some messages from participantj , “10.24433/CO.eea19cea-ca33-4f3c-b641-f46fb7b79253”,
e d “Efficiency comparison for multiple participants (v2)” with DOI
participanti decrypts Mj = [(Mj ) i ] i , j ∈ Ei − {i} by
“10.24433/CO.a433f2e9-2003-45d1-b519-98bf3aec28dc”, and
his secret key di . The number of messages received by “Efficiency comparison for different simulation times (v2)” with DOI
participanti is k . Hence, k modular exponentiations are “10.24433/CO.6b08d728-fc8b-4af7-8f1d-cae7c28af097”.
1545-5971 (c) 2017 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TDSC.2017.2725953, IEEE
Transactions on Dependable and Secure Computing
13
10 18 3.5
Our scheme Our scheme Our scheme
9 16
Yi's scheme 3
8 Yi's scheme Yi's scheme
14
7 2.5
12
Time cost (s)
6 2
10
5
8 1.5
4
6
3 1
2 4
2 0.5
1
0 0 0
0 200 400 600 800 1000 0 200 400 600 800 1000 0 200 400 600 800 1000
Participant's number Participant's number Participant's number
(a) Initial phase (b) Key agreement phase (c) Authentication phase
30 5
Our scheme Our scheme
4.5
25 Yi's scheme 4 Yi's scheme
3.5
20
Time cost (s)
Time cost (s)
3
15 2.5
2
10 1.5
1
5
0.5
0 0
0 200 400 600 800 1000 0 10 20 30 40 50 60 70 80 90 100
Participant's number Simulation times
Fig. 5: Efficiency comparison for multiple participants. Fig. 6: Efficiency comparison for different simulation times.
The simulation consists of two parts. In the first part, In the second part, we focus on analyzing the total
we present a comparative simulation analysis between Yi’s computational cost for each participant of Yi’s scheme
scheme [7] and our scheme with respect to the time cost and our scheme with respect to different participants and
for each participant in different phases, which is illustrated different simulation times. It is clearly seen from Fig. 5
in Fig. 4. It can be seen that the time cost increases with that our scheme is superior to Yi’s scheme. Note that the
the number of participants. On the one hand, simulation computational cost of Yi’s scheme continuously increases
results in Fig. 4(a) and Fig. 4(b) indicate that our scheme is with the growth of the participant’s number n, while the
much more efficient than Yi’s scheme in both initial phase computational cost of our scheme increases slightly with a
and key agreement phase. On the other hand, in Fig. 4(c), prime number k (Here, n = k 2 + k + 1). It is concluded that
the time cost of our scheme is slightly higher than that our scheme is much more efficient than Yi’s scheme, which
of Yi’s scheme. The reason is that, for each participant, 4 makes our scheme more practical for key agreement in the
point multiplications are required in Yi’s scheme, while k cloud environment. In addition, in Fig. 6, we present the
modular exponentiations are required in our scheme during efficiency comparison of Yi’s scheme and our scheme with
the authentication phase. However, we argue that, in terms different simulation times, where the participants number
of the total computational cost for each participant, our is fixed as 133. Note that taking advantage of the SBIBD in
scheme is much more efficient than Yi’s scheme, which is our scheme, k = 11 when the participant’s number is 133.
illustrated in Fig. 5. Firstly, in the initial phase, Yi’s scheme requires to compute
1545-5971 (c) 2017 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TDSC.2017.2725953, IEEE
Transactions on Dependable and Secure Computing
14
2 point multiplications and 132 weil pairings, while our [2] F. Chen, T. Xiang, Y. Yang, and S. S. M. Chow, “Secure cloud
scheme only needs 2 point multiplications, 2 weil pair- storage meets with secure network coding,” in IEEE INFOCOM,
2014, pp. 673–681.
ings and 11 modular exponentiations. Secondly, in the key [3] D. He, S. Zeadally, and L. Wu, “Certificateless public auditing
agreement phase, Yi’s scheme requires 132 weil pairings, scheme for cloud-assisted wireless body area networks,” IEEE
while our scheme only needs 33 modular exponentiations. Systems Journal, pp. 1–10, 2015.
Finally, in the authentication phase, Yi’s scheme requires 4 [4] W. Diffie and M. E. Hellman, “New directions in cryptography,”
IEEE Transactions on Information Theory, vol. 22, no. 6, pp. 644–654,
point multiplications, while our scheme needs 33 modular 1976.
exponentiations. Through the simulation, we can conclude [5] J. Shen, H. Tan, S. Moh, I. Chung, and J. Wang, “An efficient rfid
that the time cost of our scheme is much smaller than that authentication protocol providing strong privacy and security,”
of Yi’s scheme with different simulation times. In addition, Journal of Internet Technology, vol. 17, no. 3, p. 2, 2016.
[6] L. Law, A. Menezes, M. Qu, J. Solinas, and S. Vanstone, “An
it is easily observed that the performance of our scheme is efficient protocol for authenticated key agreement,” Designs Codes
more stable than Yi’s scheme. and Cryptography, vol. 28, no. 2, pp. 119–134, 2010.
[7] X. Yi, “Identity-based fault-tolerant conference key agreement,”
8 C ONCLUSION IEEE Transactions on Dependable and Secure Computing, vol. 1, no. 3,
pp. 170–178, 2004.
As a development in the technology of the Internet and [8] R. Barua, R. Dutta, and P. Sarkar, “Extending joux’s protocol to
cryptography, group data sharing in cloud computing has multi party key agreement (extended abstract).” Lecture Notes in
opened up a new area of usefulness to computer networks. Computer Science, vol. 2003, pp. 205–217, 2003.
[9] J. Shen, S. Moh, and I. Chung, “Identity-based key agreement pro-
With the help of the conference key agreement protocol, tocol employing a symmetric balanced incomplete block design,”
the security and efficiency of group data sharing in cloud Journal of Communications and Networks, vol. 14, no. 6, pp. 682–691,
computing can be greatly improved. Specifically, the out- 2012.
sourced data of the data owners encrypted by the common [10] B. Dan and M. Franklin, “Identity-based encryption from the weil
pairing,” Siam Journal on Computing, vol. 32, no. 3, pp. 213–229,
conference key are protected from the attacks of adversaries. 2003.
Compared with conference key distribution, the conference [11] S. Blakewilson, D. Johnson, and A. Menezes, “Key agreement pro-
key agreement has qualities of higher safety and reliability. tocols and their security analysis,” in IMA International Conference
However, the conference key agreement asks for a large on Cryptography and Coding, 1997, pp. 30–45.
[12] I. Chung and Y. Bae, “The design of an efficient load balancing
amount of information interaction in the system and more algorithm employing block design,” Journal of Applied Mathematics
computational cost. To combat the problems in the confer- and Computing, vol. 14, no. 1, pp. 343–351, 2004.
ence key agreement, the SBIBD is employed in the protocol [13] O. Lee, S. Yoo, B. Park, and I. Chung, “The design and analysis
design. of an efficient load balancing algorithm employing the symmetric
balanced incomplete block design.” Information Sciences, vol. 176,
In this paper, we present a novel block design-based no. 15, pp. 2148–2160, 2006.
key agreement protocol that supports group data sharing [14] R. Curtmola, J. Garay, S. Kamara, and R. Ostrovsky, “Searchable
in cloud computing. Due to the definition and the math- symmetric encryption: Improved definitions and efficient con-
ematical descriptions of the structure of a (v, k + 1, 1)- structions,” Journal of Computer Security, vol. 19, no. 5, pp. 79–88,
2011.
design, multiple participants can be involved in the pro- [15] N. Cao, C. Wang, M. Li, K. Ren, and W. Lou, “Privacy-preserving
tocol and general formulas of the common conference key multi-keyword ranked search over encrypted cloud data,” IEEE
for participanti are derived. Moreover, the introduction of Transactions on Parallel and Distributed Systems, vol. 25, no. 1, pp.
volunteers enables the presented protocol to support the 222–233, 2014.
[16] J. Yu, K. Ren, C. Wang, and V. Varadharajan, “Enabling cloud
fault tolerance property, thereby making the protocol more storage auditing with key-exposure resistance,” IEEE Transactions
practical and secure. In our future work, we would like on Information Forensics and Security, vol. 10, no. 6, pp. 1–1, 2015.
to extend our protocol to provide more properties (e.g., [17] J. Yu, K. Ren, and C. Wang, “Enabling cloud storage auditing
anonymity, traceability, and so on) to make it appliable for with verifiable outsourcing of key updates,” IEEE Transactions on
Information Forensics and Security, vol. 11, no. 6, pp. 1–1, 2016.
a variety of environments. [18] S. D. C. D. Vimercati, S. Foresti, S. Jajodia, S. Paraboschi, and
P. Samarati, “Encryption policies for regulating access to out-
ACKNOWLEDGMENTS sourced data,” Acm Transactions on Database Systems, vol. 35, no. 2,
pp. 78–78, 2010.
The authors would like to thank the editors and anonymous [19] H. Guo, Z. Li, Y. Mu, and X. Zhang, “Cryptanalysis of sim-
reviewers for their constructive feedback and insightful ple three-party key exchange protocol,” Computers and Security,
suggestions that helped to significantly improve the quality vol. 27, no. 1-2, pp. 16–21, 2008.
of this work. [20] Z. Tan, “An enhanced three-party authentication key exchange
protocol for mobile commerce environments,” Journal of Commu-
This work is supported by the National Science Founda- nications, vol. 5, no. 5, pp. 436–443, 2010.
tion of China under Grant No. 61672295, No. 61373169, No. [21] Y. M. Tseng, “An efficient two-party identity-based key exchange
61572379, No. 61501333 and No. U1405254, the State Key protocol.” Informatica, vol. 18, no. 1, pp. 125–136, 2007.
Laboratory of Information Security under Grant No. 2017- [22] A. Shamir, “Identity-based cryptosystems and signature schemes,”
Lecture Notes in Computer Science, vol. 21, no. 2, pp. 47–53, 1985.
MS-10, the 2015 Project of six personnel in Jiangsu Province
[23] E. Bresson, O. Chevassut, D. Pointcheval, and J. J. Quisquater,
under Grant No. R2015L06, the CICAEET fund, and the “Provably authenticated group diffie-hellman key exchange,” Acm
PAPD fund. Transactions on Information and System Security, vol. 10, no. 3, pp.
89–92, 2001.
[24] D. R. Stinson, Combinatorial designs: constructions and analysis.
R EFERENCES Springer Science and Business Media, 2007.
[1] L. Zhou, V. Varadharajan, and M. Hitchens, “Cryptographic role- [25] J. Shen, J. Shen, X. Chen, X. Huang, and W. Susilo, “An efficient
based access control for secure cloud data storage systems,” Infor- public auditing protocol with novel dynamic structure for cloud
mation Forensics and Security IEEE Transactions on, vol. 10, no. 11, data,” IEEE Transactions on Information Forensics and Security, 2017,
pp. 2381–2395, 2015. doi: 10.1109/TIFS.2017.2705620.
1545-5971 (c) 2017 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TDSC.2017.2725953, IEEE
Transactions on Dependable and Secure Computing
15
[26] B. Lamacchia, K. Lauter, and A. Mityagin, “Stronger security of Xingming Sun received his B.S. in mathematics
authenticated key exchange,” in International Conference on Provable from Hunan Normal University, China, in 1984,
Security, 2007, pp. 1–16. M.E. in computing science from Dalian Univer-
[27] O. Hasan, L. Brunie, E. Bertino, and N. Shang, “A decentralized sity of Science and Technology, China, in 1988,
privacy preserving reputation protocol for the malicious adversar- and Ph.D. in computing science from Fudan Uni-
ial model,” Information Forensics and Security IEEE Transactions on, versity, China, in 2001. He is currently a profes-
vol. 8, no. 6, pp. 949–962, 2013. sor in School of Computer and Software, Nanjing
[28] L.-K. Hua, Introduction to number theory. Springer Science and University of Information Science and Technol-
Business Media, 2012. ogy, China. His research interests include net-
[29] W. Stallings, “Cryptography and network security: Principles and work and information security, digital watermark-
practice,” International Annals of Criminology, vol. 46, no. 4, pp. ing, digital forensic, database security, and natu-
121–136, 2008. ral language processing.
[30] M. Steiner, G. Tsudik, and M. Waidner, “Key agreement in dy-
namic peer groups,” IEEE Transactions on Parallel and Distributed
Systems, vol. 11, no. 8, pp. 769–780, 2000.
1545-5971 (c) 2017 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.