Provably Secure Non-interactive Key Exchange Protocol for Group-Oriented Applications in Scenarios with Low-Quality Networks
Rui Zhang, Lei Zhang
TL;DR
The paper addresses non-interactive group key exchange for dynamic, group-oriented settings over low-quality networks by introducing NI-CBE, a CBE-based NIKE protocol built on bilinear maps. It enables non-interactive derivation of a public group encryption key and per-user decryption keys, supports dynamic joins/leaves, and yields constant-size ciphertexts for sender-to-group communications. Security is established under the decision $k$-BDHE assumption via a semi-static model, with a formal reduction showing that breaking the scheme would solve BDHE. Efficiency analyses and simulations indicate practical performance for group sizes up to 100 members, highlighting suitability for MANETs and related environments.
Abstract
Non-interactive key exchange (NIKE) enables two or multiple parties (just knowing the public system parameters and each other's public key) to derive a (group) session key without the need for interaction. Recently, NIKE in multi-party settings has been attached importance. However, we note that most existing multi-party NIKE protocols, underlying costly cryptographic techniques (i.e., multilinear maps and indistinguishability obfuscation), lead to high computational costs once employed in practice. Therefore, it is a challenging task to achieve multi-party NIKE protocols by using more practical cryptographic primitives. In this paper, we propose a secure and efficient NIKE protocol for secure communications in dynamic groups, whose construction only bases on bilinear maps. This protocol allows multiple parties to negotiate asymmetric group keys (a public group encryption key and each party's decryption key) without any interaction among one another. Additionally, the protocol supports updating of group keys in an efficient and non-interactive way once any party outside a group or any group member joins or leaves the group. Further, any party called a sender (even outside a group) intending to connect with some or all of group members called receivers in a group, just needs to generate a ciphertext with constant size under the public group encryption key, and only the group member who is the real receiver can decrypt the ciphertext to obtain the session key. We prove our protocol captures the correctness and indistinguishability of session key under k-Bilinear Diffie-Hellman exponent (k-BDHE) assumption. Efficiency evaluation shows the efficiency of our protocol.