A key distribution scheme for dynamic conferences is a method by which initially an (off-line) trusted server distributes private individual pieces of information to a set of users. Later, each member of any group of users of a given size (a dynamic conference) can compute a common secure group key. In this paper we study the theory and applications of such perfectly secure systems. In this setting, any group of t users can compute a common key by each user computing using only his private initial piece of information and the identities of the other t \Gamma 1 users in the group. Keys are secure against coalitions of up to k users, that is, even if k users pool together their pieces they cannot compute anything about a key of any t-size conference comprised of other users. First we consider a non-interactive model where users compute the common key without any interaction. We prove a lower bound on the size of each user's piece of information of \Gamma k+t\Gamma1 t\Gamma1 \Delta t...

We examine multi-party key agreement protocols that provide (i) key authentication, (ii) key confirmation and (iii) forward secrecy. Several minor (repairable) attacks are presented against previous two-party key agreement schemes and a model for key agreement is presented that provably provides the properties listed above. A generalization of the Burmester-Desmedt model (Eurocrypt '94) for multi-party key agreement is given, allowing a transformation of any two-party key agreement scheme into a multi-party scheme. Multi-party schemes (based on the general model and two specific 2-party schemes) are presented that reduce the number of rounds required for key computation compared to the specific Burmester-Desmedt scheme. It is also shown how the specific Burmester-Desmedt scheme fails to provide key authentication. 1991 AMS Classification: 94A60 CR Categories: D.4.6 Key Words: multi-party, key agreement, key authentication, key confirmation, forward secrecy. Carleton University, Sc...

This paper provides an exposition of methods by which a trusted authority can distribute keys and/or broadcast a message over a network, so that each member of a privileged subset of users can compute a specified key or decrypt the broadcast message. Moreover, this is done in such a way that no coalition is able to recover any information on a key or broadcast message they are not supposed to know. The problems are studied using the tools of information theory, so the security provided is unconditional (i.e., not based on any computational assumption). We begin by surveying some useful schemes schemes for key distribution that have been presented in the literature, giving background and examples (but not too many proofs). In particular, we look more closely at the attractive concept of key distribution patterns, and present a new method for making these schemes more efficient through the use of resilient functions. Then we present a general approach to the construction of broadcast sch...

. In 1993, Beimel and Chor presented an unconditionally secure interactive protocol which allows a subset of users in a network to establish a common key. This scheme made use of a key predistribution scheme due to Blom. In this paper, we describe some variations and generalizations of the Beimel-Chor scheme, including broadcast encryption schemes as well as interactive key distribution schemes. Our constructions use the key predistribution scheme of Blundo et al, which is a generalization of the Blom scheme. We obtain families of schemes in which the amount of secret information held by the network users can be traded off against the amount of information that needs to be broadcast. We also discuss lower bounds on the storage and communcation requirements of protocols of these types. Some of our schemes are optimal (or close to optimal) with respect to these bounds. 1 Introduction When a subset of users in a network wishes to communicate privately in conference, encryption algorithms...

We address the problem of establishing a group key amongst a dynamic group of users over an unreliable, or Iossy, network. We term our key distribution mechanisms self-healing because users' are capable of recovering lost group keys on their own, without requesting additional transmissions from the group manager, thus cutting back on network traffic, decreasing the load on the group manager, and reducing the risk of user exposure through traffic analysis. A user must be a member both before and after the session in which a particular key is sent in order to be able to recover the key through self-healing. Binding the ability to recover keys' to membership status enables the group manager to use short broadcasts' to establish group keys', independent of the group size. In addition, the selfhealing approach to key distribution is stateless, meaning that a group member who has been off-line for some time is able to recover new session keys' immediately after coming back on-line.

In 1993, Beimel and Chor presented an unconditionally secure interactive protocol which allows a subset of users in a network to establish a common key. This scheme made use of a key predistribution scheme due to Blom. In this paper, we describe some variations and generalizations of the Beimel-Chor scheme, including broadcast encryption schemes as well as interactive key distribution schemes. Our constructions use the key predistribution scheme of Blundo et al, which is a generalization of the Blom scheme. We obtain families of schemes in which the amount of secret information held by the network users can be traded off against the amount of information that needs to be broadcast. We also consider lower bounds for protocols of these types, using the concept of entropy as our main tool. Some of our schemes are optimal (or close to optimal) with respect to the bounds we prove. keywords: broadcast encryption, interactive key distribution, communication, space, entropy A preliminary ve...

A new family of broadcast encryption schemes (BESs), which will be called linear broadcast encryption schemes (LBESs), is presented in this paper by using linear algebraic techniques. This family generalizes most previous proposals and provide a general framework to the study of broadcast encryption schemes. We present a method to construct LBESs for a general specication structure in order to nd schemes that t in situations that have not been considered before. Key words: Distributed cryptography, Key distribution, Broadcast encryption, Key predistribution schemes. 1

Secure group communication (SGC) is becoming more popular in the Internet. Burstiness is an important behavior in SGC. Performing bursty operation in one aggregate operation is important for efficiency and scalability. In this paper, we extend the well-known key-tree key management protocol for SGC to situations with bursty user arrival and departure patterns. By using a binary representation technique for indexing the keys and the members on the key tree, we propose an efficient algorithm for bursty operation. The algorithm uses only binary right shift operation, which is extremely simple and efficient and could be embedded in standard secure multicast API packages. We also present experimental results from our algorithm.

A one-restricted key agreement is a method by which... In this paper we analyse τ-restricted key agreement schemes. Such schemes allow the computation of up to τ common keys for τ distinct conferences. For certain values of the parameters the scheme that we propose distributes less information than the trivial one obtained by considering τ copies of a one-restricted scheme.