A flaw in a self-healing key distribution scheme

A self-healing key distribution scheme enables a dynamic group of users to establish a group key over an unreliable channel. In such a scheme, a group manager, to distribute a session key to each member of the group, broadcasts packets along the channel. If some packets get lost, users are still capable of recovering the group key using the received packets, without requesting additional transmission from the group manager. A user must be member both before and after the session in which a particular key is sent in order to recover the key through "self-healing". This novel and appealing approach to key distribution is quite suitable in military applications and in several Internet-related settings, where high security requirements should be satisfied. We show a ciphertext-only attack that applies to a proposed scheme.

[1]  Aggelos Kiayias,et al.  Self Protecting Pirates and Black-Box Traitor Tracing , 2001, CRYPTO.

[2]  Dalit Naor,et al.  Broadcast Encryption , 1993, Encyclopedia of Multimedia.

[3]  Adi Shamir,et al.  The LSD Broadcast Encryption Scheme , 2002, CRYPTO.

[4]  Reihaneh Safavi-Naini,et al.  A Group Key Distribution Scheme with Decentralised User Join , 2002, SCN.

[5]  Moni Naor,et al.  Efficient Trace and Revoke Schemes , 2000, Financial Cryptography.

[6]  Amos Fiat,et al.  Tracing traitors , 2000, IEEE Trans. Inf. Theory.

[7]  Jessica Staddon,et al.  Efficient Methods for Integrating Traceability and Broadcast Encryption , 1999, CRYPTO.

[8]  Douglas R. Stinson,et al.  On Some Methods for Unconditionally Secure Key Distribution and Broadcast Encryption , 1997, Des. Codes Cryptogr..

[9]  Douglas R. Stinson,et al.  Some New Results on Key Distribution Patterns and Broadcast Encryption , 1998, Des. Codes Cryptogr..

[10]  Ran Canetti,et al.  Efficient Communication-Storage Tradeoffs for Multicast Encryption , 1999, EUROCRYPT.

[11]  Shimshon Berkovits,et al.  How To Broadcast A Secret , 1991, EUROCRYPT.

[12]  Moni Naor,et al.  Revocation and Tracing Schemes for Stateless Receivers , 2001, CRYPTO.

[13]  Amit Sahai,et al.  Coding Constructions for Blacklisting Problems without Computational Assumptions , 1999, CRYPTO.

[14]  Avishai Wool,et al.  Long-Lived Broadcast Encryption , 2000, CRYPTO.

[15]  Jessica Staddon,et al.  Combinatorial properties of frameproof and traceability codes , 2001, IEEE Trans. Inf. Theory.

[16]  Douglas R. Stinson,et al.  Fault Tolerant and DistributedBroadcast Encryption , 2003, CT-RSA.

[17]  Reihaneh Safavi-Naini,et al.  Sequential Traitor Tracing , 2000, CRYPTO.

[18]  Jessica Staddon,et al.  Combinatorial Bounds for Broadcast Encryption , 1998, EUROCRYPT.

[19]  Douglas R. Stinson,et al.  An Application of Ramp Schemes to Broadcast Encryption , 1999, Inf. Process. Lett..

[20]  Carlo Blundo,et al.  Space Requirements for Broadcast Encryption , 1994, EUROCRYPT.

[21]  Tsutomu Matsumoto,et al.  A Quick Group Key Distribution Scheme with "Entity Revocation" , 1999, ASIACRYPT.

[22]  Eric J. Harder,et al.  Key Management for Multicast: Issues and Architectures , 1999, RFC.

[23]  Reihaneh Safavi-Naini,et al.  A Secure Re-keying Scheme with Key Recovery Property , 2002, ACISP.

[24]  Douglas R. Stinson,et al.  Combinatorial Properties and Constructions of Traceability Schemes and Frameproof Codes , 1998, SIAM J. Discret. Math..

[25]  Douglas R. Stinson,et al.  Key Preassigned Traceability Schemes for Broadcast Encryption , 1998, Selected Areas in Cryptography.

[26]  Moni Naor,et al.  Digital signets: self-enforcing protection of digital information (preliminary version) , 1996, STOC '96.

[27]  Douglas R. Stinson,et al.  Generalized Beimel-Chor Schemes for Broadcast Encryption and Interactive Key Distribution , 1998, Theor. Comput. Sci..

[28]  Aggelos Kiayias,et al.  Traitor Tracing with Constant Transmission Rate , 2002, EUROCRYPT.

[29]  Moni Naor,et al.  Multicast security: a taxonomy and some efficient constructions , 1999, IEEE INFOCOM '99. Conference on Computer Communications. Proceedings. Eighteenth Annual Joint Conference of the IEEE Computer and Communications Societies. The Future is Now (Cat. No.99CH36320).

[30]  Reihaneh Safavi-Naini,et al.  New constructions for multicast re-keying schemes using perfect hash families , 2000, CCS.

[31]  Matthew K. Franklin,et al.  Self-healing key distribution with revocation , 2002, Proceedings 2002 IEEE Symposium on Security and Privacy.

[32]  Birgit Pfitzmann,et al.  Trials of Traced Traitors , 1996, Information Hiding.

[33]  Dawn Xiaodong Song,et al.  ELK, a new protocol for efficient large-group key distribution , 2001, Proceedings 2001 IEEE Symposium on Security and Privacy. S&P 2001.

[34]  Amos Fiat,et al.  Dynamic Traitor Training , 1999, CRYPTO.

[35]  Amos Fiat,et al.  Dynamic Traitor Tracing , 2001, Journal of Cryptology.