### Interaction in Key Distribution Schemes [chapter]

Amos Beimel, Benny Chor
Advances in Cryptology — CRYPTO' 93
A (g, b) key distribution scheme allows conferences of g users to generate secret keys, so that disjoint coalitions of b users cannot gain any information on the key (in the information theoretic sense). In this work we study the relationships between interaction and space efficiency of key distribution schemes. We prove that interaction does not help in the context of unrestricted schemes. On the other hand, we show that for restricted schemes, which are secure for a limited number of conferences, interaction can substantially improve the space efficiency.

2. Every "bad" coalition B of b users does not gain any information on the key of any disjoint conference G.

It is clear that non-interactive schemes require initial distribution of pieces of information to the users. The (space) efficiency of the scheme is measured by the cardinality of the domain of pieces. This cardinality is a function of the cardinality of the domain of possible keys, $|S|$, of the number of users, n, of the size of conferences, g, and of the size of coalitions, b. Blom [1] was the first to consider non-interactive schemes for conferences of size 2 and coalitions of size b. He presented an efficient (2, b) scheme, based on MDS codes. Other works dealing with non-interactive schemes in our setting are [7, 9]. Matsumoto and Imai [8] suggest the use of symmetric linear functions for (g, b) schemes. Blundo et al. [2] present (g, b) schemes, based on symmetric multinomials. Their multinomials have g variables and degree at most b in each variable. The pieces in their scheme are taken from a domain of cardinality $|S|^{\binom{g+b-1}{g-1}}$ (where S is the domain of keys). For large values of g and b, this expression is quite large. However, using entropy arguments, Blundo et al. [2] prove a tight lower bound on the cardinality of the domain of pieces. Therefore, their scheme is space-optimal. We use direct arguments (no entropy) to prove the same lower bound. Our proof has two advantages. First, it seems more intuitive and less technical. Second, it actually applies to a weaker notion of security, thereby providing a stronger result. This stronger result is used in proving our lower bound on interactive schemes, which is described in the next paragraph. The large lower bound (for big conferences or coalitions) raises the question whether interaction could be of help in reducing the size of pieces. Interaction has some subtle implications on the security requirement (see section 5 for details).
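The symmetric-multinomial idea above, worked through for the g = 2 case as an added example (this is illustrative code written for this page, not the construction of [2] or of the paper's authors): the server samples a random symmetric bivariate polynomial over GF(p) of degree at most b in each variable, each user receives the b + 1 coefficients of the polynomial restricted to its own id, and two users obtain the same key by evaluating their pieces at each other's ids. The field size, the user ids and the coalition in the final function are constructed sample values; the last function shows where the threshold b comes from, since b + 1 colluders can interpolate the degree-b polynomial f(x, j) and evaluate it at x = i, while b colluders cannot.

```python
import random
from math import comb

# Constructed sample parameter: keys live in S = GF(p) for the prime p below.
P = 2_147_483_647          # 2^31 - 1, prime


def gen_symmetric_poly(b, p=P, rng=random):
    """Server step: pick a random symmetric polynomial
    f(x, y) = sum_{j,k<=b} a[j][k] x^j y^k over GF(p) with a[j][k] == a[k][j],
    i.e. the g = 2 case of a symmetric multinomial of degree <= b per variable."""
    a = [[0] * (b + 1) for _ in range(b + 1)]
    for j in range(b + 1):
        for k in range(j, b + 1):
            a[j][k] = a[k][j] = rng.randrange(p)
    return a


def piece_for_user(a, uid, p=P):
    """User uid's piece: the b+1 coefficients of the univariate polynomial
    f(uid, y).  The piece is a point in a domain of size p^(b+1)."""
    b = len(a) - 1
    return [sum(a[j][k] * pow(uid, j, p) for j in range(b + 1)) % p
            for k in range(b + 1)]


def conference_key(piece, other_uid, p=P):
    """Non-interactive key: evaluate your own piece at the peer's id.
    Symmetry of f gives f(i, j) == f(j, i), so both sides agree."""
    return sum(c * pow(other_uid, k, p) for k, c in enumerate(piece)) % p


def piece_domain_exponent(g, b):
    """log base |S| of the piece-domain size for the symmetric-multinomial
    scheme: C(g+b-1, g-1) field elements per user (equals b+1 when g == 2)."""
    return comb(g + b - 1, g - 1)


def coalition_recovers_key(colluder_pieces, target_i, target_j, p=P):
    """Why the threshold is exactly b: each colluder c (not i or j) knows
    f(c, j) = f(j, c) from its own piece.  f(x, j) has degree <= b in x, so
    b+1 such points determine it by Lagrange interpolation, and evaluating at
    x = i yields the conference key.  With only b points the system is
    underdetermined, so the function returns None."""
    b = len(colluder_pieces[0][1]) - 1
    if len(colluder_pieces) <= b:
        return None
    xs = [c for c, _ in colluder_pieces]
    ys = [conference_key(piece, target_j, p) for _, piece in colluder_pieces]
    key = 0
    for c, (xc, yc) in enumerate(zip(xs, ys)):
        num, den = 1, 1
        for d, xd in enumerate(xs):
            if d != c:
                num = num * (target_i - xd) % p
                den = den * (xc - xd) % p
        key = (key + yc * num * pow(den, -1, p)) % p
    return key


if __name__ == "__main__":
    rng = random.Random(7)
    a = gen_symmetric_poly(3, rng=rng)
    pi, pj = piece_for_user(a, 11), piece_for_user(a, 42)
    print("keys agree:", conference_key(pi, 42) == conference_key(pj, 11))
    print("piece size (field elements):", len(pi), "=", piece_domain_exponent(2, 3))
```

The piece size reported by `piece_domain_exponent` is the exponent in the $|S|^{\binom{g+b-1}{g-1}}$ bound quoted above; for g = 2 it is b + 1, which is exactly the number of coefficients each user stores.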
Just like the non-interactive schemes, we require that even if all conferences interact in order to generate keys, these keys remain secure with respect to disjoint coalitions of size b. Since no secure channels among users can be assumed, interaction takes place via a broadcast medium. One problem which arises is that the communication of one conference could leak information on the keys of other conferences. Therefore, we require that even if a "bad" coalition heard the communication of all the conferences, the coalition does not gain any information on keys of disjoint conferences. We argue that this is the right security requirement for interactive schemes. We prove that, regrettably, such unrestricted interactive schemes require pieces from a domain as large as non-interactive schemes.

We next consider restricted interactive schemes. These schemes can be used only for a limited number of conferences, whose identity is not known beforehand. We construct an efficient one-time secure scheme, where the domain of pieces is of cardinality $|S|^{2+2(b-1)/g}$. This is a substantial improvement over the $|S|^{g+b-1}$ cardinality in the one-time secure interactive scheme of [2]. (The fact that this scheme is only one-time secure was not mentioned in [2].) Other, less efficient, one-time secure interactive schemes are presented in [5, 6].

We contrast our results with known results in the computational model, where users are restricted to probabilistic polynomial time computations. Diffie and Hellman [3], in their pioneering work on public key cryptography, introduced an interactive scheme of key generation for conferences of size two.⁴ This interactive scheme requires no server and no pieces. In this scheme a given communication uniquely determines the key, but it is (presumably) intractable for a third party to compute the key from the communication (of course, in our setting this information enables other users to find the conference key).
On the other hand, even in the computational model, a non-interactive scheme requires

⁴ Let p be a prime number, and let $\alpha$ be a primitive element in the field GF(p). User i (respectively j) chooses a random number $r_i \in GF(p)$ (respectively $r_j$) and sends the message $m_i = \alpha^{r_i}$ (respectively $m_j = \alpha^{r_j}$). The joint key of users i and j is $\alpha^{r_i r_j}$, which i easily computes from $m_j$ and $r_i$ using the equality $m_j^{r_i} = \alpha^{r_i r_j}$.
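The exchange in the footnote, written out as an added example that is not part of the paper: both users broadcast $m = \alpha^r$ and each derives $\alpha^{r_i r_j}$ by raising the peer's message to its own exponent. The parameters p = 23 and $\alpha$ = 5 are constructed toy values (5 is primitive modulo 23, which `is_primitive` verifies), far too small for any real use; the last function makes the paper's information-theoretic remark concrete by showing that the transcript $(m_i, m_j)$ alone already determines the key, so the scheme's security rests only on the cost of recovering an exponent when p is large.

```python
import random

# Constructed toy parameters: p = 23 and the primitive element alpha = 5.
P, ALPHA = 23, 5


def is_primitive(alpha, p):
    """alpha is primitive in GF(p) iff alpha^((p-1)/q) != 1 for every prime
    factor q of p-1 (trial-division factoring suffices for a toy p)."""
    n, factors, q = p - 1, set(), 2
    while q * q <= n:
        while n % q == 0:
            factors.add(q)
            n //= q
        q += 1
    if n > 1:
        factors.add(n)
    return all(pow(alpha, (p - 1) // q, p) != 1 for q in factors)


def dh_message(r, alpha=ALPHA, p=P):
    """A user's broadcast message m = alpha^r."""
    return pow(alpha, r, p)


def dh_key(peer_message, r, p=P):
    """Joint key from the peer's message and one's own exponent: m_peer^r,
    which equals alpha^(r_i r_j) on both sides."""
    return pow(peer_message, r, p)


def exchange(rng, alpha=ALPHA, p=P):
    """Run the two-party exchange; returns (m_i, m_j, key_i, key_j)."""
    r_i, r_j = rng.randrange(1, p - 1), rng.randrange(1, p - 1)
    m_i, m_j = dh_message(r_i, alpha, p), dh_message(r_j, alpha, p)
    return m_i, m_j, dh_key(m_j, r_i, p), dh_key(m_i, r_j, p)


def key_from_transcript(m_i, m_j, alpha=ALPHA, p=P):
    """The paper's information-theoretic point: (m_i, m_j) uniquely determine
    the key.  Because alpha is primitive, exactly one exponent r in [0, p-2]
    satisfies alpha^r == m_i, and m_j^r is then the key.  For a toy field the
    exponent is found by exhaustive search; only the cost of this step for a
    large p keeps the key out of a third party's reach."""
    for r in range(p - 1):
        if pow(alpha, r, p) == m_i:
            return pow(m_j, r, p)
    return None


if __name__ == "__main__":
    assert is_primitive(ALPHA, P)
    m_i, m_j, k_i, k_j = exchange(random.Random(1))
    print("messages:", m_i, m_j, "keys agree:", k_i == k_j,
          "determined by transcript:", key_from_transcript(m_i, m_j) == k_i)
```

With r_i = 6 and r_j = 15 the messages are 8 and 19 and both users derive the key 2; the transcript function returns the same value, which is the sense in which the footnote's scheme is secure only computationally, never against the unbounded coalitions considered in the paper.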