Applied Cryptography, Second Edition: Protocols, Algorthms, and Source Code in C (cloth)
(Publisher: John Wiley & Sons, Inc.)
Author(s): Bruce Schneier
ISBN: 0471128457
Publication Date: 01/01/96

Previous Table of Contents Next

Another method is suggested in [352]. First, each listener shares a secret key with Alice, one that is larger than any possible encrypted message. All of those keys should be pairwise prime. She encrypts the message in a random key, K. Then, she computes a single integer, R, such that R modulo a secret key is congruent to K when that secret key is supposed to decrypt the message, and R modulo a secret key is otherwise congruent to zero.

For example, if Alice wants the secret to be received by Bob, Carol, and Ellen, but not by Dave and Frank, she encrypts the message with K and then computes R such that

RK(mod KB)
RK(mod KC)
R≡ 0 (mod KD)
RK(mod KE)
R≡ 0 (mod KF)

This is a straightforward algebra problem, one that Alice can solve easily. When listeners receive the broadcast, they compute the received key modulo their secret key. If they were intended to receive the message, they recover the key. Otherwise, they recover nothing.

Yet a third way, using a threshold scheme (see Section 3.7), is suggested in [141]. Like the others, every potential receiver gets a secret key. This key is a shadow in a yet-uncreated threshold scheme. Alice saves some secret keys for herself, adding some randomness to the system. Let’s say there are k people out there.

Then, to broadcast M, Alice encrypts M with key K and does the following.

(1)  Alice chooses a random number, j. This number serves to hide the number of recipients of the message. It doesn’t have to be very large; it can be as small as 0.
(2)  Alice creates a (k + j + 1, 2k + j + 1) threshold scheme, with:
K as the secret.
The secret keys of the intended recipients as shadows.
The secret keys of nonrecipients not as shadows.
j randomly chosen shadows, not the same as any of the secret keys.
(3)  Alice broadcasts k + j randomly chosen shadows, none of which is any of the shadows listed in step (2).
(4)  All listeners who receive the broadcast add their shadow to the k + j shadows they received. If adding their shadow allows them to calculate the secret, then they have recovered the key. If it does not, then they haven’t.

Another approach can be found in [885,886,1194]. For yet another approach, see [1000].

Conference Key Distribution

This protocol allows a group of n users to agree on a secret key using only insecure channels. The group shares two large primes, p and q, and a generator g the same size as q.

(1)  User i, where i goes from 1 to n, chooses a random ri less than q, and broadcasts
zi = gri mod p
(2)  Every user verifies that zjq≡ 1 (mod p), for all i from 1 to n.
(3)  User i broadcasts
xi = (zi+1/zi-1)ri mod p
(4)  User i computes
K = (zi-1)nri * xin-1 * xi+1n-2 *...* xi-2 mod p

All index computations in the above protocol—i - 1, i - 2, and i + 1—should be computed mod n. At the end of the protocol, all honest users have the same K. No one else gets anything. However, this protocol falls to a man-in-the-middle attack. Another protocol, not quite as pretty, is in [757].


This key distribution protocol is suitable for networks [1521]. Alice wants to generate a session key with Bob using Trent, the KDC. All parties know Trent’s public key, n. Trent knows the two large primes that n factors to, and hence can easily take cube roots modulo n. A lot of the details are left out of the following protocol, but you get the idea.

(1)  Alice chooses a random number, rA, and sends Trent
rA3 mod n
(2)  Trent tells Bob that someone wants to exchange a key with him.
(3)  Bob chooses a random number, rB, and sends Trent
rB3 mod n
(4)  Trent uses his private key to recover rA and rB. He sends Alice
(5)  Alice calculates
(rArB) ⊕ rA = rB

She uses this rB to communicate securely with Bob.

This protocol looks good, but it has a horrible flaw. Carol can listen in on step (3) and use that information, with the help of an unsuspecting Trent and another malicious user (Dave), to recover rB [1472].

(1)  Carol chooses a random number, rC, and sends Trent
rB3rC3 mod n
(2)  Trent tells Dave that someone wants to exchange a key with him.
(3)  Dave chooses a random number, rD, and sends Trent
rD3 mod n
(4)  Trent uses his private key to recover rC and rD. He sends Carol
(rBrC) mod nrD
(5)  Dave sends rD to Carol.
(6)  Carol uses rC and rD to recover rB. She uses rB to eavesdrop on Alice and Bob.

This is not good.

Previous Table of Contents Next
[an error occurred while processing this directive]