2.1 Common-key cryptography

In common-key cryptography, encryption and decryption are conducted by the sender and receiver using a common key that is secret to all but the sender and receiver (hereafter referred to as the secret common key). Although it has the advantage of high-speed computation, it is often used in combination with public-key cryptography (described below) because of problems in the delivery of the secret common key.

2.2 Public-key cryptography

Public-key cryptography is a cryptosystem that solves the problem of sharing a secret key, which has been a problem of conventional common-key cryptosystems that use a secret common key. The cryptographic key PK is made public, and only the decryption key SK is kept secret, making it difficult to obtain SK from PK. The message sender sends an encrypted message to the recipient using the recipient’s public key PK, and the recipient decrypts the message using his/her own private key SK. Although RSA cryptography and ElGamal cryptography are popular public key ciphers, they assume one-to-one communication as well as common key cryptography.

2.3 Broadcast cryptography

Broadcast cryptography is a cryptographic scheme that applies the conventional cryptography realized for one-to-one communication to one-to-n communication. In the case of one-to-n communication using common-key cryptography or public-key cryptography, it has been necessary to send a message encrypted n times using the public key or secret common key of each recipient separately. In broadcast cryptography, the sender only needs to encrypt the message once, and only one ciphertext is generated; however, the message can be decrypted with the decryption key of each recipient, and the same plaintext can be obtained.

Broadcast cryptography has four main processes i.e., key generation (e.g., a secret key) (Gen), recipient registration with the center (Reg), encryption (Enc), and decryption (Dec), respectively. The broadcast cryptosystem is classified into two types: a symmetric key scheme, in which only a specific sender can send a message, and a public key scheme, in which any sender can send a message.

2.4 Three-party public key delivery

Joux [22] extended the DH public key delivery scheme to three parties using a pairing map on an elliptic curve. With this scheme, the three users are A, B, and C respectively, their (private and public) keys are (a, aP), (b, bP), and (c, cP) (where P is a fixed point on the elliptic curve), and e is a pairing.

$\begin{array}{l}{\text{A : K = e(bP, cP)}}^{\text{a}}{\text{ = e(P, P)}}^{\text{abc}}\\ {\text{B : K = e(aP, cP)}}^{\text{b}}{\text{ = e(P, P)}}^{\text{abc}}\\ {\text{C : K = e(aP, bP)}}^{\text{c}}{\text{ = e(P, P)}}^{\text{abc}}\end{array}$

By applying the above calculation, we can obtain the common secret key e(P, P)^abc.

This scheme, in which no other entity has the secret key of each user, extends to three parties and is not applicable to n-to-n communication.

3.1 Concept

Multicast cryptography, like public key broadcast cryptography, assumes an environment in which the sender is not fixed, and is defined as a method in the upper layer of the IP layer, independent of IP multicast routing protocols such as PIM-SM[23] and CBT[24]. ¹The encrypted message to be sent is not generated separately for each recipient, as in broadcast cryptography; however, the message received by all recipients is the same, and each recipient obtains the same plaintext with a different secret key.

¹Support for IPSec as IPv6 multicast will be considered in the future in consideration of the affinity.

The sender can choose any recipient to whom he/she wants to deliver the message, and uses the recipient’s public key in combination with his/her own to encrypt the message. Any recipient with the public key chosen by the sender decrypts the message with its own private key, and everyone receives the same plaintext.

This differs from public-key broadcast cryptography in that the private and public keys are generated by the recipients themselves (and can be updated by the recipients themselves at any time), there is no system administrator who knows the private key, and there is no Reg process in broadcast cryptography. In addition, the sender can arbitrarily select the recipients, only the sender knows the list of the selected recipients, and the selected recipients need not to know the other selected or unselected recipients.

3.2 Requirements

When considering cryptography over an IP multicast, it is necessary to consider the following characteristics of an IP multicast.

1. The recipient can join and leave the group at any time.
2. No one entity can know all members of a group in real time.
3. The messages that can be received are the same for all recipients.
4. Recipients do not necessarily have a trustworthy relationship with each other.
5. It is desirable to have a sender authentication function because basically anyone can be a sender except for a sender-specified group.

3.3 Definition

Multicast cryptography is defined by a group of polynomial-time algorithms (Gen, Enc, Dec): key generation algorithm Gen, encryption algorithm Enc, and decryption algorithm Dec.

Gen (Key generation algorithm) Taking 1^λ (λ is a security parameter) as input, recipient i outputs its own public key PK_i and private key SK_i.

Enc (Encryption algorithm) The public key PK_i and the plaintext M of the recipient are input, and the ciphertext C is output. The ciphertext C is output.

Dec (Decryption algorithm) It takes as input the public key PK_i and private key SK_i of any recipient i who is allowed to decrypt by the sender, and the ciphertext C, and outputs the plaintext M or ⊥, which indicates that a decryption is not allowed.

4.1 Algorithm

4.2 Legitimacy of the decryption algorithm

Let any integer be $N={\displaystyle {\prod }_{i=1}^n{P}_i^{r_i}}$ (i = 1, 2, ..n, where P_i are prime numbers that are prime to each other), and for any integer $a\in Z_n^{*},$ the following holds from Euler’s theorem:

$a^{{\displaystyle {\prod }_{i=1}^n{P}_i^{r_n-1}(P_i-1)}}=1\mathrm{mod}N$ (5)

Equation (2) can be transformed as follows:

$\begin{array}{l}c=s^e\mathrm{mod}{\displaystyle \prod _{i=1}^{n}P{K}_i}\\ =s^e\mathrm{mod}{\displaystyle \prod _{i=1}^n{p}_i{q}_i}\end{array}$ (6)

Now, consider the case in which the secret keys (p_i, q_i) of each recipient are not prime (they use the same prime number as a factor). Note that m ≤ 2n.

${\displaystyle \prod _{i=1}^n{p}_i{q}_i}={\displaystyle \prod _{i=1}^m{r}_i^{h_i}}$ (7)

For m = 2n, all factors of the secret key are prime to each other, and any h_i = 1.

From Equations (5) and (7), Equation (6) becomes Equation (8).

$\begin{array}{l}c=s^e\mathrm{mod}{\displaystyle \prod _{i=1}^n{p}_i{q}_i}\\ =s^{{\displaystyle {\prod }_{i=1}^m{r}_i^{h_i-1}(r_i+1)+e}}\mathrm{mod}{\displaystyle \prod _{i=1}^m{r}_i^{h_i}}\end{array}$ (8)

Now, considering the decryption of receiver j, the right-hand side of Equation (4) becomes Equation (9) from Equation (8).

$\begin{array}{l}{c}^{d_j}=s^{\left({\displaystyle {\prod }_{i=1}^m{r}_i^{h_i-1}(r_i-1)+e}\right)d_j}\mathrm{mod}{p}_j{q}_j\\ =s^{{\displaystyle {\prod }_{i=1}^m{r}_i^{h_i-1}(r_i-1)+e}{d}_j}\mathrm{mod}{p}_j{q}_j\end{array}$ (9)

Because ${\displaystyle {\prod }_{i=1}^m{r}_i^{h_i-1}(r_i-1)}{d}_j$ has (p_j - 1)(q_j - 1) as a factor, we can use Equation (10).

${\displaystyle \prod _{i=1}^m{r}_i^{h_i-1}(r_i-1)d_j}=k(p_j-1)(q_j-1)$ (10)

From Equations (10) and (3), we can see that Equation (9) is as follows and Equation (4) holds.

$\begin{array}{l}{c}^{d_j}=s^{k(p_j-1)(q_j-1)+e{d}_j}\mathrm{mod}{p}_j{q}_j\\ =s^{k(p_j-1)(q_j-1)}\times s^{e{d}_j}\mathrm{mod}{p}_j{q}_j\\ =1\times s^{e{d}_j}\mathrm{mod}{p}_j{q}_j\\ =s\mathrm{mod}{p}_j{q}_j\end{array}$ (11)

5.1 Security

Deriving the private keys p_i and q_i from the public key PK_i of any recipient i is as difficult as the RSA assumption. Because our method is completely equivalent to an RSA cryptosystem when the number of recipients n = 1, the security of our method is equivalent to RSA when the number of recipients.

In the case of multiple recipients, the number of decryption keys increases as much as the number of recipients, so unfortunately the difficulty of decryption is slightly lower.

5.2 Header size

Because the modulo of c is ${\displaystyle {\prod }_{i=1}^{n}P{K}_i,}$ it increases according to O(n) as the number of recipients increases.

However, because the value of the modulo ${\displaystyle {\prod }_{i=1}^{n}P{K}_i}$ is not included in the header, the value of c is extremely small if e is taken well, and the header size can be reduced. The size of c is an issue to be discussed in the future.

5.3 Signature

The same procedure as used for RSA signatures can be applied for sender authentication. The sender encrypts M with his/her own d, and the receiver decrypts it with e. By Contrast, the recipient decrypts M with e. The decryption result is M, which is accepted.

Let i be the sender. The sender calculates d_i using the encryption key e used for message encryption and its own secret keys p_i and q_i.

$e{d}_i=1\mathrm{mod}(p_i-1)(q_i-1)$

The sender computes D using the plaintext M applied for sender authentication, and sends it to the receiver.

$D=M^{d_i}\mathrm{mod}{p}_i{q}_i$

Each recipient obtains M' using the sender’s public key PK_i = p_iq_i.

$M^{\prime }=D^e\mathrm{mod}P{K}_i$

If M = M', it is accepted. The validity and security of this authentication is the same as for RSA signatures.

5.4 Comparison with public-key broadcast cryptography

Unlike public-key broadcast cryptography, multicast cryptography does not require an entity to manage all keys. Therefore, any user can become a sender at any time. In addition, because the sender can specify any group of recipients at the time of transmission, the proposed method can be used in an IP multicast and a secret inter-group communication. In the proposed prototype scheme, the secret and public keys of RSA cryptography can be used as they are, and there is no need to prepare a separate key for multicast cryptography.