Another method is suggested in [352]. First, each listener shares a secret key with Alice, one that is larger than any possible encrypted message. All of those keys should be pairwise prime. She encrypts the message in a random key, K. Then, she computes a single integer, R, such that R modulo a secret key is congruent to K when that secret key is supposed to decrypt the message, and R modulo a secret key is otherwise congruent to zero.

For example, if Alice wants the secret to be received by Bob, Carol, and Ellen, but not by Dave and Frank, she encrypts the message with K and then computes R such that

R≡ K(mod K_B)

R≡ K(mod K_C)

R≡ 0 (mod K_D)

R≡ K(mod K_E)

R≡ 0 (mod K_F)

This is a straightforward algebra problem, one that Alice can solve easily. When listeners receive the broadcast, they compute the received key modulo their secret key. If they were intended to receive the message, they recover the key. Otherwise, they recover nothing.

Yet a third way, using a threshold scheme (see Section 3.7), is suggested in [141]. Like the others, every potential receiver gets a secret key. This key is a shadow in a yet-uncreated threshold scheme. Alice saves some secret keys for herself, adding some randomness to the system. Let’s say there are k people out there.

Then, to broadcast M, Alice encrypts M with key K and does the following.

(1)  Alice chooses a random number, j. This number serves to hide the number of recipients of the message. It doesn’t have to be very large; it can be as small as 0.

(2)  Alice creates a (k + j + 1, 2k + j + 1) threshold scheme, with:

K as the secret.

The secret keys of the intended recipients as shadows.

The secret keys of nonrecipients not as shadows.

j randomly chosen shadows, not the same as any of the secret keys.

(3)  Alice broadcasts k + j randomly chosen shadows, none of which is any of the shadows listed in step (2).

(4)  All listeners who receive the broadcast add their shadow to the k + j shadows they received. If adding their shadow allows them to calculate the secret, then they have recovered the key. If it does not, then they haven’t.

Another approach can be found in [885,886,1194]. For yet another approach, see [1000].

Conference Key Distribution

This protocol allows a group of n users to agree on a secret key using only insecure channels. The group shares two large primes, p and q, and a generator g the same size as q.

(1)  User i, where i goes from 1 to n, chooses a random r_i less than q, and broadcasts

z_i = g^ri mod p

(2)  Every user verifies that z_j^q≡ 1 (mod p), for all i from 1 to n.

(3)  User i broadcasts

x_i = (z_i+1/z_i-1)^ri mod p

(4)  User i computes

K = (z_i-1)^nri * x_i^n-1 * x_i+1^n-2 *...* x_i-2 mod p

All index computations in the above protocol—i - 1, i - 2, and i + 1—should be computed mod n. At the end of the protocol, all honest users have the same K. No one else gets anything. However, this protocol falls to a man-in-the-middle attack. Another protocol, not quite as pretty, is in [757].

Tatebayashi-Matsuzaki-Newman

This key distribution protocol is suitable for networks [1521]. Alice wants to generate a session key with Bob using Trent, the KDC. All parties know Trent’s public key, n. Trent knows the two large primes that n factors to, and hence can easily take cube roots modulo n. A lot of the details are left out of the following protocol, but you get the idea.

(1)  Alice chooses a random number, r_A, and sends Trent

r_A³ mod n

(2)  Trent tells Bob that someone wants to exchange a key with him.

(3)  Bob chooses a random number, r_B, and sends Trent

r_B³ mod n

(4)  Trent uses his private key to recover r_A and r_B. He sends Alice

r_A⊕ r_B

(5)  Alice calculates

(r_A⊕ r_B) ⊕ r_A = r_B

She uses this r_B to communicate securely with Bob.

This protocol looks good, but it has a horrible flaw. Carol can listen in on step (3) and use that information, with the help of an unsuspecting Trent and another malicious user (Dave), to recover r_B [1472].

(1)  Carol chooses a random number, r_C, and sends Trent

r_B³r_C³ mod n

(2)  Trent tells Dave that someone wants to exchange a key with him.

(3)  Dave chooses a random number, r_D, and sends Trent

r_D³ mod n

(4)  Trent uses his private key to recover r_C and r_D. He sends Carol

(r_Br_C) mod ⁿ⊕ r_D

(5)  Dave sends r_D to Carol.

(6)  Carol uses r_C and r_D to recover r_B. She uses r_B to eavesdrop on Alice and Bob.

This is not good.