Amending Leighton and Micali's Key Distribution Protocol

A key distribution protocol is a set of rules by which two users can establish a shared common key between them and then use the key in future secure communications. We analyze a key distribution protocol presented by Leighton and Micali at the CRYPTO'93 conference, which is based on tamper-proof hardware, and show that the protocol fails in that a common key shared between two users can always be obtained by a number of other legitimate users in a system where the proposed protocol is employed. An interesting point is that the legitimate users can derive the key without opening a single tamper-proof chip. We also propose a very simple identity based conference key distribution protocol that frees of the aw possessed by Leighton and Micali's protocol. Furthermore, we employ ideas behind our protocol to successfully repair Leighton and Micali's failed protocol. At the CRYPTO'93 conference, Leighton and Micali proposed two key distribution protocols 1], which were aimed at such communications scenarios as the one based on the Clipper Chip. Both of the protocols assume the existence of a trusted agent (or a group of agents at least one of which is trusted). The rst protocol also relies on a tamper-proof VLSI chip that contains a CPU together with internal memory. Using an asymtotic argument, the authors proved that if an adversary tried to obtain a common key between two users by opening tamper-proof chips, then the chance for him to succeed was slim that it could be ignored in practical applications. This led them to conclude that the protocol was secure. While the asymtotic argument might be appropriate for the situation where an adversary armed with sophisticated machinery tries to crack the protocol by compromising tamper-proof chips, it does not exclude the possibility that the protocol might be vulnerable to other types of adversaries. That is, the asymtotic argument is not suucient to conclude that the protocol is secure. Indeed, we will show in this paper that the hardware based protocol proposed by Leighton and Micali is easily breakable by much less sophisticated adversaries. In particular, we will show that the protocol fails in that a common key shared between two users is always clear to a number of other legitimate users in a system that employs the protocol. In doing this the legitimate users need not to open any tamper-proof chips ! The following is a brief description …