One-round Group Key Exchanges from Scratch

Since the inception of the Diffie-Hellman protocol in 1976, it has been an elusive open problem to construct a one-round group key exchange (GKE) protocol. In this paper, we investigate the open problem and answer it in a modular way. We first revisit the GKE definition and distinguish the conventional (symmetric) group key exchange from asymmetric group key exchange (ASGKE) protocols. In the latter notion, instead of a common secret key, only a shared encryption key is negotiated at the end of the protocol. This encryption key is accessible for attackers and corresponds to different decryption keys merely computable by each group member. We propose a generic construction of one-round static ASGKEs based on a new cryptographic primitive referred to as asteroidal cryptosystem, which is of independent interest. Using bilinear pairings, we instantiate efficient asteroidal cryptosystem and one-round ASGKE schemes. Towards solving the open problem, we show that our one-round n-party ASGKE instantiation implies an (n+1)-party conventional GKE protocol where each member merely broadcasts one message, but the (n+ 1)-th member cannot send its message until it sees the messages of the other n members. By letting the n members distributively simulate the (n + 1)-th member, we propose a one-round n-party GKE protocol in a strict round definition where each member can broadcast its one independent message simultaneously. Hence, one round is sufficient for multiple parties to establish a common secret key from scratch.