Asymmetric Group Key Agreement

Qianhong Wu 1,2, Yi Mu 3, Willy Susilo 3, Bo Qin 1,4, and Josep Domingo-Ferrer 1

1 Universitat Rovira i Virgili, Dept. of Comp. Eng. and Maths, UNESCO Chair in Data Privacy, Tarragona, Catalonia, {qianhong.wu,bo.qin,josep.domingo}@urv.cat
2 Key Lab. of Aerospace Information Security and Trusted Computing, Ministry of Education, School of Computer, Wuhan University, China
3 Centre for Computer and Information Security Research, School of Computer Science and Software Engineering, University of Wollongong, Australia, {ymu,wsusilo}@uow.edu.au
4 Dept. of Maths, School of Science, Xi’an University of Technology, China

Abstract. A group key agreement (GKA) protocol allows a set of users to establish a common secret via open networks. Observing that a major goal of GKAs for most applications is to establish a confidential channel among group members, we revisit the group key agreement definition and distinguish the conventional (symmetric) group key agreement from asymmetric group key agreement (ASGKA) protocols. Instead of a common secret key, only a shared encryption key is negotiated in an ASGKA protocol. This encryption key is accessible to attackers and corresponds to different decryption keys, each of which is only computable by one group member. We propose a generic construction of one-round ASGKAs based on a new primitive referred to as aggregatable signature-based broadcast (ASBB), in which the public key can be simultaneously used to verify signatures and encrypt messages, while any signature can be used to decrypt ciphertexts under this public key. Using bilinear pairings, we realize an efficient ASBB scheme equipped with useful properties. Following the generic construction, we instantiate a one-round ASGKA protocol tightly reduced to the decision Bilinear Diffie-Hellman Exponentiation (BDHE) assumption in the standard model.
1 Introduction

Many complex cryptosystems rely on the existence of a confidential channel among the users. A major goal of key agreement protocols is to establish such a channel for two or more users. Since the inception of the Diffie-Hellman protocol [12] in 1976, it has been an elusive open problem to construct a one-round group key agreement protocol from scratch. A round means that each party sends one message, and all parties can broadcast simultaneously. A key agreement protocol is said to be from scratch if no participant holds any secret values prior to the execution of the protocol. Such long-term-key-free protocols can only provide security against passive attackers, but they are the basis to build

A. Joux (Ed.): EUROCRYPT 2009, LNCS 5479, pp. 153–170, 2009. © International Association for Cryptologic Research 2009