996 IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, VOL. 16, NO.

6, NOVEMBER/DECEMBER 2019

Block Design-Based Key Agreement for

Group Data Sharing in Cloud Computing
Jian Shen , Member, IEEE, Tianqi Zhou , Debiao He , Yuexin Zhang,
Xingming Sun, Senior Member, IEEE, and Yang Xiang , Senior Member, IEEE

Abstract—Data sharing in cloud computing enables multiple participants to freely share the group data, which improves the efficiency
of work in cooperative environments and has widespread potential applications. However, how to ensure the security of data sharing
within a group and how to efficiently share the outsourced data in a group manner are formidable challenges. Note that key agreement
protocols have played a very important role in secure and efficient group data sharing in cloud computing. In this paper, by taking
advantage of the symmetric balanced incomplete block design (SBIBD), we present a novel block design-based key agreement
protocol that supports multiple participants, which can flexibly extend the number of participants in a cloud environment according to
the structure of the block design. Based on the proposed group data sharing model, we present general formulas for generating the
common conference key K for multiple participants. Note that by benefiting from the ðv; k þ 1; 1Þ-block design, the computational
complexity of the proposed protocol linearly increases with the number of participants and the communication complexity is greatly
reduced. In addition, the fault tolerance property of our protocol enables the group data sharing in cloud computing to withstand
different key attacks, which is similar to Yi’s protocol.

Index Terms—Key agreement protocol, symmetric balanced incomplete block design (SBIBD), data sharing, cloud computing

Ç
1 INTRODUCTION

C LOUD computing and cloud storage have become hot

topics in recent decades. Both are changing the way we
live and greatly improving production efficiency in some
areas. At present, due to limited storage resources and the
requirement for convenient access, we prefer to store all
types of data in cloud servers, which is also a good option
for companies and organizations to avoid the overhead
of deploying and maintaining equipment when data are
stored locally. The cloud server provides an open and con-
venient storage platform for individuals and organizations,
but it also introduces security problems. For instance, a
cloud system may be subjected to attacks from both mali-
cious users and cloud providers. In these scenarios, it is
important to ensure the security of the stored data in the
 J. Shen is with the School of Computer and Software, Nanjing University
of Information Science and Technology, Nanjing 210044, China, and the
State Key Laboratory of Information Security, Institute of Information
Engineering, Chinese Academy of Sciences, Beijing 100093, China.
E-mail:
cloud. In [1], [2], [3], several schemes were proposed to pre-
serve the privacy of the outsourced data. The above
schemes only considered security problems of a single data
owner. However, in some applications, multiple data own-
ers would like to securely share their data in a group man-
ner. Therefore, a protocol that supports secure group data
sharing under cloud computing is needed.
A key agreement protocol is used to generate a common
conference key for multiple participants to ensure the secu-
rity of their later communications, and this protocol can be
applied in cloud computing to support secure and efficient
data sharing. Since it was introduced by Diffie-Hellman in
their seminal paper [4], the key agreement protocol has
become one of the fundamental cryptographic primitives.
The basic version of the Diffie-Hellman protocol provides an
efficient solution to the problem of creating a common secret
key between two participants. In cryptography, a key agree-
ment protocol is a protocol in which two or more parties can
agree on a key in such a way that both influence the outcome.

[email protected].
 T. Zhou and X. Sun are with the School of Computer and Software, Nanj- By employing the key agreement protocol, the conferees can
ing University of Information Science and Technology, Nanjing 210044, securely send and receive messages from each other using
China. E-mail: [email protected], [email protected]. the common conference key that they agree upon in advance.
 D. He is with the State Key Laboratory of Software Engineering, Computer
School, Wuhan University, Wuhan 430072, China, and the State Key Lab- Specifically, a secure key agreement protocol ensures that the
oratory of Cryptology, Beijing 100878, China. E-mail: [email protected]. adversary cannot obtain the generated key by implementing
 Y. Zhang is with the School of Information Technology, Deakin Univer- malicious attacks, such as eavesdropping. Thus, the key
sity, Burwood, Vic 3125, Australia. E-mail: [email protected]. agreement protocol can be widely used in interactive com-
 Y. Xiang is with the Digital Research & Innovation Capability Platform,
Swinburne University of Technology, John Street, Hawthorn, Vic 3122, munication environments with high security requirements
Australia. E-mail: [email protected]. (e.g., remote board meetings, teleconferences, collaborative
Manuscript received 27 Mar. 2017; revised 29 June 2017; accepted 3 July workspaces, radio frequency identification [5], cloud com-
2017. Date of publication 12 July 2017; date of current version 8 Nov. 2019. puting and so on).
(Corresponding author: Yang Xiang.) The Diffie-Hellman key agreement [4] provides a way to
For information on obtaining reprints of this article, please send e-mail to:
[email protected], and reference the Digital Object Identifier below. generate keys. However, it does not provide an authentica-
Digital Object Identifier no. 10.1109/TDSC.2017.2725953 tion service, which makes it vulnerable to man-in-the-middle
1545-5971 ß 2017 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See ht_tp://www.ieee.org/publications_standards/publications/rights/index.html for more information.

Authorized licensed use limited to: St Martin's Engineering College. Downloaded on June 08,2022 at 07:39:40 UTC from IEEE Xplore. Restrictions apply.
SHEN ET AL.: BLOCK DESIGN-BASED KEY AGREEMENT FOR GROUP DATA SHARING IN CLOUD COMPUTING
attacks. This situation can be addressed by adding some
forms of authentication mechanisms to the protocol, as pro-
posed by Law et al. in [6]. In addition, the Diffie-Hellman
key agreement can only support two participants. Subse-
quently, to solve the different key attacks from malicious
conferees, who attempt to deliberately delay or destroy the
conference, Yi proposed an identity-based fault-tolerant con-
ference key agreement in [7]. Currently, many researches
have been devoted to improving the security and communi-
cation efficiency of the key agreement protocol, which is cov-
ered in the literature [8], [9], [10], [11]. Note that in Chung
and Bae’s paper [12] and Lee et al.’s paper [13], block design
is utilized in the design of an efficient load balance algorithm
to maintain load balancing in a distributed system. Inspired
by [12] and [13], we introduce the symmetric balanced
incomplete block design (SBIBD) in designing the key agree-
ment protocol to reduce the complexity of communication
and computation. As far as we know, the work to design the
key agreement protocol with respect to the SBIBD is novel
and original.
1.1 Main Contributions
In this paper, we present an efficient and secure block
design-based key agreement protocol by extending the
structure of the SBIBD to support multiple participants,
which enables multiple data owners to freely share the out-
sourced data with high security and efficiency. Note that
the SBIBD is constructed as the group data sharing model to
support group data sharing in cloud computing. Moreover,
the protocol can provide authentication services and a fault
tolerance property. The main contributions of this paper are
summarized as follows.
1. Model of group data sharing according to the structure of
the SBIBD is constructed. In this paper, a group data
sharing model is established based on the definition
of the SBIBD, which can be used to determine the way
of communication among the participants. Regarding
mathematical descriptions of the structure of the
SBIBD, general formulas for computing the common
conference key for multiple participants are derived.
2. Fault detection and fault tolerance can be provided in the
protocol. The presented protocol can perform fault
detection to ensure that a common conference key is
established among all participants without failure.
Moreover, in the fault detection phase, a volunteer
will be used to replace a malicious participant to
support the fault tolerance property. The volunteer
enables the protocol to resist different key attacks [7],
which makes the group data sharing in cloud com-
puting more secure.
3. Secure group data sharing in cloud computing can be sup-
ported by the protocol. According to the data sharing
model applying the SBIBD, multiple participants can
form a group to efficiently share the outsourced data.
Subsequently, each group member performs the key
agreement to derive a common conference key to
ensure the security of the outsourced group data. Note
that the common conference key is only produced by
group members. Attackers or the semi-trusted cloud
server has no access to the generated key. Thus, they
Authorized licensed use limited to: St Martin's Engineering College. Downloaded on June 08,2022 at 07:39:40 UTC from IEEE Xplore. Restrictions apply.
997
cannot access the original outsourced data (i.e., they
only obtain some unintelligible data). Therefore, the
proposed key agreement protocol can support secure
and efficient group data sharing in cloud computing.
Notably, the above contributions substantially widen the
field of applications of the key agreement protocol by apply-
ing an SBIBD with high security and flexibility. Moreover,
the communication complexity is reduced without intro-
ducing extra computational complexity. Specifically, pffiffiffi the
communication complexity of our protocol is Oðn nÞ, and
the computational complexity is Oðnm2 Þ. Here, n is the
number of participants, and m is the extension degree of the
finite field F pm , which is the space for rational points in a
supersingular elliptic curve.
1.2 Organization
The remainder of this paper is organized as follows. Sec-
tion 2 introduces related works. Section 3 briefly presents
preliminaries and the system model. Section 4 describes
the algorithm for constructing the SBIBD and depicts the
group data sharing model. Section 5 shows the block
design-based key agreement protocol with the general for-
mulas for calculating the common conference key for mul-
tiple participants. Sections 6 and 7 present the security and
performance analyses, respectively. Finally, conclusions
are drawn in Section 8. To understand our protocol well,
the detailed process of the key agreement with multiple
participants and a concrete example with 31 participants
are provided in the Appendix, which can be found on
the Computer Society Digital Library at http://doi.
ieeecomputersociety.org/10.1109/TDSC.2017.2725953.
2 RELATED WORKS
It is well known that data sharing in cloud computing can
provide scalable and unlimited storage and computational
resources to individuals and enterprises. However, cloud
computing also leads to many security and privacy con-
cerns, such as data integrity, confidentiality, reliability, fault
tolerance and so on. Note that the key agreement protocol is
one of the fundamental cryptographic primitives, which
can provide secure communication among multiple partici-
pants in cloud environments.
In [14] and [15], based on symmetric-key cryptography,
several schemes were proposed to enable efficient encryp-
tion of the outsourced data. However, encryption keys
should be transmitted in a secure channel, which is not possi-
ble in practice, particularly in the open cloud environment.
Since it was introduced in [16], resistance to compromised
keys has been taken into consideration, which is an impor-
tant issue in the context of cloud computing. Note that cloud
storage auditing with verifiable outsourcing of key updates
paradigm was proposed by Yu et al. in [17] to achieve resis-
tance to compromised keys. In this paradigm, the third party
auditor (TPA) takes responsibility for the cloud storage
auditing and key updates. In particular, the TPA is responsi-
ble for the selection and distribution of the key. The key
downloaded from the TPA can be used by the client to
encrypt files that he will upload to the cloud. In contrast, the
generation and distribution of the key is based on a central-
ized model in [17], which not only imparts a burden to the
998 IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING,
TPA but also introduces some security problems. In [18], a
key agreement algorithm was exploited by De Capitani di
Vimercati et al. to achieve data access when data are con-
trolled by multiple owners. Therefore, the key agreement
protocol can be applied in group data sharing to solve related
security problems in cloud computing.
Following the first pioneering work for key agreement [4],
many works have attempted to provide authentication serv-
ices in the key agreement protocol. In [19], a public key
infrastructure (PKI) is used to circumvent man-in-the-mid-
dle attacks. However, these protocols are not suitable for
resource-constrained environments since they require exe-
cutions of time-consuming modular exponentiation opera-
tions. Key agreement protocols that use elliptic curve
cryptography (ECC) have been proposed in [20], [21]. These
protocols are more efficient than the protocols that resort to
the PKI because point additions or multiplications in elliptic
curves are more efficient compared with the modular expo-
nentiation. Moreover, based on the difficulty of solving the
elliptic curve discrete logarithm problem (ECDLP), proto-
cols that use ECC are more secure.
To avoid the requirement of the public key certificate, in
1984, identity-based cryptography (IBC) was proposed by
Shamir [22]. However, it was not until 2001 that the first
practical IBC scheme [10] was proposed by Boneh and
Franklin. Due to the strict security proof and high efficiency,
this scheme has received widespread recognition in aca-
demic fields. In the same year, a popular proof model for
group key establishment was proposed by Bresson
et al. [23]. In this protocol, to manage the complexity of defi-
nitions and proofs for the authenticated group Diffie-Hell-
man key exchange, a formal model was presented, where
two security goals of the group Diffie-Hellman key
exchange were addressed. However, some security proper-
ties are missing in [23], which are essential for preventing
malicious protocol participants.
Note that all the above protocols have been proven and
analyzed for security, but some of them can only be applied
to the key agreement between two entities and need a large
amount of resources to perform calculations. Recently, an
identity-based authenticated key agreement protocol was
proposed by Shen et al. in [9], which improves the efficiency
of the conference key agreement and provides entity
authentication services. However, there are some obstacles
in Shen et al.’s protocol [9] in real applications. One is that
the protocol only discusses a specific situation when the
number of conferees is exactly 7. The other is that the proto-
col does not discuss the general situation and does not pro-
vide the key agreement process for multiple participants,
which makes the protocol lack flexibility and practicability.
Motivated by the above observation, the key agreement
protocol is applicable to support data sharing in cloud com-
puting for the following reasons.
1. The generation of a common conference key is per-
formed in a public channel, which is suitable for
cloud computing environments.
2. The key agreement protocol can support and pro-
vide secure data sharing for multiple data owners
within a group, where the data sharing follows a
many-to-many pattern. Compared with the one-to-
Authorized licensed use limited to: St Martin's Engineering College. Downloaded on June 08,2022 at 07:39:40 UTC from IEEE Xplore. Restrictions apply.
VOL. 16, NO. 6, NOVEMBER/DECEMBER 2019
many pattern, the many-to-many pattern in group
data sharing provides higher efficiency in the envi-
ronment of cooperative storage.
3. The key agreement protocol is based on a decentral-
ized model, where a trusted third party is not
required. This means that every data owner in a
group fairly contributes and determines the common
conference key such that the outsourced data are
controlled by all the data owners within a group.
Therefore, we design a block design-based key agreement
protocol for data sharing in cloud computing. First, we pro-
pose an algorithm to construct the ðv; k þ 1; 1Þ-design. Then,
with respect to the mathematical description of the structure
of the ðv; k þ 1; 1Þ-design, general formulas for generating
the common conference key K for multiple participants are
derived. Namely, the proposed protocol supports multiple
participants. We believe that our contributions can widen
the application scope of the key agreement protocol in cloud
computing employing an SBIBD.
3 PRELIMINARIES AND SYSTEM MODEL
3.1 Cryptographic Bilinear Maps
Modified Weil pairing [10] is an example of a cryptographic
bilinear map. One way to construct this map is described as
follows. Let p be a prime such that p ¼ 6q  1 for some
prime q and E be a supersingular elliptic curve defined by
the Weierstrass equation y2 ¼ x3 þ 1 over Fp . The group of
rational points EðFp Þ ¼ fðx; yÞ 2 Fp  Fp : ðx; yÞ 2 Eg forms
a cyclic group of order p þ 1. Furthermore, because
p þ 1 ¼ 6q for some prime q, the group of points of order q
in EðFp Þ forms a cyclic subgroup, denoted as G1 . Further
discussion of the Weil pairing is shown in the literature [8].
Definition 1. Let G be a generator of G1 , and let G2 be the sub-
group of Fp2 containing all elements of order q. A modified
Weil pairing is a map e^ : G1  G1 ! G2 , which has the follow-
ing properties for points in EðFp Þ:
1. Bilinear: For any P; Q 2 G1 and a; b 2 Z, we have
e^ðaP; bQÞ ¼ e^ðP; QÞab .
2. Non-degenerate: If P is a generator of G1 , then
e^ðP; PÞ 2 Fp2 is a generator of G2 . In other words,
e^ðP; PÞ 6¼ 1.
3. Non-commutative: For any P; Q 2 G1 , P 6¼ Q,
e^ðP; QÞ 6¼ e^ðQ; PÞ.
4. Computable: Given P; Q 2 G1 , there exists an efficient
algorithm to compute eðP; QÞ.
5. For any P 1 ; P 2 ; Q1 ; Q2 2 G1 , we have
e^ðP 1 þ P 2 ; Q1 Þ ¼ e^ðP 1 ; Q1 Þ  e^ðP 2 ; Q1 Þ
e^ðP 1 ; Q1 þ Q2 Þ ¼ e^ðP 1 ; Q1 Þ  e^ðP 1 ; Q2 Þ
3.2 Security Assumption
Security is one of the most essential conditions that a good
cryptographic algorithm or protocol should first meet. Stud-
ies on safety issues can boil down to the security model. The
attacker’s ability and the goal of security achieved can be
well reflected by the correct and appropriate security
model. In this paper, we use the security model defined in
the literature [9]. Note that the security of our protocol relies
on a variant of the computational Diffie-Hellman (CDH)
assumption: the bilinear Diffie-Hellman (BDH) assumption,
which is defined as follows. According to the proof in [9],
SHEN ET AL.: BLOCK DESIGN-BASED KEY AGREEMENT FOR GROUP DATA SHARING IN CLOUD COMPUTING 999

the presented protocol can resist both passive attacks and

active attacks. Many formal security analyses of the key
agreement protocol can be found in the literature [11].
Definition 2. In ðG1 ; G2 ; e^Þ, the BDH problem is defined as fol-
lows. Given G 2 G1 and ðG; aG; bG; cGÞ for some a; b; c 2 Zq ,
compute W ¼ e^ðG; GÞabc 2 G2 [10].
An algorithm A is said to have advantage " in solving the
BDH problem in ðG1 ; G2 ; e^Þ if
Pr½AðG; aG; bG; cGÞ ¼ e^ðG; GÞabc   ";

where " > 0 and the probability is based on the random

choice of a; b; c 2 Zq , the random choice of G 2 G1 and the
random bits of A.
The BDH assumption states that no polynomial time
algorithm A has an advantage of at least " in solving the
BDH problem in ðG1 ; G2 ; e^Þ, which means that this advan-
tage is negligible.
3.3 Block Design and ðv; k þ 1; 1Þ-Design
In combinatorial mathematics, a block design is a set together
with a family of subsets whose members are chosen to satisfy
some set of properties that are deemed useful for a particular
application. Definition 3 defines the balanced incomplete
block design (BIBD) in detail below [12], [13], [24].
Definition 3. Let V ¼ f0; 1; 2 . . . v  1g be a set of v elements
and B ¼ fB0 ; B1 ; B2 . . . Bb1 g be a set of b blocks, where Bi is
a subset of V and jBi j ¼ k. For a finite incidence structure
s ¼ ðV; BÞ, if s satisfies the following conditions, then it is a
BIBD, which is called a ðb; v; r; k; Þ-design.
1. Each element of V appears in exactly r of the b blocks.
2. Every two elements of V appear simultaneously in
exactly  of the b blocks.
3. Parameters k and v of V meet the condition of k < v.
Thus, no block contains all the elements of the set V .
4. Parameters b and v of V meet the condition of b  v.
The case of equality is called a symmetric design.
Here, v is the number of elements of V , b denotes the
number of blocks, k implies the number of elements in each
block, and r and  are the parameters of the design. For a
ðb; v; r; k; Þ-design, if the condition of k ¼ r and b ¼ v holds,
it is a symmetric balanced incomplete block design (SBIBD).
It is also called a ðv; k; Þ-design. In this paper, we require a
ðv; k þ 1; 1Þ-design to construct our group data sharing
decentralized model, where k is a prime number and  ¼ 1.
The reason for why the ðv; k þ 1; 1Þ-design is chosen will be
shown in detail in Section 4. Moreover, in the BIBD and the
SBIBD, these five parameters are not all independent: b and
r are determined by v, k and . Two basic equations con-
necting these parameters in the BIBD and the SBIBD are
bk ¼ vr and ðv  1Þ ¼ rðk  1Þ.
Note that information exchange in our key agreement
protocol is based on the ðv; k þ 1; 1Þ-design. Consequently,
each participant can determine the intended message
receivers or message senders based on the group data shar-
ing model constructed by the ðv; k þ 1; 1Þ-design.
In Section 5 will be noted that information exchange in our
key agreement protocol is based on the ðv; k þ 1; 1Þ-design
and the detailed processes are described.
Fig. 1. System model of data sharing in cloud computing.
3.4 System Model and Adversary Model
3.4.1 System Model
The system model of our group data sharing scheme in
cloud computing is illustrated in Fig. 1. A TPA, cloud and
users are involved in the model, where the TPA is responsi-
ble for cloud storage auditing, fault detection and generat-
ing the system parameters. The cloud, who is a semi-trusted
party, provides users with data storage services and down-
load services. Users can be individuals or staff in a com-
pany. To work together, they form a group, upload data to
the cloud server and share the outsourced data with the
group members. In practice, users can be mobile Android
devices, mobile phones, laptops, nodes in underwater sen-
sor networks and so forth.
Moreover, the group data sharing model is based on the
SBIBD, where a trusted third party is not required. The
construction of the SBIBD group data sharing model is
described in detail in Section 4. With respect to this model,
all the participants exchange messages from intended enti-
ties according to the structure of the SBIBD to determine a
common conference key. In addition to participants, vol-
unteers and adversaries are also included in the presented
protocol, and all of them run as a probabilistic polynomial-
time Turing machine. Two types of adversaries may be
involved in the protocol: passive adversaries and active
adversaries. A passive adversary is a person who attempts
to learn information about the conference key by eaves-
dropping on the multicast channel, whereas an active
adversary is a person who attempts to impersonate a par-
ticipant or disrupt a conference. Note that the generation
and update of the key are accomplished by the partici-
pants. Moreover, with the fault tolerance property of our
protocol, the participants are able to ascertain the correct-
ness of the common conference key. Since the storage
auditing can follow the state of the art auditing protocols
(e.g., [25] ), we only focus on the design of group data
sharing scheme in cloud computing in the paper.
3.4.2 Adversary Model
The adversary model determines the capabilities and possi-
ble actions of the attacker. Similar to [11], [26] and [27], the
adversary model is defined as follows.

Authorized licensed use limited to: St Martin's Engineering College. Downloaded on June 08,2022 at 07:39:40 UTC from IEEE Xplore. Restrictions apply.
1000 IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING,
1. The adversary reveals a long-term secret key of a
participant in a conference and then impersonates
others to this participant.
2. The adversary reveals some previous session keys
and then learns the information about the session
key of a fresh participant. Consequently, the adver-
sary can impersonate the fresh participant with the
session key to others.
3. The adversary reveals the long-term keys of one or
more participants in the current run. Then, the
adversary attempts to learn the previous session key.
4. A malicious participant chooses different sub keys,
generates different signatures and broadcasts the
messages to the corresponding participants, which
makes the conference key derived by different par-
ticipants distinct.
4 THE CONSTRUCTION OF THE GROUP DATA
SHARING MODEL
To support a group data sharing scheme for multiple partic-
ipants applying an SBIBD, we design an algorithm to con-
struct the ðv; k þ 1; 1Þ-design. Moreover, the constructed
ðv; k þ 1; 1Þ-design requires some transformations to estab-
lish the group data sharing model such that v participants
can perform the key agreement protocol.
4.1 Construct the ðv; k þ 1; 1Þ-Design
In our group data sharing model, the parameters of the
SBIBD have some specific meanings. In a ðv; k þ 1; 1Þ-design,
v denotes the number of participants and the number of
blocks. Every block embraces k þ 1 participants, and every
participant appears k þ 1 times in these v blocks. Further-
more, every two participants appear simultaneously in
exactly one of the v blocks. Following papers [12] and [13],
Algorithm 1 is designed to construct the structure of a
ðv; k þ 1; 1Þ-design. First, a prime number k is selected. Then,
the number of participants is determined by the value of k,
which is computed as v ¼ k2 þ k þ 1.1 Finally, according to
Definition 3, V ¼ f0; 1; 2; . . . ; v  1g represents the set of v
participants, whereas B ¼ fB0 ; B1 ; B2 ; . . . ; Bv1 g implies v
blocks constituted by these v participants. Note that the block
is defined as Bi ¼ fBi;0 ; Bi;1 ; Bi;2 ; . . . ; Bi;k g, which means
each block embraces k þ 1 participants, and Bi;j denotes
which participant is contained in the jth column of the ith
block. Sometimes we will consider blocks organized as a
matrix in which column j is composed by elements Bi;j for
i ¼ 0; 1; 2; . . . ; k and row i is composed by elements Bi;j for
j ¼ 0; 1; 2; . . . ; k. The structure of the ðv; k þ 1; 1Þ-design is
constructed by Algorithm 1, which outputs numbers Bi;j for
i ¼ 0; 1; . . . ; k2 þ k and j ¼ 0; 1; . . . ; k.
In Algorithm 1, the notation MODk represents the modu-
lar operation that takes the class residue as an integer in the
range 0; 1; 2; . . . ; k  1. Based on Algorithm 1, we can create
the structure of a ðv; k þ 1; 1Þ-design that involves v partici-
pants. Moreover, Algorithm 1 can directly determine which
participant should be involved in each block. For example,
taking the ð13; 4; 1Þ-design into consideration, where 13
1. From here to the end of the paper, the value of v is v ¼ k2 þ k þ 1
and ðv; k þ 1; 1Þ-design is used to represent ðk2 þ k þ 1; k þ 1; 1Þ-design
for brevity.
Authorized licensed use limited to: St Martin's Engineering College. Downloaded on June 08,2022 at 07:39:40 UTC from IEEE Xplore. Restrictions apply.
VOL. 16, NO. 6, NOVEMBER/DECEMBER 2019
participants are involved in this structure, we can decide
which participant should be contained in the 3rd column of
the 8th block by computing
B7;2 ¼ jk þ 1 þ MODk ði  j þ ðj  1Þbði  1Þ=kcÞ
¼ 2  3 þ 1 þ MOD3 ð7  2 þ ð2  1Þbð7  1Þ=3cÞ
¼ 7 þ MOD3 ð5 þ 1  2Þ
¼ 7 þ 1 ¼ 8:
Therefore, from the above calculation, it is concluded
that participant8 is contained in the 3rd column of the 8th
block. Here, participanti represents the ith participant.
Note that Algorithm 1 is an optimization of the algo-
rithm in [12] and the proof of the correctness follows the
same lines than the proof in [12] and [13]. The structure
created by Algorithm 1 can be proven to satisfy the condi-
tions of the ðv; k þ 1; 1Þ-design, which means that each
participant of V appears exactly k þ 1 times in B and that
each pair of participants of V appears exactly once in B.
These properties can be utilized to design the group data
sharing model, which can diminish the communication
cost of the proposed protocol. The detailed process of the
protocol and the corresponding performance analysis
based on the model can be found in Sections 5 and 7,
respectively.
Algorithm 1. Generation of a ðv; k þ 1; 1Þ-Design
for i ¼ 0; i k; i þ þ do
for j ¼ 0; j k; j þ þ do
if j ¼¼ 0 then
Bi;j ¼ 0;
else
Bi;j ¼ ik þ j;
end if
end for
end for
for i ¼ k þ 1; i k2 þ k; i þ þ do
for j ¼ 0; j k; j þ þ do
if j ¼¼ 0 then
Bi;j ¼ bði  1Þ=kc;
else
Bi;j ¼ jk þ 1 þ MODk ði  j þ ðj  1Þbði  1Þ=kcÞ;
end if
end for
end for
Definition 4. In our ðv; k þ 1; 1Þ-design of an SBIBD, a sector is a
collection of blocks defined by Sx ¼ fBi : Bi;0 ¼ xg for x ¼ 0; 1;
2; . . . ; k. Sector S0 ¼ fB0 ; B1 ; B2 ; . . . ; Bk g is formed by k þ 1
blocks, and sector Sj ¼ fBkjþ1 ; Bkjþ2 ; Bkjþ3 ; . . . ; Bkðjþ1Þ g is
formed by k blocks for j ¼ 1; 2; 3; . . . ; k.
For example, in a ðv; k þ 1; 1Þ-design, S1 ¼ fBkþ1 ;
Bkþ2 ; . . . ; B2k g.
Lemma 1. In S0 with ðk þ 1Þ  ðk þ 1Þ elements, element 0
appears k+1 times in the first column of S0 , and the remaining
k2 þ k elements f1; 2; . . . ; k2 þ kg appear exactly once in S0 in
order.
Proof. According to Algorithm 1, when i ¼ 0; 1; . . . ; k, if j ¼ 0,
then Bi;j ¼ 0. Therefore, element 0 appears k þ 1 times in
SHEN ET AL.: BLOCK DESIGN-BASED KEY AGREEMENT FOR GROUP DATA SHARING IN CLOUD COMPUTING
the k þ 1 blocks (i.e., B0;0 ; B1;0 ; . . . ; Bk;0 ) of S0 . If j 6¼ 0, then
Bi;j ¼ ik þ j, which implies that Bi;jþ1 ¼ Bi;j þ 1ðfor j ¼
0; 1; . . . ; k  1Þ and Biþ1;1 ¼ Bi;k þ 1ðfor i ¼ 0; 1; . . . ; k  1Þ.
Given Bi;j ¼ 0, we have the progression B0;0 ; B0;1 ;
B0;2 ; . . . ; B0;k ; B1;1 ; B1;2 ; . . . ; B1;k ; B2;1 ; B2;2 ; . . . ; B2;k ; . . . ;
Bk;1 ; Bk;2 ; . . . ; Bk;k is the arithmetic progression 0; 1; 2; 3;
4; . . . ; k2 þ k. It is concluded that the remaining k2 þ k
elements f1; 2; . . . ; k2 þ kg appear exactly once in S0 in
order.
In any sector Sx with k or k þ 1 blocks, the first element of
each block has the same value as x. Based on Lemma 1, in
sector S0 , the first element of these k þ 1 blocks is 0. Then, in
the last k2 blocks, Bi;j ¼ bði  1Þ=kc if j ¼ 0. Based on Defini-
tion 4, the index of each sector is x ¼ bi  1=kc, which is
equal to Bi;j . Therefore, the first element of each block has
the same value as bði  1Þ=kc, namely, x.
Lemma 2. In sector Sx ðx 6¼ 0Þ, except for the first element of
each block that are the same, the set of the other k2 elements is
equal to V  B0 .
Proof. Based on Definition 4, in Sx , the first element of each
block has the same value as x. Then, according to Algo-
rithm 1, the remaining k2 elements of Sx are calculated as
Bi;j ¼ jk þ 1 þ MODk ði  j þ ðj  1Þbði  1Þ=kcÞ.
Due to the property of the modular arithmetic and ele-
mentary properties of floor function, the values of these
k2 elements are between k þ 1 and k2 þ k and these k2
values are distinct. Note that V ¼ f0; 1; . . . ; k2 þ kg and
B0 ¼ f0; 1; . . . ; kg. Therefore, the set of the other k2 ele-
ments in Sx is equal to V  B0 ¼ fk þ 1; k þ 2; . . . ; ; k2 þ kg.
In addition, the detailed proof for the fact that the val-
ues of these k2 elements are between k þ 1 and k2 þ k
and these k2 values are distinct is given as follows.
For a given value between k þ 1 and k2 þ k, say k þ n
for 1 n k2 we look for an index j, 0 j k such that
k þ n is in sector Sx for a fixed x ¼ 0; 1; 2 . . . ; k. On the
other hand sector Sx ¼ fBkxþ1 ; Bkxþ2 ; Bkxþ3 ; . . . ; Bkðxþ1Þ g,
then we also look for m and j, 1 m k such that
Bkxþm;j ¼ k þ n.  We obtain jk þ 1 þ MODk ðkx þ m  j þ
ðj  1ÞÞ kxþm1 k Þ ¼ k þ n and then MODk ðm  j þ ðj 
1ÞxÞ ¼ k þ n  jk  1 must be a number in the range
0; 1; 2 . . . ; k  1, that is, 0 k þ n  jk  1 < k obtaining
0 1 þ n1 k  j < 1 and then j  1
n1
k < j equivalent
to j  1 ¼ k . We can
n1
  conclude that the value j is
unique and j ¼ 1 þ n1 k . From the value of j,
MODk ðm  j þ ðj  1ÞxÞ ¼ k þ n jk  1 and taking into
account that 1 m k  1, we can obtain a unique pos-
sible value m  1 ¼ MODk ðð1  jÞx þ j þ n  2Þ, that is
m ¼ 1 þ MODk ðð1  jÞx þ j þ n  2Þ. u
t blocks of fS0 ; S1 ; S2 ; . . . ; Sk g in B to the first k þ 1 blocks in
Lemma 3. In sector Sx ðx 6¼ 0Þ with k blocks, the set of the k ele-
ments of the xth column is equal to the index set of the k blocks
in Sx .
Proof. According to Definition 4, in Sx , the index set of k
blocks is fxk þ 1; xk þ 2; . . . ; xk þ kg. Then, elements of
the xth column of Sx are computed as Bi;j ¼ jk þ
1 þ MODk ði  j þ ðj  1Þbði  1Þ=kcÞ. The xth column of
Sx means that j ¼ x. Therefore, Bi;j ¼ xk þ 1 þ MODk ði 
x þ ðx  1Þbði  1Þ=kcÞ. Based on the modular arithmetic,
when i takes a value of the set ½xk þ 1; xk þ k, we have
Authorized licensed use limited to: St Martin's Engineering College. Downloaded on June 08,2022 at 07:39:40 UTC from IEEE Xplore. Restrictions apply.
1001
u
t
Fig. 2. The reconstruction process of B to E.
Bi;j ¼ xk þ 1; xk þ 2; . . . ; xk þ k, which is equal to the
index set of the k blocks in Sx . u
t
4.2 Design of the Group Data Sharing Model
Through Algorithm 1, the structure B of the ðv; k þ 1; 1Þ-design
is constructed for v participants, which satisfies the properties
of an SBIBD. However, to generate a common conference key
for the v participants, the structure of the ðv; k þ 1; 1Þ-design
should have the property that each block Bi embraces
participanti . Here, Bi is the ith block of the structure of the
ðv; k þ 1; 1Þ-design, and the order of the appearance of these v
blocks is represented by i. Note that the structure B con-
structed by Algorithm 1 does not have the required property.
Thus, some transformations of the structure of B are needed.
Based on Lemma 1, Lemma 3, and Definition 4, the v blocks
of B can be reconstructed to derive a new structure E of
the ðv; k þ 1; 1Þ-design such that each block Et embraces
participantt . Notably, the adjustment of the structural order
among blocks in the block design does not affect its character-
istics and this transformed structure E is therefore a standard
one in the theory of SBIBDs. Algorithm 2 can be employed to
accomplish the reconstruction of B to E after the structure of
B is created by Algorithm 1. During the reconstruction pro-
cess, a flag bit for each block Bi is required to indicate whether
Bi is transformed. The flag bit is denoted as Bi ½flag, which is
0 if Bi has not been transformed and is 1 otherwise. The
detailed reconstruction process is given as follows. To make
the process from B to E clear, a concrete example is shown in
Fig. 2. In Fig. 2, a ð13; 4; 1Þ-design is constructed by Algorithm 1
first, which is depicted on the left of Fig. 2. Then, Algorithm 2
with three steps is used to accomplish the reconstruction of B
to E. Note that the transformed structure of E is shown on
the right of Fig. 2.
Step 1. Step 1 describes transformations of the first k þ 1
E. Here, B0 needs no transformations; thus, we have
E0 ¼ B0 . Based on Definition 4, in any sector Sx of B, the
first element of each block has the same value as x. To sat-
isfy the property that each block Et embraces participantt ,
the first block of fS1 ; S2 ; . . . ; Sk g of B will be transformed to
the E1 to Ek blocks of E. Consequently, the results of trans-
formations in step 1 are E0 ¼ B0 and Et ¼ Btkþ1 ; ð1 t kÞ.
For example, in Fig. 2, the first elements of the first block in
S1 , S2 , and S3 in B are 4,7, and 10, respectively, which are
marked with a red color. The results of the transformations
of step 1 in Fig. 2 are E0 ¼ B0 , E1 ¼ B4 , E2 ¼ B7 and
1002 IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING,
E3 ¼ B10 . It is clearly observed from Fig. 2 that the first k þ 1
blocks of E have the property that 0 2 E0 , 1 2 E1 , 2 2 E2 ,
and 3 2 E3 .
Algorithm 2. The Reconstruction of B
E0 ¼ B0 ; (step 1)
for t ¼ 1; t k; t þ þ do
Et ¼ Btkþ1 ; (step 1)
Btkþ1 ½flag ¼ 1;
EEt;t ¼ BbðEt;t 1Þ=kc ; (step 2)
Btkþ1 ½flag ¼ 1;
end for
for i ¼ k þ 1; i k2 þ k; i þ þ do
if Bi ½flag 6¼ 1 then
EBi;bði1Þ=kc ¼ Bi ; (step 3)
end if
end for
Step 2. Transformations of step 2 are based on Lemma 1;
in S0 with ðk þ 1Þðk þ 1Þ elements, element 0 appears k þ 1
times in the first column of S0 and the remaining k2 þ k ele-
ments f1; 2; . . . ; k2 þ kg appear exactly once in S0 in order.
To satisfy the property that each block Et embraces
participantt , the k blocks of B1 ; B2 ; . . . ; Bk in B will be trans-
formed to the intended k blocks of E. Note that the index of
the k blocks of E is determined by the xth element of the
first block of Sx ðx 6¼ 0Þ in B, which is equal to Et;t ð1 t kÞ
of E. The results of the transformations in step 2 are
EEt;t ¼ BbðEt;t 1Þ=kc ð1 t kÞ. For example, in Fig. 2, the xth
element of the first block of Sx ðx 6¼ 0Þ in B is 4, 8, 11, respec-
tively, which is marked with a green color. The results of
the transformations of step 2 in Fig. 2 are E4 ¼ B1 , E8 ¼ B2
and E11 ¼ B3 . It is clearly observed from Fig. 2 that the
Et;t ð1 t kÞ blocks of E have the property that 4 2 E4 ,
8 2 E8 , and 11 2 E11 .
Step 3. The transformations of step 3 are based on
Lemma 3; in sector Sx ðx 6¼ 0Þ with k blocks, the set of the k
elements of the xth column is equal to the index set of the k
blocks in Sx . In step 3, the remaining k  1 blocks of each
sector Sx ðx 6¼ 0Þ in B are transformed to the intended
k  ðk  1Þ blocks of E. Note that the index of the k  ðk  1Þ
blocks of E is determined by the xth column of the remain-
ing k  1 blocks of sector Sx ðx 6¼ 0Þ in B. Hence,
Bi;x ðk þ 1 i k2 þ 2Þ is used as the index of E. The results
of the transformations in step 3 are EBi;x ¼ Bi ðk þ 1
i k2 þ k; Bi;x 6¼ Et;t ð1 t kÞÞ, where Bi belongs to the
xth sector in B. According to Definition 4, the Bi block in B
belongs to the bði  1Þ=kc sector in B; thus, in step 3 of Algo-
rithm 2, x is denoted as bði  1Þ=kc. The k Et;t ð1 t kÞ
blocks of Sx ðx 6¼ 0Þ in B have been transformed in step 2;
therefore, the k blocks need no transformations in step 3.
For example, in Fig. 2, the xth column of the k  1 blocks
of sector Sx is f5; 6g; f9; 7g; f12; 10g, respectively, which is
marked with a white color. The results of the transfor-
mations of step 3 in Fig. 2 are fE5 ¼ B5 ; E6 ¼ B6 g, fE9 ¼
B8 ; E7 ¼ B9 g, fE12 ¼ B11 ; and E10 ¼ B12 g. It is clearly
observed from Fig. 2 that the Bi;x ðk þ 1 i k2 þ k; Bi;x 6¼
Et;t ð1 t kÞÞ blocks of E have the property that 5 2 E5 ,
6 2 E6 , 9 2 E9 , 7 2 E7 , 12 2 E12 , and 10 2 E10 .
By Algorithm 2, the structure of E is reconstructed, which
not only conforms to the properties of a ðv; k þ 1; 1Þ-design
Authorized licensed use limited to: St Martin's Engineering College. Downloaded on June 08,2022 at 07:39:40 UTC from IEEE Xplore. Restrictions apply.
VOL. 16, NO. 6, NOVEMBER/DECEMBER 2019
but also satisfies the property that each block Et contains
participantt . Hence, the reconstructed E can be used to
design the group data sharing model. Based on this model,
the key agreement protocol can be processed by v partici-
pants and a common conference key can be derived. More-
over, the structure of E should be determined by
mathematical descriptions to derive general formulas to
compute the common conference key for each participant.
In summary, based on Algorithm 1, mathematical descrip-
tions of the structure of B can be deduced first. Then, to
derive the mathematical descriptions of the structure of E,
the functional relationships of the transformations of B to E
should be determined. Based on Algorithm 2, the transfor-
mations of B to E can be divided into four different cases.
In the following four different cases, t denotes the index of
the block of E, m implies the mth column of one block of E,
and Et;m indicates which participant is contained in the mth
column of the tth block in E.
Case 1. E0 ¼ B0 ¼ f0; 1; . . . ; kg
Case 2. 0 m k; 1 t k
Et;m ¼ Btkþ1;m

t; ðm ¼ 0Þ
¼
mk þ 1 þ MODk ðt  1Þðm  1Þ; ðm > 0Þ
Case 3. 0 m k; t ¼ Ei;i ; ð1 i kÞ
Et;m ¼ Bbðt1Þ=kc;m

0; ðm ¼ 0Þ
¼
bðt  1Þ=kck þ m; ðm > 0Þ
Case 4. 0 m k; t ¼ Bi;x ; ðt 6¼ Ei;i Þ
Et;m ¼ Bkðxþ1Þþr;m

x; ðm ¼ 0Þ
¼
mk þ 1 þ MODk ðmx  x  m þ rÞ; ðm > 0Þ
Case 1 and Case 2 correspond to step 1 of Algorithm 2, Case
3 corresponds to step 2 of Algorithm 2, and Case 4 corre-
sponds to step 3 of Algorithm 2. In Case 1, the structure of E0
is directly described by B0 , which is f0; 1; . . . ; kg. Since in
step 1 and step 2 of Algorithm 2, the index of B is a function
of
 the index  of E, namely, tk þ 1 is a function of t,
ðEt;t  1Þ=k is a function of Et;t . The transformations of B
to E can be directly determined by the functional relation-
ships between the index of B and the index of E. Thus, the
mathematical descriptions in Case 2 and Case 3 can easily be
obtained by Algorithm 1. However, in step 3 of Algorithm 2,
the index of B is not a function of the index of E, namely, i
is not a function of Bi;x . According to Algorithm 1, the index
Bi;x ðk þ 1 i k2 þ kÞ of E in step 3 of Algorithm 2 is calcu-
lated as Eq. (1), where x and k are known and the index
Bi;x ðk þ 1 i k2 þ kÞ of E is a function of the index i of B
Bi;j ¼ xk þ 1 þ MODk ði  x þ ðx  1Þbði  1Þ=kcÞ: (1)
Let t ¼ Bi;x ðk þ 1 i  k2 þ kÞ, according to [28], the values
i in Eq. (1) are i ¼ k t1
k þ r, where r ¼ 2; 3; 4; . . . ; k  1; k
and the index i of B is a function ofthe index t ¼ Bi;x of  E.
According to Definition 4, in B, x ¼ t1
k . Thus, i ¼ k t1
k þr
is equivalent to
i ¼ kx þ r: (2)
SHEN ET AL.: BLOCK DESIGN-BASED KEY AGREEMENT FOR GROUP DATA SHARING IN CLOUD COMPUTING
TABLE 1
The Structure of E of a ðv; k þ 1; 1Þ-Design
E0 ¼ f0; 1; . . . ; kg
E1 ¼ f1; k þ 1; 2k þ 1 þ MODk ð0  ð2  1ÞÞ; . . . ; k2 þ 1g
E2 ¼ f2; k þ 1; 2k þ 1 þ MODk ð1  ð2  1ÞÞ; . . . ; k2 þ 1 þ
MODk ð1  ðk  1ÞÞg
E3 ¼ f3; k þ 1; 2k þ 1 þ MODk ð2  ð2  1ÞÞ; . . . ; k2 þ 1 þ
MODk ð2  ðk  1ÞÞg
...
Ek ¼ fk; k þ 1; k2 þ 1 þ MODk ððk  1Þð2  1ÞÞ; . . . ; k2 þ 1 þ
MODk ðk  1Þ2 g
EE1;1 ¼ f0; k þ 1; k þ 2; . . . ; k þ kg
Et ¼ f1; k þ 1 þ MODk ðr  1Þ; . . . ; k2 þ 1 þ MODk ðkx  x  k þ rÞg
EE2;2 ¼ f0; 2k þ 1; 2k þ 2; . . . ; 2k þ kg
Et ¼ f2; k þ 1 þ MODk ðr  1Þ; . . . ; k2 þ 1 þ MODk ðkx  x  k þ rÞg
...
EEk;k ¼ f0; k2 þ 1; k2 þ 2; . . . ; k2 þ kg
Et ¼ fk; k þ 1 þ MODk ðr  1Þ; . . . ; k2 þ 1 þ MODk ðk2  2k þ rÞg
Based on Eq. (2), the mathematical descriptions in Case 4 are
derived to describe the structure of the k  1 blocks of
Sx ðx 6¼ 0Þ in E. Note that r has k  1 different values, which
describes the structure of the ðk  1Þ blocks of Sx in Et .
The structure of E of a ðv; k þ 1; 1Þ-design can be
described in detail based on the mathematical descriptions
in Case 1, Case 2, Case 3 and Case 4, which is illustrated in
Table 1. In Table 1, the index of E is between 0 and k2 þ k,
and which participant is contained in the mth column in Et
can be determined by the mathematical descriptions in the
four different cases. A concrete example can be found in
Appendix, available in the online supplemental material,
where the structure of E of a ð31; 6; 1Þ-design is constructed.
In our protocol, two rounds are required to generate a
common conference key. In each round, every participant
will receive messages from their intended participants. The
group data sharing model can determine which participants
are the intended message senders of participanti . The group
data sharing model is established as follows. If j 2 Ei ,
participantj is the intended message sender of participanti
in Round 1. If i 2 Ej , participantj is the intended message
sender of participanti in Round 2. Based on the group data
sharing model, every participant can receive messages from
their 2k intended message senders after two rounds of the
key agreement. For example, in Fig. 3, the ð13; 4; 1Þ-design
group data sharing model is established by the structure of
E of a ð13; 4; 1Þ-design. Based on the group data sharing
model in Fig. 3, 13 participants are involved, where each
participant has 2  3 intended message senders. Taking
participant0 into consideration, the intended message send-
ers of participant0 in Round 1 are 1, 2, 3, whereas the
intended message senders of participant0 in Round 2 are 4,
8, 11. Moreover, for participanti , the messages sending from
his 2k intended message senders can generate the common
conference key for himself.
After the construction of the group data sharing model,
the block design-based key agreement protocol is designed
for data sharing in cloud computing, which is described in
detail in Section 5.
Authorized licensed use limited to: St Martin's Engineering College. Downloaded on June 08,2022 at 07:39:40 UTC from IEEE Xplore. Restrictions apply.
1003
Fig. 3. ð13; 4; 1Þ-design group data sharing model.
5 A BLOCK DESIGN-BASED KEY AGREEMENT
PROTOCOL
5.1 Initial Phase
In the protocol, a TPA takes responsibility for generating
some system parameters and distributing the private key
for all participants. In the key generation phase of the proto-
col, the TPA publishes fp; q; G1 ; G2 ; G; e^; Ppub ; H1 ; H2 g but
keeps his private key s 2 Zq secret. Here, p and q are two
prime numbers, and G; G1 ; G2 and e^ are the parameters of
the Weil pairing, which are defined in Definition 1. In addi-
tion, H1 and H2 are two hash functions, which map its arbi-
trary length to a nonzero point of G1 and nonzero integer,
respectively. In our block design-based key agreement pro-
tocol, participanti ’s public key and private key are mapped
as H1 ðIDi Þ and S i ¼ sH1 ðIDi Þ, respectively. Here,
IDi 2 f0; 1g is the identity for participanti . Moreover, to
provide authentication, based on the RSA cryptographic
algorithm, the TPA selects a public key ei and a private key
di for each participant and distributes ðei ; nÞ to all the partic-
ipants, where n is the product of two large prime numbers.
Subsequently, participant i computes Yi ¼ H2 ðIDi Þ, Xi ¼
ðYi Þdi and keeps ðdi ; Xi Þ secret.
5.2 Key Agreement Phase
In the key agreement phase, two rounds are required for
generating a common conference key for multiple partici-
pants, and the way of message exchanges is with respect to
the group data sharing model established by the structure
E of the ðv; k þ 1; 1Þ-design.
Round 1. In Round 1, a random number ri is chosen as a
secret key and Mi ¼ e^ðG; ei ri S i Þ is calculated by each partic-
ipant, which contributes to generating a common confer-
ence key among all participants. Then, Yi ¼ H2 ðIDi Þ,
Ti ¼ Xi  e^ðG; wi ri S i Þ and a time stamp ti are used to support
d
authentication services, where Xi ¼ Yi i , wi ¼ H2 ðMi; ti Þ.
Subsequently, participanti receives message Dj ¼ fYj ;
ðMj Þei ; Tj ; tj g from participantj in the case that j 2 Ei . In
addition, according to the property that each block Ei con-
tains participanti , we have i 2 Ei . However, participanti
does not have to receive a message from himself. Therefore,
participanti receives message Dj ¼ fYj ; ðMj Þei ; Tj ; tj g from
participantj in the case that j 2 Ei ðj 6¼ iÞ. According to the
1004 IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING,
four mathematical descriptions of the structure of E of a
ðv; k þ 1; 1Þ-design, the key agreement phase in Round 1 is
divided into four cases.
Case 1: Participant0 needs to receive messages from
participantj ð1 j kÞ.
Case 2: For participanti ði kÞ, they need to receive mes-
sages from participantj ðj ¼ mk þ 1 þ MODk ði  1Þðm  1Þ;
j 6¼ iÞ.
Case 3: For participanti ði ¼ Em;m Þ, they need to receive
messages from participant0 and participantj ðj ¼ bði  1Þ=kc
k þ m; j 6¼ iÞ.
Case 4: For the remaining k2  k participants, they need to
receive messages from participantbði1Þ=kc and participant
j; ðj ¼ mk þ 1 þ MODk ðmx  x  m þ rÞ; j 6¼ iÞ, where r ¼
2; 3; 4; . . . ; k  1; k.
After every participant receives k messages contributed
to generate a common conference key from their intended
message senders, Eq. (3) is calculated by participanti to
decrypt the messages
 d
Mj ¼ ðMj Þei i ; j 2 Ei  fig;
where di is the secret key of participanti . To authenticate
e w
participantj ’s identity, participanti computes Tj j =Mj j . If the
e w
condition of ¼ Yj holds, participanti can authenti-
Tj j =Mj j
cate participantj , where wj ¼ H2 ðMj; tj Þ. In addition, Eq. (4)
is used to derive Ci;j , which will be used in Round 2 to gener-
ate a common conference key for participantj
Y ¼
Ci;j ¼ Mx (4)
x2Ei fjg
Round 2: Participanti receives message E j;i ¼ fYj ;
ðCj;i Þei ; ðMj Þei ; Tj ; tj g from participantj in the case that
i 2 Ej , where Cj;i is used to generate a common conference
key. In fact, every Cj;i contributes k messages for
participanti to generate a common conference key. Similar
e w
to Round 1, participanti verifies the equation Tj j =Mj j ¼ Yj
to support authentication services. If the equation holds,
participanti can authenticate participantj ’s identity, but not
vice versa. Subsequently, for participanti , the common con-
ference key is computed as
0 1
Y
K ¼ Mi @ Cj;i A
j such that i2Ej
0 1
Y ascertain its correctness. To facilitate understanding, the
¼ e^ðG; ei ri S i Þ  @ Cj;i A
j such that i2Ej
! illustrated in Appendix A, available in the online supple-
X
v1
¼ e^ G; ei ri S i :
i¼0
Theorem 1. According to the presented block design-based key
agreement protocol, a common conference key is derived for
multiple participants in the same group.
Proof. The conference key agreement requires all conferees
to obtain messages from the others. In the group data
sharing model of the ðv; k þ 1; 1Þ-design, v participants
are involved in a group, where v ¼ k2 þ k þ 1. It is
Authorized licensed use limited to: St Martin's Engineering College. Downloaded on June 08,2022 at 07:39:40 UTC from IEEE Xplore. Restrictions apply.
VOL. 16, NO. 6, NOVEMBER/DECEMBER 2019
required that each participant receives messages from
the remaining k2 þ k participants. Based on the group
data sharing model, every participant receives k mes-
sages from their intended participants in each round. In
Round 1, participanti receives k secret messages Mj
from participantj in the case that j 2 Ei ðj 6¼ iÞ. In Round
2, participanti receives k secret messages Cj;i from
participantj in the case that i 2 Ej ðj 6¼ iÞ. Furthermore,
based on Eq. (4), each Cj;i contains k secret messages
Mx of k participants. Thus, every participant receives k2
messages in Round 2. In summary, participanti receives
k2 þ k messages after two rounds of key agreement.
According to Definition 3, in a ðv; k þ 1; 1Þ-design, every
pair of two elements appears simultaneously in exactly
one of the b blocks; here, v ¼ b. Therefore, the k2 þ k
messages of each participant are not repeated. For
participanti , he obtains messages from ðparticipant0 ; . . . ;
participanti1 ; participantiþ1 ; . . . ; participantv1 Þ without
redundancy, which contribute to generating a common
conference key. u
t
(3)
Theorem 2. In our protocol, participanti can authenticate their
e w
counterparts if the condition of Tj j =Mj j ¼ Yj holds.
Proof. According to Definition 1, we have
e w ðXj  e^ðG; wj rj Sj ÞÞej
Tj j =Mj j ¼ wj
e^ðG; ej rj Sj Þ
e
Xj j  e^ðG; wj ej rj Sj Þ
:
e^ðG; wj ej rj Sj Þ
Here, wj ¼ H2 ðMj; tj Þ is computed by participantj ,
while wj ¼ H2 ðMj; tj Þ is computed by participanti . In
addition, according to Euler’s Theorem, we have
e d e w
Xj j ¼ ðYj j Þej ¼ Yj . The equality is held between Tj j =Mj j
and Yj if wj ¼ wj . Note that the wj calculated by
participantj and the wj calculated by participanti are
equal only if the message is actually sent from
participantj . An adversary that has no access to rj and S j
could not derive Mj ¼ e^ðG; ej rj Sj Þ. Therefore, if the equa-
e w
tion Tj j =Mj j ¼ Yj holds, participanti can authenticate
that the message is actually transmitted from participantj
in Round 1 and Round 2. u
t
If all participants follow the protocol, they can form a
data sharing group, derive a common conference key and
(5) detailed process for computing the common conference key
for multiple participants based on a ðv; k þ 1; 1Þ-design is
mental material. In addition, a concrete example of the pro-
tocol can be found in Appendix B, available in the online
supplemental material, where 31 participants are involved.
5.3 Fault Detection Phase
In practice, we cannot guarantee that all participants in the
group are honest. The existence of malicious participants
can seriously destroy the conference. In Yi’s protocol [7], an
attack from malicious participants is called a different key
attack. In different key attacks, a malicious participant
SHEN ET AL.: BLOCK DESIGN-BASED KEY AGREEMENT FOR GROUP DATA SHARING IN CLOUD COMPUTING
chooses different sub keys, generates different signatures
and broadcasts different messages to different participants
such that the signatures of malicious participants are valid
and malicious participants can be authenticated by other
participants. In addition, the different sub keys make differ-
ent participants derive different conference keys, which may
lead to serious damage of the conference and make the proto-
col invalid. Therefore, the fault detection phase is added to
prevent different key attacks from malicious participants.
The role of the TPA in the fault detection phase is to
ensure that each participant only generates a unique sub
key and to prevent the conference from being delayed or
destroyed by malicious participants. In our protocol,
IDTPA 2 f0; 1g represents the identity of the TPA. In the ini-
tial phase of the protocol, the TPA needs to select one more
integer g 2 Zq and each participanti needs to submit
Ai ¼ Mgi to the TPA. After all the participants generate a
common conference key following the protocol, the TPA
broadcasts fN; IDTPA ; Ai j0 i v  1g among all partici-
pants, where N ¼ H2 ðID1 ; ID2 ; . . . ; IDv ; ID1 ; IDTPA ; tÞ is an
unique serial number for this conference and Ai denotes the
verified unique sub key of all participants. Then, every par-
ticipant verifies the authenticity of the common conference Qv1
key K by checking whether the equation Kg ¼ i¼0 Ai
holds. If the equation does not hold for some participants,
some malicious participants are involved in the group and
the fault detection phase begins. Otherwise, a common con-
ference key is established among all participants.
In the fault detection phase,
Q participantj , who finds that
the above equation Kg ¼ v1 i¼0 Ai does not hold, needs to
send a fault report ðN; IDj ; rj ; Mx ; x 2 Ej  jÞ to the TPA.
The fault report contains the secret key of participantj and
the messages M he received from the intended participants.
Then, the TPA checks whether Mgj ¼ e^ðG; ej rj S j Þg ¼ Aj
holds. If not, the message that participantj sends to other
participants is different from the message that participantj
submits to the TPA. Thus, participantj has to resend the
fault report in a period of time ~t. Note that participantj
should be removed from the conference if the failure occur-
rence of participantj exceeds a threshold t or participantj
did not resend the report within ~t. Here, t represents the
tolerable number of errors. In this case, participantj is either
a malicious participant or undergoes a denial of service
attack. Otherwise, the fault detection should be processed
among all the remaining participants.
When the fault detection phase is conducted by all the
remaining participants, every participant except participantj
should send ðN; IDi ; ri ; Mx ; x 2 Ei  iÞ to the TPA. Then,
the TPA checks whether Mgi ¼ e^ðG; ei ri S i Þg ¼ Aj holds. If
not, participanti has to resend the fault report in a period of
time ~t. Similar to participantj , participanti should be
removed from the conference if the failure occurrence of
participanti exceeds a threshold t or participanti did not
resend the report within ~t. Otherwise, the TPA checks
whether Mi ¼ e^ðG; ei ri S i Þ calculated by participanti is equal
to Mi received from participanty ði 2 Ey ðy 6¼ iÞÞ. If not,
participanti is a malicious participant. If yes for all the
remaining participants, participantj is a malicious partici-
pant. The TPA removes the malicious participant and denial
of service participant, and the protocol restarts. After the
fault detection phase, an authenticated common conference
Authorized licensed use limited to: St Martin's Engineering College. Downloaded on June 08,2022 at 07:39:40 UTC from IEEE Xplore. Restrictions apply.
1005
key is derived among all the honest participants in a group.
Following the proof of Theorem 3, the presented protocol
can resist different key attacks and support the fault toler-
ance property.
Theorem 3. In fault detection phase, an honest participant will
not be removed by the TPA and a malicious participant who
attempts to delay or destroy the conference will be removed by
the TPA.
Proof. For an honest participant participanth , two situations
should be taken into consideration. The first is that
Qv1
participanth finds Kg 6¼ i¼0 Ai . Subsequently, the fault
detection phase begins, and the fault report
ðN; IDh ; rh ; Mx ; x 2 Eh  hÞ of participanth is sent to the
TPA. Due to the honesty of participanth , there exists
participanti such that either Mgi 6¼ Ai or Mi 6¼ Mi .
Therefore, participanti is detected as a malicious partici-
pant. The second is that participanth is asked to submit
ðN; IDh ; rh ; Mx ; x 2 Eh  hÞ to the TPA. Because of the
honesty of participanth , the TPA finds Mgh ¼ Ah and
Mh ¼ Mh . In conclusion, an honest participant will never
be removed by the TPA.
For a malicious participant participantm who attempts
to delay or destroy the conference, three cases where
participantm attempts to sabotage the conference should
be taken into consideration. The first case is that
participantm delays submitting a required message or
keeps sending invalid messages to the TPA. In this case,
participantm will be removed from the conference if the
failure occurrence exceeds a threshold t or participantm
did not resend the report within ~t. The second case is
that participantm deliberately sends a fault report
ðN; IDm ; rm ; Mx ; x 2QEm  mÞ to the TPA. In this case,
the TPA finds Kg 6¼ v1 i¼0 Ai , and all the remaining partic-
ipants have to send a fault report to the TPA. However, if
Mi ¼ Mi holds for all the remaining participants,
participantm is detected as malicious and removed by
the TPA. The third case is that participantm performs the
different key attack. Participantm selects two different
sub keys rm and rm and submits a false message to the
TPA. Due to the different sub keys of participantm , the
common conference key generated from different partici-
pants is distinct. In this case, there is at least one Mgm not
equal Qto Am since rm 6¼ rm . Participanti who detects
v1
Kg 6¼ i¼0 Ai will report this fault to the TPA. Then,
participantm is required to submit ðN; IDm ; rm ; Mx ; x 2
Em  mÞ. Because Mm calculated by participantm does
not equal Mm received from other participants,
participantm is detected as a malicious participant. u
t
According to Theorem 3, an honest participant will not be
removed from the conference, whereas a malicious partici-
pant will be detected and removed from the conference. In
addition, after some malicious participants are removed
from the conference, the common conference key could not
be derived because some messages are missing for generat-
ing the conference key. Then, the positions of malicious par-
ticipants should be replaced by volunteers to ensure that the
protocol performs well. A volunteer is a participant in a con-
ference who helps real participants complete some calcula-
tions and transfer information. Moreover, during the key
1006 IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING,
agreement process, Mi of the volunteer is set as 1, which can
make our protocol perform well. Therefore, the protocol can
not only resist different key attacks from malicious partici-
pants but also provide the property of fault tolerance.
The proposed protocol can effectively support secure and
efficient group data sharing in cloud computing, which is
described as follows. In the initial phase, the system parame-
ters are generated by the TPA. Then, the TPA distributes the
parameters to the clients who want to achieve data sharing
in the cloud. In the key agreement phase, in Round 1, each
client in the same group selects a secret key ri and calculates
Mi ¼ e^ðG; ei ri S i Þ. In addition, Yi ¼ H2 ðIDi Þ, Ti ¼ Xi  e^ðG; wi ri S i Þ
and a time stamp ti are used to support authentication serv-
d
ices, where Xi ¼ Yi i and wi ¼ H2 ðMi; ti Þ. Subsequently,
each client receives messages Dj ¼ fYj ; ðMj Þei ; Tj ; tj g from
their intended counterparts based on the structure of the
SBIBD. In Round 2, each client receives messages E j;i ¼
fYj ; ðCj;i Þei ; ðMj Þei ; Tj ; tj g from their intended counterparts.
According to Theorem 1, after the two rounds of information
exchange, every client within a group generates a common
conference key. In a group, the correctness and validity of
the common conference key are guaranteed by the fault tol-
erance property of the protocol. In addition, the clients in the
group can dynamically update the key by restarting the pro-
tocol. In Sections 6 and 7, the presented protocol has already
been proven to be secure against both passive attacks and
active attacks, and the communication complexity and p theffiffiffi
computational complexity of our protocol is only Oðv vÞ
2
and Oðvm Þ, respectively.
6 SECURITY ANALYSIS
The security of our protocol is based on the ECDLP [29] and
the BDH assumption [10]. In this section, we prove that our
protocol is secure against passive attacks and active attacks.
6.1 Security Against Passive Attacks
In our protocol with v participants, a participant and a vol-
unteer in the protocol are a probabilistic polynomial-time
Turing machine, as is an adversary. A passive adversary is
the person who attempts to learn information about the con-
ference key by eavesdropping on the multicast channel.
Note that an adversary has access to the system parameters
fG; PPUB ; H2 ðIDi Þj0 i v  1g and the public key ðei ; nÞ
for participanti . In contrast, the secret key di for participanti
cannot be deduced since it is hard to solve the integer factor-
ization problem. In addition, the ephemeral key ri for
participanti is prevented from the adversary due to the
ECDLP and the BDH assumption. According to [10], if
X poly Y , then the presented protocol is secure against pas-
sive attacks. X poly Y represents thatPtwo tuples of random
variables X ¼ fG; PPUB ; H2 ðIDi Þ; e^ðG; ei ri S i Þj0 i v  1g
and Y ¼ fG; PPUB ; H2 ðIDi Þ; yj0 i v  1; y 2 Zq g are poly-
nomially indistinguishable, where y 2 Zq is a randomly
chosen number. More precisely, if X poly Y , for all polyno-
mial time distinguishers, the probability of distinguishing
X and Y is smaller than 12 þ QðlÞ1
for all polynomials QðlÞ [30].
Here, l 2 Z þ is a security parameter in our key agreement
protocol, which can determine the size of p defined in Defi-
nition 1. All algorithms run in probabilistic polynomial time
with l as an input.
Authorized licensed use limited to: St Martin's Engineering College. Downloaded on June 08,2022 at 07:39:40 UTC from IEEE Xplore. Restrictions apply.
VOL. 16, NO. 6, NOVEMBER/DECEMBER 2019
Theorem 4. If the condition of Xi poly Yi holds for all
participanti , then X poly Y .
P
Proof. Let Xi ¼ fG; PPUB ; H2 ðIDi Þ; e^ðG; ei ri S i Þg and
Yi ¼ fG; PPUB ; H2 ðIDi Þ; yi g.
X
X ¼ ðG; PPUB ; H2 ðIDi Þ; e^ðG; ei ri S i Þj0 i v  1Þ
X
¼ ðG; PPUB ; H2 ðID0 Þ . . . H2 ðIDv1 Þ; e^ðG; e0 r0 S 0 Þ
X
. . . e^ðG; ev1 rv1 S v1 ÞÞ
Y
v1
¼ Xi
i¼0
Y ¼ ðG; PPUB ; H2 ðIDi Þ; yj0 i v  1; y 2 Zq Þ
Y
v1
¼ Y i:
i¼0
Due to the discrete logarithm problem over elliptic
curves being hard when p is more than 512-bits long and
the BDH assumption, we have Xi poly Yi . Thus,
Qv1 Qv1
i¼0 X i poly i¼0 Y i . It implies that X poly Y . u
t
6.2 Security Against Active Attacks
In an active attack, an adversary not only learns information
about the conference key but also replays, forges and delays
the messages. To resist active attacks, desired properties for
a practical key agreement protocol typically include the
following.
Key Comprise Impersonation. Our protocol can withstand
the key comprise impersonation attack, in which the adver-
sary impersonates a legal conferee (e.g., participantj ) to
participanti with the long-term secret key (S i ) of
participanti . In our protocol, long-term secret keys of partici-
pants are independent of each other with respect to real iden-
tities of participants. Therefore, with the long-term secret key
(S i ), the adversary still cannot learn any information about
long-term secret keys of other participants. In addition, sig-
natures produced by participants are tied with a time stamp.
Thus, the adversary cannot be authenticated by replaying
the signature of a legal participant later. Moreover, the signa-
ture of participanti is encrypted by his public key ei . Since no
polynomial algorithm has been found for solving the factori-
zation problem, the adversary having no access to di cannot
forge or decrypt the signature of a legal participant.
Known Session Key. The known session key prevents the
session key held by a fresh participant [11] from being
compromised by an adversary, even if the adversary has
learned some previous session keys. In the presented
protocol, the ephemeral secret key ri is selected by
participanti in each session randomly, which makes every
value of ri equally P likely. Therefore, session keys calcu-
lated as K ¼ e^ðG; v1 i¼0 ei ri S i Þ are independent in each ses-
sion such that the adversary cannot learn any information
about the session key of a fresh participant. He cannot do
any better than a guess.
Perfect Forward Security. A protocol offers perfect forward
security if the compromising of long-term keys (S i ) during
the communication among multiple participants cannot
result in the compromising of the previous session key (Kpre ).
In our protocol, the previous session key is computed as
SHEN ET AL.: BLOCK DESIGN-BASED KEY AGREEMENT FOR GROUP DATA SHARING IN CLOUD COMPUTING
! e
X
v1
Kpre ¼ e^ G; ei ri pre S i : Mj for the purpose of providing authentication services.
i¼0
Even if the long-term keys (S i ) are compromised by an
adversary, the adversary who has no access to the previous
ephemeral secret key (ri pre ) cannot generate the previous
session key. Note that the security of the previous ephem-
eral key (ri pre ) is based on the ECDLP and the BDH
assumption. Therefore, the presented protocol provides per-
fect forward security.
Different Key Attacks. In accordance with Theorem 3, in
the fault detection phase, a malicious participant who
attempts to delay or destruct the conference will be
removed from the conference by the TPA. Therefore, the
proposed protocol can resist different key attacks.
Key Confirmation. If a participant is assured that its coun-
terparts actually have possession of a particular secret key,
the protocol provides key confirmation. In our protocol,
with respect to the fault detection phase in Section 5, each
participant can ensure that its counterparts actually have
possession of a common conference key K. Therefore, the
presented protocol can provide key confirmation.
Moreover, the presented protocol can resist denial of ser-
vice attacks. In the fault detection phase, a participant
should be removed by the TPA if he did not resend the fault
report within ~t or the failure occurrence exceeds a thresh-
old t. Note that the presented protocol is contributory.
Unlike the El Gamal one-pass protocol where only one of
the parties contributes a fresh exponent, each participant in
our protocol equally contributes to the common conference
key and guarantees the freshness of the key.
7 PERFORMANCE ANALYSIS AND EVALUATION
7.1 Performance Analysis
Generally, the performance of a key agreement protocol con-
sists of communicational and computational efficiency. In
each round of our protocol, each participant has to receive k
messages from the intended k participants according to a
ðv; k þ 1; 1Þ-design of the SBIBD. Then, each participant has
to perform some operations such as point multiplications,
pairing computations, and so forth. Computational complex-
ity is composed of pairing computations, point multiplica-
tions and modular exponentiations, whereas communication
complexity is composed of the number of participants and
the number of message exchanges.
Let Pi denote the total point multiplications of
participanti , Mi represent the total modular exponentiations
of participanti and Wi imply the total Weil pairings com-
puted by participanti . In Round 1, participanti needs
to compute ei ri S i , wi ri S i and two Weil pairings Mi ¼
e^ðG; ei ri S i Þ, e^ðG; wi ri S i Þ. Thus, we have Pi ¼ 2, Wi ¼ 2. After
receiving some messages from participantj , participanti
 d
decrypts Mj ¼ ðMj Þei i ; j 2 Ei  fig by his secret key di .
The number of messages received by participanti is k.
Hence, k modular exponentiations are needed, namely,
Mi ¼ k. Furthermore, participanti needs to compute 2k
e w
modular exponentiations Tj j and Mj j for the purpose of
ensuring his counterparts. In summary, in Round 1,
e “10.24433/CO.a433f2e9-2003-45d1-b519-98bf3aec28dc”, and
Mi ¼ 3k. In Round 2, to obtain Cj;i ¼ ðCj;ii Þdi , participanti
needs to compute k modular exponentiations. In addition,
Authorized licensed use limited to: St Martin's Engineering College. Downloaded on June 08,2022 at 07:39:40 UTC from IEEE Xplore. Restrictions apply.
1007
3k modular exponentiations are required to obtain Mj ; Tj j ;
wj
Therefore, in Round 2, the number of modular exponentia-
tions is Mi ¼ 4k. In terms of communication overhead,
every participant needs to receive k messages in each
round based on the group data sharing model of a
ðv; k þ 1; 1Þ-design. Thus, the number of message exchanges
of participanti is 2k.
In our protocol, the calculation of the point multiplica-
tion, the pairing computation and the modular exponentia-
tion is over the supersingular elliptic curve, which is
defined in Definition 1. Thus, the computational complexi-
ties of the point multiplications and the pairing computa-
tion are OðmÞ and Oðm2 Þ, respectively. Here, m is the
extension degree of the finite field F pm .
Essentially, in the presented protocol with v participants,
the total numbers of point multiplications and Weil pairing
computations in the protocol are P ¼ 2v and W ¼ 2v, respec-
tively. Additionally, the total number of modular exponen-
tiations is M ¼ 7kv. The communication complexity and the
computational complexity in the protocol are OðvkÞ and
Oð2vm2 þ 2vmÞ, respectively. Moreover, in accordance with
the basic equation of a BIBD defined in Definition 3, we have
ðv  1Þ ¼ rðk  1Þ. Note that the presented protocol is based
on the ðv; k þ 1; 1Þ-design of p anffiffiffi SBIBD. Thus, we have  ¼ 1
and r ¼ k. In this case, k v. Therefore,
pffiffiffi the communica-
tion complexity of our protocol is Oðv vÞ, and the computa-
tional complexity is Oðvm2 Þ. Note that compared to the
protocol in paper [9], our protocol is more efficient since we
adopt the ðv; k þ 1; 1Þ-design of an SBIBD such that  can
reach its minimum value of one ( ¼ 1), where  is a parame-
ter in the SBIBD. Inffi paper [9], when  > 1, k is approxi-
pffiffiffiffiffi
mately equal to vpand ffiffiffiffiffiffi the communication complexity of
the protocol is Oðv vÞ. In addition, one more modular
exponentiation is required for each participant. The detailed
comparison results are shown in Table 2.
7.2 Performance Evaluation
To study the performance of our scheme, we provide an
experimental evaluation of the proposed scheme.2 Our
experiments are simulated by using C programming lan-
guage with the pairing-based cryptography (PBC) library
and the GUN multiple precision arithmetic (GMP) library
on a VMware Workstation machine with Intel Core i5-3210
processors running at 2.50 GHz and 2G memory, Ubuntu
12.04 X64.
The simulation consists of two parts. In the first part, we
present a comparative simulation analysis between Yi’s
scheme [7] and our scheme with respect to the time cost for
each participant in different phases, which is illustrated in
Fig. 4. It can be seen that the time cost increases with the
number of participants. On the one hand, simulation results
in Figs. 4a and 4b indicate that our scheme is much more
2. Source codes of the simulation have been uploaded to
IEEE Xplore + Code Ocean. They are named as
“Efficiency comparison for different phases (v2)” with DOI
“10.24433/CO.eea19cea-ca33-4f3c-b641-f46fb7b79253”,
“Efficiency comparison for multiple participants (v2)” with DOI
“Efficiency comparison for different simulation times (v2)” with DOI
“10.24433/CO.6b08d728-fc8b-4af7-8f1d-cae7c28af097”.
1008 IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, VOL. 16, NO. 6, NOVEMBER/DECEMBER 2019

TABLE 2
Comparison Results

Yi’s protocol Shen et al.’s protocol Our protocol

Type of msgs distribution Broadcast Multicast Multicast
Type of communication model Centralized Decentralized Decentralized
The number of participants n 7 n
No. of Weil pairing computation
per participanti 2ðn  1Þ 2 2
No. of point multiplication
per participanti 6 2 2
No. of modular exponentiation pffiffiffiffiffiffi pffiffiffi
per participanti 2n 7n n 7n n
pffiffiffiffiffiffi pffiffiffi
Total computation cost 2n2 ðWi Þ þ 7nðPi Þ þ 2nðMi Þ 2nðWi Þ þ 2nðPi Þ þ ð7n n þ nÞðMi Þ 2nðWi Þ þ 2nðPi Þ þ 7n nðMi Þ
pffiffiffiffiffiffi pffiffiffi
Communication complexity Oðn2 Þ Oðn nÞ Oðn nÞ
Computational complexity Oðn2 m2 Þ Oðnm2 Þ Oðnm2 Þ

n: Participant’s number, m: Extension degree of the finite field F pm ; Pi : Point multiplications of participanti , Mi : Modular exponentiations of participanti ,
Wi : Weil pairings computed by participanti , : Parameter in the SBIBD.

Fig. 4. Efficiency comparison for different phases.

efficient than Yi’s scheme in both initial phase and key
agreement phase. On the other hand, in Fig. 4c, the time
cost of our scheme is slightly higher than that of Yi’s
scheme. The reason is that, for each participant, 4 point mul-
tiplications are required in Yi’s scheme, while k modular
exponentiations are required in our scheme during the
authentication phase. However, we argue that, in terms of
the total computational cost for each participant, our
scheme is much more efficient than Yi’s scheme, which is
illustrated in Fig. 5.
In the second part, we focus on analyzing the total
computational cost for each participant of Yi’s scheme and
our scheme with respect to different participants and differ-
ent simulation times. It is clearly seen from Fig. 5 that our
scheme is superior to Yi’s scheme. Note that the
computational cost of Yi’s scheme continuously increases
with the growth of the participant’s number n, while the
computational cost of our scheme increases slightly with a
prime number k (Here, n ¼ k2 þ k þ 1). It is concluded that
our scheme is much more efficient than Yi’s scheme, which
makes our scheme more practical for key agreement in the
cloud environment. In addition, in Fig. 6, we present the
efficiency comparison of Yi’s scheme and our scheme with
different simulation times, where the participants number
is fixed as 133. Note that taking advantage of the SBIBD in
our scheme, k ¼ 11 when the participant’s number is 133.
First, in the initial phase, Yi’s scheme requires to compute 2
point multiplications and 132 weil pairings, while our
scheme only needs 2 point multiplications, 2 weil pairings
and 11 modular exponentiations. Second, in the key

Fig. 5. Efficiency comparison for multiple participants. Fig. 6. Efficiency comparison for different simulation times.

Authorized licensed use limited to: St Martin's Engineering College. Downloaded on June 08,2022 at 07:39:40 UTC from IEEE Xplore. Restrictions apply.
SHEN ET AL.: BLOCK DESIGN-BASED KEY AGREEMENT FOR GROUP DATA SHARING IN CLOUD COMPUTING
agreement phase, Yi’s scheme requires 132 weil pairings, [4]
while our scheme only needs 33 modular exponentiations. [5]
Finally, in the authentication phase, Yi’s scheme requires 4
point multiplications, while our scheme needs 33 modular
exponentiations. Through the simulation, we can conclude [6]
that the time cost of our scheme is much smaller than that of
Yi’s scheme with different simulation times. In addition, it [7]
is easily observed that the performance of our scheme is
more stable than Yi’s scheme. [8]
8 CONCLUSION
[9]
As a development in the technology of the Internet and
cryptography, group data sharing in cloud computing has
opened up a new area of usefulness to computer networks. [10]
With the help of the conference key agreement protocol, the [11]
security and efficiency of group data sharing in cloud com-
puting can be greatly improved. Specifically, the outsourced
[12]
data of the data owners encrypted by the common conference
key are protected from the attacks of adversaries. Compared
with conference key distribution, the conference key agree- [13]
ment has qualities of higher safety and reliability. However,
the conference key agreement asks for a large amount of
information interaction in the system and more computa- [14]
tional cost. To combat the problems in the conference key
agreement, the SBIBD is employed in the protocol design. [15]
In this paper, we present a novel block design-based key
agreement protocol that supports group data sharing in
cloud computing. Due to the definition and the mathemati- [16]
cal descriptions of the structure of a ðv; k þ 1; 1Þ-design,
multiple participants can be involved in the protocol and [17]
general formulas of the common conference key for
participanti are derived. Moreover, the introduction of vol-
[18]
unteers enables the presented protocol to support the fault
tolerance property, thereby making the protocol more prac-
tical and secure. In our future work, we would like to [19]
extend our protocol to provide more properties (e.g., ano-
nymity, traceability, and so on) to make it appliable for [20]
a variety of environments.
[21]
ACKNOWLEDGMENTS
The authors would like to thank the editors and anonymous [22]
reviewers for their constructive feedback and insightful
suggestions that helped to significantly improve the quality [23]
of this work. This work is supported by the National Science
Foundation of China under Grant No. 61672295, No. [24]
61373169, No. 61572379, No. 61501333 and No. U1405254,
the State Key Laboratory of Information Security under [25]
Grant No. 2017-MS-10, the 2015 Project of six personnel in
Jiangsu Province under Grant No. R2015L06, the CICAEET
fund, and the PAPD fund. [26]
REFERENCES
[27]
[1] L. Zhou, V. Varadharajan, and M. Hitchens, “Cryptographic role-
based access control for secure cloud data storage systems,” IEEE
Trans. Inf. Forensics Secur., vol. 10, no. 11, pp. 2381–2395,
Nov. 2015. [28]
[2] F. Chen, T. Xiang, Y. Yang, and S. S. M. Chow, “Secure cloud
storage meets with secure network coding,” in Proc. IEEE Conf. [29]
Comput. Commun., 2014, pp. 673–681.
[3] D. He, S. Zeadally, and L. Wu, “Certificateless public auditing [30]
scheme for cloud-assisted wireless body area networks,” IEEE Syst.
J., vol. PP, no. 99, pp. 1–10, 2015, doi: 10.1109/JSYST.2015.2428620.
Authorized licensed use limited to: St Martin's Engineering College. Downloaded on June 08,2022 at 07:39:40 UTC from IEEE Xplore. Restrictions apply.
1009
W. Diffie and M. E. Hellman, “New directions in cryptography,”
IEEE Trans. Inf. Theory, vol. IT-22, no. 6, pp. 644–654, Nov. 1976.
J. Shen, H. Tan, S. Moh, I. Chung, and J. Wang, “An efficient RFID
authentication protocol providing strong privacy and security,”
J. Internet Technol., vol. 17, no. 3, 2016, Art. no. 2.
L. Law, A. Menezes, M. Qu, J. Solinas, and S. Vanstone, “An effi-
cient protocol for authenticated key agreement,” Des. Codes Cryp-
tography, vol. 28, no. 2, pp. 119–134, 2010.
X. Yi, “Identity-based fault-tolerant conference key agreement,”
IEEE Trans. Depend. Secure Comput., vol. 1, no. 3, pp. 170–178, Jul.–
Sep. 2004.
R. Barua, R. Dutta, and P. Sarkar, “Extending joux’s protocol to
multi party key agreement (extended abstract),” in Proc. 4th Int.
Conf. Cryptology India, 2003, pp. 205–217.
J. Shen, S. Moh, and I. Chung, “Identity-based key agreement pro-
tocol employing a symmetric balanced incomplete block design,”
J. Commun. Netw., vol. 14, no. 6, pp. 682–691, 2012.
B. Dan and M. Franklin, “Identity-based encryption from the weil
pairing,” SIAM J. Comput., vol. 32, no. 3, pp. 213–229, 2003.
S. Blakewilson, D. Johnson, and A. Menezes, “Key agreement pro-
tocols and their security analysis,” in Proc. IMA Int. Conf. Cryptog-
raphy Coding, 1997, pp. 30–45.
I. Chung and Y. Bae, “The design of an efficient load balancing
algorithm employing block design,” J. Appl. Mathematics Comput.,
vol. 14, no. 1, pp. 343–351, 2004.
O. Lee, S. Yoo, B. Park, and I. Chung, “The design and analysis of
an efficient load balancing algorithm employing the symmetric
balanced incomplete block design,” Inf. Sci., vol. 176, no. 15,
pp. 2148–2160, 2006.
R. Curtmola, J. Garay, S. Kamara, and R. Ostrovsky, “Searchable
symmetric encryption: Improved definitions and efficient con-
structions,” J. Comput. Secur., vol. 19, no. 5, pp. 79–88, 2011.
N. Cao, C. Wang, M. Li, K. Ren, and W. Lou, “Privacy-preserving
multi-keyword ranked search over encrypted cloud data,” IEEE
Trans. Parallel Distrib. Syst., vol. 25, no. 1, pp. 222–233, Jan. 2014.
J. Yu, K. Ren, C. Wang, and V. Varadharajan, “Enabling cloud
storage auditing with key-exposure resistance,” IEEE Trans. Inf.
Forensics Secur., vol. 10, no. 6, pp. 1167–1179, Jun. 2015.
J. Yu, K. Ren, and C. Wang, “Enabling cloud storage auditing with
verifiable outsourcing of key updates,” IEEE Trans. Inf. Forensics
Secur., vol. 11, no. 6, pp. 1362–1375, Jun. 2016.
S. D. C. D. Vimercati, S. Foresti, S. Jajodia, S. Paraboschi, and
P. Samarati, “Encryption policies for regulating access to outsourced
data,” ACM Trans. Database Syst., vol. 35, no. 2, pp. 78–78, 2010.
H. Guo, Z. Li, Y. Mu, and X. Zhang, “Cryptanalysis of simple
three-party key exchange protocol,” Comput. Secur., vol. 27,
no. 1/2, pp. 16–21, 2008.
Z. Tan, “An enhanced three-party authentication key exchange
protocol for mobile commerce environments,” J. Commun., vol. 5,
no. 5, pp. 436–443, 2010.
Y. M. Tseng, “An efficient two-party identity-based key exchange
protocol,” Informatica, vol. 18, no. 1, pp. 125–136, 2007.
A. Shamir, “Identity-based cryptosystems and signature
schemes,” in Proc. Workshop Theory Appl. Cryptographic Techn.,
1985, vol. 21, no. 2, pp. 47–53.
E. Bresson, O. Chevassut, D. Pointcheval, and J. J. Quisquater,
“Provably authenticated group Diffie-Hellman key exchange,”
ACM Trans. Inf. Syst. Secur., vol. 10, no. 3, pp. 89–92, 2001.
D. R. Stinson, Combinatorial Designs: Constructions and Analysis.
Berlin, Germany: Springer, 2007.
J. Shen, J. Shen, X. Chen, X. Huang, and W. Susilo, “An efficient
public auditing protocol with novel dynamic structure for cloud
data,” IEEE Trans. Inf. Forensics Secur., vol. 12, no. 10, pp. 2402–2415,
Oct. 2017, doi: 10.1109/TIFS.2017.2705620.
B. Lamacchia, K. Lauter, and A. Mityagin, “Stronger security of
authenticated key exchange,” in Proc. Int. Conf. Provable Secur.,
2007, pp. 1–16.
O. Hasan, L. Brunie, E. Bertino, and N. Shang, “A decentralized
privacy preserving reputation protocol for the malicious adversar-
ial model,” IEEE Trans. Inf. Forensics Secur., vol. 8, no. 6, pp. 949–
962, Jun. 2013.
L.-K. Hua, Introduction to Number Theory. Berlin, Germany:
Springer, 2012.
W. Stallings, “Cryptography and network security: Principles and
practice,” Int. Ann. Criminology, vol. 46, no. 4, pp. 121–136, 2008.
M. Steiner, G. Tsudik, and M. Waidner, “Key agreement in
dynamic peer groups,” IEEE Trans. Parallel Distrib. Syst., vol. 11,
no. 8, pp. 769–780, Aug. 2000.
1010 IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING,
Jian Shen received the ME and PhD degrees in
computer science from Chosun University, South
Korea, in 2009 and 2012, respectively. Since late
2012, he has been a professor with Nanjing Uni-
versity of Information Science and Technology,
Nanjing, China. His research interests include
public key cryptography, secure data sharing,
and data auditing in cloud. He is a member of the
IEEE.
Tianqi Zhou received the BE degree from the
Nanjing University of Information Science and
Technology, Nanjing, China, in 2016. She is
currently working toward the postgraduate at
the School of Nanjing University of Information
Science and Technology, Nanjing, China. Her
research interests include computer and network
security, security systems, and cryptography.
Debiao He received the PhD degree in applied
mathematics from the School of Mathematics and
Statistics, Wuhan University, Wuhan, China, in
2009. Currently, he is a professor with the State
Key Laboratory of Software Engineering, Com-
puter School, Wuhan University. His research
interests include cryptography and information
security, in particular, cryptographic protocols.
Yuexin Zhang received the BS degree from the
Department of Physics and Electronic Information
Engineering, Inner Mongolia Normal University,
China, in 2010 and the MS degree from the School
of Mathematics and Computer Science, Fujian
Normal University, China, in 2013. He is currently
working toward the PhD degree in computer sci-
ence at Deakin University, Melbourne, Australia.
His research focuses on network security.
Authorized licensed use limited to: St Martin's Engineering College. Downloaded on June 08,2022 at 07:39:40 UTC from IEEE Xplore. Restrictions apply.
VOL. 16, NO. 6, NOVEMBER/DECEMBER 2019
Xingming Sun received the BS degree in mathe-
matics from Hunan Normal University, China, in
1984, the ME degree in computing science from
the Dalian University of Science and Technology,
China, in 1988, and the PhD degree in computing
science from Fudan University, China, in 2001.
He is currently a professor in the School of Com-
puter and Software, Nanjing University of Infor-
mation Science and Technology, China. His
research interests include network and informa-
tion security, digital watermarking, digital foren-
sic, database security, and natural language processing. He is a senior
member of the IEEE.
Yang Xiang received the PhD degree in com-
puter science from Deakin University, Australia.
He is currently a dean at the Digital Research &
Innovation Capability Platform, Swinburne Uni-
versity of Technology. He is the director of the
Network Security and Computing Lab (NSCLab).
His research interests include network and sys-
tem security, distributed systems, and network-
ing. In particular, he is currently leading his team
developing active defense systems against large-
scale distributed network attacks. He is the chief
investigator of several projects in network and system security, funded
by the Australian Research Council (ARC). He has published more than
130 research papers in many international journals and conferences,
such as the IEEE Transactions on Computers, the IEEE Transactions
on Parallel and Distributed Systems, the IEEE Transactions on Informa-
tion Security and Forensics, and the IEEE Journal on Selected Areas in
Communications. Two of his papers were selected as the featured
articles in the April 2009 and the July 2013 issues of the IEEE Transac-
tions on Parallel and Distributed Systems. He has published two books,
Software Similarity and Classification (Springer) and Dynamic and
Advanced Data Mining for Progressing Technological Development
(IGI-Global). He has served as the program/general chair for many inter-
national conferences such as ICA3PP 12/11, IEEE/IFIP EUC 11, IEEE
TrustCom 13/11, IEEE HPCC 10/09, IEEE ICPADS 08, and NSS 11/10/
09/08/07. He has been the PC member for more than 60 international
conferences in distributed systems, networking, and security. He serves
as the associate editor of the IEEE Transactions on Computers, the
IEEE Transactions on Parallel and Distributed Systems, Security
and Communication Networks (Wiley), and the editor of the Journal
of Network and Computer Applications. He is the coordinator, Asia for
IEEE Computer Society Technical Committee on Distributed Processing
(TCDP). He is a senior member of the IEEE.
" For more information on this or any other computing topic,
please visit our Digital Library at www.computer.org/publications/dlib.