Blom's scheme

Last updated December 29, 2022

Blom's scheme is a symmetric threshold key exchange protocol in cryptography. The scheme was proposed by the Swedish cryptographer Rolf Blom in a series of articles in the early 1980s.^[1]^[2]

A trusted party gives each participant a secret key and a public identifier, which enables any two participants to independently create a shared key for communicating. However, if an attacker can compromise the keys of at least k users, they can break the scheme and reconstruct every shared key. Blom's scheme is a form of threshold secret sharing.

Blom's scheme is currently used by the HDCP (Version 1.x only) copy protection scheme to generate shared keys for high-definition content sources and receivers, such as HD DVD players and high-definition televisions.^[3]

The protocol

The key exchange protocol involves a trusted party (Trent) and a group of $\scriptstyle n$ users. Let Alice and Bob be two users of the group.

Protocol setup

Trent chooses a random and secret symmetric matrix $\scriptstyle D_{k,k}$ over the finite field $\scriptstyle GF(p)$ , where p is a prime number. $\scriptstyle D$ is required when a new user is to be added to the key sharing group.

For example:

${\begin{aligned}k&=3\\p&=17\\D&={\begin{pmatrix}1&6&2\\6&3&8\\2&8&2\end{pmatrix}}\ \mathrm {mod} \ 17\end{aligned}}$

Inserting a new participant

New users Alice and Bob want to join the key exchanging group. Trent chooses public identifiers for each of them; i.e., k-element vectors:

$I_{\mathrm {Alice} },I_{\mathrm {Bob} }\in GF^{k}(p)$ .

For example:

$I_{\mathrm {Alice} }={\begin{pmatrix}1\\2\\3\end{pmatrix}},I_{\mathrm {Bob} }={\begin{pmatrix}5\\3\\1\end{pmatrix}}$

Trent then computes their private keys:

${\begin{aligned}g_{\mathrm {Alice} }&=DI_{\mathrm {Alice} }\\g_{\mathrm {Bob} }&=DI_{\mathrm {Bob} }\end{aligned}}$

Using $D$ as described above:

${\begin{aligned}g_{\mathrm {Alice} }&={\begin{pmatrix}1&6&2\\6&3&8\\2&8&2\end{pmatrix}}{\begin{pmatrix}1\\2\\3\end{pmatrix}}={\begin{pmatrix}19\\36\\24\end{pmatrix}}\ \mathrm {mod} \ 17={\begin{pmatrix}2\\2\\7\end{pmatrix}}\ \\g_{\mathrm {Bob} }&={\begin{pmatrix}1&6&2\\6&3&8\\2&8&2\end{pmatrix}}{\begin{pmatrix}5\\3\\1\end{pmatrix}}={\begin{pmatrix}25\\47\\36\end{pmatrix}}\ \mathrm {mod} \ 17={\begin{pmatrix}8\\13\\2\end{pmatrix}}\ \end{aligned}}$

Each will use their private key to compute shared keys with other participants of the group.

Computing a shared key between Alice and Bob

Now Alice and Bob wish to communicate with one another. Alice has Bob's identifier $\scriptstyle I_{\mathrm {Bob} }$ and her private key $\scriptstyle g_{\mathrm {Alice} }$ .

She computes the shared key $\scriptstyle k_{\mathrm {Alice/Bob} }=g_{\mathrm {Alice} }^{T}I_{\mathrm {Bob} }$ , where $\scriptstyle T$ denotes matrix transpose. Bob does the same, using his private key and her identifier, giving the same result:

$k_{\mathrm {Alice/Bob} }=k_{\mathrm {Alice/Bob} }^{T}=(g_{\mathrm {Alice} }^{T}I_{\mathrm {Bob} })^{T}=(I_{\mathrm {Alice} }^{T}D^{T}I_{\mathrm {Bob} })^{T}=I_{\mathrm {Bob} }^{T}DI_{\mathrm {Alice} }=k_{\mathrm {Bob/Alice} }$

They will each generate their shared key as follows:

${\begin{aligned}k_{\mathrm {Alice/Bob} }&={\begin{pmatrix}2\\2\\7\end{pmatrix}}^{T}{\begin{pmatrix}5\\3\\1\end{pmatrix}}=2\times 5+2\times 3+7\times 1=23\ \mathrm {mod} \ 17=6\\k_{\mathrm {Bob/Alice} }&={\begin{pmatrix}8\\13\\2\end{pmatrix}}^{T}{\begin{pmatrix}1\\2\\3\end{pmatrix}}=8\times 1+13\times 2+2\times 3=40\ \mathrm {mod} \ 17=6\end{aligned}}$

Attack resistance

In order to ensure at least k keys must be compromised before every shared key can be computed by an attacker, identifiers must be k-linearly independent: all sets of k randomly selected user identifiers must be linearly independent. Otherwise, a group of malicious users can compute the key of any other member whose identifier is linearly dependent to theirs. To ensure this property, the identifiers shall be preferably chosen from a MDS-Code matrix (maximum distance separable error correction code matrix). The rows of the MDS-Matrix would be the identifiers of the users. A MDS-Code matrix can be chosen in practice using the code-matrix of the Reed–Solomon error correction code (this error correction code requires only easily understandable mathematics and can be computed extremely quickly).^[4]

Related Research Articles

In mathematics, the determinant is a scalar value that is a function of the entries of a square matrix. It characterizes some properties of the matrix and the linear map represented by the matrix. In particular, the determinant is nonzero if and only if the matrix is invertible and the linear map represented by the matrix is an isomorphism. The determinant of a product of matrices is the product of their determinants . The determinant of a matrix $A$ is denoted $det(A)$ , $det A$ , or $| A |$ .

In linear algebra, the Cholesky decomposition or Cholesky factorization is a decomposition of a Hermitian, positive-definite matrix into the product of a lower triangular matrix and its conjugate transpose, which is useful for efficient numerical solutions, e.g., Monte Carlo simulations. It was discovered by André-Louis Cholesky for real matrices, and posthumously published in 1924. When it is applicable, the Cholesky decomposition is roughly twice as efficient as the LU decomposition for solving systems of linear equations.

In group theory, the quaternion group Q₈ (sometimes just denoted by Q) is a non-abelian group of order eight, isomorphic to the eight-element subset $of the quaternions under multiplication. It is given by the group presentation$

In linear algebra, the Cayley–Hamilton theorem states that every square matrix over a commutative ring satisfies its own characteristic equation.

<span class="mw-page-title-main">Symplectic group</span> Mathematical group

In mathematics, the name symplectic group can refer to two different, but closely related, collections of mathematical groups, denoted $Sp(2 n, F)$ and $Sp(n)$ for positive integer n and field F. The latter is called the compact symplectic group and is also denoted by $. Many authors prefer slightly different notations, usually differing by factors of 2 . The notation used here is consistent with the size of the most common matrices which represent the groups. In Cartan's classification of the simple Lie algebras, the Lie algebra of the complex group Sp(2 n, C) is denoted C n, and Sp(n) is the compact real form of Sp(2 n, C) . Note that when we refer to the (compact) symplectic group it is implied that we are talking about the collection of (compact) symplectic groups, indexed by their dimension n .$

In linear algebra, an $n$ -by- $n$ square matrix $A$ is called invertible, if there exists an $n$ -by- $n$ square matrix $B$ such that

In mathematics, and in particular linear algebra, the Moore–Penrose inverse $of a matrix is the most widely known generalization of the inverse matrix. It was independently described by E. H. Moore in 1920, Arne Bjerhammar in 1951, and Roger Penrose in 1955. Earlier, Erik Ivar Fredholm had introduced the concept of a pseudoinverse of integral operators in 1903. When referring to a matrix, the term pseudoinverse, without further specification, is often used to indicate the Moore-Penrose inverse. The term generalized inverse is sometimes used as a synonym for pseudoinverse.$

In physics, the S-matrix or scattering matrix relates the initial state and the final state of a physical system undergoing a scattering process. It is used in quantum mechanics, scattering theory and quantum field theory (QFT).

A two-port network is an electrical network (circuit) or device with two pairs of terminals to connect to external circuits. Two terminals constitute a port if the currents applied to them satisfy the essential requirement known as the port condition: the electric current entering one terminal must equal the current emerging from the other terminal on the same port. The ports constitute interfaces where the network connects to other networks, the points where signals are applied or outputs are taken. In a two-port network, often port 1 is considered the input port and port 2 is considered the output port.

In abstract algebra, the split-quaternions or coquaternions form an algebraic structure introduced by James Cockle in 1849 under the latter name. They form an associative algebra of dimension four over the real numbers.

Scattering parameters or S-parameters describe the electrical behavior of linear electrical networks when undergoing various steady state stimuli by electrical signals.

In mathematics, the group of rotations about a fixed point in four-dimensional Euclidean space is denoted SO(4). The name comes from the fact that it is the special orthogonal group of order 4.

In mathematical physics, the gamma matrices, $, also called the Dirac matrices, are a set of conventional matrices with specific anticommutation relations that ensure they generate a matrix representation of the Clifford algebra Cl 1,3 (). It is also possible to define higher-dimensional gamma matrices. When interpreted as the matrices of the action of a set of orthogonal basis vectors for contravariant vectors in Minkowski space, the column vectors on which the matrices act become a space of spinors, on which the Clifford algebra of spacetime acts. This in turn makes it possible to represent infinitesimal spatial rotations and Lorentz boosts. Spinors facilitate spacetime computations in general, and in particular are fundamental to the Dirac equation for relativistic spin- 1 / 2 particles.$

In physics, the Majorana equation is a relativistic wave equation. It is named after the Italian physicist Ettore Majorana, who proposed it in 1937 as a means of describing fermions that are their own antiparticle. Particles corresponding to this equation are termed Majorana particles, although that term now has a more expansive meaning, referring to any fermionic particle that is its own anti-particle.

The following are important identities involving derivatives and integrals in vector calculus.

In signal processing, a polyphase matrix is a matrix whose elements are filter masks. It represents a filter bank as it is used in sub-band coders alias discrete wavelet transforms.

The Eckart conditions, named after Carl Eckart, simplify the nuclear motion (rovibrational) Hamiltonian that arises in the second step of the Born–Oppenheimer approximation. They make it possible to approximately separate rotation from vibration. Although the rotational and vibrational motions of the nuclei in a molecule cannot be fully separated, the Eckart conditions minimize the coupling close to a reference configuration. The Eckart conditions are explained by Louck and Galbraith and in Section 10.2 of the textbook by Bunker and Jensen, where a numerical example is given.

In mathematics, specifically multilinear algebra, a dyadic or dyadic tensor is a second order tensor, written in a notation that fits in with vector algebra.

In the mathematical discipline of numerical linear algebra, a matrix splitting is an expression which represents a given matrix as a sum or difference of matrices. Many iterative methods depend upon the direct solution of matrix equations involving matrices more general than tridiagonal matrices. These matrix equations can often be solved directly and efficiently when written as a matrix splitting. The technique was devised by Richard S. Varga in 1960.

In mathematics, the Frobenius inner product is a binary operation that takes two matrices and returns a scalar. It is often denoted $. The operation is a component-wise inner product of two matrices as though they are vectors, and satisfies the axioms for an inner product. The two matrices must have the same dimension - same number of rows and columns, but are not restricted to be square matrices.$

References

↑ Blom, Rolf. Non-public key distribution. In Proc. CRYPTO 82, pages 231–236, New York, 1983. Plenum Press
↑ Blom, Rolf. "An optimal class of symmetric key generation systems", Report LiTH-ISY-I-0641, Linköping University, 1984
↑ Crosby, Scott; Goldberg, Ian; Johnson, Robert; Song, Dawn; Wagner, David (2002). A Cryptanalysis of the High-Bandwidth Digital Content Protection System. Security and Privacy in Digital Rights Management. DRM 2001. Lecture Notes in Computer Science. Lecture Notes in Computer Science. Vol. 2320. pp. 192–200. CiteSeerX 10.1.1.10.9307 . doi:10.1007/3-540-47870-1_12. ISBN 978-3-540-43677-5.
↑ Menezes, A.; Paul C. van Oorschot & Scott A. Vanstone (1996). Handbook of Applied Cryptography . CRC Press. ISBN 978-0-8493-8523-0.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] Blom, Rolf. Non-public key distribution. In Proc. CRYPTO 82, pages 231–236, New York, 1983. Plenum Press

[2] Blom, Rolf. "An optimal class of symmetric key generation systems", Report LiTH-ISY-I-0641, Linköping University, 1984

[3] Crosby, Scott; Goldberg, Ian; Johnson, Robert; Song, Dawn; Wagner, David (2002). A Cryptanalysis of the High-Bandwidth Digital Content Protection System. Security and Privacy in Digital Rights Management. DRM 2001. Lecture Notes in Computer Science. Lecture Notes in Computer Science. Vol. 2320. pp. 192–200. CiteSeerX 10.1.1.10.9307 . doi:10.1007/3-540-47870-1_12. ISBN 978-3-540-43677-5.

[4] Menezes, A.; Paul C. van Oorschot & Scott A. Vanstone (1996). Handbook of Applied Cryptography . CRC Press. ISBN 978-0-8493-8523-0.

[1]

[2]

[3]

[4]