The member h knows two different multiples of L , v·L and v'·L . The greatest com-

mon divisor (gcd) of these multiples gives L with high probability. In the case L is not

recovered from the gcd, a lower multiple is obtained. Anyway, the member h could

try it again in the next refreshment.

Example. This is an example performed with the help of MapleV software. Let us

consider a group of 10 member. The tickets could be the following primes: x 1 = 71,

x 2 = 73, x 3 = 79, x 4 = 83, x 5 = 89, x 6 = 97, x 7 = 101, x 8 = 103, x 9 = 107 and x 10 =109.

Hence, L = 35597295809230452047.

The server establishes the following parameters: m = 1259, p = 37 and g = 698. If

k = 32 is considered, then

= k + p = 69. Applying the extended Euclidean algorithm,

u = -5674931215964274964 and v = 11. Finally, the key r = g k mod m = 1123.

When member 1 receives g , m and u , he obtains

δ

= u -1 mod x 1 = 69, and the key

r = g 69 mod m = 1123. He also computes a multiple of L applying equation 6 and

obtains vL = 391570253901534972517. The other members act in the same way and

recover the same value of r and vL .

A given time later, the server refresh the values: m ' = 3539, p ' = 61, g ' = 2036, and

k ' = 3. This determines

δ

' = 64. Since no arrival or departure has been produced, L has

the same value. Hence, u = 9455531699326838825, v = -17 and r = 1300.

When the members receive the new values m ', g ' and u ', they compute the values

δ

' = u' -1 mod x i = 64 and the multiple v'L = -605154028756917684799.

They obtain L = gcd(391570253901534972517, -605154028756917684799 ) =

35597295809230452047.

δ

Case 2 . Let us suppose that the number of members changes, thus originating a key

refreshment. In this situation, the parameter L has changed, but maintains many com-

mon factors with the previous value, as it is derived from equation 1. The server sends

g' , m' and u' , computed from the new value L '. When the member h obtain

' = u' -1

δ

mod x h , he also obtains a multiple of L ',

v'·L' = 1 - u '·

δ

' .

(7)

The member h could employ v'L' to impersonate the server, as it is previously de-

scribed in this section. Furthermore, if he computes the gcd to the multiples computed

from different refreshments, he could obtain a new parameter L sub that corresponds to

the product of the tickets of members still in the group.

Therefore, if member h applies this procedure at every refreshment he could obtain

the product of tickets belonging to the members that arrive to the group at the same

time that member h . This fact could help the cryptanalyst to recover the tickets be-

cause the gcd decrease progressively the multiple size.

4 Key Refreshment Message Authentication

In [1], the authors propose a message authentication protocol to authenticate the re-

freshment messages from the Key server, trying to protect the system against forged

refreshment messages. Since the only two entities in the system that know the ticket

are its owner and the Key server, the protocol tries to prove that the sender of the

messages knows the recipient's ticket. It is as follows: