Step 1 . The Key server computes s = ( g k ) -1 mod L . Then the server chooses a random

number a , such that a < x i , for every x i , and multicasts a·s and h ( a ), where h ( a ) is the

output of a hash operation not specified in [1].

Step 2 . Every member i receives the authentication message and computes the value

h ( a·s·r mod x i ) which should be equal to the value h ( a ) received if x i is a factor of L .

5 Breaking the Authentication Protocol

As it is described in section 3, the main weakness of the key refreshment scheme

proposed in [1] resides on the fact that any user could impersonate the server, generat-

ing forged refreshment messages, from the knowledge of a multiple of L .

The protocol described in previous section tries to avoid this situation. However,

the same weakness described in section 3, allows the members to break the authenti-

cation protocol in such a way that they could generate forged refreshment that will be

considered as authentic by the recipients.

The procedure to break the protocol is the following.

Step 1 . Let us consider that the member h wants to impersonate the Key server. The

member h knows a multiple of L , computed as it is described in section 3. He gener-

ates new values for the system parameters, that is, m', p', g',

δ

' and k'. Then, he com-

putes u ', v ' applying the extended Euclidean algorithm to

' and the multiple of L , v·L .

In this point, the member h begins with the authentication protocol described in sec-

tion 4 using v·L instead of L , that is, he generates s ' = ( g ' k ' ) -1 mod vL , and chosses a ' at

random. Then, he sends the forged refreshment ( m ', g ', u ') and the authentication mes-

sage ( a'·s' , h( a ')).

δ

' = u ' -1 mod x i , and the

refreshed key r ' = g ' δ' mod m '. Then, in order to authenticate the refreshment, he com-

putes h ( a '· s '· r ' mod x i ). As one can easily observe, h ( a '· s '· r ' mod x i ) = h ( a ) since the

system parameters have been selected in the same way as the server does, and x i is a

factor of L , and a factor of any multiple of L .

Step 2 . The member i receives the message and computes

δ

6 Zero-Knowledge Protocol

In [1], a zero-knowledge protocol is proposed to verify that the information is distrib-

uted over legal peers. In other words, the aim of the protocol is to verify that a given

peer j holds a valid ticket x j . It is supposed that the two peers involved in this protocol

have previously obtain key r using the key refreshment scheme described in section 2.

The protocol is as follows:

Step 1 . Peer i chooses a random integer r such that 1 < r < m and sends it to the

Key server.

Step 2 . The Key server computes inv = r -1 mod L and sends it to i .

Step 3 . Peer i sends ( inv , g xi mod m ) to peer j .

Step 4 . Peer j calculates r j = inv -1 mod x j , β j = r j ·( g xi ) xj mod m and sends (β j , g xj ) to

peer i .

Step 5 . Peer i computes β i = r ·( g xj ) xi , which should be equal to β j .