the network has a unique identification number such as u A for Alice. Trent will

distribute to each user, over a secure channel, a mechanism for communicating

with any other user on the network.

Protocol Steps :

1. Trent chooses three random values r 1 ,r 2 ,r 3 ∈ F p , and for each user, such

as Alice, computes

x A ≡

r 1 + r 2 u A (mod p ) and y A ≡

r 2 + r 3 u A (mod p ) .

Then for each user, such as Alice, he computes the polynomial f A ( x )=

x A + y A x , which is sent over the secure channel to her.

2. If Alice wants to communicate with user u B for Bob, say, then Alice com-

putes k AB = f A ( u B ) and Bobcomputes k BA = f B ( u A ). In the analysis

below, we show that k AB = k BA = k , say, so Alice and Bobnow have a

means of communicating with k via some chosen SKC.

Example 6.1 For simplicity, we will assume a network of three users, Alice,

Bob, and Carol. If p =31 , u A =7 for Alice, u B =11 , for Bob, u C =17 for

Carol, and Trent selects r 1 =2 , r 2 =10 , r 3 =29 , then

x A =2+10

·

7 = 72; y A =10+29

·

7 = 213; so, f A = 72 + 213 x ;

x B =2+10

·

11 = 112; y B =10+29

·

11 = 329; so, f B = 112 + 329 x ;

17 = 503; so, f C = 172 + 503 x

are the respective polynomials for Alice, Bob, and Carol. Thus,

x C =2+10

·

17 = 172; y C =10+29

·

k AB = f A ( u B ) = 72 + 213

·

11 = 2415 = k BA = f B ( u A ) = 112 + 329

·

7 ,

k AC = f A ( u C ) = 72 + 213

·

17 = 3693 = k CA = f C ( u A ) = 172 + 503

·

7 ,

k BC = f B ( u C ) = 112 + 329

·

17 = 5705 = k CB = f C ( u B ) = 172 + 503

·

11 .

Analysis : First we show that k AB = k BA , where we assume the equalities

are congruences modulo p for convenience.

k AB = x A + y A u B = r 1 + r 2 u A +( r 2 + r 3 u A ) u B = r 1 + r 2 u A +( r 2 + r 3 u A ) u B =

r 1 + r 2 u A + r 2 u B + r 3 u A u B = r 1 + r 2 u B +( r 2 + r 3 u B ) u A = f B ( u A )= k BA .

Now we show that Blom's scheme is unconditionally secure against an attack

by a user, Mallory. In other words, we will show that with the knowledge Mallory

has, namely,

r 1 + r 2 u M +( r 2 + r 3 u M ) x (mod p )

sent by Trent, all values of z

f M ( x )

≡

∈ F p are possible for k AB , which he is trying to

cryptanalyze. Since Mallory knows f M ( x ), then he knows the coe7cients

r 1 + r 2 u M ≡

x M (mod p ) ,

(6.1)