On the Generalizations of Megrelishvili Protocol for Group Key Distribution

This article presents an extension of our previous research in [1] where we propose two variants of Megrelishvili key distribution schemes and investigate some of their elementary theoretical security analysis. We briefly discuss the two protocols in [1] and propose another two schemes which are more efficient than the preceding ones. Additionally, we also devise effective procedures for constructing a new mutual key if the group membership is altered. Furthermore, we discuss the security of the protocols rigorously and we provide a sufficient condition for breaking the protocols by way of solving several instances of Megrelishvili vector-matrix problems (MVMP). We prove that the secret group key can be recovered easily if an attacker can express the sum of the secret exponents of the participants as a linear combination of the secret exponents excerpted from the transmission. Based on this result, we reason that our Megrelishvili key distribution schemes are theoretically at least as secure as the standard two-party Megrelishvili key exchange procedure.


I. INTRODUCTION
Group communication among multiple participants is one of the omnipresent occurrences in our modern world. On many occasions, this communication needs to be protected from unauthorized parties. The protection can be achieved in many ways, one of which is the creation of a mutual secret key among legitimate participants. The efficient construction of the mutual secret key for group communication has been one of the central discussions in modern cryptography. Since the development of the Diffie-Hellman key exchange (DHKE) procedure in [2], numerous protocols for group key creation have been proposed [3]-[6]. Despite these abundant options, the security of these key generation algorithms depends on somewhat equivalent discrete logarithm problems in finite groups, which have been extensively investigated in numerous studies [7]-[10].
The original concept of the Megrelishvili key exchange procedure was first discussed in [11]. This protocol can be considered a linear algebra-based variant of the DHKE. It combines vector-matrix multiplication and matrix exponentiation for the construction of the mutual secret key. Because of these linear algebraic operations, the security of the Megrelishvili protocol does not directly relate to a specific discrete logarithm problem in a finite group. Thus, the Megrelishvili key exchange procedure offers an alternative method for the construction of a mutual key between two parties.
The objective of this article is to present an extension of our previous work in [1], where we propose two variants of multi-party Megrelishvili protocols and discuss their elementary theoretical security analysis. These multi-party Megrelishvili protocols allow multiple participants to establish a common mutual key using the computational characteristics of the standard two-party Megrelishvili key exchange. In this article, we briefly discuss the two protocols in [1] and we propose another two key distribution schemes which are more efficient than the previous protocols. Our construction of these protocols is based on the extension of the generic two-party DHKE to multiple participants described in [3], [5]. The correctness and some important characteristics of our key distribution schemes are discussed rigorously. In addition, we also devise membership modification protocols for two of our schemes. These additional protocols allow the group to add a new participant or delete an existing one after the initial key distribution is completed, without a complete re-execution of the procedure.
This article also presents a rigorous elementary theoretical security analysis of our Megrelishvili key distribution schemes. The analysis is focused on the investigation of the multi-party Megrelishvili shared key problem (MMSKP), which was first addressed in [1]. We prove that MMSKP can be solved by means of finding the solution of several MVMP (Megrelishvili vector-matrix problem) instances. Furthermore, we show that the mutual secret key of the group can be computed efficiently if an attacker can express the sum of the secret exponents of the participants as a linear combination of the secret exponents excerpted from the transmission. By this result, we reason that our Megrelishvili key distribution procedures are at least as secure as the original two-party Megrelishvili key exchange.
The rest of this article is organized as follows. We present our linear algebra notations and terminologies in Section II. Next, we discuss some of our related works, e.g., the two-party and three-party Megrelishvili protocols and some of their characteristics, in Section III. The generalizations of the Megrelishvili protocol for key distribution and their analyses are explained in Section IV. Section V discusses our proposed membership modification protocols for two types of our key distribution procedure. The security of the protocols is then analyzed in Section VI. Finally, some of the important concluding remarks are summarized in Section VII.

II. LINEAR ALGEBRA NOTATIONS AND TERMINOLOGIES
Before we discuss some variants of Megrelishvili key distribution and their properties rigorously, we first explain some of our notations and terminologies in linear algebra over finite fields. We use similar notations as in [1], [12]-[14]. Throughout this paper, $\mathbb{F}_q$ denotes the finite field of $q$ elements and $\mathbb{F}_q^n$ denotes the $n$-dimensional vector space over $\mathbb{F}_q$. We use boldface lowercase letters (e.g., $\mathbf{v}$) to denote all vectors in $\mathbb{F}_q^n$ and boldface uppercase letters (e.g., $\mathbf{M}$) to denote all matrices over $\mathbb{F}_q$. The vectors are mostly considered and handled as row matrices, unless otherwise specified (e.g., in Section VI). Therefore, for any $\mathbf{v} \in \mathbb{F}_q^n$ and any $n \times n$ matrix $\mathbf{M}$ over $\mathbb{F}_q$, the expression $\mathbf{v}\mathbf{M}$ is well-defined and is a vector in $\mathbb{F}_q^n$. Moreover, the expression $\mathbf{v}\mathbf{M}$ is called a left-multiplication of $\mathbf{M}$ by $\mathbf{v}$, or equivalently, a right-multiplication of $\mathbf{v}$ by $\mathbf{M}$. The order of a nonsingular matrix $\mathbf{M}$ is the smallest positive integer $s$ that makes $\mathbf{M}^s = \mathbf{I}$, where $\mathbf{I}$ is the identity matrix. According to [15], the order of any $n \times n$ nonsingular matrix over $\mathbb{F}_q$ is always less than or equal to $q^n - 1$. Given $N$ invertible matrices $\mathbf{M}_1, \mathbf{M}_2, \ldots, \mathbf{M}_N$, we define
For convenience, we define the empty product of invertible matrices, that is $\prod_{k=i}^{j} \mathbf{M}_k$ with $i > j$, as the identity matrix.
Although for most of the paper the matrices and vector spaces are considered over a finite field, we utilize elementary linear algebra over the real field to discuss some theoretical security aspects of our protocols in Section VI. In this case, the vectors are typically considered and treated as column matrices. Thus, for any $\mathbf{v} \in \mathbb{R}^n$ and any $m \times n$ matrix $\mathbf{M}$ over $\mathbb{R}$, the expression $\mathbf{M}\mathbf{v}$ is well-defined and is a vector in $\mathbb{R}^m$.

A. Two-Party Megrelishvili Protocol, MVMP, and MSKP
The two-party Megrelishvili protocol is an example of a linear algebra-based variant of the Diffie-Hellman key exchange. The theoretical concept of this protocol was first discussed in [11] by R. Megrelishvili, M. Chelidze, and K. Chelidze. Since then, the study of this protocol has been conducted by numerous researchers (e.g., [1], [12]-[14], [16]-[19]). In this section, we briefly discuss the formal description of the generic two-party protocol using the notations used in [1], [12]-[14], [19]. The reader is referred to [12] for the discussion concerning the algorithm analyses and the comparison of the standard two-party Megrelishvili protocol to other prominent variants of the Diffie-Hellman key agreement.
The mutual secret key in the Megrelishvili protocol is a vector in $\mathbb{F}_q^n$. Before the key exchange between two participants takes place, a trusted third party chooses and publishes several public parameters, i.e., a finite field $\mathbb{F}_q$, a nonsingular matrix $\mathbf{M}$ of size $n \times n$ over $\mathbb{F}_q$, and a nonzero vector $\mathbf{v} \in \mathbb{F}_q^n$. The matrix $\mathbf{M}$ is chosen in such a way that its order is sufficiently large. One method to construct the public matrix $\mathbf{M}$ and the public nonzero vector $\mathbf{v}$ is discussed in [13]. The author in [13] suggested choosing $\mathbf{M}$ that is similar to a companion matrix of a primitive polynomial over $\mathbb{F}_q$. By using such $\mathbf{M}$, Theorem 3 in [13] ensures that the values of $\mathbf{v}\mathbf{M}^t$ are all nonzero and distinct for any nonzero vector $\mathbf{v} \in \mathbb{F}_q^n$ and $t \in [0, q^n - 2]$. The construction method for $\mathbf{M}$ and $\mathbf{v}$ in [13] also provides a maximal possible key space in the Megrelishvili protocol, i.e., any nonzero vector $\mathbf{w} \in \mathbb{F}_q^n$ can be expressed as $\mathbf{v}\mathbf{M}^t$ for some integer $t$.
Suppose the participants in the two-party Megrelishvili protocol are participant 1 ($P_1$) and participant 2 ($P_2$). To generate the mutual secret vector, each participant $i$ picks a secret integer $\alpha_i$ and constructs a private matrix $\mathbf{P}_i = \mathbf{M}^{\alpha_i}$. Afterward, each participant $i$ computes the vector $\mathbf{a}_i = \mathbf{v}\mathbf{P}_i$ and transmits this value to the other participant over an open channel. To retrieve the mutual vector, each participant right-multiplies the received vector by its own private matrix. Because $\mathbf{P}_1\mathbf{P}_2 = \mathbf{M}^{\alpha_1}\mathbf{M}^{\alpha_2} = \mathbf{M}^{\alpha_1+\alpha_2} = \mathbf{M}^{\alpha_1}\mathbf{M}^{\alpha_2} = \mathbf{P}_2\mathbf{P}_1$, we have $\mathbf{v}\mathbf{P}_1\mathbf{P}_2 = \mathbf{v}\mathbf{P}_2\mathbf{P}_1$, and thus the key exchange is completed. This protocol is summarized in Table I.
Since the exchange of vectors is performed over an open channel, the value of $\mathbf{a}_i = \mathbf{v}\mathbf{P}_i = \mathbf{v}\mathbf{M}^{t_i}$ is publicly known. Consequently, an attacker knows the values of $\mathbf{a}_1$ and $\mathbf{a}_2$. By observation, the attacker can acquire the mutual secret vector by solving the equation $\mathbf{a}_i = \mathbf{v}\mathbf{M}^{t_i}$ for $t_i$, where $i \in \{1, 2\}$, and then computing the value of $\mathbf{v}\mathbf{M}^{t_1+t_2}$ in a polynomial number of scalar operations in $\mathbb{F}_q$. Hence, from a mathematical perspective, the security of the Megrelishvili protocol strongly relates to the Megrelishvili vector-matrix problem (MVMP), that is, the problem of determining the value $t$ from the equation $\mathbf{v}\mathbf{M}^t = \mathbf{w}$ where $\mathbf{M}$ is a nonsingular matrix and both $\mathbf{v}$ and $\mathbf{w}$ are vectors of compatible size [1], [12]-[14]. However, the actual objective of the attacker is to solve the Megrelishvili shared key problem (MSKP), that is, the problem of computing the vector $\mathbf{v}\mathbf{M}^{t_1+t_2}$ from the known values of $\mathbf{v}\mathbf{M}^{t_1}$ and $\mathbf{v}\mathbf{M}^{t_2}$ [1], [14]. It is evident that the attacker can solve the MSKP by solving the MVMP first. Moreover, if the attacker has retrieved the values of $t_1$ and $t_2$, then the value $\mathbf{v}\mathbf{M}^{t_1+t_2}$ can be computed in a polynomial number of scalar operations in $\mathbb{F}_q$. This condition also implies that the MSKP is not computationally harder than the MVMP. Nevertheless, to our knowledge, the formal relationship between MVMP and MSKP has not been comprehensively explored.

Setup for public parameters
A trusted third party announces: a finite field $\mathbb{F}_q$, a (large) integer $n$, an $n \times n$ nonsingular matrix $\mathbf{M}$ over $\mathbb{F}_q$, and a nonzero vector $\mathbf{v} \in \mathbb{F}_q^n$.
Generation of the private matrices
Participant 1 ($P_1$) | Participant 2 ($P_2$)
Pick an integer $\alpha_1$.
Mutual secret key retrieval Participant 1 (P 1 ) Participant 2 The common secret vector is a 1 = a 2 .
One straightforward method to solve the MVMP is by using the brute-force (exhaustive search) attack described in [12]-[14]. If the order of the public matrix $\mathbf{M}$ is known, the attacker simply computes the sequence of vectors $\mathbf{v}\mathbf{M}^0, \mathbf{v}\mathbf{M}^1, \ldots, \mathbf{v}\mathbf{M}^b$, where $b$ is the order of $\mathbf{M}$. However, if the order of the public matrix is unknown, the attacker can assume that the order of $\mathbf{M}$ is maximal, i.e., $b = q^n - 1$. The brute-force method can solve the MVMP in $\mathbb{F}_q^n$ using $O(n^3 \cdot q^n)$ scalar operations under the assumption that the standard $O(n^3)$ matrix multiplication algorithm is used for exponentiating the matrix and the order of the public matrix is bounded by $q^n - 1$. Besides this straightforward approach, there exists a non-trivial method for solving the MVMP using the collision algorithm described in [14]. Under the same assumption, this algorithm requires at most $O(\log q \cdot n^4 \cdot q^{n/2})$ scalar operations for solving the MVMP in $\mathbb{F}_q^n$, which means that it is faster than the exhaustive search attack by a factor of $O\left((1/(n \log q)) \cdot q^{n/2}\right)$. Nevertheless, the collision algorithm requires more storage during its execution [14].
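The following added example (not code from the paper or from [12]-[14]) runs the two-party exchange and the exhaustive-search solution of the MVMP on constructed toy parameters, and shows how a low-order public matrix collapses the search space. The field $\mathbb{F}_3$, the matrices, the vector and all function names are assumptions chosen for illustration.

```python
# Constructed toy parameters (not from the paper): q = 3, n = 3.
Q = 3
# Companion matrix of x^3 + 2x + 1, a primitive polynomial over F_3,
# so its order is the maximal value q^n - 1 = 26.
M = [[0, 0, 2],
     [1, 0, 1],
     [0, 1, 0]]
# A deliberately poor choice: 2*I has order 2 over F_3.
WEAK_M = [[2, 0, 0],
          [0, 2, 0],
          [0, 0, 2]]
V = [1, 0, 0]  # public nonzero row vector


def vec_mat(v, m, q=Q):
    """Right-multiply the row vector v by the matrix m over F_q."""
    return [sum(x * c for x, c in zip(v, col)) % q for col in zip(*m)]


def walk(v, m, t):
    """Return v * m^t by t successive right-multiplications.

    Adequate for toy sizes only; a real participant would compute the
    private matrix m^t once by fast exponentiation.
    """
    for _ in range(t):
        v = vec_mat(v, m)
    return v


def orbit_length(v, m):
    """Smallest s > 0 with v * m^s == v (number of distinct vectors v * m^t)."""
    w, s = vec_mat(v, m), 1
    while w != v:
        w, s = vec_mat(w, m), s + 1
    return s


def solve_mvmp(v, m, w, bound):
    """Exhaustive search for t in [0, bound) with v * m^t == w, else None."""
    cur = list(v)
    for t in range(bound):
        if cur == w:
            return t
        cur = vec_mat(cur, m)
    return None


def two_party_exchange(alpha1, alpha2):
    """Return the public vectors a_1, a_2 and the mutual secret vector."""
    a1, a2 = walk(V, M, alpha1), walk(V, M, alpha2)
    key1, key2 = walk(a2, M, alpha1), walk(a1, M, alpha2)
    assert key1 == key2  # both sides hold v * M^(alpha1 + alpha2)
    return a1, a2, key1


def key_from_transcript(a1, a2):
    """Solve two MVMP instances, then the MSKP, from public values only."""
    bound = Q ** len(V) - 1  # assume maximal order when it is unknown
    t1 = solve_mvmp(V, M, a1, bound)
    t2 = solve_mvmp(V, M, a2, bound)
    return walk(V, M, t1 + t2)


if __name__ == "__main__":
    a1, a2, key = two_party_exchange(7, 17)
    print("shared key:", key, "recovered:", key_from_transcript(a1, a2))
    print("orbit sizes:", orbit_length(V, M), orbit_length(V, WEAK_M))
```

The search terminates within 26 steps here only because $q^n - 1$ is tiny; the orbit of size 2 under `WEAK_M` is the failure mode that the companion-matrix construction of [13] rules out.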

B. Three-Party Megrelishvili Protocol
In this section, we explain the extension of the two-party Megrelishvili protocol to a group containing three members, namely $P_0$, $P_1$, and $P_2$. This relatively straightforward extension was first discussed in [1] and it uses identical public parameters as in the two-party key exchange. Like the two-party protocol, each member $P_i$ initially generates a private matrix $\mathbf{P}_i$ by choosing an integer $\alpha_i$ and setting $\mathbf{P}_i = \mathbf{M}^{\alpha_i}$.
The key exchange for three members consists of two rounds (or stages) of transmissions. We define $\mathbf{a}_i^j$ as a vector computed by $P_i$ at round $j$. At the beginning, each $P_i$ calculates $\mathbf{a}_i^0 = \mathbf{v}\mathbf{P}_i$. In the first round, each $P_i$ sends $\mathbf{a}_i^0$ to $P_{(i+1) \bmod 3}$. This means $P_0$ sends $\mathbf{a}_0^0$ to $P_1$, $P_1$ sends $\mathbf{a}_1^0$ to $P_2$, and $P_2$ sends $\mathbf{a}_2^0$ to $P_0$. Each member $P_i$ then right-multiplies the vector received by its own private matrix; the resulting vector is denoted by $\mathbf{a}_i^1$. Notice that we have $\mathbf{a}_0^1 = \mathbf{a}_2^0\mathbf{P}_0 = \mathbf{v}\mathbf{P}_2\mathbf{P}_0$, $\mathbf{a}_1^1 = \mathbf{a}_0^0\mathbf{P}_1 = \mathbf{v}\mathbf{P}_0\mathbf{P}_1$, and $\mathbf{a}_2^1 = \mathbf{a}_1^0\mathbf{P}_2 = \mathbf{v}\mathbf{P}_1\mathbf{P}_2$. In the second round, each $P_i$ sends $\mathbf{a}_i^1$ to the identical recipient as in the first round. To retrieve the mutual key, each member simply right-multiplies the vector received by its own private matrix. At this point, we have and $\mathbf{P}_1\mathbf{P}_2\mathbf{P}_0 = \mathbf{P}_2\mathbf{P}_0\mathbf{P}_1 = \mathbf{P}_0\mathbf{P}_1\mathbf{P}_2 = \mathbf{M}^{\alpha_0+\alpha_1+\alpha_2}$. This protocol is summarized in Table II. We refer the reader to [1, Example 1] for a small computational example of this protocol.
Setup for public parameters
The public parameters are identical to those described for the two-party protocol.
Generation of the private matrices
Participant 0 ($P_0$) | Participant 1 (P
TABLE II: Megrelishvili key distribution for three members as explained in [1].

IV. SOME GENERALIZATIONS OF MEGRELISHVILI PROTOCOL FOR GROUP KEY DISTRIBUTION
This section discusses four different generalizations of the Megrelishvili protocol for a group of $N$ participants and their elementary characteristics. The first two schemes have also been discussed in [1]. Our idea is based on the extension of the generic two-party Diffie-Hellman key exchange to group communication explained in [5].

A. Generic Multi-Party Megrelishvili Key Distribution
We first discuss a straightforward generalization of the three-party Megrelishvili protocol previously explained in Section III-B to a group of $N$ members. This procedure was first described in [1] and it uses the same public parameters as in the two-party and the three-party protocols. Suppose the members of the group are $P_0, P_1, \ldots, P_{N-1}$. At the beginning, each member $P_i$ selects a secret integer $\alpha_i$ and computes the private matrix $\mathbf{P}_i = \mathbf{M}^{\alpha_i}$. If $\mathbf{M}$ is an $n \times n$ matrix over $\mathbb{F}_q$ of maximal order, the value of $\alpha_i$ can be drawn randomly from the integers in $[0, q^n - 2]$. One objective of the protocol is to ensure that each member eventually obtains the mutual vector $\mathbf{v}\mathbf{M}^s$ where s =
To establish the mutual secret key, initially the members are arranged in a circular configuration as in [3]. With this configuration, each participant $P_i$ always transmits its messages to participant $P_{(i+1) \bmod N}$. The protocol uses $N-1$ rounds of vector transmission to establish the mutual secret key. To facilitate our analysis, let $\mathbf{a}_i^j$ be a vector computed by $P_i$ at round $j$ where $0 \le i, j \le N-1$. Before the key exchange occurs, each member $P_i$ calculates $\mathbf{a}_i^0 = \mathbf{v}\mathbf{P}_i$. In the first round, $P_i$ transmits $\mathbf{a}_i^0$ to $P_{(i+1) \bmod N}$, and subsequently computes $\mathbf{a}_i^1 = \mathbf{a}_{(i-1) \bmod N}^0\mathbf{P}_i$. In general, at round $j$ where $1 \le j \le N-1$, participant $P_i$ sends $\mathbf{a}_i^{j-1}$ to $P_{(i+1) \bmod N}$ and calculates $\mathbf{a}_i^j = \mathbf{a}_{(i-1) \bmod N}^{j-1}\mathbf{P}_i$. The uniformity of the mutual secret vectors in this protocol originates from the commutativity of the private matrices' product. This means the product $\prod_{i \in [0, N-1]} \mathbf{P}_i$ is the same regardless of the order of the matrices. Using mathematical induction, we can prove that a j i = a j−1 (i−1) mod for all $0 \le i \le N-1$. The last equality in (5) ensures that each participant gets an identical vector after $N-1$ rounds of message transmission. The reader may refer to [1, Theorem 1] for a more detailed explanation regarding the correctness proof of this protocol.
We summarize the protocol in Table III and present its simulation procedure in Algorithm 1. By observation, each member in the protocol only performs one matrix exponentiation, for computing the private matrix during the initialization step. Hence, this generic multi-party Megrelishvili protocol differs from the conventional multi-party DHKE in [3], where exponentiation is always performed in each of the rounds. The most extensively used operation in this protocol is the right-multiplication (i.e., the vector-matrix multiplication), which can be performed using $O(n^2)$ scalar operations in $\mathbb{F}_q$.

Setup for public parameters
The public parameters are identical to those described for the two-party protocol.
Generation of the private matrices
For all $0 \le i \le N-1$, each participant $P_i$ selects a random integer $\alpha_i$ and generates the private matrix
The values $\alpha_i$ and $\mathbf{P}_i$ are both private.

TABLE III: A straightforward extension of Megrelishvili protocol for $N$ participants as described in [1].
Algorithm 1 A procedure for simulating the generic multi-party Megrelishvili protocol as in [1].
Require: Public parameters as explained in Table III
for $i \leftarrow 0$ to $N-1$ do // $N$ group members
    $P_i$ sends $\mathbf{a}_i^{j-1}$ to $P_{(i+1) \bmod N}$ // message transmission to $P_{i+1}$
end for
end for
Ensure: The value of $\mathbf{a}_i^{N-1}$ is the mutual key, which is identical for every participant
The generic key distribution procedure in Table III uses $N-1$ rounds of message transmission to establish a mutual vector for $N$ group members. This protocol also requires a prearranged initial circular configuration before the key exchange occurs. The configuration is compulsory because every member in the group always transmits its messages to the same predetermined recipient at any round. From Table III, this configuration also implies that each member performs uniform steps in each of the rounds. By observation, each member sends $N-1$ messages, performs $N$ right-multiplications, and receives $N-1$ messages in the entire process. Additionally, the scheme also implies that the total number of right-multiplications in the entire key exchange is $N^2$. We summarize some of the important characteristics of this protocol as follows:
1) total rounds: $N-1$
2) total messages sent per member: $N-1$
3) total messages received per member: $N-1$
4) total right-multiplications (vector-matrix multiplications) per member: $N$
5) total messages in the entire protocol: $N(N-1)$
6) total right-multiplications in the entire protocol: $N^2$.

B. Megrelishvili Key Distribution with Upflow-Downflow Rounds
The protocol described in Table III has several drawbacks. Firstly, it needs an a priori ordering of the group members. Among $N$ members $P_0, P_1, \ldots, P_{N-1}$, this ordering is required because participant $P_i$ always sends its messages to participant $P_{(i+1) \bmod N}$. Secondly, this protocol needs $N-1$ rounds of key exchange to establish the mutual secret vector. This section discusses a Megrelishvili key distribution which uses only two rounds, i.e., the upflow and downflow rounds, which was first proposed in [1]. This procedure is adapted from the GDH.1 scheme for the Diffie-Hellman key distribution explained in [5]. The public parameters used in this protocol are identical to those used in the previous one.
The aim of the upflow stage is to gather the contribution of each participant. Initially, for each $0 \le i \le N-1$, participant $P_i$ constructs the private matrix $\mathbf{P}_i$. The upflow round is initiated by $P_0$ by computing the vector $\mathbf{v}\mathbf{P}_0$ and sending the upflow list $U = [\mathbf{v}\mathbf{P}_0]$ to $P_1$. Participant $P_1$ then right-multiplies the last value in $U$ by $\mathbf{P}_1$ (i.e., calculating $\mathbf{v}\mathbf{P}_0\mathbf{P}_1$) and updates the upflow list by appending the resulting vector (i.e., $\mathbf{v}\mathbf{P}_0\mathbf{P}_1$) to $U$. Next, $P_1$ sends the updated upflow list $U = [\mathbf{v}\mathbf{P}_0, \mathbf{v}\mathbf{P}_0\mathbf{P}_1]$ to $P_2$. In general, for each $1 \le i \le N-2$, participant $P_i$ right-multiplies the last value in $U$ (i.e., $\mathbf{v}\prod_{k=0}^{i-1}\mathbf{P}_k$) by $\mathbf{P}_i$ and attaches the result to the previous list. This implies that each participant $P_i$ with $0 \le i \le N-2$ always sends the upflow list $U = [\mathbf{v}\prod_{k=0}^{j}\mathbf{P}_k : 0 \le j \le i]$ to participant $P_{i+1}$. At the end of the upflow stage, participant $P_{N-1}$ receives the upflow list $U = [\mathbf{v}\prod_{k=0}^{j}\mathbf{P}_k : 0 \le j \le N-2]$. The mutual key $\mathbf{v}\prod_{k=0}^{N-1}\mathbf{P}_k$ can be retrieved by $P_{N-1}$ simply by right-multiplying the last element of $U$ by $\mathbf{P}_{N-1}$.
The purpose of the downflow stage is to distribute an appropriate vector to each participant so that each of them can compute the mutual secret key. The downflow stage consists of successive message transmissions from $P_i$ to $P_{i-1}$ for $i \in [1, N-1]$ in reverse order. Participant $P_{N-1}$ initiates the downflow stage by constructing the initial downflow list $D$, where and then sends this list to $P_{N-2}$. After that, $P_{N-2}$ pops the last element of $D$ and right-multiplies this element by $\mathbf{P}_{N-2}$ to retrieve the key. Observe that due to the commutativity of the private matrices' product. Next, $P_{N-2}$ updates the list by right-multiplying In general, for $i \in [1, N-2]$ in reverse order, $P_i$ pops the last element of the downflow list $D$ from $P_{i+1}$, i.e., v P k and retrieves the mutual key by right-multiplying this vector by $\mathbf{P}_i$; notice that the equality in (13) follows from the commutativity of the matrices' product. Subsequently, $P_i$ updates $D$ by right-multiplying the remaining $i$ vectors by $\mathbf{P}_i$, yielding the list and sends this list to $P_{i-1}$. At the end of the downflow round, $P_0$ obtains the following list $D$ from $P_1$ To get the mutual secret vector, $P_0$ simply right-multiplies the only element in $D$ by $\mathbf{P}_0$. We summarize this protocol in Table IV and present its simulation procedure in Algorithm 2.
Setup for public parameters
The public parameters are identical to those described for the two-party protocol.
Generation of the private matrices
The procedure for generating the private matrices is identical to the procedure described in Table III.
Upflow round
Initialization for the upflow list: $P_0$ constructs the list $U = [\mathbf{v}\mathbf{P}_0]$ and sends $U$ to $P_1$.
For all $1 \le i \le N-2$:
(i) $P_i$ reads the last element of $U$ and right-multiplies it by $\mathbf{P}_i$
(ii) $P_i$ appends the right-multiplication result in (i) to $U$
(iii) $P_i$ transmits $U$ to $P_{i+1}$
Mutual key retrieval for $P_{N-1}$: $P_{N-1}$ reads the last element of $U$ and right-multiplies it by $\mathbf{P}_{N-1}$; the result is the mutual secret key (see (13) and (14)).
Downflow rounds
Initialization for the downflow list: $P_{N-1}$ constructs the initial downflow list as in (7) and sends $D$ to $P_{N-2}$.
For all $0 \le i \le N-2$ in reverse order:
(i) $P_i$ pops the last element of $D$ and right-multiplies it by $\mathbf{P}_i$; the result is the mutual secret key (see (13) and (14))
(ii) if $i \neq 0$, $P_i$ right-multiplies each of the remaining $i$ elements in $D$ by $\mathbf{P}_i$ and transmits $D$ to $P_{i-1}$
TABLE IV: Megrelishvili group key distribution with upflow-downflow rounds as in [1].

Muhammad Arzaki
Algorithm 2 A procedure for simulating the Megrelishvili key distribution using upflow-downflow rounds as in [1].
Require: Public parameters as explained in Table IV
    $P_i$ sends $U$ to $P_{i+1}$
end for
key for // key retrieval for $P_{N-1}$
$P_{N-1}$ constructs $D$ as in Equation (7) and transmits $D$ to $P_{N-2}$
for $i \leftarrow N-2$ down to $0$ do // downflow round
    // popping the last element of the list
    end if
end for
Ensure: Each participant has an identical secret key.
Unlike the generic multi-party Megrelishvili key distribution scheme in Section IV-A, the Megrelishvili key distribution procedure with upflow-downflow rounds does not require a predefined circular ordering of the group members. Moreover, each participant in this upflow-downflow scheme performs a different computation depending on its order in a linear configuration of the members. This property also allows the completion of the key distribution in two rounds.
The correctness of this protocol is derived from the property that the matrices $\mathbf{P}_0, \mathbf{P}_1, \ldots, \mathbf{P}_{N-1}$ commute. This implies that the right-multiplication procedure in (13) always produces the same vector for every member of the group. The reader is referred to [1, Theorem 2] for the formal proof regarding the correctness of the Megrelishvili protocol with upflow-downflow rounds.
The upflow-downflow scheme allows a distribution of the mutual secret key using only two rounds, i.e., the upflow and downflow rounds, regardless of the number of participants within the group. Moreover, unlike the generic scheme in Section IV-A, this scheme does not need a prior circular synchronization of the group members. However, each group member performs a different computational procedure that depends on its appearance during the upflow round. During the upflow stage, $P_i$ performs one vector-matrix multiplication and updates the previous list with the resulting value. At the end of the upflow round, the last participant retrieves the mutual key by right-multiplying the last element in the upflow list by its own private matrix. Consequently, there are $N$ vector-matrix multiplications in total during the upflow round and the key retrieval for $P_{N-1}$.
The downflow stage consists of sequential message transmission in reverse order from that of the upflow stage. From Table IV, we know that each $P_i$ for $1 \le i \le N-1$ performs $i$ vector-matrix multiplications before it sends the downflow list to $P_{i-1}$. In addition, each $P_i$ for $0 \le i \le N-2$ performs a vector-matrix multiplication to retrieve the mutual key. Thus, each $P_i$ for $0 \le i \le N-2$ performs $i+1$ right-multiplications during the downflow round, and consequently the total number of right-multiplications performed by all $P_i$ for $0 \le i \le N-2$ in this round is $\sum_{i=0}^{N-2}(i+1) = N(N-1)/2$. Since $P_{N-1}$ performs $N-1$ right-multiplications at the beginning of the downflow stage, the total number of right-multiplications performed by all participants during the downflow stage is From the previous analysis, the total number of right-multiplications within the protocol described in Table IV is which is $(N^2 - 3N + 2)/2$ multiplications fewer than that in the generic procedure in Section IV-A. In summary, the Megrelishvili key distribution with upflow-downflow scheme has the following computational properties:
1) total rounds: 2 (upflow and downflow)
2) total messages sent per member: 2 for $P_i$ with $0 < i < N-1$ (each contains $i+1$ vectors during the upflow stage and $i$ vectors during the downflow stage); 1 for $P_0$ and $P_{N-1}$ ($P_0$ sends one vector while $P_{N-1}$ sends $N-1$ vectors)
3) total messages received per member: 2 for $P_i$ with $0 < i < N-1$ (each contains $i$ vectors during the upflow stage and $i+1$ vectors during the downflow stage); 1 for $P_0$ and $P_{N-1}$ ($P_0$ receives one vector while $P_{N-1}$ receives $N-1$ vectors)
4) total right-multiplications (vector-matrix multiplications) per member: $i+2$ for $P_i$ with $0 \le i < N-1$; $N$ for $P_{N-1}$
5) total messages in the entire protocol: $2(N-1)$ with varying size from one to $N-1$ vectors
6) total right-multiplications in the entire protocol: $(N^2 + 3N - 2)/2$.

C. Megrelishvili Key Distribution with Upflow-Broadcast Rounds
The key distribution protocol with upflow-downflow rounds in Section IV-B allows a group to agree on a mutual secret key using only two rounds of messages transmission.The first round is the upflow round whose purpose is to collect the contribution of each group member.The second round is the downflow round whose objective is to distribute vectors to every participant.Each round contains a sequence of messages transmission between two adjacent participants.Suppose we consider a group of N members P 0 , P 1 , . . ., P N −1 .During the upflow round P i always transmits its messages to P i+1 for 0 ≤ i ≤ N − 2. The downflow round works in reverse direction to that of the upflow round, i.e., participant P i always sends its messages to P i−1 for 1 ≤ i ≤ N − 1 in reverse order.Unlike the generic Megrelishvili key distribution scheme in Section IV-A, the participants in the key distribution with upflow-downflow scheme cannot retrieve the mutual secret key simultaneously.From observation, the key retrieval must be done sequentially from P N −1 to P 0 with P i is the (N − i)-th participant to retrieve the key.That is, the first member to retrieve the key is P N −1 , whereas the last member to retrieve the key is P 0 .
In this section, we propose a two-stage Megrelishvili key distribution that allows a simultaneous key retrieval for almost all of the group members.This scheme is adapted from GDH.2 scheme for the Diffie-Hellman key distribution with upflow and broadcast rounds described in [5].The first stage is the upflow stage that is similar to the upflow round explained in the previous protocol.The aim of this stage is to collect the contribution of each participant.At the end of this stage P N −1 retrieves the mutual key by right-multiplying a particular vector by its private matrix.The second stage is the broadcast stage whose aim is to distribute appropriate vector to each participant.Unlike the downflow round in Section IV-B, the distribution of the vectors is performed by broadcast method.In this stage, P N −1 constructs a list B of N − 1 vectors and then broadcasts this list to all other group members.Every member except P N −1 uses the list B to simultaneously perform a specific vector-matrix multiplication for retrieving the mutual secret vector.
Suppose there are N participants P 0 , P 1 , . . ., P N −1 whose corresponding private matrices are P 0 , P 1 , . . ., P N −1 , respectively.To commence the upflow stage, P 0 creates the upflow list U = [vP 0 ] and sends this list to P 1 .Next, P 1 uses the list U to construct the updated list U = [vP 0 P 1 , vP 0 , vP 1 ] and subsequently sends U to P 2 .Participant P 2 then constructs the updated list U of four elements where the first element of the new U is the first element in the previous list right-multiplied by P 2 , the second element of the new U is the first element in the previous list, and the two remaining elements of the new U are respectively the third and the last elements in the previous U right-multiplied by P 2 .In other words, P 2 produces the updated list U = [vP 0 P 1 P 2 , vP 0 P 1 , vP 0 P 2 , vP 1 P 2 ] and subsequently sends U to P 3 .In general, suppose P i where 2 ≤ i ≤ N − 2 receives the upflow list U old of length i + 1 from P i−1 .Participant P i uses U old to create the updated list U new of length i + 2 using the following rules: In other words, if P i−1 sends the upflow list We now prove the following lemma.
Lemma 1 For any 2 ≤ i ≤ N − 1, participant P i receives the list U of length i + 1 from P i−1 where Proof: We prove the lemma by induction on i and we use the rules ( 18), (19), and (20).For i = 2, (21) tells us that P 2 receives the following list which conforms to the aforementioned description that P 1 sends U = [vP 0 P 1 , vP 0 , vP 1 ] to P 2 .Assume that (21) holds for P i−1 , that is, P i−1 receives the following list U old from P i−2 Notice that for 1 We shall prove that (21) holds for P i .Suppose U new is the updated list sent by P i−1 to P i .By rules (18), (19), and (20), we have Consequently, we obtain which is consistent to (21), and thus the proof is complete.
From Lemma 1, we infer that P N −1 receives the list The broadcast list B is transmitted by P N −1 to all remaining members simultaneously.The mutual key retrieval by P i for 0 ≤ i ≤ N − 2 is performed by calculating the vector B [N − 2 − i] • P i .In practice, P N −1 may send unique vector that correlates to the mutual key computation for each of the other members.That is, We present the summary of this protocol in Table V and its simulation procedure in Algorithm 3. The correctness of this key distribution scheme is derived from the property that the product k∈[0,N −1] P k is always the same regardless the order of the matrices.This condition happens because the private matrices P 0 , P 1 , . . ., P N −1 commute.We prove the correctness of this protocol in Theorem 1.
Theorem 1 At the end of the broadcast round, each group member in the upflow-broadcast Megrelishvili key distribution scheme described in Table V gets an identical vector as its mutual secret key.
Proof: By Lemma 1, $P_{N-1}$ receives the upflow list Next $P_{N-1}$ constructs the broadcast list $B$ using (26). By observation, we have the equality in (31) comes from the commutativity of matrices' product. Therefore, we conclude that each member $P_i$ ($0 \le i \le N-1$) gets an identical mutual vector at the end of the broadcast round.
The upflow-broadcast scheme combines the benefits of the generic scheme in Section IV-A and the upflow-downflow scheme in Section IV-B. Specifically, it provides a two-stage key distribution whilst allowing a simultaneous mutual key retrieval for almost all participants. Additionally, the upflow-broadcast scheme does not need a predetermined configuration of the group members before the key distribution occurs. However, the computational burden for each participant is different and it depends on the participant's order during the upflow stage.
By observation, each participant $P_i$ ($0 \le i \le N-2$) carries out $i+1$ vector-matrix multiplications during the upflow round. Thus, the total number of this operation in the upflow round is For the next step, participant $P_{N-1}$ performs one right-multiplication for retrieving the mutual key and $N-1$ right-multiplications for constructing the broadcast list. Finally, each participant $P_i$ ($0 \le i \le N-2$) retrieves the mutual key by performing one vector-matrix multiplication. Thus, the total number of right-multiplications for the mutual key retrieval in the entire procedure is $N$. Therefore, the total number of vector-matrix multiplications in the entire scheme is which is equal to (17). This implies that the total number of operations in the upflow-broadcast scheme is identical to that of the upflow-downflow scheme. The Megrelishvili key distribution with upflow-broadcast scheme has the following characteristics:
1) total rounds: 2 (upflow and broadcast)
(one during the upflow round, one during the response round, and one for the mutual key retrieval), $N$ for $P_{N-1}$.
5) total messages in the entire protocol: $2N$ with varying size from one to $N-1$ vectors
6) total right-multiplications in the entire protocol: $4N-3$.
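The upflow and broadcast rounds described above can be simulated directly. The following Python sketch is an added example, not the paper's Algorithm 3: the upflow rule is taken from the worked lists for $P_1$ and $P_2$ in the text, and the prime modulus, public matrix, vector and exponents are constructed toy values.

```python
P_MOD = 101  # constructed toy prime; far too small for real use

def mat_mul(A, B):
    n = len(A)
    return [[sum(A[i][k] * B[k][j] for k in range(n)) % P_MOD
             for j in range(n)] for i in range(n)]

def mat_pow(M, e):
    """Square-and-multiply: the private matrix P_i = M^alpha_i."""
    R = [[int(i == j) for j in range(len(M))] for i in range(len(M))]
    while e:
        if e & 1:
            R = mat_mul(R, M)
        M, e = mat_mul(M, M), e >> 1
    return R

def vec_mat(v, A):
    """Right-multiply the row vector v by the matrix A."""
    return tuple(sum(v[k] * A[k][j] for k in range(len(v))) % P_MOD
                 for j in range(len(v)))

def upflow_broadcast(v, M, alphas):
    """Simulate one run; return (keys, per-participant upflow multiplication counts)."""
    N = len(alphas)
    if N < 3:
        raise ValueError("this sketch covers N >= 3")
    P = [mat_pow(M, a) for a in alphas]
    counts = [0] * N

    def mul(i, w):               # one right-multiplication done by participant i
        counts[i] += 1
        return vec_mat(w, P[i])

    U = [mul(0, v)]                                   # P_0 sends [vP0]
    U = [mul(1, U[0]), U[0], mul(1, v)]               # P_1 sends [vP0P1, vP0, vP1]
    for i in range(2, N - 1):                         # general upflow rule
        U = [mul(i, U[0]), U[0]] + [mul(i, w) for w in U[1:]]
    upflow_counts = counts[:N - 1]

    last = N - 1
    keys = [None] * N
    keys[last] = mul(last, U[0])                      # key of P_{N-1}
    B = [mul(last, U[j + 1]) for j in range(N - 1)]   # drop U[0], shift, multiply
    for i in range(N - 1):
        keys[i] = mul(i, B[N - 2 - i])                # B[N-2-i] * P_i
    return keys, upflow_counts

# Constructed sample parameters (assumptions, not values from the paper).
V = (1, 2, 3)
M_PUB = [[2, 3, 1], [1, 0, 4], [5, 1, 1]]
ALPHAS = [5, 11, 7, 13, 3]

if __name__ == "__main__":
    keys, counts = upflow_broadcast(V, M_PUB, ALPHAS)
    print("all keys equal:", len(set(keys)) == 1, "| upflow counts:", counts)
```

Every participant ends with $vM^{\alpha_0 + \cdots + \alpha_{N-1}}$, and the recorded upflow counts match the $i+1$ multiplications stated for $P_i$.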

V. PROTOCOLS FOR GROUP MEMBERSHIP MODIFICATION
All schemes in Section IV assume that the members of the group are determined prior to the execution of the protocols. However, sometimes it is necessary to insert a new participant or delete an existing one after the key distribution is completed. In practice, it is desirable to do so without having to re-execute the process all over again. In this section, we concisely propose the procedures for inserting a new group member and removing an existing one for the upflow-broadcast scheme and the upflow-broadcast-response scheme. We choose these schemes due to their efficient nature in the key distribution process. Our procedures are inspired by the similar group membership alteration protocols explained in [5].

A. Protocols for a New Participant Insertion
Suppose initially there are $N$ participants labeled as $P_0, P_1, \ldots, P_{N-1}$ who have completed a key distribution using the upflow-broadcast scheme. The formation of a new mutual key for $N+1$ participants, which consist of the original $N$ members and a new member labeled as $P_N$, needs to satisfy two specifications. First, the group does not need to re-run the key distribution anew. Second, the previous mutual key for $N$ group members should remain secret from outsiders as well as $P_N$. In the upflow-broadcast scheme, these intentions can be achieved using the following protocols:
and $P_{N-1}$ subsequently sends this list to $P_N$.
4) Next, $P_N$ chooses an integer $\alpha_N$, generates $P_N = M^{\alpha_N}$, and computes a) v for the broadcast list.
5) After receiving the broadcast message from $P_N$, each participant $P_i$ with $0 \le i \le N-1$ then computes the mutual key by right-multiplying $B[N-1-i]$ by its own private matrix.
Member insertion in the upflow-broadcast-response scheme is almost identical to that in the upflow-broadcast scheme. Suppose there are $N$ initial participants labeled as $P_0, P_1, \ldots, P_{N-1}$ and a new participant labeled as $P_N$. The protocol for inserting a new member has to comply with the efficiency and security aspects as described previously for the upflow-broadcast scheme. These intentions can be accomplished in the following steps:
1) We assume that $P_{N-1}$ keeps the message from $P_{N-2}$ (that is, the vector v
4) We assume that participant $P_N$ chooses an integer $\alpha_N$ and uses $P_N = M^{\alpha_N}$ as its private matrix.
5) After receiving the list R from $P_{N-1}$, participant $P_N$ right-multiplies each vector in R by $P_N$ and defines the resulting list as the broadcast list $B$. This list is then broadcast to all remaining group members.
6) For the key retrieval, $P_N$ simply right-multiplies the vector $v \prod_{k=0}^{N-2} P_k \hat{P}_{N-1}$ by $P_N$ while each of the other group members computes the mutual key by right-multiplying the vector $B[i]$ by its own private matrix (i.e., participant

B. Protocols for an Existing Participant Removal
We consider a group of $N$ members $P_0, P_1, \ldots, P_{N-1}$ who have completed a key distribution using the upflow-broadcast scheme. Suppose the group wants to remove a member $P_r$ for some $0 \le r \le N-1$. The formation of a new mutual key for $N-1$ participants needs to fulfil two properties. First, the group does not need to re-run the key distribution all over again. Second, the new mutual key for the initial $N$ members should remain secret from outsiders as well as $P_r$. In the following member removal protocol for the upflow-broadcast scheme, we assume that $r \neq N-1$. The key agreement steps are as follows:
4) In the case that $P_r$ (for some $0 \le r \le N-2$) is detached from the group, $P_{N-1}$ needs to ensure that only $P_i$ with $0 \le i \le N-1$ and $i \neq r$ can retrieve the new mutual key. Thus, $P_{N-1}$ defines a broadcast list $B$ of length $N-1$ as follows: Subsequently, $P_{N-1}$ broadcasts this list to all other group members. Observe that (39) is analogous to (26).
5) The key retrieval for $P_i$ with $0 \le i \le N-2$ and $i \neq r$ is performed by calculating $B[N-2-i] \cdot P_i$.
In this case, we have This procedure ensures that the removed member $P_r$ is unable to compute the new mutual key because the vector $v \prod_{k=0, k \neq r}^{N-2} P_k \cdot \hat{P}_{N-1}$ is missing from the list. In particular, the operation $B[N-2-r] \cdot P_r$ yields $vP_r$. In the event that $P_{N-1}$ is removed from the group, $P_{N-2}$ assumes the role of the last participant as explained earlier.
Member removal in the upflow-broadcast-response scheme is very similar to that in the upflow-broadcast scheme. Suppose there are $N$ initial participants labeled as $P_0, P_1, \ldots, P_{N-1}$ and the group wants to remove $P_r$ for some $0 \le r \le N-1$. The protocol for removing a member needs to fulfil the efficiency and security requirements as described previously for the upflow-broadcast scheme. If $r \neq N-1$, these purposes can be attained using the following steps: The new mutual key is $v \prod_{k=0}^{N-2} P_k \hat{P}_{N-1}$.
4) In the case that $P_r$ (for some $0 \le r \le N-2$) is removed from the group, $P_{N-1}$ needs to ensure that only $P_i$ with $0 \le i \le N-1$ and $i \neq r$ can retrieve the new mutual key. Thus, $P_{N-1}$ defines a broadcast list $B$ of length $N-1$ as follows: Afterward, $P_{N-1}$ broadcasts this list to all other group members. Observe that (39) is analogous to the definition of the ordinary broadcast list in Table VI.
5) The key retrieval for $P_i$ with $0 \le i \le N-2$ and $i \neq r$ is performed by calculating $B[i] \cdot P_i$. In this case, we have This procedure ensures that the removed member $P_r$ is unable to compute the new mutual key because the vector $v \prod_{k=0, k \neq r}^{N-2} P_k \cdot \hat{P}_{N-1}$ is missing from the list. In particular, we have $B[r] \cdot P_r = vP_r$. In the event that $P_{N-1}$ is removed from the group, $P_{N-2}$ assumes the role of the last participant as explained earlier.

VI. ELEMENTARY THEORETICAL SECURITY ANALYSIS
One important security requirement for the key distribution protocols in Section IV and Section V is the secrecy of the mutual group key created. The protocols must ensure that no outsider can recover the mutual key easily. We notice that in a group of $N$ participants $P_0, P_1, \ldots, P_{N-1}$, the mutual key is $v \prod_{k=0}^{N-1} P_k$. Let $I = \{0, 1, \ldots, N-1\}$, then the mutual key can be rewritten as $v \prod_{k \in I} P_k$ due to the commutativity of the private matrices. By observation, any message sent during the transmission in our key distribution protocols contains at least one vector of the form $v \prod_{k \in J} P_k$ for some $J \subset I$. An eavesdropper (Eve) may recover the mutual key if she can reconstruct the value $v \prod_{k \in I} P_k$ from several vectors of the form $v \prod_{k \in J} P_k$ with $J \subset I$.
More formally, suppose $\{J_1, J_2, \ldots, J_m\}$ denotes a collection of $m$ non-empty subsets of $I$, that is $J_i \subset I$ for all $1 \le i \le m$. We assume that Eve intercepts the transmission and accordingly owns $m$ vectors $w_1, w_2, \ldots, w_m$, and each $w_i$ satisfies $w_i = v \prod_{k \in J_i} P_k$ with $1 \le i \le m$. To recover the mutual key, she must be able to calculate the value of $v \prod_{k \in I} P_k$ using only the $m$ vectors $w_i$ where $1 \le i \le m$. In addition, it is necessary that $\bigcup_{i=1}^{m} J_i = I$, otherwise the mutual key cannot be obtained. However, this condition alone does not guarantee that the mutual key can be acquired easily. One main problem is that the matrices $P_0, P_1, \ldots, P_{N-1}$ are private and unknown to the outsider.
To overcome the problem, Eve needs to consider all public parameters before she tries to recover the key. The matrices $P_i$ ($0 \le i \le N-1$) are private, but fortunately for Eve, each of these matrices can be expressed as $P_i = M^{\alpha_i}$ where $M$ is a public matrix and $\alpha_i$ is a secret integer. Using this relationship, we have which possibly makes the mutual secret key recovery less complicated. If we assume that Eve gets $m$ vectors of the form $w_i = v \prod_{k \in J_i} P_k$ with $1 \le i \le m$, then by (45), each $w_i$ can be expressed If we expand $k_j \sum_{i=0}^{N-1} c_{i,j} \alpha_i$, then we have By substituting the expansion (50) to (48), we get which can be expressed as By Lemma 2, the mutual key is recoverable if we have m j=1 By matching the terms $\alpha_i$ for $0 \le i \le N-1$ in (52), we have The expression (53) can be expanded as follows The system of equations in (54) can be expressed in matrix equation form: where $A = [a_{i,j}]$ is an $N \times m$ matrix over $\{0, 1\}$ with $a_{i,j} = c_{i-1,j}$ for all $1 \le i \le N$ and $1 \le j \le m$, $\mathbf{k}$ is a column vector of unknowns of size $m$, and $\mathbf{1}$ is a column vector of $N$ ones. Therefore, the solvability of the matrix equation (56) implies the recoverability of the mutual secret key. This stipulation leads to a sufficient condition for the recoverability of the mutual secret key in connection with the collection of secret exponents excerpted from the transmission.
Theorem 3 Assume that the eavesdropper intercepts the message and excerpts the set of $m$ secret exponents from a key distribution scheme among $N$ participants $P_0, P_1, \ldots, P_{N-1}$. Suppose $A = [a_{i,j}]$ is an $N \times m$ matrix over $\{0, 1\}$ with $a_{i,j} = c_{i-1,j}$ for all $1 \le i \le N$ and $1 \le j \le m$. Let $[A \; \mathbf{1}]$ be the $N \times (m+1)$ augmented matrix of the matrix equation (56). If the reduced row echelon form of $[A \; \mathbf{1}]$ contains no row of the form $[0_m \; *]$ where $0_m$ denotes a zero submatrix of size $1 \times m$ and $*$ denotes any nonzero value, then the mutual secret key is recoverable from the set $E$. Additionally, the sum of all secret exponents of the $N$ participants can be expressed as a linear combination of the elements in $E$.
Proof: Suppose $A = [a_{i,j}]$ is an $N \times m$ matrix over $\{0, 1\}$ with $a_{i,j} = c_{i-1,j}$ for all $1 \le i \le N$ and $1 \le j \le m$. From elementary linear algebra, the matrix equation $A\mathbf{k} = \mathbf{1}$ in (56) has a solution for $\mathbf{k}$ if and only if the reduced row echelon form of the augmented matrix $[A \; \mathbf{1}]$ has no row of the form $[0_m \; *]$ where $0_m$ is a zero submatrix of size $1 \times m$ and $*$ is any nonzero value. Accordingly, the condition that the augmented matrix has no row of the form $[0_m \; *]$ implies that there are scalars $k_1, k_2, \ldots, k_m$ that make (48) satisfied. By Lemma 2, the latter condition implies that the sum of all secret exponents of the $N$ participants can be expressed as a linear combination of the $m$ secret exponents excerpted from the message transmission.
Theorem 3 provides a sufficient condition for recovering the mutual group key from several secret exponents excerpted from the message transmission. In particular, this theorem states a sufficient condition for the sum of all private exponents $\alpha_0, \alpha_1, \ldots, \alpha_{N-1}$ of the $N$ participants $P_0, P_1, \ldots, P_{N-1}$ to be expressed as a linear combination of the secret exponents extracted from the messages during the public transmission. From the aforementioned analysis, we see that MMSKP can be reduced to several instances of MVMP, thus making MMSKP not computationally harder than MVMP. In addition, we conjecture that an eavesdropper should be able to solve MVMP in order to solve MMSKP. Thus far, the fastest known algorithm for solving MVMP still requires an exponential number of scalar operations in terms of the vector space dimension used [14]. By this assumption, we argue that the Megrelishvili key distribution scheme is at least as secure as its two-party counterpart.
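The condition of Theorem 3 can be checked mechanically for a given set of intercepted vectors. The following Python sketch is an added example, not code from the paper: it builds $A$ from the index sets $J_j$ of the vectors sent in the upflow-broadcast scheme and tests whether $A\mathbf{k} = \mathbf{1}$ is consistent. Solving over the rationals is an assumption (the text only appeals to elementary linear algebra), and the function names and sample exponents are constructed.

```python
from fractions import Fraction

def transmitted_subsets(N):
    """Index sets J of every vector v*prod_{k in J} P_k sent on the wire (N >= 3)."""
    U = [{0, 1}, {0}, {1}]                      # list sent by P_1
    sent = [{0}] + U                            # plus [vP_0] sent by P_0
    for i in range(2, N - 1):                   # upflow rule applied to index sets
        U = [U[0] | {i}, U[0]] + [J | {i} for J in U[1:]]
        sent += U
    sent += [J | {N - 1} for J in U[1:]]        # broadcast list B
    return sorted({frozenset(J) for J in sent}, key=sorted)

def solve_exponent_combination(N, subsets):
    """Solve A k = 1 with a[i][j] = 1 iff participant i is in subsets[j].

    Returns one solution k (free variables set to 0), or None when the reduced
    row echelon form of [A | 1] contains a row [0 ... 0 | nonzero].
    """
    m = len(subsets)
    aug = [[Fraction(int(i in J)) for J in subsets] + [Fraction(1)]
           for i in range(N)]
    pivots, row = [], 0
    for col in range(m):
        pr = next((r for r in range(row, N) if aug[r][col] != 0), None)
        if pr is None:
            continue
        aug[row], aug[pr] = aug[pr], aug[row]
        piv = aug[row][col]
        aug[row] = [x / piv for x in aug[row]]
        for r in range(N):
            if r != row and aug[r][col] != 0:
                f = aug[r][col]
                aug[r] = [a - f * b for a, b in zip(aug[r], aug[row])]
        pivots.append(col)
        row += 1
    if any(all(x == 0 for x in r[:m]) and r[m] != 0 for r in aug):
        return None                             # inconsistent: condition fails
    k = [Fraction(0)] * m
    for r, col in enumerate(pivots):
        k[col] = aug[r][m]
    return k

if __name__ == "__main__":
    subs = transmitted_subsets(4)
    print([sorted(J) for J in subs])
    print(solve_exponent_combination(4, subs))
    print(solve_exponent_combination(3, [{0, 1}, {1, 2}]))  # None
```

A non-`None` result only says the exponent sum is a linear combination of the intercepted exponents; obtaining each of those exponents still requires solving an MVMP instance.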

VII. CONCLUDING REMARKS
We have presented an extension of our previous work in [1] where we discuss the first two variations of the Megrelishvili key distribution scheme and some of their elementary theoretical security analysis. In this article we introduce two different multi-party Megrelishvili protocols which are more efficient than those first two schemes. We propose two efficient Megrelishvili key distribution protocols, namely the Megrelishvili key distribution with upflow-broadcast rounds and the Megrelishvili key distribution with upflow-broadcast-response rounds. These two schemes allow simultaneous key retrieval for almost all group members whilst maintaining the efficiency of the computational procedures involved. In addition, both schemes support the group membership alteration protocols. That is, the protocols enable the group to construct a new mutual secret key whenever a new member is added or an existing member is removed without re-executing the protocols all over again. The comparison of important characteristics for all Megrelishvili key distribution schemes described in Section IV is summarized in Table VII.
From Table VII, it can be derived that the Megrelishvili key distribution scheme with upflow-broadcast-response rounds is superior to the other three schemes in terms of computational efficiency. This protocol allows the group to agree on a mutual secret key using $O(N)$ vector-matrix multiplications where $N$ is the group size. Moreover, this scheme requires no a priori synchronization of the group members, yet it still supports simultaneous key retrieval for almost all participants (i.e., all but one participant). Another important feature of this key distribution procedure is the ease of implementing the membership alteration protocol.

Ind. Journal on Computing Vol. 2, Issue.2, Sept 2017
(25) from $P_{N-2}$. To get the mutual key, $P_{N-1}$ simply right-multiplies $U[0]$ by $P_{N-1}$. Afterward, $P_{N-1}$ initiates the broadcast round by constructing the broadcast list $B$ of $N-1$ vectors. To construct this list, $P_{N-1}$ initially removes $U[0]$ and shifts all remaining entries one position to the left. Next, $P_{N-1}$ right-multiplies each of the entries by its private matrix. More formally, the entry $B[j]$ of the broadcast list $B = [B[0], B[1], \ldots, B[N-2]]$ of length $N-1$ is defined as

1) We assume that $P_{N-1}$ saves the contents of the upflow list $U$ from $P_{N-2}$ as in (25).
2) To make the previous group key remain secret, $P_{N-1}$ chooses a new integer $\hat{\alpha}_{N-1} \neq \alpha_{N-1}$ and generates $\hat{P}_{N-1} = M^{\hat{\alpha}_{N-1}}$. Additionally, $P_{N-1}$ also needs to ensure that $\hat{P}_{N-1} \neq P_{N-1}$.
3) Participant $P_{N-1}$ then constructs the new upflow list by right-multiplying each of the entries in $U$ by $\hat{P}_{N-1}$, the resulting updated list is

$\prod_{k=0}^{N-2} P_k$) and the response list $R$ where $R[i] = v \prod_{k=0, k \neq i}^{N-2} P_k$ as described in Table VI.
2) To make the previous group key remain secret, $P_{N-1}$ chooses a new integer $\hat{\alpha}_{N-1} \neq \alpha_{N-1}$ and generates $\hat{P}_{N-1} = M^{\hat{\alpha}_{N-1}}$. Additionally, $P_{N-1}$ also needs to ensure that $\hat{P}_{N-1} \neq P_{N-1}$.
3) Subsequently, $P_{N-1}$ performs the following steps:

a) Participant $P_{N-1}$ right-multiplies the broadcast message from $P_{N-2}$ by its new private matrix $\hat{P}_{N-1}$ and sends the resulting value to $P_N$. Accordingly, $P_N$ has the vector $v \prod_{k=0}^{N-2} P_k \hat{P}_{N-1}$.
b) Participant $P_{N-1}$ right-multiplies each of the elements in the response list $R$ by $\hat{P}_{N-1}$ and appends the vector $v \prod_{k=0}^{N-2} P_k$ to the resulting list. The outcome is denoted as the list R. Afterward $P_{N-1}$ sends R to $P_N$.

1) Participant $P_{N-1}$ is assumed to have saved the upflow list $U$ of length $N$ from $P_{N-2}$ as in (25).
2) To ensure that the initial group key remains secret, $P_{N-1}$ chooses a new integer $\hat{\alpha}_{N-1} \neq \alpha_{N-1}$ and generates $\hat{P}_{N-1} = M^{\hat{\alpha}_{N-1}}$. Additionally, $P_{N-1}$ also needs to ensure that $\hat{P}_{N-1} \neq P_{N-1}$.
3) The key retrieval for $P_{N-1}$ is performed by right-multiplying $U[0]$ by $\hat{P}_{N-1}$. The new mutual key is $v \prod_{k=0}^{N-2} P_k \hat{P}_{N-1}$.
Muhammad Arzaki, On the Generalizations of Megrelishvili...
1) Participant $P_{N-1}$ is assumed to retain the message from $P_{N-2}$ (that is, the vector $v \prod_{k=0}^{N-2} P_k$) and the response list $R$ where $R[i] = v \prod_{k=0, k \neq i}^{N-2} P_k$ as described in Table VI.
2) To ensure that the initial group key remains secret, $P_{N-1}$ chooses a new integer $\hat{\alpha}_{N-1} \neq \alpha_{N-1}$ and generates $\hat{P}_{N-1} = M^{\hat{\alpha}_{N-1}}$. Additionally, $P_{N-1}$ also needs to ensure that $\hat{P}_{N-1} \neq P_{N-1}$.
3) The key retrieval for $P_{N-1}$ is performed by right-multiplying the message from $P_{N-2}$ by $\hat{P}_{N-1}$.
each of the remaining $N-2$ vectors by $P_{N-2}$, yielding a new downflow list
and an integer $N \ge 2$ which denotes the number of group members.
1: for i ← 0 to N − 1 do // N group members