Blom's scheme

Blom's scheme is a symmetric threshold key exchange protocol in cryptography.

A trusted party gives each participant a secret key and a public identifier, which enables any two participants to independently create a shared key for communicating.

Every participant can create a shared key with any other participant, allowing secure communication to take place between any two members of the group. However, if an attacker can compromise the keys of at least k users, he can break the scheme and reconstruct every shared key. Blom's scheme is a form of threshold secret sharing. The scheme was proposed by the Swedish cryptographer Rolf Blom in a series of articles in the early 1980s. ^{[1] [2]}

Blom's scheme is currently used by the HDCP copy protection scheme to generate shared keys for high-definition content sources and receivers, such as HD DVD players and high-definition televisions.

The key exchange protocol involves a trusted party (Trent) and a group of n users. Let Alice and Bob be two users of the group.

Trent chooses a random and secret symmetric matrix D_{k x k} over the finite field ${\displaystyle GF(p)}$, where p is a prime number. D is required when a new user is to be added to the key sharing group.

For example, let p = 17, and D = ${\displaystyle {\begin{pmatrix}1&6&2\\6&3&8\\2&8&2\end{pmatrix}}\ \mathrm {mod} \ 17}$.

New users Alice and Bob want to join the key exchanging group. Trent chooses public identifiers for each of them, i.e.: k-element vectors I_Alice, I_Bob in ${\displaystyle GF(p)}$.

Trent then computes their private keys: g_Alice = ${\displaystyle (D*I_{\mathrm {Alice} })}$, g_Bob = ${\displaystyle (D*I_{\mathrm {Bob} })}$.

Each will use their private key to compute shared keys with other participants of the group.

Let I_Alice = ${\displaystyle {\begin{pmatrix}3\\10\\11\end{pmatrix}}}$, and I_Bob = ${\displaystyle {\begin{pmatrix}1\\3\\15\end{pmatrix}}}$. Trent will create Alice's and Bob's secret keys as follows:

g_Alice = ${\displaystyle {\begin{pmatrix}1&6&2\\6&3&8\\2&8&2\end{pmatrix}}*{\begin{pmatrix}3\\10\\11\end{pmatrix}}={\begin{pmatrix}0\\0\\6\end{pmatrix}}\ \mathrm {mod} \ 17}$,

g_Bob = ${\displaystyle {\begin{pmatrix}1&6&2\\6&3&8\\2&8&2\end{pmatrix}}*{\begin{pmatrix}1\\3\\15\end{pmatrix}}={\begin{pmatrix}15\\16\\5\end{pmatrix}}\ \mathrm {mod} \ 17}$.

Now Alice and Bob wish to communicate with one another. Alice has Bob's identifier I_Bob and her private key g_Alice.

She computes the shared key k_{Alice / Bob} = g_Alice^t * I_Bob, where t denotes matrix transpose. Bob does the same, using his private key and her identifier.

They will each generate their shared key as follows:

k_{Alice / Bob} = ${\displaystyle {\begin{pmatrix}0\\0\\6\end{pmatrix}}^{t}*{\begin{pmatrix}1\\3\\15\end{pmatrix}}=0*1+0*3+6*15=5\ \mathrm {mod} \ 17}$

k_{Bob / Alice} = ${\displaystyle {\begin{pmatrix}15\\16\\5\end{pmatrix}}^{t}*{\begin{pmatrix}3\\10\\11\end{pmatrix}}=15*3+16*10+5*11=5\ \mathrm {mod} \ 17}$

Proof:

${\displaystyle k_{Alice/Bob}=k_{Alice/Bob}^{t}=(g_{Alice}^{t}*I_{Bob})^{t}=(I_{Alice}^{t}*D^{t}*I_{Bob})^{t}=I_{Bob}^{t}*D*I_{Alice}=k_{Bob/Alice}}$

In order to ensure at least k keys must be compromised before every shared key can be computed by an attacker, identifiers must be k-linearly independent: all k-sets of randomly selected user identifiers must be linearly independent. Otherwise, a group of malicious users can compute the key of any other member whose identifier is linearly dependent to theirs. To ensure this property, the identifiers shall be preferably chosen from a MDS-Code matrix (maximum distance separable error correction code matrix). The rows of the MDS-Matrix would be the identifiers of the users. A MDS-Code matrix can be chosen in practice using the code-matrix of the Reed–Solomon error correction code (this error correction code requires only easily understandable mathematics and can be computed extremely fast).

• Alfred J. Menezes, Paul C. van Oorschot and Scott A. Vanstone (1996). Handbook of Applied Cryptography. CRC Press. ISBN 0-8493-8523-7.
• R. Blom, "An optimal class of symmetric key generation systems". Abbreviated version of the original Blom's work