Blom's Scheme

Blom's scheme is a symmetric threshold key exchange protocol in cryptography. The scheme was proposed by the Swedish cryptographer Rolf Blom in a series of articles in the early 1980s.

A trusted party gives each participant a secret key and a public identifier, which enables any two participants to independently create a shared key for communicating. However, if an attacker can compromise the keys of at least k users, they can break the scheme and reconstruct every shared key. Blom's scheme is a form of threshold secret sharing.

Blom's scheme is currently used by the HDCP (Version 1.x only) copy protection scheme to generate shared keys for high-definition content sources and receivers, such as HD DVD players and high-definition televisions.

The protocol

The key exchange protocol involves a trusted party (Trent) and a group of $\scriptstyle n$ users. Let Alice and Bob be two users of the group.

Protocol setup

Trent chooses a random and secret symmetric matrix $\scriptstyle D_$ over the finite field $\scriptstyle GF(p)$, where p is a prime number. $\scriptstyle D$ is required when a new user is to be added to the key sharing group.

For example:

$\begin k &= 3\\ p &= 17\\ D &= \begin 1&6&2\\6&3&8\\2&8&2\end\ \mathrm\ 17 \end$

Inserting a new participant

New users Alice and Bob want to join the key exchanging group. Trent chooses public identifiers for each of them; i.e., k-element vectors:

$I_, I_ \in GF^k(p)$.

For example:

$I_ = \begin 1 \\ 2 \\ 3 \end, I_ = \begin 5 \\ 3 \\ 1 \end$

Trent then computes their private keys:

$\begin g_ &= DI_\\ g_ &= DI_ \end$

Using $D$ as described above:

$\begin g_ &= \begin 1&6&2\\6&3&8\\2&8&2\end\begin 1 \\ 2 \\ 3 \end = \begin 19\\36\\24\end\ \mathrm\ 17 = \begin 2\\2\\7\end\ \\ g_ &= \begin 1&6&2\\6&3&8\\2&8&2\end\begin 5 \\ 3 \\ 1 \end = \begin 25\\47\\36\end\ \mathrm\ 17 = \begin 8\\13\\2\end\ \end$

Each will use their private key to compute shared keys with other participants of the group.

Computing a shared key between Alice and Bob

Now Alice and Bob wish to communicate with one another. Alice has Bob's identifier $\scriptstyle I_$ and her private key $\scriptstyle g_$.

She computes the shared key $\scriptstyle k_ = g_^T I_$, where $\scriptstyle T$ denotes matrix transpose. Bob does the same, using his private key and her identifier, giving the same result:

$k_ = k_^T = (g_^T I_)^T = (I_^T D^T I_)^T = I_^T D I_ = k_$

They will each generate their shared key as follows:

$\begin k_ &= \begin 2\\2\\7 \end^T \begin 5\\3\\1 \end = 2 \times 5 + 2 \times 3 + 7 \times 1 = 23\ \mathrm\ 17 = 6\\ k_ &= \begin 8\\13\\2 \end^T \begin 1\\2\\3 \end = 8 \times 1 + 13 \times 2 + 2 \times 3 = 40\ \mathrm\ 17 = 6 \end$

Attack resistance

In order to ensure at least k keys must be compromised before every shared key can be computed by an attacker, identifiers must be k-linearly independent: all sets of k randomly selected user identifiers must be linearly independent. Otherwise, a group of malicious users can compute the key of any other member whose identifier is linearly dependent to theirs. To ensure this property, the identifiers shall be preferably chosen from a MDS-Code matrix (maximum distance separable error correction code matrix). The rows of the MDS-Matrix would be the identifiers of the users. A MDS-Code matrix can be chosen in practice using the code-matrix of the Reed–Solomon error correction code (this error correction code requires only easily understandable mathematics and can be computed extremely quickly).

References

{{Reflist

Secret sharing
Key management