Complexity Analysis. This section compares the computation and communication of STR protocol to other recent group key agreement methods, Cliques GDH.2 [STW00], Tree-Based Xxxxxx-Xxxxxxx (TGDH) [KPT00], and Xxxxxxxxx/Xxxxxxx (BD) [BD94]. These protocols provide contribu- tory group key agreement based on different extensions of the two-party Xxxxxx-Xxxxxxx key exchange. Moreover, they all support dynamic mem- bership operations. We consider the following costs: Number of rounds: this affects serial communication delay. Total number of messages: as the number of messages grows, the probability of message loss or corruption is increased, and so is the delay. Number of unicasts and broadcasts: a broadcast is much more expen- sive operation than a unicast, since it requires many acknowledgments within the group communication system. Number of serial exponentiation: this is the main factor in the com- putation overhead.
Complexity Analysis. Above the study has discussed the security properties of group key agreement schemes. Important is also their complexity, namely performance costs. Sometimes trade-off between complexity and security is required, so that the schemes are suitable to particular environments. Two of the most important criteria are computation costs and communication costs.
Complexity Analysis. Table 1 provides communication, computation and mem- ory costs of the optimized protocols. We consider one pro- tocol round as over if members have to wait for missing data to continue with the computation of the group key. Columns U and B represent the total number of unicast and broadcast messages, respectively. The message size column gives the total size of sent messages in log q-bits where q is the pa- rameter of the finite field Fq (in practice q ≈ 160 bits). Computation costs specify the total number of scalar-point multiplications per member based on member’s index (po- sition) in the group. This creates a basis for the suitabil- ity analysis of the protocols for homogeneous and hetero- geneous groups. The memory costs column specifies the size of data that a device has to store in order to handle dynamic events. The following notations are used: n - ini- tial group size, i - updated index (position) of Mi, s - up- dated index (position) of the sponsor, m - size of the merg- ing group, p - number of leaving (partitioned) members, h - height of the TGDH tree (note h = ⌈log n⌉), li (ls) - up- dated level of member’s Mi (sponsor’s Ms) node in TGDH initial merging group with sponsor Msj , Msr - the right- most sponsor in µTGDH partition, s∗ - index of sponsor Msj whose level lsj is maximal compared to other spon- sors in µTGDH merge. j Communication Obviously, µSTR provides best commu- nication efficiency concerning the total number of rounds and sent messages. The total messages size in case of join is constant, in case of merge depends on the number of merging members, and in other cases scales linearly with the sponsor’s position, varying between 1 and n. Compared to µSTR the size of µTGDH messages scales linearly with the level of sponsor’s node ls, which varies between 0 and h = ⌈log n⌉. Thus, in some cases µTGDH may require less communication bandwidth than µSTR. Computation µBD protocol requires only 3 scalar-point multiplications (we do not count additional n − 1 multi- plications with a small integer whose costs may become non-negligible for large n). From all protocols that were de- signed to handle dynamic events we point out µCLIQUES and µTGDH. µCLIQUES requires a constant number of multiplications for all members except for the sponsor. Sig- nificant drawback is that the number of sponsor’s multipli- cations scales linearly in the number of group members. In µTGDH the number of multiplications performed by Mi is given by the function f (no...
Complexity Analysis. We discuss the communication and computation overhead for join and leave operations only, because these operations are more frequent than merge or partition operations6. We compare the protocols to the state-of- the-art authenticated group key agreement scheme A-GDH.2 described in [4]. Our worst-case computation complexity is based on the assumption that the maximum number of group members is N = 2d, in which case the maximum height of the key tree is d. The cost for join is computed from the case when we have N 1 members and a member is joining to the current group. The leave cost is when we have N members and one member leaves the group. We do not include the number of exponentiations for the long-term key computation (A-GDH) and signature/verification (TGDH). Table 1 shows the comparison. We would like to emphasize that these numbers represent worst-case numbers for TGDH. In practice, we can optimize the communication overhead of TGDH to O(log N ), because only the keys on the key path of the joining or leaving member change, hence only these blinded keys need to be broadcasted, and not the entire key tree. For the computation overhead, TGDH offers a substantial saving for consecutive (serial or non-parallelizable) exponentiations, because every member only needs to perform at most log N exponentiations, which is much faster than the A-GDH.2 protocol. Note that since the joining point in the join and merge operation is located at a shallower node than the deepest node, the average join and leave cost is lower than the worst case. The savings for the total number of exponentiations, however, is smaller, so TGDH offers less of a benefit if all members run on the same workstation, which is a rare case. Operations Join Leave Protocol A-GDH TGDH A-GDH TGDH Communication cost Broadcasts 1 2 1 1 Total messages 2 2 1 1 Maximum bandwidth N 2N N 1 2N 2 Computation cost Serial exponentiation Total exponentiation 2N +1 3N +2 2(d 1) 2(N 2) N 1 2N 3 2(d 1) 2(N d 2) Table 1: Communication Cost
Complexity Analysis. Before discussing the simulation-based results, it is crucial to perform the complexity analysis of the system. Therefore, we can better understand how the system behaves under specific conditions.
Complexity Analysis. ^ ⟨ ⟩ ⟨ ⟩ In this section we analyze the memory, communica- tion, and computation costs of µSTR, µTGDH, and TFAN. The number of current group members, merging mem- bers, merging groups, and leaving members are denoted by: n, m, k, and p, respectively. Additionally, the height of the current and updated tree are denoted by h and h, respec- tively. The sponsor is denoted by ls, vs (or lsi , vsi if several sponsors exist). The sum of the heights of all non- highest trees in the merge protocol is denoted by α. We fo- cus on the number of stored secret and public keys, the num- ber of rounds, the total number of broadcast messages, the cumulative broadcast message size 4, and the serial num- ber of multiplications 5. We consider here random µTGDH trees and half fully filled TFAN trees, i.e., the number of members in each cs-tree is [ q+1 | for art = S and 2q—1 and public keys outside the cs-tree is decreased. It is obvi- ous that the required memory space for TFAN (art = S) is lower than for µSTR, and of TFAN (art = T ) is higher than for µTGDH. Hence as a whole, all protocol suites can be sorted from the least to the highest according to their memory consumption as follows: µTGDH < TFAN (art = T ) < TFAN (art = S) < µSTR.
Complexity Analysis. This section provides various comparisons among M2MAKA-FS and well-known related protocols including Shuai et al.’s protocol, Xxxxx et al.’s protocol, Kapito et al.’s protocol, Yang et al.’s protocol and Li et al.’s protocol. First of all, we will focus on feature comparisons to know the distinctive feature differences among them. After that, computation and communication analysis follows, to show IoT environmental fitness of them.
Complexity Analysis. This section compares the computation and communication of STR proto- col to other recent group key agreement methods, Cliques GDH.2 [STW00], Tree-Based Xxxxxx-Xxxxxxx (TGDH) [KPT00], and Xxxxxxxxx/Xxxxxxx (BD) [BD94]. These protocols provide contributory group key agreement based on different extensions of the two-party Xxxxxx-Xxxxxxx key exchange. Moreover, they all support dynamic membership operations. We consider the following costs: ■ Number of rounds: this affects serial communication delay. Total number of messages: as the number of messages grows, the probability of message loss or corruption is increased, and so is the delay. ■ Number of unicasts and broadcasts: a broadcast is much more expensive operation than a unicast, since it requires many acknowledgments within the group communication system. ■ Number of serial exponentiation: this is the main factor in the computation overhead. ■ Robustness: Lack of robustness requires additional measures to make the secure group communication system robust against cascaded (nested) faults and membership events. Table 1 shows a comparison of the current approaches for group key manage- ment. The bold text refers to a parameter that severely slows down the protocol in a WAN deployment, for which STR is best suited. In Cliques GDH.2 protocol, the number of new members k is considered, since the merge cost depends on number of new members. The cost for TGDH is the average value when the key tree is fully balanced. The partition or leave cost for STR is computed on average, since it depends on the depth of the lowest-numbered leaving member node. For security reasons [STW00], BD always has to restart anew upon every membership event. As seen from the table, STR is minimal in communication on every mem- bership event. We showed in Section 5 that robustness in the STR protocol is not only easier to implement than in other protocols, but it also achieves higher robustness to network partitions. Cliques GDH.2 is quite expensive protocol in wide area network, since: 1) it is hard or very expensive to provide robustness against cascaded events [AKNR+ 01] and 2) communication cost for merge in- creases linearly as the number of new members does. In TGDH, the partition protocol is expensive (relatively slow) which may cause more cascaded faults and long delays to agree on a key. The cost of BD is mostly acceptable but large number of simultaneous broadcast messages can be problematic over a wide area network. Table 1 ...
Complexity Analysis. In this section we show that our global and local problems are NP-hard, by reducing the minimum set cover problem to G-STAC and L-STAC. The minimum set cover problem is a well studied NP-hard problem defined as follows.
Complexity Analysis. In this section, we summarize the functionality of the proposed protocol and compare the proposed protocol with Xxx et al.’s protocol. In Xie et al.’s protocol, the server needs to store a password table of all registered users for verification. In the proposed protocol, the password is embedded in h(PW a) . After receiving {h(PW
