Common use of Group Key Agreement Protocols Clause in Contracts

Group Key Agreement Protocols. Research on group key agreement protocols started in 1982. We first summarize the early (theoretical) group key agreement protocols which did not consider dynamic membership operations; Most of them only supported group genesis. The earliest contributory group key agreement built upon the 2-party ▇▇▇▇▇▇-▇▇▇▇▇▇▇ (DH) is due to ▇▇▇▇▇▇▇▇▇▇▇ et al. (ING) [20]. In the fist round of ING, every member generates its session random and computes . In the subsequent rounds to , computes where is the message received from in the previous round . The resulting group key is of the form: The ING protocol is inefficient because: 1) every member has to start synchronously, 2) rounds are required to compute a group key, 3) it is hard to support dynamic membership operations due to its symmetry and 4) sequential modular exponentiations are required. Another group key agreement developed for teleconferencing was proposed by ▇▇▇▇▇ et al. [33]. This protocol is of particular interest since its group key structure is similar to that in TGDH. This protocol is well-suited for adding new group members as it takes only two rounds and four modular exponentia- tions. Member exclusion, however, is relatively difficult (for example, consider excluding from the group key). ▇▇▇▇▇▇▇▇▇ and ▇▇▇▇▇▇▇ construct an efficient protocol (called BD) which takes only two rounds and three modular exponentiations per member to generate a group key [14]. This efficiency allows all members to re-compute the group key for any membership change by rerunning the protocol. However, according to [34], most (at least half) of the members need to change their session random on every membership event. The group key in this protocol is different from STR and TGDH: One shortcoming of BD is the high communication overhead. It requires broadcast messages and each member needs to generate 2 signatures and verify signatures. BD also has a hidden cost mentioned in Section 7.2. ▇▇▇▇▇▇ and ▇▇▇▇▇ analyze the minimal communication complexity of contributory group key agreement in general [8] and propose two protocols: octopus and hypercube. Their group key has the same structure as the key in TGDH. For example, for eight users their group key is: The ▇▇▇▇▇▇/▇▇▇▇▇ protocols handle join and merge operations efficiently, but the member leave operation is inefficient. Also, the hypercube protocol requires the group to be of size (for some integer ); otherwise, the efficiency slips. ▇▇▇▇▇▇ et al. look at the problem of small-group key agreement, where the members do not have previously set up security associations [5]. Their motivating example is a meeting where the participants want to bootstrap a secure communication group. They adapt password authenticated DH key exchange to the group setting. Their setting, however, is different from ours, since they assume that all members share a secret password, whereas we assume a PKI where each member can verify any other members authenticity and authorization to join the group. Tzeng and Tzeng propose an authenticated key agreement scheme that is based on secure multi-party computation [35]. This scheme also uses broadcast messages. Although the cryptographic mechanisms are quite elegant, a shortcoming is that the resulting group key does not provide perfect forward secrecy (PFS). If a long-term secret key is leaked, all previous and future group keys become insecure. ▇▇▇▇▇▇▇ et al. first address dynamic membership issues [7, 34] in group key agreement and propose a family of Group ▇▇▇▇▇▇ ▇▇▇▇▇▇▇ (GDH) protocols based on straight-forward extensions of the two-party ▇▇▇▇▇▇-▇▇▇▇▇▇▇. GDH provides contributory authenticated key agreement, key independence, key integrity, resistance to known key attacks, and perfect forward secrecy. The GDH protocol suite is fairly efficient in leave and partition operation, but the merge protocol requires as many rounds as the number of new members to complete key agreement. Perrig extends one-way function trees (OFT, originally introduced by ▇▇▇▇▇▇ and ▇▇▇▇▇▇▇ [24]) to design a tree-based key agreement scheme for peer groups [27]. This served as foundation for the design of our protocol. TGDH also resembles OFT by some degree. One can claim that TGDH only modifies OFT by using . This is, by part, true. However, there are major differences between OFT and TGDH: 1) Blinded key in OFT should not be revealed. However, all blinded keys in TGDH are public. Therefore, no secure channel is required.