Common use of Notation and Definitions Clause in Contracts

Notation and Definitions. We use the following notation: number of protocol parties (group members) set of current group members set of leaving members set of newly joining members -th group member; height of a tree -th node at level in a tree ’s view of the key tree ’s modified tree after membership operation A subtree rooted at node set of ’s blinded keys prime integers exponentiation base Key trees have been suggested in the past for centralized group key distribution systems. The seminal work of ▇▇▇▇▇▇▇ et al. [36] is the earliest such proposal. One of the main features of our work is the use of key trees in fully distributed contributory key agreement. Figure 1 shows an example of a key tree. The root is located at level and the lowest leaves are at level . Since we use binary trees,2 every node is either a leaf or a parent of two nodes. The nodes are denoted , where since each level hosts at most nodes.3 Each node is associated with the key and the blinded key (bkey) where the function is modular exponentiation in prime order groups, i.e., (analogous to the ▇▇▇▇▇▇-▇▇▇▇▇▇▇ protocol). Assuming a leaf node hosts the member , the node has ’s session random key . Furthermore, the member at node knows every key along the path from to , referred to as the key-path and denoted . In Figure 1, if a member owns the tree , then knows every key in and every bkey on . Every key is computed recursively as follows: Computing a key at requires the knowledge of the key of one of the two child nodes and the bkey of the other child node. at the root node is the group secret shared by all members. We stress, once again, that this value is never used as a cryptographic key for the purpose of encryption, authentication or integrity. Instead, such special-purpose sub-keys are derived from the group secret, e.g., by setting where is a cryptographically strong hash function uniquely indexed with the purpose idenitifer , e.g., encryption. For example, in Figure 1, can compute and using , , and . The final group key is: To simplify subsequent protocol description, we introduce the term co-path, denoted as , which is the set of siblings of each node in the key-path of member . For example, the co-path of member in Figure 1 is the set of nodes . Consequently, every member at leaf node can derive the group secret from all bkeys on the co-path and its session random .