Group Key Agreement Protocols. Research on group key agreement protocols started in 1982. We first summarize the early (theoretical) group key agreement protocols which did not consider dynamic membership operations; Most of them only supported group genesis. The earliest contributory group key agreement built upon the 2-party Xxxxxx-Xxxxxxx (DH) is due to Xxxxxxxxxxx et al. (ING) [20]. In the fist round of ING, every member generates its session random and computes . In the subsequent rounds to , computes where is the message received from in the previous round . The resulting group key is of the form: The ING protocol is inefficient because: 1) every member has to start synchronously, 2) rounds are required to compute a group key, 3) it is hard to support dynamic membership operations due to its symmetry and 4) sequential modular exponentiations are required. Another group key agreement developed for teleconferencing was proposed by Xxxxx et al. [33]. This protocol is of particular interest since its group key structure is similar to that in TGDH. This protocol is well-suited for adding new group members as it takes only two rounds and four modular exponentia- tions. Member exclusion, however, is relatively difficult (for example, consider excluding from the group key). Xxxxxxxxx and Xxxxxxx construct an efficient protocol (called BD) which takes only two rounds and three modular exponentiations per member to generate a group key [14]. This efficiency allows all members to re-compute the group key for any membership change by rerunning the protocol. However, according to [34], most (at least half) of the members need to change their session random on every membership event. The group key in this protocol is different from STR and TGDH: One shortcoming of BD is the high communication overhead. It requires broadcast messages and each member needs to generate 2 signatures and verify signatures. BD also has a hidden cost mentioned in Section 7.2. Xxxxxx and Xxxxx analyze the minimal communication complexity of contributory group key agreement in general [8] and propose two protocols: octopus and hypercube. Their group key has the same structure as the key in TGDH. For example, for eight users their group key is: The Xxxxxx/Xxxxx protocols handle join and merge operations efficiently, but the member leave operation is inefficient. Also, the hypercube protocol requires the group to be of size (for some integer ); otherwise, the efficiency slips. Xxxxxx et al. look at the problem of small-gr...
Group Key Agreement Protocols. We begin by first summarizing the early (and theoretical) group key agreement protocols which did not consider dynamic membership operations and only supported group formation. The earlist attempt to obtain contributory group key agreement built upon 2-party Xxxxxx- Xxxxxxx (DH) is due to Ingemarsson et al. (called ING) for teleconferencing [16]. In the fist round of ING, every member Mi generates its session random Ni and computes αNi . In the subsequent rounds k to n − 1, Mi computes Ki,k = (Ki−1 mod n,k−1)Ni where Ki−1 is the message received from Mi−1 in the previous round k − 1 when n is the number of group members. The resulting group key is of the form: Kn = αN1N2N3...Nn The ING protocol is inefficient: 1) every member has to start synchronously, 2) n − 1 rounds are required to compute a group key, 3) it is hard to support dynamic membership operations due to its symmetricity and 4) n sequential modular exponentiations are required. Another group key agreement developed for teleconferencing was proposed by Xxx, et al. [18]. This protocol (called TGDH, for Treee-based Group Xxxxxx-Xxxxxxx) is of particular interest since its group key structure is similar to that of STR. TGDH is well-suited for member leave operation since it takes only one round and log(n) modular exponentiations. Member addition, however, is relatively costly since – in order to keep the key tree balanced – the sponsor performs log(n) exponentiations. Also, in the event of partition, as many as log(n) rounds may be necessary to stabilize the key tree. This is where STR offers a clear advantage. Xxxxxxxxx and Xxxxxxx construct an efficient protocol (called BD) which takes only two rounds and three modular exponentiations per member to generate a group key [11]. This effi- ciency allows all members to re-compute the group key for any membership change by performing this protocol. However, according to [27], most (at least half) of the members need to change their session random on every membership event. The group key in this protocol is different from STR and TGDH: Kn = αN1N2+N2N3+...+NnN1 A notable shortcoming of BD is the high communication overhead. It requires 2n broadcast messages and each member needs to generate 2 signatures and verify 2n signatures. Xxxxxx and Xxxxx analyze the minimal communication complexity of contributory group key agreement in general [5] and propose two protocols: octopus and hypercube. Their group key has the same structure as the key in TGDH. For exa...
Group Key Agreement Protocols. In the above, only two-party key agreement protocols, perhaps involving an additional trusted third party, are discussed. Now, we introduce a group key agreement protocol, proposed Xxxxxxxxx and Xxxxxxx [2], which enables a group of parties efficiently establishing a session key. Essentially, the Xxxxxxxxx-Xxxxxxx (BD) protocol is an extension of the Xxxxxx-Xxxxxxxx protocol. Using the same system parameters as in Section 2.1, the BD protocol for n parties (n > 2) can be briefly reviewed as follows. .
Group Key Agreement Protocols. In this section, first, we provide a mathematical background that is common in group key agreement protocols. Then, we describe the protocols in the literature according to their capabilities, security features, and usage areas.
Group Key Agreement Protocols. We begin by first summarizing the early (and theoretical) group key agreement protocols which did not consider dynamic membership operations and only supported group formation. The earlist attempt to obtain contributory group key agreement built upon 2-party Xxxxxx- Xxxxxxx (DH) is due to Xxxxxxxxxxx et al. (called ING) for teleconferencing [16]. In the fist round of ING, every member generates its session random and computes . In the subsequent rounds to , computes where is the message received from in the previous round when is the number of group members. The resulting group key is of the form: The ING protocol is inefficient: 1) every member has to start synchronously, 2) rounds are required to compute a group key, 3) it is hard to support dynamic membership operations due to its symmetricity and 4) sequential modular exponentiations are required. Another group key agreement developed for teleconferencing was proposed by Xxx, et al. [18]. This protocol (called TGDH, for Treee-based Group Xxxxxx-Xxxxxxx) is of particular interest since its group key structure is similar to that of STR. TGDH is well-suited for member leave operation since it takes only one round and modular exponentiations. Member addition, however, is relatively costly since – in order to keep the key tree balanced – the sponsor performs exponentiations. Also, in the event of partition, as many as rounds may be necessary to stabilize the key tree. This is where STR offers a clear advantage. Xxxxxxxxx and Xxxxxxx construct an efficient protocol (called BD) which takes only two rounds and three modular exponentiations per member to generate a group key [11]. This efficiency allows all members to re-compute the group key for any membership change by performing this protocol. However, according to [28], most (at least half) of the members need to change their session random on every membership event. The group key in this protocol is different from STR and TGDH: A shortcoming of BD is the high communication overhead. It requires broadcast messages and each member needs to generate 2 signatures and verify signatures. Xxxxxx and Xxxxx analyze the minimal communication complexity of contributory group key agreement in general [5] and propose two protocols: octopus and hypercube. Their group key has the same structure as the key in TGDH. For example, for eight users their group key is: The Xxxxxx/Xxxxx protocols handle join and merge operations efficiently, but the member leave operation is ine...
Group Key Agreement Protocols. Research on group key agreement protocols started in 1982. We first summarize the early (theoretical) group key agreement protocols which did not consider dynamic membership operations; Most of them only supported group genesis. The earliest contributory group key agreement built upon the 2-party Xxxxxx-Xxxxxxx (DH) is due to Ingemarsson et al. (ING) [18]. In the fist round of ING, every member Mi generates its session random Ni and computes αNi . In the subsequent rounds k to n − 1, Mi computes Ki,k = (Ki−1 mod n,k−1)Ni where Ki−1 is the message received from Mi−1 in the previous round k − 1. The resulting group key is of the form: Kn = αN1 X0 X0 ...Nn . − The ING protocol is inefficient because: 1) every member has to start synchronously, 2) n 1 rounds are required to compute a group key, 3) it is hard to support dynamic membership operations due to its symmetry and 4) n sequential modular exponentiations are required. Another group key agreement developed for teleconferencing was proposed by Steer et al. [31]. This protocol is of particular interest since its group key structure is similar to that in TGDH.
Group Key Agreement Protocols. We begin by first summarizing the early (and theoretical) group key agreement protocols which did not consider dynamic membership operations and only supported group formation. The earlist attempt to obtain contributory group key agreement built upon 2-party Xxxxxx- Xxxxxxx (DH) is due to Xxxxxxxxxxx et al. (called ING) for teleconferencing [16]. In the fist round of ING, every member Mi generates its session random Ni and computes αNi . In the subsequent rounds k to n−1, Mi computes Ki,k = (Ki−1 mod n,k−1)Ni where Ki−1 is the message received from Mi−1 in the previous round k − 1 when n is the number of group members. The resulting group key is of the form:
Group Key Agreement Protocols. The concept of a protocol that enables members of a group to establish a cryptographic key shared by each member of that group is surprisingly old. Probably the first GKA protocol was proposed by Xxxxxxxxxxx et al. [16] only six years after the publication of Xxxxxx-Xxxxxxx’x two-party protocol which essentially defined the concept of key agreement in a two-party set- ting. The protocol has two specific characteristics, perhaps reminiscent of the beginnings of the field as a whole at that time, that are not present in any other protocol that has been subsequently proposed over the years. First, communication is assumed to be parallel, with the members connected on a logical ring; this poses a challenge as group members thus need to have synchronized logical clock time. Second, the protocol can be parameterized to provide passive security against an adversary that is eavesdropping on a specific number of lines, and the authors establish a measure of resilience of a given network against a passive attacker who wants to decrypt all the messages in that particular network. Modern protocols explicitly assume that the adversary can eavesdrop on all communication channels, and even across multiple protocol runs. The next early proposal came from Steer et al. [24] six years after Xxxx- xxxxxxx et al. published their protocol. While specifically targetting tele- conferencing systems, the logical communication infrastructure is generic enough for the protocol to be used directly in any network in which a group member can send data to the remaining group members, irrespective of any physical topology. The authors explicitly mention this at the end of their pa- per, noting that the protocol can be used outside teleconferencing systems without any issues. The protocol was later extended to handle dynamic group events by Xxxxxxx et al. There, the authors emphasize the specific tree- like way in which the group key is established, and use this (along with the assumption that the group operates on a logical tree) to provide member addition and deletion functionality. The field became an area of active research in the last decade of the 20th century, and has been receiving continuous attention every since. An im- | | portant milestone has been the establishment of lower bounds on commu- nication complexity of GKA protocols that do not handle dynamic group events by Xxxxxx and Xxxxx [3]. The authors established the communica- tion complexity of group key agreement protocols...
Group Key Agreement Protocols. Research on group key agreement protocols started in 1982. We first summarize the early (theoretical) group key agreement protocols which did not consider dynamic membership operations; Most of them only supported group genesis. The earliest contributory group key agreement built upon the 2-party Xxxxxx-Xxxxxxx (DH) is due to Ingemarsson et al. (ING) [18]. In the fist round of ING, every member Mi generates its session random Ni and computes αNi . In the subsequent rounds k to n − 1, Mi computes Ki,k = (Ki−1 mod n,k−1)Ni where Ki−1 is the message received from Mi−1 in the previous round k − 1. The resulting group key is of the form:
