Common use of Cryptographic Properties Clause in Contracts

Cryptographic Properties. In this section we summarize the desired properties for a secure group key agreement protocol. Following the model of [18], we define four such properties:

• Group Key Secrecy guarantees that it is computationally infeasible for a passive adversary to discover any group key.
• Forward Secrecy (not to be confused with Perfect Forward Secrecy or PFS) guarantees that a passive adversary who knows a contiguous subset of old group keys cannot discover subsequent group keys.
• Backward Secrecy guarantees that a passive adversary who knows a contiguous subset of group keys cannot discover preceding group keys.
• Key Independence guarantees that a passive adversary who knows any proper subset of group keys cannot discover any other group key not included in the subset.

The relationship among the properties is intuitive. Backward and Forward Secrecy properties (often called Forward and Backward Secrecy in the literature) assume that the adversary is a current or a former group member. The other properties additionally include the cases of inadvertently leaked or otherwise compromised group keys.

Our definition of group key secrecy allows partial leakage of information. Therefore, it would be more desirable to guarantee that any bit of the group key is unpredictable. For this reason, we prove a decisional version of group key secrecy in Section . In other words, the decisional version of group key secrecy guarantees that it is computationally infeasible for a passive adversary to distinguish any group key from a random number.

Other, more subtle, active attacks aim to introduce a known (to the attacker) or old key. These are prevented by the combined use of sender information, timestamps, unique protocol message identifiers and sequence numbers which identify the particular protocol run. All protocol messages include the following attributes:

• sender information: name of the sender, or, equivalently, signer.
• group information: unique name of the group.
• membership information: names (and other information) of current group members.
• protocol identifier: protocol being used (fixed as “STR”).
• message type: unique message identifier for each protocol message.
• Key epoch is the same across all current group members. If a group member receives a protocol message with a smaller than current epoch, it terminates the protocol (suspected replay).
• time stamp: current time. Loose time synchronization among group members is assumed.

We assume that a group member rejects any message which does not match its expectations. Since all messages are signed, we also assume PKI for all protocol parties. Since no other long-term secrets or keys are used, we are not concerned with Perfect Forward Secrecy (PFS) as it is achieved trivially.

In this paper, we do not assume key authentication to be part of group key management. All communication channels are thus considered public but authentic. The latter means that all messages are digitally signed by the sender with some sufficiently strong public key signature method such as DSA or RSA (and using a long-term private key). All receivers are required to verify signatures on all received messages and check the aforementioned fields. Consequently, our security model is different from some recent related work [9], [10] that does not assume authentic channels.
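
The receiver-side checks described above (verify the signature, then check the protocol identifier, group, message type, key epoch and time stamp), as an added example that is not code from the paper. The field names, the JSON encoding of the signed attributes, the 30-second skew bound and the HMAC stand-in for DSA/RSA verification under PKI are assumptions made for the sketch.

```python
import hashlib
import hmac
import json
import time

MAX_SKEW = 30  # seconds; assumed bound for "loose" time synchronization

class Reject(Exception):
    """The message did not match the receiver's expectations."""

def signed_bytes(msg):
    # Assumed canonical encoding: every attribute except the signature itself.
    body = {k: v for k, v in msg.items() if k != "sig"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def check_message(msg, state, verify, now=None):
    """Return msg if all receiver checks pass, otherwise raise Reject."""
    now = time.time() if now is None else now
    # Verify the signature first so every later check reads authenticated fields.
    if not verify(msg.get("sender"), signed_bytes(msg), msg.get("sig")):
        raise Reject("bad signature")
    if msg.get("protocol") != "STR":
        raise Reject("wrong protocol identifier")
    if msg.get("group") != state["group"]:
        raise Reject("wrong group")
    if msg.get("type") not in state["expected_types"]:
        raise Reject("unexpected message type")
    epoch, stamp = msg.get("epoch"), msg.get("timestamp")
    if not isinstance(epoch, int) or epoch < state["epoch"]:
        raise Reject("stale epoch (suspected replay)")
    if not isinstance(stamp, (int, float)) or abs(now - stamp) > MAX_SKEW:
        raise Reject("timestamp outside allowed skew")
    return msg

# Demo-only stand-in for DSA/RSA verification against PKI certificates: the
# standard library has no public-key signatures, so constructed per-sender
# HMAC keys are used here. Replace with real signature verification.
DEMO_KEYS = {"alice": b"demo-key-alice", "bob": b"demo-key-bob"}

def demo_sign(sender, data):
    return hmac.new(DEMO_KEYS[sender], data, hashlib.sha256).hexdigest()

def demo_verify(sender, data, sig):
    if sender not in DEMO_KEYS or not isinstance(sig, str) or not sig.isascii():
        return False
    return hmac.compare_digest(demo_sign(sender, data), sig)
```

Because the epoch and time stamp sit inside the signed bytes, an attacker who replays an old message cannot raise its epoch without invalidating the signature.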

Sources: Group Key Agreement