Common use of Group Key Agreement Protocols Clause in Contracts

Group Key Agreement Protocols. We begin by first summarizing the early (and theoretical) group key agreement protocols which did not consider dynamic membership operations and only supported group formation. The earliest attempt to obtain contributory group key agreement built upon 2-party ▇▇▇▇▇▇-▇▇▇▇▇▇▇ (DH) is due to ▇▇▇▇▇▇▇▇▇▇▇ et al. (called ING) for teleconferencing [16]. In the first round of ING, every member $M_i$ generates its session random $N_i$ and computes $\alpha^{N_i}$. In the subsequent rounds $k$ to $n-1$, $M_i$ computes $K_{i,k} = (K_{i-1 \bmod n,\,k-1})^{N_i}$, where $K_{i-1}$ is the message received from $M_{i-1}$ in the previous round $k-1$ and $n$ is the number of group members. The resulting group key is of the form: $K_n = \alpha^{N_1 N_2 N_3 \cdots N_n}$. The ING protocol is inefficient: 1) every member has to start synchronously, 2) $n-1$ rounds are required to compute a group key, 3) it is hard to support dynamic membership operations due to its symmetricity and 4) $n$ sequential modular exponentiations are required.

Another group key agreement developed for teleconferencing was proposed by ▇▇▇, et al. [18]. This protocol (called TGDH, for Tree-based Group ▇▇▇▇▇▇-▇▇▇▇▇▇▇) is of particular interest since its group key structure is similar to that of STR. TGDH is well-suited for the member leave operation since it takes only one round and $\log(n)$ modular exponentiations. Member addition, however, is relatively costly since – in order to keep the key tree balanced – the sponsor performs $\log(n)$ exponentiations. Also, in the event of partition, as many as $\log(n)$ rounds may be necessary to stabilize the key tree. This is where STR offers a clear advantage.

▇▇▇▇▇▇▇▇▇ and ▇▇▇▇▇▇▇ construct an efficient protocol (called BD) which takes only two rounds and three modular exponentiations per member to generate a group key [11]. This efficiency allows all members to re-compute the group key for any membership change by performing this protocol. However, according to [28], most (at least half) of the members need to change their session random on every membership event. The group key in this protocol is different from STR and TGDH:

Appears in 1 contract

Sources: Group Key Agreement

Group Key Agreement Protocols. We begin by first summarizing the early (and theoretical) group key agreement protocols which did not consider dynamic membership operations and only supported group formation. The earliest attempt to obtain contributory group key agreement built upon 2-party ▇▇▇▇▇▇-▇▇▇▇▇▇▇ (DH) is due to Ingemarsson et al. (called ING) for teleconferencing [16]. In the first round of ING, every member $M_i$ generates its session random $N_i$ and computes $\alpha^{N_i}$. In the subsequent rounds $k$ to $n-1$, $M_i$ computes $K_{i,k} = (K_{i-1 \bmod n,\,k-1})^{N_i}$, where $K_{i-1}$ is the message received from $M_{i-1}$ in the previous round $k-1$ and $n$ is the number of group members. The resulting group key is of the form: $K_n = \alpha^{N_1 N_2 N_3 \cdots N_n}$. The ING protocol is inefficient: 1) every member has to start synchronously, 2) $n-1$ rounds are required to compute a group key, 3) it is hard to support dynamic membership operations due to its symmetricity and 4) $n$ sequential modular exponentiations are required.

Another group key agreement developed for teleconferencing was proposed by ▇▇▇, et al. [18]. This protocol (called TGDH, for Tree-based Group ▇▇▇▇▇▇-▇▇▇▇▇▇▇) is of particular interest since its group key structure is similar to that of STR. TGDH is well-suited for the member leave operation since it takes only one round and $\log(n)$ modular exponentiations. Member addition, however, is relatively costly since – in order to keep the key tree balanced – the sponsor performs $\log(n)$ exponentiations. Also, in the event of partition, as many as $\log(n)$ rounds may be necessary to stabilize the key tree. This is where STR offers a clear advantage.

▇▇▇▇▇▇▇▇▇ and ▇▇▇▇▇▇▇ construct an efficient protocol (called BD) which takes only two rounds and three modular exponentiations per member to generate a group key [11]. This efficiency allows all members to re-compute the group key for any membership change by performing this protocol. However, according to [27], most (at least half) of the members need to change their session random on every membership event. The group key in this protocol is different from STR and TGDH: $K_n = \alpha^{N_1 N_2 + N_2 N_3 + \cdots + N_n N_1}$. A notable shortcoming of BD is the high communication overhead. It requires $2n$ broadcast messages and each member needs to generate 2 signatures and verify $2n$ signatures.

▇▇▇▇▇▇ and ▇▇▇▇▇ analyze the minimal communication complexity of contributory group key agreement in general [5] and propose two protocols: octopus and hypercube. Their group key has the same structure as the key in TGDH. For example, in a group of eight, the key is: $K_n = \alpha^{(\alpha^{\alpha^{r_1 r_2}\,\alpha^{r_3 r_4}})(\alpha^{\alpha^{r_5 r_6}\,\alpha^{r_7 r_8}})}$. The ▇▇▇▇▇▇ and ▇▇▇▇▇ protocols handle join and merge operations efficiently, but the leave operation is inefficient. Also, the hypercube protocol requires the group to be of size $2^n$ (for some integer $n$); otherwise, the efficiency slips.

▇▇▇▇▇▇, et al. look at the problem of small-group key agreement, where the members do not have previously set up security associations [3]. Their motivating example is a meeting where the participants want to bootstrap a secure communication group. They adapt password authenticated DH key exchange to the group setting. Their setting, however, is different from ours, since they assume that all members share a secret password, whereas we assume a PKI where each member can verify any other member's authenticity and authorization to join the group.

Tzeng and Tzeng propose an authenticated key agreement scheme that is based on secure multi-party computation [28]. This scheme also uses $2 \cdot N$ broadcast messages. Although the cryptographic mechanisms are quite elegant, a shortcoming is that the resulting group key does not provide perfect forward secrecy (PFS). If a long-term secret key is broken and/or published, all previous and future group keys (where that key was used) are also revealed.

▇▇▇▇▇▇▇, et al. first address dynamic membership issues [4, 27] in group key agreement and propose a family of Group Diffie ▇▇▇▇▇▇▇ (GDH) protocols based on straightforward extensions of the two-party ▇▇▇▇▇▇-▇▇▇▇▇▇▇. GDH provides contributory authenticated key agreement, key independence, key integrity, resistance to known key attacks, and perfect forward secrecy. Their protocol suite is fairly efficient in leave and partition operation, but the merge protocol requires as many rounds as the number of new members to complete key agreement. Perrig extends the work of one-way function trees (OFT, originally introduced by ▇▇▇▇▇▇ and ▇▇▇▇▇▇▇ [20]) to design a tree-based key agreement scheme for peer groups [22]. However, this work does not consider group merges and partitions.
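
The ING rounds described above, simulated on a small ring as an added example (not code from the source document or its authors). The modulus `P`, the base `ALPHA` and the function names are assumptions chosen for illustration; the toy parameters are not a vetted DH group.

```python
import secrets

# Toy parameters (assumptions, not from the page): illustration only.
P = 2**127 - 1      # Mersenne prime modulus
ALPHA = 3           # the base written as alpha in the text


def fresh_session_randoms(n, p=P):
    """One session random N_i per member, drawn from [2, p-2]."""
    return [2 + secrets.randbelow(p - 3) for _ in range(n)]


def ing_group_key(session_randoms, p=P, alpha=ALPHA):
    """Simulate ING on a logical ring M_0 .. M_{n-1}.

    Returns (keys, rounds, exps): the key each member derives, the number
    of message rounds, and the modular exponentiations done per member.
    """
    n = len(session_randoms)
    if n < 2:
        raise ValueError("ING needs at least two members")
    # Round 1: every M_i computes alpha^{N_i} and sends it to M_{i+1}.
    sent = [pow(alpha, N, p) for N in session_randoms]
    rounds, exps = 1, 1
    # Rounds 2 .. n-1: M_i raises the value received from M_{i-1 mod n}
    # to N_i and forwards the result. All members act in lockstep.
    for _ in range(2, n):
        sent = [pow(sent[(i - 1) % n], session_randoms[i], p)
                for i in range(n)]
        rounds += 1
        exps += 1
    # Key derivation: the last value received carries every exponent
    # except the receiver's own, so one more exponentiation completes it.
    keys = [pow(sent[(i - 1) % n], session_randoms[i], p) for i in range(n)]
    exps += 1
    return keys, rounds, exps


if __name__ == "__main__":
    keys, rounds, exps = ing_group_key(fresh_session_randoms(6))
    assert len(set(keys)) == 1          # every member holds the same key
    print(f"n=6 rounds={rounds} exps/member={exps} key={keys[0]:#x}")
```

The lockstep list update is what the synchronous-start requirement looks like in code: no member can compute round k until its ring predecessor has finished round k − 1.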

Appears in 1 contract

Sources: Group Key Agreement