Complexity Analysis. Before discussing the simulation-based results, it is crucial to perform the complexity analysis of the system. Therefore, we can better understand how the system behaves under specific conditions.
Complexity Analysis. Above section has discussed the security properties of group key agreement schemes. Important is also their complexity, namely performance costs. Sometimes trade-off between complexity and security is required, so that the schemes are suitable to particular environments. Two of the most important criteria are computation costs and communication costs.
Complexity Analysis. In this section, we summarize the functionality of the proposed protocol and compare the proposed protocol with Xxx et al.’s protocol. In Xie et al.’s protocol, the server needs to store a password table of all registered users for verification. In the proposed protocol, the password is embedded in h(PW a) . After receiving {h(PW
a) username} in the registration phase, the server computes R h(h(PW
a) username)s1P and stores it in the memory of a smart card, and then delivers the smart card to the user U via a secure channel. During the registration process, the server does not need to store a password table. In addition, the proposed protocol provides a securely update password phase for users to change their password freely and can resist stolen smart card attacks. As shown in Table 1, the proposed protocol can provide more unique properties such as no password or verifier table and password update freely, which were not considered in Xie et al.’s protocol. These new features are very important in implementing a practical and universal authenticated key agreement for session initiation protocol. As the protocol of Xie et al. is currently the most secure and efficient one in the literatures, we compare the proposed protocol and Xie et al.’s protocol in terms of computational costs. First, we define some notations as follows.
Complexity Analysis. This section compares the computation and communication of STR protocol to other recent group key agreement methods, Cliques GDH.2 [STW00], Tree-Based Xxxxxx-Xxxxxxx (TGDH) [KPT00], and Xxxxxxxxx/Desmedt (BD) [BD94]. These protocols provide contribu- tory group key agreement based on different extensions of the two-party Xxxxxx-Xxxxxxx key exchange. Moreover, they all support dynamic mem- bership operations. We consider the following costs: Number of rounds: this affects serial communication delay. Total number of messages: as the number of messages grows, the probability of message loss or corruption is increased, and so is the delay. Number of unicasts and broadcasts: a broadcast is much more expen- sive operation than a unicast, since it requires many acknowledgments within the group communication system. Number of serial exponentiation: this is the main factor in the com- putation overhead.
Complexity Analysis. ^ In this section we analyze the memory, communica- tion, and computation costs of µSTR, µTGDH, and TFAN. The number of current group members, merging mem- bers, merging groups, and leaving members are denoted by: n, m, k, and p, respectively. Additionally, the height of the current and updated tree are denoted by h and h, respec- tively. The sponsor is denoted by ls, vs (or lsi , vsi if several sponsors exist). The sum of the heights of all non- highest trees in the merge protocol is denoted by α. We fo- cus on the number of stored secret and public keys, the num- ber of rounds, the total number of broadcast messages, the cumulative broadcast message size 4, and the serial num- ber of multiplications 5. We consider here random µTGDH trees and half fully filled TFAN trees, i.e., the number of members in each cs-tree is [ q+1 | for art = S and 2q—1 and public keys outside the cs-tree is decreased. It is obvi- ous that the required memory space for TFAN (art = S) is lower than for µSTR, and of TFAN (art = T ) is higher than for µTGDH. Hence as a whole, all protocol suites can be sorted from the least to the highest according to their memory consumption as follows: µTGDH < TFAN (art = T ) < TFAN (art = S) < µSTR.
Complexity Analysis. As Xxxxxxx is guaranteed to terminate in the first good 4t+1 iteration and the probability that each iteration is good is 2t+1 ≥ 1 , Reducer terminates in O(1) expected time. As correct processes send O(nℓ + n2λ log n) bits during the dissemination phase and during each iteration, with Reducer terminating in constantly many iterations, the expected bit complexity is O(nℓ+ n2λ log n).
Complexity Analysis. Reducer++ terminates in a good iteration with constant (3+ϵ)t+1 1 probability. Given that each iteration is good with probability (1+ϵ)t+1 ≈ 1 , Reducer++ terminates in O(C) iterations in expectation. As each iteration takes O(C) time (since there are C trials), the expected time complexity is O(C2). Correct processes send O(nℓ + n2λ log n) bits in the dissemination phase. Additionally, each iteration exchanges O C(nℓ + n2λ log n) bits. As Reducer++ terminates in expected O(C) iterations, Reducer++ yields an expected bit com- plexity of O C2(nℓ + n2λ log n) . Reducer++ with optimal n = 3t + 1. We conclude the section by explaining why Xxxxxxx++ cannot achieve optimal resilience of t < n/3. One reason is that, when t < n/3, Reducer++ cannot maintain its quasi-quadratic expected bit complexity. To ensure that the “good” digest z⋆(k) is identified as a candidate by each correct process after receiving n t = 2t + 1 stored messages in a good iteration k, the “candidate threshold” must be set at (n t) + (n 2t) n =
Complexity Analysis. Table 1 provides communication, computation and mem- ory costs of the optimized protocols. We consider one pro- tocol round as over if members have to wait for missing data to continue with the computation of the group key. Columns U and B represent the total number of unicast and broadcast messages, respectively. The message size column gives the total size of sent messages in log q-bits where q is the pa- rameter of the finite field Fq (in practice q ≈ 160 bits). Computation costs specify the total number of scalar-point multiplications per member based on member’s index (po- sition) in the group. This creates a basis for the suitabil- ity analysis of the protocols for homogeneous and hetero- geneous groups. The memory costs column specifies the size of data that a device has to store in order to handle dynamic events. The following notations are used: n - ini- tial group size, i - updated index (position) of Mi, s - up- dated index (position) of the sponsor, m - size of the merg- ing group, p - number of leaving (partitioned) members, h - height of the TGDH tree (note h = ⌈log n⌉), li (ls) - up- dated level of member’s Mi (sponsor’s Ms) node in TGDH initial merging group with sponsor Msj , Msr - the right- most sponsor in µTGDH partition, s∗ - index of sponsor Msj whose level lsj is maximal compared to other spon- sors in µTGDH merge. Communication Obviously, µSTR provides best commu- nication efficiency concerning the total number of rounds and sent messages. The total messages size in case of join is constant, in case of merge depends on the number of merging members, and in other cases scales linearly with the sponsor’s position, varying between 1 and n. Compared to µSTR the size of µTGDH messages scales linearly with the level of sponsor’s node ls, which varies between 0 and h = ⌈log n⌉. Thus, in some cases µTGDH may require less communication bandwidth than µSTR. Computation µBD protocol requires only 3 scalar-point multiplications (we do not count additional n − 1 multi- plications with a small integer whose costs may become non-negligible for large n). From all protocols that were de- signed to handle dynamic events we point out µCLIQUES and µTGDH. µCLIQUES requires a constant number of multiplications for all members except for the sponsor. Sig- nificant drawback is that the number of sponsor’s multipli- cations scales linearly in the number of group members. In µTGDH the number of multiplications performed by Mi is given by the function f (note...
Complexity Analysis. This section provides various comparisons among M2MAKA-FS and well-known related protocols including Shuai et al.’s protocol, Xxxxx et al.’s protocol, Kapito et al.’s protocol, Yang et al.’s protocol and Li et al.’s protocol. First of all, we will focus on feature comparisons to know the distinctive feature differences among them. After that, computation and communication analysis follows, to show IoT environmental fitness of them.
Complexity Analysis. This section compares the computation and communication of STR proto- col to other recent group key agreement methods, Cliques GDH.2 [STW00], Tree-Based Xxxxxx-Xxxxxxx (TGDH) [KPT00], and Xxxxxxxxx/Xxxxxxx (BD) [BD94]. These protocols provide contributory group key agreement based on different extensions of the two-party Xxxxxx-Xxxxxxx key exchange. Moreover, they all support dynamic membership operations. We consider the following costs: ■ Number of rounds: this affects serial communication delay. Total number of messages: as the number of messages grows, the probability of message loss or corruption is increased, and so is the delay. ■ Number of unicasts and broadcasts: a broadcast is much more expensive operation than a unicast, since it requires many acknowledgments within the group communication system. ■ Number of serial exponentiation: this is the main factor in the computation overhead. ■ Robustness: Lack of robustness requires additional measures to make the secure group communication system robust against cascaded (nested) faults and membership events. Table 1 shows a comparison of the current approaches for group key manage- ment. The bold text refers to a parameter that severely slows down the protocol in a WAN deployment, for which STR is best suited. In Cliques GDH.2 protocol, the number of new members k is considered, since the merge cost depends on number of new members. The cost for TGDH is the average value when the key tree is fully balanced. The partition or leave cost for STR is computed on average, since it depends on the depth of the lowest-numbered leaving member node. For security reasons [STW00], BD always has to restart anew upon every membership event. As seen from the table, STR is minimal in communication on every mem- bership event. We showed in Section 5 that robustness in the STR protocol is not only easier to implement than in other protocols, but it also achieves higher robustness to network partitions. Cliques GDH.2 is quite expensive protocol in wide area network, since: 1) it is hard or very expensive to provide robustness against cascaded events [AKNR+ 01] and 2) communication cost for merge in- creases linearly as the number of new members does. In TGDH, the partition protocol is expensive (relatively slow) which may cause more cascaded faults and long delays to agree on a key. The cost of BD is mostly acceptable but large number of simultaneous broadcast messages can be problematic over a wide area network. [AAH + 0...
