Common use of Forward Secrecy Clause in Contracts

Forward Secrecy. Knowledge of some long term secret does not lead to the knowledge of past group keys. An important advantage of a group key agreement protocol over a simple group key distribution scheme is the forward secrecy. This property can be particularly interesting in situations where some nodes are likely to be compromised (eg. in military scenarios). In such a case, the knowledge of the long term secret of this node does not compromise all past session keys. From a functional point of view, it is desirable to have procedures to handle the dynamism in the network. These procedures enable efficient merging or partitioning of two groups in the network. 2 Related Work Key establishment protocols for networks can be broadly classified into three classes: Key transport using symmetric cryptography, Key transport using asymmetric cryptography and Key agreement using asymmetric cryptography. In key transport protocols, one participant chooses the group key and securely transfers it to other participants using a priori shared secrets (symmetric or asymmetric). These protocols are not suitable for ad hoc networks for two reasons; firstly, they require a single trusted authority to distribute keys and secondly, compromise of the a priori secret of any participant breaches the security of all past group keys, thus failing to provide forward secrecy. Most group key agreement protocols are derived from the two-party Diffie-Xxxxxxx key exchange protocol. GKA protocols, not based on Diffie-Xxxxxxx, are few and include [19, 24, 6]. Both protocols of Li [19] and Xxxx [6] fail to provide forward secrecy while protocol of Tzeng [24] is quite resource-intensive and prone to certain attacks [6]. Forward Secrecy is a very desirable property for key establishment protocols in ad hoc networks, as some nodes can be easily compromised due to low physical security of nodes. Thus it is essential that compromise of one single node does not compromise all past session keys. We summarize and compare in Table 1 existing GKA protocols based on Diffie- Xxxxxxx protocols. We compare essentially the unauthenticated versions of the protocols, as most achieve authentication by using digital signatures in a similar manner and thus have similar costs for achieving authentication. We compare the efficiency of these protocols based on the following parameters: • Number of synchronous rounds: In a single synchronous round, multiple independent mes- sages can be sent in the network. The total time required to run a round-efficient GKA protocol can be much less than other GKA protocols that have the same number of total messages but more rounds. This is because the nodes spend less time waiting for other messages before sending their own. • Number of messages: This is the total number of messages (unicast or broadcast) exchanged in the network to derive the group key. For multiple hop ad hoc networks, the distinction between unicast and broadcast messages is important as the latter can be much more energy consuming (for the whole network) than the former. • Number of exponentiations: All Diffie-Xxxxxxx based GKA protocols require a number of modular exponentiations to be performed by each participant. Relative to all cryptographic operations, a modular operation is the most computationally intensive operation and thus gives a good indication of the computational cost for each node. Communication costs still remain the critical factor for choosing energy-efficient protocols for most ad hoc networks. A modular exponentiation (over an elliptic curve) can be performed in a few tens of milliseconds on most palmtops, whereas message propagation in multi-hop ad hoc networks can be easily of the order of few seconds and has energy implications for multiple nodes in the network. As can be seen in Table 1, most existing GKA protocols require O(m) rounds of com- munication for m participants in the protocol. Such protocols do not scale well in ad hoc networks. Even tree-based GKA protocols with O(log m) rounds can be quite demanding for medium to large sized ad hoc networks. Therefore constant-round protocols are better suited for ad hoc networks. − Among the constant round protocols, Octopus [3], BDB [14] and KLL [15] require special or- dering of the participants. This results in messages sent by some participant being dependent on that of others. In such a case, failure of a single node can often halt the protocol. Thus such protocols are not robust enough to adapt well to the dynamism of ad hoc networks. BCEP protocol [8] fails to provide forward secrecy if the long-term secret of the base station is revealed. Catalano protocol [7] is computationally demanding with O(m) exponentiations for each participant. Another drawback is that if any participant’s message is lost in first round, the whole protocol is brought to a halt, as the secret sharing schemes implies all m contributions are required to compute the key. NKYW [17] though efficient, does not provide any procedure to handle group composition changes and therefore requires a complete re-run in case of group changes. The STR protocol [22, 16] was proposed by Xxxxx et al. in [22] for static groups. Perrig et al. proposed procedures to handle group changes in [16]. But the protocol remains a bit expensive with up to m i exponentiations for participant Mi and 2m exponentiations for the sponsor node (lowermost). The protocol lacks a proof of security against active adversaries. Expo per Ui Messages Broadcasts Rounds †: m exponentiations for the base station. ‡: m + 1 exponentiations and m-1 inverse calculations for the parent node. ∗: Up to 2m exponentiations for the sponsor node. ∗∗: m exponentiations for the leader. Table 1: Comparison of GKA protocols The contributions of this paper are the following: • an authenticated dynamic group key agreement protocol is recalled1, • the mechanisms that must be used in a MANET to implement this group key agreement pro- tocol are described, • a precise study of the cryptographic parameters that this group key agreement protocol must use in the context of an ad hoc network is carried out. Finally the adapted version of the group key agreement protocol that we propose is among the very few protocols suitable for ad hoc networks. The paper is organized as follows: • Section 3 recalls the group key agreement protocol. We describe the basic functioning of the protocol only, • Section 4 explains how this group key agreement protocol can be implemented in an ad hoc network. The main issues discussed in this section include the election of a leader in the ad hoc network and the actions that must be undertaken to handle splits and mergers in the ad hoc network, • Section 5 discusses the overhead of cryptographic operations. 3 Presentation of our authenticated protocol We recall an existing group key agreement protocol in this section. We first illustrate the basic principle of key exchange, followed by a detailed explanation of how it is employed to derive Initial Key Agreement, Join/Merge and Delete/Partition procedures to handle dynamism in ad hoc groups.

Forward Secrecy. Knowledge of some long long-term secret does not lead to the knowledge of past group keys. An important advantage of a group key agreement protocol over a simple group key distribution scheme is the forward secrecy. This property can be particularly interesting in situations where some nodes are likely to be compromised (eg. e.g. in military scenarios). In such scenarios, using a caseGKA, the knowledge of the long long-term secret of this node does not compromise all past session keys. From a functional point of view, it is desirable to have procedures to handle the dynamism in the network. These procedures enable efficient merging or partitioning of two groups in the network. 2 Related Work Key establishment protocols for networks can be broadly classified into three classes: Key transport using symmetric cryptography, Key transport using asymmetric cryptography and Key agreement using asymmetric cryptography. In key transport protocols, one participant chooses the group key and securely transfers it to the other participants using a priori shared secrets (symmetric or asymmetric). These protocols are not suitable for ad hoc networks for two reasons; : firstly, they require a single trusted authority to distribute keys and secondly, compromise of if the a priori secret of any participant is compromised, this breaches the security of all past group keys, thus failing to provide forward secrecy. Thus GKA protocols are more relevant since they provide this forward secrecy property. Most group key agreement protocols are derived from the two-party DiffieXxxxxx-Xxxxxxx key exchange protocol. GKA protocols, not based on DiffieXxxxxx-Xxxxxxx, are few and include the protocols of Pieprzyk and Li [1928], 24, 6Tzeng and Tzeng [33] and Xxxx and Xxxxx [7]. Both the protocols of Pieprzyk and Li [1928] and Xxxx and Xxxxx [67] fail to provide forward secrecy while the protocol of Tzeng and Tzeng [2433] is quite resource-intensive and prone to certain attacks [67]. Forward Secrecy is a very desirable property for key establishment protocols in ad hoc networks, as some nodes can be easily compromised due to low physical security of the nodes. Thus it is essential that compromise of if one single node is compromised, this does not compromise all past session keys. We In Table 1 we summarize and compare in Table 1 existing GKA protocols based on Diffie- Xxxxxx-Xxxxxxx protocols. We compare essentially the unauthenticated versions of the protocols, as most achieve authentication by using digital signatures in a very similar manner and thus have similar added costs for achieving to achieve authentication. We compare the efficiency of these protocols based on the following parameters: • – Number of synchronous rounds: In a single synchronous round, multiple independent mes- sages messages can be sent in the network. The total time required to run a round-efficient GKA protocol can be much less than other GKA protocols that have the same number of total messages but more rounds. This is ; because the nodes spend less time waiting for other messages before sending their own. • – Number of messages: This is the total number of messages (unicast or broadcast) exchanged in the network to derive the group key. For multiple hop ad hoc networks, the distinction between unicast and broadcast messages is important as the latter can be much more energy consuming (for the whole network) than the former. • – Number of exponentiations: All DiffieXxxxxx-Xxxxxxx based GKA protocols require a number of modular exponentiations to be performed by each participant. Relative to all cryptographic operations, a modular operation is the most computationally intensive operation and thus gives a good indication of the computational cost for each node. Communication costs still remain the critical factor for choosing energy-efficient protocols for most ad hoc networks. A modular exponentiation (over an which is most efficiently done using elliptic curvecurve cryptography) can be performed in a few tens of milliseconds on most palmtops, whereas message propagation in multi-hop ad hoc networks can be easily of the order of a few seconds and has energy implications for multiple nodes in the network. As can be seen in Table 1, most existing GKA protocols require O(m) rounds of com- munication communication for m participants in the protocol. Such protocols do not scale well in ad hoc networks. Even tree-based GKA protocols with O(log m) rounds can be quite demanding for medium to large sized ad hoc networks. Therefore constant-round protocols are better suited more suitable for ad hoc networks. − Among the constant round protocols, Octopus [3], BDB [14] and KLL [15] require special or- dering of the participants. This results in messages sent by some participant being dependent on that of others. In such a case, failure of a single node can often halt the protocol. Thus such protocols are not robust enough to adapt well to the dynamism of ad hoc networks. BCEP protocol [8] fails to provide forward secrecy if the long-term secret of the base station is revealed. Catalano protocol [7] is computationally demanding with O(m) exponentiations for each participant. Another drawback is that if any participant’s message is lost in first round, the whole protocol is brought to a halt, as the secret sharing schemes implies all m contributions are required to compute the key. NKYW [17] though efficient, does not provide any procedure to handle group composition changes and therefore requires a complete re-run in case of group changes. The STR protocol [22, 16] was proposed by Xxxxx et al. in [22] for static groups. Perrig et al. proposed procedures to handle group changes in [16]. But the protocol remains a bit expensive with up to m i exponentiations for participant Mi and 2m exponentiations for the sponsor node (lowermost). The protocol lacks a proof of security against active adversaries. Expo per Ui Messages Broadcasts Rounds †: ITW [15] GDH.1 [32] GDH.2 [32, 10] mi + 1i + 1 m(m − 1) 2(m − 1) m exponentiations for the base station. ‡: − 1 2m − 3 2m − 2mm 001 m − 12(m − 1)m GDH.3 [32] 3 2 m + 1 exponentiations and m-1 inverse calculations for the parent node. ∗: Up to TGDH [20] Perrig [27] Dutta [13] ≤ log2 m log2 m + 1 log3 m 2m exponentiations for the sponsor node. ∗∗: − 2 m exponentiations for the leader. − 2m log2 m log2 m log3 m Table 1: . Comparison of non constant rounds GKA protocols The contributions of this paper are the following: • an authenticated dynamic group key agreement protocol is recalled1Expo per Ui Mes- sages Broad- casts Rounds Structure FS Octopus [5] BDB [12, • the mechanisms that must be used in a MANET to implement this group key agreement pro- tocol are described17] 43 2† m + 1 3 2‡ (m − i)∗ 0(m) 2∗∗ 3m − 42m 0m 42 Hypercube Ring Yes Yes BCEP [9] 2m 0 2 None No Xxxxxxxx [8] 2m 0 2 None Yes KLL [18] 2m 2m 2 Ring Yes NKYW [24] m 1 2 None Yes STR [31, • a precise study of the cryptographic parameters that this group key agreement protocol must use in the context of an ad hoc network is carried out. Finally the adapted version of the group key agreement protocol that we propose is among the very few protocols suitable for ad hoc networks. The paper is organized as follows: • Section 19, 23] m 1 2 Skewed tree Yes TFAN [21] m O(m) 3 recalls the group key agreement protocol. We describe the basic functioning of the protocol only, • Section or 4 explains how this group key agreement protocol can be implemented in an ad hoc network. The main issues discussed in this section include the election of a leader in the ad hoc network and the actions that must be undertaken to handle splits and mergers in the ad hoc network, • Section 5 discusses the overhead of cryptographic operations. 3 Presentation of our authenticated protocol We recall an existing group key agreement protocol in this section. We first illustrate the basic principle of key exchange, followed by a detailed explanation of how it is employed to derive Initial Key Agreement, Join/Merge and Delete/Partition procedures to handle dynamism in ad hoc groups.Tree Yes

Forward Secrecy. Knowledge of some long long-term secret does not lead to the knowledge of past group keys. An important advantage of a group key agreement protocol over a simple group key distribution scheme is the forward secrecy. This property can be particularly interesting in situations where some nodes are likely to be compromised (eg. e.g. in military scenarios). In such scenarios, using a caseGKA, the knowledge of the long long-term secret of this node does not compromise all past session keys. From a functional point of view, it is desirable to have procedures to handle the dynamism in the network. These procedures enable efficient merging or partitioning of two groups in the network. 2 Related Work Key establishment protocols for networks can be broadly classified into three classes: Key transport using symmetric cryptography, Key transport using asymmetric cryptography and Key agreement using asymmetric cryptography. In key transport protocols, one participant chooses the group key and securely transfers it to the other participants using a priori shared secrets (symmetric or asymmetric). These protocols are not suitable for ad hoc networks for two reasons; : firstly, they require a single trusted authority to distribute keys and secondly, compromise of if the a priori secret of any participant is compromised, this breaches the security of all past group keys, thus failing to provide forward secrecy. Thus GKA protocols are more relevant since they provide this forward secrecy property. Most group key agreement protocols are derived from the two-party DiffieXxxxxx-Xxxxxxx key exchange protocol. GKA protocols, not based on DiffieXxxxxx-Xxxxxxx, are few and include the protocols of Pieprzyk and Li [1928], 24, 6Tzeng and Tzeng [33] and Xxxx and Xxxxx [7]. Both the protocols of Pieprzyk and Li [1928] and Xxxx and Xxxxx [67] fail to provide forward secrecy while the protocol of Tzeng and Tzeng [2433] is quite resource-intensive and prone to certain attacks [67]. Forward Secrecy is a very desirable property for key establishment protocols in ad hoc networks, as some nodes can be easily compromised due to low physical security of the nodes. Thus it is essential that compromise of if one single node is compromised, this does not compromise all past session keys. We In Table 1 we summarize and compare in Table 1 existing GKA protocols based on Diffie- Xxxxxx-Xxxxxxx protocols. We compare essentially the unauthenticated versions of the protocols, as most achieve authentication by using digital signatures in a very similar manner and thus have similar added costs for achieving to achieve authentication. We compare the efficiency of these protocols based on the following parameters: • – Number of synchronous rounds: In a single synchronous round, multiple independent mes- sages messages can be sent in the network. The total time required to run a round-efficient GKA protocol can be much less than other GKA protocols that have the same number of total messages but more rounds. This is ; because the nodes spend less time waiting for other messages before sending their own. • – Number of messages: This is the total number of messages (unicast or broadcast) exchanged in the network to derive the group key. For multiple hop ad hoc networks, the distinction between unicast and broadcast messages is important as the latter can be much more energy consuming (for the whole network) than the former. • – Number of exponentiations: All DiffieXxxxxx-Xxxxxxx based GKA protocols require a number of modular exponentiations to be performed by each participant. Relative to all cryptographic operations, a modular operation is the most computationally intensive operation and thus gives a good indication of the computational cost for each node. Communication costs still remain the critical factor for choosing energy-efficient protocols for most ad hoc networks. A modular exponentiation (over an which is most efficiently done using elliptic curvecurve cryptography) can be performed in a few tens of milliseconds on most palmtops, whereas message propagation in multi-hop ad hoc networks can be easily of the order of a few seconds and has energy implications for multiple nodes in the network. As can be seen in Table 1, most existing GKA protocols require O(m) rounds of com- munication communication for m participants in the protocol. Such protocols do not scale well in ad hoc networks. Even tree-based GKA protocols with O(log m) rounds can be quite demanding for medium to large sized ad hoc networks. Therefore constant-round protocols are better suited more suitable for ad hoc networks. Expo per Ui Messages Broadcasts Rounds ITW [15] m m(m − 1) 0 m − 1 GDH.2 [32, 10] i + 1 m − 1 1 m GDH.3 [32] 3 2m − 3 2 m + 1 TGDH [20] ≤ log2 m 2m − 2 2m − 2 log2 m Perrig [27] log2 m + 1 m m − 2 log2 m Dutta [13] log3 m m m log3 m Table 1. Comparison of non constant rounds GKA protocols Expo per Ui Mes- sages Broad- casts Rounds Structure FS Octopus [5] 4 3m − 4 0 4 Hypercube Yes Xxxxxxxx [8] m + 1 2m 0 2 None Yes KLL [18]NKYW [24] 32‡ 2mm 2m 1 22 Ring None Yes Yes STR [31, 19, 23] (m − i)∗ m 1 2 Skewed tree Yes TFAN [21]Ours (AGDH) 0(m)2∗∗ mm O(m) 1 3 or 42 Tree None Yes Yes †: m exponentiations for the base station. ‡: m + 1 exponentiations and m-1 inverse calculations for the parent node. ∗: Up to 2m exponentiations for the sponsor node. ∗∗: m exponentiations for the leader. Comparison of constant round GKA protocols Table 2. Among the constant round protocolsprotocols (see Table 2), Octopus [35], BDB [1417] and KLL [1518] require special or- dering ordering of the participants. This results in messages sent by some participant being dependent on that of others. In such a case, failure of a single node can often halt the protocol. Thus such protocols are not robust enough to adapt well to the dynamism of ad hoc networks. The BCEP protocol [89] involves a base station, and fails to provide forward secrecy if the long-term secret of the base station is revealed. Catalano The Bresson and Xxxxxxxx protocol [78] is computationally demanding with O(m) exponentiations for each participant. Another drawback is that if any participant’s message is lost in first round, the whole protocol is brought to a halt, as the secret sharing schemes implies that all m contributions are required to compute the key. NKYW NKYW[24]: The original paper proposes this protocol for ad hoc networks composed of devices with unequal computational powers. In the first round, each participant Mi unicasts its contribution gri , i ∈ [171, n − 1] though efficientto a fixed node Mn, does not provide any procedure to handle group composition changes and therefore requires a complete re-run in case of group changescalled the parent node. The STR parent node chooses random r and rn and computes w = gr, xn = grrn and xi = (gri )r for each received gri . It broadcasts w and {xn ∗ Πjƒ=ixj}i. The key is derived from Πixi. The protocol [22remains somewhat expensive computationally compared to the protocol that will be described in this paper. STR[31, 16] 19]: This protocol was proposed by Xxxxx Steer et al. in [2231] for static groups. Perrig et al. proposed procedures to handle group changes in [1619]. But In [23] a suite of protoocls called µSTR are proposed to optimize the STR protocol remains for MANETs. TFAN [21] is a bit expensive with up to m i exponentiations merge of µSTR and µTGDH, which are optimizations of STR and TGDH, also proposed in [21]. TFAN provides a trade-off between computational and communication costs. Among all the reviewed GKA protocols reviewed only a few of them [23, 22, 21] are designed for participant Mi and 2m exponentiations for the sponsor node (lowermost)MANETs. The protocol lacks proposed in this paper is more robust to messages losses than the previous one. If a proof contribution of security against active adversariesa given member is lost then this member can not compute the key but the others can still agree on shared secret key. Expo per Ui Messages Broadcasts Rounds †: m exponentiations for the base station. ‡: m + 1 exponentiations and m-1 inverse calculations for the parent node. ∗: Up to 2m exponentiations for the sponsor node. ∗∗: m exponentiations for the leader. Table 1: Comparison of GKA protocols The contributions of this paper are the following: • – an authenticated dynamic group key agreement protocol is recalled1recalled [4], • – the mechanisms that must be used in a MANET to implement this group key agreement pro- tocol protocol are described, • – a precise study of the cryptographic parameters that this group key agreement protocol must use in the context of an ad hoc network is carried out. Finally the adapted version of the group key agreement protocol that we propose propose, we call this protocol AGDH for Asymmetric Group Diffie Xxxxxxx, is among the very few group key agreement protocols suitable for ad hoc networks. Note that, in this paper, we do not consider malicious insiders and also the unrelated issue of selfishness. The paper is organized as follows: • Section 3 recalls the group key agreement protocol. We describe the basic functioning of the protocol only, • Section 4 explains how this group key agreement protocol can be implemented in an ad hoc network. The main issues discussed in this section include the election of a leader in the ad hoc network and the actions that must be undertaken to handle splits and mergers in the ad hoc network, • Section 5 discusses the overhead of cryptographic operations. 3 Presentation of our authenticated protocol We recall an existing group key agreement protocol in this section. We first illustrate the basic principle of key exchange, followed by a detailed explanation of how it is employed to derive Initial Key Agreement, Join/Merge and Delete/Partition procedures to handle dynamism in ad hoc groups.: