Group Key Secrecy. Before considering group key secrecy, we briefly examine key fresh- ness. Every group key is fresh, since at least one member in the group generates a new random key share for every membership change.5 The probability that new group key is the same as any old group key is negligible due to bijectiveness of (f ◦ g) function. We note that the root (group) key is never used directly for the purposes of encryption, authentication or integrity. Instead, special-purpose sub-keys are derived from the this key, e.g., by applying a cryptographically secure hash function, i.e. H(group key) is used for such applications. As discussed in Section II-D, decisional group key secrecy is more meaningful if sub-keys are derived from a group key. Decisional group key secrecy of STR protocol is related to imbalanced tree decision Xxxxxx-Xxxxxxx assumption mentioned in Section B. This assumption ensures that there is no information leakage other than public bkey information. We can also derive the sub-keys based on the Xxxxx’x hedge technique [26] as follows: Compute the key as: H(group key) ⊕ H(group key) where H is a random oracle. 4In fact, it need not broadcast unchanged bkeys, {bk1 , bk2 , bk3 }. 5Recall that insider attacks are not our concern. This excludes the case when an insider intentionally generates non-random numbers. It follows that, in addition to the security in the standard model based on imbalanced Tree Decision Xxxxxx-Xxxxxxx assumption, the derived key is also secure in the random oracle model [6] based on the imbalanced Tree Computational Xxxxxx-Xxxxxxx assumption.
Group Key Secrecy. The final session key for all group members K = H(k1 k2 ... kn) is computed from each ki, which is generated from each user’s private key. An attacker has to obtain at least one ki in order to compromise the group session key. In the case of our protocol, an attacker even doesn’t know identities of group users, but only the random numbers ri. Hence the attacker is unable to compute the correct ki without identities Ui. Even if the attacker knows the identities of group users, he still has to obtain the master secret or the private key of a user to calculate ki. Under the BDH assumption, it is impossible to obtain ki without knowing the master secret or the private key, which guarantees group key secrecy of our scheme. Furthermore, our protocol ensures that all group members derive the same group key at the end, which means group key confirmation is guaranteed in the protocol. Group Forward/Backward Secrecy When a group mem- ber leaves the group or a new user joins the group, the protocol should guarantee group forward/backward secrecy. In our protocol, this is achieved by the group member joining protocol and the group member leaving protocol. Whenever group membership is changed because a user joins or leaves the group, the group key is updated and the new group key is unrelated to the old one. As a result, a new group member cannot decrypt previous communication content, and an old group member cannot decrypt communication content encrypted by the new group key.
Group Key Secrecy. In the GKA protocol, the group key K is generated by concatenating all the ki’s. Because the ki’s are obtained sequentially with one ki and all the other Xi’s, the adversary should have at least one ki to compute the session group key. However, when computing ki, it is difficult to compute riri+1P given <P , riP , ri+1P> tuple under the ECDH assumption; also computing e(Qi+1, Si) without the master secret key s is a hard problem under the BDH assumption. Therefore, the passive adversary cannot compute the group key K.
Group Key Secrecy. Pr(K | IK ) = 1 n ∑ p i =1 Pr(K = K vc | IK = iki )
