Common use of Group Key Secrecy Clause in Contracts

Group Key Secrecy. Before considering group key secrecy, we briefly examine key fresh- ness. Every group key is fresh, since at least one member in the group generates a new random key share for every membership change.5 The probability that new group key is the same as any old group key is negligible due to bijectiveness of (f ◦ g) function. We note that the root (group) key is never used directly for the purposes of encryption, authentication or integrity. Instead, special-purpose sub-keys are derived from the this key, e.g., by applying a cryptographically secure hash function, i.e. H(group key) is used for such applications. As discussed in Section II-D, decisional group key secrecy is more meaningful if sub-keys are derived from a group key. Decisional group key secrecy of STR protocol is related to imbalanced tree decision Xxxxxx-Xxxxxxx assumption mentioned in Section B. This assumption ensures that there is no information leakage other than public bkey information. We can also derive the sub-keys based on the Xxxxx’x hedge technique [26] as follows: Compute the key as: H(group key) ⊕ H(group key) where H is a random oracle. 4In fact, it need not broadcast unchanged bkeys, {bk1 , bk2 , bk3 }. 5Recall that insider attacks are not our concern. This excludes the case when an insider intentionally generates non-random numbers. It follows that, in addition to the security in the standard model based on imbalanced Tree Decision Xxxxxx-Xxxxxxx assumption, the derived key is also secure in the random oracle model [6] based on the imbalanced Tree Computational Xxxxxx-Xxxxxxx assumption.

Group Key Secrecy. Before considering group key secrecy, we briefly examine key fresh- ness. Every group key is fresh, since at least one member in the group generates a new random key share for every membership change.5 change6. The probability that new group key is the same as any old group key is negligible due to bijectiveness of (f ◦ g) function. { } 6 Recall that insider attacks are not our concern. This excludes the case when an insider intentionally generates non-random numbers. We note that the root (group) key is never used directly for the purposes of encryption, authentication au- thentication or integrity. Instead, special-purpose sub-keys are derived from the this key, e.g., by applying a cryptographically secure hash function, i.e. H(group key) is used for such applications. As discussed in Section II-D2.4, decisional group key secrecy is more meaningful if sub-keys are derived from a group key. Decisional group key secrecy of STR protocol is related to imbalanced tree decision Xxxxxx-Xxxxxxx assumption mentioned in Section B. A.2. This assumption ensures that there is no information leakage other than public bkey information. We can also derive the sub-keys based on the Xxxxx’x Shoup’s hedge technique [2625] as follows: Compute the key and compute them as: H(group key) ⊕ H(group key) where H is a random oracle. 4In fact, it need not broadcast unchanged bkeys, {bk1 , bk2 , bk3 }. 5Recall that insider attacks are not our concern. This excludes the case when an insider intentionally generates non-random numbers. It follows that, in addition to the security in the standard model based on imbalanced the Imbalanced Tree Decision Xxxxxx-Xxxxxxx assumption, the derived key is also secure in the random oracle model [6] based on the imbalanced Imbalanced Tree Computational Xxxxxx-Xxxxxxx assumption.

Group Key Secrecy. Before considering group key secrecy, we briefly examine key fresh- ness. Every group key is fresh, since at least one member in the group generates a new random key share for every membership change.5 The probability that new group key is the same as any old group key is negligible due to bijectiveness of (f ◦ g) function. We note that the root (group) key is never used directly for the purposes of encryption, authentication or integrity. Instead, special-purpose sub-keys are derived from the this key, e.g., by applying a cryptographically secure hash function, i.e. H(group key) is used for such applications. As discussed in Section II-D, decisional group key secrecy is more meaningful if sub-keys are derived from a group key. Decisional group key secrecy of STR protocol is related to imbalanced tree decision Xxxxxx-Xxxxxxx assumption mentioned in Section B. This assumption ensures that there is no information leakage other than public bkey information. We can also derive the sub-keys based on the Xxxxx’x hedge technique [26] as follows: Compute the key as: H(group key) ⊕ H(group key) where H is a random oracle. 4In fact, it need not broadcast unchanged bkeys, {bk1 , bk2 , bk3 }. 5Recall that insider attacks are not our concern. This excludes the case when an insider intentionally generates non-random numbers. It follows that, in addition to the security in the standard model based on imbalanced Tree Decision Xxxxxx-Xxxxxxx assumption, the derived key is also secure in the random oracle model [6] based on the imbalanced Tree Computational Xxxxxx-Xxxxxxx assumption.

Group Key Secrecy. Before considering group key secrecy, we briefly examine key fresh- ness. Every group key is fresh, since at least one member in the group generates a new random key share for every membership change.5 The probability that new group key is the same as any old group key is negligible due to bijectiveness of (f ◦ g) function. We note that the root (group) key is never used directly for the purposes of encryption, authentication or integrity. Instead, special-purpose sub-keys are derived from the this key, e.g., by applying a cryptographically secure hash function, i.e. H(group key) is used for such applications. As discussed in Section II-D, decisional group key secrecy is more meaningful if sub-keys are derived from a group key. Decisional group key secrecy of STR protocol is related to imbalanced tree decision Xxxxxx-Xxxxxxx assumption mentioned in Section B. This assumption ensures that there is no information leakage other than public bkey information. We can also derive the sub-keys based on the Xxxxx’x hedge technique [26] as follows: Compute the key as: H(group key) ⊕ H(group key) where H is a random oracle. 4In fact, it need not broadcast unchanged bkeys, {bk1 bk1, bk2 bk2, bk3 bk3}. 5Recall that insider attacks are not our concern. This excludes the case when an insider intentionally generates non-random numbers. It follows that, in addition to the security in the standard model based on imbalanced Tree Decision Xxxxxx-Xxxxxxx assumption, the derived key is also secure in the random oracle model [6] based on the imbalanced Tree Computational Xxxxxx-Xxxxxxx assumption.