Key Independence. We now give an informal proof that STR satisfies forward and backward secrecy, or equivalently key independence. In order to show that STR provides key independence, we only need to show that the former (prospective) member’s view of the current tree is exactly the same as the passive adversary’s view. This is because the advantage of the former (prospective) member is the same as the passive adversary, and the view of the passive adversary does not reveal any information about the group key by Xxxxxxx 3. We first consider backward secrecy, which states that a new member who knows the current group key cannot derive any previous group keys. Let Mn+1 be the new member. The sponsor for the join event changes its session random and, consequently, root key of the current key tree is changed. Therefore, the view of Mn+1 with respect to the prior key trees is exactly the same as the view of an outsider. Hence, the new member does not gain any advantage compared to a passive adversary. This argument can be easily extended to a merge of two or more groups. When a merge happens, the sponsor at the top leaf node of the largest tree changes its session random. Therefore, each member’s view on other member’s tree is exactly the same as the view of a passive adversary. This shows that the newly merged member has exactly the same advantage about any of the old key tree as a passive adversary. Now we consider forward secrecy, meaning that a passive adversary who knows a contiguous subset of old group keys cannot discover subsequent group keys. Here, we consider partition and leave at the same time. Xxxxxxx Xx is a former group member who left the group. Whenever subtractive event happens, the sponsor located immediately below the deepest leaving leaf node refreshes its session random, and, therefore, all keys known to leaving members will be changed accordingly. Therefore, Md’s view is exactly the same as the view of the passive adversary. This proves that STR provides decisional version of key independence.
Key Independence. Knowledge of any set of group keys does not lead to the knowledge of any other group key not in this set (see [5]).
Key Independence. Knowledge of a subset of group keys in the life-cycle of a group (by a participant or outsider) should not enable knowledge of any key outside this subset.
Key Independence. We do not assume key authentication here. All communication channels are public but authentic. Order of Content • Introduction • Assumptions and Requirements • Cryptographic Properties • Notations • TGDH Protocols • Practical Aspects ( Issues and solutions ) • Performance Analysis • Related Work • Conclusion Notations • Use of binary trees • Key-path • Co-path • Key of node present at <l,v> - K<l,v> • Blind key - BK<l,v> = f ( K<l,v> ) • Where f ( k ) = aK mod p Notations… Order of Content • Introduction • Assumptions and Requirements • Cryptographic Properties • Notations • TGDH Protocols • Practical Aspects ( Issues and solutions ) • Performance Analysis • Related Work • Conclusion TGDH Protocols • Four basic protocol form the suite • Common framework:
Key Independence. Successive invocation of fA and fB produce indepen- dent random strings. Since each instance of key generation depends only on the outputs of fA, fB, the current key reveals no information about the past keys or future keys. Function: RetV al := fx(1n, s), x ∈ {A, B} i: local persistent counter initialized to 0 during the first execution RetV al := g(s, i) i := i + 1
