Known-key security. It should be noted that the authen- ticated group key K0 consists of a secret random component equivalent to the group key of the non-authenticated TGDH. If E compromises this authenticated group key K0, then it cannot compute the past group keys whose corresponding secret random components are composed of the short-term secrets rMi ’s offered by different combinations of members, and doing so will require E to solve the Xxxxxx-Xxxxxxx problem. If any two past group keys refer to the same set of members, then they are still different since each member Mi renews rMi when it re-joins the group.
Known-key security. Known-key security means that each run of an authentication and key agreement protocol between two communicating parties should produce unique secret keys (session keys). In the proposed protocol, the server and the userU randomly and independently generate the random number c and b separately, the session key SK h1 (cbh(h(PW a) username)P r username) of each session is not connected with the session keys of any other sessions. Knowing a session key SK h1 (cbh(h(PW
a) username)P r username) and the random values c and b is not enough for computing the other session keys SK ' h (c'b'h(h(PW a) username)P r' username) , because in each session a fresh session key is generated depending on
Known-key security. An adversary compromising a ses- sion key in a single session should not impose any threat to the session key security in any other sessions.
Known-key security. The compromise of past short-term keys does not degrade the secrecy of future short-term keys.
Known-key security. In the key agreement phase, the ephemeral secret is the signature of a message. The adversary cannot obtain any information from this signature and derive any information about former session keys even if he compromises the session key of sender A or receiver B. If the adversary compromises A’s session key, he/she cannot obtain any information about other former session keys. With random number tA, the session key computed by sender A is fresh. If the adversary compromises receiver B’s session key, he/she cannot obtain any information about other former session keys. Because of the unique signature message, the session key computed by receiver B is unique. Hence, the proposed scheme can capture Known key security.
Known-key security. In our protocol, ephemeral keys such as a, b, and c are used to construct the session key. As a result, each run of the protocol creates unique session key which is independent to past or future session keys. Therefore, com- promise of past session keys do not affect the security of future session keys.
Known-key security. If A and B execute the regular protocol run, they clearly share their unique session key 汜 , because Ze ( )
Known-key security. For each session, the partici- pant randomly selects hi and ri, results separate in- dependent group encryption and decryption keys for other sessions. Therefore, a leakage of group decryp- tion keys in one session will not help in the derivation of other session group decryption keys.
Known-key security. The session key 𝐾𝑒𝑦 contains random number 𝑤1, 𝑤2, 𝑤3 and 𝑤4 that are randomly selected by user, edge device and cloud server. So the different session key are independent of each other among protocol executions. Hence, our protocol support known- key security.
Known-key security. The known-key security means that compromise of a past session key cannot derive any further session key.