Security Result. The protocol presented in the earlier section is provably secure against passive adversaries in the model of [4], from where the notations and definitions are taken. A Theorem 1: Let P be the protocol as defined above. Let be a passive adversary making qex = (qika +qjoin +qdelete) Execute queries to the parties and running in time t. Then Protocol P is a secure GKA protocol. Namely: AdvPA(t, qex) ≤ 2qex ∗ SuccDDH(t′) (Ml) chooses a new random secret, rl, and sends all the blinded secrets to the new group leader , Xx' . The new where t′ ≤ t + qex |P|t |P| exp , texp is the time to perform an 3For each session, one may want to elect a new leader. exponentiation in G and being the maximum number of participants in the protocol.
Security Result. The protocol presented in the earlier section is provably secure against passive adversaries in the model of [4], from where the notations and definitions are taken. A Theorem 1: Let P be the protocol as defined above. Let be a passive adversary making qex = (qika +qjoin +qdelete) Execute queries to the parties and running in time t. Then Protocol P is a secure GKA protocol. Namely: AdvPA(t, qex) ≤ 2qex ∗ SuccDDH (tj) (Ml) chooses a new random secret, rl, and sends all the blinded secrets to the new group leader , Mlr . The new where tj ≤ t + qex |P|t |P| exp , texp is the time to perform an 3For each session, one may want to elect a new leader. exponentiation in G and being the maximum number of participants in the protocol. Proof: Due to lack of space, we only give a sketch of the proof. The complete proof will appear in the full version4. We show that an adversary who achieves an advantage in calculating the session key, can be used to build an attacker { } A ∆ which gains an advantage in solving an instance of the Decisional Diffie-Xxxxxxx (DDH) Problem. The Send and Corrupt queries are not applicable as we are dealing with a passive adversary and there are no long-term secrets. Thus the only relevant queries are the Execute, Reveal and Test queries. Assume the adversary distinguishes the session key with a probability non-negligibly greater than 0.5. We construct from a DDH attacker ∆ that receives as in- put an instance D = g, g1, g2, g3 and predicts if it is an instance from (g, gra , grb , grarb ) or (g, gra , grb , grc ) with a non-negligible advantage. A A The Attacker ∆ feeds with elements derived from the instance D in the reply to the Execute query of the session for which will make the Test query. So ∆ picks at random ctest from [1, qex] which is its guess for the number of the Execute query, corresponding to the session, for which makes the Test query. For all other sessions, ∆ responds to Execute queries with randomly generated data. A A ∆ replies to the Test query with a session key, sk, con- structed using data from the instance D. sk is a valid ses- sion key only if the instance D is a DH tuple. Thus, if the adversary correctly identifies sk as the session key, the tuple (g, g1, g2, g3) is indeed a DH tuple otherwise it is a random tuple. The success probability of ∆ is the probabil- ity that it correctly guesses the session for which makes the Test query (1/qex), multiplied by the success probabil- ity of A. Thus if we denote by p the proba...
Security Result. P The security of our protocol is measured as the probability that an adversary can get some (partial) information on the key. This probability is denoted Advake and depends on the number of messages sent on the network.
