Flexible Group Key Exchange with On-demand Computation of
Subgroup Keys Supporting Subgroup Key Randomization
Keita Emura
1
and Takashi Sato
2
1
Network Security Research Institute, Security Architecture Laboratory,
National Institute of Information and Communications Technology (NICT), Koganei, Japan
2
School of Information Science, Japan Advanced Institute of Science and Technology (JAIST), Nomi, Japan
Keywords:
Group Key Exchange, On-demand Computation of Subgroup Keys.
Abstract:
In AFRICACRYPT2010, Abdalla, Chevalier, Manulis, and Pointcheval proposed an improvement of group
key exchange (GKE), denoted by GKE+S, which enables on-demand derivation of independent secret sub-
group key for all potential subsets. On-demand derivation is efficient (actually, it requires only one round)
compared with GKE for subgroup (which requires two or more rounds, usually) by re-using values which was
used for the initial GKE session for superior group. In this paper, we improve the Abdalla et al. GKE+S
protocol to support key randomization. In our GKE+S protocol, the subgroup key derivation algorithm is
probabilistic, whereas it is deterministic in the original Abdalla et al. GKE+S protocol. All subgroup member
can compute the new subgroup key (e.g., for countermeasure of subgroup key leakage) with just one-round
additional complexity. Our subgroup key establishment methodology is inspired by the “essential idea” of
the NAXOS technique. Our GKE+S protocol is authenticated key exchange (AKE) secure under the Gap
Diffie-Hellman assumption in the random oracle model.
1 INTRODUCTION
In AFRICACRYPT2010 (Abdalla et al., 2010), Ab-
dalla, Chevalier, Manulis, and Pointcheval proposed
an improvement of group key exchange (GKE), de-
noted by GKE+S
1
, which enables on-demand deriva-
tion of independent secret subgroup key for all poten-
tial subsets. It is particularly worth noting that the re-
quired round of the subgroup key computation phase
is just one by re-using the values {y
1
,...,y
m
}. So,
the Abdalla et al. GKE+S protocol reduces the round
complexity (from two to one) compared with the case
that the BD protocol (Burmester and Desmedt, 1994)
is directly executedfor asubgroup(U
1
,U
2
,... ,U
m
). It
is notable that their on-demand subgroup key deriva-
1
First, the Burmester-Desmedt (BD) proto-
col (Burmester and Desmedt, 1994) (with certain
modification to enable the subgroup key derivation) is
executed with a group (U
1
,U
2
,... ,U
n
)). In this group key
computation phase, a user (say U
i
) publishes the value (say
y
i
) for establishing the group key. The end of this phase,
all user (U
1
,U
2
,... ,U
n
) shares the common group key.
Next, in the subgroup key computation phase, a member
of subgroup (w.l.o.g., (U
1
,U
2
,... ,U
m
) (U
1
,U
2
,... ,U
n
))
can establish the subgroup key, which is independent of the
group key.
tion algorithm is deterministic, that is, the subgroup
key is uniquely determined by (y
1
,y
2
,... , y
m
).
Here, we considered the case that the subgroup
(U
1
,U
2
,...,U
m
) would like to establish the “new”
subgroup key
2
(e.g., for countermeasure of subgroup
key leakage). To establish the new group key, GKE+S
protocol for (U
1
,U
2
,... ,U
n
) needs to be executed
again, and then the new subgroup key is established
by executing the on-demand derivation algorithm for
(U
1
,U
2
,...,U
m
). That is, it spoils the significant
achievement of the GKE+S concept.
Our Contribution. In this paper, we improve the
Abdalla et al. GKE+S protocol to support key ran-
domization. In our GKE+S protocol, the subgroup
key derivation algorithm (say P .SKE) is probabilis-
tic, and therefore all subgroup member can estab-
lish the new subgroup key with just one-round addi-
tional complexity. Our subgroup key establishment
methodology is inspired by the “essential idea” of the
NAXOS technique (LaMacchia et al., 2007)
3
(not di-
2
We explicitly exculde the case that a GKE protocol is
directly executed for (U
1
,U
2
,... ,U
m
).
3
The NAXOS technique is for achieving the ephemeral
key leakage resilience. An ephemeral public key is com-
353
Emura K. and Sato T..
Flexible Group Key Exchange with On-demand Computation of Subgroup Keys Supporting Subgroup Key Randomization.
DOI: 10.5220/0003986003530357
In Proceedings of the International Conference on Security and Cryptography (SECRYPT-2012), pages 353-357
ISBN: 978-989-8565-24-2
Copyright
c
2012 SCITEPRESS (Science and Technology Publications, Lda.)
rect use).
The previous one-round GKE schemes
(e.g., (Boyd and Nieto, 2003; Gorantla et al.,
2009)) assume that each user U
i
has a long-lived
secret key LL
i
which is generated in the initial phase,
and the initial phase is not included in the round
complexity. So, according to the GKE fashion, our
GKE+S protocol (of subgroup key phase) also can be
regarded as a one-round GKE protocol. One-round
GKE has a benefit point from the viewpoint of
robustness
4
. If a GKE has two or more rounds,
robustness is important, since it is impractical the
case that the remaining nodes must run GKE of
the first round again. On the contrary, one-round
GKE does not have to consider robustness from the
protocol termination’s point of view.
Remark. Note that Cheng and Ma pointed out that
the Abdalla et al. GKE+S protocol is vulnerable
to malicious insiders attack (Cheng and Ma, 2010).
They also give a countermeasure of such attack by
adding the key confirmation phase. However, adding
a signature-based key confirmation round is a stan-
dard approach (which has been introduced in (Katz
and Shin, 2005)) for insider security. We make it clear
that our proposed scheme can be modified to be se-
cure against insider attack by adding the key confir-
mation phase.
We should notice that a recent paper (Wu et al.,
2011) allows to compute group encryption keys for
any subgroups without any extra round of communi-
cations. This functionally achieves the same goal of
this paper. We would like to thank a reviewer who
pointed out this fact.
2 SECURITY MODELS
First, we define the syntax of GKE+S protocol by
following (Abdalla et al., 2010). Let U be a set
of at most n users in the universe. We assume that
their identities are unique. Any subset of m users
(2 m n) invokes a single session of a GKE+S
protocol P . Each U
i
U holds a long-lived key LL
i
.
The participation of U
i
is expressed by an instance Π
s
i
for some s N (i stands for the identity of U
i
, and s
puted by using the hashed value of the static long-lived
secret key and the ephemeral secret key. Even if the
ephemeral secret key is revealed, the exponent of the
ephemeral public key is not revealed as long as the static
long-lived secret key is not revealed. We apply this essen-
tial idea of the NAXOS technique.
4
GKE is called robust (Hatano et al., 2011; Jarecki et al.,
2007) even if a node is down, the protocol can be success-
fully terminated by the remaining nodes.
stands for the number of participations of the GKE+S
protocol). An execution of a GKE+S protocol is split
in two stages, denoted as group stage and subgroup
stage. An instance Π
s
i
is invoked for one GKE+S ses-
sion with some partner id pid
s
i
U which includes the
identities of all (i.e., including U
i
also) intended par-
ticipants in a group stage. Similarly, subgroup partner
id spid
s
i
pid
s
i
is also defined. Moreover, Π
s
i
holds
a session id sid
s
i
which uniquely identifies the cur-
rent protocol session of a group stage. Similarly, sub-
group session id ssid
s
i
(which uniquely identifies the
current protocol session of a subgroup stage). More-
over, each subgroup contains different group mem-
bers. So, in this paper, when U
i
executes the P .SKE
algorithm in times, we assume that Π
s
i
holds pid
s
i
,
sid
s
i
, and {(ssid
s,ℓ
i
,spid
s,ℓ
i
)}. In addition, we assume
that (ssid
s,ℓ+1
i
,spid
s,ℓ+1
i
) are added into Π
s
i
when U
i
executes P .SKE again. We say that Π
s
i
and Π
t
j
is
partnered if sid
s
i
= sid
t
j
and pid
s
i
= pid
t
j
. We call Π
s
i
is accepted if Π
s
i
can compute the session group key
k
s
i
successfully.
Definition 1 (Syntax of GKE+S Protocols).
[P .GKE(U
1
,... ,U
n
)]: This protocol defines the
group stage. For each U
i
, a new instance Π
s
i
with
pid
s
i
= (U
1
,... ,U
n
) is created, and a probabilistic
interactive protocol between these instances is exe-
cuted. Then, every instance Π
s
i
computes the session
group key k
s
i
.
[P .SKE(Π
s
i
,spid
s,ℓ
i
)]: This protocol defines the sub-
group stage. For an accepted instance Π
s
i
and a sub-
group partner id spid
s,ℓ
i
pid
s
i
, a probabilistic (pos-
sibly interactive) algorithm is executed, and outputs
the session subgroup key k
s
i,J
, where J
is the set of
indices of users in spid
s,ℓ
i
.
The correctness is defined as follows. A GKE+S
protocol P is said to be correct if all instances
(invoked by the group stage of P .GKE) accept
with identical group keys. In addition, for all in-
stances Π
t
j
(partnered with Π
s
i
), P .SKE(Π
s
i
,spid
s,ℓ
i
) =
P .SKE(Π
t
j
,spid
t,u
j
) holds if spid
s,ℓ
i
= spid
t,u
j
.
Next, we define adversarial models and the au-
thenticated key exchange (AKE) security for both
group key and subgroup key. As mentioned by Ab-
dalla et al., the security of GKE+S protocol must en-
sure independence of the group key and any subgroup
key, i.e., both (1) even if any subgroup key is leaked
to the adversary, the secrecy of the group key must
hold, and (2) the leakage of group key must guaran-
tee the secrecy of any subgroup key. Let A be a PPT
adversary who can issue the following queries:
Execute(U
1
,... ,U
n
): A can obtain the execution
SECRYPT2012-InternationalConferenceonSecurityandCryptography
354
transcript of the group stage between the group
member (U
1
,... ,U
n
).
Send(Π
s
i
,M): Through this query, A can deliver a
message M to Π
s
i
. Then A can obtain the protocol
message generated by Π
s
i
in response to M. As in
the Abdalla et al. definition (Abdalla et al., 2010),
we consider a special invocationquery of the form
Send(U
i
,(
start
,U
1
,... ,U
n
)). It creates a new in-
stance Π
s
i
with pid
s
i
= (U
1
,... ,U
n
) and provides
A with the first protocol message.
SKE(Π
s
i
,spid
s
i
): Through this query,A can sched-
ule the on-demand subgroup key computation. If
P .SKE is an interactive algorithm, then A obtains
the first message for the subgroup stage. Other-
wise, Π
s
i
computes k
s
i,J
. This query is processed
only if Π
s
i
has accepted and spid
s
i
pid
s
i
. Note
that a query (Π
s
i
,spid
s
i
) can be asked in a (polyno-
mial) number of times.
RevealGK(Π
s
i
): A can obtain the group key k
s
i
only if Π
s
i
has accepted in the group stage.
RevealSK(Π
s
i
,spid
s,ℓ
i
): A can obtain the group
key k
s
i,J
. The query is answered only if
P .SKE(Π
s
i
,spid
s,ℓ
i
) has been invoked and the sub-
group key computed.
Corrupt(U
i
): A can obtain the U
i
s long-lived se-
cret key LL
i
. Note that A does not gain control
over the U
i
s behavior, but might be able to com-
municate on behalf of U
i
.
TestGK(Π
s
i
): For a random bit b
$
{0, 1}, if b =
0 A is given a random value chosen by the group
key space, and if b = 1 A is given the real group
key k
s
i
. Note that this query can be issued only
once, and is answered only if Π
s
i
has accepted in
the group stage.
TestSK(Π
s
i
,spid
s,ℓ
i
): For a random bit b
$
{0,1},
if b = 0 A is given a random value chosen by the
subgroup key space, and if b = 1 A is given the
real group key k
s
i,J
. The query is answered only if
P .SKE(Π
s
i
,spid
s,ℓ
i
) has been invoked and the sub-
group key computed.
A user U is called honest if no Corrupt(U) has been
issued by A . On the contrary, a user U is called cor-
rupted or malicious.
Next, we define two freshness notions by follow-
ing the definitions from (Abdalla et al., 2010).
Definition 2 (Instance Freshness). Let Π
s
i
be an in-
stance and Π
t
j
be a partnered instance of Π
s
i
. We say
that Π
s
i
is fresh if Π
s
i
has accepted in the group stage
and none of the following is true; (1) RevealGK(Π
s
i
)
or RevealGK(Π
t
j
) has been asked, or (2) Corrupt(U
i
)
for some U
i
pid
s
i
was asked before any Send(Π
s
i
,·).
Definition 3 (Instance-Subgroup Freshness). Let Π
s
i
be an instance and Π
t
j
be a partnered instance of Π
s
i
and spid
t,u
j
= spid
s,ℓ
i
. We say that (Π
s
i
,spid
s,ℓ
i
) are
fresh if Π
s
i
has accepted in the group stage and none
of the following is true; (1) RevealSK(Π
s
i
,spid
s,ℓ
i
)
or RevealSK(Π
t
j
,spid
t,u
j
) has been asked, or (2)
Corrupt(U
i
) or Corrupt(U
j
) was asked before any
Send(Π
s
i
,·) or Send(Π
t
j
,·).
Definition 4 (AKE Security of Group Key). Let b
$
{0, 1} be a uniformly chosen bit ipped in the TestGK
oracle. A correct GKE+S protocol P is said to be sat-
isfying AKE security of group key when for any PPT
adversary A the advantage
Adv
ake-g
A ,P
(κ) := 2| Pr[b
A
O
(κ);
b
= b The instance Π
s
i
is fresh] 1|
is negligible, where O = {Execute(·), Send(·, ·),
SKE(·,·),RevealGK(·), RevealSK(·, ·), Corrupt(·),
TestGK(·)}, and Π
s
i
is input of TestGK.
Definition 5 (AKE Security of Subgroup Key). Let
b
$
{0,1} be a uniformly chosen bit flipped in the
TestSK oracle. A correct GKE+S protocol P is said
to be satisfying AKE security of subgroup key when
for any PPT adversary A the advantage
Adv
ake-s
A ,P
(κ) := 2| Pr[b
A
O
(κ);
b
= b The instance-subgroup pair (Π
s
i
,spid
s,ℓ
i
)
is fresh] 1|
is negligible, where O = {Execute(·), Send(·, ·),
SKE(·,·),RevealGK(·), RevealSK(·, ·), Corrupt(·),
TestSK(·,·)}, and (Π
s
i
,spid
s,ℓ
i
) is input of TestSK.
3 PROPOSED GKE+S PROTOCOL
In this section, we propose our GKE+S proto-
col supporting subgroup key randomization. In
our proposal, we apply digital signature Σ :=
(KeyGen,Sign, Verify) for two purposes.
The Underlying Idea. Briefly, the flow of our
GKE+S protocol is described as follows.
[Group Stage]. First, we execute the Abdalla et al.
GKE+S protocol with (U
1
,... ,U
n
). Then, (y
1
,y
2
,... ,
y
n
) = (g
x
1
,g
x
2
,... , g
x
n
) are published and intermedi-
ate values (z
1,2
,z
2,3
,... , z
n,1
) are calculated. Note that
these intermediate values can be computed by a group
member only.
FlexibleGroupKeyExchangewithOn-demandComputationofSubgroupKeysSupportingSubgroupKeyRandomization
355
[Subgroup Stage]. Next, in the (-th) subgroup
key computation phase, a member of subgroup U
i
(U
1
,U
2
,... ,U
m
) computes a signature σ
i
Sign(sk
i
,
(U
i
,z
i
,ssid
i
,R
i
)), where R
i
is the random value cho-
sen by U
i
(and other values are explained in the
scheme).
Again, only a subgroup member can compute in-
termediate values (z
1,2
,z
2,3
,... , z
m,1
). We regard
these intermediate values (z
1,2
,z
2,3
,... , z
m,1
) as
the static
5
long-lived secret key in the NAXOS
technique context.
Moreover, we regard (R
1
,R
2
,... , R
m
) as the
ephemeral “secret” key in the NAXOS technique
context.
So, the subgroup key is computed by applying a hash
function to (z
1,2
,z
2,3
,... , z
m,1
) and (R
1
,R
2
,... , R
m
)
(and ssid
s,ℓ
i
also). Here, we pay attention to the fact
that the NAXOS technique leads to the ephemeral se-
cret key leakage resilience. That is,
Even if the ephemeral secret key (R
1
,R
2
,... , R
m
)
are revealed, the subgroup key is not revealed,
as long as the static long-lived secret key
(z
1,2
,z
2,3
,... , z
m,1
) are not revealed.
So, (R
1
,R
2
,... , R
m
) can be published, and this
is the reason why we achieve the PKE-free set-
ting (whereas, in the Boyd et al. one-round
GKE (Boyd and Nieto, 2003), a random nonce is
encrypted by using PKE).
On the contrary of the above discussion, even if the
subgroup key is revealed, (z
1,2
,z
2,3
,... , z
m,1
) are not
revealed since a hash function is modeled as the ran-
dom oracle. In addition, the validity of R
i
can be ver-
ified by using pk
i
.
Here, we describe our GKE+S protocol. It is
particularly worth noting that no additional compu-
tational cost is required, compared with the Abdalla
et al. one. We just additionally require that each user
U
i
chooses a random nonce R
i
.
Protocol 1 (Proposed GKE+S Protocol). We assume
that each U
i
U has the long-lived public and secret
key pair (pk
i
,sk
i
) KeyGen(1
κ
) (i.e., LL
i
= sk
i
). H :
G × {0, 1}
{0, 1}
κ
, H
g
: G {0, 1}
κ
, and H
s
:
G {0, 1}
κ
are cryptographic hash functions which
are modeled as random oracles.
5
That is, (z
1,2
,z
2,3
,... , z
m,1
) are uniquely determined by
the subgroup member ssid = (U
1
,U
2
,... ,U
m
) and their pub-
lic values (y
1
,y
2
,... , y
n
). In the Abdalla et al. GKE+S, the
subgroup key is the hashed value of (z
1,2
,z
2,3
,... , z
m,1
) and
ssid. This is the reason why the subgroup key derivation
algorithm of the Abdalla et al. GKE+S protocol is deter-
ministic.
P .GKE(U
1
,...,U
n
): This is the Group Stage. Let the
group be defined by pid = (U
1
,U
2
,... ,U
n
). We
assume that user indices from a cycle such that
U
i
= U
i mod n
and U
0
= U
n
. We omit s of sid
s
i
for
simplicity.
Round 1. U
i
chooses x
i
$
Z
p
, computes y
i
= g
x
i
,
and broadcasts (U
i
,y
i
).
Round 2. For U
i
, set sid
s
i
= (U
1
|y
1
,... ,U
n
|y
n
)
( | stands for the bit concatenation). U
i
computes k
i1,i
:= y
x
i
i1
, k
i,i+1
:= y
x
i
i+1
, z
i1,i
:=
H(k
i1,i
,sid
i
), z
i,i+1
:= H(k
i,i+1
,sid
i
), z
i
:=
z
i1,i
z
i,i+1
, and σ
i
Sign(sk
i
,(U
i
,z
i
,sid
i
)),
and broadcasts (U
i
,z
i
,σ
i
).
Group Key Computation. U
i
computes the
group key k
i
as follows.
Check whether z
1
··· z
n
= 0 and whether
all received signatures {σ
j
}
U
j
pid\{U
i
}
are
valid. If these checks fail, then abort.
Iteratively compute z
i+1,i+2
z
i,i+1
z
i+1
,
z
i+2,i+3
z
i+1,i+2
z
i+2
, ..., and
z
i+n1,i+n
z
i+n2,i+n1
z
i+n1
.
Output k
i
= H
g
(z
1,2
,z
2,3
,... , z
n,1
,sid
i
).
P .SKE(Π
i
,spid
i
): This is the Subgroup
Stage. Let the subgroup be defined by
spid = (U
1
,U
2
,... ,U
m
) pid. We assume that
user indices from a cycle such that U
i
= U
i mod m
and U
0
= U
m
. Note that (y
1
,... , y
m
) has been
published in the previous group stage. We omit s
of ssid
s
i
and of k
i,J
for simplicity.
Round 1. For U
i
, set ssid
i
= (U
1
|y
1
,... ,U
m
|y
m
).
U
i
chooses R
i
$
{0,1}
κ
, and com-
putes k
i1,i
:= y
x
i
i1
, k
i,i+1
:= y
x
i
i+1
,
z
i1,i
:= H(k
i1,i
,ssid
i
), z
i,i+1
:=
H(k
i,i+1
,ssid
i
), z
i
:= z
i1,i
z
i,i+1
, and
σ
i
Sign(sk
i
,(U
i
,z
i
,ssid
i
,R
i
)), and broad-
casts (U
i
,z
i
,σ
i
,R
i
).
Subgroup Key Computation. U
i
computes
the group key k
i,J
as follows.
Check whether z
1
· · · z
m
= 0 and whether
all received signatures {σ
j
}
U
j
spid\{U
i
}
are
valid. If these checks fail, then abort.
Iteratively compute z
i+1,i+2
z
i,i+1
z
i+1
,
z
i+2,i+3
z
i+1,i+2
z
i+2
, ..., and
z
i+m1,i+m
z
i+m2,i+m1
z
i+n1
.
Output k
i,J
=
H
s
(z
1,2
,z
2,3
,... , z
m,1
,R
1
,R
2
,... , R
m
,ssid
i
).
In the original Abdalla et al. GKE+S, each x
i
is
the random value for establishing both group key
and subgroup key. The most essential point of the
SECRYPT2012-InternationalConferenceonSecurityandCryptography
356
key exchange is that U
i
and U
i+1
can compute k
i,i+1
by using either x
i
or x
i+1
such that k
i,i+1
= y
x
i+1
i
or
k
i,i+1
= y
x
i
i+1
. So, even if y
i
= g
x
i
and y
i+1
= g
x
i+1
are re-randomized, e.g., y
i
:= g
x
i
and y
i+1
:= g
x
i+1
by
re-selected values x
i
,x
i+1
$
Z
p
, U
i
and U
i+1
cannot
compute either (y
i+1
)
x
i
or (y
i
)
x
i+1
, since both y
i
and
y
i+1
are not published. So, to realize randomizationof
keys, our methodology works. As a drawback of our
methodology, it totally depends on the random oracle
methodology.
The remaining concern is the validity of each R
i
,
namely, an adversary A may insert a non-legitimate R
into the transcript. We preventthis attack by including
R as the signed message. It is particularly worth not-
ing that A may be an insider (e.g., A U and A 6∈ pid
or A pid \ ssid). In both cases, A has a legitimate
long-lived key pair (pk,sk) generated by the KeyGen
algorithm. However, since the member of subgroup is
bound by spid = (U
1
,U
2
,...,U
m
), there is no way that
such A inserts non-legitimate R into the transcript if
Σ is EUF-CMA. Note that the random nonce R
i
de-
pends on ssid
i
via σ
i
Sign(sk
i
,(U
i
,z
i
,ssid
i
,R
i
)). In
addition, is incremented by each session. That is, R
i
is not used in the different session.
One may think that what the difference between
our protocol and the following simple protocol is:
the previous subgroup key (say k
i,J
) is used as the
massage authentication code (MAC) key, and broad-
cast MAC
k
i,J
(R
i
), and compute the new subgroup key
k
i,J
+1
= H({R
i
}
m
i=1
) by using certain hash function.
The main difference between ours and the simple pro-
tocol is explained as follows. In our protocol, even if
the subgroup key k
i,J
is revealed, (z
1,2
,z
2,3
,... , z
m,1
)
are not revealed since a hash function is modeled as
the random oracle. So, our protocol is secure against
the subgroup key leakage. On the contrary, in the
above simple protocol, once k
i,J
is revealed, its se-
curity is not guaranteed, i.e., anyone (who is not a
subgroup member) can compute k
i,J
+1
. Note that,
unfortunately, our protocol does not follow forward
secrecy (i.e., the long-term secret key leakage), since
(z
1,2
,z
2,3
,... , z
m,1
) is re-used. There is space for im-
provement of this point.
Here we only state the theorems describing the se-
curity of our GKE+S protocols due to the page limi-
tation. Let q
E
x
, q
S
e
, and q
SKE
be the number of invo-
cation of the Execute oracle, the Send oracle, and the
SKE oracle, respectively, and q
H
, q
H
g
, and q
H
s
be the
number of access of H, H
g
, and H
s
, respectively.
Theorem 1. Our GKE+S protocol satisfies AKE se-
curity of group key under the GDH assumption in the
random oracle model as follows.
Adv
ake-g
A ,P
(κ)
2n(q
E
x
+ q
S
e
)
2
p
+
(q
H
g
+ q
H
s
)
2
2
κ1
+ 2nAdv
EUF-CMA
Σ,A
(κ) + 2q
Se
(nq
H
Adv
GDH
G
(κ) +
q
H
g
2
2κ
)
Theorem 2. Our GKE+S protocol satisfies AKE se-
curity of subgroup key under the GDH assumption in
the random oracle model as follows.
Adv
ake-s
A ,P
(κ)
2n(q
E
x
+ q
S
e
)
2
p
+
(q
H
g
+ q
H
s
)
2
2
κ1
+ 2nAdv
EUF-CMA
Σ,A
(κ)
+ 2q
Se
(n+ (n 1)q
SKE
)q
H
Adv
GDH
G
(κ)
+
q
SKE
q
H
s
2
2κ
REFERENCES
Abdalla, M., Chevalier, C., Manulis, M., and Pointcheval,
D. (2010). Flexible group key exchange with
on-demand computation of subgroup keys. In
AFRICACRYPT, pages 351–368.
Boyd, C. and Nieto, J. M. G. (2003). Round-optimal con-
tributory conference key agreement. In Public Key
Cryptography, pages 161–174.
Burmester, M. and Desmedt, Y. (1994). A secure and ef-
ficient conference key distribution system (extended
abstract). In EUROCRYPT, pages 275–286.
Cheng, Q. and Ma, C. (2010). Security weakness of flexible
group key exchange with on-demand computation of
subgroup keys. CoRR, abs/1008.1221.
Gorantla, M. C., Boyd, C., Nieto, J. M. G., and Manulis, M.
(2009). Generic one round group key exchange in the
standard model. In ICISC, pages 1–15.
Hatano, T., Miyaji, A., and Sato, T. (2011). T-robust scal-
able group key exchange protocol with O(logn) com-
plexity. In ACISP, pages 189–207.
Jarecki, S., Kim, J., and Tsudik, G. (2007). Robust group
key agreement using short broadcasts. In ACM Con-
ference on Computer and Communications Security,
pages 411–420.
Katz, J. and Shin, J. S. (2005). Modeling insider attacks on
group key-exchange protocols. In ACM Conference on
Computer and Communications Security, pages 180–
189. ACM.
LaMacchia, B. A., Lauter, K., and Mityagin, A. (2007).
Stronger security of authenticated key exchange. In
ProvSec, pages 1–16.
Wu, Q., Qin, B., Zhang, L., Domingo-Ferrer, J., and Farr`as,
O. (2011). Bridging broadcast encryption and group
key agreement. In ASIACRYPT, pages 143–160.
FlexibleGroupKeyExchangewithOn-demandComputationofSubgroupKeysSupportingSubgroupKeyRandomization
357