Foundations of Group Key Management - Framework, Security Model and A Generic Construction

This document discusses group key management for secure group communication. It defines group key establishment techniques like group key transport, where a central authority distributes keys, and group key exchange, where members agree on a key. It also discusses static and dynamic group key management. Dynamic group key management, where members join and leave, is better known as group key management (GKM). The document proposes a framework for centralized GKM with a formal security model and definitions for security properties like perfect forward secrecy and collusion resistance. It also discusses using a multi-receiver ID-based key encapsulation mechanism to generically construct a centralized GKM scheme.

Foundations of Group Key Management — Framework, Security Model and a Generic Construction

Naga Naresh Karuturi∗,§, Ragavendran Gopalakrishnan∗, Rahul Srinivasan† and Pandu Rangan Chandrasekaran∗

∗ Theoretical Computer Science Laboratory, Department of Computer Science and Engineering, Indian Institute of Technology Madras, Chennai, India
nnaresh@cse.iitm.ernet.in, ragav@cse.iitm.ernet.in, prangan@iitm.ac.in
† Department of Computer Science and Engineering, Indian Institute of Technology Bombay, Mumbai, India
rahul.srinivasan@iitb.ac.in

Abstract—Group Key Establishment is fundamental for a variety of security mechanisms in group applications. It allows n ≥ 2 principals to agree upon a common secret key. This can further be classified into Group Key Exchange (or Group Key Agreement), where all the principals participate in the construction of the key, and Group Key Transport (or Group Key Distribution), where the key is chosen by a single principal and is then securely communicated to the others. Both these techniques can be analyzed in the context of either static or dynamic groups. Dynamic Group Key Establishment is better known as Group Key Management (GKM), as it involves not only the initial key establishment, but also efficient key management when group members join or leave the group. Dynamic Group Key Exchange is also known as decentralized or distributed GKM, while Dynamic Group Key Transport is known as centralized GKM. While there has been a lot of recent work in formal security models for Dynamic Group Key Exchange, little, if any, attention has been directed towards building a concrete framework and formal security model for centralized GKM. Many such schemes that have been proposed so far have been broken, as they cite ambiguous arguments and lack formal proofs. In this paper, we take a first step towards addressing this problem by providing firm foundations for centralized Group Key Management. We provide a generalized framework for centralized GKM along with a formal security model and strong definitions for the security properties that dynamic groups demand. We also show a generic construction of a centralized GKM scheme from any given multi-receiver ID-based Key Encapsulation Mechanism (mID-KEM). By doing so, we unify two concepts that are significantly different in terms of what they achieve. Our construction is simple and efficient. We prove that the resulting GKM inherits the security of the underlying mID-KEM up to CCA security. We also illustrate our general conversion using the mID-KEM proposed in 2007 by Delerablée.

Index Terms—Provable Security, General Framework, Security Model, Group Communication, Multicast Security, Group Key Management, ID-based Cryptography, Generic Conversion

§ Work supported by Project No. CSE/05-06/075/MICO/CPAN on Foundation Research in Cryptography sponsored by Microsoft Research India

I. INTRODUCTION

The growth and commercialization of the Internet offers a large variety of scenarios where group communication using multicast will greatly save bandwidth and sender resources. Immediate examples include news feeds and stock quotes, video transmissions, teleconferencing, software updates, movie on demand and more. (See [1] for a more complete survey on multicast applications.) Secure multicast sessions can be implemented by applying encryption schemes. The messages are protected by encryption using a chosen key, which, in the context of group communication, is known as Session Key or Data Encryption Key (DEK). Only those who know the DEK can recover the original message. Therefore, the problem of securely sending data to authorized group members reduces to securely establishing the DEKs among the authorized group members. Furthermore, changes in membership may require that the group key be refreshed. Such a key refreshing procedure prevents a joining (leaving) group member from decoding messages exchanged in the past (future), even if he has recorded earlier messages, in their encrypted form (encrypted with the old (new) keys).

However, establishing and managing the group key among valid members is a complex problem. Although refreshing the DEK before the join of a new member is trivial (in a centralized setting, for example, the central authority can simply send a new group key to the group members encrypted with the old group key), performing it after a member leaves is far more complicated. The old key cannot be used to establish a new one, because the leaving group member knows the old key. Therefore, some other scalable mechanism to refresh the data encryption key must be provided.
Group Key Establishment — Group Key Establishment allows n ≥ 2 principals to agree upon a common secret key. This general definition can further be shaped in two different classes — Group Key Exchange (Agreement) and Group Key Transport (Distribution).

• Group Key Transport (Distribution). A Group Key Transport (Distribution) protocol is a Group Key Establishment technique where a single entity (often known as the central authority) creates or otherwise obtains a secret value, and securely transfers it to the other members. This definition leaves open whether the central authority may be a group member. It is also imaginable to have some trusted third party (TTP) as the central authority.
• Group Key Exchange (Agreement). A Group Key Exchange (Agreement) protocol is a Group Key Establishment technique where a shared secret is derived by two or more group members as a function of the information contributed by each of them, such that no group member can predetermine the resulting value. Here, the main difference from Group Key Transport techniques is that no group member is allowed to choose the group key on behalf of the whole group.

Both group key establishment techniques can be analyzed in the context of either static or dynamic groups. Of course, it is always possible to establish the group key for the modified group by restarting the protocol. However, this may be inefficient if groups are large or the protocol is expensive (in terms of communication or computational costs). Therefore, many Group Key Establishment protocols that are designed for dynamic groups provide more efficient operations for addition and exclusion of group members. Dynamic Group Key Establishment is better known as Group Key Management (GKM).

Group Key Management — As defined by Menezes et al. in [2], Group Key Management is the set of techniques and procedures supporting the establishment and maintenance of keying relationships between authorized parties that form a group. It plays an important role in enforcing access control on the group key (DEK) (and consequently on the group communication). According to [3], group key management can be classified into the following three categories.

• Centralized Group Key Management — In these schemes, there is a Key Distribution Center (KDC), also known as Central Authority (CA), who maintains the entire group, performing operations which involve allocating keys to members, communicating the Data Encryption Key (DEK) to the members, etc. This category falls into the class of Dynamic Group Key Transport (Distribution) protocols.
• Decentralized Group Key Management — In decentralized Group Key Management schemes, members of a multicast group are split into several smaller subgroups which are managed by different subgroup controllers. This reduces the load on the KDC. Properties associated with decentralized GKM schemes are key independence, keys vs. data, type of communication, etc. This category falls into the class of Dynamic Group Key Exchange (Agreement) protocols.
• Distributed Group Key Management — The distributed Group Key Management approach is characterized by having no group controller. The group key can be generated either in a contributory fashion, or by one member. Parameters like the number of rounds, number of messages and computation during setup are used to evaluate the efficiency of such protocols. This category can fall under the class of Dynamic Group Key Exchange or Dynamic Group Key Transport, depending on how the group key is generated.

Security Properties — Any secure GKM scheme must satisfy the following desired security properties. We will define them formally in Section IV-C.
1) Perfect Forward Secrecy. It ensures that when a Rekey is performed, a group member cannot decipher past messages encrypted with any of the older DEKs.
2) Group Forward Secrecy. It prevents a leaving or expelled group member from continued access to group communication.
3) Group Backward Secrecy. It prevents a new group member from decoding messages exchanged before he joined the group.
4) Collusion Resistance. It ensures that even if all the past group members who currently do not belong to the group collude, they will not be able to decipher group messages that are encrypted with the current DEK.

Multi-receiver ID-based Key Encapsulation Mechanism (mID-KEM) — A multi-receiver Key Encapsulation Mechanism (mKEM) enables a cryptographic key (which may be used subsequently for other purposes) to be securely sent across to a set of receivers. Smart [4] introduced the notion of mKEM in 2004. It was extended later, in [5], [6], to multi-receiver ID-based Key Encapsulation Mechanism (mID-KEM), i.e., mKEM in the ID-based setting. Later, [7] proposed an mID-KEM that has an efficient trade-off between the ciphertext size and the private key size. Recently, Abdalla et al. [8] proposed an mID-KEM construction where ciphertexts are of constant size, but private keys grow quadratically in the number of receivers. Furukawa [9] and Delerablée [10] independently proposed an mID-KEM scheme which achieves constant size ciphertext at the cost of the public key size growing linearly in the number of receivers.

A. Related Work on Centralized Group Key Management

One of the major contributions of this paper is a generic framework and concrete security model for centralized GKM. Here, we discuss the related work done in the area of centralized GKM, and highlight the major drawbacks of various existing schemes, so as to better emphasize the need for such a formal security model.
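As an added illustration (not code from the paper or from the LKH authors), the following Python simulates the Leave rekeying of the Logical Key Hierarchy (LKH) scheme that is surveyed in the tree-based list below: the KDC refreshes every KEK on the departing member's root path and wraps each new KEK under the KEKs of the sibling subtrees, so the remaining members recover the new root KEK while the departed member cannot. The heap-layout tree, the toy HMAC-keystream key wrap and the member names are constructed for this example; a deployment would use an authenticated key-wrap algorithm.

```python
import hashlib, hmac, secrets


def wrap(kek: bytes, key: bytes) -> bytes:
    """Toy key wrap (constructed for this example): XOR with an HMAC-SHA256
    keystream derived from the KEK. XOR is self-inverse, so unwrap == wrap."""
    stream = hmac.new(kek, b"lkh-wrap", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(key, stream))


class LKH:
    """KDC-side key tree in heap layout: root is node 1, children of n are 2n
    and 2n+1, and member slots are the leaves capacity .. 2*capacity-1."""

    def __init__(self, capacity: int):
        self.capacity = capacity
        self.kek = {n: secrets.token_bytes(16) for n in range(1, 2 * capacity)}
        self.leaf_of = {}                   # member -> leaf node id

    @staticmethod
    def path(node: int) -> list:
        """Node ids from `node` up to the root (inclusive), leaf first."""
        out = []
        while node >= 1:
            out.append(node)
            node //= 2
        return out

    def join(self, member, slot: int) -> dict:
        """Hand the joining member the KEKs on its root path (secure channel)."""
        leaf = self.capacity + slot
        self.leaf_of[member] = leaf
        return {n: self.kek[n] for n in self.path(leaf)}

    def leave(self, member) -> list:
        """Refresh every KEK on the departing member's root path, bottom-up.
        Each new KEK is wrapped under the KEK of every child that is not the
        departing leaf (an on-path child already holds its refreshed KEK).
        Returns the rekey messages as (node, child_used_to_wrap, ciphertext)."""
        leaf = self.leaf_of.pop(member)
        occupied = set(self.leaf_of.values())
        msgs = []
        for node in self.path(leaf)[1:]:    # skip the leaf itself
            new = secrets.token_bytes(16)
            for child in (2 * node, 2 * node + 1):
                empty_slot = child >= self.capacity and child not in occupied
                if child == leaf or empty_slot:
                    continue                # never wrap under the departed or an unused key
                msgs.append((node, child, wrap(self.kek[child], new)))
            self.kek[node] = new
        self.kek[leaf] = secrets.token_bytes(16)   # retire the departed leaf KEK
        return msgs


def apply_rekey(keys: dict, msgs: list) -> dict:
    """Member side: unwrap every message whose wrapping KEK the member holds."""
    keys = dict(keys)
    for node, child, ct in msgs:
        if child in keys:
            keys[node] = wrap(keys[child], ct)
    return keys


def demo():
    tree = LKH(4)
    keys = {m: tree.join(m, s) for s, m in enumerate("abcd")}
    msgs = tree.leave("d")
    remaining = {m: apply_rekey(keys[m], msgs) for m in "abc"}
    return {
        "messages": len(msgs),              # 2*log2(4) - 1 = 3 for a full binary tree
        "remaining_have_new_root": all(remaining[m][1] == tree.kek[1] for m in "abc"),
        "departed_has_new_root": apply_rekey(keys["d"], msgs).get(1) == tree.kek[1],
    }


if __name__ == "__main__":
    print(demo())
```

The departed member still holds the old KEKs of its path, but every rekey message is wrapped under either a sibling-subtree KEK it never had or an on-path KEK that was just refreshed, so it cannot unwrap anything; the remaining members each need only the messages addressed to KEKs they hold, which is what keeps LKH rekeying logarithmic in the group size.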
The key generation concept used by Group Key Management Protocol (GKMP) [11] is a cooperative generation between two protocol entities. There are several key generation algorithms viable for use in GKMP (i.e., RSA, Diffie-Hellman, elliptic curves). All these algorithms use asymmetric key technology to pass information between two entities to create a single cryptographic key. Apart from protocols like GKMP, the centralized group key management schemes can be hierarchical tree based and flat-table based. We briefly mention a few tree based group key management protocols below (a detailed description of all these protocols can be found in [3]).

• Logical Key Hierarchy (LKH) [12] — The KDC is the root of the tree and it maintains a tree of keys. The leaves of the tree are the group members, and each node is associated with a Key Encryption Key (KEK). Each group member (leaf) maintains a copy of the KEKs associated with all the nodes that are part of the unique path from itself to the root. If a member joins or leaves, the KDC updates the KEKs of all the nodes that are part of the corresponding root-to-leaf path, preserving group secrecy.
• One-Way Function Tree (OFT) [13] — A node's KEK is generated rather than just attributed. The KEKs held by a node's children are blinded using a one-way function and then mixed together using a mixing function, resulting in the KEK held by the node.
• One-Way Function Chain Tree [14] — A pseudo random generator is used to generate the new KEKs rather than a one-way function, and it is done only during user removal.
• Hierarchical a-ary Tree with Clustering [15] — The group with n members is divided into clusters of size m and each cluster is assigned to a unique leaf node, resulting in n/m clusters. All members in a cluster share the same cluster KEK. Every member of a cluster is also assigned a unique key which is shared only with the KDC.

The group rekeying method proposed in [16] uses the Chinese Remainder Theorem to construct a secure lock that is used to lock the group decryption key. Because the lock is common among all valid members, the transmission efficiency of the decryption key is O(1) if the message size is disregarded. However, this method suffers from scalability problems. Cliques [17] provides a way to distribute group session keys in dynamic groups. However, it doesn't scale well to a large group. Molva et al. [18] proposed a scalable alternative. Nevertheless, the scheme would modify the structure of intermediate components of the multicast communication such as routers or proxies, and it suffers from collusion attacks. The flat-table based schemes proposed by Waldvogel et al. [19] use a table to reduce the number of keys stored at the KDC. When a member leaves, the KDC changes all the keys associated with that member. Chang et al. [20] use boolean function minimization to minimize the number of messages needed for Rekey, but this method is not collusion resistant. Some attribute based encryption schemes, like FT (CP-ABE) by Cheung et al. [21], are collusion resistant as well.

Drawbacks — In most of the schemes that are cited above, there is no formal security proof presented in a suitable security model. Therefore, most of them base their security claims on informal arguments. Even though [17] presents a somewhat formal proof, it is not clear as to how each security property is satisfied. Waldvogel et al. [19] argue that their scheme is secure only against certain types of attacks such as denial-of-service, man-in-the-middle, etc. And almost all the tree based schemes lack perfect forward secrecy. Some of the flat-table based schemes are not collusion resistant.

B. Our Contribution

Though a lot of work has been done in the development of formal frameworks and security models for Dynamic Group Key Exchange [22], no concrete framework and security model for centralized Group Key Management exists in the literature. To the best of our knowledge, we are the first to propose a generic framework for centralized GKM, and more importantly, to present a formal security model that defines each of the security properties (forward secrecy, backward secrecy, perfect forward secrecy and collusion resistance). This is done in Section III. None of the existing centralized GKM schemes have been formally proven secure due to the lack of such a formal security model. Numerous attacks [23] have been mounted on various GKM schemes proposed so far. In Section IV, we construct adversarial games for each of the security properties mentioned above, to provide a framework in which one can formally prove a centralized GKM scheme secure. Next, we construct a generalized conversion from any multi-receiver ID-based Key Encapsulation Mechanism to a full-fledged centralized Group Key Management scheme in Section VI, which is so simple (yet powerful) that there is no significant overhead while going from mID-KEM to GKM. Thus we show that any efficient mID-KEM is enough to obtain an efficient GKM. Further, in Section VII, we proceed to use formal reduction techniques to establish the security of the GKM scheme, using our own security model. We prove forward secrecy, backward secrecy and collusion resistance of our GKM scheme by reduction to the underlying mID-KEM. For perfect forward secrecy, we build our proof on one-way functions. Finally, in Section VIII, we illustrate our generalization by extending the efficient mID-KEM proposed in [10] to centralized GKM. This is the first GKM scheme to achieve constant-size rekeying message length.

II. PRELIMINARIES

In this section, we review important concepts like one-way functions, bilinear maps and negligible functions that are used in the forthcoming sections.

A. One-Way Functions

A function F : {0, 1}* → {0, 1}* is called one-way if the following conditions hold.
• Easy to Compute. There exists a (deterministic) polynomial time algorithm A such that on input x, algorithm A outputs F(x).
• Hard to Invert. Let U_n denote a random variable uniformly distributed over {0, 1}^n. For every probabilistic polynomial time algorithm A′, every polynomial p(·), and all sufficiently large n,

$$\Pr\left[A'(F(U_n), 1^n) \in F^{-1}(F(U_n))\right] \le \frac{1}{p(n)}$$

We denote the advantage of an adversary B in inverting a one-way function F as

$$\mathrm{Adv}^{\mathrm{inv}}_{F} = \Pr\left[F(B(F(x))) = F(x) \;\middle|\; x \leftarrow \{0,1\}^n\right]$$

B. Bilinear Maps

We present the necessary facts about bilinear maps and bilinear map groups. Let G be an additive cyclic group and G_1 be a multiplicative cyclic group, both of prime order p. A bilinear map or a bilinear pairing is a map ê : G × G → G_1 with the following properties.
• Bilinearity. For all P, Q, R ∈ G,
  – $\hat{e}(P + Q, R) = \hat{e}(P, R) \cdot \hat{e}(Q, R)$
  – $\hat{e}(P, Q + R) = \hat{e}(P, Q) \cdot \hat{e}(P, R)$
  – $\hat{e}(aP, bQ) = \hat{e}(P, Q)^{ab}$
• Non-Degeneracy. There exist P, Q ∈ G such that $\hat{e}(P, Q) \ne I_{G_1}$, where $I_{G_1}$ is the identity in G_1.
• Computability. There exists an efficient algorithm to compute ê(P, Q) for all P, Q ∈ G.

Modified Weil pairing [24] and Tate pairing [25] are examples of cryptographic bilinear maps where G is an elliptic curve group and G_1 is a subgroup of a finite field.

C. Negligible Functions

We call a function µ : ℕ → ℝ negligible if, for every possible polynomial p(·), there exists an N such that for all n > N, we have $\mu(n) < \frac{1}{p(n)}$. Negligible functions remain negligible when multiplied by any fixed polynomial.

III. A FORMAL FRAMEWORK FOR GROUP KEY MANAGEMENT

In centralized Group Key Management (centralized GKM) schemes, there is an entity known as the Central Authority (CA), who maintains a dynamically changing group of members (users) by performing operations that include, but are not restricted to, allocating unique secret keys to members, establishing the common Data Encryption Key (DEK) among members, and ensuring and maintaining group secrecy at all times, especially when a member joins or leaves the group. Every group member is uniquely identified with an identifier. In the case of ID-based systems for example, this identifier may be the member's identity itself.

At an abstract level, GKM consists of initially establishing a group key and "managing" it throughout the lifetime of the group. By management, we mean activities that the CA carries out in order to preserve the desired security properties of the group. In centralized schemes, key establishment simplifies to secure key transport, that is, the CA broadcasts a ciphertext which the group members decipher to obtain the key. A standalone cryptographic primitive that achieves this is multi-receiver Key Encapsulation Mechanism (mKEM).

It becomes natural, therefore, to think of centralized GKM schemes as being constructed out of mKEMs. Many GKM schemes do not explicitly view it this way. For example, in LKH [12], the KDC first distributes the KEKs which are then used to encrypt the DEK. The underlying mKEM here is a simple symmetric key encryption scheme. The FT (CP-ABE) scheme [21] explicitly uses a public key technique called ciphertext policy - attribute based encryption to establish the DEK. Normal multi-receiver encryption schemes also fall into the category of mKEMs; the difference lies in the fact that, in encryption schemes, the key that is encrypted is known beforehand and is a necessary input to the encryption algorithm. Whereas, in traditional KEMs, it is impossible to know the key that is encapsulated beforehand; the encapsulation algorithm outputs both the ciphertext and the key that would emerge during its decapsulation.

We now describe the algorithms that form the building blocks of a generic GKM scheme. The description is largely functional in nature; the implementation details are specific to the underlying mKEM and the GKM scheme using it.

1) Setup(k, N, S_init, E)
  - Input. k is a security parameter, N is the maximum number of group members (the capacity)¹, S_init is the set of identifiers of initial group members and E is an underlying multi-receiver key encapsulation mechanism, which is described by the following algorithms. Note that our description is that of a most general mKEM, including normal multi-receiver encryption schemes. Depending upon the specific mKEM that is used, some inputs to the algorithms may not actually be necessary.
    a) Setup_E(k, N) — This algorithm takes as input a security parameter k and the maximum number of receivers N and outputs the public system parameters (or public key) as PK, the secret keys SK_i of users with identifiers i, and, if used, a master secret key MSK.
    b) Encapsulate_E(DEK, PK, MSK, S) — This algorithm takes as input the key DEK to be encrypted², the public key PK, the master secret key MSK (if used) and the set S of receivers who alone can decrypt and recover DEK (known as authorized, privileged or intended receivers). It returns a ciphertext, more specifically known in our context as a header Hdr, and in the case of a non-trivial mKEM (mKEMs that are not simply encryption schemes), also returns the DEK corresponding to the header.

¹ This is an optional input as there may be GKM schemes which can accommodate any number of group members and do not require an upper bound to be specified before Setup.
² This input will not be required (indeed, it would be impossible to know the key being encrypted beforehand) when the mKEM used is not a normal multi-receiver encryption scheme (where the key would simply be encrypted (just like a message) and sent to the user(s)).
    c) Decapsulate_E(Hdr, PK, SK_i, S) — This algorithm takes as input the ciphertext or header Hdr, the public key PK, the secret key SK_i of one of the authorized decrypting receivers, and the set S of authorized receivers³. It returns the key DEK corresponding to the header Hdr.
  - The CA runs Setup_E(k, N, S_init) to obtain PK^E, SK_i^E for all users with identifiers i, and MSK^E. Using these, the CA generates the public key PK, the secret keys SK_i (SK_i^E must explicitly be part of SK_i as the users would need it for decapsulation) and the master secret key MSK of the GKM scheme.
  - Every member with identifier i in the set S_init of current group members is given, through secure channels, his secret key SK_i and the initial DEK, which may be chosen randomly from the key space K.

2) Rekey(S, PK, MSK, E)
  - Input. S is the set of identifiers of the current group members, PK is the public key, MSK is the master secret key, and E is the underlying mKEM.
  - Every group member first updates his secret key and securely erases the old one. The exact mechanism, for example, whether this updating process involves an input from the CA or is independent of it, would depend on the specific GKM scheme. Failure to securely erase the old key would enable someone who gains control of the group member's hardware to retrieve the old key using hardware forensics. If a group member does not securely erase the previous key, it is considered a violation of the protocol, meaning that he has already been compromised. Also, the CA can choose to update the public key as well, if required.
  - The CA has the pair (Hdr^E, DEK^E), after running Encapsulate_E(DEK^E, PK^E, MSK^E, S). He computes (Hdr, DEK) for the group and broadcasts Hdr.
  - The group members with identifiers i retrieve Hdr^E from Hdr and decrypt it by executing Decapsulate_E(Hdr^E, PK^E, SK_i^E, S) to obtain DEK^E, from which DEK is recovered. Again, the exact mechanism is specific to the GKM scheme.

3) Join(i, S, PK, MSK, E)
  - Input. i is the identifier of the member who wishes to join the group, S is the set of identifiers of current group members, PK is the public key, MSK is the master secret key, and E is the underlying mKEM.
  - A member with identifier i ∉ S who wishes to join the group establishes a secure connection with the CA, who may perform some checks before authorizing the user to join the group.
  - The CA updates the set S ← S ∪ {i}, and gives SK_i to the joining member through a secure channel.
  - The CA then runs Rekey(S, PK, MSK, E).

4) Leave(L, S, PK, MSK, E)
  - Input. L is the set of identifiers of the members who wish to leave the group or are being banned (revoked), S is the set of identifiers of current group members, PK is the public key, MSK is the master secret key, and E is the underlying mKEM.
  - The CA updates the set S ← S − L.
  - The CA then runs Rekey(S, PK, MSK, E).
  Note. Many GKM schemes exist that specify different techniques for Leave depending on whether L is a singleton or not.

Note. The CA may choose to perform the Rekey operation periodically even if no member joins or leaves the group, in order to maintain the "freshness" of the group and the data encryption key. This measure is necessary to ensure perfect forward secrecy.

IV. SECURITY MODEL FOR GROUP KEY MANAGEMENT

In this section, we present formally the security model for GKM. We proceed as follows. First, we describe the notations that are used throughout the rest of this paper. Then, we describe the oracles that are used in the adversarial games, following which we formally describe these games for each of the four security properties that were informally discussed above.

A. Notations

We stress that it is vital that the notations that are presented here are understood beyond doubt, as we have used them liberally in the rest of this paper. We use S_t to denote the set of identifiers of group members at time instant t. We have introduced time as a variable in order to model the dynamics of GKM. Table IV.1 summarizes the notations dealing with time.

B. Oracles

The adversarial games involve a challenger to present the adversary with an interface consisting of the oracles that model the algorithms of the real scheme. Below, we describe, again only in functional terms, the oracles to be implemented by a challenger of a generic GKM scheme.

1) O_Join(i) — This oracle simulates the Join algorithm of the GKM, to include the member i in the current group.
  • Input. i should be the identifier of a member who is not currently part of the group.
  • The oracle aborts if $i \in S_{t^-_{now}}$.
  • The set of identifiers of current group members is updated as $S_{t_{now}} \leftarrow S_{t^-_{now}} \cup \{i\}$.
  • The Rekey algorithm is run and the new ciphertext is recorded.

³ While most existing mKEMs require the specification of this set, there may be some which do not require that S be specified.
⁴ There is no ambiguity because, as we shall see, in every adversarial game, the adversary makes at most one corrupt query.
⁵ In other words, the group parameters used in generating the challenge ciphertext will be those at time t_Challenge.
t An arbitrary instant of time
tnow The current time instant (the present time)
tCorrupt The time at which the corrupt query was issued4
tChallenge The time for which the challenge ciphertext is to be generated5
tJoin (i) The time at which the user with identifier i most recently joined the group
tLeave (i) The time at which the user with identifier i most recently left the group
t−
now The time instant just before tnow

TABLE IV.1
T IME -R ELATED N OTATIONS

2) OLeave (i) 6 — This oracle simulates the Leave algo- bs (backward secrecy) or pfs (perfect forward
rithm of the GKM, to expel the member i from the secrecy), indicating the type of security that is being
current group. attacked using this compromised member.
• Input. i should be the identifier of a member who • The oracle aborts if type = pfs and i ∈ / Stnow
is currently part of the group. because, for perfect forward secrecy, the member
• The oracle aborts if i ∈ / St− . who is to be corrupted must be part of the group
now
• The set of identifiers of current group members is updated as S_{t_now} ← S_{t_now^-} − {i}.
• The Rekey algorithm is run and the new ciphertext is recorded.
3) O_Ciphertext(t) — This oracle is used to retrieve the broadcasted ciphertext of Rekey operations.
• Input. t should be the present time or a time in the past.
• The oracle aborts if t > t_now.
• The ciphertext (header) corresponding to time t is returned. By "corresponding to", we mean the following.
  – If a Rekey operation was done at time t, then the ciphertext broadcasted during that Rekey operation is returned.
  – Otherwise, the ciphertext broadcasted during the most recent Rekey operation done before time t is returned.
4) O_Decrypt(Hdr, t) — This oracle is used to retrieve the DEK from its encrypted form.
• Input. Hdr should be a ciphertext and t should be the present time or a time in the past.
• The oracle aborts if t > t_now.
• The set S_t of group members at time t is recalled and the secret key SK_i corresponding to a user with identifier i ∈ S_t at time t is obtained.
• Hdr^E and SK_i^E are derived from Hdr and SK_i respectively.
• Decapsulate^E(Hdr^E, PK^E, SK_i^E, S_t^E) is run, and the resultant DEK is returned.
5) O_Corrupt(i, type) — This oracle simulates the compromise of a member.
• Input. i should be the identifier of a member, and type should be one of fs (forward secrecy), […] when he is compromised.
• Depending on whether type is fs, bs or pfs, the secret key corresponding to the user with identifier i at time t_Leave(i), t_Join(i) or t_now respectively is returned.
6 For a set L of leaving members, this oracle can be called repeatedly on each member in L.

Note. The challenger who runs these oracles must have some mechanism of recording the set of group members, secret keys and ciphertexts as time progresses. The most natural way of doing this is to maintain lists (indexed by time) for each of these variables and keep appending the new values to the respective lists whenever changes occur.

C. Formal Definitions of Security
Normal multi-receiver cryptographic schemes which do not involve operations carried out over a time-line, but are just a collection of algorithms that are executed once, have two clearly defined extremes when describing the intensity of attacks — static attacks, while proving the security against which, the adversary is required to submit the identifiers of the entities whom he would attack during the challenge phase of the game, and adaptive attacks, in which case, the adversary is under no such restriction. In Group Key Management, we consider static and adaptive security not only along the dimension of receiver identifiers, but also along the time dimension. While describing adversarial games for time-static security, the adversary would be required to submit beforehand the time at which he would like the challenge to be generated, which would eventually be given to him during the challenge phase. The adversary is not required to do so for time-adaptive security. From now, when we simply say "static" ("adaptive"), we mean static (adaptive) in both dimensions. In contexts where a mixed security is discussed, we will be explicit with respect to the two dimensions.

Before describing the adversarial games involved, we formally define the four security notions that were informally discussed in Section I. For simplicity, we define only the CCA2 security against adaptive attacks here. We discuss briefly about other notions in a separate paragraph at the end of this section.
Definition 1: A (k, N)-GKM scheme is forward secure against adaptive chosen ciphertext attacks (secure in the sense of fs-CCA2) if for all polynomials N(·), the advantage Adv^{fs-CCA2}_{GKM} of any probabilistic polynomial time adversary A^{fs-GKM} in the game G^{fs-GKM}_{CCA2} against a challenger C^{fs-GKM} is negligible in k, the security parameter.

Definition 2: A (k, N)-GKM scheme is backward secure against adaptive chosen ciphertext attacks (secure in the sense of bs-CCA2) if for all polynomials N(·), the advantage Adv^{bs-CCA2}_{GKM} of any probabilistic polynomial time adversary A^{bs-GKM} in the game G^{bs-GKM}_{CCA2} against a challenger C^{bs-GKM} is negligible in k, the security parameter.

Definition 3: A (k, N)-GKM scheme is perfect forward secure against adaptive chosen ciphertext attacks (secure in the sense of pfs-CCA2) if for all polynomials N(·), the advantage Adv^{pfs-CCA2}_{GKM} of any probabilistic polynomial time adversary A^{pfs-GKM} in the game G^{pfs-GKM}_{CCA2} against a challenger C^{pfs-GKM} is negligible in k, the security parameter.

Definition 4: A (k, N)-GKM scheme is collusion resistant against adaptive chosen ciphertext attacks (secure in the sense of cr-CCA2) if for all polynomials N(·), the advantage Adv^{cr-CCA2}_{GKM} of any probabilistic polynomial time adversary A^{cr-GKM} in the game G^{cr-GKM}_{CCA2} against a challenger C^{cr-GKM} is negligible in k, the security parameter.

These definitions are not complete because we have neither described the adversarial games nor defined the advantage of an adversary. In Game IV.1, we describe formally a generic adversarial CCA2 game G^{GKM}_{CCA2}. Below, we define the games G^{fs-GKM}_{CCA2}, G^{bs-GKM}_{CCA2} and G^{pfs-GKM}_{CCA2} as special cases of this generic game. The collusion resistance game G^{cr-GKM}_{CCA2} is described in Game IV.2.

We define the adversarial games that model attacks against forward secrecy, backward secrecy, perfect forward secrecy and collusion resistance as follows.

• Adversarial Game for Forward Secrecy
  G^{fs-GKM}_{CCA2} = G^{GKM}_{CCA2}(C^{fs-GKM}, A^{fs-GKM}, fs)
  In this adversarial game, we allow the adversary to corrupt any member of his choice at any time he wishes (before the challenge phase). Meanwhile, he can also query other oracles to learn about the system. A GKM scheme satisfies forward secrecy, if a member who has left the group cannot decipher any future ciphertexts intended to the group when he is no longer part of the group. Since we are talking about a corrupted member who has left the group, during the corrupt phase, we give the adversary the secret key of the corrupted member at the time of his leaving the group. We allow the adversary to enter the challenge phase at any time after the corrupt phase. In particular, he may choose to make the challenge query at the time that he thinks is most convenient for him to win the challenge. Of course, since we are dealing with forward secrecy, when the adversary makes the challenge query, the corrupted member should not be in the group.

• Adversarial Game for Backward Secrecy
  G^{bs-GKM}_{CCA2} = G^{GKM}_{CCA2}(C^{bs-GKM}, A^{bs-GKM}, bs)
  In this adversarial game, we allow the adversary to corrupt any member of his choice at any time he wishes (before the challenge phase). Meanwhile, he can also query other oracles to learn about the system. A GKM scheme satisfies backward secrecy, if a member who has joined the group cannot decipher any past ciphertexts intended to the group when he was not part of the group. Since we are talking about a corrupted member who has joined the group, during the corrupt phase, we give the adversary the secret key of the corrupted member at the time of his joining the group. And, during the challenge phase, we allow the adversary to specify any time of his choice (before the corrupted member last joined the group) as the time t_Challenge during which the challenge is to be generated. Of course, since we are dealing with backward secrecy, the corrupted member should not be part of the group during t_Challenge.

• Adversarial Game for Perfect Forward Secrecy
  G^{pfs-GKM}_{CCA2} = G^{GKM}_{CCA2}(C^{pfs-GKM}, A^{pfs-GKM}, pfs)
  In this adversarial game, we allow the adversary to corrupt any member of his choice at any time he wishes (before the challenge phase). A constraint that we impose here is that this member should be part of the group when he is being corrupted. This is because perfect forward secrecy deals with the situation when a member is compromised when he is part of the group. Accordingly, we give the adversary the secret key of the corrupted member at the time of corruption. Meanwhile, he can also query other oracles to learn about the system. The compromised group member should not be able to decipher any past ciphertexts. So, we require that the time t_Challenge at which the adversary wants the challenge to be generated occurs before the member was corrupted. Another constraint is that the corrupted member should be in the group during t_Challenge. Otherwise, it would model backward secrecy.

• Adversarial Game for Collusion Resistance
  G^{cr-GKM}_{CCA2}
  This game is described in Game IV.2. Collusion resistance means that at any point in time, even if all the members who are currently not part of the group collude, they will not be able to decipher the present ciphertext. To model this, in this adversarial game, during the challenge phase, we give the secret keys^7 of all the users who are currently not part of the group to the adversary.

Other Security Notions. We have defined only adaptive CCA2 security for GKM. Now, without going into detailed definitions for other security definitions, which would result in
7 Since secret keys are time dependent, we give the adversary the secret keys of the members corresponding to the time when they last left the group.
Game IV.1 GCCA2 (C GKM , AGKM , type)

This generic game is played between a challenger C GKM and an adversary AGKM . The variable type signifies the type of
security that the adversary claims he can break, and can take on any of three values fs, bs, or pfs.
Both the challenger and the adversary are given the security parameter k, the maximum number of group members N , and the
specification of the underlying mKEM E. The game consists of the following phases which are presented in the order in which
they occur. In addition to carrying out these phases, the challenger takes care of simulating the Rekey operation periodically
(if periodic rekey is carried out in the GKM scheme that is being attacked).
Setup Phase — The challenger runs Setup(k, N, Sinit , E), for any choice of Sinit by the adversary. The public key P K is
given to the adversary AGKM . A Rekey operation is simulated immediately after, and the time-line is started at this instant
(t = 0).
Query Phase 1 — During this phase, the adversary is given access to the oracles as described below.
• Queries of the form OJoin (i) and OLeave (i). The adversary can use these queries to control the group dynamics, i.e., he
can make a member with identifier i join or leave the group using these queries.
• Queries of the form OCiphertext (t). These queries help the adversary to retrieve the Hdr corresponding to the most
recent Rekey operation performed at or before a past time t (Note the Join and Leave operations also involve a Rekey
operation and such rekeys are also taken into account).
• Queries of the form ODecrypt (Hdr, t). The adversary can use these queries to learn the DEK corresponding to any
Hdr of his choice, as decrypted at any time t in the past. The challenger responds by decrypting Hdr using the secret
key SKu of some user u ∈ St .

Corrupt Phase — The adversary, at any time tCorrupt of his choice, invokes OCorrupt (ic , type), where ic is the identifier of a
member of the adversary’s choice. The only constraint is that if type = pfs, then the member with identifier ic must currently
be part of the group. The adversary receives, in return, the secret key SKic corresponding to time tLeave (ic ), tJoin (ic ), or
tnow , depending whether type is fs, bs or pfs respectively. Note that unlike in the other phases, the Corrupt oracle can
be invoked only once in this phase.
Query Phase 2 — The description of this phase is identical to that of Query Phase 1 — the adversary is given access to
OJoin , OLeave , OCiphertext and ODecrypt .
Challenge Phase — The adversary issues one challenge query to the challenger C GKM specifying the time tChallenge , subject
to one of the following restrictions depending on the value of type.
• If type = fs, the restrictions are tChallenge = tnow and ic ∈ / StChallenge .
• If type = bs, the restrictions are tChallenge < tJoin (ic ) and ic ∈
/ StChallenge .
• If type = pfs, the restrictions are tChallenge < tCorrupt and ic ∈ StChallenge .

The challenger runs EncapsulateE (DEKE , PKE , MSKE , StChallenge ), at the end of which he has the (HdrE , DEK E ) pair.
Using this, he computes (Hdr∗ , DEK ∗ ) corresponding to time tChallenge , following which he selects a random bit b, sets Kb
to DEK ∗ and K1−b to a random DEK from the key space K and challenges the adversary with hHdr∗ , K0 , K1 i.
Query Phase 3 — The adversary can continue to adaptively issue queries to all the oracles as in earlier query phases, subject
to the restriction that (Hdr∗ , tChallenge ) is not given as a query to ODecrypt .
Guess Phase The adversary outputs a guess b0 of b from {0, 1} and he wins the game if b0 = b. The adversary’s advantage in
CCA2
winning the game is defined as AdvGKM = |P r[b0 = b] − 12 |

Note. We have provided two Query Phases before the Challenge Phase to model a situation in which the Adversary can
corrupt a member at a time of his choice before receiving the challenge.
Game IV.2 G^{cr-GKM}_{CCA2}

This game is played between the challenger C^{cr-GKM} and the adversary A^{cr-GKM}. Both the challenger and the adversary are given the security parameter k, the maximum number of group members N, and the specification of the underlying mKEM E. The game consists of the following phases which are presented in the order in which they occur. In addition to carrying out these phases, the challenger takes care of simulating the Rekey operation periodically (if periodic rekey is carried out in the GKM scheme that is being attacked).
Setup Phase — Same as in G^{GKM}_{CCA2}(C^{cr-GKM}, A^{cr-GKM}, ·).
Query Phase 1 — Same as in G^{GKM}_{CCA2}(C^{cr-GKM}, A^{cr-GKM}, ·).
Challenge Phase — The adversary issues one challenge query to the challenger C^{cr-GKM} at any time instant t_Challenge. First, the adversary is given the secret keys SK_i corresponding to time t_Leave(i) of all the group members with identifiers i ∉ S_{t_Challenge}. The challenger obtains the (Hdr^E, DEK^E) pair by running Encapsulate^E(DEK^E, PK^E, MSK^E, S_{t_Challenge}). Using this, he computes (Hdr*, DEK*) corresponding to time t_Challenge, following which he selects a random bit b, sets K_b to DEK* and K_{1−b} to a random DEK from the key space K and challenges the adversary with ⟨Hdr*, K_0, K_1⟩.
Query Phase 2 — The adversary can continue to adaptively issue queries to all the oracles as in the earlier query phase, subject to the restriction that (Hdr*, t_Challenge) is not given as a query to O_Decrypt.
Guess Phase — The adversary outputs a guess b' of b from {0, 1} and he wins the game if b' = b. The adversary's advantage in winning the game is defined as Adv^{cr-CCA2}_{GKM} = |Pr[b' = b] − 1/2|.
considerable repetition, we explain the intuition behind them. We consider adaptive CCA and adaptive CPA security as well as static versions of these security notions.
• Adaptive CCA Security — The adversarial game G^{(·)-GKM}_{CCA} for adaptive CCA security is the same as the game G^{(·)-GKM}_{CCA2}, except that in the Query phase that follows the Challenge phase, the adversary is denied access to O_Decrypt altogether.
• Adaptive CPA Security — The adversarial game G^{(·)-GKM}_{CPA} for adaptive CPA security is the same as the game G^{(·)-GKM}_{CCA}, except that in all the Query phases, the adversary is denied access to O_Decrypt.
• Static Security — The adversarial games G^{(·)-GKM}_{sCCA2}, G^{(·)-GKM}_{sCCA} and G^{(·)-GKM}_{sCPA} for static security are the same as the respective games for adaptive security, except that the adversary must submit S_{t_Challenge} (for identifier-static) and t_Challenge (for time-static) to the challenger in the beginning of the Setup phase.

V. MULTI-RECEIVER ID-BASED KEY ENCAPSULATION MECHANISM (mID-KEM)
In this section, we quickly review the basic framework of an mID-KEM and the formal security model for the same. In the forthcoming sections, we shall be using these as black-boxes while taking a general mID-KEM to a GKM scheme and proving its security.

A. General Framework of an mID-KEM
We describe the framework of a non-trivial mID-KEM here. By non-trivial, we mean that we do not consider normal encryption schemes (which may trivially be used to encrypt keys just like messages) as KEMs for the purposes of our discussion. An mID-KEM consists of a Private Key Generator (PKG), who generates, using a master secret key MSK, the private keys SK_{ID_i} of group members with identities ID_i, and securely transmits these keys to them. The sender uses the public key PK and identities of the privileged receivers to generate a ciphertext or header, which can be decrypted only by the privileged receivers to obtain a key. More formally, a multi-receiver ID-based Key Encapsulation Mechanism (mID-KEM) with security parameter k and maximum size N of the set of privileged members, consists of the following algorithms^8.
Setup(k, N) — This algorithm inputs a security parameter k and the maximum size of the set of authorized receivers N, and outputs a master secret key MSK and a public key PK. The PKG is given MSK, and PK is made public.
Extract(MSK, ID_i, PK) — This algorithm inputs the master secret key MSK, a user identity ID_i, and the public key PK, and outputs the private key SK_{ID_i} of the user, which is securely transported to the user.
Encapsulate(S, PK) — This algorithm inputs a set of identities of privileged (intended) receivers S = {ID_1, ID_2, …, ID_t}, with t ≤ N, and the public key PK, and outputs a pair (Hdr, DEK). Hdr is called the header and DEK ∈ K, where K is the key space.
Decapsulate(S, ID_i, SK_{ID_i}, Hdr, PK) — This algorithm inputs the set S of identities of the intended receivers, the identity ID_i of one of the intended receivers, and the corresponding private key SK_{ID_i}, a header Hdr, and the public key PK. If ID_i ∈ S, the algorithm outputs the key DEK.
8 Our description of an mID-KEM does fall into the generic framework of the underlying mKEM discussed in Section III; the only difference is that the Setup algorithm is split here into two algorithms Setup and Extract.
Game V.1 G^{mID-KEM}_{CCA2}

This game is played between the challenger C^{mID-KEM} and the adversary A^{mID-KEM}. Both the challenger and the adversary are given the security parameter k and the maximum number of receivers N. The game consists of the following phases that are presented in the order in which they occur.
Setup Phase — The challenger runs Setup(k, N) and the public key PK is given to the adversary A^{mID-KEM}.
Query Phase 1 — During this phase the adversary is given access to the oracles as described below.
• Queries of the form O_Extract(ID_i) — The adversary can use this query to learn the secret keys of any of the members of his choice.
• Queries of the form O_Decapsulate(ID_i, S, Hdr) — The adversary can use this query to learn the DEK corresponding to any Hdr meant for any subset of privileged users.
Challenge Phase — During this phase the adversary issues one challenge query to the challenger, submitting a set S* of identities of users of the adversary's choice. The only restriction is that S* should not contain an identity of a user whose secret key was queried earlier by the adversary. The challenger then uses the Encapsulate algorithm with S* as input to obtain a (Hdr*, DEK*) pair. He then chooses a bit b ∈ {0, 1} at random and sets K_b to DEK* and K_{1−b} to a random element from the key space K. He then challenges the adversary with ⟨Hdr*, K_0, K_1⟩.
Query Phase 2 — During this phase the adversary can continue to query the oracles as before, subject to the following restrictions.
• He should not query the Extract oracle for the secret key of any member whose identity belongs to S*.
• He should not query the Decapsulate oracle with (ID_i, S*, Hdr*), for any ID_i ∈ S*.
Guess Phase — During this phase, the adversary outputs a guess b' of b from {0, 1} and he wins the game if b' = b. The adversary's advantage in winning the game is defined as Adv^{CCA2}_{mID-KEM} = |Pr[b' = b] − 1/2|.
B. Security Model for mID-KEM
The adversarial game involves a challenger who presents the adversary with an interface consisting of oracles that model the algorithms of the real scheme. Below, we describe in functional terms the oracles to be implemented by a challenger of a generic mID-KEM.
1) O_Extract(ID_i) — Here, ID_i is the identity of a user. The oracle returns the secret key SK_{ID_i} of the user by using the Extract algorithm.
2) O_Decapsulate(ID_i, S, Hdr) — Here, ID_i is the identity of an intended user, S is the set of identities of the intended (privileged) users, and Hdr is a header to be decrypted. The oracle returns the DEK corresponding to Hdr by using the Decapsulate algorithm.
We define CCA2 security for mID-KEM using the adversarial game G^{mID-KEM}_{CCA2} that is described in Game V.1.

Definition 5: A (k, N)-mID-KEM is CCA2 secure against adaptive chosen ciphertext attacks if for all polynomials N(·), the advantage Adv^{CCA2}_{mID-KEM} of any probabilistic polynomial time adversary A^{mID-KEM} in the game G^{mID-KEM}_{CCA2} against a challenger C^{mID-KEM} is negligible in k, the security parameter.

Other Security Notions. We have defined only adaptive CCA2 security for mID-KEM. Now, without going into detailed definitions for other security definitions, which would result in considerable repetition, we explain the intuition behind them. We consider adaptive CCA and adaptive CPA security as well as static versions of these security notions.
• Adaptive CCA Security — The adversarial game G^{mID-KEM}_{CCA} for adaptive CCA security is the same as the game G^{mID-KEM}_{CCA2}, except that in the Query phase that follows the Challenge phase, the adversary is denied access to O_Decapsulate altogether.
• Adaptive CPA Security — The adversarial game G^{mID-KEM}_{CPA} for adaptive CPA security is the same as the game G^{mID-KEM}_{CCA}, except that in all the Query phases, the adversary is denied access to O_Decapsulate.
• Static Security — The adversarial games G^{mID-KEM}_{sCCA2}, G^{mID-KEM}_{sCCA} and G^{mID-KEM}_{sCPA} for static security are the same as the respective games for adaptive security, except that the adversary must submit, in the beginning of the Setup phase, to the challenger, the set S* of identities of users he wishes to be challenged upon.^9

VI. A GENERIC CONVERSION TO CENTRALIZED GKM FROM mID-KEM
Let mID-KEM be the underlying mID-KEM and let GKM be the centralized GKM scheme that is to be constructed using mID-KEM. Before we formally describe the constituent algorithms of GKM as per our construction, we state informally what it does and the intuition behind it.
9 Consequently, in Query Phase 1 of G^{mID-KEM}_{(·)}, the adversary should not query the Extract oracle for any identities that are present in S*.
Consider the following trivial (and hypothetical) construction of GKM. For Setup, run the Setup algorithm of mID-KEM, make the public key public, run the Extract algorithm of mID-KEM for all the group members, and securely transport their secret keys and the initial DEK to them. For Rekey, simply execute the Encapsulate algorithm of mID-KEM and broadcast the new header to the members, who can retrieve the new DEK by running the Decapsulate algorithm. For Join and Leave, just update the set of identities of the current group members accordingly and do a Rekey operation. It is not difficult to see that this GKM will be forward secure, backward secure and collusion resistant if mID-KEM is provably secure. But it is not perfect forward secure because a header generated now can be decrypted by the group member (who was part of the group when the ciphertext was generated) at any point in the future. This enables a group member to decrypt past headers and recover past DEKs. We circumvent this problem by introducing time-dependent secret keys for group members, so that a group member cannot use his current secret key to decrypt a header that was generated in the past.

Informally, all that our construction does is to introduce an additional time-varying secret key component g that is common to all group members, with which the header of mID-KEM is XORed before being broadcasted to the group. The group members first recover the header because they know the secret g, and then decrypt it to recover the DEK. Both the CA and the members update this secret g during every Rekey operation by using a one-way function, the old value of g, and a randomness parameter that is broadcasted by the CA. Since we are using a one-way function to update the secret keys, a group member cannot derive a past secret key from his present secret key. (If he manages to do that, then he can decrypt past headers.) Of course, the group member can store his past secret keys, but we prohibit this in our construction, considering it to be a violation of the protocol.

Formally, GKM consists of the following algorithms, all of which are run by the CA, who plays the role of the PKG of mID-KEM as well.

Setup(k, N, S_init, mID-KEM)
• Input. Take as input the security parameter k, the maximum number of group members N, the set S_init of the identities of initial group members, and mID-KEM, the underlying multi-receiver key encapsulation mechanism.
• Choose a one-way function F: Z_p^* → Z_p^*, and a random seed g ∈ Z_p^*, where p is a large prime such that |p| = k.
• Run Setup^{mID-KEM}(k, N) to obtain PK^{mID-KEM} and MSK^{mID-KEM}. Construct the public key PK = ⟨PK^{mID-KEM}, F, mID-KEM⟩ and make it public.
• Set MSK = ⟨MSK^{mID-KEM}, g⟩.
• Choose a data encryption key DEK at random from the key space K.
• Run Extract^{mID-KEM}(ID_i) for each identity ID_i ∈ S_init to obtain the secret keys SK^{mID-KEM}_{ID_i} of all the members. Compute SK_{ID_i} = (SK^{mID-KEM}_{ID_i}, g) for all ID_i ∈ S_init and securely send these keys to the corresponding members. Also send the initial DEK securely to these members.
Note. We refer to the second component of the secret key SK_{ID_i}, which is common to all the group members, as the dynamic key. It is "dynamic" because, as we shall see, it is updated regularly during every Rekey operation.

Rekey(S, PK)
• Input. Take as input the set S of the identities of current group members, and the public key PK.
• Select a random r ∈ Z_p^* and update the dynamic key by using the one-way function F as g ← r · F(g).
• Run Encapsulate^{mID-KEM}(S, PK^{mID-KEM}) to obtain a (Hdr^{mID-KEM}, DEK) pair.
• Construct Hdr^{GKM} = Hdr^{mID-KEM} ⊕ g (see footnote 10) and broadcast ⟨Hdr^{GKM}, r⟩ to the group.
• Every group member also updates the second component of his secret key (the dynamic key) as g ← r · F(g) and securely erases the old copy of g.
• Every group member with identity ID_i will retrieve Hdr^{mID-KEM} = Hdr^{GKM} ⊕ g and run Decapsulate^{mID-KEM}(S, ID_i, SK^{mID-KEM}_{ID_i}, Hdr^{mID-KEM}, PK^{mID-KEM}) to obtain DEK.
Note. The CA keeps running the Rekey algorithm periodically even though the group may remain static without any Join or Leave operations.

Join(ID_i, S, PK)
• Input. Take as input the identity ID_i of a member who wishes to join the group, the set S of identities of current group members, and the public key PK.
• The joining member establishes a secure connection with the CA, who may perform some checks before authorizing the member to join the group. If authorized, run Extract^{mID-KEM}(ID_i) to obtain the secret key SK^{mID-KEM}_{ID_i} of the member.
• Compute SK_{ID_i} = (SK^{mID-KEM}_{ID_i}, g) and securely send it to the joining member.
• Update the set of identities of current group members as S ← S ∪ {ID_i}.
• Run Rekey(S, PK).

Leave(L, S, PK)
• Input. Take as input the set L of identities of members who wish to leave the group or are revoked, the set S of identities of current group members, and the public key PK.
• Update the set of identities of current group members as S ← S − L.
• Run Rekey(S, PK).
10 The XOR operation is done bitwise. g is represented as bits and is padded with additional zeroes if necessary.
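The construction of Section VI as a runnable model, added here as an example and not taken from the paper. The mID-KEM is replaced by a constructed stand-in (the class StandInKEM, which issues per-identity HMAC keys and is not an identity-based scheme; only its Setup/Extract/Encapsulate/Decapsulate interface matters), F is instantiated as SHA-256 folded into Z_p^* with p = 2^255 − 19, and the names CA, Member and demo are this example's own. The scenario checks that current members recover each DEK, that a member who has left and a member who joined later are excluded by the KEM, and that a member holding only the current g cannot unmask an earlier header.

```python
import hashlib
import hmac
import secrets

P = 2**255 - 19   # assumed instantiation of the prime p; |p| plays the role of k
KEY_LEN = 32      # DEK length in bytes, i.e. the key space K is {0,1}^256
NONCE_LEN = 16

def F(x: int) -> int:
    """One-way function F: Z_p^* -> Z_p^*; SHA-256 folded into Z_p^* is an assumption."""
    return int.from_bytes(hashlib.sha256(x.to_bytes(32, "big")).digest(), "big") % (P - 1) + 1

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def xor_with_g(hdr: bytes, g: int) -> bytes:
    """Hdr XOR g, with g written as bytes and zero-padded to the header length (footnote 10)."""
    return xor_bytes(hdr, g.to_bytes(32, "big").ljust(len(hdr), b"\x00"))

class StandInKEM:
    """Constructed stand-in for the mID-KEM (NOT identity-based): Extract derives a
    per-identity key from MSK; Encapsulate wraps a fresh DEK once per identity in S,
    so Decapsulate yields the key only for identities in S."""
    def __init__(self):
        self.msk = secrets.token_bytes(32)

    def extract(self, ident: str) -> bytes:
        return hmac.new(self.msk, ident.encode(), hashlib.sha256).digest()

    @staticmethod
    def _pad(sk: bytes, nonce: bytes) -> bytes:
        return hmac.new(sk, nonce, hashlib.sha256).digest()

    def encapsulate(self, S):
        nonce, dek = secrets.token_bytes(NONCE_LEN), secrets.token_bytes(KEY_LEN)
        slots = [xor_bytes(dek, self._pad(self.extract(i), nonce)) for i in sorted(S)]
        return nonce + b"".join(slots), dek   # (Hdr, DEK)

    @staticmethod
    def decapsulate(S, ident: str, sk: bytes, hdr: bytes):
        if ident not in S:   # only intended receivers obtain the key
            return None
        idx = sorted(S).index(ident)
        slot = hdr[NONCE_LEN + KEY_LEN * idx: NONCE_LEN + KEY_LEN * (idx + 1)]
        return xor_bytes(slot, StandInKEM._pad(sk, hdr[:NONCE_LEN]))

class Member:
    def __init__(self, ident, sk_kem, g, dek):
        self.ident, self.sk_kem, self.g, self.dek = ident, sk_kem, g, dek

    def process_rekey(self, broadcast, S):
        """Member side of Rekey: advance g with the broadcast r, unmask, decapsulate."""
        hdr_gkm, r = broadcast
        self.g = r * F(self.g) % P   # the old g is overwritten, i.e. erased
        self.dek = StandInKEM.decapsulate(S, self.ident, self.sk_kem, xor_with_g(hdr_gkm, self.g))
        return self.dek

class CA:
    def __init__(self, S_init):
        self.kem, self.S = StandInKEM(), set(S_init)
        self.g = secrets.randbelow(P - 1) + 1   # random seed g in Z_p^*
        self.dek = secrets.token_bytes(KEY_LEN)
        self.members = {i: Member(i, self.kem.extract(i), self.g, self.dek) for i in S_init}

    def rekey(self):
        r = secrets.randbelow(P - 1) + 1
        self.g = r * F(self.g) % P   # g <- r . F(g)
        hdr_kem, self.dek = self.kem.encapsulate(self.S)
        broadcast = (xor_with_g(hdr_kem, self.g), r)
        for m in self.members.values():   # ex-members hear the broadcast as well
            m.process_rekey(broadcast, self.S)
        return broadcast

    def join(self, ident):
        self.members[ident] = Member(ident, self.kem.extract(ident), self.g, None)
        self.S.add(ident)
        return self.rekey()

    def leave(self, L):
        self.S -= set(L)
        return self.rekey()

def demo():
    ca = CA({"alice", "bob", "carol"})
    hdr1, _ = ca.rekey()
    S1, dek1 = set(ca.S), ca.dek
    out = {"members_share_dek": all(ca.members[i].dek == dek1 for i in S1)}
    ca.leave({"bob"})   # forward secrecy: bob is no longer an intended receiver
    out["remaining_recover_new_dek"] = all(ca.members[i].dek == ca.dek for i in ca.S)
    out["left_member_gets_nothing"] = ca.members["bob"].dek is None
    ca.join("dave")     # backward secrecy: dave was not a receiver of hdr1
    dave, alice = ca.members["dave"], ca.members["alice"]
    out["joiner_has_current_dek"] = dave.dek == ca.dek
    out["joiner_cannot_read_past"] = StandInKEM.decapsulate(
        S1, "dave", dave.sk_kem, xor_with_g(hdr1, dave.g)) is None
    # perfect forward secrecy: alice holds only her current g, which does not unmask hdr1
    out["current_g_does_not_unmask_past"] = StandInKEM.decapsulate(
        S1, "alice", alice.sk_kem, xor_with_g(hdr1, alice.g)) != dek1
    return out
```

Two points the scenario makes concrete, both in line with the paper's own account of the construction: an ex-member who keeps listening still learns every broadcast r and can keep advancing g, so exclusion of leavers and of late joiners rests entirely on the mID-KEM's receiver set S; the dynamic key g only adds perfect forward secrecy, and only as long as members really erase the previous g and F is one-way (the hash here merely stands in for such an F).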
VII. FORMAL SECURITY PROOF FOR GKM
We now prove that GKM is secure against adaptive^11 Chosen Ciphertext Attacks (CCA) with respect to all the four security properties by assuming the adaptive CCA security of the underlying mID-KEM and the hardness of inverting one-way functions. For proofs which involve the reduction of an adversary of mID-KEM to an adversary of GKM, we will be running the following two adversarial games in parallel.
• G^{mID-KEM}_{CCA} — The CCA game corresponding to mID-KEM. The challenger for this game is denoted by C^{mID-KEM} and the adversary for this game is denoted by A^{mID-KEM}.
• G^{(·)-GKM}_{CCA} — The (·)-CCA game corresponding to GKM. Here, (·) can refer to fs, bs, pfs or cr depending on the security property that is being proved. The challenger and adversary for this game are denoted by C^{(·)-GKM} and A^{(·)-GKM} respectively.
For proofs which involve the reduction of the problem of inverting a given one-way function to the problem of breaking the security of GKM, we will just run the game G^{(·)-GKM}_{CCA}.

Before presenting the formal proof, we give a short informal overview of the two proof techniques that we employ.
• Proofs for Forward Secrecy, Backward Secrecy and Collusion Resistance — For these properties, we shall be reducing A^{mID-KEM} to A^{(·)-GKM}. That is, we assume the existence of an adversary A^{(·)-GKM} who can break a particular security property of GKM and use him to construct the adversary A^{mID-KEM} who can break the security of mID-KEM. We let A^{mID-KEM} take on the role of C^{(·)-GKM} and interact with A^{(·)-GKM} on one side through the game G^{(·)-GKM}_{CCA} and simultaneously interact with C^{mID-KEM} through the game G^{mID-KEM}_{CCA}. Thus, the task of A^{mID-KEM} is to use its interaction with A^{(·)-GKM} to try and win against C^{mID-KEM}.
• Proof for Perfect Forward Secrecy — For this property, we shall be reducing the problem of inverting a one-way function F to the problem of breaking perfect forward secrecy of GKM. This reduction is somewhat weak in the sense that we do not give an exact algorithm for inverting a given one-way function, but merely show the existence of such an algorithm. The algorithm acts as the challenger C^{pfs-GKM} of the adversary A^{pfs-GKM}, and interacts with him through the game G^{pfs-GKM}_{CCA}. Thus, the task of the algorithm is to force A^{pfs-GKM} to invert the one-way function F, if at all he is to win G^{pfs-GKM}_{CCA}.

We now describe the working of C^{(·)-GKM}, who is an important entity in all our proofs.^12 He maintains five lists L_c, L_s, L_g, L_j and L_ℓ as described below.
• L_c contains entries of the form ⟨t, Hdr^{GKM}⟩, where Hdr^{GKM} is the broadcast ciphertext of the Rekey operation performed at time t.
• L_s contains entries of the form ⟨t, S_t⟩, where S_t is the set of identities of the group members present at time t.
• L_g contains entries of the form ⟨t, g_t⟩, where g_t is the dynamic key at time t.
• L_j contains entries of the form ⟨ID, t_Join(ID)⟩. Recall that t_Join(ID) is the most recent time at which the member with identity ID joined the group. For every ID, there will be a unique entry in this list.
• L_ℓ contains entries of the form ⟨ID, t_Leave(ID)⟩. Recall that t_Leave(ID) is the most recent time at which the member with identity ID left the group. For every ID, there will be a unique entry in this list.

C^{(·)-GKM}, acting as the challenger for A^{(·)-GKM}, must provide access to all the oracles involved in G^{(·)-GKM}_{CCA}. In those three proofs in which he is also an adversary for mID-KEM, he has access to the oracles provided by C^{mID-KEM}, namely O^{mID-KEM}_{Extract} and O^{mID-KEM}_{Decapsulate}. In the proof in which there is no access to these oracles, he can simulate them himself.^13 In any case, we describe how C^{(·)-GKM} simulates the oracles of GKM using those of mID-KEM and a little bookkeeping.
• O_Join(ID_i) — C^{(·)-GKM} does the following.
  1) Retrieve the last entry, (t', S_{t'}), from L_s and check if ID_i ∈ S_{t'}. If so, then abort. Else, set S_{t_now} = S_{t'} ∪ {ID_i} and append (t_now, S_{t_now}) to L_s.
  2) Retrieve g_{t_now^-} from L_g (g_{t_now^-} = g_{t''}, where (t'', g_{t''}) is the last entry in L_g), pick a random r ∈ Z_p^*, compute g_{t_now} = r · F(g_{t_now^-}) and append the entry (t_now, g_{t_now}) to L_g.
  3) Run Encapsulate^{mID-KEM}(S_{t_now}, PK^{mID-KEM}) to obtain Hdr^{mID-KEM} corresponding to a new DEK, compute Hdr^{GKM} = ⟨Hdr^{mID-KEM} ⊕ g_{t_now}, r⟩ and append the entry (t_now, Hdr^{GKM}) to L_c.
  4) Record the join by appending the entry (ID_i, t_now) to L_j. If there already exists an entry corresponding to ID_i, overwrite it.
• O_Leave(ID_i) — C^{(·)-GKM} does the following.
  1) Retrieve the last entry, (t', S_{t'}), from L_s and check if ID_i ∉ S_{t'}. If so, then abort. Else, set S_{t_now} = S_{t'} − {ID_i} and append (t_now, S_{t_now}) to L_s.
  2) Retrieve g_{t_now^-} from L_g (g_{t_now^-} = g_{t''}, where (t'', g_{t''}) is the last entry in L_g), pick a random r ∈ Z_p^*, compute g_{t_now} = r · F(g_{t_now^-}) and append the entry (t_now, g_{t_now}) to L_g.
  3) Run Encapsulate^{mID-KEM}(S_{t_now}, PK^{mID-KEM}) to obtain Hdr^{mID-KEM} corresponding to a new DEK, compute Hdr^{GKM} = ⟨Hdr^{mID-KEM} ⊕ g_{t_now}, r⟩ and append the entry (t_now, Hdr^{GKM}) to L_c.
11 Both time-adaptive and identity-adaptive.
12 It must be kept in mind that in the proofs for forward secrecy, backward secrecy and collusion resistance, C^{(·)-GKM} is also A^{mID-KEM}.
13 He is able to do so because there is no game G^{mID-KEM}_{CCA} and no corresponding challenger to win against.
4) Record the leave by appending the entry (ID_i, t_now) to L_ℓ. If there already exists an entry corresponding to ID_i, overwrite it.

• O_Ciphertext(t) — C^{(·)-GKM} aborts if t > t_now. Otherwise, he retrieves, if present, the entry (t′, Hdr_GKM) from L_c such that t′ is the most recent (numerically largest) time stamp satisfying t′ ≤ t and returns Hdr_GKM. If no such entry is present, he returns ⊥.

• O_Decrypt(Hdr_GKM, t) — C^{(·)-GKM} aborts if t > t_now. Otherwise, he does the following.
   1) Retrieve, if present, the entries (t′, S_{t′}) from L_s and (t′, g_{t′}) from L_g such that t′ is the most recent (numerically largest) time stamp satisfying t′ ≤ t. If no such entries are present, return ⊥.
   2) Generate the header Hdr^{mID-KEM} = Hdr_GKM ⊕ g_{t′} corresponding to mID-KEM and return the result of O^{mID-KEM}_{Decapsulate}(ID_i, S_{t′}, Hdr^{mID-KEM}), where ID_i is chosen at random from S_{t′}.

• O_Corrupt(ID_i, type) — C^{(·)-GKM} does the following.
   1) When type = fs, retrieve, if present, the entries (ID_i, t_Leave(ID_i)) and (t_Leave(ID_i), g_{t_Leave(ID_i)}) from L_ℓ and L_g respectively. If no such entries are present, return ⊥. Else obtain S_{ID_i} by querying O^{mID-KEM}_{Extract}(ID_i) and return SK_{ID_i} = (SK^{mID-KEM}_{ID_i}, g_{t_Leave(ID_i)}).
   2) When type = bs, retrieve, if present, the entries (ID_i, t_Join(ID_i)) and (t_Join(ID_i), g_{t_Join(ID_i)}) from L_j and L_g respectively. If no such entries are present, return ⊥. Else obtain S_{ID_i} by querying O^{mID-KEM}_{Extract}(ID_i) and return SK_{ID_i} = (SK^{mID-KEM}_{ID_i}, g_{t_Join(ID_i)}).
   3) When type = pfs, retrieve the last entry (t, g_t) from L_g, query O^{mID-KEM}_{Extract}(ID_i) to obtain S_{ID_i} and return SK_{ID_i} = (SK^{mID-KEM}_{ID_i}, g_t).

We now present the four security theorems and their formal proofs.

Theorem 1. GKM is fs-CCA secure if mID-KEM is at least CCA secure.

Proof. Here, we describe how the adversary A^{mID-KEM} on one side acts as the challenger C^{fs-GKM} who interacts with A^{fs-GKM}, while simultaneously interacting with C^{mID-KEM} on the other side, trying to win against him. Since the two games are being run in parallel and we describe the events in chronological order, the description below switches between the phases of the two games. To ensure some clarity, we present the description from the point of view of the game G^{fs-GKM}_{CCA}.

1) Setup Phase — The challenger C^{mID-KEM} runs Setup^{mID-KEM}(k, N) to obtain PK^{mID-KEM}, and gives it to A^{mID-KEM}, who constructs PK = ⟨PK^{mID-KEM}, F, mID-KEM⟩ and gives it to A^{fs-GKM}. He also picks a random seed g from Z*_p and sets the master secret key MSK to ⟨MSK^{mID-KEM}, g⟩.
2) Query Phase 1 — A^{fs-GKM} is allowed to query the oracles O_Join, O_Leave, O_Ciphertext and O_Decrypt.
3) Corrupt Phase — A^{fs-GKM} chooses ID_{i_c}, an identity which he wants to corrupt, and makes the query O_Corrupt(ID_{i_c}, fs) at time t_Corrupt (which is the choice of A^{fs-GKM}).
4) Query Phase 2 — A^{fs-GKM} can query the oracles as in Query Phase 1.
5) Challenge Phase — A^{fs-GKM} issues one challenge query to its challenger A^{mID-KEM} at time t_Challenge (which is the choice of A^{fs-GKM}), subject to the restriction that ID_{i_c} ∉ S_{t_Challenge}. Now, A^{mID-KEM} does the following before responding with the challenge.
   • Retrieve the set S_{t_Challenge} from the list L_s.
   • Issue a challenge query, specifying the set S_{t_Challenge}, to the challenger C^{mID-KEM}.
   • Receive the challenge (Hdr*^{mID-KEM}, K_0, K_1).
   • Compute Hdr*_GKM as ⟨Hdr*^{mID-KEM} ⊕ g_{t_Challenge}, r_{t_Challenge}⟩.^14
   A^{mID-KEM} returns (Hdr*_GKM, K_0, K_1) as the challenge to A^{fs-GKM}.
6) Guess Phase — A^{fs-GKM} outputs a bit b′ ∈ {0, 1} as its guess. A^{mID-KEM} passes on b′ as its guess to C^{mID-KEM}.

It is easy to see that the advantage of A^{fs-GKM} in breaking the forward secrecy of GKM is the same as that of A^{mID-KEM} in breaking the CCA security of mID-KEM.

$$\mathrm{Adv}^{fs\text{-}CCA}_{GKM} = \mathrm{Adv}^{CCA}_{mID\text{-}KEM} = \left|\Pr[b = b'] - \tfrac{1}{2}\right|$$

This means that if there exists no adversary A^{mID-KEM} who can break the CCA security of mID-KEM with non-negligible advantage, then there cannot be any adversary A^{fs-GKM} who can break the forward secrecy of GKM with non-negligible advantage.

^14 g_{t_Challenge} is retrieved from the list L_g. Since g_{t_Challenge} = r_{t_Challenge} · F(g_{t_Challenge^−}), it can be seen that r_{t_Challenge} can be computed using g_{t_Challenge} and g_{t_Challenge^−}, both of which are available in L_g.

Theorem 2. GKM is bs-CCA secure if mID-KEM is at least CCA secure.

Proof. Here, we describe how the adversary A^{mID-KEM} on one side acts as the challenger C^{bs-GKM} who interacts with A^{bs-GKM}, while simultaneously interacting with C^{mID-KEM} on the other side, trying to win against him. Since the two games are being run in parallel and we describe the events in
chronological order, the description below switches between the phases of the two games. Again, we present the description from the point of view of the game G^{bs-GKM}_{CCA}.

1) Setup Phase — The challenger C^{mID-KEM} runs Setup^{mID-KEM}(k, N) to obtain PK^{mID-KEM}, and gives it to A^{mID-KEM}, who constructs PK = ⟨PK^{mID-KEM}, F, mID-KEM⟩ and gives it to A^{bs-GKM}. He also picks a random seed g from Z*_p and sets the master secret key MSK to ⟨MSK^{mID-KEM}, g⟩.
2) Query Phase 1 — A^{bs-GKM} is allowed to query the oracles O_Join, O_Leave, O_Ciphertext and O_Decrypt.
3) Corrupt Phase — A^{bs-GKM} chooses ID_{i_c}, an identity which he wants to corrupt, and makes the query O_Corrupt(ID_{i_c}, bs) at time t_Corrupt (which is the choice of A^{bs-GKM}).
4) Query Phase 2 — A^{bs-GKM} can query the oracles as in Query Phase 1.
5) Challenge Phase — A^{bs-GKM} issues one challenge query to its challenger A^{mID-KEM}, specifying a time t_Challenge (which is the choice of A^{bs-GKM}), subject to the restrictions that ID_{i_c} ∉ S_{t_Challenge} and t_Challenge ≤ t_Join(ID_{i_c}). Now, A^{mID-KEM} does the following before responding with the challenge.
   • Retrieve the set S_{t_Challenge} from the list L_s.
   • Issue a challenge query, specifying the set S_{t_Challenge}, to the challenger C^{mID-KEM}.
   • Receive the challenge (Hdr*^{mID-KEM}, K_0, K_1).
   • Compute Hdr*_GKM as ⟨Hdr*^{mID-KEM} ⊕ g_{t_Challenge}, r_{t_Challenge}⟩.^15
   A^{mID-KEM} returns (Hdr*_GKM, K_0, K_1) as the challenge to A^{bs-GKM}.
6) Guess Phase — A^{bs-GKM} outputs a bit b′ ∈ {0, 1} as its guess. A^{mID-KEM} passes on b′ as its guess to C^{mID-KEM}.

It is easy to see that the advantage of A^{bs-GKM} in breaking the backward secrecy of GKM is the same as that of A^{mID-KEM} in breaking the CCA security of mID-KEM.

$$\mathrm{Adv}^{bs\text{-}CCA}_{GKM} = \mathrm{Adv}^{CCA}_{mID\text{-}KEM} = \left|\Pr[b = b'] - \tfrac{1}{2}\right|$$

This means that if there exists no adversary A^{mID-KEM} who can break the CCA security of mID-KEM with non-negligible advantage, then there cannot be any adversary A^{bs-GKM} who can break the backward secrecy of GKM with non-negligible advantage.

^15 g_{t_Challenge} is retrieved from the list L_g. Since g_{t_Challenge} = r_{t_Challenge} · F(g_{t_Challenge^−}), it can be seen that r_{t_Challenge} can be computed using g_{t_Challenge} and g_{t_Challenge^−}, both of which are available in L_g.

Theorem 3. GKM is pfs-CCA secure if inverting F is hard.

Proof. This proof differs somewhat from the other proofs because we are reducing the security of GKM to the one-wayness of F. Here, we describe how the challenger C^{pfs-GKM} interacts with A^{pfs-GKM} and forces him to invert the one-way function F in order for him to win against C^{pfs-GKM}. The game that is being described is G^{pfs-GKM}_{CCA}.

1) Setup Phase — C^{pfs-GKM} runs Setup^{mID-KEM}(k, N) to obtain PK^{mID-KEM}. He constructs PK = ⟨PK^{mID-KEM}, F, mID-KEM⟩ and gives it to A^{pfs-GKM}. He also picks a random seed g from Z*_p and sets the master secret key MSK to ⟨MSK^{mID-KEM}, g⟩.
2) Query Phase 1 — A^{pfs-GKM} is allowed to query the oracles O_Join, O_Leave, O_Ciphertext and O_Decrypt.
3) Corrupt Phase — A^{pfs-GKM} chooses ID_{i_c}, an identity which he wants to corrupt, and makes the query O_Corrupt(ID_{i_c}, pfs) at time t_Corrupt (which is the choice of A^{pfs-GKM}).
4) Query Phase 2 — A^{pfs-GKM} can query the oracles as in Query Phase 1.
5) Challenge Phase — A^{pfs-GKM} issues one challenge query to C^{pfs-GKM}, specifying a time t_Challenge (which is the choice of A^{pfs-GKM}), subject to the restrictions that ID_{i_c} ∈ S_{t_Challenge} and t_Join(ID_{i_c}) < t_Challenge < t_Corrupt. Now, C^{pfs-GKM} does the following before responding with the challenge.
   • Retrieve the set S_{t_Challenge} from the list L_s.
   • Obtain a (Hdr^{mID-KEM}, DEK) pair by running Encapsulate^{mID-KEM}(S_{t_Challenge}, PK^{mID-KEM}).
   • Compute Hdr*_GKM ← ⟨Hdr^{mID-KEM} ⊕ g_{t_Challenge}, r_{t_Challenge}⟩.^15
   • Randomly select a bit b ∈ {0, 1} and set K_b = DEK and K_{1−b} to a random element from the key space K.
   Now, C^{pfs-GKM} returns (Hdr*_GKM, K_0, K_1) as the challenge to A^{pfs-GKM}.
6) Guess Phase — A^{pfs-GKM} outputs a bit b′ ∈ {0, 1} as its guess.

Note that since g_{t_Challenge} = r_{t_Challenge} · F(g_{t_Challenge^−}) and r_{t_Challenge} is random in Z*_p, g_{t_Challenge} is also random. Therefore, the challenge Hdr*_GKM is also random. So, the only way by which the adversary A^{pfs-GKM} can get any information from Hdr*_GKM about the DEK corresponding to Hdr^{mID-KEM} is by obtaining Hdr^{mID-KEM} itself. This implies that, if he is able to obtain Hdr^{mID-KEM}, then he is also able to obtain g_{t_Challenge} (obtaining g_{t_Challenge} from Hdr*_GKM and Hdr^{mID-KEM} just involves an XOR operation) from g_{t_Corrupt}. Since t_Challenge < t_Corrupt, this shows the ability of the adversary to invert the one-way function F. Hence the advantage of the
adversary A^{pfs-GKM} is at most his advantage in inverting the one-way function F.

$$\mathrm{Adv}^{pfs\text{-}CCA}_{GKM} < \mathrm{Adv}^{inv}_{F}$$

This means that if there exists no algorithm that can invert a one-way function F with non-negligible advantage, then there cannot be any adversary A^{pfs-GKM} who can break the perfect forward secrecy of GKM with non-negligible advantage.

Theorem 4. GKM is cr-CCA secure if mID-KEM is at least CCA secure.

Proof. Here, we describe how the adversary A^{mID-KEM} on one side acts as the challenger C^{cr-GKM} who interacts with A^{cr-GKM}, while simultaneously interacting with C^{mID-KEM} on the other side, trying to win against him. Since the two games are being run in parallel and we describe the events in chronological order, the description below switches between the phases of the two games. As usual, we present the description from the point of view of the game G^{cr-GKM}_{CCA}.

1) Setup Phase — The challenger C^{mID-KEM} runs Setup^{mID-KEM}(k, N) to obtain PK^{mID-KEM}, and gives it to A^{mID-KEM}, who constructs PK = ⟨PK^{mID-KEM}, F, mID-KEM⟩ and gives it to A^{cr-GKM}. He also picks a random seed g from Z*_p and sets the master secret key MSK to ⟨MSK^{mID-KEM}, g⟩.
2) Query Phase — A^{cr-GKM} is allowed to query the oracles O_Join, O_Leave, O_Ciphertext and O_Decrypt.
3) Challenge Phase — A^{cr-GKM} issues one challenge query to its challenger A^{mID-KEM} at time t_Challenge (which is the choice of A^{cr-GKM}). Now, A^{mID-KEM} does the following before responding with the challenge.
   • Retrieve the set S_{t_Challenge} from the list L_s, and g_{t_Leave(ID_i)} from the list L_g, for all ID_i ∉ S_{t_Challenge}.
   • For each identity ID_i ∉ S_{t_Challenge}, issue the query O^{mID-KEM}_{Extract}(ID_i) to obtain S_{ID_i} and return SK_{ID_i} = (S_{ID_i}, g_{t_Leave(ID_i)}).
   • Issue a challenge query, specifying the set S_{t_Challenge}, to the challenger C^{mID-KEM}.
   • Receive the challenge (Hdr*^{mID-KEM}, K_0, K_1).
   • Compute Hdr*_GKM as ⟨Hdr*^{mID-KEM} ⊕ g_{t_Challenge}, r_{t_Challenge}⟩.^17
   A^{mID-KEM} returns (Hdr*_GKM, K_0, K_1) as the challenge to A^{cr-GKM}.
4) Guess Phase — A^{cr-GKM} outputs a bit b′ ∈ {0, 1} as its guess. A^{mID-KEM} passes on b′ as its guess to C^{mID-KEM}.

^17 g_{t_Challenge} is retrieved from the list L_g. Since g_{t_Challenge} = r_{t_Challenge} · F(g_{t_Challenge^−}), it can be seen that r_{t_Challenge} can be computed using g_{t_Challenge} and g_{t_Challenge^−}, both of which are available in L_g.

It is easy to see that the advantage of A^{cr-GKM} in breaking the collusion resistance of GKM is the same as that of A^{mID-KEM} in breaking the CCA security of mID-KEM.

$$\mathrm{Adv}^{cr\text{-}CCA}_{GKM} = \mathrm{Adv}^{CCA}_{mID\text{-}KEM} = \left|\Pr[b = b'] - \tfrac{1}{2}\right|$$

This means that if there exists no adversary A^{mID-KEM} who can break the CCA security of mID-KEM with non-negligible advantage, then there cannot be any adversary A^{cr-GKM} who can break the collusion resistance of GKM with non-negligible probability.

VIII. AN ILLUSTRATION OF THE GENERIC CONVERSION TO CENTRALIZED GKM

In this section, we present an example of the generalized transformation to centralized GKM that was presented in Section VI. We first recall the efficient mID-KEM that was proposed by Delerablée [10] in 2007, and then construct the most efficient centralized GKM scheme proposed to date using this mID-KEM. This is the first efficient and scalable GKM scheme to achieve a constant size rekeying message.

A. Delerablée's mID-KEM

Setup(k, N) — Given the security parameter k and the maximum number of receivers N, a bilinear map group system B = (p, G_1, G_2, G_T, ê(·, ·)) is constructed such that |p| = k. Also, two generators f ∈ G_1 and h ∈ G_2 and a secret value γ ∈ Z*_p are randomly selected. Choose a cryptographic hash function H : {0, 1}* → Z*_p. The master secret key is defined as MSK = (f, γ). The public key is PK = (ω, v, h, h^γ, …, h^{γ^N}) where ω = f^γ, and v = ê(f, h).

Extract(MSK, ID_i, PK) — Given MSK = (f, γ), the public key PK and the identity ID_i, this algorithm outputs SK_{ID_i} = f^{1/(γ + H(ID_i))}.

Encapsulate(S, PK) — Assume for notational simplicity that S = {ID_j}_{j=1}^{s}, with s ≤ N. Given PK, this algorithm randomly picks α ∈ Z*_p and computes Hdr = (C_1, C_2) and DEK ∈ K where

$$C_1 = \omega^{-\alpha}, \qquad C_2 = h^{\alpha \cdot \prod_{i=1}^{s} (\gamma + H(ID_i))}, \qquad DEK = v^{\alpha}$$

and outputs (Hdr, DEK).

Decapsulate(S, ID_i, SK_{ID_i}, Hdr, PK) — In order to retrieve the DEK encapsulated in the header Hdr = (C_1, C_2), the user with identity ID_i and the corresponding private key SK_{ID_i} = f^{1/(γ + H(ID_i))} (with ID_i ∈ S) computes the data encryption key as follows.

$$DEK = \Big( \hat{e}\big(C_1, h^{p_{i,S}(\gamma)}\big) \cdot \hat{e}\big(sk_{ID_i}, C_2\big) \Big)^{\frac{1}{\prod_{j=1, j \neq i}^{s} H(ID_j)}}$$

with

$$p_{i,S}(\gamma) = \frac{1}{\gamma} \cdot \left( \prod_{j=1, j \neq i}^{s} (\gamma + H(ID_j)) - \prod_{j=1, j \neq i}^{s} H(ID_j) \right)$$
Delerablée has shown this scheme to be secure against static chosen plaintext attacks. Because of this, the centralized GKM scheme that we derive from this mID-KEM will also enjoy only identity-static CPA security. However, our GKM scheme will be secure against time-adaptive attacks. As noted in [10], her mID-KEM can be converted to one that is secure against chosen ciphertext attacks by using the result of [26], on using which the resultant GKM scheme would also be CCA secure.

B. The Centralized GKM Scheme from Delerablée

Now, we present, without much ado, the identity-static, time-adaptive CPA secure centralized GKM scheme that is constructed out of Delerablée's mID-KEM. While describing this GKM scheme, we follow the general framework that we presented in Section III.

Setup(k, N, S_init)
• Input. Take as input the security parameter k, the maximum number of group members N, and the set S_init of the identities of initial group members.
• A bilinear map group system B = (p, G_1, G_2, G_T, ê(·, ·)) is constructed such that |p| = k.
• Two generators f ∈ G_1 and h ∈ G_2 and a secret value γ ∈ Z*_p are randomly selected.
• Choose a cryptographic hash function H : {0, 1}* → Z*_p and a one-way function F : Z*_p → Z*_p.
• Pick a random g ∈ Z*_p, a seed for the one-way function.
• The master secret key is defined as MSK = (f, γ, g) and PK = (ω, v, h, h^γ, …, h^{γ^N}, H, F) is the public key, where ω = f^γ, and v = ê(f, h).
• Choose a data encryption key DEK at random from the key space K.
• Compute SK_i = (f^{1/(γ + H(ID_i))}, g) for all ID_i ∈ S_init and securely send these keys to the corresponding members. Also send the initial DEK securely to these members.

Rekey(S, PK)
• Input. Take as input the set S of the identities of current group members, and the public key PK.
• Pick a random r ∈ Z*_p and update the dynamic key by using the one-way function F as g ← r · F(g).
• Compute, for a random α ∈ Z*_p,

$$C_1 = \omega^{-\alpha}, \qquad C_2 = h^{\alpha \cdot \prod_{i=1}^{s} (\gamma + H(ID_i))}, \qquad DEK = v^{\alpha}$$

• Construct Hdr_GKM = ⟨Hdr ⊕ g, r⟩, where Hdr = (C_1, C_2), and broadcast it to the group.
• Every group member parses Hdr_GKM as (C_0, r), updates the second component of his secret key (the dynamic key) as g ← r · F(g), and securely erases any copies of older g values.
• Every group member with identity ID_i will retrieve Hdr = C_0 ⊕ g, parse Hdr = (C_1, C_2), and compute

$$DEK = \Big( \hat{e}\big(C_1, h^{p_{i,S}(\gamma)}\big) \cdot \hat{e}\big(sk_{ID_i}, C_2\big) \Big)^{\frac{1}{\prod_{j=1, j \neq i}^{s} H(ID_j)}}$$

with

$$p_{i,S}(\gamma) = \frac{1}{\gamma} \cdot \left( \prod_{j=1, j \neq i}^{s} (\gamma + H(ID_j)) - \prod_{j=1, j \neq i}^{s} H(ID_j) \right)$$

to obtain DEK.

Join(ID_i, S, PK)
• Input. Take as input the identity ID_i of a member who wishes to join the group, the set S of identities of current group members, and the public key PK.
• The joining member establishes a secure connection with the CA, who may perform some checks before authorizing the member to join the group. If authorized, compute SK_i = (f^{1/(γ + H(ID_i))}, g) and securely send it to the joining member.
• Update the set of identities of current group members as S ← S ∪ {ID_i}.
• Run Rekey(S, PK).

Leave(L, S, PK)
• Input. Take as input the set L of identities of members who wish to leave the group or are revoked, the set S of identities of current group members, and the public key PK.
• Update the set of identities of current group members as S ← S − L.
• Run Rekey(S, PK).

IX. CONCLUSION

In this paper, we have identified the lack of a formal framework and security model for Group Key Management. To fill this gap, we proposed a generic framework for GKM and a fitting formal security model in which we defined the vital security properties that any GKM scheme should satisfy. We have also shown how to convert any multi-receiver ID-based key encapsulation mechanism to a centralized GKM scheme and formally prove its security properties, assuming the security of the mID-KEM and the existence of one-way functions. Future work can now concentrate on the relatively simpler problem of constructing mID-KEMs which are efficient and secure against adaptive attacks. Though simple and efficient, a drawback of our generic conversion is that the GKM inherits the security strength of the underlying mID-KEM only up to CCA. The generic conversion from mID-KEM to GKM would be complete if the security inheritance of the resulting GKM went further, to CCA2. Another open problem is to investigate if mKEMs (that are not ID-based) can also be converted to GKM schemes. Decentralized schemes come in handy when the system becomes huge and there is pressure on the central authority who manages the entire group. While some form of formal framework and security models do exist for decentralized GKM in the form of security models for Dynamic Group Key Exchange (which is a larger class of protocols) in [22], it is nevertheless worthwhile to investigate if a simpler, more personalized security model for decentralized GKM can be derived by extending that of centralized GKM.
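The Setup, Rekey, Join and Leave procedures of Section VIII.B, as an added runnable illustration; this is not code from the paper or from Delerablée's scheme. The GKM layer is implemented as the paper describes it: the dynamic key evolves as g ← r · F(g) in Z*_p, the rekey message is Hdr_GKM = ⟨Hdr ⊕ g, r⟩, a joining member receives the current g over a secure channel, and members discard old g values after each update. Everything else is an assumption made to keep the example self-contained and offline: p is the prime 2^127 − 1, F is SHA-256 reduced into Z*_p, "Hdr ⊕ g" expands g into a keystream because the header is a byte string, the pairing-based mID-KEM is replaced by a symmetric stand-in (per-identity HMAC keys, one wrap of the DEK per recipient) that keeps only the multi-receiver interface, and the current member set S is assumed to be announced alongside each broadcast. All names (CentralAuthority, Member, kem_encapsulate, recover_r, demo, the identities alice/bob/carol/dave) are hypothetical.

```python
import hashlib
import hmac
import secrets

P = (1 << 127) - 1  # prime standing in for the group order p (|p| = k); an assumption

def F(g: int) -> int:
    """One-way function F : Z*_p -> Z*_p, instantiated here with SHA-256 (assumption)."""
    d = hashlib.sha256(g.to_bytes(16, "big")).digest()
    return int.from_bytes(d, "big") % (P - 1) + 1  # always lands in 1..p-1

def keystream(g: int, n: int) -> bytes:
    """Expand g to n bytes so that 'Hdr XOR g' is defined for a byte-string header."""
    blocks = (hashlib.sha256(g.to_bytes(16, "big") + i.to_bytes(4, "big")).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# Stand-in multi-receiver KEM (symmetric; msk held only by the CA). NOT Delerablee's scheme.
def kem_extract(msk: bytes, ident: str) -> bytes:
    return hmac.new(msk, ident.encode(), hashlib.sha256).digest()

def kem_encapsulate(msk: bytes, S):
    """Hdr = nonce || one 32-byte wrap of the fresh DEK per identity in sorted(S)."""
    dek, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
    hdr = nonce
    for ident in sorted(S):
        hdr += xor(dek, hmac.new(kem_extract(msk, ident), nonce, hashlib.sha256).digest())
    return hdr, dek

def kem_decapsulate(S, ident: str, sk_id: bytes, hdr: bytes):
    """Only identities in S have a wrap to open; anyone else gets None."""
    if ident not in S:
        return None
    i = sorted(S).index(ident)
    return xor(hdr[16 + 32 * i:48 + 32 * i], hmac.new(sk_id, hdr[:16], hashlib.sha256).digest())

class CentralAuthority:  # CA side of Setup / Rekey / Join / Leave
    def __init__(self, s_init):
        self.msk = secrets.token_bytes(32)      # MSK^{mID-KEM}
        self.g = secrets.randbelow(P - 1) + 1   # seed g of the one-way chain
        self.S = set(s_init)
        self.dek = secrets.token_bytes(32)      # initial DEK, handed out securely at Setup

    def issue_key(self, ident):  # SK_i = (SK^{mID-KEM}_{ID_i}, current g), over a secure channel
        return kem_extract(self.msk, ident), self.g

    def rekey(self):
        r = secrets.randbelow(P - 1) + 1
        self.g = r * F(self.g) % P  # g <- r * F(g)
        hdr, self.dek = kem_encapsulate(self.msk, self.S)
        return xor(hdr, keystream(self.g, len(hdr))), r  # Hdr_GKM = <Hdr XOR g, r>

    def join(self, ident):
        sk = self.issue_key(ident)  # the joiner receives the pre-rekey g and then advances it
        self.S.add(ident)
        return sk, self.rekey()

    def leave(self, L):
        self.S -= set(L)
        return self.rekey()

class Member:
    def __init__(self, ident, sk):
        self.ident, (self.sk_id, self.g) = ident, sk

    def process(self, hdr_gkm, S):  # S: current membership, assumed announced with Hdr_GKM
        c0, r = hdr_gkm
        self.g = r * F(self.g) % P  # advance the dynamic key; the old g is erased
        return kem_decapsulate(S, self.ident, self.sk_id, xor(c0, keystream(self.g, len(c0))))

def recover_r(g_prev: int, g_now: int) -> int:
    """Footnote 14: r = g_now * F(g_prev)^-1 in Z*_p, readable off two entries of L_g."""
    return g_now * pow(F(g_prev), -1, P) % P

def demo():
    ca = CentralAuthority(["alice", "bob", "carol"])
    m = {i: Member(i, ca.issue_key(i)) for i in ca.S}
    g0 = ca.g
    h1 = ca.rekey()
    S1, dek1, g1 = set(ca.S), ca.dek, ca.g
    all_ok = all(m[i].process(h1, S1) == dek1 for i in m)
    h2 = ca.leave(["bob"])
    S2, dek2 = set(ca.S), ca.dek
    leave_ok = m["bob"].process(h2, S2) is None and all(
        m[i].process(h2, S2) == dek2 for i in ("alice", "carol"))
    sk_d, h3 = ca.join("dave")
    S3, dek3 = set(ca.S), ca.dek
    m["dave"] = Member("dave", sk_d)
    join_ok = all(m[i].process(h3, S3) == dek3 for i in ("alice", "carol", "dave"))
    # Perfect forward secrecy (the Theorem 3 setting): alice is corrupted after t3, so the
    # attacker holds (sk_alice, g_t3) and the recorded h1; g_t1 is reachable only by inverting F.
    sk_a, g_t3 = m["alice"].sk_id, m["alice"].g
    guess = kem_decapsulate(S1, "alice", sk_a, xor(h1[0], keystream(g_t3, len(h1[0]))))
    return {"all_members_recover_dek": all_ok, "leave_blocks_only_the_leaver": leave_ok,
            "join_gives_current_dek": join_ok,
            "corrupted_current_key_hides_past_dek": guess is not None and guess != dek1,
            "r_recoverable_from_chain": recover_r(g0, g1) == h1[1]}
```

demo() walks through one Rekey, a Leave, a Join and a key compromise after the fact: the removed member cannot open the new header because the KEM carries no wrap for him, the joiner opens only the header issued after his arrival, and a member's key captured later does not unmask an earlier header, since g_{t_Corrupt} = r · F(g_{t_Corrupt^−}) exposes only F of the older value. recover_r is the identity from footnote 14 that the simulators rely on to recompute r from two consecutive entries of L_g.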
REFERENCES

[1] B. Quinn, "IP Multicast Applications: Challenges and Solutions," draft-quinn-multicastapps-00.txt, November 1998.
[2] A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone, Handbook of Applied Cryptography. CRC Press, 1996.
[3] S. Rafaeli and D. Hutchison, "A Survey of Key Management for Secure Group Communication," ACM Comput. Surv., vol. 35, no. 3, pp. 309–329, 2003.
[4] N. P. Smart, "Efficient key encapsulation to multiple parties," in SCN, 2004, pp. 208–219.
[5] J. Baek, R. Safavi-Naini, and W. Susilo, "Efficient multi-receiver identity-based encryption and its application to broadcast encryption," in Public Key Cryptography, 2005, pp. 380–397.
[6] M. Barbosa and P. Farshim, "Efficient identity-based key encapsulation to multiple parties," in IMA Int. Conf., 2005, pp. 428–441.
[7] S. Chatterjee and P. Sarkar, "Multi-receiver identity-based key encapsulation with shortened ciphertext," in INDOCRYPT, 2006, pp. 394–408.
[8] M. Abdalla, E. Kiltz, and G. Neven, "Generalized key delegation for hierarchical identity-based encryption," in ESORICS, 2007, pp. 139–154.
[9] R. Sakai and J. Furukawa, "Identity-based broadcast encryption," Cryptology ePrint Archive, Report 2007/217, 2007.
[10] C. Delerablée, "Identity-based broadcast encryption with constant size ciphertexts and private keys," in ASIACRYPT, 2007, pp. 200–215.
[11] H. Harney and C. Muckenhirn, Group Key Management Protocol (GKMP) Specification. United States: RFC Editor, 1997.
[12] C. K. Wong, M. G. Gouda, and S. S. Lam, "Secure Group Communications using Key Graphs," IEEE/ACM Trans. Netw., vol. 8, no. 1, pp. 16–30, 2000.
[13] A. T. Sherman and D. A. McGrew, "Key Establishment in Large Dynamic Groups Using One-Way Function Trees," IEEE Trans. Softw. Eng., vol. 29, no. 5, pp. 444–458, 2003.
[14] R. Canetti, J. Garay, G. Itkis, D. Micciancio, M. Naor, and B. Pinkas, "Multicast Security: A Taxonomy and Some Efficient Constructions," in Proceedings of the IEEE INFOCOM, vol. 2, 1999, pp. 708–716.
[15] R. Canetti, T. Malkin, and K. Nissim, "Efficient Communication-Storage Tradeoffs for Multicast Encryption," in EUROCRYPT. New York, NY, USA: Springer-Verlag New York, Inc., 1999, pp. 459–474.
[16] G.-H. Chiou and W.-T. Chen, "Secure broadcasting using the secure lock," IEEE Trans. Softw. Eng., vol. 15, no. 8, pp. 929–934, 1989.
[17] M. Steiner, G. Tsudik, and M. Waidner, "Cliques: A new approach to group key agreement," in ICDCS, 1998, pp. 380–387.
[18] R. Molva and A. Pannetrat, "Scalable multicast security in dynamic groups," in ACM Conference on Computer and Communications Security, 1999, pp. 101–112.
[19] M. Waldvogel, G. Caronni, D. Sun, N. Weiler, and B. Plattner, "The VersaKey Framework: Versatile Group Key Management," IEEE Journal on Selected Areas in Communications, vol. 17, no. 9, pp. 1614–1631, Sep. 1999.
[20] I. Chang, R. Engel, D. D. Kandlur, D. E. Pendarakis, and D. Saha, "Key management for secure internet multicast using boolean function minimization techniques," in INFOCOM, 1999, pp. 689–698.
[21] L. Cheung, J. A. Cooley, R. Khazan, and C. Newport, "Collusion-Resistant Group Key Management Using Attribute-Based Encryption," in 1st International Workshop on Group-Oriented Cryptographic Protocols, 2007.
[22] M. Manulis, Provably Secure Group Key Exchange. Europäischer Universitätsverlag, 2007.
[23] G. Steel, "Group protocol attacks," 2006.
[24] D. Boneh and M. K. Franklin, "Identity-Based Encryption from the Weil Pairing," in CRYPTO, 2001, pp. 213–229.
[25] S. D. Galbraith, K. Harrison, and D. Soldera, "Implementing the Tate Pairing," in ANTS. Springer-Verlag, 2002, pp. 324–337.
[26] R. Canetti, S. Halevi, and J. Katz, "Chosen-ciphertext security from identity-based encryption," in EUROCRYPT, 2004, pp. 207–222.