- ...Kim
- Research supported by the Defense Advanced Research Project Agency,
Information Technology Office (DARPA-ITO), under contract DABT63-97-C-0031.
- ...Perrig
- This publication was supported in part by Contract Number
102590-98-C-3513 from the United States Postal Service. The contents of
this publication are solely the responsibility of the author and do not
necessarily reflect the official views of the United States Postal Service.
- ...trees,
- Note that the tree needs to be binary, since our protocol uses
the two-party Diffie-Hellman key exchange to derive a node key from
the contribution of the two children.
- ...nodes.
- Even though the key tree is
not balanced, we assume a perfectly balanced tree for node numbering.
Thus, a node's left and right children have indexes
and , respectively.
- ...share
- This prevents the
group from reusing old keys. For example, if a member joins and immediately
leaves, the group key would be the same before the join and after the leave.
Although, in practice, this is not always a problem and might even be a
desirable feature, we choose to err on the side of caution and change the key.
In more concrete terms, changing the key upon all membership changes preserves
key independence [16, 3].
- ...sponsor.
- The terms group controller or group leader would be a
misnomer because they are too strong in this context.
- ...keys.
- Alternatively, we may broadcast only blinded keys which have been
changed after the join to reduce the bandwidth. However, we need to send, at
least, the whole tree to the new member in this case.
- ...tree.
- To impose an ordering on the two trees, we compare the
identifiers of the sponsors.
- ...tree.
- The rationale for this
policy is explained in section 5.6.
- ...events.
- In GDH.2,
merge requires rounds and exponentiations, where is the
number of new members.