
Security

 

Recall that we defined the desired security properties in section 4. Our goal is to show that TGDH offers group key secrecy as well as weak forward and backward secrecy.

Group key secrecy means that even an attacker who knows all blinded keys cannot derive the group key. This property has been proven in the random-oracle model [5]. The proof itself can be found in a companion technical report [8]. (Due to size constraints we are unable to include it in this paper.) We also refer the reader to the proof of Becker and Wille [4]. Their group key is very similar to our TGDH key and the accompanying proof is applicable to TGDH. In brief, they show that group key secrecy is reducible to the Decision Diffie-Hellman (DDH) problem [10].

We now give an informal argument that TGDH satisfies weak forward and backward secrecy. We first consider weak backward secrecy, which states that a new member who knows the current group key cannot derive any previous group key.

The group key secrecy property implies that the group key cannot be derived from the blinded keys alone. At least one secret key K is needed to compute all secret keys from K up to the root key. Hence, we need to show that the joining member M cannot obtain any keys of the previous key tree. First, M picks its secret share r, blinds it and broadcasts the blinded share as part of its join request. Once M receives all blinded keys on its co-path, it can compute all secret keys on its key path. Clearly, all these keys will contain M's contribution (r); hence, they are independent of previous secret keys on that path. Therefore, M cannot derive any previous keys.

Similarly, we show that TGDH provides weak forward secrecy. When a member M leaves the group, the rightmost member of the subtree rooted at the sibling node changes its secret share, M's leaf node is deleted and its parent node is replaced with its sibling node. This operation causes all of M's contribution to be removed from each key on M's former key path. Hence, M only knows all blinded keys, and the group key secrecy property prevents M from deriving the new group key.
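The key-path mechanics behind both arguments, as an added example that is not code from the paper: it shows which values each party combines on a join and a leave, and is not a proof of secrecy. The modulus P, the base G, the nested-tuple tree and all function names are assumptions made for this sketch, and the join leaves the existing members' shares unchanged.

```python
import secrets

P = 2**127 - 1  # toy prime modulus (constructed; far too small for real use)
G = 3           # assumed base for the illustration

def blind(k):
    """Blinded key BK = G^K mod P, the only value that is ever broadcast."""
    return pow(G, k, P)

def subtree_key(t):
    """Secret key of a node: a leaf is an int share, an inner node a (left, right) pair."""
    if isinstance(t, int):
        return t
    left, right = t
    return pow(blind(subtree_key(right)), subtree_key(left), P)

def key_from_path(share, copath_bks):
    """What one member computes: own share plus co-path blinded keys, leaf to root."""
    k = share
    for bk in copath_bks:
        k = pow(bk, k, P)
    return k

def new_share():
    return secrets.randbelow(P - 3) + 2

def demo():
    m1, m2, m3 = new_share(), new_share(), new_share()
    k_before = subtree_key(((m1, m2), m3))

    # Join: M4 contributes r and is inserted next to M3.
    r = new_share()
    k_join = subtree_key(((m1, m2), (m3, r)))
    # M4 only uses r and the blinded keys on its co-path.
    m4_view = key_from_path(r, [blind(m3), blind(subtree_key((m1, m2)))])

    # Leave: M2 departs; its sibling M1 (rightmost member of the sibling
    # subtree) picks a fresh share and takes the place of the old parent.
    m1_new = new_share()
    k_leave = subtree_key((m1_new, (m3, r)))
    # M2 replays its old path with its old share and the new blinded keys.
    m2_replay = key_from_path(m2, [blind(m1_new), blind(subtree_key((m3, r)))])
    return k_before, k_join, m4_view, k_leave, m2_replay

if __name__ == "__main__":
    k_before, k_join, m4_view, k_leave, m2_replay = demo()
    print("M4 agrees on the new key:", m4_view == k_join)
    print("join changed the key:", k_join != k_before)
    print("leave changed the key:", k_leave != k_join)
    print("M2 replay misses the new key:", m2_replay != k_leave)
```
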



Adrian Perrig
Fri Sep 1 21:02:14 PDT 2000