We use the following notation:
number of protocol parties (group members) | |
-th group member; | |
height of a tree | |
-th node at level in a tree | |
's view of the key tree | |
's modified tree after membership operation | |
prime integers | |
exponentiation base |
Key trees have been suggested in the past for centralized group key distribution systems; the work of Wallner et al. [17] is the earliest such proposal. One of the key features of our work is the adaptation of key trees for use in fully distributed, contributory key agreement. Figure 1 shows an example of a key tree. The root is located at level and the lowest leaves are at level . Since we use binary trees, every node is either a leaf or a parent of two nodes. The nodes are denoted , where since each level hosts at most nodes. Each node is associated with the key and the blinded key where the function is modular exponentiation in prime order groups, i.e., (analogous to the Diffie-Hellman protocol). Assuming a leaf node hosts the member , then the node has 's session random key . Furthermore, the member at node knows every key along the path from to , referred to as the key-path and denoted . In figure 1, if a member owns the tree , then knows every key in and every blinded key on . Every key is computed recursively as follows:
In other words, computing a key at requires the knowledge of the key of one of the two child nodes and the blinded key of the other child node. at the root node is the group secret shared by all members. We note that this value is never used as a cryptographic key for the purposes of encryption, authentication or integrity. Instead, such keys are derived from the group secret, e.g., by setting where is a cryptographically strong hash function.For example, in figure 1, can compute and using , , and . The final group key is:
To simplify our subsequent protocol description, we introduce the term co-path, denoted as , which is the set of siblings of each node in the key-path of member For example, the co-path of member in figure 1 is the set of nodes . Consequently, every member at leaf node can derive the group secret from all blinded keys on the co-path and its session random .