Notation and Definitions

  

We use the following notation:

$N$ number of protocol parties (group members)

$M$_i $i$-th group member;

$h$ height of a tree

$l,v$ $v$-th node at level $l$ in a tree

$T$_i $M$_i's view of the key tree

$T$_i $M$_i's modified tree after membership operation

$p,q$ prime integers

$\alpha$ exponentiation base

Key trees have been suggested in the past for centralized group key distribution systems; the work of Wallner et al. [17] is the earliest such proposal. One of the key features of our work is the adaptation of key trees for use in fully distributed, contributory key agreement. Figure 1 shows an example of a key tree. The root is located at level $0$ and the lowest leaves are at level $h$. Since we use binary trees, every node is either a leaf or a parent of two nodes. The nodes are denoted $l,v$, where $0\; \le v\; \le 2l-1$ since each level $l$ hosts at most $2l$ nodes. Each node $l,v$ is associated with the key $K$_l,v and the blinded key $BK$_l,v =f(K_l,v ) where the function $f()$ is modular exponentiation in prime order groups, i.e., $f(k)=\alpha kp$ (analogous to the Diffie-Hellman protocol). Assuming a leaf node $l,v$ hosts the member $M$_i, then the node $l,v$ has $M$_i's session random key $K$_l,v . Furthermore, the member $M$_i at node $l,v$ knows every key along the path from $l,v$ to $0,0$, referred to as the key-path and denoted $KEY$_i. In figure 1, if a member $M$₂ owns the tree $T$₂, then $M$₂ knows every key $\{\; K$_3,1 , K_2,0 , K_1,0 , K_0,0 } in $KEY$₂={ 3,1 , 2,0 , 1,0 , 0,0 } and every blinded key $BK$₂={BK_0,0 , BK_1,0 ,&ldots;,BK_3,7 } on $T$₂. Every key $K$_l,v is computed recursively as follows:

$K$_l,v = (BK_l+1,2v+1 )³⁷³K_l+1,2v p = (BK_l+1,2v )³⁷⁹K_l+1,2v+1 p = K_l+1,2v K_l+1,2v+1 p = f(K_l+1,2v K_l+1,2v+1 )

In other words, computing a key at $l,v$ requires the knowledge of the key of one of the two child nodes and the blinded key of the other child node. $K$_0,0 at the root node is the group secret shared by all members. We note that this value is never used as a cryptographic key for the purposes of encryption, authentication or integrity. Instead, such keys are derived from the group secret, e.g., by setting $K$_group=h(K_0,0 ) where $h$ is a cryptographically strong hash function.

For example, in figure 1, $M$₂ can compute $K$_2,0 , K_1,0 and $K$_0,0 using $BK$_3,0 , BK_2,1 , $BK$_1,1 , and $K$_3,1 . The final group key $K$_0,0 is:

$K$_0,0 = ²{(²r₃(^<r₁r₂)} {(r₄(r₅r₆)}.

To simplify our subsequent protocol description, we introduce the term co-path, denoted as $CO$_i, which is the set of siblings of each node in the key-path of member $M$_i For example, the co-path $CO$₂ of member $M$₂ in figure 1 is the set of nodes $\{3,0\; ,\; 2,1\; ,\; 1,1\; \}$. Consequently, every member $M$_i at leaf node $l,v$ can derive the group secret $K$_0,0 from all blinded keys on the co-path $CO$_i and its session random $K$_l,v .

  
Figure 1: Notation for tree