
Related Work

 

Group key management protocols come in two different flavors: contributory key agreement protocols for small groups and centralized, server-based key distribution protocols for large groups. Since the focus of this work is on group key agreement protocols, we only consider the former below.

In one of the early results, Steer et al. propose a group key agreement protocol, referred to as STR [15], based on an extension of the two-party Diffie-Hellman (DH) key exchange. This protocol is of particular interest since its group key structure is similar to that in TGDH:

$$K_n = \alpha^{N_n \alpha^{N_{n-1} \cdots \alpha^{N_3 \alpha^{N_2 N_1}}}}.$$

STR is well-suited for adding new group members as it takes only two rounds and two modular exponentiations. Member exclusion, however, is relatively difficult (for example, consider excluding $N_1$ from the group key).
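The nested STR key can be read as a chain, $k_1 = N_1$ and $k_i = \alpha^{N_i k_{i-1}}$, with $K_n = k_n$. The following sketch is an added example, not code from the paper: it uses toy parameters and hypothetical function names to show that each member derives $K_n$ from its own session random plus public blinded values, that a member added on top needs only one blinded key, and that removing $N_1$ disturbs every level of the chain.

```python
import secrets

# Toy parameters constructed for this example; not a secure Diffie-Hellman group.
P = 2**127 - 1      # prime modulus
ALPHA = 3           # base (the paper's alpha)

def chain(N):
    """Intermediate keys k_1..k_n with k_1 = N_1 and k_i = alpha^(N_i * k_{i-1})."""
    ks = [N[0]]
    for n_i in N[1:]:
        ks.append(pow(ALPHA, n_i * ks[-1], P))
    return ks

def blind(values):
    """Public form alpha^x of each secret value x."""
    return [pow(ALPHA, x, P) for x in values]

def member_key(i, n_i, br, bk):
    """K_n as member i (0-based) derives it from its own N_i and public values:
    bk[i-1] = alpha^(k_{i-1}) from below, br[j] = alpha^(N_j) for every j above."""
    k = n_i if i == 0 else pow(bk[i - 1], n_i, P)
    for j in range(i + 1, len(br)):
        k = pow(br[j], k, P)
    return k

def demo(n=5):
    N = [secrets.randbelow(P - 2) + 1 for _ in range(n)]   # session randoms
    ks = chain(N)
    br, bk = blind(N), blind(ks)
    agree = all(member_key(i, N[i], br, bk) == ks[-1] for i in range(n))
    # Join: the newcomer sits on top and needs only bk_n; the others need only
    # the newcomer's blinded random.
    new = secrets.randbelow(P - 2) + 1
    joined = chain(N + [new])[-1]
    join_ok = pow(bk[-1], new, P) == joined == pow(blind([new])[0], ks[-1], P)
    # Dropping the top member leaves all lower levels untouched, while dropping
    # N_1 (the innermost exponent) changes the level of every remaining member.
    # (The session-random refresh a real leave would perform is ignored here.)
    top_leave_local = chain(N[:-1]) == ks[:-1]
    first_changes_all = all(a != b for a, b in zip(chain(N[1:])[1:], ks[2:]))
    return agree, join_ok, top_leave_local, first_changes_all

if __name__ == "__main__":
    print(demo())
```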

A more recent result is due to Burmester and Desmedt [6]. They construct an efficient protocol which takes only three rounds and two modular exponentiations per member to generate a group key. This efficiency allows all members to re-compute the group key for any membership change by performing this protocol. However, according to [16], most (at least half) of the members need to change their session random on every membership event. The group key in this protocol is different from STR and TGDH:

$$K_n = \alpha^{N_1 N_2 + N_2 N_3 + \ldots + N_n N_1}.$$

Becker and Wille analyze the minimal communication complexity of contributory group key agreement in general [4] and propose two protocols: octopus and hypercube. Their group key has the same structure as the key in TGDH. For example, for eight users their group key is:

$$K_n = \alpha^{\left(\alpha^{\alpha^{r_1 r_2} \alpha^{r_3 r_4}}\right)\left(\alpha^{\alpha^{r_5 r_6} \alpha^{r_7 r_8}}\right)}.$$

The Becker/Wille protocols handle join and merge operations efficiently, but the member leave operation is inefficient. Also, the hypercube protocol requires the group to be of size $2^n$ (for some integer $n$); otherwise, the efficiency slips.

Steiner et al. address dynamic membership issues [3, 16] in group key agreement and propose a family of Group Diffie-Hellman (GDH) protocols based on straightforward extensions of the two-party Diffie-Hellman. GDH provides contributory authenticated key agreement, key independence, key integrity, resistance to known key attacks, and perfect forward secrecy. Their protocol suite is fairly efficient in leave and partition operations, but the merge protocol requires as many rounds as the number of new members to complete key agreement.

Perrig extends the work of one-way function trees (OFT, originally introduced by McGrew and Sherman [9]) to design a tree-based key agreement scheme for peer groups [13]. However, this work lacked the facilities for handling group partitions and merges.

Rodeh et al. [14] propose a distributed group key distribution protocol. It tolerates network partitions and other network events. In this protocol, a specific group member (leader) chooses the group key and distributes it to all other members, hence the protocol does not offer contributory key agreement. Furthermore, it requires the leader to establish $N-1$ secure two-party channels between itself and other group members in order to securely distribute the new key. Maintaining such channels in dynamic groups can be expensive ($O(N)$ new channels need to be set up if the group leader leaves) since setting up each channel involves a separate two-party key agreement.



Adrian Perrig
Fri Sep 1 21:02:14 PDT 2000