We use the following notation:
number of protocol parties (group members) | |
-th group member; | |
height of a tree | |
-th node at level in a tree | |
's view of the key tree | |
's modified tree after membership operation | |
prime integers | |
exponentiation base |
Key trees have been suggested in the past for centralized group key
distribution systems; the work of Wallner et al. [17] is the
earliest such proposal. One of the key features of our work is the adaptation
of key trees for use in fully distributed, contributory key agreement.
Figure 1 shows an example of a key tree. The root is located
at level and the lowest leaves are at level . Since we use binary
trees,
every node is either a leaf or a parent of two nodes. The nodes are denoted
, where since
each level hosts at most nodes.
Each node is associated with the key and the
blinded key where the function is modular
exponentiation in prime order groups, i.e., (analogous
to the Diffie-Hellman protocol). Assuming a leaf node hosts
the member , then the node has 's session random key
. Furthermore, the member at node knows every
key along the path from to , referred to as the
key-path and denoted . In figure 1, if
a member owns the tree , then knows every key in and every blinded key
on . Every
key is computed recursively as follows:
For example, in figure 1, can compute and using , , and . The final group key is:
To simplify our subsequent protocol description, we introduce the term co-path, denoted as , which is the set of siblings of each node in the key-path of member For example, the co-path of member in figure 1 is the set of nodes . Consequently, every member at leaf node can derive the group secret from all blinded keys on the co-path and its session random .