Assume that a group푅푚is merged into a group퐶푛where푛≥푚,andthemerged
group퐶푛+푚=퐶푛∪푅푚.푀푠耠is the master of푅푚and푀푠is the master of퐶푛.
Step 1.푀푠耠selects a random number푥푠耠inZ푞,computes푋푠耠=푔푥푠耠modp,andupdates
the locker list into푋퐿푅={푋 1 ,푋 2 ,...,푋푚}∪푋푠耠.
(delegation)푀푠耠→푀푠:푋퐿푅
Step 2.푀푠selects random푘耠inZ푞for new group key and computes key-locks with updated locker list.
푀푠⇒퐶푛+푚:{(푋푖)푘
耠
|푖∈[1,푛+푚],푖=푠}̸
Box 4: Group merging.
Assume that a current group퐶푛is partitioned into two groups,푃푚(⊂퐶푛)and퐶푛−푚(=퐶푛\푃푚).
The master of푅푚is푀푠耠and the master of퐶푛is푀푠(∉푃푚)
Step 1.푀푠generate푋퐿푃={푋푗|푀푗∈푃푚,푗=푠}̸from푋퐿퐶.
(delegation)푀푠→푀푠耠:푋퐿푃
Step 2.푀푠and푀푠耠select random푘耠,푘耠耠inZ푞respectively and compute key-locks with their locker list.
푀푠⇒퐶푛−푚:{(푋푖)푘
耠
|푖∈[1,푛] ∧ 푀푖∉푃푚,푖=푠}̸
푀푠耠⇒푃푚:{(푋푗)푘
耠耠
|푀푗∈푃푚,푗=푠}̸
Box 5: Group partition.
푅 3 .InFigure 2, the number in a circle indicates members’
index (such as by a joined order). Before they are merged, the
number of the current group퐶is four including the group
master (i.e.,푛=4,퐶 4 ) and the number of members of
joining group is three (i.e.,푚=3,푅 3 ). To be merged, the
master of푅 3 sends the master of퐶 4 the locker list푋퐿푅for
푀 1 and푀 2 .Notethatthemaster푀푠of푅푚must forward its
locker after changing its own secret because it was used as the
former group key. The master of퐶 4 becomes the master for
the merged group. It updates푋퐿퐶and generates key-locks
푋퐿푘퐶with a new selected random푘.
As shown inFigure 3, the current group will be divided
into two groups. When the number of left members is푚,the
current group will have (푛−푚) members after the partition
process. Group partition requires one more master푀푠耠for
aseparatedsubgroup푃푚⊂퐶푛(푀푠∉푃푚). Group partition
process can be easily conducted through delegation, from the
master푀푠of group퐶푛to the fresh master푀푠耠of subgroup
푃푚.Thedividedgroupsperformagroupkeyinitialphaseafter
thedelegationprocess,asinBox 5.
3.5. Implicit Key Authentication.For the secure key authenti-
cation, the messages sent from all members should be signed
with a signature key. Hash-based signature such as message
authentication code (MAC) is fairly efficient in terms of
computation cost. However, it is too costly to share one-to-
one pairwise keys between all of group members in advance.
We assume that a member holds long-term private and
public keys certified by a trusted certificate authority (CA).
(Each member can use a different signature algorithm such
as RSA-based signature algorithm, digital signature algo-
rithm (DSA), and elliptic curve digital signature algorithm
(ECDSA). Note that some of them do not provide message
encryption; that is, it is used for message signing and
verifying. We consider that DSA is better for our scheme since
itspublickeyincludes푔푥mod푝.) The group members send to
the master the signed messages with their own private key; for
example, in the first step ofBox 1,amember,푀푖,sendstothe
master{푋푖,푆푖푔푀푖(푋푖)}which푀푖signs for푋푖with its private
key. Note that this process runs one-time at initial phase or it
can be precomputed with푋푖.
Members can obtain the group key securely by verifying
the messages of the master with signature signed with the
master’s private key. All of messages from the master come
with a master-signed signature for the origin and integrity of
a group key. For example, in the second step ofBox 1,the
master broadcasts{푋푘 1 ,푋푘 2 ,...,푋푘푛,푆푖푔푀푠(GK)}.Themaster
produces a locked set for the group key using verified
members’ locker. It implies that outsiders cannot recover the
group key from the master’s messages.
4. Evaluation
Wemeasureperformanceoftheproposedschemethrough
communication and computation cost spent for all group
members to complete group rekeying by membership change.
Table 1 shows summary of comparison with other DH-
based key management protocols: CKD, GDH, BD, STR,
and TGDH. InTable 1,푛,푚,and푝denote the number of
current group members, joining or merged-group members,
and leaving or partitioned-group members, respectively.
Therefore,푚=1or푝=1indicates the single-member event.
For TGDH, the height of the key tree is denoted asℎ,and,for
STR,푠is denoted as the index of the sponsor, which helps
other members to calculate group keys. Group merging is a
case where a group of푚members is merged into a group of푛
members (푛≥푚),andgrouppartitionisacasewhereagroup
of푛members is divided into separate subgroups:(1)agroup