1 Introduction
Secure group communications are useful in both wired and wireless networks, because they facilitate protected transmission of messages from a sender to multiple receivers. One important property of secure group communications is to ensure that only the legitimate members (or users, receivers) can have access to the multicast or broadcast data. There have been many secure group communication schemes in the setting of wired networks; popular ones include the stateful LKH [28, 27] and OFT [25, 2] as well as stateless ones [22, 12]. These schemes can be directly adopted in, or appropriately adapted to, the setting of wireless networks such as mobile ad hoc networks (MANETs) and sensor networks. The core component of a secure group communication scheme is its key management method. A common feature among these schemes’ key management methods is that each user holds a set of keys that are then utilized to help establish some group keys (which are common to all the group members and are used to encrypt actual messages).
In this paper we show that these group communication schemes, or more specifically their key management methods, are subject to the following attack: An outside adversary who compromises a certain legitimate group member could obtain all past and present group keys (and thus the data encrypted using these keys). This is in sharp contrast to the widelyaccepted belief that such an adversary can only obtain the present group key. This attack is powerful also because it provides the adversary the following flexibility: There are potentially many legitimate group members such that compromising any (or a small number) of them leads to the exposure of both past and present group keys. This flexibility may be particularly relevant in the setting of MANETs and sensor networks because they are typically deployed in a small area and the adversary can capture and compromise the easiesttoobtain node(s).
1.1 Motivating Problems
Now we explore some attack scenarios against the stateful LKH [28, 27] and OFT [25, 2], and against stateless ones [22, 12]. The emphasis is on the case of LKH.
Vulnerability of the LKH and LKH+ schemes: Let’s first briefly review the LKH group communication scheme. Following the notations of [28], we let
denote that sends the users (via multicast or unicast) the encryption of plaintext using key , namely the ciphertext .
Consider the simple scenario, as shown in Figure 1.(a), of a group consisting of a key server and users . The server is responsible for initiating and maintaining the group in the presence of user dynamics (i.e., joins and leaves). The keys are organized as a key tree, where the leaves are the users and the inner nodes are the keys. Moreover, each user holds the keys corresponding to the inner nodes on the path starting from the parent of the user and ending at the root. For example, in Figure 1.(a), user holds keys , , and , where is the group key that can be used to encrypt the communications within the group.
In order to maintain secure communications, each join or leave would require the key server to change some keys that also need to be securely distributed to certain users (via some rekeying messages
). Ignoring for a moment certain details such as authorization of joining the group and authentication of the messages sent by the key server, in what follows we explain how the key server responds to group dynamics.
After granting a join request from user , server shares a key with user . Certain keys need to be changed and sent to certain relevant users. As shown in Figure 1.(b), in order to prevent from accessing past communications, and are changed to and , respectively. Moreover, the new group key needs to be securely sent to users , and needs to be securely sent to users , , and . One efficient way to do this is the following algorithm (which corresponds to the socalled grouporiented rekeying strategy):
Furthermore, is securely erased by , and is securely erased by and .
Now suppose leaves. To prevent from accessing future communications, as shown in Figure 1.(c), server needs to change and to and , respectively. Moreover, the new group key needs to be securely sent to users , and needs to be securely sent to and . One efficient way to do this is the following algorithm (which also corresponds to the grouporiented rekeying strategy):
Furthermore, is securely erased by , and is securely erased by and .
Now suppose leaves also. To prevent from accessing future communications, as shown in Figure 1.(d), server needs to change and to and , respectively. Moreover, the new group key needs to be securely sent to users , and needs to be securely sent to users and . One efficient way to do this is the following algorithm (which also corresponds to the grouporiented rekeying strategy):
Furthermore, is securely erased by , and is securely erased by and .
Given the above system setting, let us now examine the consequences of a legitimate user being compromised.

Suppose an adversary compromises user . It is of course true that the adversary is able to obtain the present group key , no matter how the group rekeying scheme works. Moreover, the adversary can obtain and . We observe that the adversary who has recorded the network traffic is also able to obtain the past group keys and , because it can decrypt the messages incurred by the events that joins the group and that leaves the group:
We stress that this is true even though the past group keys and were securely erased by . As a consequence, the adversary can decrypt the communications encrypted using the past and present group keys , , and . We notice that the initial group key is never accessible to .

Suppose an adversary compromises user . Then, the adversary knows , , and . Note that the adversary can obtain from the recorded traffic corresponding to the event that leaves the group:
We stress that this is true even though the past group key was securely erased by . We notice that the above analysis is based on the implicit assumption that the initial group key was “magically” sent to . In practice, might have been sent to via its individual key . This means that the adversary can obtain , and thus through the recorded traffic corresponding to the event that joins the group:
As a consequence, all past and present group keys, namely , , and , are compromised even if the first three were securely erased by .

Suppose is compromised. Then, the adversary knows , , and . Further, if was sent to through an encryption using its individual key , then is exposed. Moreover, can be obtained by the adversary from the recorded traffic corresponding to the event that joins the group:
As a consequence, the past and present group keys, namely , and are compromised, even if they were securely erased by .
A similar analysis applies to the case that is compromised.

Suppose is compromised. Then , , and are obtained by the adversary. This means that the adversary can further obtain from the recorded traffic corresponding to the event that leaves the group:
Further, the above analysis is based on the implicit assumption that the initial group key was “magically” sent to . In practice, might have been sent to via its individual key . This means that the adversary can obtain , and thus through the recorded traffic corresponding to the event that joins the group:
As a consequence, all past and present group keys, namely , , and , are compromised even if the first three were securely erased by .
A similar analysis applies to the case that or is compromised.
In summary, the above discussion shows, in sharp contrast to the desired property that the adversary can only obtain the present group key , that compromising any of could lead to the exposure of all past and present group keys, and compromising any of leads to the exposure of most past and present group keys. This means that the adversary has considerable flexibility in selecting the weakest node(s) to compromise. Finally, we remark that the attack is not fundamentally related to the grouporiented rekeying strategy, and that LKH+ [26], which was seemingly motivated from an efficiency perspective, resolves only a piece of the problem because the above attack remains effective when the group dynamics are incurred by leaving events.
Remark 1
While there could be other methods to bootstrap the initial keys (e.g., is not protected by ), the following scenario would still support the above conclusion. Suppose at system initialization there is no user but the server, then users join the system one by one via LKH’s join protocol (cf. Appendix A). In this case, transmission of group keys is always protected by individual keys, meaning that compromise of some user (or users) could lead to the exposure of all past and present group keys.
Remark 2
One may observe that the compromise of past group keys may not be a serious problem. This is so because if a node stored all the past communication content, it will be leaked to the adversary when the node is compromised. However, there are situations, such as sensitive applications, where the nodes do not, or even are not allowed to, store past communication content. We notice that this issue is also relevant to [4, 7].
Vulnerability of the Oneway Function Tree (OFT) scheme: OFT [25, 2] is a stateful group communication scheme. The basic idea underlying the OFT scheme is the following (we refer the reader to [25, 2] for details). The center maintains a binary tree, each node of which is associated with two cryptographic keys: a node key and a blinded node key , where is an appropriate oneway function. Every leaf of the tree is associated with a group member, and the center assigns a randomly chosen key to each member . Let be a “mixing” function (e.g., ). The interior node keys are defined by the rule
where and are the left and right children of the node , respectively. This way, the node key associated with the root of the tree is the group key. In order for a member to derive the group key, the center (or server, sender) sends the blinded node keys of nodes adjacent to the nodes on (i.e., of the nodes “hanging” off) the path from to the root.
When a new member joins the group, an existing leaf node is split, the member associated with is now associated with , and the new member is associated with . Both members are given new keys. The new blinded node keys that have been changed are securely sent to the appropriate subgroups of members.
When the member associated with a node is evicted from the group, the member assigned to the sibling of is reassigned to the parent of and given a new leaf key. If the sibling of is the root of a subtree, then becomes , moving the subtree closer to the root, and one of the leaves of this subtree is given a new key. The new blinded node keys are securely sent to the appropriate subgroups of members.
Now we show why the OFT scheme is also vulnerable to a similar attack. The key observation is that whenever there is a change to any blinded node key, the center needs to securely send the new blinded node keys to certain other legitimate nodes. It seems that any reasonable method would be based on the keys possessed by the respective nodes (e.g., ). Since can derive the new group key after receiving the rekeying message, an outsider adversary could use the following strategy to recover the group key: it first records the rekeying message, and then breaks into ’s computer after the next rekeying event (assuming that is still legitimate). Moreover, compromising any of the nodes that have not been evicted enables the adversary to recover past and present group keys.
Vulnerability of the stateless subsetcover framework: Naor et al. [22] presented the first practical stateless group communication scheme, which has its roots in broadcast encryption [9]. Compared with the stateful group communication schemes discussed above, stateless schemes have the nice feature that they do not assume the receivers (or users, members) being always online. Since the receivers do not necessarily update their state from session to session, stateless schemes are especially good for applications over lossy channels (e.g., MANETs and sensor networks). We stress that the security analysis presented in [22] remains sound in its adversarial model; whereas the present paper considers a strictly stronger adversarial model.
The subsetcover framework of [22] is reviewed in Fig. 2, where is the set of all users, is a group of users whose decryption privileges should be revoked, and and are two appropriate symmetric key cryptosystems (whose properties will be specified later). The goal of a stateless group communication scheme is to allow a center to transmit a message to all users such that any user can decrypt the message correctly, while even a coalition consisting of all members of cannot decrypt it. Suppose are a collection of subsets of users, where for , and each is assigned a longlived key such that each should be able to deduce from its secret information . Given a revoked set , if one can partition into (ideally disjoint) sets such that , then a session key can be encrypted times with , and each user can obtain and thus .
The subsetcover framework has a vulnerability similar to the one against the stateful group schemes. Specifically, suppose an adversary records all the encrypted communications over the channels. If breaks into a legitimate user at a later point in time, then obtains , which allows it to recover the (and thus the encrypted ) that was entitled to obtain. In the extreme case that has never been revoked, can recover all past and present keys.
1.2 Our Contributions
We trace the above vulnerability of group communication schemes back to that their security models (if any) are not sufficient. We formalize two adversarial models. One is called the passive attack model, in which the adversary is passive in the sense that it is only allowed to join and leave the group in an arbitrary fashion, but not allowed to corrupt any legitimate members. This model has seemingly been implicitly adopted in the existing group communication literature. The other more realistic one is called the active outsider attack model, in which the adversary is further allowed to corrupt legitimate members. This model aids understanding and dealing with the aforementioned attack. In each of the two models, we define two security notions, namely forwardsecurity meaning that the revoked or evicted members, even if they collude, cannot obtain the future group keys, and backwardsecurity meaning that a newly admitted member cannot obtain the past group keys.^{1}^{1}1The terms follow the group communication literature (see, e.g., [28, 27]). Their meanings are indeed different from the ones adopted in the cryptographic literature [1, 3, 4]. This allows us to obtain the following interesting results about the relationships between these security notions, which are equally applicable to both stateful and stateless group communication schemes (see Sections 3.3 and 6.2, respectively).

In the active outsider attack model, backwardsecurity (also called strongsecurity) is strictly stronger than forwardsecurity (also called security). This means that in the active outsider attack model one only needs to prove the backwardsecurity property.

In the passive attack model, backwardsecurity is equivalent to forwardsecurity.

Backwardsecurity in the active outsider attack model (i.e., strongsecurity) is strictly stronger than backwardsecurity in the passive attack model. However, we do not know whether forwardsecurity in the active outsider attack model is also strictly stronger than its counterpart in the passive attack model (we only know that when the adversary is static they are equivalent).

The security achieved in existing group communication schemes (e.g., [28, 25, 22, 12]) is indeed, as we will show, forwardsecurity in the active outsider attack model (i.e., security). This has not become clear until now because there were no formal models specified before (in spite of the fact that the passive attack model has seemingly been implicitly adopted in the literature). The achieved security property is at least as strong as what we call backwardsecurity in the passive attack model, but strictly weaker than what we call backwardsecurity in the active outsider attack model (i.e., strongsecurity) — a property that blocks the attack discussed above.
Besides the above general results, we show that some practical methods can transform a subclass of the group communication schemes (including LKH [28, 27], LKH+ [26], and the complete subtree method [22]) into ones that achieve the desired strongsecurity. The methods are based on two general compilers. The extra complexity imposed by the compilers is typically that at each rekeying event a group member conducts logarithmicallymany pseudorandom function evaluations. This should not jeopardize their utility even in the setting of MANETs and sensor networks, as pseudorandom functions may be implemented with block ciphers in practice. We also present instantiations of the compilers, which lead to concrete schemes that achieve the desired strongsecurity.
Although the technical means underlying the transformation is to evolve the keys based on a secure pseudorandom function family — an idea inspired by [4], there are some subtle issues in our settings. First, we must allow the adversary to corrupt some group keys that are used to encrypt the communications before the rekeying message of interest. Of course, the corrupt members must have been revoked before that rekeying message. On the other hand, in [4] no such corruption is allowed before the event of interest. Second, from an adversary’s perspective, there could be many “valuable” users in our settings, meaning that an adversary only needs to compromise the weakest one(s) of them. Whereas, no such flexibility is given to the adversary in the setting of [4].
1.3 Related Work
LKH was independently invented in [28, 27]. Although these schemes are mainly invented for secure multicast applications, we believe that many other applications can utilize such a scheme; we refer the reader to [23, 6] for a survey, including the relationship between the schemes of [28, 27] and the schemes of [9, 22]. We notice that the stateless schemes (e.g., [22, 12]) are perhaps more useful in an environment of lossy channels. Although the LKH scheme has been extended in several directions, these extensions are motivated to improve performance rather than to achieve strictly stronger security. For example, performance can be improved by periodic group rekeying [24] or batch rekeying [19], and improved tradeoffs between storage and communication are available in [8, 6, 21]. Nevertheless, these techniques may also be utilized in our stronglysecure group communication schemes. To the best of our knowledge, our work is the first one that identifies a new and realistic attack, and presents solutions for (a subclass of) the popular group communication schemes. The variant presented in [26] (which is also known as LKH+) is similar to our performance optimization in that the communication complexity incurred by joining events can be substantially reduced. However, there was no formal treatment of the utilized key evolvement, nor was their scheme resistant against the attack introduced in Section 1.1.
While secure grouporiented communications have been extensively investigated in the setting of wired networks, their counterparts in the setting of wireless networks have yet to be thoroughly explored. Although the aforementioned schemes can be directly deployed in wireless settings, a simpleminded adoption may not lead to the desired performance (see, e.g., [31, 17]). Fortunately, there have been some interesting investigations that show that these schemes can be adapted (e.g., by taking into account some physical characteristics of ad hoc networks [18, 16, 15, 17]) so that better performance can be achieved. One of the practical values of the present paper is that the significantly improved security guarantee in the popular group communication schemes can be seamlessly integrated into the methods for improving performance [18, 16, 15, 17]. Indeed, our schemes can be easily integrated into any other methods for improving performance to achieve better security, as long as the methods assume “blackbox” access to an underlying security group communication scheme. There have been a few other attempts at securing group communications in such settings: [14] presented a scheme for secure multicast communications in MANETs based on public key cryptosystems; [31] investigated a different approach to secure group communications.
A similar study on enhancing security of public key cryptography based broadcast encryption was investigated in [30].
1.4 Outline
The rest of the paper is organized as follows. In Section 2 we briefly review some cryptographic preliminaries. In Section 3 we present formal models and security definitions of stateful group communication schemes, as well as the relationships between the security notions. In Section 4 we present a compiler for stateful group communication schemes and investigate its properties. The compiler is utilized in Section 5 to derive a concrete stronglysecure stateful group communication scheme from the merely secure LKH, which is reviewed in Appendix A for completeness. In Section 6 we explore stateless group communication schemes in parallel to their stateful counterparts. We conclude the paper in Section 7.
2 Cryptographic Preliminaries
A function is negligible if .
We will base security of group communication schemes on the security of pseudorandom function families. For a security parameter , a pseudorandom function (PRF) family parameterized by a secret value has the following property [10]: A probabilistic polynomialtime adversary has only a negligible (in ) advantage in distinguishing from a perfect random function (with the same domain and range). It is wellknown that pseudorandom functions can be naturally used to construct symmetric key encryption schemes that are secure against chosenplaintext attacks (which suffices for our treatment of LKH). Informally, this means that no adversary is able to learn any significant information about the encrypted content. We refer the reader to [13] for a thorough treatment on this subject.
Definition 2.1
(computational independence) Consider a set of secret binary strings of length , where for some polynomial . We say are computationally independent of each other if for any probabilistic polynomialtime algorithm ,
where are uniformly drawn at random, and is a negligible function.
3 Model and Definition of Stateful Secure Group Communications
In Section 3.1 we present a formal security model for stateful (and symmetric key cryptography based) group communications. In Section 3.2 we specify the adversarial models and desired security properties. In Section 3.3 we explore the relationships between the security notions.
3.1 Model
Let be a security parameter, and be the set of possible group members (i.e., users, receivers, or principals) such that is polynomiallybounded in . There is a special entity called a Group Controller (i.e., key server, center, server, or sender), denoted by , such that .
Since a stateful group communication scheme is driven by “rekeying” events (because of joining or leaving operations below), it is convenient to treat the events as occurring at “virtual time” , because the group controller is able to maintain such an execution history. This indeed accommodates the following important two cases: (1) all the parties periodically update their keys, even if there are no joining or leaving operations — this is relevant when a scheme achieves what we call strongsecurity specified below; (2) the lengths of the time periods do not have to be the same — this is the case when the rekeying events occur in an arbitrary fashion. At time , let denote the set of legitimate group members, the group key,^{2}^{2}2It is also known as a session key in the group communication literature. the set of keys held by the , the set of keys held by , and the state indicating whether has successfully received the rekeying message. Initially, , set . We assume that the treats joining and leaving operation separately (e.g., first fulfilling the leaving operation and then immediately the joining one), even if the requests are made simultaneously. This strategy has indeed been adopted in the group communication literature.
To simplify the presentation, we assume that during the system initialization (i.e., below) or the admission of a joining user, the can communicate with each legitimate member through an authenticated private channel, and that after the system initialization the can communicate with any through an authenticated channel. We notice that authenticated channels can by implemented by a digital signature scheme [28], and digital signatures are sometimes necessary [5].
We will not make any synchronization assumption about the underlying communication model, which could therefore be asynchronous [20]. However, known practical schemes (e.g., [28, 27, 8]) assume reliable delivery, which would require some (loose) clock synchronization.
A group communication scheme has the following components:
 Setup:

The group controller generates a set of keys , and distributes appropriate subsets of to the present group members (that may be determined by the adversary), , through the authenticated private channels. Each member holds a set of keys denoted by , and there is a key, that is common to all the present members, namely .
 Join:

This algorithm is executed by group controller at time, say, due to some join request(s) (we abstract away the outofband authentication and establishment of an individual key for each of the new members). It takes as input: (1) identities of previous group members, , (2) identities of newly admitted group members, , (3) keys held by the group controller, , and (4) keys held by group members, .
It outputs updated system state information, including: (1) identities of new group members, , (2) new keys for the itself, , (3) new keys for new group members, , which are sent to the legitimate users through the authenticated channels, (4) new group key .
Formally, denote it by .
 Leave:

This algorithm is executed by the group controller at time, say, due to leave or revocation operation(s). It takes as input: (1) identities of previous group members, , (2) identities of leaving group members, , (3) keys held by the controller, , and (4) keys held by group members, .
It outputs updated system state information, including: (1) identities of new group members, , (2) new keys for , , (3) new keys for new group members, , which are sent to the legitimate users through the authenticated channels, (4) a new group key .
Formally, denote it by .
 Rekey:

This algorithm is executed by the legitimate group members belonging to at time , where is derived from a Join or Leave event. Specifically, runs this algorithm upon receiving the message from the over the authenticated channel. The algorithm takes as input the received message and ’s secrets, and is supposed to output the updated keys for the group member. If the execution of the algorithm is successful, sets: (1) , (2) , where is supposed to be the new group key.
If the rekeying event is incurred by a Join event, every erases and any temporary storage after obtaining . If the rekeying event is incurred by a Leave event, every erases and any temporary storage after obtaining , and every honest leaving group member erases (although a corrupt one does not have to follow this protocol).
We require that any group communication scheme satisfy the following correctness requirement: for any and , if , then and .
3.2 Security Definitions
We consider an adversary that has complete control over all the communications in the network. To simplify the definition, we assume that the group controller is never compromised; this is not necessarily a restriction because the adversary could have compromised all the group members (and thus have obtained the secrets the group controller holds).
An adversary’s interaction with principals in the network is modeled by allowing it to have access to (some of) the following oracles:

: Send a message to at time , and output its reply, where meaning that will execute according to the corresponding protocol, and specifies the needed information for executing the protocol. Of course, the query of type Setup is only made at time .
These oracle accesses are meant to capture that the adversary can observe the reactions of the noncorrupt participants (e.g., the incurred message exchanges). For example, the adversary can let some honest (i.e., noncorrupt) users join or leave the group in question.

: Output the group key held by at time , namely .

: Output the keys held by at time , namely .

: This oracle may be queried only once, at any time during the adversary’s execution. A random bit is generated: if the adversary is given where , and if the adversary is given a random key of length .
Now we define the active outsider attack model that is strictly more powerful than the passive outsider attack model that has been implicitly utilized in the literature.
Definition 3.1
(active outsider attack model) In this model, the adversary may have access to all the oracles specified above. In particular, an “outsider” is allowed to issue an or query for some .
Definition 3.2
(passive attack model) In this model, the adversary is only allowed to make and queries. In other words, the adversary is only allowed to join and leave the group (in an arbitrary fashion though).
In each of the two models, we define two security notions: backwardsecurity and forwardsecurity. This leads to four security notions: (1) forwardsecurity in the active outsider attack model or simply security, (2) backwardsecurity in the active outsider attack model or simply strongsecurity, (3) forwardsecurity in the passive attack model, and (4) backwardsecurity in the passive attack model.
Definition 3.3
(security) Intuitively, it means that learns no information about a group key if (1) with respect to the corresponding rekeying event there is no corrupt legitimate member (this implicitly implies that all the members that were corrupted by must have been revoked), and (2) no member is corrupted by after the rekeying event. Formally, consider the following event Succ:
 (1)

The adversary can make arbitrary oracle queries at any time , except the following restrictions hold.
 (2)

The adversary queries the oracle with , and correctly guesses the bit used by the oracle in answering this query.
 (3)

There is no query for any . (Otherwise, the group key is trivially compromised.)
 (4)

For every query where , there must have been an query where . This captures that the corrupt members must have been revoked before the rekeying message at time .
 (5)

There is no query for any and .
The advantage of the adversary in attacking the group communication scheme is defined as , where
is the probability that the event
Succ occurs, and the probability is taken over the coins used by and by . We say a scheme is secure if for all probabilistic polynomialtime adversary it holds that is negligible in .Definition 3.4
(strongsecurity) Intuitively, it means that an adversary learns no information about a group key if, with respect to the rekeying event of interest there is no corrupt legitimate member (this implicitly implies that all the previously corrupt members have been revoked). Formally, consider the following event Succ:
 (1)(4)

The same as in the definition of security.
 (5)

There is no query for and . (This does not rule out that there could be some query for .)
The advantage of the adversary in attacking the group communication scheme is defined as , where is the probability that the event Succ occurs, and the probability is taken over the coins used by and by . We say a scheme is stronglysecure if for all probabilistic polynomialtime adversary it holds that is negligible in .
Definition 3.5
(forwardsecurity in the passive attack model) Intuitively, it means that , which is not allowed to make any or query, learns no information about any group key after leaving the group. Formally, consider the following event Succ:
 (1)

The adversary arbitrarily queries the oracle for any . Moreover, the adversary itself can arbitrarily join or leave the group at time , provided that the following restriction holds.
 (2)

The adversary queries the oracle, where (1) for an honest user , and (2) . Then, the adversary correctly guesses the bit used by the oracle in answering this query.
The advantage of the adversary in attacking the group communication scheme is defined as , where is the probability that the event Succ occurs, and the probability is taken over the coins used by and by . We say a scheme is secure if for all probabilistic polynomialtime adversary it holds that is negligible in .
Definition 3.6
(backwardsecurity in the passive attack model) Intuitively, it means that , which is not allowed to make any or query, learns no information about any group key before joining the group (again). Formally, consider the following event Succ:
 (1)

The adversary may arbitrarily query the oracle for any . Moreover, can arbitrarily join or leave the group at time , provided that the following restriction holds.
 (2)

The adversary queries the oracle, where (1) for an honest user , and (2) .
 (3)

The adversary queries the oracle for any . Moreover, can arbitrarily join or leave the group at time .
 (4)

The adversary correctly guesses the bit used by the oracle in answering this query.
The advantage of the adversary in attacking the group communication scheme is defined as , where is the probability that the event Succ occurs, and the probability is taken over the coins used by and by . We say a scheme is secure if for all probabilistic polynomialtime adversary it holds that is negligible in .
It is trivial to see that strongsecurity implies backwardsecurity in the passive model, and that security implies forwardsecurity in the passive attack model.
3.3 Relationships between the Security Notions
We summarize the relationships between the security notions of stateful group communication schemes in Fig. 3, where means is stronger than , means is equivalent to , means does not imply , and means it is unclear where does not imply . Below we elaborate on the nontrivial relationships showed in Fig. 3.
Proposition 3.1
If a stateful group communication scheme is stronglysecure, then it is also secure.
Proof. This is almost immediate because, on one hand, the definition of strongsecurity ensures the secrecy of even if corrupts some where , and on the other hand, the definition of security ensures the secrecy of only if does not corrupt any for any .
Proposition 3.2
A stateful group communication scheme that is secure is not necessarily strongsecure.
Proof. The fact that security does not imply strongsecurity is implied by Theorem 5.1, which states that LKH is secure, and that LKH is insecure against an active outside attacker (cf. the attack scenario in Section 1.1).
The above proposition implies that for a stateful group communication scheme, one only needs to show that it is stronglysecure.
Proposition 3.3
A stateful group communication scheme is backwardsecure in the passive attack model iff it is forwardsecure in the passive attack model.
Proof. First we show that a group communication scheme that is not forwardsecure in the passive attack model is also not backwardsecure in the passive attack model. Suppose first joins the group at time and then leaves the group at time where . Since the scheme is not forwardsecure in the passive attack model, can distinguish from a random string for some with a nonnegligible probability. Now suppose rejoins the group at time for some . Then, with respect to this rejoining event, can distinguish from a random string with a nonnegligible probability. Since did not make any or query, the scheme is not backwardsecure in the passive attack model.
Now we show that a group communication scheme that is not backwardsecure in the passive attack model is also not forwardsecure in the passive attack model. Suppose first joins the group at time , leaves the group at time , and rejoins the group at time , where . Since the scheme is not backwardsecure in the passive attack model, can distinguish from a random string for some with a nonnegligible probability. This also means that, with respect to the leaving event at time , can distinguish from a random string for some with a nonnegligible probability. Since does not make any or query, the scheme is not forwardsecure in the passive attack model.
We do not know whether forwardsecurity in the passive attack mode also implies forwardsecurity in the active outsider attack model. The relationship may seem trivial at a first glance, since all the corrupt members are revoked before the “challenge” session, and the adversary is not allowed to corrupt any member after the “challenge” session. Although it can indeed be shown that the implication holds, provided that the adversary is static (meaning that the adversary decides which principals in it will corrupt at system initialization), in the more interesting case that the adversary is adaptive, we do not know how to prove it.
Theorem 3.1
There exists a group communication scheme that is backwardsecure in the passive attack model but not stronglysecure (i.e., backwardsecure in the active outsider attack model).
Proof. Theorem 5.1 shows that LKH is secure (i.e., forwardsecure in the active outsider attack model), which trivially means that it is also forwardsecure in the passive attack model. Then, Proposition 3.3 shows that it is also backwardsecure in the passive attack model.
On the other hand, the attack scenario shown in Section 1.1 states that LKH is not backwardsecure in the active outsider attack model.
4 A Compiler for Stateful Group Communication Schemes
Suppose is a secure pseudorandom function family. Now we present a compiler that transforms a secure group communication scheme, , into a stronglysecure one, . The compiler applies to the subclass of stateful group communication schemes where the different keys belong to are computationally independent of each other, where . In what follows “a key needs to be changed” means that it should be substituted with a random key that is informationtheoretically independent of .
The key idea behind the compiler is to update the keys, which are possibly used to encrypt the new keys that need to be securely sent to the legitimate users, at each join, leave, or rekey event via an appropriate family of pseudorandom functions. As a result, compromise of a current key does not allow the adversary to recover the corresponding past keys.
 :

This is the same as .
 :

This algorithm is executed by at time, say, . Let be the set of keys that need to be changed (including the group key ), be the set of common key(s) shared between the and the joining user(s), and be the new keys (including the new group key ) that are used to replace the keys in .

Execute except for the following: (1) for every , let play the role of in ; (2) for every that is used as an encryption key in , let play the role of .

Every individual key is replaced by .

 :

This algorithm is executed by at time, say, . Let be the set of keys that need to be changed (including the group key ) or eliminated, and be the new keys (including the new group key ) that are used to replace (possibly a subset of) the keys in .

Execute except for the following: (1) for every , let play the role of in ; (2) for every that is used as an encryption key in , let play the role of .

Every individual key is replaced by .

 :

There are two cases.

The rekeying event is incurred by a Leave event at time . In this case, every honest leaving user should erase all the secrets as in , and every remaining user, , executes the following. Denote by the subset of keys that need to be changed to a set of new keys . (We notice that both and can be derived by after receiving the rekeying message and that .) First, executes except for letting play the role of under the circumstance that or is used as an encryption key, and updates every as . Second, erases the outdated keys (except ) as in .

The rekeying event is incurred by a Join event at time . We notice that user holds a set of keys (in the case of being a joining user, consists of the only common key between and ), of which a subset of keys (which may be empty) are to be changed to a set of new keys . (We notice that both and can be derived by after receiving the rekeying message and that .) First, executes

Comments
There are no comments yet.