An Efficient Group Key Agreement Protocol for Ad hoc Networks



Similar documents
Efficient Redundancy Techniques for Latency Reduction in Cloud Systems

Chapter 3 Savings, Present Value and Ricardian Equivalence

Timing Synchronization in High Mobility OFDM Systems

Things to Remember. r Complete all of the sections on the Retirement Benefit Options form that apply to your request.

Effect of Contention Window on the Performance of IEEE WLANs

Concept and Experiences on using a Wiki-based System for Software-related Seminar Papers

Research Article A Reputation-Based Identity Management Model for Cloud Computing

Software Engineering and Development

ON THE (Q, R) POLICY IN PRODUCTION-INVENTORY SYSTEMS

The transport performance evaluation system building of logistics enterprises

Ilona V. Tregub, ScD., Professor

HEALTHCARE INTEGRATION BASED ON CLOUD COMPUTING

How to recover your Exchange 2003/2007 mailboxes and s if all you have available are your PRIV1.EDB and PRIV1.STM Information Store database

Over-encryption: Management of Access Control Evolution on Outsourced Data

STUDENT RESPONSE TO ANNUITY FORMULA DERIVATION

Optimizing Content Retrieval Delay for LT-based Distributed Cloud Storage Systems

Uncertain Version Control in Open Collaborative Editing of Tree-Structured Documents

Scheduling Hadoop Jobs to Meet Deadlines

An Approach to Optimized Resource Allocation for Cloud Simulation Platform

Reduced Pattern Training Based on Task Decomposition Using Pattern Distributor

Continuous Compounding and Annualization

THE DISTRIBUTED LOCATION RESOLUTION PROBLEM AND ITS EFFICIENT SOLUTION

An Analysis of Manufacturer Benefits under Vendor Managed Systems

Energy Efficient Cache Invalidation in a Mobile Environment

UNIT CIRCLE TRIGONOMETRY

A framework for the selection of enterprise resource planning (ERP) system based on fuzzy decision making methods

Give me all I pay for Execution Guarantees in Electronic Commerce Payment Processes

Towards Automatic Update of Access Control Policy

INITIAL MARGIN CALCULATION ON DERIVATIVE MARKETS OPTION VALUATION FORMULAS

Chris J. Skinner The probability of identification: applying ideas from forensic statistics to disclosure risk assessment

Financing Terms in the EOQ Model

Secure Smartcard-Based Fingerprint Authentication

Data Center Demand Response: Avoiding the Coincident Peak via Workload Shifting and Local Generation

Optimal Peer Selection in a Free-Market Peer-Resource Economy

Episode 401: Newton s law of universal gravitation

2 r2 θ = r2 t. (3.59) The equal area law is the statement that the term in parentheses,

An Introduction to Omega

Database Management Systems

The Supply of Loanable Funds: A Comment on the Misconception and Its Implications

The Binomial Distribution

9:6.4 Sample Questions/Requests for Managing Underwriter Candidates

Questions & Answers Chapter 10 Software Reliability Prediction, Allocation and Demonstration Testing

On the Security of A Provably Secure Certificate Based Ring Signature Without Pairing

AN IMPLEMENTATION OF BINARY AND FLOATING POINT CHROMOSOME REPRESENTATION IN GENETIC ALGORITHM

MULTIPLE SOLUTIONS OF THE PRESCRIBED MEAN CURVATURE EQUATION

Analyzing Ballistic Missile Defense System Effectiveness Based on Functional Dependency Network Analysis

ENABLING INFORMATION GATHERING PATTERNS FOR EMERGENCY RESPONSE WITH THE OPENKNOWLEDGE SYSTEM

How to Encrypt Properly with RSA

Alarm transmission through Radio and GSM networks

Dual channel closed-loop supply chain coordination with a reward-driven remanufacturing policy

Peer-to-Peer File Sharing Game using Correlated Equilibrium

Power Monitoring and Control for Electric Home Appliances Based on Power Line Communication

Fixed Income Attribution: Introduction

Automatic Testing of Neighbor Discovery Protocol Based on FSM and TTCN*

An Energy Efficient and Accurate Slot Synchronization Scheme for Wireless Sensor Networks

An application of stochastic programming in solving capacity allocation and migration planning problem under uncertainty

est using the formula I = Prt, where I is the interest earned, P is the principal, r is the interest rate, and t is the time in years.

Fast FPT-algorithms for cleaning grids

Tracking/Fusion and Deghosting with Doppler Frequency from Two Passive Acoustic Sensors

Top K Nearest Keyword Search on Large Graphs

CONCEPTUAL FRAMEWORK FOR DEVELOPING AND VERIFICATION OF ATTRIBUTION MODELS. ARITHMETIC ATTRIBUTION MODELS

Modeling and Verifying a Price Model for Congestion Control in Computer Networks Using PROMELA/SPIN

Distributed Computing and Big Data: Hadoop and MapReduce

883 Brochure A5 GENE ss vernis.indd 1-2

Firstmark Credit Union Commercial Loan Department

Comparing Availability of Various Rack Power Redundancy Configurations

Channel selection in e-commerce age: A strategic analysis of co-op advertising models

YARN PROPERTIES MEASUREMENT: AN OPTICAL APPROACH

Comparing Availability of Various Rack Power Redundancy Configurations

Transmittal 198 Date: DECEMBER 9, SUBJECT: Termination of the Existing Eligibility-File Based Crossover Process at All Medicare Contractors

Memory-Aware Sizing for In-Memory Databases

They aim to select the best services that satisfy the user s. other providers infrastructures and utility services to run

A Two-Step Tabu Search Heuristic for Multi-Period Multi-Site Assignment Problem with Joint Requirement of Multiple Resource Types

Trading Volume and Serial Correlation in Stock Returns in Pakistan. Abstract

INVESTIGATION OF FLOW INSIDE AN AXIAL-FLOW PUMP OF GV IMP TYPE

Questions for Review. By buying bonds This period you save s, next period you get s(1+r)

High Availability Replication Strategy for Deduplication Storage System

SUPPORT VECTOR MACHINE FOR BANDWIDTH ANALYSIS OF SLOTTED MICROSTRIP ANTENNA

Loyalty Rewards and Gift Card Programs: Basic Actuarial Estimation Techniques

Promised Lead-Time Contracts Under Asymmetric Information

The LCOE is defined as the energy price ($ per unit of energy output) for which the Net Present Value of the investment is zero.

Cloud Service Reliability: Modeling and Analysis

VISCOSITY OF BIO-DIESEL FUELS

How To Find The Optimal Stategy For Buying Life Insuance

METHODOLOGICAL APPROACH TO STRATEGIC PERFORMANCE OPTIMIZATION

Risk Sensitive Portfolio Management With Cox-Ingersoll-Ross Interest Rates: the HJB Equation

Adaptive Queue Management with Restraint on Non-Responsive Flows

A Capacitated Commodity Trading Model with Market Power

Load Balancing in Processor Sharing Systems

Load Balancing in Processor Sharing Systems

Review Graph based Online Store Review Spammer Detection

Instructions to help you complete your enrollment form for HPHC's Medicare Supplemental Plan

The impact of migration on the provision. of UK public services (SRG ) Final Report. December 2011

Approximation Algorithms for Data Management in Networks

Deflection of Electrons by Electric and Magnetic Fields

AgentTime: A Distributed Multi-agent Software System for University s Timetabling

Office of Family Assistance. Evaluation Resource Guide for Responsible Fatherhood Programs

Experiment MF Magnetic Force

Converting knowledge Into Practice

How Much Should a Firm Borrow. Effect of tax shields. Capital Structure Theory. Capital Structure & Corporate Taxes

Transcription:

An Efficient Goup Key Ageement Potocol fo Ad hoc Netwoks Daniel Augot, Raghav haska, Valéie Issany and Daniele Sacchetti INRIA Rocquencout 78153 Le Chesnay Fance {Daniel.Augot, Raghav.haska, Valéie.Issany, Daniele.Sacchetti}@inia.f Abstact A Goup Key Ageement () potocol is a mechanism to establish a cyptogaphic key fo a goup of paticipants, based on each one s contibution, ove a public netwok. The key, thus deived, can be used to establish a secue channel between the paticipants. When the goup composition changes (o othewise), one can employ supplementay potocols to deive a new key. Thus, they ae well-suited to the key establishment needs of dynamic pee-to-pee netwoks as in ad hoc netwoks. While many of the poposed potocols ae too expensive to be employed by the constained devices often pesent in ad hoc netwoks, othes lack a fomal secuity analysis. In this pape, we pesent a simple, secue and efficient potocol well suited to dynamic ad hoc netwoks. We also pesent esults of ou implementation of the potocol in a pototype application. 1. Intoduction Ad hoc netwoks ae netwoks composed of constained devices communicating ove wieless channels in the (patial) absence of any fixed infastuctue. Moeove, netwok composition is highly dynamic with devices leaving/joining the netwok quite fequently. Secuing such netwoks becomes a moe difficult task with additional challenges in the fom of: lack of tusted thid paties, expensive communication, ease of inteception of messages and limited computational capabilities of the devices. Key establishment is a vital step in secuing in any netwok. In ad hoc netwoks, key distibution techniques ae not useful as thee is not enough tust in the netwok so as to agee on a key decided by one membe o some cental authoity. Goup Key Ageement () [8] potocols, which enable the paticipants to agee on a common secet value, based on each paticipant s public contibution, seem to povide a good solution. They don t equie the pesence of a cental authoity. Also, when the goup composition changes (as in case of mege o patition of goups), one can employ supplementay key ageement potocols to get a new goup key. Thus a tansient secue channel can be constucted duing the lifetime of one session of a goup. 1.1. Related Wok Many potocols [5, 11, 7, 4, 6, 3] have been poposed in liteatue, most being deived fom the two-paty Diffie-Hellman (DH) key ageement potocol. While some ae secue against passive advesaies only, othes do not have a igoous secuity poof. A secuity poof typically involves showing that an attack on a potocol can be used to solve a well-known had poblem unde some standad assumptions. Povably secue potocols in a well-defined model of secuity wee fist povided by esson et al. [4]. Thei secuity model extended the ealie wok of ellae et al. [1]. The numbe of ounds in these potocols is linea in the numbe of paticipants, thus making them unsuitable fo lage ad hoc netwoks. Yung et al. [6] poposed the fist povably-secue constant ound potocol inspied fom the woks of umeste et al. [5]. In the same wok, they also poposed a scalable compile to tansfom a potocol, secue against a passive advesay, into one which is secue against an active advesay. ut one ound in thei potocol consists of 1 boadcast and n 1 simultaneous eceives by each use. Achieving this is not possible in most netwoks. Also it lacks pocedues to handle goup dynamism. oyd et al. [3] poposed an efficient constant ound potocol whee the bulk of the computation is done by one paticipant, thus making it efficient fo heteogeneous ad hoc netwoks. It is povably secue in the Random Oacle model [1] but lacks pefect fowad sececy (i.e., compomise of long-tem key compomises all past session 1 keys). We popose a povably secue and efficient potocol which goup. 1 A session efes to one instance of potocol execution in some

Potocol Expo pe U i Rounds PS (Max Expo) (Messages) [11] 3 (m) m + 1 (2m 3) No [7] log 2 m + 1 log 2 m (m) No [4] i + 1 m (m) Yes [6] 3 2 (2m) Yes [9] 2 (2m ) 2 (m) Yes Ous 2 (m) 2 (m) Yes m: Numbe of paticipants : 3 ounds fo authenticated : m invese calculations o O(m 2 ) multiplications apat fom m exponentiations Table 1. Efficiency Compaison of potocols (PS: Povably Secue) achieves pefect fowad sececy as well. Subsequent to ou wok, Won et al. [9] also solve this poblem but thei poposition tuns out to be expensive computationally. In table 1, the numbe of exponentiations pe membe fo ou potocol ae compaed with some well-known potocols (including maximum numbe of exponentiations by any membe fo asymmetic potocols). Also the numbe of ounds (multiple independent messages can be sent in a ound) and total numbe of messages ae povided. 1.2. Outline The pape is oganized as follows: In Section 2, we pesent a new key ageement potocol fo ad hoc envionments. It is efficient both in communication and computation tems. Also, most of the exchanged messages ae independent of each othe, thus making it possible to collect them befoe the goup is defined. In Section 3 we pesent a secuity analysis of the same and convet it into an authenticated key ageement potocol. In Section 4, we pesent ou implementation esults. Finally, we conclude in Section 5. 2. A New Goup Key Ageement Potocol We popose a new potocol in this section. This potocol is unauthenticated and secue against passive advesaies only. We fist intoduce the notations used, illustate the basic pinciple of key exchange, followed by detailed explanation of how it is employed to deive Initial Key Ageement (IKA), Join/Mege and Delete/Patition pocedues fo ad hoc goups. 2.1. Notation G: A subgoup (of pime ode q with geneato g) of some mathematical goup. M i : i th paticipant in the cuent session. M l : The goup leade: A membe that is elected to coodinate goup-level computation such as goup-membeship and goup key management. Can be chosen andomly o by some application specific citeia. i : A andom numbe (fom [1, q 1]) geneated by membe M i fo each session. Also called the secet fo M i. g i : The blinded secet fo M i, which is a public quantity. M: The set of indices of the paticipants in the cuent session (the session being consideed). J : The set of indices of the joining paticipants (joining the cuent session). D: The set of indices of the leaving paticipants (leaving the cuent session). x y: x is assigned y. x S: x is andomly dawn fom the unifom distibution S. M i M j : {M}: M i sends message M to paticipant M j. M i M : {M}: Mi boadcasts message M to all paticipants indexed by M. 2.2. A Two Round Potocol Potocol Steps: Round 1: Each M i esponds to the initial equest, INIT, with its blinded secet g i to the initiato. Round 2: The goup composition is calculated and the goup leade M l is elected and passed all the eceived data 2. M l aises each joining membe s blinded secet to its secet ( l ) and boadcasts them along with the oiginal contibutions to the goup, i.e., it sends {g i, g i l } fo all i M \ {l}. Key Calculation: Each M i checks if its contibution is included coectly and then emoves its secet i fom g i l to get g l. The goup key is Key = g l Π i M\{l} g i l = g l(1+ i M\{l} i). Note: 1) The oiginal contibutions g i ae included in the last message as they ae equied fo key calculation in case of goup modifications (see below). 2) Even though Π i M\{l} g i l is publicly known, it is included in key computation, to deive a key composed of eveyone s contibution. The potocol is fomally defined in table 2. We now see how this potocol can be used to deive IKA, Join/Mege and Delete/Patition pocedues fo ad hoc netwoks. IKA: Secue ad hoc goup fomation pocedues typically involve pee discovey and connectivity checks befoe a 2 Note this is pat of the goup management potocol.

Round 0 j M, M j M : {INIT } Round 1 i M \ {j}, i [1, q 1], Mi M j : {g i } Round 2 l M, l [1, q 1] M l M : {g i, g i l } i M\{l} Key = g l(1+ i) i M\{l} Table 2. IKA goup key is deived. Thus, a discovey equest is issued by a membe (possibly multiple membes) and all inteested pees espond. The esponses ae collected and connectivity checks ae caied out to ensue that all membes can listen/boadcast to the goup (see fo instance [2, 10]). Afte the goup membeship is defined, pocedues ae implemented to deive a goup key. Such an appoach is quite a dain on the limited esouces of ad hoc netwok devices. Thus an appoach which integates the two sepaate pocedues of goup fomation and goup key ageement is equied. The above potocol fits well with this appoach. Round 0 and Round 1 of the above potocol can take place in the discovey stage as the exchanged messages ae independent of each othe. In this way, blinded secets, g i s, of all potential membes, M i s, ae collected befoe the goup composition is defined. When the fully connected ad hoc goup is defined, a single message (Round 2 in table 2) fom the goup leade, M l, (using contibutions of only the joining membes) helps evey membe to compute the goup key. Note that if in the goup management potocol, the initiato and the leade ae diffeent entities, the leade will be passed on all the blinded secets (along with othe management data) duing the goup management stage. An example is povided below. Suppose M 1 initiates the goup discovey and initially 5 membes expess inteest and send g 2, g 3, g 4, g 5 and g 6 espectively. Finally only 3 join because of connectivity constaints. Suppose the membes who finally join ae M 2, M 4 and M 5. Then the goup leade, say M 1, boadcasts the following message:{g 2, g 4, g 5, (g 2 ) 1, (g 4 ) 1, (g 5 ) 1 } On eceiving this message, each membe can deive g 1 using his espective secet. Thus the key g 1(1+2+4+5) can be computed. Join/Mege: Join is quite simila to IKA. Each joining membe, M i (i J ), sends a JOIN equest along with its blinded secet, g i to the existing goup. The goup leade (M l ) chooses a new andom secet, l, and sends all the blinded secets to the new goup leade 3, M l. The new 3 Fo each session, one may want to elect a new leade. Round 0 i J, i [1, q 1], M i M : {JOIN, g i } Round 1 l [1, q 1], M = M J, l M M l M l : {g i } i M\{l } Round 2 l l, l [1, q 1] M l M : {g i, g i l } i M\{l} Key = g l(1+ i) i M\{l} Table 3. Join/Mege goup leade boadcasts a message simila to the ound 2 message in IKA, i.e., all the blinded secets and the blinded secets aised to his (new) secet. It is woth noting that when a membe, whose blinded secet is public, is chosen as the goup leade, he chooses a new pai of secet and blinded secet. See table 3 fo fomal specification and below fo an example. Suppose new membes, M 9 and M 10 join the goup of M 1, M 2, M 4 and M 5 with thei contibutions g 9 and g 10 espectively. Then the pevious goup leade (M 1 ) changes its secet to 1 and sends g 1, g 2, g 4, g 5, g 9 to M 10 (say the new goup leade). M 10 geneates a new secet 10 and boadcasts the following message to the goup: {g 1, g 2, g 4, g 5, g 9, g 10 1, g 10 2, g 10 4, g 10 5, g 10 9 }. And the new key is g 10 (1+ 1 +2+4+5+9). Delete/Patition: Delete is quite simila to Join. When membes leave the goup, a new goup leade is andomly chosen fom the emaining membes and he changes his secet contibution and sends an IKA Round 2 like message to the goup, omitting the leaving membes contibutions. We omit the details. 3. Secuity Result The potocol pesented in the ealie section is povably secue against passive advesaies in the model of [4], fom whee the notations and definitions ae taken. Theoem 1: Let P be the potocol as defined above. Let A be a passive advesay making q ex = (q ika +q join +q delete ) Execute queies to the paties and unning in time t. Then Potocol P is a secue potocol. Namely: Adv A P (t, q ex) 2q ex Succ DDH (t ) whee t t + q ex P t exp, t exp is the time to pefom an exponentiation in G and P being the maximum numbe of paticipants in the potocol.

Poof: Due to lack of space, we only give a sketch of the poof. The complete poof will appea in the full vesion 4. We show that an advesay who achieves an advantage in calculating the session key, can be used to build an attacke which gains an advantage in solving an instance of the Decisional Diffie-Hellman (DDH) Poblem. The Send and Coupt queies ae not applicable as we ae dealing with a passive advesay and thee ae no long-tem secets. Thus the only elevant queies ae the Execute, Reveal and Test queies. Assume the advesay A distinguishes the session key with a pobability non-negligibly geate than 0.5. We constuct fom A a DDH attacke that eceives as input an instance D = {g, g 1, g 2, g 3 } and pedicts if it is an instance fom (g, g a, g b, g a b ) o (g, g a, g b, g c ) with a non-negligible advantage. The Attacke feeds A with elements deived fom the instance D in the eply to the Execute quey of the session fo which A will make the Test quey. So picks at andom c test fom [1, q ex ] which is its guess fo the numbe of the Execute quey, coesponding to the session, fo which A makes the Test quey. Fo all othe sessions, esponds to Execute queies with andomly geneated data. eplies to the Test quey with a session key, sk, constucted using data fom the instance D. sk is a valid session key only if the instance D is a DH tuple. Thus, if the advesay A coectly identifies sk as the session key, the tuple (g, g 1, g 2, g 3 ) is indeed a DH tuple othewise it is a andom tuple. The success pobability of is the pobability that it coectly guesses the session fo which A makes the Test quey (1/q ex ), multiplied by the success pobability of A. Thus if we denote by p the pobability of advesay A distinguishing the session key, the pobability of success of is: Succ DDH (t ) p/q ex. The unning time of is bounded by the unning time of A and the time to pefom at most P exponentiations duing q ex queies. 3.1. An authentication compile In [6], Yung et al. intoduced a scalable compile which tansfoms any potocol P, secue against passive advesay, to an authenticated potocol P, secue against an active advesay. It achieves this by enhancing the potocol to include a (pe-)ound whee eveyone boadcasts its identity and a andom nonce. Theeafte each message is accompanied by a signatue on the message, identities of the paticipants and thei nonces (see [6] fo details). Then if P is a secue potocol, then the potocol P is a secue Authenticated potocol. Namely, Theoem 2: Adv A P (t, q ex, q s ) qs 2 AdvA P (t, 1) + Adv A P (t, q ex ) + P Succ Σ (t ) + q2 s +qexqs 2 k 4 http://www.inia.f/t/index.en.html whee: q ex and q s ae the numbe of Execute and Send queies espectively. t = t + ( P q ex + q s ).t P, t P is the time to execute P. AdvP A (t, q ex, q s ): Advantage of an active advesay (A ) against the authenticated potocol P, making q ex Execute queies and q s Send queies in time t. AdvP A(t, 1): Advantage of a passive advesay (A) against the potocol P, making 1 Execute quey in time t. AdvP A(t, q ex): Advantage of a passive advesay (A) against the potocol P, making q ex Execute queies in time t. Succ DDH (t ): Success pobability of an advesay against an instance of the DDH poblem in time t. Succ Σ (t ): Success pobability of an advesay against the signatue scheme Σ in time t. and k is the secuity paamete. 3.2. Authenticated potocol Thus applying the above compile to ou potocol yields a 3-ound authenticated potocol, P with the following secuity eduction: Theoem 3: Adv A P (t, q ex, q s ) (q s + 2q ex ) Succ DDH (t ) + P Succ Σ (t ) + q2 s +qexqs 2 k 4. Implementation To test the pefomance of this new potocol, we incopoated it in the goup management potocol of [2]. The goup management of [2] consists of thee communication ounds: DISC, JOIN and GROUP. The DISC stage initiates the goup fomation by calling fo inteested paticipants. Each inteested paticipant esponds with a JOIN message. The goup membeship is defined and announced by the goup leade (chosen andomly) by the GROU P message. The design of the new potocol allowed us to piggy-back data on goup management messages, thus membe contibutions towads the goup key ae collected duing JOIN messages while the GROU P message caies the message fom the goup leade which enables eveyone to compute the goup key. Thus no additional communication ound is equied to deive a goup key, iespective of the goup size. It is woth mentioning that it would not have been possible with most of the potocols pesented in table 1, as the messages sent by goup membes ae dependent on messages sent by othe membes. A compaison of the computation times on a device in the absence and pesence of pocedues is plotted in table 4. The data shown is fo an expeimental setup consisting of laptops (Compaq 500 Mhz unning Linux) and palmtops (Compaq ipaq 400MHz unning Linux familia 0.7). All andom contibutions fo the goup key wee cho-

1400 1200 1000 800 600 400 200 no 0 14000 12000 10000 8000 6000 4000 2000 1400 1200 1000 800 600 400 200 Laptop - Leade and non-leade no no 0 14000 12000 10000 8000 6000 4000 2000 no Palmtop - Leade and non-leade Table 4. Computation time pe device with and without fo laptop and palmtop sen fom a Diffie-Hellman goup of pime ode of 1024 bits. The code was witten in Java except the exponentiation function which was implemented in native code with the GMP libay 5. The gaphs in table 4 plot computation time (in milliseconds on Y axis) against goup-size with and without. Thee ae sepaate plots fo the cases when the device was a leade/non-leade. Leade fo goup management was andomly chosen. As expected, the time fo non-leade membes inceases (when employing potocol) by an almost constant facto (ode of time to pefom two 1024 bit exponentiations), while fo a leade it inceases linealy as the goup size inceases. As most ad hoc netwoks ae expected to be composed of devices of unequal computing powe, moe poweful devices (like laptops) can assume the ole of a leade moe often. 5. Conclusion along with goup management pocedues), and also efficient in computational tems. It can be, using Yung et al. compile, tansfomed into a thee ound potocol secue against an active advesay. This adds to the cost of the potocol, by adding one ound of boadcasts. The potocol is simple and we have povided a secuity poof in the famewok of [4], using the standad model and the Decisional Diffie-Hellman assumption in any goup. Expeimental esults show that ou potocol esults in a easonable computational ovehead duing goup fomation with hadly any communication buden. Futhe eductions in tems of computation ovehead can be made by using Elliptic cuve goups. Refeences [1] M. ellae and P. Rogaway. Random oacles ae pactical: A paadigm fo designing efficient potocols. ACM Confeence on Compute and Communications Secuity, 1993. [2] M. oulkenafed, D. Sacchetti, and V. Issany. Using goup management to tame mobile ad hoc netwoks. IFIP TC8 Woking Confeence on Mobile Infomation Systems, 2004. [3] C. oyd and J. Nieto. Round-optimal contibutoy confeence key ageement. 6th Intenational Wokshop on Pactice and Theoy in Public Key Cyptogaphy, 2003. [4] E. esson, O. Chevassut, and D. Pointcheval. Dynamic goup Diffie Hellman key exchange unde standad assumptions. In Advances in Cyptology - EUROCRYPT, 2002. [5] M. umeste and Y. Desmedt. A secue and efficient confeence key distibution system. Advances in Cyptology - EUROCRYPT, 1994. [6] J. Katz and M. Yung. Scalable potocols fo authenticated key exchange - full vesion. Advances in Cyptology - CRYPTO, 2003. [7] Y. Kim, A. Peig, and G. Tsudik. Simple and fault-toleant key ageement fo dynamic collaboative goups. ACM CCS, 2000. [8] A. J. Menezes, P. C. van Ooschot, and S. Vanstone. Hand- ook of Applied Cyptogaphy. CRC Pess, 1996. [9] J. Nam, J. Lee, S. Kim, and D. Won. DDH based goup key ageement fo mobile computing. http://epint.iac.og/2004/127, 2004. [10] G.-C. Roman, Q. Huang, and A. Hazemi. Consistent goup membeship in ad hoc netwoks. Intenational Confeence on Softwae Engineeing, 2001. [11] M. Steine, G. Tsudik, and M. Waidne. Key ageement in dynamic pee goups. IEEE Tansactions on Paallel and Distibuted Systems, 2000. We have poposed a new goup key ageement potocol, paticulaly well suited to ad hoc netwoks, and secue against a passive advesay. It is efficient in the numbe of ounds (only two ounds, the fist ound may be executed 5 http://www.swox.com/gmp/

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information