On Constructing Dynamic and Forward Secure Authenticated Group Key Agreement Scheme from Multikey Encapsulation Mechanism

Instantiating an authenticated group key exchange (GAKE) protocol from a multikey encapsulation mechanism (mKEM) has the important advantage of meeting the classical GAKE security requirements in a single communication round. In spite of the limitations of this approach, for example the lack of forward secrecy, it is very useful in group environments where maximum communication efficiency is desirable. To enrich this mKEM-based GAKE construction, we suggest an efficient solution that converts the static GAKE framework into a partially dynamic scheme. Furthermore, to address the lack of forward secrecy, we propose two variants of this generic construction which also provide forward secrecy at the cost of an extra communication round. In addition, concerning the implementation cost of deploying this generic GAKE construction in an elliptic curve cryptosystem, we compare the possible instantiations of this model from existing mKEM algorithms in terms of the number of elliptic curve scalar multiplications.


Introduction
A reliable and secure shared-key distribution scheme is arguably the most important step toward establishing a cryptographic channel among a group of communicating parties. A group key exchange protocol (GKE) allows the members to calculate a shared-key over a public communication medium. An authenticated group key exchange (GAKE) scheme ensures that the resulting shared-key remains indistinguishable from random to nonlegitimate peers and provides the participants with resistance against impersonation attacks. A recently proposed approach [1] to achieving the classical requirements of authenticated key exchange security [2][3][4] for the group setting in one communication round is to construct the protocol from a multikey encapsulation mechanism (mKEM). We refer to this generic framework as the mkGAKE model. An mKEM [5] is a multipeer cryptographic primitive that assumes receivers with long-term certified private/public-key pairs and enables one entity to generate and efficiently encapsulate the same random session key for multiple receivers. The mkGAKE framework is essentially the parallel execution of a secure mKEM scheme among the parties. While this communication-efficient GAKE construction provides the participants with the basic requirements of key confidentiality and impersonation resistance, it has two important limitations that affect the security and functionality of the model. These shortcomings and their undesirable effects are described below:

(1) Lack of forward secrecy (FS): compromising the long-term keying material of a peer affects the confidentiality of previously established session keys. Since the existing mKEM schemes used as the building block of this framework are not forward secure, the resulting GAKE construction is not forward secure either. FS is a desirable feature of a GAKE solution, as it ensures that the shared-key history remains confidential even after the long-term keying material of the participants is revealed.

The Scientific World Journal

(2) Inability to provide an efficient solution for dynamic group environments: the participants need to reexecute the GAKE protocol whenever new members join or existing members leave. It is desirable for a GAKE protocol to provide an efficient mechanism for join/leave operations rather than reexecuting the whole scheme in a dynamic group environment.
Another fundamental factor in analyzing the practicality of this framework is the computational cost of instantiating the generic model. Implementing the framework with an elliptic curve cryptosystem (ECC) can significantly reduce the size of keys, parameters, and messages compared to the non-ECC variants [6]. It is therefore desirable to evaluate the ECC-related deployment cost of this generic GAKE construction.
1.1. Our Contribution. In this paper we propose a generic framework that converts the existing static mkGAKE model into a partially dynamic scheme, providing a more efficient mechanism for joining new members to an already established session. In addition, to enrich the existing mkGAKE construction, we propose two variants of this model that achieve the important goal of forward secrecy at the cost of an extra communication round. As a further contribution, we evaluate the implementation cost of instantiating this model in ECC from existing mKEM schemes.

1.2. Related Works.
Most of the group key exchange protocols in the literature are based on either the DH [11] or the Joux [12] algorithm and require multiple rounds to establish the shared-key. Constructing a one-round, yet secure, GAKE is very desirable because of its appealing bandwidth efficiency compared to multiround solutions. One of the first attempts to formalize one-round GAKE protocols was made in [13], which divides the protocols into three classes:

(1) In the first class, peers are assumed to hold a preshared secret, which is impractical and unreasonable in real environments [14].
(2) In the second class, one party encrypts its nonce to the other participants together with a digital signature on the encrypted nonce, while the other parties send their random values in the clear. An instantiation of such a scheme is given in [15]. It suffers from the intensive computational overhead imposed by the digital signature as well as an inherent security concern resulting from the unequal distribution of the key exchange responsibilities, which gives extreme power to the encrypting party.
(3) In the third class, which distributes the power and responsibility equally among participants, all peers encrypt their nonce to the other entities using the other participants' certified public-keys. A generic model to efficiently instantiate this class of one-round GAKE scheme from an mKEM construction is given in [1] (referred to as the mkGAKE model). So far, this mkGAKE model is the only practical and provably secure one-round implicitly authenticated group key exchange construction in the literature. (It is theoretically possible to construct a one-round GKE scheme from a multilinear map [16] and then convert it to an implicitly authenticated GAKE scheme in a manner similar to MQV [17] or HMQV [18]; but, in spite of some recent improvements in constructing a plausible multilinear map [19,20], these schemes are still far from being practically efficient.)

1.3. Organization. The next section discusses ECC and mKEM schemes and reviews the operation of dynamic GAKE protocols. In that section we also study the existing mKEM-based GAKE framework. In Section 3 we present our two variants of the mKEM-based GAKE model with forward secrecy. In Section 4 we propose a generic framework to convert the existing static GAKE framework into a partially dynamic scheme. In Section 5 we compare the implementation cost of this framework for the possible ECC translations of existing mKEM solutions. Section 6 summarizes our work and highlights the important points.

2.1. Elliptic Curve.
An elliptic curve over a prime field of (char( ) ≠ 2, 3) is defined by a short Weierstrass equation : 2 = 3 + + , where the parameters , ∈ are chosen such that Δ ≠ 4 3 + 27 2 (Δ is the discriminant of the equation). The group of points of over is denoted by ( ) and the order of ( ) is denoted by # ( ). An elliptic curve is described by the set of parameters ( , , , , , ℎ), where specifies the finite field of , and are the coefficients of , = ( , ) is the generator of a cyclic subgroup ⟨ ⟩ ⊂ ( ) of prime order , and ℎ = # ( )/ is the cofactor of the elliptic curve. The elliptic curve DH assumptions are as follows:

(i) A Diffie-Hellman (DH) tuple in is ( , , , ) ∈ for some , , ∈ * satisfying = mod .
(ii) Computational Diffie-Hellman (CDH) problem: given any three of the four elements of a DH tuple, compute the remaining element.

2.2. mKEM.
An mKEM scheme allows a peer to efficiently encapsulate a single session key to parties. A typical mKEM scheme is specified by a tuple (g, E, D) and consists of three core algorithms: private/public-key generation (g), key encapsulation (E), and key decapsulation (D). The probabilistic algorithm g takes the domain parameters and generates a public/private-key pair ( , ). The probabilistic algorithm E takes the set of public-keys of the receivers and returns the encapsulation pair ( , ), where = { 1 , . . . , } and is the encapsulation of with . The deterministic algorithm D takes a private-key and the encapsulation and outputs . For an mKEM scheme to be secure it is required to be sound, which means that for all key pairs ( , ) generated by g ( ) and all encapsulation pairs ( , ) generated by E ( , ), decapsulation with the corresponding private-key, D ( , , ), recovers the encapsulated key.

2.3. Dynamic Group Key Exchange.
GKE algorithms are divided into two groups, static and dynamic, according to their ability to refresh the session key after a change of group membership. In a static GKE the number of peers remains constant during the session, whereas in a dynamic GKE participants are allowed to join or leave at any time during the active session. A typical dynamic GKE consists of three algorithms, namely, the shared-key establishment scheme, the join operation, and the leave operation. The shared-key establishment scheme operates like a typical static GKE scheme and allows the parties to securely calculate a confidential shared-key. The join operation allows a new member to jointly establish a new key with the existing members in such a way that the new member cannot extract the session keys previously established between those peers. The leave operation removes one of the members from the existing session and allows the remaining members to calculate a fresh key for the session. The leaving group members should not be capable of calculating or distinguishing the updated session key. Whilst it is possible to convert any static GKE into a dynamic GKE by reexecuting the static GKE with the updated membership, it is desirable for a GKE protocol to provide a more efficient solution for join/leave operations than the trivial approach of reexecuting the GKE scheme in a dynamic environment.

2.4. mKEM-Based One-Round GAKE Construction (mkGAKE Model).
The generic model proposed by Gorantla et al. in [1] provides a framework to construct a one-round implicitly authenticated group key exchange (GAKE) from an mKEM scheme. Consider a set of parties U = { 1 , . . . , } as participants in the GAKE scheme, where ∈ [1, ] is the identity of a participant and U is the set of identities of all parties. This generic model assumes an IND-CCA secure mKEM (g, E, D) as the core algorithm and lets the members of U establish a shared session key through parallel execution of that mKEM. Since the mKEM guarantees to the sender that only the legitimate receivers can decapsulate the session key, the generic model constructed from parallel execution of the mKEM among multiple participants provides all parties with implicit authentication of the computed symmetric-key. The model consists of four phases:

(i) Initiation:
(ii) Computation:
(iii) Communication:
(iv) Key calculation: ( ∈ U) calculate the shared-key as follows

In the Initiation phase, each GAKE participant ∈ U executes g KEM (D) to obtain a private/public-key pair ( , ), and the authentic set of public-keys = { 1 , . . . , } is known to all peers. In the Computation phase, each ∈ U executes the mKEM encapsulation algorithm with the other participants' public-keys to obtain a symmetric-key and encapsulation pair. In the Communication phase, each ∈ U broadcasts its computed encapsulation together with its id to all other peers. Finally, in the Key calculation phase, each ∈ U executes the mKEM decapsulation algorithm on each of the incoming encapsulations using its private-key to obtain the ( − 1) other symmetric-keys. It then sets sid to the concatenation of all incoming and outgoing messages, sid ← ( 1 ‖ ⋅ ⋅ ⋅ ‖ ‖ U), where U is the set of identities of all the users. Finally, sid and the decapsulated keys are fed to a pseudorandom function to calculate the session key.

3. Two-Round GAKE with Forward Secrecy
The generic one-round mKEM-based framework cannot provide forward secrecy, but it can be extended to a two-round unauthenticated scheme that achieves this additional goal. In this approach, the authenticated and certified long-term private/public-key pairs are replaced with ephemeral key pairs. In the two-round variant, the participants execute the mKEM in parallel with ephemeral keys generated on demand. Using ephemeral, uncertified asymmetric-keys results in a GKE protocol without the implicit authentication property: an adversary can impersonate any honest participant to the other peers by replacing the ephemeral private/public values, so the resulting protocol is only secure against a passive adversary. To provide the GKE protocol with authentication, one of the two following approaches may be adopted.


3.1. Using Digital Signature in the First Round.
In this approach the peer ∈ U is assumed to hold a certified long-term private/public-key pair (SK , PK ) for the employed digital signature scheme. The signing and verification algorithms of that scheme are denoted by (Sign, Verify). The key exchange is carried out in two rounds as shown below.

Round 1. Peer runs the g KEM function to obtain an ephemeral private/public-key pair ( , ) and then uses SK to compute a digital signature on . Then broadcasts the signature together with its id and its ephemeral public-key to the other users. The generic framework for the first-round interaction is shown below:

(i) Setup: ( ∈ U) : obtains long-term signing/verification keys (SK , PK ).
(iv) Communication 1:

Round 2. In the second round, the other peers verify the authenticity of by validating the received signature with the publicly available certified verification key PK and then run the one-round protocol with the authentic ephemeral public-keys. The generic framework for the second-round interaction of this approach is shown below:

(i) Verification: Verify PK (( , ), ) = 1.

3.2. Using Digital Signature in the Second Round.
A variant of this approach is (also) suggested in [21], and the core idea is originally borrowed from [22]. In this framework, peer ∈ U is assumed to hold a certified long-term signing/verification key pair (SK , PK ) for the employed digital signature scheme. The generic framework for the first-round interaction is shown below.

Round 1. In the first round, peer runs the KEM function to obtain an ephemeral private/public-key pair ( , ) and broadcasts it to the other peers:

(i) Setup: ( ∈ U) : obtains long-term signing/verification keys (SK , PK ).
(ii) Initiation:
(iii) Communication:

Round 2. In the second round, each ∈ U executes the mKEM encapsulation algorithm with the other participants' public-keys to obtain a symmetric-key and encapsulation pair.
To provide the authentication property, uses SK to compute a digital signature on the session key encapsulation concatenated with all ephemeral public-keys in the system and broadcasts the signature and to the other participants. The other peers verify the authenticity of the received encapsulation (and the corresponding embedded key) by validating the received signature with the publicly available certified verification key PK . After validating the authenticity of all received encapsulations, each peer extracts the embedded keys with the mKEM decapsulation algorithm and finally computes the shared session key. The generic framework for the second-round interaction is shown below:

(i) Computation:
(ii) Signature:
(iii) Communication:
(iv) Verification:
(v) Key calculation: ( ∈ U) calculate the shared-key as follows

3.3. Security Analysis. The security of both approaches relies on the security of the underlying digital signature scheme. Both approaches assume that each peer ∈ U possesses a certified long-term private/public-key pair (SK , PK ) for the employed digital signature scheme. The private-key, which signs either the ephemeral public-key (first approach) or the encapsulation of the session key (second approach), must be kept secret, as revealing it to an adversary would allow the adversary to learn the session key. If the employed signature scheme is secure against existential forgery under an adaptive chosen message attack and the signing private-keys are kept secret from potential adversaries, then both approaches are forward-secure authenticated group key exchange schemes. In fact, both approaches use a hierarchy of signatures in which the first authenticated exchange authenticates the next exchange.
It should be noted that the ephemeral session keys are independent of the long-term keying material: the long-term keys only authenticate the session key and play no role in its calculation. Thus, if an adversary compromises the long-term keying material of a participating peer in some session, he/she cannot learn anything about the ephemeral keys of previous sessions in which the corrupted party participated. However, future session keys will not be secure against this adversary, as he/she can impersonate the corrupted party and induce any other party to enter the session key calculation phase with him/her. A forward-secure group key exchange is expected to keep the previous session keys inaccessible, not the future ones. Under this notion, both of the described approaches are forward-secure key exchange schemes. Note that while the first approach (Section 3.1) is simpler and more convenient, the second method (Section 3.2) is stronger, as it provides a means of mutual authentication on all the session-related ephemeral values.

4. Achieving Dynamic Group Operation
While it is possible to obtain a dynamic protocol from this GAKE model by reexecuting the scheme from scratch in the join or leave procedure, we propose a solution that performs the join operation more efficiently. The leave operation still requires the members to reexecute the protocol.

Consider a scenario where a new member , with knowledge of the domain parameters D, KDF, and , decides to join an ongoing session between the U parties with shared session key . Peer is required to run the g KEM (D) function to obtain the private/public-key pair ( , ). The members of U must have access to the certified public-key of . The members of U must also have access to a secure symmetric encryption algorithm denoted by ( , ). To join the ongoing session, each of the U members together with follows the corresponding procedure described below.
Peer . The new member executes the one-round protocol with respect to the public-keys of U, = { 1 , . . . , }:

(i) Initiation: is known to all peers.
(ii) Computation:
(iii) Communication:
(iv) Key calculation: ( ) calculate the shared-key as follows

Peer ∈ U. Each member of U executes the one-round protocol with respect to the public-key of and uses the symmetric encryption scheme with the already established session key to distribute the new keys among themselves:

(i) Computation:
(ii) Communication:
(iii) Key calculation: ( ∈ U) calculate the shared-key as follows

It should be noted that when the GAKE protocol is reexecuted from scratch, each member needs to execute the associated mKEM protocol with the public-keys of all existing and new members. With the proposed framework, however, each existing member of U executes the mKEM protocol, when new member(s) join, only with the public-key(s) of those member(s) and does not include the public-keys of the other existing members {U \ }. Considering the high computational cost of mKEM schemes, which grows with the number of input public-keys, this framework can significantly reduce the computational overhead in dynamic group environments. While this construction is more efficient than rerunning the algorithm when a new member joins, its security depends solely on the security of the employed symmetric encryption scheme and the security of the generic mKEM-based GAKE model (Section 2.4). The joining peer executes the mKEM-based GAKE model with the existing members; thus the security of the key calculated with this node is the same as in the generic framework. Furthermore, the other nodes ∈ U execute the mKEM-based GAKE model with the new peer and, in the meantime, distribute their ephemeral values among themselves through a CCA2-secure symmetric encryption scheme; thus the security of the session key calculated among these peers relies on the security of the mKEM-based GAKE framework and of the employed symmetric encryption scheme, combined.
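The one-round mkGAKE flow of Section 2.4 and the join operation described above, carried through in Python as an added example (not code from the paper or from any of the cited mKEM schemes). The mKEM is a toy hashed multi-recipient Diffie-Hellman KEM over a small modular group and the symmetric scheme is a toy encrypt-then-MAC; both are assumptions standing in for the ECC mKEM and the CCA2 cipher that the paper leaves abstract, and every identifier below is constructed. In this simulation every party sees the same broadcast messages, so sid is computed once from them.

```python
import hashlib, hmac, secrets

P, G = 2**127 - 1, 3      # toy domain parameters D: a modular group, NOT secure sizes

def H(*parts):            # hash-based KDF over ints, strings and bytes
    h = hashlib.sha256()
    for x in parts:
        h.update(x if isinstance(x, bytes) else str(x).encode()); h.update(b"|")
    return h.digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# --- toy mKEM (g, E, D): hashed multi-recipient Diffie-Hellman (constructed) -----------
def gen():                # private/public-key pair
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def encap(pks):           # one random K, one encapsulation part C_i per receiver id in pks
    k, r = secrets.token_bytes(32), secrets.randbelow(P - 2) + 1
    R = pow(G, r, P)
    return k, {i: (R, xor(k, H("mask", pow(y, r, P), R))) for i, y in pks.items()}

def decap(x, c):          # receiver opens its own part with private-key x
    R, masked = c
    return xor(masked, H("mask", pow(R, x, P), R))

def prf(sid, keys):       # session key = PRF(sid, K_1 || ... || K_n)
    return hmac.new(H(*keys), sid, hashlib.sha256).digest()

# --- mkGAKE one-round protocol (Section 2.4) -------------------------------------------
def mk_gake(parties):     # parties: id -> (x, y); returns id -> session key
    # Computation/Communication: each U_i encapsulates to the other n-1 public-keys
    msgs = {i: encap({j: y for j, (_, y) in parties.items() if j != i}) for i in parties}
    # sid = all broadcast encapsulations (in id order) || U
    sid = H(*[H(i, str(msgs[i][1])) for i in sorted(msgs)], *sorted(parties))
    out = {}
    for j, (x, _) in parties.items():   # Key calculation at each U_j
        keys = [msgs[i][0] if i == j else decap(x, msgs[i][1][j]) for i in sorted(msgs)]
        out[j] = prf(sid, keys)
    return out

# --- join of new member z (Section 4) --------------------------------------------------
def enc(key, m):          # toy encrypt-then-MAC standing in for the CCA2 scheme E_K
    n = secrets.token_bytes(16); c = xor(m, H("stream", key, n))
    return n, c, hmac.new(key, n + c, hashlib.sha256).digest()

def dec(key, ct):
    n, c, tag = ct
    if not hmac.compare_digest(tag, hmac.new(key, n + c, hashlib.sha256).digest()):
        raise ValueError("bad tag")
    return xor(c, H("stream", key, n))

def join(parties, old_key, zid, zkeys):
    xz, yz = zkeys
    kz, cz = encap({i: y for i, (_, y) in parties.items()})   # z: one round towards all of U
    fresh = {i: encap({zid: yz}) for i in parties}            # U_i: mKEM to z only ...
    wrapped = {i: enc(old_key, k) for i, (k, _) in fresh.items()}  # ... and E_oldkey(K_i')
    sid = H(zid, str(cz), *[H(i, str(fresh[i][1]), str(wrapped[i])) for i in sorted(fresh)],
            *sorted(parties))
    out = {zid: prf(sid, [kz] + [decap(xz, fresh[i][1][zid]) for i in sorted(fresh)])}
    for j, (x, _) in parties.items():   # members decapsulate K_z, decrypt the others' K_i'
        keys = [decap(x, cz[j])] + [fresh[i][0] if i == j else dec(old_key, wrapped[i])
                                    for i in sorted(fresh)]
        out[j] = prf(sid, keys)
    return out
```

Every existing member runs the mKEM with a single public-key (the joiner's) instead of all n public-keys, which is the saving the section describes; the joiner still pays the full one-round cost.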

5. Efficiency Comparison of Instantiating GAKE Model from Different KEMs
In Table 1 we compare the efficiency of instantiating the mkGAKE model from existing provably secure mKEM schemes. The table compares the computation cost of such constructions in terms of the number of EC point scalar multiplications, denoted by SM. An SM refers to computing , where is an integer and is an EC point. The multiscalar multiplication, denoted by MSM, refers to computing ∑ . We found it easier and more consistent to express the computational efficiency of the different schemes in the single unit of SM. However, since many factors contribute to the cost of the various MSM cases, it is difficult to describe the computation cost of an MSM precisely in terms of SM. One approach to roughly estimate this relation, as described in [23], is to consider the unsigned binary representation of the scalars and compute the MSM with a sliding window technique. An estimate obtained from this approach is given in [24]: for a window size of 2 and a bit-length of 256, one MSM is assumed to be roughly equal to 1.39 SM. It should be noted that this optimistic estimate enables us to conveniently compare the computational efficiency of different EC-based schemes in a unified system.

6. Conclusion
Through this contribution, we propose an efficient and practical generic framework to convert the static mKEM-based GAKE construction into a partially dynamic scheme. Our framework provides a more efficient solution for the join operation than the naive approach of reexecuting the original GAKE model with the updated membership. Furthermore, in order to enrich the existing mKEM-based GAKE framework, we propose two variants of this generic model which also provide forward secrecy at the cost of an extra communication round. Finally, to evaluate the computational cost of deploying this generic model in an elliptic curve cryptosystem, we compared the EC-related calculation cost of the possible instantiations of this model from existing mKEM algorithms.