On the Minimum Communication Effort for Secure Group Key Exchange

Group key exchange protocols (GKE) allow a set of parties to establish a common key over an insecure network. So far the research on GKE mainly focused on identifying and formalizing appropriate security definitions that has led to a variety of different security models. Besides reaching a high security level, another important aspect is to reduce the communication effort. In many practical scenarios it is preferable (or possibly even indispensable) to reduce the number of messages to a minimum, e.g., to save time and/or energy. We prove that any n-party GKE that provides forward security (FS) and mutual authentication (MA) against insider attackers needs at least two communication rounds and in that case at least 1 2 n+ 1 2 n−3 messages. Observe that FS and MA are today accepted as basic security recommendations. Hence these bounds hold automatically as well for more elaborate security definitions. Then, we describe a 2-round-GKE that requires n + 1 messages more than the derived lower bound. We prove that the protocol achieves UC-security (in the model by Katz and Shin (CCS’05)) in the common reference string (CRS) model. To the best of our knowledge, this represents the most communication efficient (in terms of number of rounds and messages) UC-secure GKE so far.