# Changes

## Np1sec

Fix session key computation

Deniable authentication is derived from the Triple Diffie-Hellman algorithm presented in [Sys14]. Joining the room is a variation of the two-round mBD+P protocol presented in [ACMP10] where the authentication step has been made deniable. Leaving the room is the one-round mBD+S from [ACMP10].

==VIII.1 Schematic view of the key exchange==

The protocol computes a unified session key for all participants. This requires, in particular, that all <math>plist_i</math> are identical for all participants. However, as a consistent view is part of the ''(n+1)sec'' security model, it does not impose an extra limitation on the protocol. For more information please see [[#Participatory_vs_individually_independent_computation_of_group_keys|Appendix B: Participatory vs individually independent computation of group keys]].

For simplicity, the group operation is written multiplicatively (even though it is actually an elliptic curve point operation, traditionally represented by addition).

|align="center"|8

|align="right" |Encrypt shares

|align="center"|{{Font color|black|pink|<math>z_i \leftarrow GroupEnc(k_{i_j} for j \in \{1,\dots,n\}, z'_i)</math>}}

|align="center"|Computation

|-

|align="center"|14

|align="right"| Generate session key

|align="center"|{{Font color|black|pink|<math>sk_{i} \leftarrow H(GroupDec(k_{i,l}\forall l, z_j ) \forall j,sid_i) =H(z'_1, \dots, z'_n, sid_i) </math>}}

|align="center"|Computation

|}

===''GroupEnc'' and ''GroupDec'' functions===

For the high-level design of the protocol, we do not specify the primitives for ''GroupEnc'' and ''GroupDec'' used in steps '''8''' and '''14''' of Algorithm 1 as a part of the protocol, just as we do not specify the hash function and the block cipher. We explain their properties here. We choose a candidate in section IX.4.

The ''GroupEnc'' and ''GroupDec'' functions are primitives which are called collectively by all instances involved in the session and are supposed to satisfy the following goal:

# <math>z'_i</math> remains unknown for any <math>\mathcal{A} \not \in G</math> eavesdropping the channel <math>\mathcal{C}</math>.
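The following Python example is an addition to this page, not part of the (n+1)sec specification and not the candidate chosen in section IX.4. It uses a stand-in ''GroupEnc''/''GroupDec'' (each share masked once per peer with an HMAC-SHA256 pad keyed by the pairwise key) to show steps 8 and 14: every member derives the same <math>sk_i = H(z'_1, \dots, z'_n, sid_i)</math>, while a party without the pairwise keys does not recover <math>z'_i</math>. The function names, the random pairwise keys and the session id are assumptions constructed for the illustration.

```python
import hashlib, hmac, os
from itertools import combinations

def prf(key: bytes, sid: bytes, sender: int) -> bytes:
    # Stand-in pad (assumption): bound to the pairwise key, session id and sender.
    return hmac.new(key, sid + sender.to_bytes(2, "big"), hashlib.sha256).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def group_enc(keys_i: dict, sid: bytes, i: int, share: bytes) -> dict:
    """Step 8: z_i <- GroupEnc(k_{i,j} for all j, z'_i); one masked copy per peer j."""
    return {j: xor(share, prf(k, sid, i)) for j, k in keys_i.items()}

def group_dec(keys_i: dict, sid: bytes, i: int, j: int, z_j: dict) -> bytes:
    """Participant i recovers z'_j from z_j using the pairwise key k_{i,j}."""
    return xor(z_j[i], prf(keys_i[j], sid, j))

def session_key(keys_i: dict, sid: bytes, i: int, own: bytes, z_all: list) -> bytes:
    """Step 14: sk_i <- H(z'_1, ..., z'_n, sid_i)."""
    shares = [own if j == i else group_dec(keys_i, sid, i, j, z_all[j])
              for j in range(len(z_all))]
    return hashlib.sha256(b"".join(shares) + sid).digest()

def run_demo(n: int = 4):
    sid = hashlib.sha256(b"constructed-session-id").digest()  # constructed value
    # Constructed pairwise keys k_{i,j} = k_{j,i}; in the protocol these come
    # from the deniable authentication step, here they are random bytes.
    pair = {frozenset(p): os.urandom(32) for p in combinations(range(n), 2)}
    keys = [{j: pair[frozenset((i, j))] for j in range(n) if j != i}
            for i in range(n)]
    shares = [os.urandom(32) for _ in range(n)]               # secret z'_i
    z = [group_enc(keys[i], sid, i, shares[i]) for i in range(n)]  # broadcast z_i
    sks = [session_key(keys[i], sid, i, shares[i], z) for i in range(n)]
    # An eavesdropper sees every z_i and sid but holds no k_{i,j}; decrypting
    # with a guessed key yields a value unrelated to z'_1.
    guess = group_dec({1: os.urandom(32)}, sid, 0, 1, z[1])
    return sks, shares, guess

if __name__ == "__main__":
    sks, shares, guess = run_demo()
    print("all members agree:", len(set(sks)) == 1)
    print("eavesdropper recovered z'_1:", guess == shares[1])
```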

===(n+1)sec key exchange vs original Flexible Group Key Exchange of [ACMP10]===