Fix session key computation
Deniable authentication is derived from the Triple Diffie-Hellman algorithm presented in [Sys14]. Joining the room is a variation of the two-round mBD+P protocol presented in [ACMP10] where the authentication step has been made deniable. Leaving the room is the one-round mBD+S from [ACMP10].
==VIII.1 Schematic view of the key exchange==
The protocol computes a single session key shared by all participants. In particular, this requires that <math>plist_i</math> is identical for all participants. However, since a consistent view is already part of the ''(n+1)sec'' security model, this does not impose an extra limitation on the protocol. For more information please see [[#Participatory_vs_individually_independent_computation_of_group_keys|Appendix B: Participatory vs individually independent computation of group keys]].
For simplicity, the group operation is written multiplicatively (even though it is actually an elliptic curve point operation, traditionally written additively).
{| class="wikitable"
|align="right" |Encrypt shares
|align="center"|{{Font color|black|pink|<math>z_i \leftarrow GroupEnc(k_{i,j} \text{ for } j \in \{1,\dots,n\}, z'_i)</math>}}
|-
|align="right"| Generate session key
|align="center"|{{Font color|black|pink|<math>sk_i \leftarrow H(GroupDec(k_{i,l} \; \forall l, z_j) \; \forall j, sid_i) = H(z'_1, \dots, z'_n, sid_i)</math>}}
|}
===''GroupEnc'' and ''GroupDec'' functions===
For the high-level design of the protocol we do not specify the primitives used for ''GroupEnc'' and ''GroupDec'' in steps '''XX8''' and '''XX14''' of Algorithm 1 as part of the protocol, just as we do not specify the hash function and the block cipher. We explain the required properties here and choose a candidate in section IX.4.
The ''GroupEnc'' and ''GroupDec'' functions are primitives which are called collectively by all instances involved in the session and are required to satisfy the following goal:
# <math>z'_i</math> remains unknown to any <math>\mathcal{A} \not \in G</math> eavesdropping on the channel <math>\mathcal{C}</math>.
To this end each member <math>U_i</math> computes <math>z_i := GroupEnc(k_{i,j} \text{ for } j \in \{1,...,n\}, z'_i)</math> and broadcasts <math>z_i</math> on <math>\mathcal{C}</math>. Later on, when <math>U_i</math> has received all <math>z_j</math>, it recovers every secret <math>z'_j</math> by computing <math>GroupDec(k_{i,j} \text{ for } j \in \{1,...,n\}, z_j)</math>.
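The following simulation is an added example, not (n+1)sec's own code, and it ties together the two table rows above (encrypt shares, generate session key) with the ''GroupEnc''/''GroupDec'' contract just described and the requirement that every <math>plist_i</math> agree. It assumes three things the page leaves open: the pairwise keys <math>k_{i,j}</math> are treated as already agreed (a random key handed to both members stands in for the deniable Triple DH step); ''GroupEnc''/''GroupDec'' are instantiated as a per-recipient one-time pad derived with HMAC from <math>k_{i,j}</math>, which is one possible candidate and not the one the spec selects in section IX.4; and <math>sid_i</math> is taken to be a hash of <math>plist_i</math>. All participant names and share values are constructed.

```python
"""Toy simulation of the share-encryption and session-key steps.

Added example, not the (n+1)sec reference code. Assumptions:
  * k_{i,j} are already agreed (random keys given to both parties stand in
    for the Triple DH step);
  * GroupEnc/GroupDec are a per-recipient HMAC-derived one-time pad
    (one candidate, not the spec's chosen primitive);
  * sid_i is the hash of plist_i.
"""
import hashlib
import hmac
import os


def session_id(plist):
    # sid_i derived from the participant list as U_i sees it (assumption).
    return hashlib.sha256(b"sid|" + b"|".join(plist)).digest()


def setup_pairwise_keys(n):
    # Constructed stand-in for the k_{i,j} produced by the deniable Triple DH:
    # each unordered pair {i, j} receives one fresh 32-byte shared key.
    keys = {}
    for i in range(n):
        for j in range(i + 1, n):
            k = os.urandom(32)
            keys[(i, j)] = k
            keys[(j, i)] = k
    return keys


def pad(k_ij, sid, sender):
    # Key stream for one share. Bound to sid and to the sender's index so that
    # U_i and U_j, who hold the same k_{i,j}, never reuse a pad.
    msg = b"share|" + sid + sender.to_bytes(2, "big")
    return hmac.new(k_ij, msg, hashlib.sha256).digest()


def group_enc(i, keys, sid, z_prime_i):
    # z_i <- GroupEnc(k_{i,j} for all j != i, z'_i): one ciphertext per peer,
    # so an eavesdropper without any k_{i,j} learns nothing about z'_i.
    return {j: bytes(a ^ b for a, b in zip(z_prime_i, pad(k, sid, i)))
            for (s, j), k in keys.items() if s == i}


def group_dec(i, keys, sid, j, z_j):
    # Recover z'_j from the component of z_j that U_j addressed to U_i.
    return bytes(a ^ b for a, b in zip(z_j[i], pad(keys[(i, j)], sid, j)))


def session_key(i, keys, sid, plist, own_share, broadcast):
    # sk_i = H(z'_1, ..., z'_n, sid_i), shares ordered by plist.
    shares = [own_share if j == i else group_dec(i, keys, sid, j, broadcast[j])
              for j in range(len(plist))]
    return hashlib.sha256(b"sk|" + b"".join(shares) + b"|" + sid).digest()


def run_session(plist, keys=None):
    # Every member picks a random share z'_i, broadcasts GroupEnc of it, and
    # derives sk_i from everything it can decrypt. Returns all members' keys.
    n = len(plist)
    keys = keys if keys is not None else setup_pairwise_keys(n)
    z_prime = [os.urandom(32) for _ in range(n)]
    sid = session_id(plist)
    broadcast = {i: group_enc(i, keys, sid, z_prime[i]) for i in range(n)}
    sks = [session_key(i, keys, sid, plist, z_prime[i], broadcast) for i in range(n)]
    return sks, z_prime, broadcast


def consistent_view_required(plist):
    # Illustrates why plist_i must match: a member whose plist_i (hence sid_i)
    # differs derives a session key that disagrees with everyone else's.
    keys = setup_pairwise_keys(len(plist))
    sks, z_prime, broadcast = run_session(plist, keys)
    other_sid = session_id(list(reversed(plist)))
    divergent = session_key(0, keys, other_sid, plist, z_prime[0], broadcast)
    return divergent != sks[0]


if __name__ == "__main__":
    sks, _, _ = run_session([b"alice", b"bob", b"carol"])  # constructed names
    print("all members agree:", len(set(sks)) == 1)
    print("mismatched plist diverges:", consistent_view_required([b"alice", b"bob", b"carol"]))
```

Two design points carry over to any real instantiation: the per-recipient pad is bound to both the sender index and <math>sid</math>, because both endpoints of a pair share the same <math>k_{i,j}</math> and would otherwise produce a two-time pad; and the shares are hashed in <math>plist</math> order, which is exactly why the unified session key only works when every member's view of the room is the same.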
===(n+1)sec key exchange vs original Flexible Group Key Exchange of [ACMP10]===