We consider the fundamental problem of authenticated group key exchange among n parties within a larger and insecure public network. A number of solutions to this problem have been proposed; however, all provably-secure solutions thus far are not scalable and, in particular, require O(n) rounds. Our main contribution is the first scalable protocol for this problem along with a rigorous proof of security in the standard model under the DDH assumption; our protocol uses a constant number of rounds and requires only O(1) "full" modular exponentiations per user. Toward this goal and of independent interest, we first present a scalable compiler that transforms any group key-exchange protocol secure against a passive eavesdropper to an authenticated protocol which is secure against an active adversary who controls all communication in the network. This compiler adds only one round and O(1) communication (per user) to the original scheme. We then prove secure --- against a passive adversary --- a variant of the two-round group key-exchange protocol of Burmester and Desmedt.

We investigate secure routing in ad hoc networks in which security associations exist only between a subset of all pairs of nodes. We focus on source routing protocols. We show that to establish secure routes, it is in general not necessary that security associations exist between all pairs of nodes; a fraction of security associations is su#cient. We analyze the performance of existing proposals for secure routing in such conditions. We also propose a new protocol, designed specifically for ad hoc networks with an incomplete set of security associations between the nodes. We call this protocol BISS: a protocol for Building Secure Routing out of an Incomplete Set of Security Associations. We present a detailed analysis of this protocol, based on simulations, and show that it can be as secure as the existing proposals that rely on a complete set of security associations.

This paper proposes several integrated security architecture designs for client-server group communication systems. In an integrated architecture, security services are implemented in servers, in contrast to a layered architecture where the same services are implemented in clients. We discuss the performance and accompanying trust issues of each proposed architecture and present experimental results that demonstrate the superior scalability of an integrated architecture.

Abstract — Group communication systems are high-availability distributed systems providing reliable and ordered message delivery as well as a membership service, to group-oriented applications. Many such systems are built using a distributed client-server architecture where a relatively small set of servers provide service to numerous clients. In this work, we show how group communication systems can be enhanced with security services without sacrificing robustness and performance. More specifically, we propose several integrated security architectures for distributed client-server group communication systems. In an integrated architecture, security services are implemented in servers, in contrast to a layered architecture where the same services are implemented in clients. We discuss performance and accompanying trust issues of each proposed architecture and present experimental results that demonstrate the superior scalability of an integrated architecture.

In recent years, mobile ad-hoc networks have received a great deal of attention in both academia and industry because they provide anytime-anywhere networking services. As wireless networks are rapidly deployed in the future, secure wireless environment will be mandatory. In this paper, we describe a group key management architecture and key agreement protocols for secure communication in mobile ad-hoc wireless networks (MANETs) overseen by Unmanned Aerial Vehicles (UAVs). We use the Implicitly Certified Public Keys method, which reduces the overhead of the certificate validation checking process and improves computational efficiency. The architecture uses a two-layered key management approach, where a group of nodes is divided into: 1) cell groups consisting of ground nodes, and 2) control groups consisting of cell group managers. The chief benefit of this approach is that the effects of a membership change are restricted to the single cell group.

A group key agreement protocol is designed to e#ciently implement secure multicast channels for a group of parties communicating over an untrusted, open network by allowing them to agree on a common secret key. In the past decade many problems related to group key agreement have been tackled and solved (diminished if not solved), and recently some constant-round protocols have been proven secure in concrete, realistic setting. However, all forward-secure protocols so far are still too expensive for small mobile devices. In this paper we propose a new constant-round protocol well suited for a mobile environment and prove its security under the Decisional Di#e-Hellman assumption. The protocol meets simplicity, e#ciency, and all the desired security properties.

We propose and analyze a scalable and efficient region-based group key management protocol for secure group communications in mobile ad hoc networks. For scalability and dynamic reconfigurability, we take a region-based approach by which group members are broken into region-based subgroups and leaders in subgroups securely communicate with each other to agree on a group key in response to membership change and member mobility events. We show that the secrecy requirement for group communication is satisfied. Further, there exists an optimal regional size that minimizes the total network communication cost as a result of efficiently trading inter-regional vs. intraregional group key management overheads. We give an analytical expression of the cost involved which allows the optimal regional size to be identified, when given a set of parameter values characterizing a group communicating system in mobile ad hoc networks. 1

In this paper we overview a large number of currently known group key ex-change protocols while focusing on the protocols designed for more than three par-ticipants (for an overview of two- and three-party key exchange protocols we refer to [BM03, DB05c]). For each mentioned protocol we briefly describe the current state of security based on the original analysis as well as later results appeared in the liter-ature. We distinguish between (i) protocols with heuristic security arguments based on informally defined security requirements and (ii) protocols that have been proven secure in one of the existing security models for group key exchange. Note, this paper continues the work started in [Man06] which provides an analytical survey on security requirements and currently known models for group key exchange. We emphasize that the following survey focuses on the security aspects of the protocols and does not aim to provide any efficiency comparison. The reader interested in this kind of surveys we

Group key agreement protocols are designed to solve the fundamental problem of securely establishing a session key among a group of parties communicating over a public channel. Although a number of protocols...

A few group key protocols are analyzed, implemented and deployed, but the costs associated with them have been poorly understood. Their analysis of group key agreements performance is based on the cost of performing a single operation. In this paper we extend this analysis to examine the performance behavior of five group key protocols after execution of multiple operation. We report our experimental results for 100 operations consist of combinations of join, leave, mass join, mass leave, merge, and partition. In order to thoroughly compare the performance of five protocols, we simulate three group operations: join-leave-mass joinmass leave, merge-partition, and join-leave-mass join-mass leave-merge-partition to observe what is not apparent from the theoretical analysis. KEY WORDS group key management, group communications, cryptographic protocols 1