Revisiting pairing based group key exchange

Secure communication within a large group of users such as participants in a phone or video conference relies on the availability of secure data and efficient data transmission. Group key exchange protocols allow a (large) group of n users to establish a joint secret key which can be used in symmetric systems to efficiently en- and decrypt messages to and from the group. To deal with varying constellations of the groups and to ensure key freshness it is essential that the group key exchange protocol is efficient. Most protocols are generalizations of two-party protocols like Diffie-Hellman key exchange. The Burmester and Desmedt I protocol establishes a key in a constant number of rounds independent of the size of the group of users and in O(n) complexity of computation per user. After Joux's proposal to use pairings to enable a one-round tripartite key exchange (KE) several extensions of existing group KE and authenticated key exchange (AKE) protocols were published. However, quite a few turned out to be flawed and the complexity is often worse than for the original scheme. In this paper we propose a new constant round pairing based group AKE protocol which requires a lower computational complexity per user compared to previous proposals. Furthermore, the scheme is particularly interesting for groups in which some members enjoy more computational power than others. The protocol is most efficient if these members constitute roughly half of the group. We also provide a pairing-based version of the Burmester-Desmedt II group key exchange which runs in 3 rounds and requires only O(log n) computation and communication. Both protocols are faster than any published pairing-based key exchange protocols. If the parameters are chosen appropriately so that the pairing computations are fast the protocols can outperform the respective DL-based Burmester-Desmedt key exchange protocols.