New construction of affiliation-hiding authenticated group key agreement

In CT-RSA 2007, Jarecki, Kim, and Tsudik introduced the notion of affiliation-hiding authenticated group key agreement (AH-AGKA) protocols and presented two concrete AH-AGKA protocols. In this paper, we will show that these protocols have some drawbacks. We will also introduce the notion of affiliation-hiding authenticated asymmetric group key agreement (AH-AAGKA) and present an AH-AAGKA protocol. AH-AAGKA protocols allow the participants of a group to establish a common encryption key associated with several decryption keys; each of which can only be computed by the corresponding legitimate participant. Meanwhile, any party is assured that its affiliation is revealed to the participants that belong to the same group only. Compared with previous AH-AGKA protocols, if invalid players participate in our protocol, legitimate participants can identify these invalid players. In contrast to existing AH-AGKA protocols, our protocol holds perfect forward secrecy, which is proven in a novel security model we proposed. Additionally, we present a new privacy model to prove that our protocol achieves linkable affiliation-hiding property.