Constructing UC Secure and Constant-Round Group Key Exchange Protocols via Secret Sharing

Group key exchange (GKE) is one of the basic building blocks in securing group communication. A number of solutions to GKE problem have been proposed, but most of them are not scalable and require a number of rounds linear with the number of group members. We present a method of constructing constant-round and identity-based protocol via secret sharing for GKE within universally composability (UC) framework. The resultant protocol focuses on round e ﬃ ciency and three rounds of communication are required. The protocol allows the batch veriﬁcation of messages signed by all other group participants. Moreover, compared with other identity-based protocols, the key generation center (KGC) in our protocol is not always online.


INTRODUCTION
In many modern group-oriented and distributed applications, such as distributed simulation, multiuser games, and collaborative tools, scalable and reliable group communication is one of the critical problems. Regardless of the concrete applications environment, security services are necessarily required to provide communication privacy and integrity, which are impossible without secure and efficient key distribution. A group key exchange (GKE) protocol allows a group of participants to establish a common session key which is used to protect the sensible information.
Among the existing authentication systems, asymmetric technologies such as public key infrastructure (PKI) and identity-based (ID-based) system are commonly adopted. The concept of ID-based cryptosystem was firstly proposed by Shamir [1]. Such a scheme has a unique property that a user's public key can be easily calculated from his identity, while the private key can be calculated by a trusted authority called key generation center (KGC). In a typical PKI system, a user should apply for his public key certificate from a certificate authority (CA) and other partners can use this certificate to authenticate the user. In an ID-based system, however, the partner only needs the public identity of the user, such as email address. Thus, compared with certificate-based PKI system, an ID-based system greatly simplifies the procedure of key management.
Communication security is a very important issue when we design a group key exchange protocol in peer group. Only recently have Bresson, Chevassut, Pointcheval, and Quisquater (BCPQ) given the first provably secure model and protocol [2][3][4] for group key exchange setting. Their protocol is based on the protocol of Steiner et al. [5], and requires n rounds to establish a key among a group of n users. The BCPQ model is an important step and very helpful in analyzing and designing group key exchange protocols.

Group key exchange
A number of studies [5][6][7][8][9][10][11][12][13][14][15][16][17][18][19][20][21] have considered the problem of extending the two-party Diffie-Hellman (DH) protocol [22] to the multiparty setting. A class of generic n-party DH protocols is defined in [5] and extended to provide implicit key authentication in [17], and one practical protocol of which is A-GDH.2. A tree-based DH group key exchange protocol has been proposed by Kim et al. [16,23] which is shown to be secure against passive adversaries. Also several papers have attempted to establish ID-based authenticated key exchange 2 EURASIP Journal on Wireless Communications and Networking protocol. Joux presented a one-round tripartite key exchange protocol [10] using pairings. But it is vulnerable to "manin-the-middle" attack. Zhang et al. [14] proposed a new ID-based authenticated three-party key exchange protocol, in which the authenticity is assured by a special signature scheme from pairing. Recently, an ID-based group key exchange protocol which uses the one-way function trees and a pairing is proposed by Reddy and Nalla [7] with informal security analysis. Barua et al. [6] introduced an IDbased multiparty key exchange scheme which uses ternary trees. But the protocols of Reddy and Barua have log 2 n and log 3 n communications rounds, respectively, and are not scalable. Wang and Wu [21] proposed an efficient IDbased multicast scheme which needs a group controller. However, in this paper, we will focus on the peer groups and contributory key exchange.
There are two kinds of famous constant-round group key agreement protocols, one is based on the BD scheme which was proposed by Burmester and Desmedt [13], and the other is based on secret sharing scheme. In PKC'04, Choi et al. [8] presented an efficient ID-based group key exchange schemes from bilinear pairings which is an authenticated bilinear variant of BD scheme, but soon found to be flawed by Zhang and Chen [24]. Tzeng and Pieprzyk and Li [25,26] have shown how secret sharing scheme can be exploited as a building block in group key establishment. Bresson and Catalano proposed a practical and simple group key exchange scheme which combines the ElGamal encryption scheme and the secret sharing technique [19]. Nevertheless, in the protocol of Pieprzyk and Li [26], confidence in fresh of the key depends on a random value supplied by a trusted third party, and this protocol does not provide forward secrecy. Also the scheme [25] of Tzeng lacks forward secrecy.

Provable security for protocols
The basic idea of proving the security of a protocol in a model in which the parties have a random oracle and then instantiating that oracle with an appropriate cryptographic primitive originates in [27,28]. In 1993, Bellare and Rogaway [29] proposed a formal model for proving security of protocols in a two-party setting. A modular approach is presented by Bellare et al. [30] to design and analyze key exchange protocols. The modularity is achieved by applying an authenticator to protocols which have been proven secure in a much simplified adversarial setting where authentication of communication links is not required. Based on these works, Bresson et al. (BCPQ) defined a sound formalization [3] for the authenticated group DH key exchange and provided provably secure protocols within this model. We refer to protocols secure in BCPQ model as AKE-secure. But AKEsecure does not take into account any notion of protection against "insider attack," and AKE-secure protocols may be completely insecure against attacks by malicious insiders. Katz and Shin [31] proposed a solution within the universally composability (UC) framework [32,33] which can guarantee the security of a protocol when it runs concurrently with other protocols.

Our contribution
The purpose of this paper is to present a method of constructing UC-secure constant-round ID-based group key exchange protocols. The resultant protocol is round efficient and only needs three rounds. It allows the batch verification of messages signed by all other group participants, which greatly improves computational efficiency. In addition, the protocol is a contributory key exchange, hence it does not impose a heavy computational burden on a particular party. The most important is that the new protocol is UCsecure and most secret sharing schemes could be adopted to construct our protocol.

Admissible bilinear map [34]
Let G 1 be a cyclic additive group of prime order q and G 2 be a cyclic multiplicative group of same order q. Let P be an arbitrary generator of G 1 . We assume that discrete logarithm problem in both G 1 and G 2 are intractable. A map e: G 1 × G 1 → G 2 satisfying the following properties is called an admissible bilinear map: (i) bilinearity: e(aP, bQ) = e(P, Q) ab ∀P, Q ∈ G 1 and a, b ∈ Z * q , (ii) nondegeneracy: if P is a generator of G 1 , then e(P, P) is a generator of G 2 , that is, e(P, P) / = 1, (iii) computability: there exists an efficient algorithm to compute e(P, Q) ∀P, Q ∈ G 1 .

Computational DH (CDH) problem in G 1
Input: (P, aP, bP) for some a, b ∈ Z * q . Output: abP. The success probability of any probabilistic polynomial time adversary A in solving CDH problem in G 1 is defined to be:

CDH assumption
There exists no algorithm running in expected polynomial time, which can solve the CDH problem with nonnegligible probability. Namely, for any probabilistic polynomial time (PPT) adversary A, Succ CDH A,G1 is negligible.

Aggregate signature
In the construction of our authenticated protocol, we use the bilinear aggregate signature scheme firstly introduced by Boneh et al. [35]. But the base signature scheme is the IDbased bilinear signature scheme proposed by Hess [36]. An aggregate signature scheme is a digital signature that supports aggregation. Concretely, given n signatures on n distinct messages from n distinct participants, it is possible Chunjie Cao et al. 3 to aggregate all these signatures into a single short signature. This single signature and the n original messages will convince the verifier that participant u i indeed signed message m i . The aggregate signature scheme is formally denoted as Λ = {G, K, Sig, Ver, ASig, AVer}, where {G, K, Sig, Ver} is a standard digital signature scheme, which is called the base signature scheme. Here G is a randomized system parameters generator algorithm, K is a randomized key generation algorithm, Sig is a randomized signing algorithm, and Ver is a deterministic algorithm. The aggregation signature algorithm and the aggregation verification algorithm are, respectively, ASig and AVer. The aggregate signature is generated as follows: where δ i is the signature of message m i relative to public key PK i and δ is the single aggregate signature. The verification is done by checking whether Aver PK 1 , PK 2 , . . . , PK i ; m 1 , m 2 , . . . , m n ; Note that we set the co-GDH gap groups are equivalent, so the computational co-DH and decisional co-DH problems [37] reduce to the standard CDH and DDH problems [35].

THE MODEL
The model described in this section is a static group security model extended from one of Bresson et al. [4] which follows the approach of Bellare and Rogaway [29,38,39].

Adversarial model
. . , U n } and ID = {ID 1 , ID 2 , . . . , ID n } be a set of n users and their identities, respectively. Each user U i has a unique identity ID i , which is known to all the other users, and all these identities are distinct. Each user can execute the protocol multiple times with different partners: this is modeled by allowing each user an unlimited number of instances with which to execute the protocol. We denote instance t of U i , called an oracle, as t i for an integer t ∈ N.

Initialization
In this phase, each user U i ∈ U gets his long-term public and private keys. ID-based protocol requires the following initialization phase: (1) the KGC randomly chooses a secret key s ∈ Z q as master key, then computes, and publishes P pub = sP, (2) when each user with identity ID wants to obtain public/private key pair, the KGC uses its master secret key s to compute the corresponding private key S ID and transmits it to the user through a secure channel.

Queries
Normally, the security of a protocol is related to the adversary's ability, which is formally modeled by queries issued by the adversary. We assume that a probabilistic polynomial time adversary A can completely control the communications and make queries to any instance. We now explain the capability that each kind of query captures.
(i) Extract (ID i ): this query allows the adversary to get the long-term private key corresponding to ID i , where ID i / ∈ ID.
(ii) Send ( t i , M): this query allows the adversary to make the user ID i run the protocol normally and send message M to instance t i which will return a reply. (iii) Reveal ( t i ): this query models the adversary's ability to find session group keys. If an oracle has accepted, holding a session key K, then K is returned to the adversary. Note that we say that an oracle accepts when it has enough information to compute a session key. At any time, an oracle can accept and it accepts at most once in executing an operation. As soon as an oracle accepts in executing an operation, the session key is defined. (iv) Corrupt (ID i ): this query models the attacks revealing the long-term private key S i . This does not output any internal data of ID i . (v) Test ( t i ): this query models the semantic security of a session key. This query is allowed only once by the adversary. A random bit b is chosen, if b = 1, then the session key is returned, otherwise a random value is returned.
In this model, we consider two types of adversaries according to their attack types. The attack types are simulated by the queries issued by the adversaries. A passive adversary is allowed to issue "Reveal," "Corrupt," and "Test" queries, while an active adversary is additionally allowed to issue "Send" and "Extract" queries.

Security notions
Definition 1 (partner IDS). Partner identities for instance t i which consist of the users (including ID i himself) with whom t i intends to establish a session key. Partner identities of instance t i are denoted by pid ( t i ).
Definition 2 (session IDS). The session ID is the unique identity of a session, which is denoted by sid ( t i ). To achieve the goal of UC-security, we follow [30,33] in assuming that sid is provided by some higher-level protocol when the GKE protocol is first initiated.
Definition 3 (freshness). An oracle is called fresh (or holds a fresh key) if the following two conditions are satisfied. First, nobody in U has ever been asked for a "Corrupt" query from the beginning of the game. Second, in the current operation execution, t i has accepted and neither U i nor his partners have been asked for a "Reveal" query.
F SS-GKE proceeds as follows, running on security parameter k, with players U 1 , . . . , U n , and an ideal adversary S. Initialization: upon receiving (sid, pid, new-session) from player U i for the first time (where pid is a set of at least two distinct user identities containing U i ), record (sid, pid, U i ), and send this to S. In addition, if there are already |pid| − 1 recorded tuples (sid, pid, U j ) for U j ∈ pid \ {U i }, then store (sid, pid, Initialized) and send this to S. Secret Distribution: upon receiving a message (Share, sid, pid, U i ) from U i , where there is a recorded tuple (sid, pid, Initialized), do the following: (i) if all U ∈ pid are uncorrupted, choose k i ← {0, 1} k and compute P i = g(k i ), where g is a function that can generate |pid| − 1 secret shares. Afterward record (shared, sid, pid, U i , P i ) and send it to all players and S. If there are already |pid| − 1 recorded tuples (shared, sid, pid, U i , P i ,) then store (sid, pid, SecretDistributed) and send this to S, (ii) if U i is corrupted, wait for S to send k i , P i and then record (shared, sid, pid, U i , P i ). Key Generation: upon receiving a message (KeyGeneration) from S where there is a recorded tuple (sid, pid, SecretDistributed), do the following: (i) if all U ∈ pid are uncorrupted, compute key = f (k 1 , k 2 , . . . , k |pid|−1 ), finally, store (sid, pid, key), (ii) if any of the U ∈ pid are corrupted, send the corresponding secret k i to S, wait for S to send a message (SecretKey, key ) and then store (sid, pid, key ). Key Delivery: if S sends a message (deliverKey, U i ), where there is a recorded tuple (sid, pid, key) and U i ∈ pid, then send (sid, pid, key) to player U i . Player Corruption: if S corrupts U i ∈ pid where there is a recorded tuple (sid, pid, key) and message (sid, pid, key) has not yet been sent to U i , then the adversary is given key. Otherwise, S is given nothing.
Let F be a collision-resistant pseudorandom function, and assume that v 0 , v 1 ← {0, 1} k are publicly known and v 0 / = v 1 . Initialization Phase: each player U i generates long-term verification/signing keys (PK i ; SK i ) (in addition to any keys needed for π). The Protocol: players run protocol π. If U i would terminate without accepting in π, then it terminates without accepting in π . Otherwise, if U i would accept in protocol π with output (sid i , pid i , key i ), this player performs the following additional steps: (i) U i computes ack i = F(key i , v 0 ) and sk i = F(key i , v 1 ). Next, U i erases all its local state except for ack i ; sk i , sid i , and pid i . Then, U i computes a signature σ i = Sign(SK i , (U i ; sid i , pid i , ack i )) and sends the message (U i ; σ i ) to all players in pid i , (ii) upon receipt of |pid i | − 1 messages (U j ; σ j ) from all other players U j ∈ pid i \ {U i }, U i checks that Verify (PK j , (U j ; sid j , pid j , ack j ), σ j ) = 1 ∀U j ∈ pid i . If all verifications are successful, then U i accepts and erases its internal state, and outputs (sid i , pid i , sk i ). Otherwise, U i terminates without accepting. Definition 4 (authenticated key exchange security (AKE security)). We say that event Succ occurs if the adversary issues "Test" query to a fresh oracle and correctly guesses the bit b (distinguishing the key from a random string). The advantage of an adversary A in attacking protocol P is defined as Adv P A (k) = |2 Pr[Succ] − 1|. A protocol P is AKE secure, if the following two properties are satisfied: (i) consistency: in the presence of an adversary, all partner oracles accept the same key, (ii) Secrecy: for any PPT adversary A, Adv P A (k) is negligible.
Definition 5 (perfect forward secrecy). A protocol provides perfect forward secrecy if an adversary does not get nonnegligible knowledge information about session keys previously established when making "Corrupt" queries to all group members. We define Adv P A (t, q s , q h ) to be the maximal advantage of any active adversary attacking protocol P, running in time t and making q s "Send" queries and q h "Hash" queries.
Note that we do not define any notion of explicit authentication or, equivalently, confirmation that the other members of the group have computed the common key. However, explicit authentication in our protocol can be achieved at little additional cost. Previous work [4] shows how to achieve explicit authentication for any group authenticated key exchange protocol using one additional round and minimal extra computation.

UNIVERSAL COMPOSABLE GKE PROTOCOLS VIA SECRET SHARING
In this section, we introduce the ideal functionality for group key exchange protocol via secret sharing within the UC Round 1. Initialization: each participant U i picks randomly r i , r i ∈ Z * q , computes, and broadcasts (sid, O i = r i P, O i = r i P). Round 2. Secret Distribution: on receiving O j with the correct sid, each participant U i picks randomly K i ∈ Z q and computes a polynomial f i (x) = K i + a i1 x + a i2 x 2 + · · · + a in−1 x n−1 passing points ( j, H 3 (r i O j )), 1 ≤ j ≤ n, j / = i and (0, K i ). Then computes and broadcasts (sid, P i , δ i ).

Round 3. Key Confirmation
On receiving (P jl , δ l ) with correct sid, 1 ≤ l ≤ n, l / = j / = i, each participant U i computes polynomial f j (x) of degree n that passes (n + l, P jl ) and (i, H 3 (r i O j )). Then U i computes K ij = f j (0) and checks e n j=1 δ j , P = e n j=1 O j + h j Q j , P pub .
If the above aggregate signature is verified successfully, U i computes When receiving |pid| − 1 messages from other participants, U i verifies the aggregate signature as above. If the verification is successful, U i accepts with (sid, pid, sk i ).
framework [32,33]. Then, we show that an AKE-secure GKE protocol based on secret sharing can be compiled to be a UC-secure protocol by applying the compiler (depicted in Algorithm 2 proposed by Katz and Shin [31]. Our secret sharing-based GKE ideal functionality F SS-GKE is depicted in Algorithm 1. In the following, we assume that (1) the underlying group communication system is resistant to failstop failures, which means that the system should provide a consistent membership view to all group members and reliable and causally ordered multicasts; (2) unicast and multicast are reliable. We assume that any user can broadcast messages to others in the broadcast network. In ACM CCS 2005, Katz and Shin proposed a compiler and [31] for GKE protocol, where an AKE-secure GKE protocol π can be compiled to be a UC-secure protocol π . To construct our UC-secure and constant-round GKE protocol via secret sharing, this compiler is involved in our protocol and is a key component. The compiler is depicted in Algorithm 2.
From Theorem 1, we can get the following corollary.

Corollary 1.
If π is an AKE-secure GKE protocol based on secret sharing, then applying the AKE → UC compiler to π results in a UC-secure protocol π .

THE PROTOCOL ID-SS
To construct the UC-secure ID-based GKE protocol via secret sharing, we are motivated by the scheme of Shamir [1]. The resultant protocol is denoted as ID-SS. We assume that there exists an authenticated secure channel between the user and KGC for the distribution of the long-term private key.

System setup
Given the security parameter q, the KGC chooses groups G 1 and G 2 of prime order q, a generator P of G 1 , and a bilinear map e: be other two hash functions, and H 4 be a key derivation function. H 1 , H 2 , H 3 , and H 4 are considered as random oracles. Also the KGC randomly selects v 0 , v 1 ← {0, 1} q , the master secret key s ∈ Z q and computes P pub = sP ∈ G 1 that is made public. Then KGC publishes the following system parameters: e, G 1 , G 2 , q, P, P pub , H 1 ,

Extract
Given a public identity ID ∈ {0, 1} * , the KGC computes Q ID = H 1 (ID) ∈ G 1 and associated private key S ID = sQ ID ∈ G 1 that is transmitted to the user.

EURASIP Journal on Wireless Communications and Networking
Let U = {U 1 , U 2 , . . . , U n } be a set of users who want to establish a common session key and ID i be the identity of U i . Then the public and private key pair of U i is (ID i , S i = sQ i ). Now we describe the protocol in Algorithm 3. H 1 , H 2 , H 3 , and H 4 are random oracles. Then the protocol ID-SS is an AKEsecure protocol providing perfect forward secrecy under the CDH assumption. Concretely,

Theorem 2. Suppose that the hash functions
Proof. Firstly, we prove the correctness of the protocol. In other words, if all users follow the process of the protocol, they can compute a common group key. Because of r i O j = r i r j P = r j O i , user U i can compute the polynomial f j (x) passing (n + l, P jl ), 1 ≤ l ≤ n and (i, r i O j ) according to the messages related to user U j . Then U i computes K j = f j (0). By verifying aggregate signature δ, U i can check whether K j is correct or not. So all participants can derive the same group key K = H 4 (K 1 + K 2 + · · · + K n ). Secondly, we prove that the protocol is a GK secure protocol in the presence of an adversary A, (1) assuming that A modifies the flows, then we build a forger Γ, (2) assuming that A does not modify the flows, then we build a CDH-solver Ψ.

Forger Γ
Assume that A breaks the protocol ID-SS by forging a signature at least with the probability ϕ. We can construct a forger Γ that generates a valid message pair (ID, m, δ) from A. Γ receives ID as the input and accesses a (public) signing oracle. Γ randomly picks i ∈ [1, n] and honestly generates all other public and private keys for the system. However, for user U i , Γ sets ID as U i 's public key. Then Γ starts running A as a subroutine and answers the oracle queries made by A as follows: (i) when A makes "Send ( * , m)" queries, Γ responds in a straightforward way. When A makes "Send ( * , m, δ)" queries, Γ responds in a straightforward way using long-term keys to sing the flows except if A makes the query of the form "Send ( t j , m, δ)." If this occurs, Γ goes through the signing oracle and stores the response in a variable α, (ii) when A makes a "Reveal" query, Γ gives the session key to A, (iii) when A makes a "Corrupt" query, Γ answers in a straightforward way except if A makes the query of "Corrupt (ID)". If this occurs, Γ stops and outputs "Fail," (iv) when A makes a "Hash" query, Γ answers as a random oracle in a straightforward way, (v) when A makes a "Test" query, since all the accepted session keys are known from "Reveal" queries, the query can be answered with the correct session key.
If A has already issued the query of "Send ( t j , m, δ)," where δ is a valid signature on m with respect to ID and (m, δ) / ∈ α, then Γ stops and outputs (m, δ) as a forgery. Otherwise, Γ simply aborts. So the probability Succ Forgery Λ Γ (t) of Γ outputting a forgery is the product of the probability that A generates a valid signature and the probability that A correctly guesses the value of i: CDH-attacker Ψ Next, we assume that A breaks the protocol ID-SS without generating a forgery of signature. Thus from A, we can construct a CDH-attacker Ψ that breaks the protocol by solving an instance of the CDH problem. Let l be an upper bound on the number of sessions invoked by A, then Ψ randomly chooses and γ ∈ [1, l] representing a guess that as to which query of A activates the instance for which A will ask its "Test" query.
Ψ receives an instance (P, aP, and bP) of the CDH problem as input and randomly selects i, j ∈ [1, n].
Then Ψ starts running A as a subroutine and answers the oracle queries made by A. We now describe the simulation of the oracle queries of A in detail.
(i) When A makes a "Send ( * , m)" query, Ψ proceeds as in protocol ID-SS using a random value except if the query is "Send (Π i , m)" or "Send (Π j , m)" query in the γth session. If this occurs, Ψ sets O i = aP, O j = bp. When A makes "Send ( * , m, δ)" queries, Ψ responds in a straightforward way using long-term keys to sing the flows except if the query is "Send (Π i , m, δ)" or "Send (Π j , m, δ)" query in the γth session. If this occurs, Ψ responds using a random value and long-term keys to sing the flows, (ii) when A makes a "Corrupt query," Ψ answers with the corresponding long-term private key in a straightforward way, (iii) when A makes a "Reveal query," Ψ answers in a straightforward way except if the session key is of the γth session. In the latter case, Ψ stops and outputs "Fail," (iv) when A makes a "Hash query," Ψ answers as a random oracle in a straightforward way, (v) when A makes a "Test query," Ψ answers with a random string.
Since Ψ knows all the keys except for one execution of ID-SS, this simulation is perfectly indistinguishable from an execution of the real protocol ID-SS.
At some stage, A completes and returns a value b . The probability that Ψ correctly guesses on which session key A Chunjie Cao et al. 7 will make the "Test query" is the probability that Ψ correctly guesses the value γ. That is μ = 1/l.
Let ask H be the event that A makes a "Hash query" on (K 1 + K 2 + · · · + K n ) and Forge be the event that A forges a signature with regard to some participant's long-term public key. We emphasize that, in the random oracle model, A cannot get any advantage on a random value without asking for it. The success probability of Ψ is the probability that A asks the correct value to the hash oracle multiplied by the probability that Ψ correctly chooses the "Hash query" and multiplied by the probability that Ψ correctly guesses the value γ. That is: Finally, we have: Then from the definition Adv P A (k) = 2 Pr[Succ] − 1 and above three equations, we can get the result as follows: We next show that the authentication scheme Λ is secure against existential forgery on adaptively chosen ID attack. Lemma 1. Let G 1 be an additive group with order q and the map-to-point hash function H 1 be a random oracle. We assume that the PPT forger A breaks the bilinear aggregate signature scheme Λ for an adaptively chosen ID with advantage ε 0 and running time t 0 . Suppose that A makes at most q H1 queries to the hash function H 1 . Then from A, we can construct a PPT forger B for a given ID with advantage ε 0 ≤ ε 1 (1 − 1/q)/q H1 and running time t 1 ≤ t 0 . Lemma 2. Let the hash function H 1 , H 2 be random oracles. Suppose that B is a PPT forger for a given ID with advantage ε 1 ≥ 10q H1 (q s +q H2 )/(q −1) and running time t 1 . Suppose that B makes at most q H1 , q H2 , q s , and q ex queries to the H 1 , H 2 , "Send" and "Extract" oracles, respectively. Then from B, we can construct a PPT attacker C that can solve the CDH problem within time t 2 ≤ 120686q H2 t 1 /ε 1 .
The security analysis of Lemmas 1 and 2 is similar to that of [8], for space limitation, we omit the proof of them. Then, we can directly obtain the following theorem from the above two lemmas. Theorem 3. Let H 1 , H 2 be random oracles. Then the bilinear aggregate signature scheme Λ on G 1 is secure against existential forgery on adaptively chosen ID attack under the CDH assumption.
Then from Theorem 2 and Corollary 1, we deduce the following theorem.

CONCLUSION
In this paper, a method of constructing UC secure and constant-round GKE protocol was presented. It allows modular design and analysis of the GKE protocol and the resultant protocol only needs three communication rounds to compute a common group key. Moreover, most secret sharing schemes could be adopted to construct UC secure and constant-round GKE protocol according to our method.
The efficiency of protocols with UC security is usually low for their high security rank. As future work, we plan to formally examine the possibility of extending this security model to improve the performance of protocols by analyzing the relation between security and efficiency under UC framework.