TreeKEM
mls implementations
After processing the update, however, parties do not erase or modify the PKE secret keys used to decrypt the update information, since they might need them to process future updates. Hence, corrupting any party other than the update initiator will completely reveal I to an attacker, thereby violating FS.
Fixing TreeKEM
This kind of key evolution ensures that after decryption, the (evolved) secret key leaks no information about the original message, thereby thwarting the above attack.
Global ordering of messages
public bulletin board model like blockchain
Adaptive security
being able to corrupt on-the-fly depending on values and messages produced by the protocol
Backgrounds
Double ratchet
Updatable PKE
ART Protocol
BE (Broadcast Encryption) scheme
the trusted group manager distributed all the secret keys, as well as message content. Moreover, users do not need to update their secret keys (meaning the schemes are stateless), as the trusted manager can add or revoke users at will.
allows group members (and, in fact, anybody) to deliver content, but the group management is still done by the trusted authority.
ME (Multicast Encryption) scheme
improve the efficiency of BE schemes.
group management is still done by the trusted authority, and no PCS is considered.
CGKA security
Correctness
Privacy
FS
PCS
The four oracles(create-group, add-user, remove-user, send-update) allow the adversary to instruct parties to initiate new epochs, whereas the deliver oracle makes parties actually proceed to the next epoch.
refs