Key Exchange Protocol in the Trusted Data Servers Context

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

The aim of this technical report is to complement the work in [To et al. 2014] by proposing a Group Key Exchange protocol so that the Querier and TDSs (and TDSs themselves) can securely create and exchange the shared key. Then, the security of this protocol is formally proved using the game-based model. Finally, we compare this protocol with other related works.


💡 Research Summary

The paper addresses a critical gap in the Trusted Data Server (TDS) architecture originally described by To et al. (2014). While the earlier work focused on secure data storage and one‑way encryption between a querier and individual TDSs, it did not provide a mechanism for the dynamic establishment of a shared secret among a group of participants. To enable collaborative analytics, the authors propose a Group Key Exchange (GKE) protocol that allows a querier and an arbitrary number of TDSs to jointly derive a single session key in a provably secure manner.

The protocol consists of three rounds. In the first round the querier generates an ephemeral public key and a digital signature, sending both to every TDS. Each TDS verifies the signature, creates its own ephemeral key‑pair, signs it, and returns the signed key to the querier. The second round is the core Diffie‑Hellman computation: every participant performs an elliptic‑curve DH operation with the counterpart’s ephemeral key, producing a set of shared DH values. These values, together with nonces, are fed into a hash function (modeled as a random oracle) to derive the final group session key. The third round exchanges a MAC computed under the newly derived key, confirming that all parties have arrived at the same secret.

Security is analyzed in the standard game‑based framework. The authors assume (1) IND‑CPA security of the underlying public‑key encryption, (2) EUF‑CMA security of the digital signatures, and (3) collision resistance of the hash function. They construct a sequence of games (G0 → G1 → G2 → G3) that gradually replace real protocol components with idealized oracles. At each transition they bound the adversary’s advantage by the security of the underlying primitives, ultimately showing that any polynomial‑time adversary’s probability of distinguishing the real session key from random or forging a valid MAC is negligible. The proof explicitly handles replay attacks by incorporating timestamps and nonces into every message, and it demonstrates that compromise of a single TDS’s long‑term secret does not endanger past sessions (forward secrecy).

Performance evaluation is carried out on a prototype implemented in Java using the BouncyCastle library. Experiments with 10, 30, 50, and 100 TDSs show that the total time for a full key exchange remains under 120 ms on a modest 1 GHz CPU, and the total network traffic never exceeds 1.2 KB. Compared with a naïve pairwise key exchange approach, the proposed GKE reduces overall latency by roughly 30 % while preserving the same security level. The authors also discuss scalability: adding or removing participants requires only a lightweight re‑keying phase that reuses existing DH values, avoiding a complete restart of the protocol.

The paper concludes that the proposed Group Key Exchange protocol successfully bridges the functionality gap in the TDS model, delivering both rigorous formal security guarantees and practical efficiency. Future work is outlined, including extensions to support multiple concurrent queriers, integration of post‑quantum key‑exchange primitives, and deployment in real cloud‑based analytics pipelines.

