Dynamic Asymmetric Group Key Agreement Based on SM9 Signature

Abstract

In 2021, the SM9 identity-based cryptographic algorithm became an ISO/IEC international standard, marking a significant advancement in China’s commercial cryptography technology and international standardization capabilities. The SM9 key exchange protocol, a component of the SM9 algorithm suite, provides secure communication by establishing a shared symmetric key between two parties. However, in a group of n users, directly applying this key exchange protocol requires each user to perform O(n) encryption operations and transmit an O(n)-sized ciphertext to ensure confidentiality, which becomes highly inefficient for large groups. To enable efficient secure group communication, we first develop a batch multi-signature algorithm based on SM9, and then we propose a dynamic asymmetric group key agreement (SMDAGKA) protocol based on this method. Our protocol reduces the required encryption operations and ciphertext size to O(1), significantly improving efficiency. Security proofs demonstrate that our scheme achieves a high level of security, and performance analysis shows that it incurs relatively lower computational overhead than related protocols.

1. Introduction

With advancements in technology—mainly driven by big data, artificial intelligence, distributed systems, and other innovative applications—the scenarios for multi-party communication are becoming increasingly diverse. However, multi-party communication also brings significant security challenges. If data is not well protected during transmission, it becomes susceptible to breaches and leaks. Since multi-party communication frequently involves exchanging sensitive information, maintaining secure and effective collaboration among all parties without exposing critical data is critical.

In traditional multi-party secure communication, symmetric group key agreement methods enable participants to agree on a shared symmetric key, ensuring secure communication among all members. When an external member wishes to send confidential information to the group, they are required to join the group first to obtain the shared key, which can be a cumbersome procedure. In contrast, asymmetric group key agreement (AGKA) enables external members to encrypt messages using the group’s public key without joining the group, broadening its range of applications.

Asymmetric group key agreement methods were introduced to simplify key management in multi-party communication. Zhang et al. [1] introduced a blockchain-based AGKA method, where all group members collaboratively establish a shared group public and group private key. However, employing a single shared group private key for all members restricts the ability to expand the functionality, such as applying the method to broadcast encryption. Notably, as early as 2009, Wu et al. [2] proposed an asymmetric group key agreement method that goes beyond simply concatenating the group members’ public keys. Instead, the technique allows all members to agree on a shared group public key while each group member possesses a distinct group private key. This approach reduces the significant computational overhead and large ciphertexts associated with public key concatenation. Zhang et al. [3] later provided a security proof for this scheme and extended it to a broadcast encryption system. Additionally, Zhang et al. [4] introduced an identity-based AGKA protocol that is resilient to passive and active attacks. This identity-based method removes the requirement for certificates, thereby solving the certificate management issues typically associated with conventional public key cryptosystems.

However, in refs. [2,4], group members agree on a common group public key and distinct group private keys, which do not support the dynamic joining of external members. To overcome this limitation, Zhang et al. [5] introduced an identity-based dynamic AGKA protocol that facilitates secure message transmission without requiring the sender to join the group while supporting dynamic member changes and ensuring provable key escrow freeness. Li et al. [6] introduced an identity-based dynamic AGKA protocol that ensures secure communication and privacy preservation without the need for the sender to join the group. Similarly, Zhang et al. [7] introduced a one-round dynamic AGKA method that facilitates secure communication and privacy protection without the need for the sender to join the group.

Although the schemes in refs. [5,6] propose identity-based dynamic AGKA protocols, these identity-based public key cryptography methods they rely on are currently limited in practical applications, which makes their deployment challenging. In contrast, the identity-based SM9 algorithm offers broader applicability and lower computational overhead. Therefore, exploring identity-based dynamic AGKA protocols relying on the SM9 algorithm is crucial.

The principal contributions of our scheme can be outlined in the following manner:

(1) We are the first to integrate the SM9 identity-based signature algorithm into a dynamic AGKA protocol from the SM series. We first propose a batch multi-signature based on SM9, and based on this method, we implement an AGKA protocol. Given that the SM9 algorithm is technically mature and widely adopted, our solution offers easier deployment and better compatibility than other dynamic AGKA protocols.

(2) Our SMDAGKA scheme leverages the dynamic SM9 signature method, enabling external members to join and internal members to leave the group, making it highly suitable for group communication applications. Compared to a naive approach where each group member uses the SM9 key exchange protocol individually, resulting in O(n) encryption operations and O(n) ciphertext transmission, our proposed scheme significantly reduces the computational burden to only O(1) encryption operation and O(1) ciphertext transmission, achieving substantial efficiency gains.

(3) Performance analysis demonstrates that our SMDAGKA scheme achieves superior computational efficiency compared to related schemes, significantly reducing the time complexity and resource consumption associated with key management and group updates. This enhanced efficiency ensures faster response times, lower overhead, and improved scalability, making it a more practical solution for real-world group communication scenarios.

The rest of this paper is structured as follows: Section 2 provides an overview of prior research on the DAGKA scheme. Section 3 outlines the cryptographic techniques utilized in the DAGKA scheme. Section 4 introduces the fundamental components of our SMDAGKA scheme. A comprehensive description and security analysis of the SMDAGKA scheme can be found in Section 5. The performance of the SMDAGKA scheme is assessed in Section 6. Lastly, Section 7 summarizes the paper’s main conclusions.

2. Related Work

Group key agreement (GKA) is a mechanism used in multi-party communication networks where participants collaboratively produce a shared symmetric key. This key is then employed to encrypt and secure communication within the group. Kemmoe et al. [8] introduced an asynchronous symmetric GKA scheme that utilizes blockchain and smart contracts for storing security-related data. This approach eliminates the security risks associated with relying on a trusted third party for key generation and management while reducing the computational burden on participants. Li et al. [9] introduced a physical-layer symmetric GKA architecture that incorporates fully and partially trusted third parties in the key generation process, aiming to enhance secure communication among resource-constrained devices. Wang et al. [10] proposed a physical-layer symmetric GKA scheme based on satellite cluster state information. Their method utilizes signal status data from all visible navigation satellites to generate the group key and includes an updating framework based on a fuzzy generator and hash chain. This design improves the robustness of key updates and ensures alignment during key generation. In all the above schemes, the encryption and decryption keys are symmetric, meaning they are identical. As a result, external members must first join the group to enable secure communication with its existing members.

The common AGKA method has been introduced to facilitate secure communication between external users and group members without requiring external users to join the group. Zhang et al. [1] proposed a blockchain-based common AGKA protocol that employs anonymous authentication to safeguard user privacy. Braeken et al. [11] developed a one-round, pairing-free common AGKA protocol suitable for users authenticated by different certificate authorities. Nevertheless, in both protocols, every group member utilizes the same group public and group private keys, which restricts the scalability and flexibility of the method, particularly in use cases such as broadcast encryption.

Wu et al. [2] were the first to propose an AGKA protocol utilizing multi-signatures, where all group members share a common group public key while maintaining distinct group private keys. This approach reduces ciphertext size and computational overhead compared to each group member’s cascading of individual public keys. However, the protocol lacks formal security proof and is vulnerable to active attacks. Zhang et al. [3] addressed these issues by providing security proof for Wu’s protocol and proposing an improved version resistant to active attacks. They further applied this enhanced protocol to the broadcast encryption scenario, enabling the message sender to select a subset of recipients who can decrypt the message while preventing unselected group members from accessing it.

To defend against active attacks, Zhang et al. [4] defined a formal security model for identity-based authenticated AGKA protocols. They introduced a one-round protocol utilizing bilinear maps, guaranteeing key secrecy, partial forward secrecy, and known-key security. However, it was noted that the protocol did not account for the dynamic joining and leaving of group members. Zhang et al. [5] introduced a one-round dynamic AGKA protocol that enables group members to generate a public group encryption key dynamically. Building on this, Li et al. [6] introduced the concept of sender non-repudiation, requiring users who hold the group encryption key to transmit messages that are both non-repudiable and privacy-preserving to the group. Zhang et al. [7] further enhanced the protocol by introducing a dynamic AGKA scheme with restricted group size, ensuring privacy protection and sender non-repudiation. However, the identity-based public key cryptography mechanisms used in these dynamic asymmetric group key agreement protocols have seen limited adoption, hindering their potential for large-scale deployment and scalability. Therefore, it is essential to explore the dynamic AGKA scheme relying on the widely adopted SM9 identity-based algorithm.

Mu et al. [12] integrated the SM9-based digital signature algorithm with the Paillier encryption scheme [13] and introduced a randomization method to prevent direct encryption of elliptic curve points used in the signature algorithm. This approach enhances both the authenticity and confidentiality of the communication system. Liu et al. [14] developed a multi-key generation center (KGC) identity authentication encryption scheme based on SM9, extending its functionality from single-user to multi-user signatures. This scheme guarantees non-repudiation, unforgeability, anonymity, and defense against malicious users and KGCs threats. Subsequently, Yan et al. [15] introduced a hierarchical multi-KGC signature scheme relying on SM9, which reduces the workload of individual KGCs. In this scheme, if a lower-level KGC is compromised, higher-level KGCs remain unaffected, improving system reliability. Liu et al. [16] further introduced an SM9-based two-party collaborative signature scheme, where two KGCs generate the user’s private key by splitting the secret integer across two devices. These devices collaborate during the signing process, preventing the total leakage of the private key. Finally, Zhang et al. [17] introduced an FPGA-based SM9 aggregation signature scheme that combines hardware acceleration with efficient algorithms to enhance signature verification performance.

Based on the schemes discussed above, it is evident that the SM9 signature algorithm has undergone significant improvements and has found broad applications. To improve the efficiency of group communication, exploring asymmetric group key agreement methods based on SM9 signatures is essential, particularly for large-scale group communication scenarios.

3. Preliminaries

3.1. Definition

The content below represents the fundamental information necessary for our scheme.

Definition 1

(Bilinear pairing [18]). Let ${\mathbb{G}}_1$ and ${\mathbb{G}}_2$ be two additive cyclic groups, ${\mathbb{G}}_{\mathbb{T}}$ is a multiplicative cyclic group, and the orders of the three groups are all prime q. The generators of the two additive cyclic groups are $P_1$ and $P_2$, respectively. The bilinear map $e:{\mathbb{G}}_1\times {\mathbb{G}}_2\to {\mathbb{G}}_T$ should satisfy the following attributes:

1. Bilinear: For any $P\in {\mathbb{G}}_1$, $Q\in {\mathbb{G}}_2$, and ($a,b)\in {\mathbb{Z}}_q$, there is $e(aP,bQ)=e{(P,Q)}^{ab}$.

2. Non-degenerate: There exists $P\in {\mathbb{G}}_1$, $Q\in {\mathbb{G}}_2$, such that $e(P,Q)\ne 1_{{\mathbb{G}}_T}$.

3. Computable: For any $P\in {\mathbb{G}}_1$, $Q\in {\mathbb{G}}_2$, there exists an effective algorithm to compute $e(P,Q)$.

Definition 2

(SM9 signature algorithm [19,20]). The detailed procedure for the SM9 signature scheme can be described as:

(1) The key generation center (KGC) chooses a nonce $ks\in [1,q-1]$ as the master private key and computes $P_{pub}$ = $ks·P_2$ as the master public key, where q is the order of the cyclic groups ${\mathbb{G}}_1$, ${\mathbb{G}}_2$, and ${\mathbb{G}}_{\mathbb{T}}$.

(2) The KGC selects and publishes the one byte identifier $hi{d}_i$ for $ID$.

(3) The KGC calculates $t_1=H_1(ID||hid,q)+ks$. If $t_1\equiv 0($mod $q)$, then it rechooses the master private key $ks$, calculates and publishes the master public key $P_{pub}$, and updates all registered users’ signing private keys. Else, it calculates $t_2=ks·t_1^{-1}mod$ q and, then, calculates $sk=\left[t_2\right]P_1$.

The detailed procedure for the SM9 signature and verification method can be described as:

SM9 Signature Algorithm of $ID$

Input: SM9 system parameters, message m

Output: signature (h,S)

1. Calculate $g=e(P_1,P_{pub})$ in ${\mathbb{G}}_T$

2. Generate a nonce $r\in [1,q-1]$

3. Calculate $w=g^r$ in ${\mathbb{G}}_T$ and convert the type of w to bit string

4. Calculate $h=H_2(m||w,q)$

5. Calculate $l=(r-h)$ mod q

6. if $l=0$ then

7. goto (2)

8. else

9. Calculate $S=\left[l\right]sk$ in ${\mathbb{G}}_1$

10. return Signature $(h,S)$ of message m

SM9 Verification Algorithm of $I{D}_i$

Input: signature $(h,S)$, message m

Output: “True” or “False”

1. Check if $h\in [1,q-1]$, otherwise, the verification algorithm terminates

2. Convert the type of S to a point on the elliptic curve, and then check if $S\in {\mathbb{G}}_1$;

otherwise, the verification terminates

3. Calculate $g=e(P_1,P_{pub})$ in ${\mathbb{G}}_T$

4. Calculate $t_i=g^h$ in ${\mathbb{G}}_T$

5. Calculate $h_1=H_1(ID||hid,q)$

6. Calculate $P=h_1$$P_2+P_{pub}$ in ${\mathbb{G}}_2$

7. Calculate $u_i=e(S,P)$ in $G_T$

8. Calculate $w_i^{\prime }=u_i$·$t_i$ in ${\mathbb{G}}_T$, and convert the type of $w_i^{\prime }$ to a bit string

9. Calculate $h_{2i}=H_2(m||w_i^{\prime },q)$, and check whether $h_{2i}=h_i^{\prime }$ output is true;

otherwise output false

To prove the security of the proposed scheme, we review several fundamental hard problems in cryptography, which are formally defined as follows.

Definition 3

(CDH Problem [21]). Random selects $(a,b)\in {\mathbb{Z}}_q^{*}$; given (g, $g^a$, $g^b$) $\in {\mathbb{G}}_T$, the adversary $\mathcal{F}$ can solve the computational Diffie–Hellman (CDH) problem if it can compute $g^{ab}$ with a non-negligible probability.

Definition 4

(k-BDHE Problem [22]). Given $P\in {\mathbb{G}}_1$, $Q\in {\mathbb{G}}_2$, and $P_i$ = $a^{i}P$ in ${\mathbb{G}}_1$ for i = $\{1, 2, \dots , k, k+2, \dots , 2k\}$ as input with unknown $a\in {\mathbb{Z}}_q^{*}$, the adversary $\mathcal{F}$ can solve the k-Bilinear Diffie–Hellman Exponent (k-BDHE) problem if it can compute $e{(P,Q)}^{a^{(k+1)}}$ with a non-negligible probability.

Definition 5

(n-BCAA1 Problem [23]). For $P\in {\mathbb{G}}_1$, $Q\in {\mathbb{G}}_2$, $x\in {\mathbb{Z}}_q$ and an integer n, given (P, Q, $xQ$, $h_0$, ($h_1$, ${\displaystyle \frac{x}{h_1+x}}P$), …, ($h_n$, ${\displaystyle \frac{x}{h_n+x}}P$)), where $h_i\in {\mathbb{Z}}_q$ and are different from each other for $0\le i\le n$, the adversary $\mathcal{F}$ can solve the n-Bilinear Collision Attack Assumption (n-BCAA1) if it can compute $e{(P,Q)}^{{\displaystyle \frac{x}{h_0+x}}}$ with a non-negligible probability.

3.2. Security Model

Considering the existence of passive and active adversaries in communication systems, messages transmitted over open channels may be not only eavesdropped, but also captured, deleted, and tampered with. In addition, adversaries can inject forged messages arbitrarily. The security model introduced in this section is applicable to group key agreements. The challenger $\mathcal{C}$ executes the entire scheme and accesses all private and public messages related to the protocol. The adversary $\mathcal{A}$ can adaptively issue multiple types of queries as follows:

$Corrupt(·)$: $\mathcal{C}$ outputs the current private key of group users to simulate forward secrecy.

$Send(·)$: This query triggers the execution of the protocol.

$EK.Reveal(·)$: $\mathcal{C}$ outputs the group encryption key.

$DK.Reveal(·)$: $\mathcal{C}$ outputs the group decryption key.

$Join(·)$: It triggers the operation of user group joining.

$Leave(·)$: It triggers the operation of group member revocation.

$Test(·)$: The adversary $\mathcal{A}$ selects two messages $(m_0,m_1)$ with the same format and sends them to $\mathcal{C}$. Then, $\mathcal{C}$ randomly selects a bit $b\in \{0,1\}$, encrypts $m_b$ with the group encryption key to generate the ciphertext c, and returns c to $\mathcal{A}$. This query can be executed only once to model message confidentiality.

Security Game: The security game terminates once $\mathcal{A}$ outputs its guess $b^{\prime }$ for b. The adversary $\mathcal{A}$ wins the game if $b^{\prime }=b$. The advantage of $\mathcal{A}$ is defined as

$${\mathbf{Adv}}_{\Pi ,\mathcal{A}}=2\left|Pr\left[b^{\prime }=b\right]-{\displaystyle \frac{1}{2}}\right|$$

where b denotes the random bit chosen in the game, and $b^{\prime }$ is the bit guessed by $\mathcal{A}$.

4. The Fundamental Block

Our SMDAGKA scheme is built upon a newly devised batch multi-signature (BMSS) method based on the SM9 signature algorithm. The method includes the initialization phase, member key generation phase, batch multi-signature generation phase, and verification phase, and the details of the BMSS method are provided below:

• Setup:

The trusted authority generates sets $params=({\mathbb{G}}_1, {\mathbb{G}}_2, {\mathbb{G}}_T, e(), m_1, \dots , m_n, q, H_1, H_2, P_{pub}, Gid)$ as in

Table 1. Notations.

${\mathbb{G}}_1$	additive cyclic group	${\mathbb{G}}_2$	additive cyclic group	$\mathit{G}\mathit{i}\mathit{d}$	group identifier
${\mathbb{G}}_T$	multiplicative cyclic group	$e()$	the bilinear map function	H	hash function
$H_1$	${\{0,1\}}^{*}$→${\mathbb{Z}}_q^{*}$	$H_2$	${\{0,1\}}^{*}$→${\mathbb{Z}}_q^{*}$

; where different users belong to a group, they share the same group identifier $Gid$, and the calculation process of $P_{pub}$ is as follows.

(1) The KGC chooses a nonce $ks\in {\mathbb{Z}}_q^{*}$ as the master private key and computes $P_{pub}$ = $ks·P_2$ as the master public key.

(2) The KGC selects and publishes the one byte identifier $hi{d}_i$ for $I{D}_i$.

(3) The KGC calculates $t_i=H_1(I{D}_i\left|\right|hi{d}_i,q)+ks$. If $t_i$ mod $q\equiv 0$, then it rechooses the master private key $ks$, calculates and publishes the master public key $P_{pub}$, and updates all registered users’ signing private keys. Else, it calculates $s{k}_i=t_i^{-1}ks{P}_1$ as the user $I{D}_i^{\prime }s$ signature private key.

(4) The KGC calculates $X_i=t_i^{-1}{P}_1$ for $I{D}_i$ and then sends $X_i$ to $I{D}_i$ through a public channel, and sends $s{k}_i$ to $I{D}_i$ through a secure channel.

• KeyGen:

(1) After $I{D}_i$ receives ($X_i,s{k}_i$), $I{D}_i$ calculates $e(X_i,P_{pub})$, and $e(s{k}_i,P_2)$; if $e(X_i,P_{pub})$ = $e(s{k}_i,P_2)$, then it sets $p{k}_i=e(s{k}_i,P_2)$.

(2) $I{D}_i$ randomly selects a nonce $r_i\in {\mathbb{Z}}_q^{*}$, and then calculates $R_i=e(X_i{r}_i,P_{pub})$.

(3) $I{D}_i$ publishes its public key $p{k}_i$ and a nonce $R_i$ throughout the system by broadcasting them.

(4) $I{D}_i$ acquires $(p{k}_j,R_j)$ for $j\in \{1,\dots ,n\}$ and $j\ne i$. Then, $I{D}_i$ calculates the group public key $PK$ and random number R as follows:

$$PK={\displaystyle \prod _{i=1}^n}p{k}_i=e({\displaystyle \sum _{i=1}^n}{X}_i,P_{pub})R={\displaystyle \prod _{i=1}^n}{R}_i=e({\displaystyle \sum _{i=1}^n}{r}_i{X}_i,P_{pub})$$

• Sign:

(1) $I{D}_i$ calculates $g=e(P_1,P_{pub})$ in $G_T$.

(2) $I{D}_i$ calculates $h_j=H_2(m_j\left|\right|Gid,q)$, $l_{i,j}=(r_i-h_j)mod$ q, where $j\in \{1, \dots , n\}$, if $l_{i,j}=0$, $I{D}_i$ reselects the nonce $r_i\in {\mathbb{Z}}_q^{*}$ and goto KeyGen phase.

(3) For message $m_j$ where $j\in \{1, \dots , n\}$, $I{D}_i$ calculates signature

$$\begin{array}{c}\hfill s_{i,j}=(r_i-h_j)s{k}_i,j\in \{1, \dots , n\}\end{array}$$

• Aggregate:

Any member can consolidate batch signatures into a BMSS characterized by ($R, d_1, \dots , d_n$). The formulation proceeds as detailed below:

$$\begin{array}{c}\hfill d_j={\displaystyle \sum _{i=1}^n}{s}_{i,j}={\displaystyle \sum _{i=1}^n}(r_i-h_j)s{k}_i\end{array}$$

• Verify:

The correctness of the above equation is shown below:

(1) The verifier computes R, $PK$ as follows:

$$R={\displaystyle \prod _{i=1}^n}{R}_i=e({\displaystyle \sum _{i=1}^n}{r}_i{X}_i,P_{pub})PK={\displaystyle \prod _{i=1}^n}p{k}_i=e({\displaystyle \sum _{i=1}^n}{X}_i,P_{pub})$$

(2) The verifier checks $d_j$ for $j\in$ {$1, \dots , n$} as follows:

$$e(d_j,P_2)\stackrel{?}{=}P{K}^{-h_j}R$$

If every equation is satisfied, the verifier will produce a valid result; otherwise, the result will be invalid.

The validity of the above equation is demonstrated below:

$$\begin{array}{cc}\hfill & e(d_j,P_2)\stackrel{?}{=}P{K}^{-h_j}R\hfill \\ & e(d_j,P_2)\hfill \\ \hfill =& e({\displaystyle \sum _{i=1}^n}(r_i-h_j)t_i^{-1}ks{P}_1,P_2)\hfill \\ \hfill =& e({\displaystyle \sum _{i=1}^n}{r}_i{t}_i^{-1}{P}_1-{\displaystyle \sum _{i=1}^n}{h}_j{t}_i^{-1}{P}_1,P_{pub})\hfill \\ \hfill =& e({\displaystyle \sum _{i=1}^n}{r}_i{t}_i^{-1}{P}_1,P_{pub})e(-{\displaystyle \sum _{i=1}^n}{h}_j{t}_i^{-1}{P}_1,P_{pub})\hfill \\ \hfill =& e({\displaystyle \sum _{i=1}^n}{r}_i{X}_i,P_{pub})e{({\displaystyle \sum _{i=1}^n}{X}_i,P_{pub})}^{-h_j}\hfill \\ \hfill =& P{K}^{-h_j}R\hfill \end{array}$$

(1)

$$\begin{array}{c}\hfill e(X_i,P_{pub})\stackrel{?}{=}e(s{k}_i,P_2)\\ \hfill e(X_i,P_{pub})\\ \hfill =e(X_i,ks{P}_2)\\ \hfill =e(ks{X}_i,P_2)\\ \hfill =e(s{k}_i,P_2)\end{array}$$

(2)

5. The SMDAGKA Protocol

Our proposed SMDAGKA scheme network model is illustrated in Figure 1. The SMDAGKA scheme is constructed on the basis of the BMSS method. Different from the BMSS method, each group member in the SMDAGKA scheme retains the batch multi-signature $s_{i,i}$, defined in BMSS method as its group private key. Meanwhile, compared with the BMSS method, the proposed SMDAGKA scheme supports dynamic joining and leaving of group members, as well as group message encryption and decryption. The process of the scheme includes system initialization, generation of public and private keys for group members, creation of batch multi-signatures (agreement), generation of group encryption and decryption keys, addition of external members to the group, removal of group members, encryption of messages, and decryption of messages, and the details of the SMDAGKA protocol are provided below:

• Setup:

It is almost identical to the Setup algorithm described in Section 4, the only difference being the addition of two hash functions $H_3:{\mathbb{G}}_T\to {\{0,1\}}^{*}$, $H_4:{\{0,1\}}^{*}\to {\{0,1\}}^{*}$.

• KeyGen:

It is identical to the KeyGen algorithm (1–3) described in Section 4. The user $I{D}_i$’s secret key is $s{k}_i$, the secret random number is $r_i$, the public key is $p{k}_i$, and the public random number is $R_i$.

• Agreement:

It is identical to the Sign algorithm described in Section 4 except $s_{i,i}$ ($i\in \{1, \dots , n\}$) serves as the group private key for each group member $I{D}_i$ and is not published. As shown in Figure 2, the symbol {} represents the user’s private information. Group member $I{D}_i$ publishes its identity $I{D}_i$, signature information $s_{i,j}$ where $j\in \{1, \dots , n\}$ and $j\ne i$, personal public key $p{k}_i$, and public random number $R_i$.

• Enc.KeyGen:

Every group member, denoted as $I{D}_i$, is capable of executing the outlined steps to acquire the shared group encryption key $PK$ and random number R.

$$PK={\displaystyle \prod _{i=1}^n}p{k}_i=e({\displaystyle \sum _{i=1}^n}{X}_i,P_{pub})R={\displaystyle \prod _{i=1}^n}{R}_i=e({\displaystyle \sum _{i=1}^n}{r}_i{X}_i,P_{pub})$$

• Dec.KeyGen:

Each group member $I{D}_i$ can execute the subsequent procedure to acquire their own group decryption key $d_i$. Initially, $I{D}_i$ computes its own group private key $s_{i,i}$; then it calculates the group decryption key $d_i$. As shown in Figure 2, the symbol () represents the public information, and the symbol {} represents the private information.

$$\begin{array}{c}\hfill s_{i,i}=(r_i-h_i)s{k}_i{d}_i=s_{i,i}+{\displaystyle \sum _{j=1,j\ne i}^n}{s}_{j,i}\end{array}$$

• Join:

Suppose an external user, denoted as $I{D}_l$, seeks to become a member of the group, with l being equal to $n+1$.

(1) The KGC calculates $t_l=H_1(I{D}_l\left|\right|hi{d}_l,q)+ks$ for $I{D}_l$, and calculates $X_l=t_l^{-1}{P}_1$, $s{k}_l=X_{l}ks$. Then, the KGC sends $(X_l,s{k}_l)$ to $I{D}_l$.

(2) $I{D}_l$ randomly selects nonce $r_l\in {\mathbb{Z}}_q^{*}$ and calculates $p{k}_l=e(X_l,P_{pub})$, $R_l=e(X_l{r}_l,P_{pub})$, $m_l=m_{n+1}$ = $H_4(m_1, \dots , m_n)$, and calculates $h_l=H_2(m_l\left|\right|Gid,q)$.

$$h_j=H_2(m_j\left|\right|Gid,q),1\le j\le n;s_{l,j}=(r_l-h_j)s{k}_l,1\le j\le n;s_{l,l}=(r_l-h_l)s{k}_l$$

$$PK={\displaystyle \prod _{i=1}^{n+1}}p{k}_i=e({\displaystyle \sum _{i=1}^{n+1}}{X}_i,P_{pub})R={\displaystyle \prod _{i=1}^{n+1}}{R}_i=e({\displaystyle \sum _{i=1}^{n+1}}{r}_i{X}_i,P_{pub})$$

Then, $I{D}_l$ publishes $I{D}_l$, $p{k}_l$, $R_l$, $s_{l,j}$ $(1\le j\le n)$, and keeps $s_{l,l}$ as its own group private key.

(3) Upon receiving the aforementioned messages, group member $I{D}_i$ where $1\le i\le n$ will proceed to refresh their membership details in the manner described:

$$\begin{array}{c}\hfill P{K}^{new}=P{K}^{old}p{k}_l=e({\displaystyle \sum _{i=1}^{n+1}}{X}_i,P_{pub})R^{new}=R^{old}{R}_l=e({\displaystyle \sum _{i=1}^{n+1}}{r}_i{X}_i,P_{pub})\\ \hfill m_l=H_4(m_1, \dots , m_n);h_l=H_2(m_l\left|\right|Gid,q);s_{i,l}=(r_i-h_l)s{k}_i,1\le i\le n\end{array}$$

$$\begin{array}{c}\hfill d_i^{new}=d_i^{old}+s_{l,i}={\displaystyle \sum _{j=1}^{n+1}}{s}_{j,i},1\le i\le n\end{array}$$

Then, $I{D}_i$ publishes $s_{i,l}$.

(4) $I{D}_l$ obtains $s_{i,l}$ for $1\le i\le n$ to calculate $d_l$. Then $I{D}_l$ checks the validity of $d_l$.

$$\begin{array}{c}\hfill d_l=s_{l,l}+{\displaystyle \sum _{j=1}^n}{s}_{j,l}={\displaystyle \sum _{j=1}^{n+1}}{s}_{j,l}e(d_l,P_2)\stackrel{?}{=}P{K}^{-h_l}R\end{array}$$

If the equation is valid, $I{D}_l$ recognizes $d_l$ as the group decryption key within its local database; otherwise, the operation will be terminated.

• Leave:

If the group member $I{D}_i$ decides to exit the group, they must first disclose ($I{D}_i, p{k}_i, R_i, {\left\{s_{i,j}\right\}}_{j\in \{1,\dots ,n\}\setminus i})$. Subsequently, other group members, denoted by $I{D}_j$ where $j\ne i$, are responsible for updating the group’s encryption and decryption keys accordingly.

(1) $I{D}_i$ generates a new group encryption and decryption key.

$$P{K}^{new}=P{K}^{old}p{k}_i^{-1}=e({\displaystyle \sum _{j=1}^n}{X}_j,P_{pub})e{(X_i,P_{pub})}^{-1}=e({\displaystyle \sum _{\begin{array}{c}j=1\\ j\ne i\end{array}}^n}{X}_j,P_{pub})$$

$$R^{new}=R^{old}{R}_i^{-1}=e({\displaystyle \sum _{j=1}^n}{r}_j{X}_j,P_{pub})e{(r_i{X}_i,P_{pub})}^{-1}=e({\displaystyle \sum _{\begin{array}{c}j=1\\ j\ne i\end{array}}^n}{r}_j{X}_j,P_{pub})$$

$$d_j^{new}=d_j^{old}-s_{i,j}={\displaystyle \sum _{k=1}^n}{s}_{k,j}-s_{i,j}(j\ne i)={\displaystyle \sum _{\begin{array}{c}k=1\\ k\ne i\end{array}}^n}{s}_{k,j}$$

(2) Then, $I{D}_j$ checks

$$e(d_j,P_2)\stackrel{?}{=}P{K}^{-h_j}R$$

If the equation is satisfied, $I{D}_j$ adopts $d_j$ as the group decryption key in its local database; otherwise, it aborts the operation.

• Encrypt:

Any entity with knowledge of the public group encryption key, denoted as $PK$ and identified by $I{D}_i$, can assume the role of a sender. $I{D}_i$ randomly chooses nonce $r_e\leftarrow {\mathbb{Z}}_q$. For given message x, $I{D}_i$ calculates group ciphertext as follows:

$$C_1=r_e{P}_2,C_2=P{K}^{r_e},C_3=x\oplus H_3(R^{r_e})$$

Then, $I{D}_i$ sends group ciphertext messages ($C_1,C_2,C_3$) to group members.

• Decrypt:

$I{D}_j$ receives the group ciphertext messages ($C_1,C_2,C_3$), and then calculates plaintext x using its own $d_j$.

$$\begin{array}{cc}\hfill x=& C_3\oplus H_3(e(d_j,C_1)C_2^{h_j})\hfill \end{array}$$

The validity of the above equation is demonstrated below:

$$\begin{array}{cc}\hfill x=& C_3\oplus H_3(e(d_j,C_1)C_2^{h_j})=C_3\oplus H_3(e{(d_j,P_2)}^{r_e}{C}_2^{h_j})=C_3\oplus H_3({(P{K}^{-h_j}R)}^{r_e}{(P{K}^{r_e})}^{h_j})\hfill \\ \hfill =& C_3\oplus H_3(P{K}^{-h_j{r}_e}{R}^{r_e}P{K}^{r_e{h}_j})=C_3\oplus H_3(R^{r_e})=x\hfill \end{array}$$

6. Performance Evaluation

We conducted performance testing on a virtual machine with an Intel(R) Core(TM) i5-9300H CPU @ 2.40GHz, 1 GB of RAM, and the CentOS 7 operating system, using the MIRACL cryptographic library v5.6.1. The additive groups ${\mathbb{G}}_1$ and ${\mathbb{G}}_2$ are generated by the points P and Q of order q on the non-singular elliptic curve $y=x^3+5$ mod p, where p and q are two 256-bit prime numbers.

Table 2. Principal operations.

Operation	Description	Time (ms)
$T_{pa}$	Bilinear pairing	17.588
$T_{e_a}$	Exponentiation on additive group	1.632
$T_{e_m}$	Exponentiation on multiplicative groups	2.142
$T_{m_1}$	Scalar multiplication on additive group	1.205
$T_{g_m}$	multiplication on multiplicative groups	0.105
$T_{g_i}$	inverse on multiplicative groups	0.173
$T_{h_1}$	Hash mapped to additive group	0.521
$T_{h_2}$	Hash mapped to multiplicative group	1.243
$T_{h_3}$	Hash mapped to ${\mathbb{Z}}_q$	0.027
$T_{a_1}$	addition on additive group	0.016
$T_{a_2}$	addition on ${\mathbb{Z}}_q$	0.001
$T_x$	XOR on ${\mathbb{Z}}_q$	0.001

outlines the execution duration for principal operations.

Table 3. Time comparison of related AGKA scheme.

Phase (ms)	$\mathit{IBAAGKA}$ [5]	$\mathit{DAAGKA}$ [7]	$\mathit{SMDAGKA}$
Agreement	$(3n+2)T_{e_m}+(n+1)T_{h_2}+T_{h_3}+3n{T}_{g_m}=$ $\mathbf{7}.\mathbf{984}\mathbf{n}+\mathbf{5}.\mathbf{554}$	$(n+3)T_{e_m}+(n+1)T_{g_m}+2T_{h_2}+T_{h_3}=\mathbf{4}.\mathbf{389}\mathbf{n}+\mathbf{9}.\mathbf{044}$	$n(T_{h_3}+T_{m_1}+T_{a2})=\mathbf{1}.\mathbf{233}\mathbf{n}$
Enc.Key.Gen	$(2n+3)T_{h_2}+n{T}_{h_3}+10T_{pa}+2(n-1)T_{e_m}+(6n-8)T_{g_m}=\mathbf{7}.\mathbf{427}\mathbf{n}+\mathbf{165}.\mathbf{053}$	$(3n-2)T_{g_m}+n{T}_{e_m}+T_{a_2}+3T_{pa}=\mathbf{2}.\mathbf{457}\mathbf{n}+\mathbf{52}.\mathbf{555}$	$2(n-1)T_{gm}=$  0.21n − 0.21
Dec.Key.Gen	$(2n-1)T_{g_m}+2T_{pa}=\mathbf{0}.\mathbf{21}\mathbf{n}+\mathbf{34}.\mathbf{071}$	$n{T}_{g_m}+2T_{pa}=\mathbf{0}.\mathbf{105}\mathbf{n}+\mathbf{35}.\mathbf{176}$	$T_{m_1}+(n-1)T_{a1}=\mathbf{0}.\mathbf{016}\mathbf{n}+\mathbf{1}.\mathbf{189}$
Join (old)	------------	$11T_{g_m}+3T_{g_i}+5T_{pa}+T_{e_m}=\mathbf{91}.\mathbf{756}$	$2T_{g_m}+2T_{h_3}+T_{a_1}+T_{a_2}+T_{m_1}=\mathbf{1}.\mathbf{486}$
Join (new)	$(3n+2)T_{e_m}+(n+1)T_{h_2}+T_{h_3}+3n{T}_{g_m}=\mathbf{7}.\mathbf{984}\mathbf{n}+\mathbf{5}.\mathbf{554}$	$(2n+4)T_{e_m}+(5n-1)T_{g_m}+2T_{h_2}+T_{h_3}+T_{a_2}+5T_{pa}=\mathbf{4}.\mathbf{809}\mathbf{n}+\mathbf{98}.\mathbf{917}$	$3T_{pa}+(n+2)T_{h_3}+(n+1)T_{m_1}+(n+1)T_{a_2}+3T_{g_m}+n{T}_{a_1}+T_{g_i}=\mathbf{1}.\mathbf{249}\mathbf{n}+\mathbf{54}.\mathbf{51}$
Leave	$(3n+2)T_{e_m}+(n+1)T_{h_2}+T_{h_3}+3n{T}_{g_m}=\mathbf{7}.\mathbf{984}\mathbf{n}+\mathbf{5}.\mathbf{554}$	$11T_{g_m}+3T_{g_i}+5T_{pa}+T_{e_m}$ = 91.756	$3T_{g_i}+3T_{g_m}+T_{a1}+T_{e_m}+T_{pa}=\mathbf{20}.\mathbf{58}$
Enc	$3T_{e_m}+T_{h_3}+T_x=\mathbf{6}.\mathbf{454}$	$T_x+4T_{em}+T_{h_3}+T_{h_2}=\mathbf{9}.\mathbf{839}$	$T_{m_1}+2T_{e_m}+T_{h_3}+T_x=\mathbf{5}.\mathbf{517}$
Dec	$T_x+T_{h_3}+T_{g_m}+T_{g_i}+2T_{pa}=\mathbf{35}.\mathbf{472}$	$4T_{pa}+T_x+T_{h_3}+T_{g_i}+T_{h_2}=\mathbf{71}.\mathbf{796}$	$T_x+T_{h_3}+T_{pa}+T_{e_m}+T_{g_m}=\mathbf{19}.\mathbf{863}$
Total	$\mathbf{31}.\mathbf{589}\mathbf{n}+\mathbf{257}.\mathbf{712}$	$\mathbf{11}.\mathbf{76}\mathbf{n}+\mathbf{460}.\mathbf{869}$	$\mathbf{2}.\mathbf{708}\mathbf{n}+\mathbf{102}.\mathbf{935}$

shows that our solution offers significant advantages in terms of computational overhead at each stage. Figure 3 compares the computational overhead for group member negotiation, while Figure 4 compares the overhead for group public key generation. Figure 5 compares the overhead for group private key generation, and Figure 6 compares the overhead for a new group member. As the group size increases, our solution demonstrates a clear advantage. Figure 7 compares the overhead when a group member leaves, and Figure 8 compares the overall computational overhead across all steps. These figures collectively show that our solution is computationally efficient.

Table 4. Description of relevant parameter lengths.

${\mathit{L}}_{\mathit{I}\mathit{D}}$	the length of identity	${\mathit{L}}_{\mathit{m}}$	the length of encrypt messages
$L_1$	the length of an element on ${\mathbb{G}}_1$	$L_2$	the length of an element
$L_t$	the length of an element

defines the notations for relevant parameter lengths.

Table 5. Compare communication cost of relevant schemes.

Operation (Bytes)	Agreement	Join	Leave	Ciphertext	Total
$IBAAGKA$ [5]	$L_{ID}+(n+1)L_1$ = 64n + 68	$L_{ID}+(2n+2)L_1$ = 128n + 132	$L_{ID}+(n+1)L_1$ = 64n + 68	$2L_1+L_m$ = 144	$3L_{ID}+(4n+6)L_1+L_m$ = 256n + 412
$DAAGKA$ [7]	$(n^2+2n+1)L_1$ = 64n2 + 128n + 64	$(n+1)L_1$ = 64n + 64	$(n+1)L_1$ = 64n + 64	$4L_1+L_m$ = 270	$(n^2+4n+7)L_1+L_m$ = 64n2 + 256n + 464
$SMDAGKA$	$L_{ID}+(n-1)L_1+2L_t$ = 64n + 708	$L_{ID}+2n{L}_1+2L_t$ = 128n + 772	$L_{ID}+(n-1)L_1+2L_t$ = 64n + 708	$L_2+L_m+L_t$ = 528	$3L_{ID}+(4n-2)L_1+7L_t+L_2+L_m$ = 256n + 2716

outlines the communication cost for principal operations when achieving a security level of 128 bits, where the length of identity is $L_{ID}=32\mathrm{bit}=4\mathrm{bytes}$, the length of encrypted messages is $L_m=128\mathrm{bit}=16\mathrm{bytes}$, the length of an element on ${\mathbb{G}}_1$ is $L_1=512\mathrm{bit}=64\mathrm{bytes}$, the length of an element on ${\mathbb{G}}_2$ is $L_2=1024\mathrm{bit}=128\mathrm{bytes}$, and the length of an element on ${\mathbb{G}}_T$ is $L_t=3072\mathrm{bit}=384\mathrm{bytes}$. As shown in the table, our SMDAGKA scheme has a higher communication overhead than the scheme [5], but it offers a significant reduction in communication overhead compared to the scheme [7].

7. Conclusions

The group key agreement method allows members to establish a common key, ensuring the confidentiality of communication and facilitating secure interactions. This technique can be classified into symmetric and asymmetric GKA methods based on whether the encryption and decryption keys match. In the symmetric GKA method, when an external member wants to communicate securely with the group, they must first join the group and agree on a new symmetric key. In contrast, the asymmetric GKA (AGKA) method allows an external member to encrypt messages using the group’s publicly available public key and send them to the group without joining. Consequently, AGKA applies to a wider range of scenarios. Within the AGKA method, all group members share the single group public key. Depending on whether the group members have a shared private key, the method can be further classified into common AGKA and private AGKA. The private AGKA method is particularly well-suited for broadcast encryption, enabling the sender to select a subset of group members as intended recipients while ensuring that non-selected members cannot decrypt the message. Conversely, in common AGKA, where all members share the same private key, broadcast encryption is not supported due to the lack of recipient-specific key management.

Given the limited adoption of identity-based cryptosystems in current identity-based dynamic AGKA methods, we have designed a scheme based on the widely used SM9 identity algorithm to ensure secure communication among group members. Compared to the O(n) encryption operation and ciphertext transmission in the simple SM9 key exchange protocol, our scheme only requires O(1) encryption operation and ciphertext transmission during secure communication among group members. Performance analysis indicates that our scheme achieves low computational overhead and high security. In the future, we aim to develop solutions with even lower communication overhead to better meet the requirements of real-time scenarios.