5888 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 56, NO. 11, NOVEMBER 2010
(or more precisely, the seed) is used in the Join protocol. As a result,there exists an adversary that can easily win in the adversarial model(i.e., guess correctly the value of ). The adversaryworks as follows:
1) The adversary asks an query to form a group withgroup key
2) issues a query and obtains a response which is either
or a random key.3) also issues a query to add a new user into the group ,
and obtains the communication transcript of the join protocol.4) then computes
in the transcript of the join protocol. If they are equal,returns 1, indicating that
. Otherwise, returns 0.It is easy to see that with a overwhelming probability
for a random . Hence, the (passive) adversary has a over-whelming probability to guess correctly the value of and win thegame. It is worth noting that the adversary even doesnt perform any or queries.
5) Flaws in the Security Proof: Since the attack above can besimulated in the model, there must be some mistakes in the securityproof of . When carefully reading the proof, one can find that thesecurity proof in  fails to analyze the winning probability of the ad-versary in some attacking scenarios, such as a join or leave query isperformed to the test session.
6) Conclusion: In this letter, we revisited the Dutta-Barua dy-namic group key agreement protocol  and showed a flaw inside theprotocol. Different from the existing attacks against the protocol, ourattack is based on adversarial model defined by Dutta and Barua in. It would be an interesting task to design a more complete securitymodel as well as a secure and practical protocol for group key agree-ment in the dynamic setting.
 R. Dutta and R. Barua, Constant round dynamic group key agree-ment, in Proc. ISC 2005, 2005, vol. 3650, Lecture Notes in ComputerScience, pp. 7488.
 R. Dutta and R. Barua, Provably secure constant round contributorygroup key agreement in dynamic setting, IEEE Trans. Inform. Theory,vol. 54, no. 5, pp. 20072025, May 2008.
 C. M. Teo Joseph, C. H. Tan, and J. M. Ng, Security analysis ofprovably secure constant round dynamic group key agreement, IEICETrans., vol. E89-A, no. 11, pp. 33483350, Nov. 2006.
Comments on New Results on Frame-Proof Codesand Traceability Schemes
Jacob Lfvenberg and Jan-ke Larsson
The paper New Results on Frame-Proof Codes and TraceabilitySchemes  claims to give results for two code classes, frame-proofcodes and traceability schemes, in the form of lower bounds onthe maximum code size, and explicit code constructions. We willhere briefly review the four claims of , noting that the proofs andconstructions presented in  fail, and that the claims also contradictpreviously published upper bounds , .
We apologize for being terse here; details can be found in our three-page paper  originally submitted in 2005. We have been asked byIEEE IT to keep this letter to only one page, but are grateful for thisopportunity to voice our concerns about .
We use the same setting and notation as : binary constant-weightcodes of length , weight , minimum Hamming distance , and anumber of cooperating copy-distributing users. The binary entropyfunction is denoted , and logarithms are in base 2. We first con-sider [1, Theor. 6] that reads as follows.
Theorem 6: Let be a prime power. Suppose there existsa -frame-proof code with length , constant weight , and
. Then, for any and satisfying
the maximum number of codewords satisfies
There is no proof of [1, Theor. 6]; the chain of lemmas precedingTheorem 6 is (we believe) intended as a proof, but the implication in[1, Lemma 3] is needed in the reverse direction, and Lemma 3 is notan equivalence . Also, Theorem 6 contradicts a previously publishedupper bound 
To see this, let and note that a 2-frame-proof code exists with , , and , see . With , the aboveinequalities read and , aclear contradiction.
Even if Theorem 6 does not hold, there is an explicit constructionunderlying [1, Theor. 10], also providing lower bounds for the numberof codewords :
Manuscript received March 05, 2010; revised May 17, 2010. Date of currentversion October 20, 2010.
J. Lfvenberg was with the Department of Electrical Engineering, LinkpingUniversity, SE-581 83 Linkping, Sweden. He is now with the FOI: SwedishDefence Research Agency, Division of Information Systems, SE-581 11Linkping, Sweden (e-mail: email@example.com).
J.-. Larsson was with the Department of Mathematics, Linkping Univer-sity, SE-581 83 Linkping, Sweden. He is now with the Department of ElectricalEngineering, Linkping University, SE-581 83 Linkping, Sweden (e-mail: firstname.lastname@example.org).
Communicated by R. Safavi-Naini, Associate Editor for Complexity andCryptography.
Digital Object Identifier 10.1109/TIT.2010.2070632
0018-9448/$26.00 2010 IEEE
IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 56, NO. 11, NOVEMBER 2010 5889
Theorem 10: For a given integer , there exists a -frame-proof code with constant weight and length , restricted by(:6) with
that has codewords.Unfortunately, with the given parameter relations it is not possible
to choose the parameters so that (:20) is satisfied. Inserting and into (:20) we obtain
and using the inequality it can be shown that this enforcesweight , see . Furthermore, even the underlying constructionscheme fails, which can be verified with the same technique and somepatience . The construction used in  establishes two parameterregions, one where the -frame-proof property holds and another thatensures a large number of codewords; the problem is that the intersec-tion is empty, except for codes with weight . The constructedcodes can either be made -frame-proof or be given a number of code-words but are never guaranteed both properties.
There are also two claims for -traceability schemes in . Theorem7 claims a lower bound for the maximum number of codewords, butthe intended proof of Theorem 7 needs the implication in Lemma 5 inin the reverse direction , and the claim violates another previouslypublished upper bound . Similarly as above, an explicit constructionunderlies Theorem 11 that claims existence of a -traceability schemewith a large number of codewords. Also here, unless , the givenparameter relations cannot be satisfied, and the construction schemecan either ensure -traceability or a large number of codewords, neverboth .
REFERENCES R. Safavi-Naini and Y. Wang, New results on frame-proof codes and
traceability schemes, IEEE Trans. Inform. Theory, vol. 47, no. 11, pp.30293033, Nov. 2001.
 J. N. Staddon, D. R. Stinson, and R. Wei, Combinatorial properties offrameproof and traceability codes, IEEE Trans. Inform. Theory, vol.47, no. 3, pp. 10421049, Mar. 2001.
 D. R. Stinson and R. Wei, Combinatorial properties and constructionsof traceability schemes and frameproof codes, SIAM J. Discrete Math.,vol. 11, pp. 4153, Feb. 1998.
 J.-. Larsson and J. Lfvenberg, Comment on New Results onFrame-Proof Codes and Traceability Schemes 2009 [Online]. Avail-able: http://arxiv.org/abs/0912.1440