Internet of things group formation using a key-based join protocol

We claim: 1 . A device comprising: a group enroller to determine a first key associated with a first group; a policy manager to determine a first resource exposure policy for the device with respect to the first group; and a data reporter to use the first key to send first operational data to a first dynamic group verifier in accordance with the first resource exposure policy. 2 . The device of claim 1 , further including a context monitor to detect local context change, wherein the group enroller is to determine a second key associated with a second group, the policy manager is to determine a second resource exposure policy for the device with respect to the second group, and the data reporter is to use the second key to send, in response to the local context change, second operational data to a second dynamic group verifier in accordance with the second resource exposure policy. 3 . The device of claim 1 , further including: a join session manager to conduct a join protocol session with a group management service; a credential handler to receive a group credential from the group management service during the join protocol session; and a key generator to generate the first key as a pairwise key based on the group credential and a local secret associated with the join protocol. 4 . The device of claim 3 , wherein the join protocol session is to be conducted in accordance with a zero knowledge proof of knowledge protocol. 5 . The device of claim 3 , wherein the group credential is to include a group public key and a group identifier. 6 . The device of claim 1 , further including a collection session manager to establish a set of symmetric session keys including pairwise symmetric session keys and one or more symmetric group keys in context of a sigma protocol session with each group member by the dynamic group verifier. 7 . The device of claim 6 , further including an identifier manager to use the set of symmetric session keys to negotiate a temporal identifier of the device. 8 . The device of claim 6 , further including a trusted execution environment, wherein the device is to maintain the set of symmetric session keys, the first key and the first resource exposure policy in the trusted execution environment. 9 . A method of operating a device, comprising: determining a first key associated with a first group; determining a first resource exposure policy for the device with respect to the first group; and using the first key to send first operational data to a first dynamic group verifier in accordance with the first resource exposure policy. 10 . The method of claim 9 , further including: determining a second key associated with a second group; determining a second resource exposure policy for the device with respect to the second group; detecting a local context change; and using the second key to send, in response to the local context change, second operational data to a second dynamic group verifier in accordance with the second resource exposure policy. 11 . The method of claim 9 , wherein determining the first key includes: conducting a join protocol session with a group management service; receiving a group credential from the group management service during the join protocol session; and generating the first key based on the group credential and a local secret associated with the join protocol session. 12 . The method of claim 11 , wherein the join protocol session is conducted in accordance with a zero knowledge proof of knowledge protocol. 13 . The method of claim 11 , wherein the group credential includes a group public key and a group identifier. 14 . The method of claim 11 , further including: identifying a third key on the device, wherein the third key is an enhanced privacy identifier; using the third key to attest to membership of the device in a third group during the join protocol session, wherein the third group corresponds to a manufacturer of the device. 15 . The method of claim 9 , further including establishing a set of symmetric session keys including pairwise symmetric session keys and one or more symmetric group keys in context of a sigma protocol session with each group member by the dynamic group verifier. 16 . The method of claim 15 , further including using the set of symmetric session keys to negotiate a temporal identifier of the device. 17 . The method of claim 15 , further including maintaining the set of symmetric session keys, the first key and the first resource exposure policy to a trusted execution environment on the device. 18 . At least one computer readable storage medium comprising a set of instructions which, when executed by a device, cause the device to: determine a first key associated with a first group; determine a first resource exposure policy for the device with respect to the first group; and use the first key to send first operational data to a first dynamic group verifier in accordance with the first resource exposure policy. 19 . The at least one computer readable storage medium of claim 18 , wherein the instructions, when executed, cause the device to: determine a second key associated with a second group; determine a second resource exposure policy for the device with respect to the second group; detect a local context change; and use the second key to send, in response to the local context change, second operational data to a second dynamic group verifier in accordance with the second resource exposure policy. 20 . The at least one computer readable storage medium of claim 18 , wherein the instructions, when executed, cause the device to: conduct a join protocol session with a group management service; receive a group credential from the group management service during the join protocol session; and generate the first key based on the group credential and a local secret associated with the join protocol session. 21 . The at least one computer readable storage medium of claim 20 , wherein the join protocol session is to be conducted in accordance with a zero knowledge proof of knowledge protocol. 22 . The at least one computer readable storage medium of claim 20 , wherein the group credential is to include a group public key and a group identifier. 23 . The at least one computer readable storage medium of claim 18 , wherein the instructions, when executed, cause the device to establish a set of symmetric session keys including pairwise symmetric session keys and one or more symmetric group keys in context of a sigma protocol session with each group member by the dynamic group verifier. 24 . The at least one computer readable storage medium of claim 23 , wherein the instructions, when executed, cause the device to use the set of symmetric session keys to negotiate a temporal identifier of the device. 25 . The at least one computer readable storage medium of claim 23 , wherein the instructions, when executed, cause the device to maintain the set of symmetric session keys, the first key and the first resource exposure policy in a trusted execution environment on the device.