PGK

ProSe Group Key

Introduced in Rel-12

PGK is the ProSe Group Key, a security key used in LTE Proximity Services for authenticating and encrypting secure one-to-many group communications between nearby devices, independent of the cellular network.

Category: Security
Introduced: Rel-12
Where: User Equipment › SIM/USIM
Specifications: 3 specs

Description

The ProSe Group Key (PGK) is a cryptographic key defined within the 3GPP security architecture for Proximity Services (ProSe). ProSe enables Device-to-Device (D2D) communication where User Equipments (UEs) can discover each other and communicate directly over the PC5 interface, either with or without network coverage. The PGK is specifically used for securing group communications within the ProSe feature set. It is a group-level key, meaning a single PGK is shared among all members of a defined ProSe group. This group could be formed for public safety scenarios (e.g., a firefighter squad) or commercial applications (e.g., a social media group at an event).

The lifecycle of a PGK is managed by a central entity. For network-authorized ProSe, this is typically the ProSe Function in the core network. The ProSe Function generates or obtains the PGK and securely provisions it to authorized group members. The provisioning can occur over the LTE-Uu interface when the UE is in network coverage. For ProSe communication without network coverage (UE-to-Network Relay or direct communication in coverage holes), the PGK must be pre-provisioned or provisioned via a relay. The key is used in conjunction with a ProSe Group IP Multicast address and a ProSe Layer 2 Group ID to identify the communication group.

In operation, the PGK serves two primary security functions: authentication and confidentiality. For authentication, it is used to derive a ProSe Group Integrity Key (PGIK). The PGIK is used to compute integrity protection values for group messages, allowing receiving UEs to verify that the message originated from a legitimate group member. For confidentiality, the PGK is used to derive a ProSe Group Encryption Key (PGEK). The PGEK is used to encrypt the payload of group messages, ensuring that only members possessing the PGK can decipher the content. This dual use provides a secure channel for group broadcasts, protecting against eavesdropping and message injection by unauthorized devices.
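
An added illustration of the derivation and integrity check described above; it is not code from 3GPP or from this page. The KDF (HMAC-SHA-256 over a label and group ID), the frame layout, the tag length and all sample values are assumptions made for the example, not the formats specified in TS 33.303, and the encryption step with the PGEK is left out.

```python
import hashlib
import hmac

TAG_LEN = 16     # truncated tag length (assumption)
SENDER_LEN = 3   # fixed-width sender ID in the header (assumption)

def derive_key(pgk: bytes, label: bytes, group_id: bytes) -> bytes:
    # Stand-in KDF, not the TS 33.303 one: the label separates the two keys.
    return hmac.new(pgk, label + b"\x00" + group_id, hashlib.sha256).digest()

def derive_group_keys(pgk: bytes, group_id: bytes):
    """Return (PGIK, PGEK) derived from one shared PGK."""
    return derive_key(pgk, b"PGIK", group_id), derive_key(pgk, b"PGEK", group_id)

def protect(pgik: bytes, sender_id: bytes, counter: int, payload: bytes) -> bytes:
    """Build header || payload || tag, with the tag computed under the PGIK."""
    if len(sender_id) != SENDER_LEN:
        raise ValueError("sender_id must be SENDER_LEN bytes")
    header = sender_id + counter.to_bytes(4, "big")
    tag = hmac.new(pgik, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    return header + payload + tag

def verify(pgik: bytes, frame: bytes):
    """Return (sender_id, counter, payload), or None if the tag does not match."""
    if len(frame) < SENDER_LEN + 4 + TAG_LEN:
        return None
    body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(pgik, body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    counter = int.from_bytes(body[SENDER_LEN:SENDER_LEN + 4], "big")
    return body[:SENDER_LEN], counter, body[SENDER_LEN + 4:]

# Constructed sample values, for illustration only.
GROUP_ID = bytes.fromhex("a1b2c3")
PGK = bytes(range(32))        # key provisioned to the group's members
OTHER_PGK = bytes(32)         # key held by a device outside the group
UE_A = b"\x00\x00\x0a"

if __name__ == "__main__":
    pgik, pgek = derive_group_keys(PGK, GROUP_ID)
    frame = protect(pgik, UE_A, 1, b"unit 4 on scene")
    print("member verifies:  ", verify(pgik, frame))
    outsider_pgik, _ = derive_group_keys(OTHER_PGK, GROUP_ID)
    print("outsider verifies:", verify(outsider_pgik, frame))
```

A valid tag shows only that the sender holds the group's PGK; the sender ID inside the frame is asserted by whoever built it, so the check authenticates the group rather than an individual member.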

Purpose & Motivation

The PGK was created to address the security requirements of group-oriented Device-to-Device communication, a cornerstone of LTE-based public safety networks and commercial proximity services. Traditional cellular security relies on a permanent, point-to-point security context between the UE and the network (e.g., using keys like KASME). This model breaks down in D2D scenarios, especially when communicating directly without network involvement. Previous ad-hoc communication methods lacked standardized, robust security, making them unsuitable for sensitive public safety communications.

The problems it solves are twofold. First, it provides efficient and scalable security for one-to-many communication. Using individual pairwise keys for each member in a large group would be inefficient for broadcast traffic. A single group key allows a transmitting UE to secure a message once for reception by the entire group. Second, it enables secure operation outside network coverage. By pre-provisioning the PGK, a group of first responders can maintain secure communication in disaster areas where the cellular infrastructure is damaged. Its creation was motivated by the mission-critical needs of public safety organizations, driving its standardization in 3GPP Release 12 and beyond, ensuring interoperability and a high level of security for life-critical communications.

Classification

Part of: ProSe
Specific types: UKEK

Detected Changes Across Releases

from 3GPP Change Requests

Specific changes extracted from the "Change history" tables of 3GPP specifications (8 CRs across 2 releases). Complements the general historical overview above with the evidence-based evolution of this function.

Studied in Rel-12, normative work from Rel-17.

Rel-17 6 changes

In Release 17, the PGK (ProSe Group Key) function was enhanced through updates to 5G ProSe configuration services and files, including corrections to Elementary Files (EFs). Specifically, the release introduced support for TLS version 1.3 within ProSe communications to strengthen security. Furthermore, the specifications were updated to fix procedures for restricted discovery and to correct the ProSe discovery figure in the technical documentation.

  • 5G ProSe configuration related services and files (TS 31.102, CR0929)
  • Introducing support of TLS v1.3 in ProSe TS 33.303 (TS 33.303, CR0135)
  • 5G ProSe EFs update (TS 31.102, CR0949)
  • 5G ProSe EFs update-Correction of FIDs violating ETSI rules and former reservations (TS 31.102, CR0959)
  • Correction figure in ProSe discovery in TS33.303 (TS 33.303, CR0138)
  • Fix the restricted discovery procedures in 4G ProSe (TS 33.303, CR0139)

Rel-18 2 changes

In Release 18, the PGK (ProSe Group Key) function was enhanced to support 5G ProSe User-to-User (U2U) relay operations. Furthermore, a new service was introduced for the UICC to report usage information specifically for 5G ProSe direct communication. These additions expanded the security and management framework for proximity-based services within the 5G System.

  • DF for 5G ProSe U2U relay (TS 31.102, CR0989)
  • Adding service for UICC 5G ProSe direct communication usage information reporting (TS 31.102, CR1048)

Defining Specifications

3GPP specifications that define or reference PGK, with the latest known release. Sourced from the 3GPP document catalog — see methodology.

Specification   | Title                                 | Release
TS 31.102 vj40  | USIM Application Specification        | Rel-19
TS 33.303 vj00  | ProSe Security Specification for EPS  | Rel-19
TS 36.323 vj00  | PDCP Protocol Specification           | Rel-19