Efficient and Self-Healing Key Distribution with Revocation for Tactical Wireless Networks

Donggang Liu, Peng Ning
Department of Computer Science, North Carolina State University
Raleigh, NC 27695-7534
Emails: [email protected], [email protected]

Abstract

This paper presents group key distribution techniques for highly mobile, volatile and hostile wireless networks in tactical situations (e.g., anti-terrorist operations, battlefields). The techniques proposed here are based on the self-healing key distribution methods (with revocation capability) recently developed by Staddon et al. [37]. By introducing a novel personal key distribution technique, this paper reduces (1) the communication overhead of personal key share distribution from O(t² log q) to O(t log q), (2) the communication overhead of self-healing key distribution with t-revocation capability from O((mt² + tm) log q) to O(mt log q), and (3) the storage overhead of the self-healing key distribution with t-revocation capability at each group member from O(m² log q) to O(m log q), where t is the maximum number of colluding group members, m is the number of sessions, and q is a prime number that is large enough to accommodate a cryptographic key. All these results are achieved without sacrificing the unconditional security of key distribution. In addition, this paper presents two techniques that allow one to trade off the broadcast size with the recoverability of lost session keys. These two methods further reduce the broadcast message size in situations where there are frequent but short-term disruptions of communication and where there are long-term but infrequent disruptions of communication, respectively.

1 Introduction

Wireless networks, especially wireless ad-hoc networks, are ideal candidates for communication in tactical situations such as anti-terrorist operations, rescue missions, and battlefields, where there is usually no network infrastructure support. In situations where there are adversaries who may want to intercept and/or interrupt the communication, security of wireless networks becomes one of the top concerns. In particular, it is critical to make sure that the adversaries cannot access or interrupt the wireless communication, and even if they do, it is possible to recover from such compromises quickly.

A common way to ensure communication security is to encrypt and authenticate the wireless communication. In typical applications in tactical wireless networks, a sender may broadcast encrypted and/or authenticated messages to his/her team members, and only wireless nodes with valid keys can have access to and/or verify these messages. The remaining challenge is how to distribute the cryptographic keys to valid wireless nodes.

Theoretically, techniques developed for secure group communication in wired networks (e.g., LKH [42, 43]) can be used for key distribution in tactical wireless networks. However, some unique features of tactical wireless networks introduce new problems that haven't been fully resolved. First, tactical wireless networks are highly mobile in nature. Wireless nodes may move in and out of range frequently, and sometimes be completely separate from the network. Moreover, the adversary may intentionally disrupt the wireless communication using various methods. Thus, traditional techniques such as error correction codes cannot fully address this problem. Second, devices in tactical wireless networks are typically powered by batteries. It will reduce the lifetime of the batteries, and thus the availability of wireless devices, to adopt some power-consuming techniques such as public key cryptography.

Due to these problems, existing group key management techniques for wired networks cannot fully address the key management problem in tactical wireless networks. In particular, the majority of the existing group key distribution techniques assume reliable communication (e.g., [42, 33, 25, 11, 13]), or use error correction codes to improve the reliability of key distribution and rely on unicast-based communication to ensure reliable key distribution (e.g., [44, 22, 45, 46]). While current reliable group communication techniques entail large overheads and cannot scale to large groups, relying on error correction codes cannot deal with bursts of message losses or, more severely, temporary network partition. Wireless nodes that desire to recover session keys can certainly contact the key distribution service individually (e.g., KeyStone [44]); however, such unicast-based communication not only introduces substantial communication overhead, but also consumes the limited power resource in wireless nodes. Thus, it is necessary to seek more efficient ways to distribute group session keys.

In this paper, we propose to develop novel group key distribution schemes that can cope with the highly mobile, volatile, and hostile wireless networks in tactical situations (e.g., anti-terrorist operations, rescue missions, and battlefields). The techniques proposed here are based on the self-healing key distribution methods (with revocation capability) recently developed by Staddon et al. [37]. By introducing a novel personal key distribution technique, we reduce (1) the communication overhead of personal key share distribution from O(t² log q) to O(t log q), (2) the communication overhead of self-healing key distribution with t-revocation capability from O((mt² + tm) log q) to O(mt log q), and (3) the storage overhead of the self-healing key distribution with t-revocation capability at each group member from O(m² log q) to O(m log q), where t is the maximum number of colluding group members, m is the number of sessions, and q is a prime number that is large enough to accommodate a cryptographic key. All these results are achieved without sacrificing the unconditional security of key distribution. In addition, we develop two techniques that allow us to trade off the broadcast size with the recoverability of lost session keys. These two methods address the situations where there are frequent but short-term disruptions of communication and where there are long-term but infrequent disruptions of communication, respectively.

The proposed key distribution schemes have several advantages, including those inherited from [37], which make these schemes very attractive for tactical wireless networks. First, the proposed techniques are self-healing. A wireless node can recover lost keys even if it is separated from the network when the key is distributed. Second, the proposed techniques do not require heavy computation, and wireless nodes can get or recover keys by passively listening to broadcast key distribution messages. This is particularly important to devices in tactical wireless networks, which are typically powered by batteries. Reducing the computation and active communication can significantly reduce the power consumption and prolong the lifetime of wireless devices. Third, the proposed techniques distribute keys via true broadcast, conforming to the broadcast nature of wireless networks. Only select receivers of the messages can recover the key from the broadcast messages. Finally, the proposed techniques are scalable to very large groups. The processing, communication, and storage overheads do not depend on the size of the group, but on the number of compromised group members that may collude together.

Our contribution in this paper is three-fold. The first, and most important, contribution is the novel personal key distribution scheme that allows efficient distribution of different key shares to different group members via a broadcast channel. Second, based on this scheme, we develop an efficient self-healing key distribution scheme that requires less storage and communication overhead than those in [37]. Third, we further develop two ways to trade off the self-healing capability with broadcast size, thus allowing the schemes to have less communication overhead in bandwidth-constrained applications.

The rest of this paper is organized as follows. Section 2 presents our communication model as well as notations to be used in this paper. Section 3 gives the details of our approaches. Section 4 discusses practical issues about the proposed schemes. Section 5 reviews existing techniques related to group key distribution, and Section 6 concludes this paper and points out some future directions.

2 Our Model

To focus on the key distribution problem, we adopt a simplified group communication model. We assume that communication entities in a wireless network form groups to control access to broadcast messages. There may be more than one group with certain relationships between them (e.g., members of the captain group are also members of the soldier group). Without loss of generality, we will focus on the case of one group unless it is necessary to discuss multiple groups. The lifetime of a wireless network is partitioned into time intervals called sessions. The duration of sessions may be fixed or dynamic due to the change of group membership. There is one or several group managers that are responsible for distributing (group) session keys to a large number of authorized group members. Only group members with valid group keys can broadcast authenticated messages to other group members and access encrypted broadcast messages. A sender of a group may transmit a broadcast message directly to the other group members (i.e., receivers), or may rely on some network components (e.g., wireless routers) or some group members to forward the message to other group members.

Wireless networks in tactical situations are usually highly mobile and volatile. Wireless nodes may move in and out of range frequently, and there is usually no infrastructure support to guarantee reliable delivery of messages. Thus, we do not assume reliable communication in our system; a message sent to a group may or may not reach all the group members. One of our goals is to develop key distribution techniques that work in such extreme situations.

Note that the aforementioned research goal is fundamentally different from key distribution via reliable group communication systems such as Horus [32], Rampart [31], and Spread [1]. Reliable group communication can only guarantee that all group members have the same knowledge of the set of currently live and accessible members (i.e., Virtual Synchrony [8]) or that all group members see the same set of messages between two sequential group membership events (i.e., Extended Virtual Synchrony [26] or View Synchrony [15]). If a node is indeed separate from the network, reliable group communication cannot deliver the messages. In addition, reliable group communication usually incurs large overhead and does not scale to large groups due to its high reliability requirement (see, e.g., [7]). It is difficult and expensive to provide reliable group communication in tactical wireless networks, if not entirely impossible. In contrast, our proposed techniques allow group members to either receive or recover group keys without reliable communication support, as long as they receive some of the key distribution messages.

Threat Model. We adopt the following threat model in our research. We assume an adversary may passively listen to, or actively insert, intercept and modify, or drop broadcast messages. Our goal is to ensure the group manager can distribute group keys to group members as long as the group members can get some of the broadcast messages. Certainly, our approach won't work if the adversary completely jams the communication channel. We assume there are other means to defeat signal jamming (e.g., frequency hopping). Moreover, we consider the possibility that the adversary may compromise one or more group members (e.g., by capturing and analyzing the devices). Our goal is to ensure that once detected, such group members will be revoked from the group, and the adversary has to compromise more than t devices to defeat our approach, where t is a system parameter. We can certainly deploy tamper resistant hardware to make it difficult for the adversary to collect the secret information stored in the wireless devices.

Notations. We assume each group member is uniquely identified by an ID number i, where i ∈ {1, ..., n} and n is the largest ID number, and denote the group member as Ui. All of our operations take place in a finite field Fq, where q is a sufficiently large prime number. Each group member Ui stores a personal secret Si ⊆ Fq, which represents all information the group member may use to recover the session keys. We use H(·) to denote the entropy function of information theory [14]. We use Kj to denote the session key that the group manager distributes to the group members in session j. We use ki to denote the personal key of group member Ui. The group manager distributes the session key among the group via a broadcast message. We use Bj to denote the broadcast message, called the session key distribution message, that the group manager uses to distribute the group session key during session j. We use zi,j to denote what the group member Ui learns from its own personal secret Si and Bj. We use Rj to denote the set of revoked group members in session j, which contains all of the revoked members since the beginning of session key distribution. We reserve the letter t to represent the number of compromised group members. We would like to develop techniques that are resistant to an adversary who is able to compromise t group members (or, equivalently, the coalition of up to t revoked group members).

Research Goals. Our general research goal is to develop efficient and unconditionally secure key distribution schemes for tactical wireless networks. The resulting techniques should be able to tolerate the mobile and volatile nature of tactical wireless networks. Moreover, the resulting techniques should also be able to tolerate compromise of past group members. We are particularly interested in practical solutions that can be implemented and deployed in the current or next generation wireless networks.

To further clarify our goals and facilitate the later presentation, we give the following definitions.

Definition 1 (Personal Key Distribution [37]) Let t, i ∈ {1, ..., n}. In a personal key distribution scheme D, the group manager seeks to establish a new key ki ∈ Fq with each group member Ui through a broadcast message B.

1. D is a personal key distribution scheme if the following are true:

(a) For any group member Ui, ki is determined by Si and B (i.e., H(ki|B, Si) = 0),

(b) For any set B ⊆ {U1, ..., Un}, |B| ≤ t, and any Ui ∉ B, the group members in B are not able to learn anything about Si (i.e., H(ki, Si|{Si′}Ui′∈B, B) = H(ki, Si)), and

(c) No information on {ki}i∈{1,...,n} is learned from either the broadcast or the personal secrets alone (i.e., H(k1, ..., kn|B) = H(k1, ..., kn) = H(k1, ..., kn|S1, ..., Sn)).

2. D has t-revocation capability if given any set R ⊆ {U1, ..., Un} such that |R| ≤ t, the group manager can generate a broadcast B, such that for all Ui ∉ R, Ui can recover ki (i.e., H(ki|B, Si) = 0), but the revoked group members cannot recover any of the keys (i.e., H(k1, ..., kn|B, {Si′}Ui′∈R) = H(k1, ..., kn)).

Definition 2 (Session Key Distribution with b-bit privacy, adapted from [37]) Let t, i ∈ {1, ..., n} and j ∈ {1, ..., m}.

1. D is a key distribution scheme with b-bit privacy if the following are true:

(a) For any member Ui, Kj is determined by zi,j, which in turn is determined by Bj and Si (i.e., H(Kj|zi,j) = 0 and H(zi,j|Bj, Si) = 0).

(b) For any set B ⊆ {U1, ..., Un}, |B| ≤ t, and Ui ∉ B, the uncertainty of the members in B to determine Si is at least b bits (i.e., H(Si|{Si′}Ui′∈B, B1, ..., Bm) ≥ b).

(c) What members U1, ..., Un learn from Bj can't be determined from the broadcasts or personal keys alone (i.e., H(zi,j|B1, ..., Bm) = H(zi,j) = H(zi,j|S1, ..., Sn)).

2. D has t-revocation capability if given any set R ⊆ {U1, ..., Un}, where |R| ≤ t, the group manager can generate a broadcast Bj, such that for all Ui ∉ R, Ui can recover Kj (i.e., H(Kj|Bj, Si) = 0), but the revoked members cannot (i.e., H(Kj|Bj, {Si′}Ui′∈R) = H(Kj)).

3. D is self-healing if the following are true for any 1 ≤ j1 < j < j2 ≤ m:

(a) For any Ui who is a member in sessions j1 and j2, Kj is determined by the set {zi,j1, zi,j2} (i.e., H(Kj|zi,j1, zi,j2) = 0).

(b) For any disjoint subsets B, C ⊂ {U1, ..., Un}, where |B ∪ C| ≤ t, the set {zi′,j}Ui′∈B,1≤j≤j1 ∪ {zi′,j}Ui′∈C,m≥j≥j2 contains no information on the key Kj (i.e., H(Kj|{zi′,j}Ui′∈B,1≤j≤j1 ∪ {zi′,j}Ui′∈C,m≥j≥j2) = H(Kj)).

The only difference between the notion of session key distribution in [37] and our Definition 2 is in item 1(b). The concept of session key distribution in [37] requires that any coalition of at most t valid group members cannot get any information about another member's personal secret, while Definition 2 in our paper requires that the uncertainty of such a coalition to determine another member's personal secret is at least b bits. Nevertheless, the goal of our research is still to achieve unconditional security, as evidenced by the bound of the uncertainty of the personal secret.

Indeed, we noted that Construction 3 in [37] doesn't meet their criteria of session key distribution due to a flaw in their proof of Theorem 1. Though they have shown that the coalition of at most t group members cannot get any information of another member's share on each individual two-dimensional polynomial, the uncertainty of the shares of all these polynomials together decreases when the coalition receives the broadcast messages, since multiple polynomials are used to protect the same secret information. In spite of this problem, Construction 3 in [37] still meets the criteria specified in our Definition 2 with m log q-bit privacy.

Security properties of a group key management system have been considered in the past [39, 29, 20]. These security properties consist of (1) group key secrecy, which guarantees that it is at least computationally infeasible for an adversary to discover any group key, (2) forward secrecy, which guarantees that a passive adversary who knows a contiguous subset of old group keys cannot discover subsequent group keys, (3) backward secrecy, which guarantees that a passive adversary who knows a contiguous subset of group keys cannot discover preceding group keys, and (4) key independence, which is the combination of forward and backward secrecy.

These security properties have been studied for group key management systems such as CLIQUES [38] and ELK [29]. However, they are not sufficient in our framework, since each group member also has access to some secret information (i.e., Si for Ui), which is used to compute the group keys. In particular, forward secrecy doesn't imply that the adversary cannot discover the subsequent group keys if he/she further has the secret information only known to some past group members, and backward secrecy doesn't guarantee that the adversary cannot discover the preceding group keys if he/she is further provided the secret information only known to some new group members. To clarify these requirements, we introduce the notions of t-wise forward and backward secrecy.

Definition 3 (t-wise forward and backward secrecy) Let t, i ∈ {1, ..., n} and j ∈ {1, ...,m}.

• A key distribution scheme guarantees t-wise forward secrecy if for any set R ⊆ {U1, ..., Un}, where |R| ≤ t, and all r ∈ R are revoked before session j, the members in R together cannot get any information about Kj, even with the knowledge of group keys before session j (i.e., H(Kj|B1, ..., Bm, {Si}Ui∈R, K1, ..., Kj−1) = H(Kj)).

• A key distribution scheme guarantees t-wise backward secrecy if for any set R ⊆ {U1, ..., Un}, where |R| ≤ t, and all r ∈ R join after session j, the members in R together cannot get any information about Kj, even with the knowledge of group keys after session j (i.e., H(Kj|B1, ..., Bm, {Si}Ui∈R, Kj+1, ..., Km) = H(Kj)).

Note that t-wise forward (backward) secrecy implies forward (backward) secrecy. Thus, ensuring t-wise forward and backward secrecy guarantees forward and backward secrecy, and thus key independence as well as group key secrecy. In addition, it is easy to see that t-wise forward secrecy also implies t-revocation capability.

3 Efficient Session Key Distribution with Revocation

In this section, we present our techniques for self-healing key distribution with revocation capability. Our techniques start with a novel personal key distribution scheme, in which the communication complexity is only O(t log q) to provide t-revocation capability. We then apply this technique to develop an efficient key distribution scheme in Section 3.2, and further reduce its storage requirement in Section 3.3. To further reduce the broadcast message size, we propose two kinds of trade-offs between the self-healing capability and broadcast message size in Section 3.4.

3.1 A Novel Personal Key Share Distribution Scheme

The purpose of personal key share distribution is to distribute keys to select group members so that each of the select (or non-revoked) group members shares a distinct personal key with the group manager, but the other (revoked) group members (as well as the adversary) cannot get any information of the keys. In our approach, the group manager broadcasts a message, and all the select group members derive their keys from the message.

Our approach chooses a random t-degree polynomial f(x) from Fq[x], and selects f(i) to be the personal key share for each group member Ui. The group manager constructs a single broadcast polynomial w(x) such that for a select group member Ui, f(i) can be recovered from the knowledge of w(x) and the personal secret Si, but for any revoked group member Ui′, f(i′) cannot be determined from w(x) and Si′.

Specifically, we construct w(x) from f(x) with the help of a revocation polynomial g(x) and a masking polynomial h(x) by computing w(x) = g(x)f(x) + h(x). The revocation polynomial g(x) is constructed in such a way that for any select group member Ui, g(i) ≠ 0, but for any revoked group member Ui′, g(i′) = 0. Each group member Uv has its own personal secret Sv = {h(v)}, which may be distributed by the group manager during setup via the secure communication channel between each group member and the group manager. Thus, for any select group member Ui, the new personal key f(i) can be computed by f(i) = (w(i) − h(i)) / g(i), but for any revoked group member Ui′, the new personal key cannot be computed because g(i′) = 0. This scheme has the properties of unconditional security and t-revocation capability, which are guaranteed by Theorem 1.

Scheme 1 Personal key distribution with t-revocation capability. The purpose of this scheme is to distribute distinct shares of a target t-degree polynomial, f(x), to non-revoked group members.

1. Setup: The group manager randomly picks a 2t-degree masking polynomial, h(x) = h0 + h1x + ... + h2t x^(2t), from Fq[x]. Each group member Ui gets the personal secret, Si = {h(i)}, from the group manager via the secure communication channel between them.

2. Broadcast: Given a set of revoked group members, R = {r1, r2, ..., rw}, |R| ≤ t, the group manager distributes the shares of the t-degree polynomial f(x) to non-revoked group members via the following broadcast message: B = {R} ∪ {w(x) = g(x)f(x) + h(x)}, where the revocation polynomial g(x) is constructed as g(x) = (x − r1)(x − r2)...(x − rw).

3. Personal key recovery: If any non-revoked group member Ui receives such a broadcast message, it evaluates the polynomial w(x) at point i and gets w(i) = g(i)f(i) + h(i). Because Ui knows h(i) and g(i) ≠ 0, it can compute the new personal key f(i) = (w(i) − h(i)) / g(i).

In Scheme 1, each non-revoked group member Ui can only recover its own personal share f(i), since computing the personal key of another non-revoked member Uj requires the knowledge of the personal secret {h(j)}. The coalition of no more than t revoked members has no way to determine any share on f(x), because no matter what f(x) is, for any revoked group member Ui′, we have h(i′) = w(i′), which implies that any f(x) is possible from the knowledge of the coalition of the revoked group members.

It is noted that the degrees of g(x), f(x) and h(x) are w, t and 2t, respectively. If w < t, after the broadcast of w(x), we actually disclose h2t, h2t−1, ..., ht+w+1 to anybody who receives the broadcast message. Fortunately, this information disclosure does not give the coalition of no more than t revoked members any information that they are not entitled to. This is guaranteed by Theorem 1. In fact, degree t + w is enough for the masking polynomial h(x). However, at the setup stage, the group manager does not know the exact number of revoked group members in a particular session. Thus, a practical way to address this problem is to choose the degree of h(x) as 2t.

Theorem 1 Scheme 1 is an unconditionally secure personal key distribution scheme with t-revocation capability.

Proof: We need to prove that Scheme 1 satisfies all the conditions listed in Definition 1.

1. (a) The personal key recovery is described in step 3 of Scheme 1. Thus, H(ki = f(i)|B, Si) = 0.

(b) For any set B ⊆ {U1, ..., Un}, |B| ≤ t, and any non-revoked member Ui ∉ B, the coalition of B knows at most t points on f(x). Actually, we can randomly pick ki = f(i) and t − |B| other points, and then construct a polynomial f′(x) from these t + 1 shares (the randomly picked ones and the |B| shares from the coalition) based on Lagrange interpolation. Then, we construct h′(x) = g(x)f(x) + h(x) − g(x)f′(x). It is easy to verify that w(x) = g(x)f′(x) + h′(x) and for any Uv ∈ B, h′(v) = h(v). It follows that any value of ki = f(i) is possible for the coalition of B. Moreover, since Si = h(i) = w(i) − g(i)f(i), it also follows that any value of Si is possible for the coalition of B. Thus, H(ki, Si|{Si′}Ui′∈B, B) = H(ki, Si).

(c) Since f(x) is picked randomly and independent of S1, ..., Sn, and group member Ui's personal key is ki = f(i), we have H(k1, ..., kn|S1, ..., Sn) = H(k1, ..., kn). Moreover, since h(x) is also picked randomly, the broadcast B doesn't disclose any information about f(x). Thus, we have H(f(x)|B) = H(f(x)), which implies H(k1, ..., kn|B) = H(k1, ..., kn).

2. Assume a collection of t revoked group members, R = {Ur1, ..., Urt}, work together. They know {h(ri)}i=1,...,t, g(x), and w(x). However, we can randomly pick a t-degree polynomial f′(x) and construct h′(x) = g(x)f(x) + h(x) − g(x)f′(x). Then we can verify that w(x) = g(x)f′(x) + h′(x) and h′(ri) = g(ri)f(ri) + h(ri) − g(ri)f′(ri) = h(ri) for 1 ≤ i ≤ t. This is to say that any t-degree polynomial is a possible candidate of f(x) for the coalition of R. It follows that H(k1, ..., kn|B, {Si′}Ui′∈R) = H(k1, ..., kn). □

In the setup stage, each group member Ui needs to store its ID i and one share of the masking polynomial, h(i). Thus, the storage requirement in each group member is O(log q). The broadcast message consists of a set of no more than t IDs and one 2t-degree polynomial. Thus, the communication overhead for Scheme 1 is O(t log q). This is a significant improvement over the scheme in [37], in which the communication complexity is O(t² log q).

3.2 Self-Healing Key Distribution with Revocation Capability

The technique in Scheme 1 is an efficient scheme to distribute personal key shares to select group members. Here we further extend it to enable the group manager to distribute group session keys to select group members, at the same time allowing group members to recover lost session keys from other key distribution messages. This technique combines the technique in Scheme 1 with the self-healing method in [37].

Intuitively, the group manager randomly splits each group session key Kj into two t-degree polynomials, pj(x) and qj(x), such that Kj = pj(x) + qj(x). The group manager then distributes shares pj(i) and qj(i) to each select group member Ui (via broadcast). This allows a group member that has both pj(i) and qj(i) to recover Kj by computing Kj = pj(i) + qj(i). Thus, assuming there are m sessions, we can build (m + 1) broadcast polynomials in session j to distribute the shares of {p1(x), ..., pj(x), qj(x), ..., qm(x)} to all select group members. If any Ui receives the broadcast message, it can recover all {p1(i), ..., pj(i), qj(i), ..., qm(i)} and compute session key Kj = pj(i) + qj(i). But the revoked group members get nothing from this broadcast message. Furthermore, if a select group member Ui receives session key distribution messages in sessions j1 and j2, where j1 < j2, but not the session key distribution message for session j, where j1 < j < j2, it can still recover the lost session key Kj by first recovering pj(i) and qj(i) from the broadcast messages in sessions j2 and j1, respectively, and then computing Kj = pj(i) + qj(i).

Scheme 2 Self-healing session key distribution scheme with t-revocation capability.

1. Setup: The group manager randomly picks m · (m + 1) 2t-degree masking polynomials from Fq[x], {hi,j(x)}i=1,...,m, j=1,...,m+1. Each Uv gets its personal secret, Sv = {hi,j(v)}i=1,...,m, j=1,...,m+1, from the group manager via the secure communication channel between them. The group manager also picks m random session keys, {Ki}i=1,...,m ⊂ Fq, and m random t-degree polynomials p1(x), ..., pm(x) from Fq[x]. For each pi(x), the group manager constructs qi(x) = Ki − pi(x).

2. Broadcast: In the jth session key distribution, given a set of revoked member IDs, Rj = {r1, r2, ..., rwj}, |Rj| = wj ≤ t, the group manager broadcasts the following message:

Bj = {Rj} ∪ {Pj,i(x) = gj(x)pi(x) + hj,i(x)}i=1,...,j ∪ {Qj,i(x) = gj(x)qi(x) + hj,i+1(x)}i=j,...,m

where gj(x) = (x − r1)(x − r2)...(x − rwj).

3. Session key and shares recovery: When a non-revoked group member Uv receives the jth session key distribution message, it evaluates the polynomials {Pj,i(x)}i=1,...,j and {Qj,i(x)}i=j,...,m at point v, recovers the shares {p1(v), ..., pj(v)} and {qj(v), ..., qm(v)}, and computes the current session key by Kj = pj(v) + qj(v). Then it stores all the items that it doesn’t have in {p1(v), ..., pj−1(v), Kj, qj+1(v), ..., qm(v)}.


4. Add group members: When the group manager wants to add a group member starting from session j, it picks an ID id ∈ Fq, which is never used before, computes all {hi,k(id)}i=j,...,m, k=j,...,m+1, and gives {id, {hi,k(id)}i=j,...,m, k=j,...,m+1} to this group member via the secure communication channel between them.

A requirement of Scheme 2 is that the sets of revoked group members must change monotonically. That is, Rj1 ⊆ Rj2 for 1 ≤ j1 ≤ j2 ≤ m. Otherwise, a group member that is revoked in session j and rejoins the group in a later session can recover the key for session j, due to the self-healing capability of Scheme 2. This requirement also applies to the later schemes. Scheme 2 has the properties of unconditional security, self-healing, t-revocation capability, t-wise forward secrecy and t-wise backward secrecy, as shown in Theorems 2 and 3.

Theorem 2 Scheme 2 is an unconditionally secure, self-healing session key distribution scheme with m log q-bit privacy and t-revocation capability.

Proof: We need to prove that Scheme 2 satisfies all the conditions listed in Definition 2.

1. (a) Session key recovery is described in step 3 of Scheme 2. Thus, H(Kj |Bj , Si) = H(Kj |zi,j) = 0.

(b) For any set B ⊆ {U1, ..., Un}, |B| ≤ t, and any non-revoked member Uv ∉ B, we will show that the coalition of B knows nothing about Sv. First, we have {hj,i(v) = Pj,i(v) − gj(v)pi(v)}i≤j, {hj,i+1(v) = Qj,i(v) − gj(v)qi(v)}i≥j, {pi(v) + qi(v) = Ki}i=1,...,m. Since all Pj,i(v), Qj,i(v), Ki and gj(v) are known values after the broadcast of all {B1, ..., Bm}, we have

H(Sv | {Si′}Ui′∈B, B1, ..., Bm) = H({hj,i(v)}j=1,...,m, i=1,...,m+1 | {Si′}Ui′∈B, B1, ..., Bm) = H({pi(v), qi(v)}i=1,...,m | {Si′}Ui′∈B, B1, ..., Bm) = H({pi(v)}i=1,...,m | {Si′}Ui′∈B, B1, ..., Bm).

Second, we randomly pick all {p′i(v)}i=1,...,m. Because the coalition of B knows at most t points on each {pi(x)}i=1,...,m, we can construct {p′i(x)}i=1,...,m based on Lagrange interpolation on these points. Thus, we construct {q′i(x) = Ki − p′i(x)}i=1,...,m, {h′j,i(x) = Pj,i(x) − gj(x)p′i(x)}i≤j and {h′j,i+1(x) = Qj,i(x) − gj(x)q′i(x)}i≥j. We can easily verify that the following constraints, which are all the knowledge that the coalition of B has, are satisfied.

(i) {p′i(x) + q′i(x) = Ki}i=1,...,m

(ii) {gj(x)p′i(x) + h′j,i(x) = Pj,i(x)}i≤j

(iii) {gj(x)q′i(x) + h′j,i+1(x) = Qj,i(x)}i≥j

(iv) For any Ui′ ∈ B, {h′j,i(i′) = hj,i(i′)}j=1,...,m, i=1,...,m+1.

Since {p′i(v)}i=1,...,m are picked randomly, we have H({pi(v)}i=1,...,m | {Si′}Ui′∈B, B1, ..., Bm) = H({pi(v)}i=1,...,m). Thus, H(Sv | {Si′}Ui′∈B, B1, ..., Bm) = H({pi(v)}i=1,...,m) = m log q.

(c) Since {pi(x)}i=1,...,m and {hj,i(x)}1≤i≤m, 1≤j≤m+1 are all randomly picked, zi,j = {p1(i), ..., pj(i), qj(i), ..., qm(i)} cannot be determined only by broadcast messages or personal keys. It follows that H(zi,j | B1, ..., Bm) = H(zi,j) = H(zi,j | S1, ..., Sn).

2. Assume a collection R of t revoked group members work together. Thus, the coalition of R knows at most t points on qj(x) and nothing on pj(x) before the broadcast of Bj. Based on Lagrange interpolation, we randomly construct a polynomial q′j(x) from these t points. Then we randomly pick K′j, and construct p′j(x) = K′j − q′j(x) and h′j,j(x) = Pj,j(x) − gj(x)p′j(x). After the broadcast of Bj, we can verify that gj(x)p′j(x) + h′j,j(x) = Pj,j(x). In addition, for any Ui′ ∈ R, q′j(i′) = qj(i′) (from the construction of q′j(x)), and since gj(i′) = 0, h′j,j(i′) = Pj,j(i′) − gj(i′)p′j(i′) = Pj,j(i′) = hj,j(i′). Since K′j is randomly chosen, we know that any value is possible from what the coalition knows about Kj. Thus, H(Kj | B1, ..., Bj, {Si′}Ui′∈R) = H(Kj).

3. (a) From step 3 of Scheme 2, for any Ui that is a member in sessions j1 and j2 (1 ≤ j1 < j < j2 ≤ m), Ui can recover {p1(i), ..., pj1(i), qj1(i), ..., qj(i), ..., qm(i)} and {p1(i), ..., pj(i), ..., pj2(i), qj2(i), ..., qm(i)}, and recover Kj by computing Kj = pj(i) + qj(i). Thus, H(Kj | zi,j1, zi,j2) = 0.

(b) For any disjoint subsets B, C ⊂ {U1, ..., Un}, where |B ∪ C| ≤ t and 1 ≤ j1 < j < j2 ≤ m, the set {zi′,j}Ui′∈B, 1≤j≤j1 contains {qj(i)}Ui∈B, and the set {zi′,j}Ui′∈C, m≥j≥j2 contains {pj(i)}Ui∈C. Thus, for session j, the coalition B ∪ C knows at most |B| points on qj(x) and |C| points on pj(x). Because pj(x), qj(x) are two t-degree polynomials and |B ∪ C| ≤ t, the coalition of B ∪ C cannot recover Kj. That is, H(Kj | {zi′,j}Ui′∈B, 1≤j≤j1 ∪ {zi′,j}Ui′∈C, m≥j≥j2) = H(Kj). □

Theorem 3 Scheme 2 has the properties of t-wise forward secrecy and t-wise backward secrecy.

Proof: Assume a collection R of t group members work together.

• If R are revoked before session j, from the proof of Theorem 2, the coalition of R knows at most t points on the t-degree polynomial qj(x). In addition, from the proof of Theorem 1, the coalition knows nothing on pj(x) from the later session key distribution messages. It follows that the session key, Kj = pj(x) + qj(x), still appears to be random for the coalition. Thus, H(Kj | B1, ..., Bm, {Si}Ui∈R, K1, ..., Kj−1) = H(Kj).

• If R join the group after session j, from step 4 of Scheme 2, we know that such a group member cannot get the personal shares on the masking polynomials for session j. Thus, the coalition of R knows nothing on pj(x) and qj(x). Therefore, Kj = pj(x) + qj(x) still appears to be random for the coalition. Thus, H(Kj | B1, ..., Bm, {Si}Ui∈R, Kj+1, ..., Km) = H(Kj). □

The storage requirement in Scheme 2 comes from two parts. First, at the setup step, each group member is required to store the personal secret, which occupies m(m + 1) log q memory space. (Note that the group members that join later need to store less data.) Second, after receiving the session key distribution message in session j, each group member Uv needs to store the session key Kj and {qj′(v)}j′∈{j+1,...,m}. The latter is necessary to recover future lost session keys. This takes at most m log q memory space. Hence, the total storage overhead in each group member is at most m(m + 2) log q.

The broadcast message in step 2 consists of the set of IDs of all revoked group members and (m + 1) 2t-degree polynomials. To deal with no more than t compromised group members, we know that the size of the revocation set is no more than t. In addition, we only require the uniqueness of the ID of a particular group member. Thus the ID of each group member can actually be picked from a much smaller finite set than Fq. Therefore, we can ignore the overhead for storing or broadcasting the IDs in this scheme. Thus, the broadcast message size is (m + 1)(2t + 1) log q, which almost reaches the lower bound max{t² log q, mt log q} presented in [37].

3.3 Reducing Storage Requirement

In Scheme 2, the storage overhead in each group member is O(m² log q). The majority of this storage overhead comes from the personal secret that each group member has to keep, which is determined by the number of masking polynomials.


By carefully evaluating the broadcast messages in Scheme 2, we note that each pi(x) is masked by different masking polynomials (i.e. {hj,i(x)}j=i,...,m) in different sessions. Though having multiple masking polynomials seems to make it more difficult to attack, it does not contribute to the security of this scheme.

Indeed, having one masking polynomial for each pi(x) is sufficient to protect pi(x) and its shares in our scheme. In Scheme 2, the purpose of the broadcast polynomial gj(x)pi(x) + hj,i(x) is to make sure that all non-revoked members in session j can recover one share on pi(x), but all revoked members cannot. Consider a given pi(x). The members who are valid in session i but revoked after session i are expected to compute their shares on pi(x). (Even if such revoked members may lose the broadcast message in session i, they can still recover the corresponding key and shares if they somehow get a copy of that message later.) Therefore, it is unnecessary to protect the same pi(x) multiple times with different masking polynomials. In other words, once a broadcast polynomial gi(x)pi(x) + hi,i(x) is constructed in session i, the group manager may reuse it for the remaining sessions. This implies that we need only one masking polynomial for each pi(x). As a result, the total number of masking polynomials for {pi(x)}i=1,...,m, and thus the number of personal shares that each group member has to keep, are both reduced.

Similarly, the number of masking polynomials for each qi(x) can also be reduced. First, in Scheme 2, the members that join in or before session i are expected to compute all their shares on qi(x), ..., qm(x). Thus, we can reuse the masking polynomials as discussed earlier. Second, it is easier to prevent later added group members from accessing shares of earlier qi(x), since the group manager already knows which group members to deal with. In particular, the group manager doesn’t need to use any revoking polynomial, but just needs to keep the shares of the masking polynomials for {pi(x)}i=1,...,j away from the group members added after session j. Thus, the broadcast polynomials in Scheme 2, {gj(x)qi(x) + hj,i+1(x)}i=j,...,m, can be replaced with {qi(x) + hi,i+1(x)}i=j,...,m.

Based on the above discussion, we propose the following scheme, which reduces the storage requirement in each member from O(m² log q) in Scheme 2 to O(m log q).

Scheme 3 Improved self-healing session key distribution scheme with t-revocation capability.

1. Setup: The group manager randomly picks m 2t-degree masking polynomials, {hi(x)}i=1,...,m, and m t-degree polynomials, {fi(x)}i=1,...,m, from Fq[x]. Each Uv gets its personal secret, Sv = {hi(v), fi(v)}i=1,...,m, from the group manager via the secure communication channel between them. The group manager also picks m random session keys, {Ki}i=1,...,m ⊂ Fq, and m random t-degree polynomials p1(x), ..., pm(x) from Fq[x]. For each pi(x), the group manager constructs qi(x) = Ki − pi(x).

2. Broadcast: In the jth session key distribution, given the sets of revoked member IDs for sessions in and before session j, Ri = {r1, r2, ..., rwi}i=1,...,j, where |Ri| = wi ≤ t for i = 1, ..., j, the group manager broadcasts the following message:

Bj = {Ri}i=1,...,j ∪ {Pi(x) = gi(x)pi(x) + hi(x)}i=1,...,j ∪ {Qi(x) = qi(x) + fi(x)}i=j,...,m,

where gi(x) = (x − r1)(x − r2)...(x − rwi), 1 ≤ i ≤ j.

3. Session key and shares recovery: When a non-revoked group member Uv receives the jth session key distribution message, it evaluates the polynomials {Pi(x)}i=1,...,j and {Qi(x)}i=j,...,m at point v, recovers the shares {p1(v), ..., pj(v)} and {qj(v), ..., qm(v)}, and computes the current session key Kj = pj(v) + qj(v). It then stores the items that it doesn’t have in {p1(v), ..., pj−1(v), Kj, qj+1(v), ..., qm(v)}.

4. Add group members: When the group manager wants to add a group member starting from session j, it picks an ID id ∈ Fq, which is never used before, computes all {hi(id)}i=j,...,m and {fi(id)}i=j,...,m, and gives {id, {hi(id)}i=j,...,m, {fi(id)}i=j,...,m} to this group member via the secure communication channel between them.
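As an added example (not the paper's code), the following Python sketch runs Scheme 3 over a prime field with constructed parameters: the group manager's setup and broadcast, a member's share recovery, a member who loses B3 and self-heals K3 from B2 and B4, and a member revoked from session 3 who still recovers the earlier K2 she was entitled to (the behaviour noted at the end of Section 3.3) but learns nothing about K3 or K4. The names GroupManager, Member and demo, the 61-bit field and the member IDs are assumptions of this sketch.

```python
# Added example (not the paper's code): toy Scheme 3 over F_q with constructed parameters.
import random

Q = (1 << 61) - 1  # prime field size, enough to hold a 61-bit session key

def rand_poly(degree):
    """Random polynomial over F_q as a coefficient list, constant term first."""
    return [random.randrange(Q) for _ in range(degree + 1)]

def poly_eval(poly, x):
    acc = 0
    for c in reversed(poly):              # Horner's rule modulo Q
        acc = (acc * x + c) % Q
    return acc

def poly_add(a, b):
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    return [(x + y) % Q for x, y in zip(a, b)]

def poly_mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % Q
    return out

def revocation_poly(revoked_ids):
    """g(x) = prod (x - r) over the revoked IDs, so g(v) = 0 exactly when v is revoked."""
    g = [1]
    for r in revoked_ids:
        g = poly_mul(g, [(-r) % Q, 1])
    return g

class GroupManager:  # steps 1 and 2 of Scheme 3
    def __init__(self, m, t):
        self.m = m
        self.h = [rand_poly(2 * t) for _ in range(m)]      # 2t-degree masks for p_i
        self.f = [rand_poly(t) for _ in range(m)]          # t-degree masks for q_i
        self.keys = [random.randrange(Q) for _ in range(m)]
        self.p = [rand_poly(t) for _ in range(m)]
        self.q = [[(-c) % Q for c in p] for p in self.p]   # q_i(x) = K_i - p_i(x)
        for i in range(m):
            self.q[i][0] = (self.q[i][0] + self.keys[i]) % Q
        self.revoked = [set() for _ in range(m)]           # R_1 ⊆ R_2 ⊆ ... ⊆ R_m

    def personal_secret(self, v):                          # S_v = {h_i(v), f_i(v)}
        return [(poly_eval(self.h[i], v), poly_eval(self.f[i], v)) for i in range(self.m)]

    def revoke(self, v, from_session):
        for j in range(from_session - 1, self.m):          # keeps the R_j monotonic
            self.revoked[j].add(v)

    def broadcast(self, j):
        """B_j = {R_i}, {P_i = g_i p_i + h_i} for i <= j, {Q_i = q_i + f_i} for i >= j."""
        R = {i: sorted(self.revoked[i - 1]) for i in range(1, j + 1)}
        P = {i: poly_add(poly_mul(revocation_poly(R[i]), self.p[i - 1]), self.h[i - 1])
             for i in range(1, j + 1)}
        Qs = {i: poly_add(self.q[i - 1], self.f[i - 1]) for i in range(j, self.m + 1)}
        return {"R": R, "P": P, "Q": Qs}

class Member:  # step 3 of Scheme 3
    def __init__(self, v, secret):
        self.v, self.secret = v, secret
        self.p_shares, self.q_shares = {}, {}

    def receive(self, msg):
        for i, P in msg["P"].items():
            g_v = poly_eval(revocation_poly(msg["R"][i]), self.v)
            if g_v == 0:                  # revoked in session i: P_i(v) says nothing about p_i(v)
                continue
            h_v = self.secret[i - 1][0]
            self.p_shares[i] = (poly_eval(P, self.v) - h_v) * pow(g_v, -1, Q) % Q
        for i, Qi in msg["Q"].items():
            f_v = self.secret[i - 1][1]
            self.q_shares[i] = (poly_eval(Qi, self.v) - f_v) % Q

    def session_key(self, j):             # K_j = p_j(v) + q_j(v), None while a share is missing
        if j in self.p_shares and j in self.q_shares:
            return (self.p_shares[j] + self.q_shares[j]) % Q
        return None

def demo(m=6, t=2, seed=1):
    """Alice (ID 5) loses B_3 but self-heals from B_2 and B_4; Mallory (ID 7) is revoked from session 3."""
    random.seed(seed)
    gm = GroupManager(m, t)
    alice, mallory = Member(5, gm.personal_secret(5)), Member(7, gm.personal_secret(7))
    gm.revoke(7, from_session=3)
    for j in (2, 4):                      # B_3 never reaches Alice
        alice.receive(gm.broadcast(j))
    for j in (1, 4):                      # Mallory misses B_2 and sees B_4 only after her revocation
        mallory.receive(gm.broadcast(j))
    return {
        "alice_k3_healed": alice.session_key(3) == gm.keys[2],
        "alice_k4": alice.session_key(4) == gm.keys[3],
        "mallory_k2": mallory.session_key(2) == gm.keys[1],   # entitled to K_2, recovered via B_4
        "mallory_k3": mallory.session_key(3),                 # None: forward secrecy holds
        "mallory_k4": mallory.session_key(4),
    }
```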

Though Scheme 3 requires less storage than Scheme 2, it still retains the nice security properties such as unconditional security and t-wise forward and backward secrecy, as shown in Theorems 4 and 5.

Theorem 4 Scheme 3 is an unconditionally secure, self-healing session key distribution scheme with m log q-bit privacy and t-revocation capability.

Proof: Scheme 3 is similar to Scheme 2. The only difference is that the constructed polynomials Pi(x) and Qi(x) are reused in other sessions. No further information is disclosed. Thus, the self-healing property is inherited from Scheme 2. We only need to prove properties 1(b) and 2 in Definition 2.

1. (b) For any set B ⊆ {U1, ..., Un}, |B| ≤ t, and any non-revoked member Uv ∉ B, we will show that the coalition of B knows nothing about Sv. Similar to the proof of Theorem 2, we have H(Sv | {Si′}Ui′∈B, B1, ..., Bm) = H({pi(v)}i=1,...,m | {Si′}Ui′∈B, B1, ..., Bm). We randomly pick all {p′i(v)}i=1,...,m and construct {p′i(x)}i=1,...,m, {q′i(x) = Ki − p′i(x)}i=1,...,m, {h′i(x) = Pi(x) − gi(x)p′i(x)}i=1,...,m and {f′i(x) = Qi(x) − q′i(x)}i=1,...,m. We can easily verify that the following constraints, which are all the knowledge of the coalition of B, are satisfied.

(i) {p′i(x) + q′i(x) = Ki}i=1,...,m

(ii) {gi(x)p′i(x) + h′i(x) = Pi(x)}i=1,...,m

(iii) {q′i(x) + f′i(x) = Qi(x)}i=1,...,m

(iv) For any Ui′ ∈ B, {h′i(i′) = hi(i′), f′i(i′) = fi(i′)}i=1,...,m.

Since {p′i(v)}i=1,...,m are picked randomly, we have H({pi(v)}i=1,...,m | {Si′}Ui′∈B, B1, ..., Bm) = H({pi(v)}i=1,...,m). Thus, H(Sv | {Si′}Ui′∈B, B1, ..., Bm) = H({pi(v)}i=1,...,m) = m log q.

2. Assume a collection R of t revoked group members work together. Thus, the coalition of R knows at most t points on qj(x) and nothing on pj(x) before the broadcast of Bj. We randomly construct a polynomial q′j(x) from these t points, randomly pick K′j, and construct p′j(x) = K′j − q′j(x) and h′j(x) = Pj(x) − gj(x)p′j(x). Similar to the proof of Theorem 2, after the broadcast of Bj, we can verify that the above constructions satisfy what the coalition of R knows about Kj. Thus, H(Kj | B1, ..., Bj, {Si′}Ui′∈R) = H(Kj). □

Theorem 5 Scheme 3 has the properties of t-wise forward secrecy and t-wise backward secrecy.

Proof: Assume a collection R of t group members work together. If all members in R are revoked before session j, they know at most t points on the t-degree polynomial qj(x) according to the proof of Theorem 4, and nothing on pj(x) according to the proof of Theorem 1. If all members in R join the group after session j, they know nothing about the t-degree polynomials pj(x) and qj(x) according to step 4 of Scheme 3. Thus, similar to the proof of Theorem 3, the t-wise forward secrecy and t-wise backward secrecy are ensured. □

During the setup stage, each group member needs to store one share of each of the masking polynomials, which together occupy 2m log q space. Moreover, in order to recover from message loss, each member needs to store one share (out of the two shares) of each session key, or the session key itself if it has both shares, which together require m log q space. Hence, the overall storage overhead in each member is at most 3m log q, which is much less than m(m + 2) log q in Scheme 2.


The broadcast message in session j consists of j revocation sets {Ri}i=1,...,j and m + 1 polynomials. Since R1 ⊆ R2 ⊆ ... ⊆ Rm and |Rm| ≤ t, we can use a one-dimensional array with j elements to indicate the number of revoked members in each session. In other words, we can represent all {Ri}i=1,...,j by Rj and this array. In addition, the member IDs can be picked from a small finite field. Therefore, we can ignore the communication overhead for the broadcast of all those revocation sets here. Thus, the broadcast size in session j is ((m + j + 1)t + m + 1) log q, which is a little smaller than that in Scheme 2. The reason is that the degree of the polynomials {Qj(x)}j=1,...,m is reduced from 2t to t. The largest broadcast size (when j = m) is ((2m + 1)t + m + 1) log q.

As we discussed earlier, in Scheme 3, if a revoked group member doesn’t receive a broadcast message before it is revoked, it may recover the corresponding session key by receiving broadcast messages after it is revoked. This doesn’t introduce a security problem, since the revoked member is entitled to that information. However, such a revoked member cannot do the same thing in Scheme 2 unless it gets the lost broadcast message, because different masking polynomials are used in different sessions. This is the difference between Scheme 2 and Scheme 3.

3.4 Trading Off Self-Healing Capability for Less Broadcast Size

In our previous schemes, each key distribution message contains redundant information for all the other m − 1 sessions. However, in certain situations, having redundant information for all the sessions may be unnecessary and consume too much bandwidth. For example, when there are only short term communication failures, which are never longer than a fraction of the m sessions, it is only necessary to include redundant information to prepare for the maximum number of such sessions. As another example, when there are relatively long term but infrequent communication failures, always preparing for such failures may generate more-than-necessary overhead.

In this subsection, we study two possible ways to further reduce the broadcast message size based on the above observation. Our first technique is targeted at possibly frequent but short term communication failures. We assume that after a wireless node receives a broadcast key distribution message, it takes no more than l − 1 sessions for it to receive another one, where l − 1 ≪ m. The basic approach is to introduce a “sliding window”1 so that only redundant information for the sessions that fall into this window is broadcasted. The key distribution message in each session includes the recovery information on the current session key and shares of the previous and the future l − 1 session keys. The valid member can recover any lost key in the sessions between two successfully received key distribution messages.

Obviously, with the “sliding window” technique, we cannot ensure the same self-healing property as in our previous schemes. In the following, we extend the notion of self-healing to l-session self-healing to clarify the capability of the new scheme.

Definition 4 (l-session self-healing) Let t, i ∈ {1, ..., n} and j, l ∈ {1, ..., m}. D is l-session self-healing if the following are true.

(a) For any max(j − l + 1, 1) ≤ j1 < j < j2 ≤ min(j + l − 1, m) and any Ui who is a member in sessions j1 and j2, Kj is determined by the set {zi,j1, zi,j2} (i.e., H(Kj | zi,j1, zi,j2) = 0).

(b) For any 1 ≤ j1 < j < j2 ≤ m and any disjoint subsets B, C ⊂ {U1, ..., Un} where |B ∪ C| ≤ t, the set {zi′,j}Ui′∈B, 1≤j≤j1 ∪ {zi′,j}Ui′∈C, m≥j≥j2 contains no information on Kj (i.e., H(Kj | {zi′,j}Ui′∈B, 1≤j≤j1 ∪ {zi′,j}Ui′∈C, m≥j≥j2) = H(Kj)).

1 The term “sliding window” was also mentioned in [37]. However, no specific technique has been presented there.


Based on the above discussion, we develop the following scheme to trade off self-healing capability with broadcast size.

Scheme 4 Session key distribution with t-revocation capability for short term communication failures. The setup and adding group members steps are the same as Scheme 3.

• Broadcast: In the jth session key distribution, given the sets of revoked member IDs for sessions in and before session j, Ri = {r1, r2, ..., rwi}i=max(j−l+1,1),...,j, where |Ri| = wi ≤ t for i = max(j − l + 1, 1), ..., j, the group manager broadcasts the following message:

Bj = {Ri}i=max(j−l+1,1),...,j ∪ {Pi(x) = gi(x)pi(x) + hi(x)}i=max(j−l+1,1),...,j ∪ {Qi(x) = qi(x) + fi(x)}i=j,...,min(j+l−1,m)

where gi(x) = (x − r1)(x − r2)...(x − rwi), max(j − l + 1, 1) ≤ i ≤ j.

• Session key and shares recovery: When a non-revoked group member Uv receives the jth key distribution message, it evaluates the polynomials {Pi(x)}i=max(j−l+1,1),...,j and {Qi(x)}i=j,...,min(j+l−1,m) at point v, recovers the shares {pmax(j−l+1,1)(v), ..., pj(v)} and {qj(v), ..., qmin(j+l−1,m)(v)}, and computes the current session key Kj = pj(v) + qj(v). It then stores the items that it doesn’t have in {pmax(j−l+1,1)(v), ..., pj−1(v), Kj, qj+1(v), ..., qmin(j+l−1,m)(v)}.

Theorem 6 Scheme 4 is an unconditionally secure, l-session self-healing session key distribution scheme with m log q-bit privacy and t-revocation capability, t-wise forward and backward secrecy.

Proof: The only difference between Scheme 3 and Scheme 4 is that each key distribution message in Scheme 3 contains the information on the current session key and shares of all the other session keys, but in Scheme 4, it only contains the information on the current session key and shares of the old and future l − 1 session keys. Thus, the properties of unconditional security, t-revocation capability, t-wise forward and backward secrecy are inherited from Theorem 4. Since from each broadcast message a valid user can only get the current key and shares of the old and future l − 1 session keys, the property of l-session self-healing can be easily derived according to Definition 4 and the proof of Theorem 4. □

In Scheme 4, the size of the personal secret in each member is at most 2m log q. In addition, it needs an additional (2l − 1) log q memory space to store the session key and shares. Therefore, the total storage overhead is at most (2m + 2l − 1) log q. The broadcast message consists of l 2t-degree polynomials and l t-degree polynomials, which occupy l(3t + 2) log q in the communication bandwidth.

Our second technique is aimed at situations where there are relatively long term but infrequent communication failures. Specifically, we assume that each wireless node can receive at least d consecutive broadcast key distribution messages, and after a wireless node receives a broadcast key distribution message, it takes no more than (l − 1)d sessions for it to receive another one.

Intuitively, the second technique is to selectively include the same amount of redundant information from a large “window” of sessions (i.e., 2(l − 1)d + 1 instead of 2l − 1 sessions) in each key distribution message. Specifically, the group manager picks one from every d consecutive sessions in a particular window of sessions and includes key shares for those selected sessions in the key distribution message. In other words, the recovery information for a particular session key is evenly distributed among a large number of sessions. Given the window size 2(l − 1)d + 1, the key distribution message for session j will contain key shares for sessions j − (l − 1)d, j − (l − 2)d, ..., j − d and j + d, j + 2d, ..., j + (l − 1)d. Thus, any d consecutive session key distribution messages contain shares of the previous and the future (l − 1)d sessions. A group member may not find the necessary information to recover a particular session key in one key distribution message; however, it is guaranteed to find one in the next d − 1 key distribution messages. In general, this idea is to trade off the key recovery delay with the number of recoverable sessions.

Scheme 4 can be viewed as a special case of this technique (when d = 1). To clarify the self-healing capability of this new technique, we generalize Definition 4 into the following notion of (l,d) self-healing.

Definition 5 ((l,d) self-healing) Let t, i ∈ {1, ..., n} and j, l, d ∈ {1, ..., m}. D is (l,d) self-healing if the following are true.

(a) For any max(j − (l − 1) · d, 1) ≤ j − j1 · d < j < j + j2 · d ≤ min(j + (l − 1) · d, m) and any Ui who is a member in sessions j − j1 · d and j + j2 · d, Kj is determined by the set {zi,j−j1·d, zi,j+j2·d} (i.e., H(Kj | zi,j−j1·d, zi,j+j2·d) = 0).

(b) For any 1 ≤ j1 < j < j2 ≤ m and any disjoint subsets B, C ⊂ {U1, ..., Un} where |B ∪ C| ≤ t, the set {zi′,j}Ui′∈B, 1≤j≤j1 ∪ {zi′,j}Ui′∈C, m≥j≥j2 contains no information on Kj (i.e., H(Kj | {zi′,j}Ui′∈B, 1≤j≤j1 ∪ {zi′,j}Ui′∈C, m≥j≥j2) = H(Kj)).

The scheme built on the above idea is a natural generalization of Scheme 4.

Scheme 5 Session key distribution with t-revocation capability for relatively long term but infrequent communication failures. The setup and adding group members steps are the same as Scheme 3.

• Broadcast: Let Gpj = {j − i · d}0≤i<min(j/d, l) and Gqj = {j + i · d}0≤i<min((m−j)/d, l). In the jth session key distribution, given the sets of revoked member IDs for sessions in and before session j, Ri = {r1, r2, ..., rwi}i∈Gpj, where |Ri| = wi ≤ t for i ∈ Gpj, the group manager broadcasts the following message:

Bj = {Ri}i∈Gpj ∪ {Pi(x) = gi(x)pi(x) + hi(x)}i∈Gpj ∪ {Qi(x) = qi(x) + fi(x)}i∈Gqj

where gi(x) = (x − r1)(x − r2)...(x − rwi), i ∈ Gpj.

• Session key and shares recovery: When a non-revoked group member Uv receives the jth session key distribution message, it evaluates the polynomials {Pi(x)}i∈Gpj and {Qi(x)}i∈Gqj at point v, recovers the shares {pi(v)}i∈Gpj and {qi(v)}i∈Gqj, and computes the current session key Kj = pj(v) + qj(v). It then stores the items that it doesn’t have in {pi(v)}i∈Gpj and {qi(v)}i∈Gqj.

Theorem 7 Scheme 5 is an unconditionally secure, (l,d) self-healing session key distribution scheme with m log q-bit privacy and t-revocation capability, t-wise forward and backward secrecy.

Proof: Similar to the proof of Theorem 6, the group manager actually discloses less information in each key distribution message. Thus, the properties of unconditional security, t-revocation capability, t-wise forward and backward secrecy are inherited from Theorem 4. The property of (l,d) self-healing can be easily derived according to Definition 5 and the proof of Theorem 4. □

From the broadcast step in Scheme 5, it is obvious that the communication overhead of this generalized scheme is the same as Scheme 4. As for the storage overhead, the group member needs to buffer the key and shares of 2(l − 1)d + 1 consecutive sessions, thus the total storage overhead is (2m + 2(l − 1)d + 1) log q.

Generally, the above two extensions (Scheme 4 and Scheme 5) allow small key distribution messages, which are independent of the total number of sessions. The choice of window size depends mainly on the network environment. Thus, it is possible to have a large number of sessions and still have a reasonable broadcast message size and self-healing capability. Nevertheless, the storage overhead in each member still limits the total number of sessions.

                          C3                         C4                           Scheme 3
Communication overhead    (mt² + 2mt + m) log q      (3mt + t² + 2m + t) log q    (2mt + m + t + 1) log q
Storage overhead          (m² + m) log q             (m² + m) log q               3m log q
Self-healing              Yes                        Yes                          Yes
Security                  unconditional              computational                unconditional
Revocation capability     Yes                        Yes                          Yes

Table 1: Comparison among different self-healing key distribution schemes.

A special case of the above two schemes is to let m = t, and have the group manager update the session key if and only if at least one compromised member is newly detected. On the one hand, it is possible to cover a long network lifetime. On the other hand, the compromised member can be revoked immediately. This customization may be suitable for the applications that cannot afford a large number of sessions, but still want to cover a long period of time.

3.5 Comparison with Previous Methods

In this subsection, we give a simple comparison between Scheme 3 and Constructions 3 and 4 presented in [37]. Since Schemes 4 and 5 are mainly about trade-offs between self-healing capability and broadcast message size, we do not include them here. Note that the long-lived construction (Construction 5) in [37] is also applicable to our schemes. Thus, we do not consider it here either.

Table 1 summarizes several properties for these three self-healing key distribution methods. We use C3 to denote Construction 3 in [37], which is the basic unconditionally secure self-healing scheme with t-revocation capability, and C4 to denote Construction 4 in [37], which is the less broadcast size variant of C3. Note that C4 reduces the broadcast size by sacrificing the unconditional security property of C3 (for computational security), while our Scheme 3 can achieve unconditional security. In contrast, Scheme 3 proposed in this paper reduces the communication and storage overhead without sacrificing any security property. From Table 1 it is easy to see that our scheme has less communication and storage overhead than both constructions in [37]. Figure 1 further shows the possible values for m and t given a maximum of 64KB packet size2. It is easy to see that our scheme gives more space to the choices of m and t.

4 Implementation Issues

In this section, we discuss some implementation issues of our schemes in real-world applications. We give a simple analysis of the final schemes presented in Section 3.4 (i.e., Schemes 4 and 5) in terms of various parameters, including the session key recovery rate (i.e., the average number of recovered session keys at each member over the total number of sessions), the revocation capability (t), the packet loss rate, and the communication overhead.

In the following discussion, we assume an IPv4 based wireless network with f bytes MTU size. Thus, the IP packet with more than f − 20 bytes payload will be fragmented into multiple datagrams. We also assume a group member receives each datagram at an independent and fixed loss rate when it stays in range3.

2 The values for C3 and C4 are slightly larger than those given in Figure 3 in [37]; we compute the values purely from the formula given in Table 1 for the purpose of fair comparison.

[Figure 1: “Possible values of m and t with 64KB packet size”, a plot of m (0 to 500) against t (10 to 90) with one line each for C3, C4 and Scheme 3.]

Figure 1: Possible values of m and t for different self-healing key distribution schemes, which are the areas under the corresponding lines. Assume that q is a 64-bit integer. C4 can only guarantee computational security, while the other two can guarantee unconditional security.

One option to transmit a broadcast key distribution message is to encapsulate it in a single packet. However, due to the fragmentation in the network, larger packets are less likely to reach their destinations, since if one fragment is lost, the whole packet will be dropped. As a result, the window size should be increased accordingly so that the group members still have reasonable recovery rates. But a large window size in turn leaves less space for t, which impairs our initial purpose of high revocation capability. In the following, we try to understand how these constraints may fit together and the restrictions they impose.

Assume the packet size is s, which means that each packet will be split into ⌈s/(f − 20)⌉ fragments when transmitted over the network. Thus, the loss rate for a whole packet is r = 1 − (1 − p)^⌈s/(f−20)⌉, where p is the loss rate of a single fragment. For a particular session i, besides the ith session key distribution message, there are l − 1 key distribution messages that contain the information on pi(x) and l − 1 key distribution messages that contain the information on qi(x). Thus, the probability of recovering a particular session key Ki is

Pi = 1 − r · (r^(l−1) + r^(l−1) − r^(l−1) · r^(l−1)) = 1 − 2r^l + r^(2l−1),

where r is the loss rate of a single key distribution message computed earlier. The recovery probability for the first and the last l − 1 sessions is different from the above equation. However, we assume the total number of sessions is much larger than l, and use the above formula as the estimate of the average session key recovery rate. If the minimum requirement for the average recovery rate is Pex, then we have 1 − 2r^l + r^(2l−1) ≥ Pex. By solving this inequality, we get

l ≥ 1 if r ≤ 1 − Pex, and l ≥ ⌈log_r(r − √(r² − r + rPex))⌉ otherwise.

We also consider the overhead introduced by the broadcast of the set of revoked member IDs. Assume the ID of each member is chosen from a finite field $\mathbb{F}_{q'}$. As we mentioned before, the sets of revoked member IDs in sessions $j-l+1, \ldots, j$ can be represented by an array with $l$ elements and $R_j$, which occupy $(l+t)\log q'$ communication bandwidth. Thus, $l(3t+2)\log q + (t+l)\log q' = 8 \cdot s$. It follows that

$$t = \frac{8s - l\,(2\log q + \log q')}{3l\log q + \log q'}.$$

Thus, together with the inequality for $l$, we have

$$t \le \begin{cases} \dfrac{8s - 2\log q - \log q'}{3\log q + \log q'}, & r \le 1 - P_{ex} \\[2ex] \dfrac{8s - \left\lceil \log_r\!\left(r - \sqrt{r^2 - r + rP_{ex}}\right)\right\rceil (2\log q + \log q')}{3\left\lceil \log_r\!\left(r - \sqrt{r^2 - r + rP_{ex}}\right)\right\rceil \log q + \log q'}, & \text{otherwise} \end{cases}$$

³This is certainly an overly simplified assumption in tactical wireless networks. We make this assumption to understand the basic performance issues. We will consider a more realistic model for tactical wireless networks in our future work.

[Figure 2(a) plot: "Maximum achievable t vs. broadcast size given the minimum of 99% recovery rate"; x-axis Broadcast size (bytes), 0 to 70000; y-axis t, 0 to 120; curves for 5%, 10%, 15% and 20% loss rate]

(a) Option 1: Encapsulating the whole key distribution message in a single large packet

[Figure 2(b) plot: same title and x-axis as (a); y-axis t, 0 to 700; curves for 5%, 10%, 15% and 20% loss rate]

(b) Option 2: Deliver the key distribution message in multiple small packets

Figure 2: Maximum achievable revocation capability under different fragment loss rates given a minimum requirement of 99% session key recovery rate and an IPv4 based Ethernet network environment. Assume that q is a 64-bit integer.

Assume $f$ is 1500, which is a typical value for the Ethernet protocol, and $q'$ is a 16-bit number, which can accommodate about 65,535 group members. Figure 2(a) shows the relationship between the maximum achievable values of $t$ and the broadcast size given the minimum session key recovery rate of 99%. The reason for the irregular shapes in the figure is that the value of $l$ is rounded up to a positive integer. As shown in the figure, a larger broadcast size does not necessarily lead to a higher revocation capability given the minimum requirement on recovery rate. Instead, there is an optimal broadcast size that can maximize the revocation capability. This figure actually gives a guideline for the choice of broadcast size for our scheme in an Ethernet network environment. The same methodology applies to other types of networks.

Encapsulating the whole key distribution message in a single large packet doesn't give the best performance. In particular, it results in a high loss rate when there is fragmentation, and incomplete packets may still carry useful information even though some fragments are lost. Another option is to deliver the key distribution message in small packets. Specifically, each small packet contains all necessary information for the recovery of one share for a particular session key. Thus, the whole key distribution message is delivered by $2l$ small packets. The packet carrying information on $p_i(x)$ also carries the set $R_i$ of revoked member IDs. We use a 16-bit number to represent the member ID, and thus can accommodate 65,535 members in total. The prime number $q$ is chosen in the same way as before. Thus, the size of such a packet is $(2t+1) \cdot 64 + t \cdot 16 = 144t + 64$ bits, and the loss rate is $r_a = 1 - (1-p)^{\lceil (18t+8)/(f-20) \rceil}$. The packet carrying information on $q_i(x)$ only contains the coefficients of a $t$-degree polynomial. Thus, the broadcast size is $64(t+1)$, and the loss rate is $r_b = 1 - (1-p)^{\lceil 8(t+1)/(f-20) \rceil}$. The probability of recovering a session key at the group member is $P(i) = (1 - r_a^{l})(1 - r_b^{l})$, which means the member should receive at least two packets, one containing the information on $p_i(x)$ and the other containing the information on $q_i(x)$. If the minimum requirement for the average recovery rate is $P_{ex}$, we have $(1 - r_a^{l})(1 - r_b^{l}) \ge P_{ex}$. Thus, from the above inequality and the equations of $r_a$ and $r_b$, for each expected $t$, we can find a minimum value of $l$, and thus the broadcast size, to achieve a minimum of 99% recovery rate.

Figure 2(b) shows the relationship between the maximum achievable $t$ and the broadcast size (i.e., the sum of all small packets for a particular session) given different fragment loss rates and the minimum requirement of 99% session key recovery rate. Comparing Figure 2(a) and Figure 2(b), we can see a significant improvement in the performance of our scheme by delivering the whole key distribution message in multiple small packets.
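As an added worked example (not code from the paper), the following Python script carries the parameter analysis of both delivery options through numerically: the fragment count and packet loss rate $r$, the closed form for the minimal window $l$ (cross-checked against a direct scan of the recovery formula), the revocation capability $t$ that a single broadcast of $s$ bytes leaves room for, and, for Option 2, the minimal $l$ and the total bytes per session for a given $t$. It assumes the evaluation setting of this section ($f = 1500$, $\log q = 64$, $\log q' = 16$) and reads the Option 2 broadcast size as the sum of the $2l$ small packets; all function names are my own.

```python
import math

# Network and field parameters assumed for this worked example. They mirror the
# setting the paper evaluates (Ethernet MTU f = 1500 bytes, 20-byte IP header,
# q a 64-bit prime, member IDs from a 16-bit field), but the code itself is an
# added illustration, not the authors' implementation.
F_MTU = 1500     # f: maximum transmission unit in bytes
IP_HEADER = 20   # bytes of IP header per fragment
LOG_Q = 64       # log q: bits per polynomial coefficient or key
LOG_QP = 16      # log q': bits per member ID


def fragments(size_bytes, f=F_MTU):
    """Number of IP fragments a packet of size_bytes splits into: ceil(s / (f - 20))."""
    return math.ceil(size_bytes / (f - IP_HEADER))


def packet_loss_rate(size_bytes, p, f=F_MTU):
    """r = 1 - (1 - p)^ceil(s/(f-20)): the packet is lost if any fragment is lost."""
    return 1.0 - (1.0 - p) ** fragments(size_bytes, f)


def recovery_prob_option1(r, l):
    """P_i = 1 - 2 r^l + r^(2l-1) for a window of l single-packet broadcasts."""
    return 1.0 - 2.0 * r ** l + r ** (2 * l - 1)


def min_window_option1(r, p_ex):
    """Smallest window l with P_i >= P_ex, using the closed form from the text."""
    if r <= 1.0 - p_ex:
        return 1
    root = r - math.sqrt(r * r - r + r * p_ex)
    # log_r(root) = ln(root) / ln(r); both logarithms are negative since 0 < root, r < 1.
    return math.ceil(math.log(root) / math.log(r))


def min_window_option1_bruteforce(r, p_ex, l_max=10_000):
    """Same quantity found by scanning l upward; used to cross-check the closed form."""
    for l in range(1, l_max + 1):
        if recovery_prob_option1(r, l) >= p_ex:
            return l
    return None


def max_t_option1(s_bytes, l):
    """Largest integer t with l(3t+2) log q + (t+l) log q' <= 8 s (0 if none fits)."""
    t = (8 * s_bytes - l * (2 * LOG_Q + LOG_QP)) / (3 * l * LOG_Q + LOG_QP)
    return max(0, math.floor(t))


def analyse_option1(s_bytes, p, p_ex):
    """For a single-packet broadcast of s bytes: (r, minimal l, maximal t)."""
    r = packet_loss_rate(s_bytes, p)
    l = min_window_option1(r, p_ex)
    return r, l, max_t_option1(s_bytes, l)


def best_broadcast_size_option1(p, p_ex, s_max=70_000, step=100):
    """Scan broadcast sizes and return (s, t) giving the largest revocation capability."""
    best = (0, 0)
    for s in range(step, s_max + 1, step):
        _, _, t = analyse_option1(s, p, p_ex)
        if t > best[1]:
            best = (s, t)
    return best


# Option 2: one small packet per share. The p_i(x) packet carries (2t+1) 64-bit
# values plus t 16-bit IDs (18t + 8 bytes); the q_i(x) packet carries t + 1
# 64-bit coefficients (8(t+1) bytes).

def option2_loss_rates(t, p, f=F_MTU):
    """(r_a, r_b): loss rates of the p_i(x) packet and the q_i(x) packet."""
    r_a = 1.0 - (1.0 - p) ** fragments(18 * t + 8, f)
    r_b = 1.0 - (1.0 - p) ** fragments(8 * (t + 1), f)
    return r_a, r_b


def min_window_option2(t, p, p_ex, f=F_MTU, l_max=10_000):
    """Smallest l with (1 - r_a^l)(1 - r_b^l) >= P_ex for revocation capability t."""
    r_a, r_b = option2_loss_rates(t, p, f)
    for l in range(1, l_max + 1):
        if (1.0 - r_a ** l) * (1.0 - r_b ** l) >= p_ex:
            return l
    return None


def broadcast_size_option2(t, l):
    """Total bytes of the 2l small packets for one session (assumed reading of the text)."""
    return l * ((18 * t + 8) + 8 * (t + 1))


if __name__ == "__main__":
    for p in (0.05, 0.10, 0.20):
        s, t = best_broadcast_size_option1(p, 0.99)
        print(f"option 1, loss {p:.0%}: best broadcast size {s} bytes gives t = {t}")
        l = min_window_option2(100, p, 0.99)
        print(f"option 2, loss {p:.0%}: t = 100 needs l = {l}, "
              f"{broadcast_size_option2(100, l)} bytes per session")
```

Running the script prints, for 5%, 10% and 20% fragment loss, the single-packet broadcast size that maximizes $t$ under Option 1 and the window and per-session bytes Option 2 needs for $t = 100$. Scanning $s$ in steps of 100 bytes shows the jumps in $t$ that the text attributes to rounding $l$ up: $t$ grows with $s$ until one more fragment pushes $r$ far enough that the ceiling in $l$ steps up, at which point $t$ drops.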

5 Related Work

Early approaches to group key management (e.g., Group Key Management Protocol (GKMP) [17, 18]) rely on a group controller, which shares a pairwise key with each group member and distributes group keys to group members on a one-to-one basis. These approaches cannot scale to large groups. The Scalable Multicast Key Distribution (SMKD) [4], developed to work with the Core Based Tree [3], allows delegation of the group controller's role to participating routers, partially addressing the scalability problem. However, SMKD (as well as the above approaches) does not address the re-key problem properly, especially when some group members are evicted.

To address the scalability problem, Iolus organizes the multicast group into a hierarchy of subgroups to form a virtual secure multicast group [25]. The group hierarchy can be used for both group communication and distribution of group keys. The limitation of Iolus is that it requires infrastructure-level support; some reliable, trusted group security agents (GSAs) must exist to facilitate the communication between subgroups.

Wallner et al. [42] and Wong et al. [43] independently discovered the Logical Key Hierarchy (LKH) (or Key Graph) approach. In this approach, individual and auxiliary keys are organized into a hierarchy, where each group member is assigned to a leaf and holds all the keys from its leaf to the root. The root key is shared by all group members and thus used as the group key. A rekey operation in LKH requires $2\log_2 n$ messages, where $n$ is the number of group members. Canetti et al. further reduce the number of rekey messages to $\log_2 n$ using a pseudo-random generator [12]. The resulting technique is often called LKH+.

Techniques have been proposed to further improve LKH-like approaches. Keystone uses Forward Error Correction (FEC) to reduce message loss, and employs unicast-based re-synchronization to help group members recover lost keys [44]. Periodic (or batch) rekey was proposed to reduce the rekey cost for groups with frequent joins and leaves [22, 35, 45, 46, 47]. Moreover, several issues about scalable and reliable distribution of group keys have been thoroughly studied, including how to determine where to add, delete or update keys in a key tree (for individual or batch rekey) [22, 27, 45, 47], how to place encrypted keys in multicast rekey packets to reduce the number of rekey packets [45, 47], and how to adjust rekey parameters (e.g., the amount of redundant information and the rekey interval duration) to reduce unicast-based re-synchronization [46].

A few other variations of LKH were also proposed, including associating keys with each level in the key hierarchy (instead of each node) [13], combining $a$-ary LKH+ (i.e., a key tree with degree $a$) with unicast-based rekey to trade off between communication and storage cost [30], decentralized management of group keys [33], One-way Function Trees (OFT) in which the key associated with an internal node is derived from blinded versions of its children's keys via one-way functions [24, 2], and the ELK protocol which inserts "hints" (i.e., key verification information) into data packets to help recover group keys [29].

All the previous methods need at least $O(\log n)$ computation and communication to remove a group member. MARKS only requires constant computation by distributing seeds of a sequence of group keys [11]. MARKS generates a sequence of group keys with a Binary Hash Tree (BHT) and its variations, and gives a member only the seeds that can generate the group keys for designated periods of time. However, MARKS only works if the duration that a member is in the group is known when the member joins the group. In [5], Banerjee and Bhattacharjee proposed to organize group members into different levels of clusters, in which the cluster head can communicate with cluster members via both unicast and multicast. By limiting the size of each cluster and isolating the changes to the related clusters, this approach only incurs constant processing, communication and storage overhead for single member joins or leaves, and logarithmic overhead for batch joins and/or leaves [5].

Group key distribution is closely related to broadcast encryption studied in the cryptography community. An overview of early results can be found in [40]. Berkovits presented a way to broadcast a secret to a predetermined set of receivers using a secret sharing technique [6]. Fiat and Naor developed broadcast encryption schemes resilient to one bad member, and then proposed approaches to building highly resilient schemes from low resilient ones based on Perfect Hash Families (PHF) [16]. Safavi-Naini and Wang applied PHF to construct group rekey schemes directly [34]. Blundo et al. developed a family of one-time broadcast encryption schemes based on the key predistribution scheme in [9], and then extended them to allow interactive group key distribution [10]. Trade-offs between storage and communication requirements, as well as their lower bounds in the proposed schemes, are also studied in [10] and [23]. Stinson and van Trung continued the work in [10] and presented new constructions of key predistribution and broadcast encryption schemes [41]. Just et al. studied group key distribution via broadcast encryption and derived a lower bound on the broadcast message size using information-theoretic techniques [19]. Kumar et al. proposed two schemes that can revoke up to $t$ group members with storage overhead $O(t\log n)$, and communication overhead $O(t\log n)$ and $O(t^2)$, respectively, where $n$ is the group size [21]. Naor et al. developed a subset-difference based bulk rekey method, which requires $\log^2 n$ keys being stored at members and $2t$ communication overhead [28].

Our work in this paper is based on the self-healing key distribution approach (with revocation capability) in [37]. The technique in [37] uses secret sharing [36] based on two-dimensional polynomials to distribute group keys, enabling group members to recover lost session group keys as long as they have received one broadcast rekey message before and one after the above session. The constructions in [37] are unconditionally (or computationally) secure, and resistant to collusion of up to $t$ evicted group members, where $t$ is the highest degree of each variable in the polynomials. As discussed in Section 3, our techniques are more efficient than those in [37], and thus are able to deal with coalitions of more evicted members.

6 Conclusion and Future Work

In this paper, we presented several group key distribution schemes for highly mobile, volatile and hostile wireless networks in tactical situations. By introducing a novel personal key distribution technique, we developed several efficient unconditionally secure and self-healing group key distribution schemes that significantly improve over the previous approaches. In addition, we developed two techniques that allow trade-offs between the broadcast message size and the recoverability of lost session keys, which can further reduce the broadcast message size in situations where there are frequent but short-term disruptions of communication and where there are long-term but infrequent disruptions of communication, respectively. We also studied approaches to determining parameters in our schemes in real-world applications.

Our future work includes development of a model that characterizes the failures in tactical wireless networks and further investigation of the performance of the proposed schemes using this model. In addition, we would like to seek more efficient ways to perform the initial key distribution at the setup stage.


References

[1] Y. Amir, C. Danilov, and J. Stanton. A low latency, loss tolerant architecture and protocol for wide area group communication. In Proceedings of the International Conference on Dependable Systems and Networks, pages 327–336, June 2000.

[2] D. Balenson, D. McGrew, and A. Sherman. Key management for large dynamic groups: One-way function trees and amortized initialization. Internet Draft, draft-balenson-groupkeymgmt-oft-00.txt, February 2000. Work in Progress.

[3] A. Ballardie. Core based trees (CBT) multicast routing architecture. IETF Request For Comments, RFC 2201, May 1996.

[4] A. Ballardie. Scalable multicast key distribution. IETF Request For Comments, RFC 1949, September 1997.

[5] S. Banerjee and B. Bhattacharjee. Scalable secure group communication over IP multicast. In Proceedings of the International Conference on Network Protocols, November 2001.

[6] S. Berkovits. How to broadcast a secret. In Advances in Cryptology – Eurocrypt '91, LNCS 547, pages 536–541, 1991.

[7] K.P. Birman, M. Hayden, O. Ozkasap, Z. Xiao, M. Budiu, and Y. Minsky. Bimodal multicast. ACM Transactions on Computer Systems, 17(2):41–88, May 1999.

[8] K.P. Birman and T.A. Joseph. Exploiting virtual synchrony in distributed systems. In Proceedings of the 11th ACM Symposium on Operating Systems Principles, December 1987.

[9] C. Blundo, A. De Santis, A. Herzberg, S. Kutten, U. Vaccaro, and M. Yung. Perfectly-secure key distribution for dynamic conferences. In Advances in Cryptology – CRYPTO '92, LNCS 740, pages 471–486, 1993.

[10] C. Blundo, L. Mattos, and D. R. Stinson. Trade-offs between communication and storage in unconditionally secure schemes for broadcast encryption and interactive key distribution. In Advances in Cryptology – Crypto '96, LNCS 1109, pages 387–400, 1996.

[11] B. Briscoe. MARKS: Zero side-effect multicast key management using arbitrarily revealed key sequences. In Proceedings of the 1st International Workshop on Networked Group Communication, 1999.

[12] R. Canetti, J. Garay, G. Itkis, D. Micciancio, M. Naor, and B. Pinkas. Multicast security: A taxonomy and some efficient constructions. In Proceedings of IEEE INFOCOM, pages 708–716, 1999.

[13] I. Chang, R. Engel, D. Kandlur, D. Pendarakis, and D. Saha. Key management for secure internet multicast using boolean function minimization techniques. In Proceedings of IEEE INFOCOM '99, volume 2, pages 689–698, 1999.

[14] T. Cover and J. Thomas. Elements of Information Theory. John Wiley and Sons, Inc., 1991.

[15] A. Fekete, N. Lynch, and A. Shvartsman. Specifying and using a partitionable group communication service. In Proceedings of the 16th Annual ACM Symposium on Principles of Distributed Computing, pages 53–62, August 1997.


[16] A. Fiat and M. Naor. Broadcast encryption. In Advances in Cryptology – CRYPTO '93, LNCS 773, pages 480–491, 1994.

[17] H. Harney and C. Muckenhirn. Group key management protocol (GKMP) architecture. IETF Request For Comments, RFC 2094, July 1997.

[18] H. Harney and C. Muckenhirn. Group key management protocol (GKMP) specification. IETF Request For Comments, RFC 2093, July 1997.

[19] M. Just, E. Kranakis, D. Krizanc, and P. van Oorschot. On key distribution via true broadcasting. In Proceedings of the ACM Conference on Computer and Communications Security, pages 81–88, 1994.

[20] Y. Kim, A. Perrig, and G. Tsudik. Tree-based group key agreement. Submitted for publication, 2002.

[21] R. Kumar, S. Rajagopalan, and A. Sahai. Coding constructions for blacklisting problems without computational assumptions. In Advances in Cryptology – Crypto '99, LNCS 1666, pages 609–623, 1999.

[22] X. S. Li, Y. R. Yang, M. Gouda, and S. S. Lam. Batch rekeying for secure group communications. In Proceedings of the 10th International World Wide Web Conference, May 2001.

[23] M. Luby and J. Staddon. Combinatorial bounds for broadcast encryption. In Advances in Cryptology – EUROCRYPT '98, LNCS 1403, pages 512–526, 1998.

[24] D. A. McGrew and A. T. Sherman. Key establishment in large dynamic groups using one-way function trees. Technical Report TIS Report No. 0755, TIS Labs at Network Associates, Inc., May 1998.

[25] S. Mittra. Iolus: A framework for scalable secure multicasting. In Proceedings of the ACM SIGCOMM '97 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communication, pages 277–288, 1997.

[26] L.E. Moser, Y. Amir, P.M. Melliar-Smith, and D.A. Agarwal. Extended virtual synchrony. In Proceedings of the IEEE 14th International Conference on Distributed Computing Systems, pages 56–65, June 1994.

[27] M. J. Moyer, J. R. Rao, and P. Rohatgi. Maintaining balanced key trees for secure multicast. Internet Draft, draft-irtf-smug-key-tree-balance-00.txt, June 1999.

[28] D. Naor, M. Naor, and J. Lotspiech. Revocation and tracing schemes for stateless receivers. In Advances in Cryptology – CRYPTO 2001, LNCS 2139, pages 41–62, 2001.

[29] A. Perrig, D. Song, and J.D. Tygar. ELK, a new protocol for efficient large-group key distribution. In Proceedings of the IEEE Symposium on Security and Privacy, pages 247–262, 2001.

[30] R. Canetti, T. Malkin, and K. Nissim. Efficient communication-storage tradeoffs for multicast encryption. In Advances in Cryptology – Eurocrypt '99, LNCS 1592, pages 459–474, 1999.

[31] M. K. Reiter. Secure agreement protocols: Reliable and atomic group multicast in Rampart. In Proceedings of the 2nd ACM Conference on Computer and Communications Security, pages 68–80, November 1994.

[32] R. van Renesse, K.P. Birman, and S. Maffeis. Horus, a flexible group communication system. Communications of the ACM, 39(4):76–83, April 1996.


[33] O. Rodeh, K. Birman, and D. Dolev. Optimized group rekey for group communication systems. In Proceedings of the ISOC Network and Distributed Systems Security Symposium, 2000.

[34] R. Safavi-Naini and H. Wang. New constructions of secure multicast re-keying schemes using perfect hash families. In Proceedings of the 7th ACM Conference on Computer and Communications Security, pages 228–234, 2000.

[35] S. Setia, S. Koussih, and S. Jajodia. Kronos: A scalable group re-keying approach for secure multicast. In Proceedings of the IEEE Symposium on Security and Privacy, pages 215–228, 2000.

[36] A. Shamir. How to share a secret. Communications of the ACM, 22(11):612–613, 1979.

[37] J. Staddon, S. Miner, M. Franklin, D. Balfanz, M. Malkin, and D. Dean. Self-healing key distribution with revocation. In Proceedings of the 2002 IEEE Symposium on Security and Privacy, pages 224–240, 2002.

[38] M. Steiner, G. Tsudik, and M. Waidner. CLIQUES: A new approach to group key agreement. In Proceedings of the International Conference on Distributed Computing Systems, pages 380–387, 1998.

[39] M. Steiner, G. Tsudik, and M. Waidner. Key agreement in dynamic peer groups. IEEE Transactions on Parallel and Distributed Systems, 11(8):769–780, August 2000.

[40] D. R. Stinson. On some methods for unconditionally secure key distribution and broadcast encryption. Designs, Codes and Cryptography, 12:215–243, 1997.

[41] D. R. Stinson and T. van Trung. Some new results on key distribution patterns and broadcast encryption. Designs, Codes and Cryptography, 14:261–279, 1998.

[42] D. Wallner, E. Harder, and R. Agee. Key management for multicast: Issues and architectures. IETF Request For Comments, RFC 2627, June 1999.

[43] C. K. Wong, M. G. Gouda, and S. S. Lam. Secure group communications using key graphs. In Proceedings of the ACM SIGCOMM '98 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communication, pages 68–79, 1998.

[44] C. K. Wong and S. S. Lam. Keystone: A group key management service. In International Conference on Telecommunications, ICT 2000, 2000.

[45] Y. R. Yang, X. S. Li, X. B. Zhang, and S. S. Lam. Reliable group rekeying: A performance analysis. In Proceedings of the ACM SIGCOMM '01 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communication, pages 27–38, 2001.

[46] X. B. Zhang, S. S. Lam, and D. Lee. Group rekeying with limited unicast recovery. Technical Report TR-02-36, Department of Computer Science, University of Texas at Austin, July 2002.

[47] X. B. Zhang, S. S. Lam, D. Lee, and Y. R. Yang. Protocol design for scalable and reliable group rekeying. In Proceedings of the SPIE Conference on Scalability and Traffic Control in IP Networks, August 2001.
