Optimal Communication Complexity of Generic Multicast Key Distribution
Saurabh Panjwani, UC San Diego (Joint Work with Daniele Micciancio)
Dec 18, 2015
Multicast
Multicast is a primitive which enables a source of information to communicate with multiple receivers in a network with efficiency better than sending data individually to all the receivers. (Efficiency means better utilization of sender resources and bandwidth.)
[Figure: three unicast flows from the sender to each receiver, versus one multicast flow; legend: sender, receiver, others]
Multicast
Example applications: electronic conferences and virtual rooms; PayTV or video-on-demand services; stock quotes.
Security in multicast involves new challenges:
How does one keep group communication secret?
How do multiple receivers authenticate a single sender efficiently?
How do we authorize anyone to send data on a multicast channel?
Secrecy in Multicast
In unicast, secrecy can be achieved by sharing a key k between the parties and using symmetric-key encryption: the sender transmits E_k(data), and the adversary A learns nothing about data.
Can we do the same for multicast? If group membership changes, the key should also change.
[Figure: one sender holding k transmits E_k(data) to several receivers; the adversary A sees only the ciphertext]
Multicast Key Distribution
A group center distributes a shared ‘group key’ to all members (senders & receivers). It sends messages to change the key whenever membership changes: rekey messages.
Goal: At any instant of time, only the members should “know” the group key.
[Figure: center and users; members hold the group key k, and after a membership change the new key k' is delivered by rekey messages; legend: group member, non-member]
Setup: Each user u_i has a unique key k_i that it shares with the center.
Eg: users u1, …, u6 with keys k1, …, k6; the center generates k and, with u1, u3 and u5 as members, sends E_{k1}(k); E_{k3}(k); E_{k5}(k).
For a group with n members, the center sends n rekey messages (per membership update).
But we can do better…
Previous Work – Upper Bounds
Wong, Gouda, Lam [WGL98]; Wallner, Harder, Agee [WHA99] gave a protocol in which every join/leave operation in a group of size n involves sending 2log2(n) rekey messages.
Canetti, Garay, Itkis, Micciancio, Naor, Pinkas [CGIMNP99] improved this to log2(n). (Used pseudorandom generators in the creation of rekey messages.)
Best known upper bound – log2(n)
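The tree-based protocols above, as an added example that is not the authors' or the cited papers' code: a Python sketch of a binary key tree in the [WGL98]/[WHA99] style, with the [CGIMNP99] PRG refinement, counting the rekey messages the center sends when one member leaves. The heap layout, the label stand-ins for random keys and PRG outputs, and the leaf-level count (one message rather than two, so the basic scheme sends 2log2(n) - 1 and the PRG variant log2(n)) are assumptions of this sketch.

```python
# Added example, not from the paper: binary key tree with and without the PRG trick.
import secrets

def fresh_key():
    return "r" + secrets.token_hex(3)     # constructed stand-in for a random key

def prg(k, i=0):
    return f"G{i}({k})"                  # constructed stand-in for G_i(k)

class KeyTree:
    """Complete binary tree over n (a power of two) users in heap layout:
    node i has children 2i+1 and 2i+2; leaf n-1+u holds user u's key k_u."""
    def __init__(self, n):
        assert n >= 2 and n & (n - 1) == 0
        self.n = n
        self.keys = [fresh_key() for _ in range(2 * n - 1)]

    def leaf(self, u):
        return self.n - 1 + u

    def rekey_on_leave(self, u, use_prg):
        """Replace every key on the path from u's leaf to the root and return the
        rekey messages ("E", encrypting_key, new_key) the center must send.
        The leaving user's own key is never used, so it cannot read any of them."""
        msgs, node, new_below = [], self.leaf(u), None
        while node > 0:
            parent = (node - 1) // 2
            sibling = node + 1 if node % 2 == 1 else node - 1
            if use_prg and new_below is not None:
                new_key = prg(new_below)   # [CGIMNP99]: on-path subtree derives it
            else:
                new_key = fresh_key()
                if new_below is not None:  # basic scheme: on-path subtree needs a message
                    msgs.append(("E", new_below, new_key))
            msgs.append(("E", self.keys[sibling], new_key))  # off-path subtree
            self.keys[parent] = new_key
            new_below, node = new_key, parent
        return msgs

def rekey_cost(n, use_prg, leaving=0):
    """Number of rekey messages for one leave in a group of size n."""
    return len(KeyTree(n).rekey_on_leave(leaving, use_prg))
```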
Previous Work – Lower Bounds
Canetti, Malkin, Nissim [CMN99] gave the first non-trivial lower bound: for a restricted class of protocols, in a group of size n, the center must send Ω(log(n)) rekey messages (per membership update).
Snoeyink, Suri and Varghese [SSV01] proved a bound for more general protocols. For groups of size n, the rekey cost must be at least 3log3(n).
Best known lower bound – 3log3(n)
Interestingly, 3log3(n) > log2(n) (the lower bound is higher than the upper bound).
Why is this so?
In the model used in [SSV01], every rekey message must be of the form E_k(k'). Why can’t pseudorandom generators be used? The best known protocol uses PRGs.
Eg: Take G(k) = G0(k) G1(k) … Gm(k): the output of G on a key k is split into the keys G0(k), …, Gm(k), each of which can be expanded again in the same way.
[Figure: the center holds k and expands it into G0(k), …, Gm(k); each party holding k can do the same]
Why is this so?
In the model used in [SSV01], every rekey message must be of the form E_k(k'). Why can’t nested encryption be used? Nested encryption has been used in some protocols.
Eg: Two auxiliary keys, k, k'. The center wants to send a key k'' to members u1 and u2, the only users who hold both k and k' (u3 and u4 do not).
One possibility: send E_{k1}(k''); E_{k2}(k'') (two messages).
Better possibility: send E_k(E_{k'}(k'')). Saves communication by a factor of 2.
[Figure: center and users u1, …, u4 with keys k1, …, k4; only u1 and u2 obtain k'']
A More General Model
Rekey messages can be generated by an arbitrary combination of pseudorandom generators and symmetric-key encryption.
Eg: E_{G0(k2)}(E_{G1(k1)}(k'', G1(k')))
[Figure: center and users u1, …, u6 with keys k1, …, k6]
Question: How well can you do under this model? We answer: log2(n) is optimal.
Our Model
Every user shares a unique key with the center. At any instant, a finite set of users are members.
All parties have black-box access to a pseudorandom generator G and an encryption-decryption pair (E,D).
Membership is controlled by an adversary A who issues one of three commands at every instant:
Leave – Delete a member from the group.
Join – Add a non-member to the group.
Replace – Replace a member with a non-member (keeps the group size the same).
The center responds by sending rekey messages. A rekey message is derived from the grammar:
M → K | E_K(M)
K → random_key | G0(K) | G1(K) | … | Gm(K)
Eg: E_{G0(k2)}(E_{G1(k1)}(k''))
[Figure: center and users u1, …, u6 with keys k1, …, k6]
Our Model – Security Definition
What are the keys a user “knows” at any instant?
Eg: the center sends E_k(E_{G0(k')}(kg)) and E_{k1}(kg). u1 (holding k1) learns kg; u2 (holding k and G0(k')) learns kg; u3 (holding k and k') computes G0(k') and learns kg; u4 (holding only G0(k')) learns nothing; u5 (holding k and G1(k')) learns nothing.
Use an abstract encryption model for defining this notion (similar to Dolev-Yao logic).
Connections between such an abstract framework and the complexity-theoretic framework have been studied by Abadi-Rogaway [AR02], Micciancio-Warinschi [MW04], Abadi-Jurjens [AJ01], Gligor-Horvitz [GH03] etc.
Our Model – Security Definition
Definition: A multicast key distribution protocol is secure if for every sequence of adversarial commands, at every time instant t, there is a key k_t such that:
Every member at time t knows k_t.
NO non-member at time t knows k_t.
A very liberal definition! Security against collusions of non-members? But a weak definition only makes our lower bound stronger.
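The “knows” relation and the security definition above, as an added example that is not from the paper: a small Dolev-Yao style closure in Python over the rekey grammar, run on the slide's own instance with E_k(E_{G0(k')}(kg)) and E_{k1}(kg). The tuple encoding of keys and messages, and the assignment of held keys to users u1, …, u5, are assumptions of this example.

```python
# Added example, not from the paper: Dolev-Yao style closure for the rekey grammar
# M -> K | E_K(M), K -> random_key | G_i(K). Encoding is an assumption:
# ("key", name) is a random key, ("G", i, k) is G_i(k), ("E", k, m) is E_k(m).
def key(name):
    return ("key", name)

def G(i, k):
    return ("G", i, k)

def E(k, m):
    return ("E", k, m)

def derivable(k, known):
    """k is available if held directly or obtained by applying G to a held key."""
    if k in known:
        return True
    return k[0] == "G" and derivable(k[2], known)

def knows(held, messages):
    """All keys a party can compute from the keys it holds plus the broadcast
    rekey messages; peel one encryption layer whenever its key is available."""
    known, pending, progress = set(held), list(messages), True
    while progress:
        progress, remaining = False, []
        for msg in pending:
            _, ek, payload = msg
            if not derivable(ek, known):
                remaining.append(msg)
            elif payload[0] == "E":
                remaining.append(payload)   # inner ciphertext, retried next round
                progress = True
            else:
                known.add(payload)          # payload is a key
                progress = True
        pending = remaining
    return known

def secure_at(views, members, messages, kt):
    """The slides' definition at one instant: every member knows kt and no
    non-member does. views maps each user to the set of keys it holds."""
    return all((u in members) == derivable(kt, knows(held, messages))
               for u, held in views.items())

# Constructed instance following the slide: auxiliary keys k, k', group key kg.
k, kp, kg, k1 = key("k"), key("k'"), key("kg"), key("k1")
MSGS = [E(k, E(G(0, kp), kg)), E(k1, kg)]
VIEWS = {"u1": {k1}, "u2": {k, G(0, kp)}, "u3": {k, kp},
         "u4": {G(0, kp)}, "u5": {k, G(1, kp)}}

def learners(views=VIEWS, messages=MSGS, target=kg):
    """Users that end up knowing the target key."""
    return {u for u, held in views.items() if derivable(target, knows(held, messages))}
```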
Our Result
Theorem: The amortized communication complexity of secure multicast key distribution is log2(n) - c (c tends to 0 as the number of adversarial commands increases).
Matches the cost of the best known protocol up to a small ‘additive’ constant.
Amortized complexity means the number of rekey messages sent per update command, over a sequence of update commands.
Proof Idea
View a multicast key distribution protocol as a game played between the center and the adversary A.
The playing board is an infinite forest on keys. A tree in this forest represents the set of pseudorandom keys derived from the root key. Some of the root keys are labeled either member or non-member.
The adversary changes labels on the keys which are labeled member or non-member.
The center introduces rekey messages, modeled as hyper-edges over the keys (eg. E_k(E_{k'}(k1)) is a hyper-edge from k and k' to k1).
A hyper-edge becomes useless once the key it points to becomes “reachable” from any non-member node.
Show that the adversary can select to delete and add members in a way such that a lot of hyper-edges become useless in every move.
Open Questions
Does the bound hold even without replace operations?
What about average-case communication complexity?
What if other cryptographic primitives are used for generating rekey messages (eg. PRFs, secret sharing)?
References
[AR02] M. Abadi, P. Rogaway. Reconciling Two Views of Cryptography (or the Computational Soundness of Formal Encryption). Journal of Cryptology 15(2), 2002.
[CGIMNP99] R. Canetti, J. Garay, G. Itkis, D. Micciancio, M. Naor, B. Pinkas. Multicast Security: A Taxonomy and Some Efficient Constructions. In Proc. of INFOCOM 1999.
[CMN99] R. Canetti, T. Malkin, K. Nissim. Efficient Communication-Storage Tradeoffs for Multicast Encryption. In Advances in Cryptology – EUROCRYPT 1999.
[MW04] D. Micciancio, B. Warinschi. Completeness Theorems for the Abadi-Rogaway Logic of Encrypted Expressions. Journal of Computer Security 12(1), 2004.
[AJ01] M. Abadi, J. Jurjens. Formal Eavesdropping and Its Computational Interpretation. In TACS 2001.
[SSV01] J. Snoeyink, S. Suri, G. Varghese. A Lower Bound for Multicast Key Distribution. In Proc. of INFOCOM 2001.
[GH03] V. Gligor, D. O. Horvitz. Weak Key Authenticity and the Computational Completeness of Formal Encryption. In CRYPTO 2003.
[WHA99] D. Wallner, E. Harder, R. Agee. Key Management for Multicast: Issues and Architectures. RFC 2627, June 1999.
[WGL98] C. Wong, M. Gouda, S. Lam. Secure Group Communications Using Key Graphs. In Proc. of SIGCOMM 1998.