Optimal Communication Complexity of
Generic Multicast Key Distribution
Saurabh Panjwani
UC San Diego
(Joint Work with Daniele Micciancio)
Multicast
Multicast is a primitive which enables a source of information to communicate with multiple receivers in a network with efficiency better than sending data individually to all the receivers. (Efficiency means better utilization of sender resources and bandwidth.)
[Figure: a sender, several receivers and other nodes in a network; three unicast flows, one per receiver.]
[Figure: the same network; one multicast flow reaching all receivers.]
Multicast
Example applications: electronic conferences and virtual rooms; PayTV or video-on-demand services; stock quotes.
Security in multicast involves new challenges:
How does one keep group communication secret?
How do multiple receivers authenticate a single sender efficiently?
How do we authorize anyone to send data on a multicast channel?
Secrecy in Multicast
In unicast, secrecy can be achieved by sharing a key k between the parties and using symmetric-key encryption: the sender A transmits E_k(data).
[Figure: A and one receiver share k; A sends E_k(data).]
Can we do the same for multicast? If group membership changes, the key should also change.
[Figure: A shares k with several receivers and sends E_k(data) to all of them.]
Multicast Key Distribution
A group center distributes a shared ‘group key’ to all members (senders & receivers). It sends messages to change the key whenever membership changes.
[Figure: the center sends rekey messages; members hold the group key k and non-members do not; after the change the members hold k'.]
Goal: at any instant of time, only the members should “know” the group key.
Multicast Key Distribution
Setup: each user ui has a unique key ki that it shares with the center.
[Figure: the center and users u1…u6 holding k1…k6; u1, u3 and u5 are members.]
The center generates k and sends E_{k1}(k); E_{k3}(k); E_{k5}(k).
For a group with n members, the center sends n rekey messages (per membership update).
But we can do better…
Previous Work – Upper Bounds
Wong, Gouda, Lam [WGL98] and Wallner, Harder, Agee [WHA99] gave a protocol in which every join/leave operation in a group of size n involves sending 2log2(n) rekey messages.
Canetti, Garay, Itkis, Micciancio, Naor, Pinkas [CGIMNP99] improved this to log2(n) (using pseudorandom generators in the creation of rekey messages).
Best known upper bound – log2(n)
Previous Work – Lower Bounds
Canetti, Malkin, Nissim [CMN99] gave the first non-trivial lower bound: for a restricted class of protocols, in a group of size n, the center must send Ω(log(n)) rekey messages (per membership update).
Snoeyink, Suri and Varghese [SSV01] proved a bound for more general protocols: for groups of size n, the rekey cost must be at least 3log3(n).
Best known lower bound – 3log3(n)
Interestingly, 3log3(n) > log2(n) (the lower bound is higher than the upper bound).
Why is this so?
In the model used in [SSV01], every rekey message must be of the form E_k(k').
Why can’t pseudorandom generators be used? The best known protocol uses PRGs.
E.g.: take G(k) = G0(k) || G1(k) || … || Gm(k), i.e. the PRG output is split into m+1 keys. From a single key k the center derives G0(k), …, Gm(k), from each of those again G0(·), …, Gm(·), and so on.
[Figure: a tree of keys rooted at k with children G0(k), …, Gm(k), each child again expanded into its own G0…Gm children.]
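To make the gap between the two upper bounds concrete, here is an added example (not part of the talk) that writes out the rekey messages sent after one Leave in a binary key tree, once with a fresh random key per ancestor in the style of [WGL98]/[WHA99] and once with PRG-derived keys in the style of [CGIMNP99]. The message layout is my reconstruction of those protocols in the talk's grammar; node naming and the seed name r are assumptions.

```python
"""Rekey messages after one Leave in a binary key tree with n = 2^h leaves.

Nodes are (level, index): level 0 = leaves, level h = root; node (l, i) has
sibling (l, i ^ 1) and parent (l + 1, i // 2). Messages are symbolic strings
E_{K}(M) where K is a key name or G0(.)/G1(.) of one (assumed encoding)."""

def old_key(level, idx):
    return f"k[{level},{idx}]"          # key the center already shares with that subtree

def new_key(level, idx):
    return f"k'[{level},{idx}]"         # freshly chosen replacement key

def enc(k, m):
    return f"E_{{{k}}}({m})"

def rekey_wgl(leaver, n):
    """[WGL98]/[WHA99] style: every ancestor of the leaver gets a fresh random key,
    sent under the sibling's key and (above the lowest level) under the new child key."""
    h = n.bit_length() - 1
    msgs, node, below = [], leaver, None
    for level in range(1, h + 1):
        fresh = new_key(level, node // 2)
        msgs.append(enc(old_key(level - 1, node ^ 1), fresh))
        if below is not None:
            msgs.append(enc(below, fresh))
        below, node = fresh, node // 2
    return msgs

def rekey_prg(leaver, n):
    """[CGIMNP99] style: one random seed r; ancestor i gets key G0(r_i) and the
    seed handed up to the next level is r_{i+1} = G1(r_i), so one message per level."""
    h = n.bit_length() - 1
    msgs, node, seed = [], leaver, "r"
    for level in range(1, h + 1):
        msgs.append(enc(old_key(level - 1, node ^ 1), seed))
        seed, node = f"G1({seed})", node // 2
    return msgs

def prg_group_key(n):
    """Name of the new root (group) key under the PRG scheme: G0 of the last seed."""
    seed = "r"
    for _ in range(n.bit_length() - 2):
        seed = f"G1({seed})"
    return f"G0({seed})"

if __name__ == "__main__":
    for name, fn in (("WGL/WHA", rekey_wgl), ("CGIMNP", rekey_prg)):
        msgs = fn(3, 8)                 # user at leaf 3 leaves a group of 8
        print(f"{name}: {len(msgs)} messages")
        print("\n".join("  " + m for m in msgs))
```

A user under the sibling subtree at level i receives only r_i and hence derives the new keys of level i and above, never the key of the subtree the leaver sat in.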
Why is this so?
In the model used in [SSV01], every rekey message must be of the form E_k(k').
Why can’t nested encryption be used? Nested encryption has been used in some protocols.
E.g.: two auxiliary keys k, k'. The center wants to send a key k'' to members u1 and u2.
[Figure: the center and users u1…u4 holding k1…k4; each user also holds some of the auxiliary keys k, k'.]
One possibility: send E_{k1}(k''); E_{k2}(k'') (two messages).
Better possibility: send E_k(E_{k'}(k'')) (one message). Saves communication by a factor of 2.
A More General Model
Rekey messages can be generated by an arbitrary combination of pseudorandom generators and symmetric-key encryption.
[Figure: the center and users u1…u6 holding k1…k6.]
E.g.: E_{G0(k2)}(E_{G1(k1)}(k'', G1(k')))
Question: how well can one do under this model? We answer: log2(n) is optimal.
Our Model
[Figure: the center and users u1…u6 holding k1…k6.]
Every user shares a unique key with the center. At any instant, a finite set of users are members.
All parties have black-box access to a pseudorandom generator G and an encryption-decryption pair (E,D).
Membership is controlled by an adversary A who issues one of three commands at every instant:
Leave – delete a member from the group.
Join – add a non-member to the group.
Replace – replace a member with a non-member (keeps the group size the same).
The center responds by sending rekey messages. A rekey message is derived from the grammar:
M ::= K | E_K(M)
K ::= random_key | G0(K) | G1(K) | … | Gm(K)
E.g.: E_{G0(k2)}(E_{G1(k1)}(k''))
Our Model – Security Definition
What are the keys a user “knows” at any instant?
[Figure: the center sends E_k(E_{G0(k')}(kg)) to users u2…u5, who hold different subsets of k, k', G0(k') and G1(k'), and sends E_{k1}(kg) to u1, who holds k1.]
A user holding k and G0(k') (or k and k', from which G0(k') can be derived) obtains kg from E_k(E_{G0(k')}(kg)); a user holding only G0(k'), or k together with G1(k'), does not. User u1 obtains kg from E_{k1}(kg).
We use an abstract encryption model for defining this notion (similar to Dolev-Yao logic).
Connections between such an abstract framework and the complexity-theoretic framework have been studied by Abadi-Rogaway [AR02], Micciancio-Warinschi [MW04], Abadi-Jurjens [AJ01], Gligor-Horvitz [GH03], etc.
Our Model – Security Definition
Definition: a multicast key distribution protocol is secure if for every sequence of adversarial commands, at every time instant t, there is a key kt such that
every member at time t knows kt, and
NO non-member at time t knows kt.
A very liberal definition!
Security against collusions of non-members?
But a weak definition only makes our lower bound stronger.
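As an added illustration (not from the talk), a small symbolic model of the rekey grammar and of the Dolev-Yao style "knows" relation, applied to the slide's messages E_k(E_{G0(k')}(kg)) and E_{k1}(kg), plus the security condition of the definition checked at one instant. The tuple encoding of terms and the names k, k', kg, k1 are my assumptions.

```python
# Term encoding (assumed): ("key", name) random key, ("G", i, K) PRG-derived
# key, ("E", K, M) encryption of M under K, matching M ::= K | E_K(M).
def key(name):
    return ("key", name)

def G(i, k):
    return ("G", i, k)

def E(k, m):
    return ("E", k, m)

def derivable(k, held):
    """A key is derivable if held outright or a PRG image of a derivable key
    (G is one-way, so nothing is ever derived in the other direction)."""
    return k in held or (k[0] == "G" and derivable(k[2], held))

def knows(held, messages):
    """Dolev-Yao style closure: open every ciphertext whose key is derivable
    from what the user holds, until nothing new is learnt."""
    held, pending, changed = set(held), list(messages), True
    while changed:
        changed, later = False, []
        for m in pending:
            if m[0] == "E" and derivable(m[1], held):
                later.append(m[2]); changed = True   # opened; payload is a new term
            elif m[0] == "E":
                later.append(m)                      # cannot open (yet)
            elif m not in held:
                held.add(m); changed = True          # a bare key is learnt
        pending = later
    return held

def secure_instant(members, nonmembers, messages):
    """The talk's condition at one instant: some key is known by every member
    and by no non-member. Each party is given as the set of keys it holds."""
    views_m = [knows(h, messages) for h in members]
    views_n = [knows(h, messages) for h in nonmembers]
    return any(all(derivable(c, v) for v in views_m)
               and not any(derivable(c, v) for v in views_n)
               for c in set().union(*views_m))

# Constructed instance: the slide's two rekey messages E_k(E_{G0(k')}(kg)), E_{k1}(kg).
k, kp, kg, k1 = key("k"), key("k'"), key("kg"), key("k1")
REKEY = [E(k, E(G(0, kp), kg)), E(k1, kg)]

def learns_group_key(held):
    """Does a user holding `held` obtain the group key kg from REKEY?"""
    return kg in knows(held, REKEY)

if __name__ == "__main__":
    for held in ({k, G(0, kp)}, {k, kp}, {G(0, kp)}, {k, G(1, kp)}, {k1}):
        print(sorted(map(str, held)), "->", learns_group_key(held))
```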
Our Result
Theorem: the amortized communication complexity of secure multicast key distribution is log2(n) - c (c tends to 0 as the number of adversarial commands increases).
This matches the cost of the best known protocol up to a small ‘additive’ constant.
Amortized complexity means the number of rekey messages sent per update command, for a sequence of update commands.
Proof Idea
View a multicast key distribution protocol as a game played between the center and the adversary A.
The playing board is an infinite forest on keys. A tree in this forest represents the set of pseudorandom keys derived from the root key.
Some of the root keys are labeled either member or non-member.
The adversary changes labels on the keys which are labeled member or non-member.
The center introduces rekey messages, modeled as hyper-edges over the keys. E.g., E_k(E_{k'}(k1)) is a hyper-edge from k and k' to k1.
[Figure: a forest of key trees with roots labeled member / non-member; a hyper-edge from k and k' pointing to k1.]
A hyper-edge becomes useless once the key it points to becomes “reachable” from any non-member node.
Show that the adversary can select to delete and add members in a way such that a lot of hyper-edges become useless in every move.
Open Questions
Does the bound hold even without replace operations?
What about average-case communication complexity?
What if other cryptographic primitives are used for generating rekey messages (e.g. PRFs, secret sharing)?
References
[AR] M. Abadi, P. Rogaway. Reconciling Two Views of Cryptography (or the Computational Soundness of Formal Encryption). Journal of Cryptology 15(2), 2002.
[CGIMNP] R. Canetti, J. Garay, G. Itkis, D. Micciancio, M. Naor, B. Pinkas. Multicast Security: A Taxonomy and Some Efficient Constructions. In Proc. of INFOCOM 1999.
[CMN] R. Canetti, T. Malkin, K. Nissim. Efficient Communication-Storage Tradeoffs for Multicast Encryption. In Advances in Cryptology – EUROCRYPT 1999.
[MW] D. Micciancio, B. Warinschi. Completeness Theorems for the Abadi-Rogaway Logic of Encrypted Expressions. Journal of Computer Security 12(1), 2004.
[AJ] M. Abadi, J. Jurjens. Formal Eavesdropping and Its Computational Interpretation. In TACS 2001.
[SSV] J. Snoeyink, S. Suri, G. Varghese. A Lower Bound for Multicast Key Distribution. In Proc. of INFOCOM 2001.
[GH] V. Gligor, D. O. Horvitz. Weak Key Authenticity and the Computational Completeness of Formal Encryption. In CRYPTO 2003.
[WHA] D. Wallner, E. Harder, R. Agee. Key Management for Multicast: Issues and Architecture. RFC 2627, June 1999.
[WGL] C. Wong, M. Gouda, S. Lam. Secure Group Communication Using Key Graphs. In Proc. of SIGCOMM 1998.