
Optimal Communication Complexity of Generic Multicast Key Distribution
Saurabh Panjwani, UC San Diego
(Joint work with Daniele Micciancio)
Multicast

Multicast is a primitive which enables a source of information to communicate with multiple receivers in a network with efficiency better than sending data individually to all the receivers. (Efficiency means better utilization of sender resources and bandwidth.)

[Figure: three unicast flows from the sender to three receivers, versus one multicast flow reaching the same receivers. Legend: sender, receiver, others.]
Multicast

Example applications:
- Electronic conferences, virtual rooms
- PayTV or video-on-demand services
- Stock quotes

Security in multicast involves new challenges:
- How does one keep group communication secret?
- How do multiple receivers authenticate a single sender efficiently?
- How do we authorize anyone to send data on a multicast channel?
Secrecy in Multicast

In unicast, secrecy can be achieved by sharing a key between the parties and using symmetric-key encryption.

[Figure: sender and receiver share key k; the sender transmits E_k(data), the receiver recovers data, and the eavesdropper A cannot decrypt.]

Can we do the same for multicast?

[Figure: the sender shares k with several receivers and transmits E_k(data); every receiver recovers data, while the eavesdropper A cannot decrypt.]

If group membership changes, the key should also change.
Multicast Key Distribution

A group center distributes a shared 'group key' to all members (senders & receivers). It sends messages to change the key whenever membership changes: rekey messages.

[Figure: the center sends the new key k' to each group member (who previously held k); the non-members still hold only k or nothing useful. Legend: group member, non-member.]

Goal: At any instant of time, only the members should "know" the group key.
Multicast Key Distribution

Setup: Each user u_i has a unique key k_i that it shares with the center.

[Figure: users u1..u6, each holding its key k_i; u1, u3, u5 are members and u2, u4, u6 are non-members. The center generates k and sends E_k1(k); E_k3(k); E_k5(k), so u1, u3 and u5 obtain k while u2, u4 and u6 do not.]

But we can do better…
Previous Work – Upper Bounds

Wong, Gouda, Lam [WGL98] and Wallner, Harder, Agee [WHA99] gave a protocol in which every join/leave operation in a group of size n involves sending 2 log2(n) rekey messages.

Canetti, Garay, Itkis, Micciancio, Naor, Pinkas [CGIMNP99] improved this to log2(n). (They used pseudorandom generators in the creation of rekey messages.)

Best known upper bound – log2(n)
Previous Work – Lower Bounds

Canetti, Malkin, Nissim [CMN99] gave the first non-trivial lower bound: for a restricted class of protocols, in a group of size n, the center must send Ω(log(n)) rekey messages (per membership update).

Snoeyink, Suri and Varghese [SSV01] proved a bound for more general protocols. For groups of size n, the rekey cost must be at least 3 log3(n).

Best known lower bound – 3 log3(n)

Interestingly, 3 log3(n) > log2(n) (the lower bound is higher than the upper bound).
Why is this so?

In the model used in [SSV01], every rekey message must be of the form E_k(k').

Why can't pseudorandom generators be used? E.g., take G(k) = G0(k) G1(k) … Gm(k), the output of G split into blocks: sending the single key k lets each recipient derive G0(k), ..., Gm(k) locally.

[Figure: the center holds k; after one rekey message each member holds k and derives G0(k), ..., Gm(k) from it. The best known protocol uses PRGs.]
Why is this so?

In the model used in [SSV01], every rekey message must be of the form E_k(k').

Why can't nested encryption be used? E.g., two auxiliary keys k, k'; the center wants to send a key k'' to members u1 and u2.

[Figure: u1 holds k1, k, k'; u2 holds k2, k, k'; u3 holds k3 and k; u4 holds k4 and k'. Only u1 and u2 should obtain k''.]

One possibility: E_k1(k''); E_k2(k'') (two messages).

Better possibility: E_k(E_k'(k'')) (one message; only u1 and u2 hold both k and k', so u3 and u4 cannot open it). Nested encryption has been used in some protocols.

Saves communication by a factor of 2.
A More General Model

Rekey messages can be generated by an arbitrary combination of pseudorandom generators and symmetric-key encryption, e.g. E_{G1(k1)}(E_{G0(k2)}(k'', G1(k'))).

[Figure: center with users u1..u6 holding k1..k6.]

Question: How well can you do under this model?

We answer: log2(n) is optimal.
Our Model

Every user shares a unique key with the center. At any instant, a finite set of users are members.

All parties have black-box access to a pseudorandom generator G and an encryption-decryption pair (E, D).

[Figure: center with users u1..u6 holding k1..k6.]
Our Model

Membership is controlled by an adversary who issues one of three commands at every instant:
- Join – add a non-member to the group.
- Leave – delete a member from the group.
- Replace – replace a member with a non-member (keeps the group size the same).

[Figure: the adversary A issues Join, Leave or Replace commands; the center serves users u1..u6 holding k1..k6.]
Our Model

The center responds by sending rekey messages. A rekey message is derived from the grammar:

  M := K | E_K(M)
  K := random_key | G0(K) | G1(K) | .. | Gm(K)

E.g., E_{G1(k1)}(E_{G0(k2)}(k'')).

[Figure: center with users u1..u6 holding k1..k6.]
Our Model – Security Definition

What are the keys a user "knows" at any instant?

[Figure: the center broadcasts E_k1(kg); E_{G0(k')}(E_k(kg)). u1 holds k1 and obtains kg. u2 holds k2, k and k', derives G0(k') and obtains kg. u3 holds k3 and G0(k') only, so it can remove the outer layer but not the inner E_k(kg). u4 holds k4, k and G1(k'), which does not give G0(k'). u5 holds k5, k and G0(k') and obtains kg. So u1, u2 and u5 know kg; u3 and u4 do not.]

Use an abstract encryption model for defining this notion (similar to Dolev-Yao logic).

Connections between such an abstract framework and the complexity-theoretic framework have been studied by Abadi-Rogaway [AR02], Micciancio-Warinschi [MW04], Abadi-Jurjens [AJ01], Gligor-Horvitz [GH03] etc.
Our Model – Security Definition

Definition: A multicast key distribution protocol is secure if for every sequence of adversarial commands, at every time instant t, there is a key k_t such that
- every member at time t knows k_t, and
- NO non-member at time t knows k_t.

A very liberal definition!

Security against collusions of non-members?

But a weak definition only makes our lower bound stronger.
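As an added example (not from the slides or the paper), here is a small Python model of the "knows" relation under the rekey grammar M := K | E_K(M), K := random_key | G_i(K), used to check the security definition against the message set in the figure above and against the nested-encryption example from the earlier slides. Key and user names follow the slides; the data representation and the function names are my own assumptions.

```python
# Symbolic (Dolev-Yao style) model of the rekey grammar on the slides.
# Keys are strings ('k1') or PRG outputs ('G', i, key); ciphertexts are ('E', key, msg).

def G(i, k):
    """i-th output block of the pseudorandom generator applied to key k."""
    return ("G", i, k)

def E(k, m):
    """Symmetric encryption of m under key k (m is a key or another ciphertext)."""
    return ("E", k, m)

def derivable(k, held):
    """A key is derivable if it is held, or it is G_i(K) for a derivable K.
    PRG outputs are computed forward only: holding G_i(K) never yields K."""
    if k in held:
        return True
    return isinstance(k, tuple) and k[0] == "G" and derivable(k[2], held)

def unwrap(msg, held):
    """Peel nested encryptions while each outer key is derivable; return the set
    holding the innermost key if the whole message opens, else the empty set."""
    while isinstance(msg, tuple) and msg[0] == "E":
        if not derivable(msg[1], held):
            return set()
        msg = msg[2]
    return {msg}

def knows(initial_keys, messages, target):
    """Fixed-point closure: a key learned from one message may open another."""
    held = set(initial_keys)
    while True:
        new = set(held)
        for m in messages:
            new |= unwrap(m, held)
        if new == held:
            return derivable(target, held)
        held = new

def secure(users, members, messages, group_key):
    """Slide definition: every member knows the group key, no non-member does."""
    return all(knows(users[u], messages, group_key) == (u in members) for u in users)

# Constructed from the 'Security Definition' figure: u2..u5 hold auxiliary keys.
USERS = {"u1": {"k1"}, "u2": {"k2", "k", "k'"}, "u3": {"k3", G(0, "k'")},
         "u4": {"k4", "k", G(1, "k'")}, "u5": {"k5", "k", G(0, "k'")}}
MSGS = [E("k1", "kg"), E(G(0, "k'"), E("k", "kg"))]   # E_k1(kg); E_G0(k')(E_k(kg))

# Constructed from the nested-encryption slides: only u1 and u2 hold both k and k'.
NESTED_USERS = {"u1": {"k1", "k", "k'"}, "u2": {"k2", "k", "k'"},
                "u3": {"k3", "k"}, "u4": {"k4", "k'"}}
NAIVE = [E("k1", "k''"), E("k2", "k''")]        # two rekey messages
NESTED = [E("k", E("k'", "k''"))]                # one rekey message, same reach
```

Both NAIVE and NESTED satisfy `secure(NESTED_USERS, {"u1", "u2"}, ..., "k''")`, which is the factor-of-2 saving the slides describe.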
Our Result

Theorem: The amortized communication complexity of secure multicast key distribution is log2(n) - c. (c tends to 0 as the number of adversarial commands increases.)

Amortized complexity means the number of rekey messages sent per update command for a sequence of update commands.

Matches the cost of the best known protocol up to a small 'additive' constant.
Proof Idea

View a multicast key distribution protocol as a game played between the center and the adversary.

[Figure: a forest of keys between the center and the adversary A; root keys are labeled member or non-member; a rekey message E_k(E_k'(k1)) is drawn as a hyper-edge from k and k' to k1.]

The playing board is an infinite forest on keys. A tree in this forest represents the set of pseudorandom keys derived from the root key. Some of the root keys are labeled either member or non-member.

The adversary changes labels on the keys which are labeled member or non-member. The center introduces rekey messages, modeled as hyper-edges over the keys.

A hyper-edge becomes useless once the key it points to becomes "reachable" from any non-member node. Show that the adversary can select to delete and add members in a way such that a lot of hyper-edges become useless in every move.
Open Questions

- Does the bound hold even without replace operations?
- What about average-case communication complexity?
- What if other cryptographic primitives are used for generating rekey messages (e.g. PRFs, secret sharing)?

Questions?
References

[AR02] M. Abadi, P. Rogaway. Reconciling Two Views of Cryptography (or the Computational Soundness of Formal Encryption). Journal of Cryptology 15(2), 2002.
[CGIMNP99] R. Canetti, J. Garay, G. Itkis, D. Micciancio, M. Naor, B. Pinkas. Multicast Security: A Taxonomy and Some Efficient Constructions. In Proc. of INFOCOM 1999.
[CMN99] R. Canetti, T. Malkin, K. Nissim. Efficient Communication-Storage Tradeoffs for Multicast Encryption. In Advances in Cryptology – EUROCRYPT 1999.
[MW04] D. Micciancio, B. Warinschi. Completeness Theorems for the Abadi-Rogaway Logic of Encrypted Expressions. Journal of Computer Security 12(1), 2004.
[AJ01] M. Abadi, J. Jurjens. Formal Eavesdropping and its Computational Interpretation. In TACS 2001.
[SSV01] J. Snoeyink, S. Suri, G. Varghese. A Lower Bound for Multicast Key Distribution. In Proc. of INFOCOM 2001.
[GH03] V. Gligor, D. O. Horvitz. Weak Key Authenticity and the Computational Completeness of Formal Encryption. In CRYPTO 2003.
[WHA99] D. Wallner, E. Harder, R. Agee. Key Management for Multicast: Issues and Architectures. RFC 2627, June 1999.
[WGL98] C. Wong, M. Gouda, S. Lam. Secure Group Communications Using Key Graphs. In Proc. of SIGCOMM 1998.