Optimal Communication Complexity of Generic Multicast Key Distribution
Saurabh Panjwani, UC San Diego (joint work with Daniele Micciancio)

Multicast
Multicast is a primitive which enables a source of information to communicate with multiple receivers in a network with efficiency better than sending data individually to all the receivers. (Efficiency means better utilization of sender resources and bandwidth.)
[Figure: three separate unicast flows from the sender to three receivers, versus a single multicast flow reaching the same three receivers; legend: sender, receiver, others.]

Multicast
Example applications: electronic conferences and virtual rooms; pay-TV or video-on-demand services; stock quotes.
Security in multicast involves new challenges:
How does one keep group communication secret?
How do multiple receivers authenticate a single sender efficiently?
How do we authorize anyone to send data on a multicast channel?

Secrecy in Multicast
In unicast, secrecy can be achieved by sharing a key k between the two parties and using symmetric-key encryption: the sender transmits E_k(data), the receiver recovers data, and the eavesdropper A learns nothing.
Can we do the same for multicast? A single shared key k lets every receiver decrypt E_k(data), but if group membership changes, the key should also change.

Multicast Key Distribution
A group center distributes a shared "group key" to all members (senders and receivers). Whenever membership changes, it sends messages to change the key: rekey messages.
[Figure: the center sends the new key k' to the three current members; the non-member still holds only the old key k.]
Goal: at any instant of time, only the members should "know" the group key.

Multicast Key Distribution
Setup: each user u_i has a unique key k_i that it shares with the center.
[Figure: users u1..u6 holding keys k1..k6; u1, u3, u5 are members and u2, u4, u6 are non-members. The center generates k and sends E_k1(k), E_k3(k), E_k5(k); each member recovers k, the non-members do not.]
But we can do better...

Previous Work: Upper Bounds
Wong, Gouda, Lam [WGL98] and Wallner, Harder, Agee [WHA99] gave a protocol in which every join/leave operation in a group of size n involves sending 2 log2(n) rekey messages.
Canetti, Garay, Itkis, Micciancio, Naor, Pinkas [CGIMNP99] improved this to log2(n) (using pseudorandom generators in the creation of rekey messages).
Best known upper bound: log2(n)

Previous Work: Lower Bounds
Canetti, Malkin, Nissim [CMN99] gave the first non-trivial lower bound: for a restricted class of protocols, in a group of size n, the center must send Ω(log(n)) rekey messages (per membership update).
Snoeyink, Suri and Varghese [SSV01] proved a bound for more general protocols: for groups of size n, the rekey cost must be at least 3 log3(n).
Best known lower bound: 3 log3(n)
Interestingly, 3 log3(n) > log2(n): the lower bound is higher than the upper bound.

Why is this so?
In the model used in [SSV01], every rekey message must be of the form E_k(k').
Why can't pseudorandom generators be used? E.g. take G(k) = G0(k) G1(k) ... Gm(k): any party holding k can derive G0(k), ..., Gm(k) locally, with no message sent.
[Figure: the center and every user that holds k also hold G0(k), ..., Gm(k).]
The best known protocol uses PRGs.

Why is this so?
In the model used in [SSV01], every rekey message must be of the form E_k(k').
Why can't nested encryption be used? E.g. two auxiliary keys k, k'. The center wants to send a key k'' to members u1 and u2.
[Figure: u1 holds k1, k, k'; u2 holds k2, k, k'; u3 holds k3 and k only; u4 holds k4 and k' only.]
One possibility: E_k1(k''); E_k2(k'') (two messages).
Better possibility: nested encryption, E_k(E_k'(k'')), a single message that only u1 and u2 can open (u3 lacks k', u4 lacks k). Nested encryption has been used in some protocols. It saves communication by a factor of 2.

A More General Model
Rekey messages can be generated by an arbitrary combination of pseudorandom generators and symmetric-key encryption.
[Figure: example rekey message E_{G1(k1)}(E_{G0(k2)}(k'', G1(k'))) sent by the center to users u1..u6 holding k1..k6.]
Question: how well can you do under this model?
We answer: log2(n) is optimal.

Our Model
Every user shares a unique key with the center. At any instant, a finite set of users are members. All parties have black-box access to a pseudorandom generator G and an encryption/decryption pair (E, D).
Membership is controlled by an adversary who issues one of three commands at every instant:
Join: add a non-member to the group.
Leave: delete a member from the group.
Replace: replace a member with a non-member (keeps the group size the same).
The center responds by sending rekey messages. A rekey message is derived from the grammar:
  M ::= K | E_K(M)
  K ::= random_key | G0(K) | G1(K) | ... | Gm(K)
Example: E_{G1(k1)}(E_{G0(k2)}(k'')).

Our Model: Security Definition
What are the keys a user "knows" at any instant?
[Figure: the center sends E_k1(kg) and E_{G0(k')}(E_k(kg)). u1 holds k1 and learns kg; u2 holds k and k' (hence G0(k')) and learns kg; u3 holds only G0(k') and does not learn kg; u4 holds k and G1(k') and does not learn kg; u5 holds k and G0(k') and learns kg.]
We use an abstract encryption model for defining this notion (similar to Dolev-Yao logic). Connections between such an abstract framework and the complexity-theoretic framework have been studied by Abadi-Rogaway [AR02], Micciancio-Warinschi [MW04], Abadi-Jurjens [AJ01], Gligor-Horvitz [GH03], etc.

Our Model: Security Definition
Definition: a multicast key distribution protocol is secure if for every sequence of adversarial commands, at every time instant t, there is a key k_t such that
every member at time t knows k_t, and
NO non-member at time t knows k_t.
A very liberal definition!
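As an added illustration (not code from the talk), the following Python implements the key-knowledge relation behind the definition: a user's known keys are closed under the rekey-message grammar and under PRG derivation, Dolev-Yao style, and the check then asks whether every member and no non-member knows the group key. The instance it runs is the nested-encryption example from the earlier slides (u1..u4, auxiliary keys k and k', message E_k(E_k'(k''))); the tuple encoding, the user dictionary and the function names are constructed here.

```python
import re

# Rekey messages follow the grammar on the slides:
#   M ::= K | E_K(M)      K ::= random_key | G_0(K) | ... | G_m(K)
# A key is a string such as "k", "G0(k)" or "G1(G0(k'))"; an encryption
# is the tuple ("E", key, payload) where payload is a key or another tuple.
PRG = re.compile(r"^G(\d+)\((.*)\)$")

def knows_key(key, known):
    """A key is known if held directly, or if it is a PRG output G_i(K)
    of a known key (the generator itself is public)."""
    if key in known:
        return True
    m = PRG.match(key)
    return m is not None and knows_key(m.group(2), known)

def knowledge(initial_keys, messages):
    """Close a user's key set under the rekey messages: an encryption
    E_K(M) yields M exactly when K is (derivably) known."""
    known = set(initial_keys)
    pending = list(messages)
    changed = True
    while changed:
        changed = False
        for msg in list(pending):
            if isinstance(msg, str):            # a bare key: learned
                pending.remove(msg); known.add(msg); changed = True
            elif knows_key(msg[1], known):      # E_K(M) with K known: unwrap
                pending.remove(msg); pending.append(msg[2]); changed = True
    return known

def secure_at_instant(user_keys, members, messages, group_key):
    """The talk's definition at one instant: every member knows the group
    key and no (individual) non-member does."""
    for user, keys in user_keys.items():
        has = knows_key(group_key, knowledge(keys, messages))
        if has != (user in members):
            return False
    return True

# Constructed instance of the nested-encryption slide: k, k' are shared by
# u1 and u2; u3 holds only k, u4 holds only k'. Center sends E_k(E_k'(k'')).
USER_KEYS = {"u1": {"k1", "k", "k'"}, "u2": {"k2", "k", "k'"},
             "u3": {"k3", "k"}, "u4": {"k4", "k'"}}
NESTED = [("E", "k", ("E", "k'", "k''"))]
# PRG variant: anyone holding k derives G0(k) and so can open E_{G0(k)}(k'').
PRG_MSG = [("E", "G0(k)", "k''")]
```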
What about security against collusions of non-members? The definition does not require it, but a weak definition only makes our lower bound stronger.

Our Result
Theorem: the amortized communication complexity of secure multicast key distribution is log2(n) - c, where c tends to 0 as the number of adversarial commands increases.
Amortized complexity means the number of rekey messages sent per update command over a sequence of update commands.
This matches the cost of the best known protocol up to a small additive constant.

Proof Idea
View a multicast key distribution protocol as a game played between the center and the adversary.
The playing board is an infinite forest on keys. A tree in this forest represents the set of pseudorandom keys derived from the root key. Some of the root keys are labeled either member or non-member.
The adversary changes labels on the keys which are labeled member or non-member. The center introduces rekey messages, modeled as hyper-edges over the keys.
[Figure: the rekey message E_k(E_k'(k1)) drawn as a hyper-edge from the keys k and k' to the key k1.]
A hyper-edge becomes useless once the key it points to becomes "reachable" from any non-member node.
Show that the adversary can choose to delete and add members in a way such that many hyper-edges become useless in every move.

Open Questions
Does the bound hold even without replace operations?
What about average-case communication complexity?
What if other cryptographic primitives are used for generating rekey messages (e.g. PRFs, secret sharing)?

Questions?

References
[AR] M. Abadi, P. Rogaway. Reconciling Two Views of Cryptography (or the Computational Soundness of Formal Encryption). Journal of Cryptology 15(2), 2002.
[CGIMNP] R. Canetti, J. Garay, G. Itkis, D. Micciancio, M. Naor, B. Pinkas. Multicast Security: A Taxonomy and Some Efficient Constructions. In Proc. of INFOCOM 1999.
[CMN] R. Canetti, T. Malkin, K. Nissim. Efficient Communication-Storage Tradeoffs for Multicast Encryption. In Advances in Cryptology - EUROCRYPT 1999.
[MW] D. Micciancio, B. Warinschi. Completeness Theorems for the Abadi-Rogaway Logic of Encrypted Expressions. Journal of Computer Security 12(1), 2004.
[AJ] M. Abadi, J. Jurjens. Formal Eavesdropping and Its Computational Interpretation. In TACS 2001.
[SSV] J. Snoeyink, S. Suri, G. Varghese. A Lower Bound for Multicast Key Distribution. In Proc. of INFOCOM 2001.
[GH] V. Gligor, D. O. Horvitz. Weak Key Authenticity and the Computational Completeness of Formal Encryption. In CRYPTO 2003.
[WHA] D. Wallner, E. Harder, R. Agee. Key Management for Multicast: Issues and Architectures. RFC 2627, June 1999.
[WGL] C. Wong, M. Gouda, S. Lam. Secure Group Communications Using Key Graphs. In Proc. of SIGCOMM 1998.