optimal communication complexity of generic multicast key distribution

Optimal Communication Complexity of Generic Multicast Key Distribution Saurabh Panjwani UC San Diego (Joint Work with Daniele Micciancio)


Post on 12-Jan-2016


TRANSCRIPT

Page 1: Optimal Communication Complexity of  Generic Multicast Key Distribution

Optimal Communication Complexity of

Generic Multicast Key Distribution

Saurabh Panjwani

UC San Diego

(Joint Work with Daniele Micciancio)

Page 2: Optimal Communication Complexity of  Generic Multicast Key Distribution

Multicast

Multicast is a primitive which enables a source of information to communicate with multiple receivers in a network with efficiency better than sending data individually to all the receivers.

(Efficiency means better utilization of sender resources and bandwidth.)

[Figure: network with a sender, receivers and other nodes; three unicast flows]

Page 3: Optimal Communication Complexity of  Generic Multicast Key Distribution

Multicast

[Figure: the same network with a sender, receivers and other nodes; one multicast flow]

Page 4: Optimal Communication Complexity of  Generic Multicast Key Distribution

Multicast

Example applications:
- Electronic conferences, virtual rooms
- PayTV or video-on-demand services
- Stock quotes

Security in multicast involves new challenges:
- How does one keep group communication secret?
- How do multiple receivers authenticate a single sender efficiently?
- How do we authorize anyone to send data on a multicast channel?

Page 5: Optimal Communication Complexity of  Generic Multicast Key Distribution

Secrecy in Multicast

In unicast, secrecy can be achieved by sharing a key between the parties and using symmetric-key encryption.

[Figure: two parties share key k and exchange Ek(data); adversary A does not obtain data]

Page 6: Optimal Communication Complexity of  Generic Multicast Key Distribution

Secrecy in Multicast

Can we do the same for multicast?

If group membership changes, the key should also change.

[Figure: sender multicasts Ek(data) to receivers sharing key k; adversary A]

Page 7: Optimal Communication Complexity of  Generic Multicast Key Distribution

Multicast Key Distribution

A group center distributes a shared 'group key' to all members (senders & receivers). It sends messages to change the key whenever membership changes.

Goal: At any instant of time, only the members should "know" the group key.

[Figure: center sending rekey messages; group members hold k, later k'; non-members are marked ?]

Page 8: Optimal Communication Complexity of  Generic Multicast Key Distribution

Multicast Key Distribution

Setup: Each user ui has a unique key ki that it shares with the center.

For a group with n members, the center sends n rekey messages (per membership update).

But we can do better…

[Figure: center generates k and sends Ek1(k); Ek3(k); Ek5(k) to users u1 to u6, who hold keys k1 to k6; group members learn k, non-members are marked ?]

Page 9: Optimal Communication Complexity of  Generic Multicast Key Distribution

Previous Work – Upper Bounds

- Wong, Gouda, Lam [WGL98]; Wallner, Harder, Agee [WHA99] gave a protocol in which every join/leave operation in a group of size n involves sending 2log2(n) rekey messages.
- Canetti, Garay, Itkis, Micciancio, Naor, Pinkas [CGIMNP99] improved this to log2(n). (Used pseudorandom generators in creation of rekey messages.)

Best known upper bound – log2(n)

Page 10: Optimal Communication Complexity of  Generic Multicast Key Distribution

Previous Work – Lower Bounds

- Canetti, Malkin, Nissim [CMN99] gave the first non-trivial lower bound: for a restricted class of protocols, in a group of size n, center must send (log(n)) rekey messages (per membership update).
- Snoeyink, Suri and Varghese [SSV01] proved a bound for more general protocols. For groups of size n, rekey cost must be at least log3(n).

Best known lower bound – 3log3(n)

Interestingly, 3log3(n) > log2(n) (lower bound is higher than upper bound)

Page 11: Optimal Communication Complexity of  Generic Multicast Key Distribution

Why is this so?

In the model used in [SSV01], every rekey message must be of the form Ek(k').

Why can't pseudorandom generators be used?

Eg: Take G(k) = G0(k) G1(k)…Gm(k)

Best known protocol uses PRGs.

[Figure: center holding key k; trees of pseudorandom keys G0(k), .., Gm(k) derived from k]

Page 12: Optimal Communication Complexity of  Generic Multicast Key Distribution

Why is this so?

In the model used in [SSV01], every rekey message must be of the form Ek(k').

Why can't nested encryption be used?

Eg: Two auxiliary keys, k, k'. Center wants to send a key k'' to members u1 and u2.

One possibility: Ek1(k''); Ek2(k'')

[Figure: center and users u1 to u4 with individual keys k1 to k4 and auxiliary keys k, k'; u1 and u2 are to receive k'']

Page 13: Optimal Communication Complexity of  Generic Multicast Key Distribution

Why is this so?

Better possibility: Ek(Ek'(k''))

Saves communication by a factor of 2.

Nested encryption has been used in some protocols.

[Figure: center and users u1 to u4 with individual keys k1 to k4 and auxiliary keys k, k'; u1 and u2 are to receive k'']

Page 14: Optimal Communication Complexity of  Generic Multicast Key Distribution

A More General Model

Rekey messages can be generated by arbitrary combination of pseudorandom generators and symmetric-key encryption.

Example: E_{G0(k2)}(E_{G1(k1)}(k'', G1(k')))

Question: How well can you do under this model? We answer: log2(n) is optimal.

[Figure: center and users u1 to u6 with keys k1 to k6]

Page 15: Optimal Communication Complexity of  Generic Multicast Key Distribution

Our Model

Every user shares a unique key with the center. At any instant, a finite set of users are members.

All parties have black-box access to a pseudorandom generator G and an encryption-decryption pair (E,D).

[Figure: center and users u1 to u6 with keys k1 to k6]

Page 16: Optimal Communication Complexity of  Generic Multicast Key Distribution

Our Model

Membership is controlled by an adversary who issues one of three commands at every instant:

- Leave – Delete a member from the group.
- Join – Add a non-member to the group.
- Replace – Replace a member with a non-member (keeps the group size the same).

[Figure: center, users u1 to u6 with keys k1 to k6, and adversary A issuing Leave, Join and Replace commands]

Page 17: Optimal Communication Complexity of  Generic Multicast Key Distribution

Our Model

Center responds by sending rekey messages. A rekey message is derived from the grammar:

M -> K | EK(M)
K -> random_key | G0(K) | G1(K) | .. | Gm(K)

Example: E_{G0(k2)}(E_{G1(k1)}(k''))

[Figure: center and users u1 to u6 with keys k1 to k6]

Page 18: Optimal Communication Complexity of  Generic Multicast Key Distribution

Our Model – Security Definition

What are the keys a user "knows" at any instant?

[Figure: the center sends E_k(E_{G0(k')}(kg)) and Ek1(kg); users u1 to u5 hold k1 to k5 together with various combinations of k, k', G0(k') and G1(k'); each user either recovers kg or does not (marked ?)]

Page 19: Optimal Communication Complexity of  Generic Multicast Key Distribution

Our Model – Security Definition

What are the keys a user "knows" at any instant?

Use an abstract encryption model for defining this notion (similar to Dolev-Yao logic).

Connections between such an abstract framework and the complexity-theoretic framework have been studied by Abadi-Rogaway [AR02], Micciancio-Warinschi [MW04], Abadi-Jurjens [AJ01], Gligor-Horvitz [GH03] etc.

[Figure: center sending E_k(E_{G0(k')}(kg)) and Ek1(kg) to users u1 to u5 with keys k1 to k5]

Page 20: Optimal Communication Complexity of  Generic Multicast Key Distribution

Our Model – Security Definition

Definition: A multicast key distribution protocol is secure if for every sequence of adversarial commands, at every time instant t, there is a key kt such that:

- Every member at time t knows kt
- NO non-member at time t knows kt

A very liberal definition!

Security against collusions of non-members?

But a weak definition only makes our lower bound stronger.
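The rekey-message grammar and the notion of which keys a user "knows" can be made concrete symbolically. The Python below is an added example, not part of the original slides: the tuple encoding of terms, the function names and the sample users and key holdings are constructed for illustration. It evaluates the security definition on one nested rekey message and shows why the definition says nothing about collusions of non-members.

```python
# Added example. Terms follow the slides' grammar; the tuple encoding is an assumption:
#   ("key", name)  random key     ("G", i, K)  i-th PRG output on key K
#   ("E", K, M)    encryption of message M under key K
def key(name): return ("key", name)
def G(i, k): return ("G", i, k)
def E(k, m): return ("E", k, m)

def derivable(k, known):
    """A key is derivable if it is held, or is a PRG output of a derivable key."""
    while True:
        if k in known:
            return True
        if k[0] != "G":
            return False
        k = k[2]  # G_i(K) follows from its seed K, never the reverse

def knows(initial_keys, broadcast):
    """Closure of the keys a user recovers from every rekey message sent so far."""
    known, pending, progress = set(initial_keys), list(broadcast), True
    while progress:
        progress = False
        for m in list(pending):
            if m[0] != "E":                 # a bare key: learned as soon as exposed
                known.add(m)
            elif not derivable(m[1], known):
                continue                    # cannot open this layer (yet)
            else:
                pending.append(m[2])        # strip one encryption layer
            pending.remove(m)
            progress = True
    return known

def secure(group_key, members, non_members, broadcast):
    """The slides' definition: every member knows the key, no non-member does."""
    can = lambda held: derivable(group_key, knows(held, broadcast))
    return all(map(can, members.values())) and not any(map(can, non_members.values()))

# Constructed sample: nested rekey message plus one individual message for u1.
K, K2, K1, KG = key("k"), key("k'"), key("k1"), key("kg")
BROADCAST = [E(K, E(G(0, K2), KG)), E(K1, KG)]
MEMBERS = {"u1": {K1}, "u2": {K, G(0, K2)}, "u3": {K, K2}}
NON_MEMBERS = {"u4": {K, G(1, K2)}, "u5": {G(0, K2)}}

if __name__ == "__main__":
    print("secure:", secure(KG, MEMBERS, NON_MEMBERS, BROADCAST))
    pooled = NON_MEMBERS["u4"] | NON_MEMBERS["u5"]  # collusion of two non-members
    print("colluders learn kg:", derivable(KG, knows(pooled, BROADCAST)))
```

Neither u4 nor u5 alone recovers kg, so the definition is satisfied, yet their pooled keys open both encryption layers.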

Page 21: Optimal Communication Complexity of  Generic Multicast Key Distribution

Our Result

Theorem: The amortized communication complexity of secure multicast key distribution is log2(n) - c. (c tends to 0 as the number of adversarial commands increases.)

Matches the cost of the best known protocol up to a small 'additive' constant.

Amortized complexity means the number of rekey messages sent per update command for a sequence of update commands.

Page 22: Optimal Communication Complexity of  Generic Multicast Key Distribution

Proof Idea

View a multicast key distribution protocol as a game played between center and adversary.

The playing board is an infinite forest on keys. A tree in this forest represents the set of pseudorandom keys derived from the root key.

Some of the root keys are labeled either member or non-member.

[Figure: center and adversary A; forest of keys with roots labeled member, non-member, member]

Page 23: Optimal Communication Complexity of  Generic Multicast Key Distribution

Proof Idea

Adversary changes labels on the keys which are labeled member or non-member.

Center introduces rekey messages, modeled as hyper-edges over the keys.

[Figure: center and adversary A; forest of keys with roots labeled member, non-member, member; hyper-edge for Ek(Ek'(k1)) over keys k, k' and k1]

Page 24: Optimal Communication Complexity of  Generic Multicast Key Distribution

Proof Idea

A hyper-edge becomes useless once the key it points to becomes "reachable" from any non-member node.

Show that the adversary can choose to delete and add members in such a way that a lot of hyper-edges become useless in every move.

[Figure: center and adversary A; forest of keys with roots labeled member, non-member, member]

Page 25: Optimal Communication Complexity of  Generic Multicast Key Distribution

Open Questions

- Does the bound hold even without replace operations?
- What about average-case communication complexity?
- What if other cryptographic primitives are used for generating rekey messages (e.g. PRFs, secret sharing)?

Page 26: Optimal Communication Complexity of  Generic Multicast Key Distribution

Questions?

Page 27: Optimal Communication Complexity of  Generic Multicast Key Distribution

References

[AR] M. Abadi, P. Rogaway. Reconciling Two Views of Cryptography (or the Computational Soundness of Formal Encryption). Journal of Cryptology 15(2), 2002.

[CGIMNP] R. Canetti, J. Garay, G. Itkis, D. Micciancio, M. Naor, B. Pinkas. Multicast Security: A taxonomy and some efficient constructions. In Proc. of INFOCOM 1999.

[CMN] R. Canetti, T. Malkin, K. Nissim. Efficient communication-storage tradeoffs for multicast encryption. In Advances in Cryptology – EUROCRYPT 1999.

[MW] D. Micciancio, B. Warinschi. Completeness theorems for the Abadi-Rogaway Logic of Encrypted Expressions. Journal of Computer Security, 12(1), 2004.

[AJ] M. Abadi, J. Jurjens. Formal eavesdropping and its computational interpretation. In TACS 2001.

Page 28: Optimal Communication Complexity of  Generic Multicast Key Distribution

[SSV] J. Snoeyink, S. Suri, G. Varghese. A lower bound for Multicast Key Distribution. In Proc. of INFOCOM 2001.

[GH] V. Gligor, D. O. Horvitz. Weak Key Authenticity and the Computational Completeness of Formal Encryption. In CRYPTO 2003.

[WHA] D. Wallner, E. Harder, R. Agee. Key management for Multicast: Issues and Architecture. RFC 2627, June 1999.

[WGL] C. Wong, M. Gouda, S. Lam. Secure Group Communication using Key graphs. In Proc. of SIGCOMM 1998.
