management ?
SandroRafaeli,LaurentMathy,andDavidHut hison
ComputingDepartment,Lan asterUniversity,LA14YR,Lan aster,UK
Abstra t. Severalproto olshavebeenproposedtodealwiththegroup
keymanagement problem.The most promising are thosebased on
hi-erar hi al binary trees. A hierar hi al binary tree of keys redu es the
sizeofthe rekeymessages,redu ing alsothestorageandpro essing
re-quirements.Inthispaper,wedes ribeaneweÆ ienthierar hi albinary
tree(EHBT)proto ol.Using EHBT,agroupmanager anusekeys
al-readyinthetreetoderivenewkeys.Usingpreviouslyknownkeyssaves
informationto betransmittedto memberswhenamembership hange
o ursandnewkeyshavetobe reatedorupdated.EHBT ana hieve
(Ilog
2
n)messagesize(Iisthesizeofakeyindex)forjoin operations
and(Klog
2
n)messagesize(Kisthesizeofakey)forleaveoperations.
WealsoshowthattheEHBTproto oldoesnotin reasethestorageand
pro essingrequirementswhen omparedtootherHBTs hemes.
1 Introdu tion
With IPmulti ast ommuni ation,agroupmessageistransmitted toall
mem-bersofthegroup.EÆ ien yis learlya hievedasonlyonetransmissionisneeded
to rea hallmembers.Theproblems startbe auseanyma hine anjoin a
mul-ti ast group and start re eiving the messages sent to the group without the
sender'sknowledge. This hara teristi raises on ernsaboutpriva yand
se u-ritysin enoteverysenderwantstoalloweveryonetohavea esstoits
ommu-ni ation.
Cryptographi tools an be used to prote tgroup ommuni ation. An
en- ryptionalgorithmtakesinputdata (e.g.agroupmessage)and performssome
transformationsonitusingakey(wherethekeyisarandomlygenerated
num-ber).Thispro essgeneratesa ipheredmessage.Thereisnoeasywaytore over
theoriginalmessagefrom the ipheredtextotherthanbyknowingthekey[9℄.
Whenapplyingsu hte hnique,itispossibletorunse uremulti astsessions.
Group messages are prote ted by en ryption using a hosen key (group key).
Only those who knowthe group key are able to re overthe original message.
However, distributing the group key to valid members is a omplexproblem.
Althoughrekeyingagroupbefore thejoin ofanewmemberis trivial(sendthe
new group key to the old group membersen rypted with the old group key),
?
annotbeusedto distributeanewone,be ausetheleavingmemberknowsthe
oldkey.Agroupmanagermust,therefore,provideothers alableme hanismsto
rekeythegroup.
Severalresear hershavestudiedtheuseofahierar hi albinarytree(HBT)
for the group key management problem. Using an HBT, the key distribution
entre(KDC)maintainsatreeofkeys,wheretheinternalnodesofthetreehold
keyen ryptionkeys(KEKs)andtheleaves orrespondtogroupmembers.Ea h
leaf holds a KEKasso iated to that one member. Ea h memberre eives and
maintainsa opyoftheKEKasso iatedtoitsleafandtheKEKs orrespondent
to ea h an estor nodein thepath from its parent nodeto theroot. All group
memberssharekeyheldbytherootofthetree.Forabalan edtree,ea hmember
stores log
2
n+1 keys, where n is the number of members. This hierar hy is
exploredto a hievebetterperforman ewhenupdatingkeys.
Inthis paper, we propose aproto olto eÆ iently builtan HBT,whi h we
alltheEHBTproto ol.TheEHBTproto ola hieves(Ilog
2
n)messagesizefor
additionoperationsand(Klog
2
n)messagesizeforremovaloperationskeeping
the storageand pro essingon both, lient and serversidesto aminimum. We
a hievethesebounds usingwell-knownte hniques,su h asaone{wayfun tion
andthexoroperator.
2 Related Work
Wallneretal[13℄werethersttoproposetheuseofanHBT.Intheirapproa h,
everytime thegroupmembership hanges, internal node keys(ae ted bythe
membership hange)are updatedandeverynewkeyisen rypted with ea h of
its hildren'skeysand then multi ast. A rekeymessage onveys2log
2 n keys
forin ludingorremovingamember.
Caronniet al[12℄ proposed averysimilar proto ol to that of Wallner,but
theya hieveabetterperforman eregardingthe sizeof multi ast messagesfor
joining operations. We refer to this proto ol as HBT+. Instead of en rypting
new key values with their respe tive hildren's key, Caronni proposes to pass
thosekeysintoaone{wayfun tion.Onlytheindexesoftherefreshedkeysneed
to bemulti astandanindexsizeissmallerthanthekeysize.
An improvement to the hierar hi al binary tree approa h is the one{way
fun tiontree(OFT)proposedbyM GrewandSherman[5℄.Thekeysofanode's
hildren are blinded using a one{way fun tion and then mixed together using
the xoroperator.Theresultof this mixing is theKEKheld by thenode. The
improvementisduetothefa tthatwhenthekeyofanode hanges,itsblinded
versionisonlyen ryptedwiththekeyofitssiblingnode.Thus,therekeymessage
arriesjustlog
2 nkeys.
Canettietal[3℄proposedaslightlydierentapproa hthata hievesthesame
ommuni ationoverhead.Theirs hemeusesapseudo{random{generator(PRG)
ELK proto ol is verysimilar tothe OFT,but ELK usespseudo{random
fun -tions (PRFs) 1
to build and manipulate the keys in the tree. ELK employs a
timelyrekey,hen e,ateverytimeinterval,theKDCrefreshestherootkeyusing
thePRFfun tionandthenusesittoupdatethewholekeytree.Byderivingall
keys,ELKdoesnotrequireanymulti astmessagesduringajoin operation.All
members anrefreshtheirownkeys,hen enorekeymessageis required.When
membersaredeleted,asinOFT,newkeysaregeneratedfrombothits hildren's
keys.
3 EÆ ient Hierar hi al Binary Tree Proto ol
IntheEHBTproto ol,aKDCmaintainsatreeofkeys.Theinternalnodesofthe
treeholdKEKsandtheleaves orrespondtogroupmembers.Keysareindexed
byrandomly hosennumbers.Ea h leafholds ase retkeythatisasso iatedto
that member.Therootofthetreeholds a ommonkeytoallmembers.
An estorsofanodearethosenodesinthepathfromitsparentnodetothe
root. Theset of an estor ofanodeis alled an estorset. Ea h memberknows
only its own key (asso iated to itsleaf node) and keys orrespondent to ea h
nodeinitsan estorset.Forabalan edtree,ea hmemberstoreslog
2
n+1keys,
wherenisthenumberof members.
Inordertoguaranteeba kwardandforwardse re y[11℄,thekeysrelatedto
joining members orleaving membersshould be hanged every time thegroup
membership hanges. The new keys in the an estor set of an ae ted leaf are
generatedupwardsfromthekeyheldbytheae tedleaf'ssiblinguptotheroot.
Using keysthat arealreadyin thetree ansaveinformationto betransmitted
to members when a membership o urs and new keys have to be reated or
updated.
The formulaF(x;y) =h(xy) is used to generate keysfrom other keys,
wherehisaone{wayhashfun tionandisanormalxoroperator.Theobvious
fun tionalityoffun tionhistohidetheoriginalvalueofxandyintovaluezin
awaythat ifoneknowsonlyz he annotndtheoriginalvaluesx andy.The
fun tionalityofisto mixx andy andgenerateanewvalue.
We say that a key k
i an be refreshed by doing k 0 i = F(k i ;i), where i is
the index (or identier) of key k
i
or key k
i
an be updated by derivingone of
its hildrenkeybydoingk 0 i =F(k leftjright i ;i), wherek leftjright i
isthekeyof i's
either left orright hild. Appendix A des ribesthe reasonfor using index iin
fun tion F.
3.1 RekeyMessage Format
A member anre eivetwotypesofinformationin arekeymessage,onetelling
himtorefreshorupdatethevalueofakey,theothertellinghimthenewvalue
he re eives a key value. After deriving a key, amember will try to derive all
otherkeysbyhimself (fromthatkeyupto theroot) unlesshere eivesanother
informationtellinghimsomethingdierent.Forexample,ifkeyK
i
isrefreshed,
theKDCneedstosendtoK'sholderstheidenti ationofthekeysothatthey
anperformtherefreshoperationthemselves.Or,ifanodenhasitskeyupdated
(K 0
n =F(k
L
;n)),then itimpliessending to memberLthe indexn andto the
other hild,namelyR ,thenewkeyvalueK 0
n
(be auseRdoesnotknowL'skey).
` ` `
indexes and
commands
keys
+
i
+ j
` ` `
i
{K
j
}
Ki
Fig.1.Exampleofarekeymessage.
Therekeymessagethatrelaysthisinformationhastwoparts.Therstpart
arries ommands and the se ond arries keys. Ea h pie e of information is
indexed byakeyindex. Keysare en rypted withthe keyindi atedby thekey
index(seeFigure1),but ommandsarenoten ryptedbe ausetheydonot arry
vitalinformation. Based on ommands and keys, members annd outwhi h
keystheymustrefreshorupdate,orjustsubstitute,be ausetheyhavere eived
anewkeyvaluetoaspe i key.
Algorithm1:Readingrekeymessagealgorithm.
(1) re eiverekeymessage
(2) setlast ommandto"keepkey"
(3) whilethereisakeytobederived
(4) getakeyindexfromkey{list
(5) sear hindexespartofrekeymessage forkeyindex
(6) if thereisa ommand
(7) exe utethe ommandonthespe i key
(8) setlast ommandtothis ommand
(9) else
(10) sear hkeyspartoftherekeymessageforkeyindex
(11) if thereisakey
(12) substituteitinthekeylist
(13) setlast ommandto"update"
(14) if thereisno ommandorkey
(15) exe utelast ommandin urrentkey
Thealgorithmtohandlerekeymessagesstartswithamemberholdingalist
ofknownkeys(key{list).Afterexe utingthealgorithm,amemberwillhaveall
+ior iori are ommandstobeapplied onkeyi R(k i ) refreshk i applyingF(k i ;i) U(k i ) updatek j applyingF(k i ;j) fxg k en ryptionofx withk
j : ommand ommandtokeyj'sholder
[ ommands;keys℄ message ontaining ommandsandkeys
4 Basi Operations
Inthisse tion,wedes ribethebasi algorithmsforjoinandleaveoperationsfor
singleandmultiple ases.
u1
n14
K14
n18
K18
n1
k1
n34
K34
n2
k2
u1
n14
K'14
n18
K'18
n58
K58
n12
K12
n1
k'1
n34
K34
n58
K58
u2
Fig.2.Useru2 joinsthetree.
n1
k'1
n14
K'14
n12
K12
u1
u2
n2
k2
n43
K43
n58
K58
n18
K'18
n3
k3
n4
k'4
u4
u3
n1
k1
n14
K14
u1
u4
n4
k4
n58
K58
n18
K18
Fig.3.Usersu2 andu3 jointhetree.
Single Member Join Algorithm.Whenamemberjoins thegroup,it is
asso iatedto aleafnode n. TheKDCassigns arandomly hosenkeyk
n to n.
Leaf n is then in luded in the treeat the parent of the shallowest leaf node s
(to keepthetree asshortaspossible).Leafs isremovedfrom thetree, andin
its pla ea newnode pis inserted.Leavessand n areinserted asp's hildren.
Weseeanexamplein Figure2:Member2ispla edinleafn
2 ,whi hisinserted at noden 12 . Noden 12
be omesthenewparentofleavesn
1 andn 2 .Leaf n 2 is assignedkeyk 2 .
In order to keep the ba kward se re y, keys in n
1
's an estor set need to
re eivenewvalues.Keyk
1 isrefreshed(k 0 1 =R(k 1 )),K 12
re eivesavaluebased
onk 0 1 (K 12 =U(k 0 1 )) andkeysK 14 and K 18 are refreshed(K 0 14 =R(K 14 ) and K 0 18 =R(K 18 )).
Notethat duringajoin operation,keys,whi hwerealreadyin thetree,are
just refreshed. Members holding those keys only need to be told those keys'
indexestobeabletogeneratetheirnewvalues,whi hmeansthatthesekeysdo
nothavetobetransmitted.Inthesameway,membersthathadtheirkeysused
forgeneratingnewkeysjust haveto betoldtheindexofthenewkeyandthey
an generatethat keybythemselves.
TheKDCgeneratesuni astmessagesformembern
2 ([k 2 ;K 12 ;K 0 14 ;K 0 18 ℄)and
2 1
re eives its uni ast message and derives key K
12
, in luding it in its key{list.
MembersholdingkeysK
14 andK
18
refreshthesekeys.
MultipleMembersJoin Algorithm.Several newmembersareinserted
inthetreeasinthesinglememberjoinalgorithm.Theyareasso iatedtonodes
and the nodes are pla ed at the parent of the shallowest leaves. However,the
keysinthetreearemodiedinaslightlydierentmanner.Newnodes'an estor
sets onvergeatsomepointandallkeysthat areinmorethanonean estorset
aremodiedonlyon e.
SeeFigure3foranexample.Membersu
2 andu
3
joined thegroupandhave
beenpla edatnodesn
12 andn
43
,respe tively.Followingthesinglememberjoin
algorithm, thekeysin memberu
2
'san estorsetare hanged:rst,k 0 1 =R(k 1 ), andthen,K 12 =U(k 0 1 ),K 14 =R(K 14 ),K 0 18 =R(K 18
).Inthesameway,keysin
memberu
3
'san estorsetare hanged:rst,k 0 4 =R(k 4 ),andthen,K 43 =U(k 0 4 ). KeysK 12 andK 18
havealreadybeen hangedbe auseofmemberu
2
,hen ethey
arenot hangedagain.
The KDC generates uni ast messages for member n
2 ([k2;K12;K 0 14 ;K 0 18 ℄), membern 3 ([k3;K43;K 0 14 ;K 0 18 ℄),memberu 1 ([+12℄)andmemberu 4 ([+43℄),and multi astmessage[14:14;18:18℄. Membersu 2 andu 3
re eivetheiruni astmessagesand reatetheirrespe tive
key{lists.Memberu
1
re eivestheuni astmessage,deriveskeyK
12
,andin ludes
itinitskey{list.Memberu
4
doesthesamewithkeyK
43
.Membersholdingkeys
K
14 andK
18
refreshthesekeys.
u1
n14
K'14
n18
K'18
n1
k'1
n34
K34
n2
k2
u1
n14
K14
n18
K18
n58
K58
n12
K12
n1
k1
n34
K34
n58
K58
u2
Fig.4.Useru2 leavesthetree.
n1
k'1
n14
K'14
u1
n34
K34
u5
n58
K'58
n78
K78
n5
k'5
n18
K'18
n1
k'1
n14
K14
n12
K12
u1
u2
n2
k2
n34
K34
u5
n56
K56
n58
K58
n78
K78
n5
k5
u6
n6
k6
n18
K'18
Fig.5.Usersu2andu6 leavethetree.
SingleMemberLeaveAlgorithm.Whenamemberuleavesorisremoved
from thegroup,its siblingsrepla esitsparentp.Moreover,allkeysknownby
u should beupdated to guarantee forwardse re y. For example,see Figure 4:
u
2
leaves(orisremovedfrom)thegroupanditsnodeisremovedfromthetree.
Noden
12
isalsoremovedandleafn
1
ispromotedtoitspla e.
Inordertokeeptheforwardse re y,keysinn
1
'san estorsetneedtore eive
new values.Keys K
14 andK 18 have to be updated:k 0 1 =R(k 1 ),K 0 14 =U(k 0 1 ) andK 0 18 =U(K 0 14 ).
thenewvaluesareallgeneratedfrom theremovedmember'ssiblingkey,whi h
wasnotknownby theremovedmember,theremovedmember annot ndthe
newvalues.
TheKDCgeneratesmulti astmessage[1: 12;fK 0 14 g K 34 ;fK 0 18 g K 58 ℄. Membern 1 refreshes k 0 1
and, be ause it has removed K
12
, it updates K
14
andK
18
.MembersholdingkeyK
34
getnewkeyK 0
14
andthenupdate keyK
18 .
MembersholdingkeyK
58
getnewkeyK 0
18 .
Multiple Members Leave Algorithm. This algorithm is handled
simi-larlytothesinglememberleavealgorithm.Theleavingnodesareremovedand
thetree shapeisadjusted a ordingly.Asin themultiple join algorithm, there
anbeseveraldierentpathfromremovednodestotheroot,whi hmeansthat
therootkey anbeupdatedbyseveralnodes(seeFigure5).
Inordertoavoidseveralrootkeyversions forthesameoperation,theKDC
hooses one of the paths and use it to update the root key. For example, in
Figure5,n
2 andn
6
leavethegroupandnodesn
1 andn
5
arepromotedtotheir
respe tiveparents'pla es(n
12 andn
56
).Bothareusedtoderivetheirnewparent
keysK 0 14 andK 0 58
,butthentheyboth annotbeusedtoupdatekeyK 0
18
.Inthis
ase,theKDC hoosesoneofthemtoupdatekeyK 0
18
andtheotherwillre eive
theupdatedkey.Forinstan e,theKDC hoosesnoden
1
andthenthekeysare
updatedas follows:k 0 1 =R(k 1 ),K 0 14 =U(k 0 1 ), K 0 18 =U(K 0 14 ),k 0 5 =R(k 5 ) and K 0 58 =U(k 0 5 ).
TheKDCgeneratesmulti ast message[1: 12;5: 56;f K 0 14 g K 34 ;fK 0 58 g K 78 ; fK 0 18 g K 0 58 ℄. Membern 1 refreshes k 0 1
and, be ause it has removed K
12 , it updates K 0 14 andK 0 18 .KeyK 34 'sholdersre overK 0 14 andupdate K 0 18 .Membern 5 refreshes k 0 5 andupdatesK 0 58
,but sin ethere isanewkeyen ryptedwithK 0
58 ,n
5 stops
updating its keys and just re oversK 0 18 . Key K 78 's holders re over K 0 58 and,
sin ethereisakeyen rypted withit,theyjustre overK 0
18 .
Rebalan ing.The eÆ ien y of thekeytree depends ru ially on whether
thetreeremainsbalan edornot.Atreeissaidtobebalan edifnoleafismu h
furtherawayfromtherootthananyotherleaf.Ingeneral,forabalan edbinary
tree with n leaves, the distan e from theroot to any leaf is log
2
n, but if the
tree isunbalan ed,thedistan e from theroot to aleaf anbe ome ashigh as
n.Therefore,itisdesirableto keepakeytreeasbalan edaspossible.
Therebalan ingworksbygettingtheshallowestanddeepest internalnodes
and omparingtheirdepths. If thedepth gap islargerthantwothen itmeans
thatthetreeisunbalan edandneedstobelevelled.Forbalan ingthetree,the
deepestleafnodeisremoved,whi hmakesitssiblingtogoonelevelup(similarly
totheremovingalgorithm),andinsertedattheshallowestnode(similarlytothe
insertingalgorithm).Thispro edureisrepeateduntilthedieren ebetweenthe
depthsoftheshallowestandthedeepestnodesissmallerthantwo.
Ina rebalan ing operation, the deepest node, whi h has beenmovedfrom
deletion areperformedsimultaneously.
n1
k1
n18
K'18
n12
K12
u1
u2
n2
k2
n38
K38
u5
n56
K56
n59
K'59
n79
K'79
n5
k5
u6
n6
k6
u7
n7
k7
n9
k'9
u9
n19
K'19
n8
k8
n3
k'3
u3
u8
n1
k1
n18
K18
n12
K12
u1
u2
n2
k2
n89
K89
u5
n56
K56
n59
K59
n79
K79
n5
k5
u6
n6
k6
u7
n7
k7
n9
k9
u9
n19
K19
n8
k8
n3
k3
u3
u8
Fig.6.Rebalan ingthetree.
See Figure 6 for an example. The tree needs a rebalan ing, so leaf n
8 is
deleted from its original position (n
89
)and insertedinto anew position (n
38 ).
Thedeletionstartsaremovaloperationwithleafn
9
updatingthenewkeys.At
the same time, leaf n
3
starts refreshing the keys on its path (as an insertion
requires). The new keysare al ulated as follows: k 0 9 = R(k 9 ), K 0 79 = U(k 0 9 ), K 0 59 =U(K 0 79 ),k 0 3 =R(k 3 ),K 38 =U(k 0 3 )andK 0 18 =R(K 0 18 ).KeyK 0 19 doesnot needtobe hanged.
TheKDCgeneratesuni astmessagesformembern
8 ([K 38 ;K 0 18 ℄andmember u 3
([+38℄),andmulti ast message[9: 89;18:18;fK 0 79 g k 7 ;fK 0 59 g K 56 ℄. Membern 8
deletes all its known keys and repla es them by those just
re- eived.Membern
9
updatesitskeys.Membersn
7
andkeyk
56
'sholdersextra t
their parts and update their keys. Membern
3 derives K 0 38 . Key K 18 's holders refreshK 0 18 . 5 Evaluation
Inthisse tion,we omparethepropertiesoftheEHBTalgorithmwiththeother
algorithmsintrodu edinse tion2:PRGT 2
(Canettiet al.),HBT+(Caronniet
al),OFT (M Grew and Sherman) andELK (Perrig).We fo us our riteriaon
KDC omputation,joinedmember omputation(forinsertions),sibling
ompu-tation (sibling to the joining/leaving member), size of the multi ast message,
sizeoftheuni astmessagesandstorageatbothKDCandmembers.
Thenotationsusedinthis se tionare:
2
d heightofthetree(forabalan edtreed=log
2 n)
I sizeofakeyindexinbits
K sizeofakeyinbits
G keygeneration
H hashfun tionexe ution
X xoroperation
E en ryptionoperation
D de ryptionoperation
Table1summarizes the omputationrequired from theKDC,joined
mem-berandsiblingtojoinedmember,andmessagesizeofjoiningmember'suni ast
message,sibling'suni astmessageandmulti astmessageduringsinglejoin
op-erations.
Table1.Singlejoinoperationequations.
S heme/ Computation Messagesize
Resour e KDC Joinmemb er Sibmemb er Joinuni astSibuni astMulti ast
EHBT G+(d+1)(X+H+E) (d+1)D (d+1)(X+H) (d+1)K I dI
PRGT 2G+dH+(d+1)E (d+1)D D+dH (d+1)K I+K dI
HBT+ 2G+dH+(d+1)E (d+1)D D+dH (d+1)K I+K dI
OFT G+(d+1)H+dX+3dE (d+1)D+d(H+X)2D+d(H+X) (d+1)K I+2K (d+1)K
ELK G+(4n 2)Eand(d+3)E (d+1)D 2dEand2E (d+1)K I 0
Table2summarisesmultiplejoinoperationequations.Theparameters
anal-ysedarethesameparametersusedin Table1.Theequationsarevalidfor
mul-tiplejoinswhentheoriginalnumberofmembersisdoubledafterthemassjoin,
whi hmeansthat everyoldmembergetsanewsibling(a newmember)andall
thekeysin thetreeareae ted. Thisrepresentstheworst asepossibleforjoin
operations.Forthesakeoftheequationsin thistable,n istheoriginalnumber
ofmembersin thegrouppreviouslytothemassjoin,butdisthenewheightof
thetreeafterthemassjoin.
Table 2.Multiplejoinoperationequations.
S heme/ Computation Messagesize
Resour e KDC Joinmemb er Sibmemb er Joinuni ast Sibuni ast Multi ast
EHBT nG+(3n 1)(X+H)+n(d+1)E (d+1)D (d+1)(X+H) n:(d+1)K n:I (n 1)I
PRGT 2nG+(n 1)H+n(d+2)E (d+1)D D+dH n:(d+1)K n:I+K (n 1)I HBT+ 2nG+(n 1)H+n(d+2)E (d+1)D D+dH n:(d+1)K n:I+K (n 1)I nG+(4n 2)(H+X)+ (d+1)D + 2D + OFT (nd+5n 1)E d(H+X) d(H+X) n:(d+1)K n:I+2K (2n 2)K
ELK (8n 2)EandnG+n(d+3)E (d+1)D 2dEand2E n:(d+1)K n:I 0
EHBT requires less omputation than the other s hemes, but it loses out
insertedneedstobesenttothesiblingofthejoiningmember.However,thisrises
twoissues:rst,ateveryintervaltheKDChastorefreshallits2n-1keys,whi h
implies unne essary work for the KDC; se ond, this s heme does notsupport
rekey on membership hanges (regarding join operations). Additionally, ELK
imposessomedelayonthejoining memberbeforehere eivesthegroupkey.
Table 3.Singleleaveoperationequations.
S heme/ Computation
Resour e KDC Sibmemb er
Multi ast
EHBT d(X+H+E) d(X+H) I+dK
PRGT (2d+1)E D+dE I+(d+1)K
HBT+ 2dE dD I+2dK
OFT d(H+X+E)D+d(H+X) I+(d+1)K
ELK 8dE dD+5dE I+d(n
1 +n
2 )
Table3summarizestheKDC omputation, sibling omputation and
multi- astmessagesizeduring singleleaveoperations.Wealsoanalysetheequations
ofmultiple leaveoperations,andweshowtheresultsinTable4.Formass
leav-ing,we onsiderthesituationwhenexa tlyhalf ofthegroupmembersleavethe
group.Thesibling of everyleavingmember remainsin thetree,and hen e,all
keysin thetreeareae ted.
Table4.Multipleleaveoperationequations.
S heme/ Computation
Resour e KDC Sibmemb er
Multi ast
EHBT (2n 1)(X+H)+(n 1)E D+(d+1)(X+H) nI+(n 1)K
PRGT (5n=2 2)E D+dE (3n=2 1)K
HBT+ (2n 2)E dD nI+2(n 1)K
OFT (2n 2)H+(n 1)X+(3n 2)E(d+1)D+d(H+X) nI+(3n 2)K
ELK (7n 3)E dD+5dE nI+(n 1)(n
1 +n
2 )
Forleaving operations, again EHBTa hievesbetter resultsthan the other
s hemesregardingthe omputationsinvolved,butloses outtoELKwhen
om-paringthemulti astmessagesize.ELKhasaslightlysmallermulti astmessage
thanEHBT,be auseitsa ri esse urity.ELKusesonlyn
1 +n
2
bitsofatotal
K possiblebits forgeneratinganew keyandthis pro edure weakensthat key,
Consequently,anexpelledmemberneedsto omputeonly2 n1+n2
possibilitiesto
re overthenewkey.InEHBT,however,anexpelledmemberneedsto ompute
thefull2 K
operationstobrute-for ethenewkey.
Wehavesimulatedagroupwith8192 members.Forthe al ulationsofthe
multiple join operations,wedoubled the size of the group to 16384members,
WeusedJavaversion1.3andIAIK[4℄ ryptographi toolkitona850MhzMobile
PentiumIII pro essor.Ittakes1:7210 2
ms for RC5 to en rypt a16-bit key
with a16-bitkey, and1:7310 2
ms to de ryptit. Hashinga16-bit keytakes
4:9510 3
ms and xoring it takes1:5910 3
ms. Finally, generating a 16-bit
keystakes7:3310 3.ApplyingthesenumbersintoTables2and4produ esthe
resultsinTable5thatshowthatEHBTingeneralisfasterto omputethanthe
otherproto ols.
Table5.Timeinmillise ondsformultiplejoinsandleaves.
S heme/ MultipleJoin MultipleLeave
Resour e KDC Joinmemb erSibMemb er KDC Sibmemb er
EHBT 2334 0:25 0:09 248:03 0:10
PRGT 2415 0:25 0:08 352:22 0:24
HBT+ 2415 0:25 0:08 281:77 0:22
OFT 2951 0:35 0:12 516:78 0:32
ELK 1140+2455 0:25 0:48+0:031105:46 1:34
Finally,EHBTandtheothers hemesrequiretheKDCtostore2n 1keys
andmembersto stored+1keys.
6 Se urity Considerations
These urityoftheEHBTproto olreliesonthe ryptographi propertiesofthe
h fun tion. One{way hash fun tions, unfortunately, are not proven se ure [2℄;
nevertheless, for the time being, there has not been any su essful atta k on
eitherthefullMD5[7℄orSHA[1℄algorithms[10℄.
Taking intoa ounttheuseof hashfun tions asfun tion h,atta ksonthe
hiddenkeyarelimitedtobrute-for eatta k.Su hanatta k antake2 n
hashes
tondtheoriginalkey,withnbeingthenumberofbitsoftheoriginalkeyused
asinput.
Inordertoguaranteeba kwardse re yandforwardse re y,everytimethere
isamembership hange,thekeysrelatedtojoiningmembersorleavingmembers
are hanged.
Whenamemberisadded tothetree, allkeysheldby nodesin itsan estor
setare hangedtoavoidgivingthenewmembera esstopastinformation.For
example,seeFigure2,whenmembern
2
isinsertedinthetree,keyK
12 is reated and keysK 0 14 and K 0 18
arerefreshed. Node n
2
doesnothavea ess to the old
values, be ause it only re eivesthe new key values,whi h were hiddenby the
hashfun tion,andassumingthehashfun tion isse ure,n
2
hasnootherwayto
re overtheoldkeybut brute-for ingit.Thesameruleapplieswhen n
2 leaves;
keyK
12
is deleted from thetree andkeysK 0
14 andK
0
18
are updatedandsin e
n
2
Using one{way hash fun tions and xor operations, we onstru ted an eÆ ient
HBTproto olthat a hievesbetter overall performan e thanotherHBT
proto- ols. Ourproto ol, alledEHBT,requires only(Ilog
2
n)messagesizeforjoin
operations and (Klog
2
n) message size for leaving operations. Additionally,
EHBT requires thesame keystorage asother HBTproto ols, and it requires
mu hless omputationtorekeythetreeaftermembership hanges.
Referen es
1. N.F.P.180-1. Se ureHashStandard. NationalInstituteofStandardsand
Te h-nology,U.S.DepartmentofCommer e,DRAFT,May1994.
2. S.Bakhtiari,R.Safavi-Naini,andJ.Pieprzyk. Cryptographi HashFun tions:A
Survey. Te hni alReport95-09,UniversityofWollongong,July1995.
3. R.Canetti,J.Garay,G.Itkis,D.Mi ian io, M.Naorr,andB.Pinkas. Multi ast
Se urity:A Taxonomyand SomeEÆ ient Constru tions. InPro .ofINFOCOM
99,volume2,pages708{716,NewYok,NY,USA,Mar h1999.
4. I.-J. Group. IAIK, java{ rypto toolkit. Web site at
http://j ewww.iaik.tu-graz.a .at/index.htm.
5. D.A.M GrewandA.T.Sherman. KeyEstablishmentinLargeDynami Groups
UsingOne-WayFun tionTrees. Te hni alReportNo.0755,TISLabsatNetwork
Asso iates,In .,Glenwood,MD,May1998.
6. A. Perrig, D. Song, and J.D. Tygar. ELK,a New Proto ol for EÆ ient
Large-GroupKeyDistribution.In2001IEEESymposiumonSe urityandPriva y,
Oak-land,CA,USA,May2001.
7. R.Rivest. TheMD5Message-DigestAlgorithm. RFC1321,April1992.
8. R.Rivest. TheRC5en ryptionalgorithm. InFast SoftwareEn ryption,2 nd
Int.
Workshop, LNCS1008,pages86{96.Springer-Verslag,De ember1995.
9. B. S hneier. Applied Cryptography Se ond Edition: proto ols, algorithms, and
sour e ode inC. JohnWiley&Sons,In .,1996. ISBN0-471-11709-9.
10. W. Stallings. Cryptography and Network Se urity. Prenti e{Hall, 1998. ISBN
0-138-69017-0.
11. M. Steiner, G.Taudik, and M. Waidner. Cliques: A newapproa hto groupkey
agreement. Te hni alReportRZ2984,IBMResear h,De ember1997.
12. M. Waldvogel, G.Caronni, D. Sun, N. Weiler, and B. Plattner. TheVersaKey
Framework:VersatileGroupKey Management. IEEE Journal onSele ted Areas
inCommuni ations(Spe ialIssueonMiddleware),17(9):1614{1631,August1999.
13. D. Wallner,E. Harder,andR.Agee. KeyManagement forMulti ast:Issues and
Ar hite tures. RFC2627, June1999.
A Reasoning on Using Index i in Fun tion F
Indexiisin ludedintheformulaFtoavoidgivingthepossibilityformembersto
havea esstokeysthattheyarenotmeantto.Forexample,removingmember
n
2
inFigure4,meansnewkeysk 0 1 =U(k 1 ),k 0 14 =R(k 0 1 )andk 0 18 =R(k 0 14 ).
If,immediatelyaftermembern
2
hasleft thegroup,membern
0
joins itand
isinsertedasasibling ofn
1
,thenit meansnewkeysk 00 1 =U(k 0 1 ),k 10 =R(k 00 1 ) (newnoden 10 ),k 00 14 =U(k 0 14 )andk 00 18 =U(k 0 18 ).
Ifweremovei from fun tion F and insteadonly apply asimple hashh to
update keysthen the keysfrom the removal abovebe omek 0 1 =h(k 1 ), k 0 14 = h(k 0 1 )(orh(h(k 1 )))andk 0 18 =h(k 0 14 )(orh(h(h(k 1
))))andthekeysfromthejoin
be ome k 00 1 =h(k 0 1 ) (or h(h(k 1 ))), k 10 = h(k 00 1 ) (or h(h(h(k 1 )))), k 00 14 =h(k 0 14 ) and k 00 18 =h(k 0 18
). As one an see, key k
10 and k
0
18
are identi al, whi h means
that membern
0
anhavea ess topastmessagesen ryptedwithk 0
(ork
10 ).