EHBT: An efficient protocol for group key management

management ?

SandroRafaeli,LaurentMathy,andDavidHut hison

ComputingDepartment,Lan asterUniversity,LA14YR,Lan aster,UK

Abstra t. Severalproto olshavebeenproposedtodealwiththegroup

keymanagement problem.The most promising are thosebased on

hi-erar hi al binary trees. A hierar hi al binary tree of keys redu es the

sizeofthe rekeymessages,redu ing alsothestorageandpro essing

re-quirements.Inthispaper,wedes ribeaneweÆ ienthierar hi albinary

tree(EHBT)proto ol.Using EHBT,agroupmanager anusekeys

al-readyinthetreetoderivenewkeys.Usingpreviouslyknownkeyssaves

informationto betransmittedto memberswhenamembership hange

o ursandnewkeyshavetobe reatedorupdated.EHBT ana hieve

(I
log

2

n)messagesize(Iisthesizeofakeyindex)forjoin operations

and(K
log

2

n)messagesize(Kisthesizeofakey)forleaveoperations.

WealsoshowthattheEHBTproto oldoesnotin reasethestorageand

pro essingrequirementswhen omparedtootherHBTs hemes.

1 Introdu tion

With IPmulti ast ommuni ation,agroupmessageistransmitted toall

mem-bersofthegroup.EÆ ien yis learlya hievedasonlyonetransmissionisneeded

to rea hallmembers.Theproblems startbe auseanyma hine anjoin a

mul-ti ast group and start re eiving the messages sent to the group without the

sender'sknowledge. This hara teristi raises on ernsaboutpriva yand

se u-ritysin enoteverysenderwantstoalloweveryonetohavea esstoits

ommu-ni ation.

Cryptographi tools an be used to prote tgroup ommuni ation. An

en- ryptionalgorithmtakesinputdata (e.g.agroupmessage)and performssome

transformationsonitusingakey(wherethekeyisarandomlygenerated

num-ber).Thispro essgeneratesa ipheredmessage.Thereisnoeasywaytore over

theoriginalmessagefrom the ipheredtextotherthanbyknowingthekey[9℄.

Whenapplyingsu hte hnique,itispossibletorunse uremulti astsessions.

Group messages are prote ted by en ryption using a hosen key (group key).

Only those who knowthe group key are able to re overthe original message.

However, distributing the group key to valid members is a omplexproblem.

Althoughrekeyingagroupbefore thejoin ofanewmemberis trivial(sendthe

new group key to the old group membersen rypted with the old group key),

?

annotbeusedto distributeanewone,be ausetheleavingmemberknowsthe

oldkey.Agroupmanagermust,therefore,provideothers alableme hanismsto

rekeythegroup.

Severalresear hershavestudiedtheuseofahierar hi albinarytree(HBT)

for the group key management problem. Using an HBT, the key distribution

entre(KDC)maintainsatreeofkeys,wheretheinternalnodesofthetreehold

keyen ryptionkeys(KEKs)andtheleaves orrespondtogroupmembers.Ea h

leaf holds a KEKasso iated to that one member. Ea h memberre eives and

maintainsa opyoftheKEKasso iatedtoitsleafandtheKEKs orrespondent

to ea h an estor nodein thepath from its parent nodeto theroot. All group

memberssharekeyheldbytherootofthetree.Forabalan edtree,ea hmember

stores log

2

n+1 keys, where n is the number of members. This hierar hy is

exploredto a hievebetterperforman ewhenupdatingkeys.

Inthis paper, we propose aproto olto eÆ iently builtan HBT,whi h we

alltheEHBTproto ol.TheEHBTproto ola hieves(I
log

2

n)messagesizefor

additionoperationsand(K
log

2

n)messagesizeforremovaloperationskeeping

the storageand pro essingon both, lient and serversidesto aminimum. We

a hievethesebounds usingwell-knownte hniques,su h asaone{wayfun tion

andthexoroperator.

2 Related Work

Wallneretal[13℄werethersttoproposetheuseofanHBT.Intheirapproa h,

everytime thegroupmembership hanges, internal node keys(ae ted bythe

membership hange)are updatedandeverynewkeyisen rypted with ea h of

its hildren'skeysand then multi ast. A rekeymessage onveys2
log

2 n keys

forin ludingorremovingamember.

Caronniet al[12℄ proposed averysimilar proto ol to that of Wallner,but

theya hieveabetterperforman eregardingthe sizeof multi ast messagesfor

joining operations. We refer to this proto ol as HBT+. Instead of en rypting

new key values with their respe tive hildren's key, Caronni proposes to pass

thosekeysintoaone{wayfun tion.Onlytheindexesoftherefreshedkeysneed

to bemulti astandanindexsizeissmallerthanthekeysize.

An improvement to the hierar hi al binary tree approa h is the one{way

fun tiontree(OFT)proposedbyM GrewandSherman[5℄.Thekeysofanode's

hildren are blinded using a one{way fun tion and then mixed together using

the xoroperator.Theresultof this mixing is theKEKheld by thenode. The

improvementisduetothefa tthatwhenthekeyofanode hanges,itsblinded

versionisonlyen ryptedwiththekeyofitssiblingnode.Thus,therekeymessage

arriesjustlog

2 nkeys.

Canettietal[3℄proposedaslightlydierentapproa hthata hievesthesame

ommuni ationoverhead.Theirs hemeusesapseudo{random{generator(PRG)

ELK proto ol is verysimilar tothe OFT,but ELK usespseudo{random

fun -tions (PRFs) 1

to build and manipulate the keys in the tree. ELK employs a

timelyrekey,hen e,ateverytimeinterval,theKDCrefreshestherootkeyusing

thePRFfun tionandthenusesittoupdatethewholekeytree.Byderivingall

keys,ELKdoesnotrequireanymulti astmessagesduringajoin operation.All

members anrefreshtheirownkeys,hen enorekeymessageis required.When

membersaredeleted,asinOFT,newkeysaregeneratedfrombothits hildren's

keys.

3 EÆ ient Hierar hi al Binary Tree Proto ol

IntheEHBTproto ol,aKDCmaintainsatreeofkeys.Theinternalnodesofthe

treeholdKEKsandtheleaves orrespondtogroupmembers.Keysareindexed

byrandomly hosennumbers.Ea h leafholds ase retkeythatisasso iatedto

that member.Therootofthetreeholds a ommonkeytoallmembers.

An estorsofanodearethosenodesinthepathfromitsparentnodetothe

root. Theset of an estor ofanodeis alled an estorset. Ea h memberknows

only its own key (asso iated to itsleaf node) and keys orrespondent to ea h

nodeinitsan estorset.Forabalan edtree,ea hmemberstoreslog

2

n+1keys,

wherenisthenumberof members.

Inordertoguaranteeba kwardandforwardse re y[11℄,thekeysrelatedto

joining members orleaving membersshould be hanged every time thegroup

membership hanges. The new keys in the an estor set of an ae ted leaf are

generatedupwardsfromthekeyheldbytheae tedleaf'ssiblinguptotheroot.

Using keysthat arealreadyin thetree ansaveinformationto betransmitted

to members when a membership o urs and new keys have to be reated or

updated.

The formulaF(x;y) =h(xy) is used to generate keysfrom other keys,

wherehisaone{wayhashfun tionandisanormalxoroperator.Theobvious

fun tionalityoffun tionhistohidetheoriginalvalueofxandyintovaluezin

awaythat ifoneknowsonlyz he annotndtheoriginalvaluesx andy.The

fun tionalityofisto mixx andy andgenerateanewvalue.

We say that a key k

i an be refreshed by doing k 0 i = F(k i ;i), where i is

the index (or identier) of key k

i

or key k

i

an be updated by derivingone of

its hildrenkeybydoingk 0 i =F(k leftjright i ;i), wherek leftjright i

isthekeyof i's

either left orright hild. Appendix A des ribesthe reasonfor using index iin

fun tion F.

3.1 RekeyMessage Format

A member anre eivetwotypesofinformationin arekeymessage,onetelling

himtorefreshorupdatethevalueofakey,theothertellinghimthenewvalue

he re eives a key value. After deriving a key, amember will try to derive all

otherkeysbyhimself (fromthatkeyupto theroot) unlesshere eivesanother

informationtellinghimsomethingdierent.Forexample,ifkeyK

i

isrefreshed,

theKDCneedstosendtoK'sholderstheidenti ationofthekeysothatthey

anperformtherefreshoperationthemselves.Or,ifanodenhasitskeyupdated

(K 0

n =F(k

L

;n)),then itimpliessending to memberLthe indexn andto the

other hild,namelyR ,thenewkeyvalueK 0

n

(be auseRdoesnotknowL'skey).

` ` `

indexes and

commands

keys

+

i

+ j

` ` `

i

{K

j

}

Ki

Fig.1.Exampleofarekeymessage.

Therekeymessagethatrelaysthisinformationhastwoparts.Therstpart

arries ommands and the se ond arries keys. Ea h pie e of information is

indexed byakeyindex. Keysare en rypted withthe keyindi atedby thekey

index(seeFigure1),but ommandsarenoten ryptedbe ausetheydonot arry

vitalinformation. Based on ommands and keys, members annd outwhi h

keystheymustrefreshorupdate,orjustsubstitute,be ausetheyhavere eived

anewkeyvaluetoaspe i key.

Algorithm1:Readingrekeymessagealgorithm.

(1) re eiverekeymessage

(2) setlast ommandto"keepkey"

(3) whilethereisakeytobederived

(4) getakeyindexfromkey{list

(5) sear hindexespartofrekeymessage forkeyindex

(6) if thereisa ommand

(7) exe utethe ommandonthespe i key

(8) setlast ommandtothis ommand

(9) else

(10) sear hkeyspartoftherekeymessageforkeyindex

(11) if thereisakey

(12) substituteitinthekeylist

(13) setlast ommandto"update"

(14) if thereisno ommandorkey

(15) exe utelast ommandin urrentkey

Thealgorithmtohandlerekeymessagesstartswithamemberholdingalist

ofknownkeys(key{list).Afterexe utingthealgorithm,amemberwillhaveall

+ior iori are ommandstobeapplied onkeyi R(k i ) refreshk i applyingF(k i ;i) U(k i ) updatek j applyingF(k i ;j) fxg k en ryptionofx withk

j : ommand ommandtokeyj'sholder

[ ommands;keys℄ message ontaining ommandsandkeys

4 Basi Operations

Inthisse tion,wedes ribethebasi algorithmsforjoinandleaveoperationsfor

singleandmultiple ases.

u1

n14

K14

n18

K18

n1

k1

n34

K34

n2

k2

u1

n14

K'14

n18

K'18

n58

K58

n12

K12

n1

k'1

n34

K34

n58

K58

u2

Fig.2.Useru2 joinsthetree.

n1

k'1

n14

K'14

n12

K12

u1

u2

n2

k2

n43

K43

n58

K58

n18

K'18

n3

k3

n4

k'4

u4

u3

n1

k1

n14

K14

u1

u4

n4

k4

n58

K58

n18

K18

Fig.3.Usersu2 andu3 jointhetree.

Single Member Join Algorithm.Whenamemberjoins thegroup,it is

asso iatedto aleafnode n. TheKDCassigns arandomly hosenkeyk

n to n.

Leaf n is then in luded in the treeat the parent of the shallowest leaf node s

(to keepthetree asshortaspossible).Leafs isremovedfrom thetree, andin

its pla ea newnode pis inserted.Leavessand n areinserted asp's hildren.

Weseeanexamplein Figure2:Member2ispla edinleafn

2 ,whi hisinserted at noden 12 . Noden 12

be omesthenewparentofleavesn

1 andn 2 .Leaf n 2 is assignedkeyk 2 .

In order to keep the ba kward se re y, keys in n

1

's an estor set need to

re eivenewvalues.Keyk

1 isrefreshed(k 0 1 =R(k 1 )),K 12

re eivesavaluebased

onk 0 1 (K 12 =U(k 0 1 )) andkeysK 14 and K 18 are refreshed(K 0 14 =R(K 14 ) and K 0 18 =R(K 18 )).

Notethat duringajoin operation,keys,whi hwerealreadyin thetree,are

just refreshed. Members holding those keys only need to be told those keys'

indexestobeabletogeneratetheirnewvalues,whi hmeansthatthesekeysdo

nothavetobetransmitted.Inthesameway,membersthathadtheirkeysused

forgeneratingnewkeysjust haveto betoldtheindexofthenewkeyandthey

an generatethat keybythemselves.

TheKDCgeneratesuni astmessagesformembern

2 ([k 2 ;K 12 ;K 0 14 ;K 0 18 ℄)and

2 1

re eives its uni ast message and derives key K

12

, in luding it in its key{list.

MembersholdingkeysK

14 andK

18

refreshthesekeys.

MultipleMembersJoin Algorithm.Several newmembersareinserted

inthetreeasinthesinglememberjoinalgorithm.Theyareasso iatedtonodes

and the nodes are pla ed at the parent of the shallowest leaves. However,the

keysinthetreearemodiedinaslightlydierentmanner.Newnodes'an estor

sets onvergeatsomepointandallkeysthat areinmorethanonean estorset

aremodiedonlyon e.

SeeFigure3foranexample.Membersu

2 andu

3

joined thegroupandhave

beenpla edatnodesn

12 andn

43

,respe tively.Followingthesinglememberjoin

algorithm, thekeysin memberu

2

'san estorsetare hanged:rst,k 0 1 =R(k 1 ), andthen,K 12 =U(k 0 1 ),K 14 =R(K 14 ),K 0 18 =R(K 18

).Inthesameway,keysin

memberu

3

'san estorsetare hanged:rst,k 0 4 =R(k 4 ),andthen,K 43 =U(k 0 4 ). KeysK 12 andK 18

havealreadybeen hangedbe auseofmemberu

2

,hen ethey

arenot hangedagain.

The KDC generates uni ast messages for member n

2 ([k2;K12;K 0 14 ;K 0 18 ℄), membern 3 ([k3;K43;K 0 14 ;K 0 18 ℄),memberu 1 ([+12℄)andmemberu 4 ([+43℄),and multi astmessage[14:14;18:18℄. Membersu 2 andu 3

re eivetheiruni astmessagesand reatetheirrespe tive

key{lists.Memberu

1

re eivestheuni astmessage,deriveskeyK

12

,andin ludes

itinitskey{list.Memberu

4

doesthesamewithkeyK

43

.Membersholdingkeys

K

14 andK

18

refreshthesekeys.

u1

n14

K'14

n18

K'18

n1

k'1

n34

K34

n2

k2

u1

n14

K14

n18

K18

n58

K58

n12

K12

n1

k1

n34

K34

n58

K58

u2

Fig.4.Useru2 leavesthetree.

n1

k'1

n14

K'14

u1

n34

K34

u5

n58

K'58

n78

K78

n5

k'5

n18

K'18

n1

k'1

n14

K14

n12

K12

u1

u2

n2

k2

n34

K34

u5

n56

K56

n58

K58

n78

K78

n5

k5

u6

n6

k6

n18

K'18

Fig.5.Usersu2andu6 leavethetree.

SingleMemberLeaveAlgorithm.Whenamemberuleavesorisremoved

from thegroup,its siblingsrepla esitsparentp.Moreover,allkeysknownby

u should beupdated to guarantee forwardse re y. For example,see Figure 4:

u

2

leaves(orisremovedfrom)thegroupanditsnodeisremovedfromthetree.

Noden

12

isalsoremovedandleafn

1

ispromotedtoitspla e.

Inordertokeeptheforwardse re y,keysinn

1

'san estorsetneedtore eive

new values.Keys K

14 andK 18 have to be updated:k 0 1 =R(k 1 ),K 0 14 =U(k 0 1 ) andK 0 18 =U(K 0 14 ).

thenewvaluesareallgeneratedfrom theremovedmember'ssiblingkey,whi h

wasnotknownby theremovedmember,theremovedmember annot ndthe

newvalues.

TheKDCgeneratesmulti astmessage[1: 12;fK 0 14 g K 34 ;fK 0 18 g K 58 ℄. Membern 1 refreshes k 0 1

and, be ause it has removed K

12

, it updates K

14

andK

18

.MembersholdingkeyK

34

getnewkeyK 0

14

andthenupdate keyK

18 .

MembersholdingkeyK

58

getnewkeyK 0

18 .

Multiple Members Leave Algorithm. This algorithm is handled

simi-larlytothesinglememberleavealgorithm.Theleavingnodesareremovedand

thetree shapeisadjusted a ordingly.Asin themultiple join algorithm, there

anbeseveraldierentpathfromremovednodestotheroot,whi hmeansthat

therootkey anbeupdatedbyseveralnodes(seeFigure5).

Inordertoavoidseveralrootkeyversions forthesameoperation,theKDC

hooses one of the paths and use it to update the root key. For example, in

Figure5,n

2 andn

6

leavethegroupandnodesn

1 andn

5

arepromotedtotheir

respe tiveparents'pla es(n

12 andn

56

).Bothareusedtoderivetheirnewparent

keysK 0 14 andK 0 58

,butthentheyboth annotbeusedtoupdatekeyK 0

18

.Inthis

ase,theKDC hoosesoneofthemtoupdatekeyK 0

18

andtheotherwillre eive

theupdatedkey.Forinstan e,theKDC hoosesnoden

1

andthenthekeysare

updatedas follows:k 0 1 =R(k 1 ),K 0 14 =U(k 0 1 ), K 0 18 =U(K 0 14 ),k 0 5 =R(k 5 ) and K 0 58 =U(k 0 5 ).

TheKDCgeneratesmulti ast message[1: 12;5: 56;f K 0 14 g K 34 ;fK 0 58 g K 78 ; fK 0 18 g K 0 58 ℄. Membern 1 refreshes k 0 1

and, be ause it has removed K

12 , it updates K 0 14 andK 0 18 .KeyK 34 'sholdersre overK 0 14 andupdate K 0 18 .Membern 5 refreshes k 0 5 andupdatesK 0 58

,but sin ethere isanewkeyen ryptedwithK 0

58 ,n

5 stops

updating its keys and just re oversK 0 18 . Key K 78 's holders re over K 0 58 and,

sin ethereisakeyen rypted withit,theyjustre overK 0

18 .

Rebalan ing.The eÆ ien y of thekeytree depends ru ially on whether

thetreeremainsbalan edornot.Atreeissaidtobebalan edifnoleafismu h

furtherawayfromtherootthananyotherleaf.Ingeneral,forabalan edbinary

tree with n leaves, the distan e from theroot to any leaf is log

2

n, but if the

tree isunbalan ed,thedistan e from theroot to aleaf anbe ome ashigh as

n.Therefore,itisdesirableto keepakeytreeasbalan edaspossible.

Therebalan ingworksbygettingtheshallowestanddeepest internalnodes

and omparingtheirdepths. If thedepth gap islargerthantwothen itmeans

thatthetreeisunbalan edandneedstobelevelled.Forbalan ingthetree,the

deepestleafnodeisremoved,whi hmakesitssiblingtogoonelevelup(similarly

totheremovingalgorithm),andinsertedattheshallowestnode(similarlytothe

insertingalgorithm).Thispro edureisrepeateduntilthedieren ebetweenthe

depthsoftheshallowestandthedeepestnodesissmallerthantwo.

Ina rebalan ing operation, the deepest node, whi h has beenmovedfrom

deletion areperformedsimultaneously.

n1

k1

n18

K'18

n12

K12

u1

u2

n2

k2

n38

K38

u5

n56

K56

n59

K'59

n79

K'79

n5

k5

u6

n6

k6

u7

n7

k7

n9

k'9

u9

n19

K'19

n8

k8

n3

k'3

u3

u8

n1

k1

n18

K18

n12

K12

u1

u2

n2

k2

n89

K89

u5

n56

K56

n59

K59

n79

K79

n5

k5

u6

n6

k6

u7

n7

k7

n9

k9

u9

n19

K19

n8

k8

n3

k3

u3

u8

Fig.6.Rebalan ingthetree.

See Figure 6 for an example. The tree needs a rebalan ing, so leaf n

8 is

deleted from its original position (n

89

)and insertedinto anew position (n

38 ).

Thedeletionstartsaremovaloperationwithleafn

9

updatingthenewkeys.At

the same time, leaf n

3

starts refreshing the keys on its path (as an insertion

requires). The new keysare al ulated as follows: k 0 9 = R(k 9 ), K 0 79 = U(k 0 9 ), K 0 59 =U(K 0 79 ),k 0 3 =R(k 3 ),K 38 =U(k 0 3 )andK 0 18 =R(K 0 18 ).KeyK 0 19 doesnot needtobe hanged.

TheKDCgeneratesuni astmessagesformembern

8 ([K 38 ;K 0 18 ℄andmember u 3

([+38℄),andmulti ast message[9: 89;18:18;fK 0 79 g k 7 ;fK 0 59 g K 56 ℄. Membern 8

deletes all its known keys and repla es them by those just

re- eived.Membern

9

updatesitskeys.Membersn

7

andkeyk

56

'sholdersextra t

their parts and update their keys. Membern

3 derives K 0 38 . Key K 18 's holders refreshK 0 18 . 5 Evaluation

Inthisse tion,we omparethepropertiesoftheEHBTalgorithmwiththeother

algorithmsintrodu edinse tion2:PRGT 2

(Canettiet al.),HBT+(Caronniet

al),OFT (M Grew and Sherman) andELK (Perrig).We fo us our riteriaon

KDC omputation,joinedmember omputation(forinsertions),sibling

ompu-tation (sibling to the joining/leaving member), size of the multi ast message,

sizeoftheuni astmessagesandstorageatbothKDCandmembers.

Thenotationsusedinthis se tionare:

2

d heightofthetree(forabalan edtreed=log

2 n)

I sizeofakeyindexinbits

K sizeofakeyinbits

G keygeneration

H hashfun tionexe ution

X xoroperation

E en ryptionoperation

D de ryptionoperation

Table1summarizes the omputationrequired from theKDC,joined

mem-berandsiblingtojoinedmember,andmessagesizeofjoiningmember'suni ast

message,sibling'suni astmessageandmulti astmessageduringsinglejoin

op-erations.

Table1.Singlejoinoperationequations.

S heme/ Computation Messagesize

Resour e KDC Joinmemb er Sibmemb er Joinuni astSibuni astMulti ast

EHBT G+(d+1)(X+H+E) (d+1)D (d+1)(X+H) (d+1)K I dI

PRGT 2G+dH+(d+1)E (d+1)D D+dH (d+1)K I+K dI

HBT+ 2G+dH+(d+1)E (d+1)D D+dH (d+1)K I+K dI

OFT G+(d+1)H+dX+3dE (d+1)D+d(H+X)2D+d(H+X) (d+1)K I+2K (d+1)K

ELK G+(4n 2)Eand(d+3)E (d+1)D 2dEand2E (d+1)K I 0

Table2summarisesmultiplejoinoperationequations.Theparameters

anal-ysedarethesameparametersusedin Table1.Theequationsarevalidfor

mul-tiplejoinswhentheoriginalnumberofmembersisdoubledafterthemassjoin,

whi hmeansthat everyoldmembergetsanewsibling(a newmember)andall

thekeysin thetreeareae ted. Thisrepresentstheworst asepossibleforjoin

operations.Forthesakeoftheequationsin thistable,n istheoriginalnumber

ofmembersin thegrouppreviouslytothemassjoin,butdisthenewheightof

thetreeafterthemassjoin.

Table 2.Multiplejoinoperationequations.

S heme/ Computation Messagesize

Resour e KDC Joinmemb er Sibmemb er Joinuni ast Sibuni ast Multi ast

EHBT nG+(3n 1)(X+H)+n(d+1)E (d+1)D (d+1)(X+H) n:(d+1)K n:I (n 1)I

PRGT 2nG+(n 1)H+n(d+2)E (d+1)D D+dH n:(d+1)K n:I+K (n 1)I HBT+ 2nG+(n 1)H+n(d+2)E (d+1)D D+dH n:(d+1)K n:I+K (n 1)I nG+(4n 2)(H+X)+ (d+1)D + 2D + OFT (nd+5n 1)E d(H+X) d(H+X) n:(d+1)K n:I+2K (2n 2)K

ELK (8n 2)EandnG+n(d+3)E (d+1)D 2dEand2E n:(d+1)K n:I 0

EHBT requires less omputation than the other s hemes, but it loses out

insertedneedstobesenttothesiblingofthejoiningmember.However,thisrises

twoissues:rst,ateveryintervaltheKDChastorefreshallits2n-1keys,whi h

implies unne essary work for the KDC; se ond, this s heme does notsupport

rekey on membership hanges (regarding join operations). Additionally, ELK

imposessomedelayonthejoining memberbeforehere eivesthegroupkey.

Table 3.Singleleaveoperationequations.

S heme/ Computation

Resour e KDC Sibmemb er

Multi ast

EHBT d(X+H+E) d(X+H) I+dK

PRGT (2d+1)E D+dE I+(d+1)K

HBT+ 2dE dD I+2dK

OFT d(H+X+E)D+d(H+X) I+(d+1)K

ELK 8dE dD+5dE I+d(n

1 +n

2 )

Table3summarizestheKDC omputation, sibling omputation and

multi- astmessagesizeduring singleleaveoperations.Wealsoanalysetheequations

ofmultiple leaveoperations,andweshowtheresultsinTable4.Formass

leav-ing,we onsiderthesituationwhenexa tlyhalf ofthegroupmembersleavethe

group.Thesibling of everyleavingmember remainsin thetree,and hen e,all

keysin thetreeareae ted.

Table4.Multipleleaveoperationequations.

S heme/ Computation

Resour e KDC Sibmemb er

Multi ast

EHBT (2n 1)(X+H)+(n 1)E D+(d+1)(X+H) nI+(n 1)K

PRGT (5n=2 2)E D+dE (3n=2 1)K

HBT+ (2n 2)E dD nI+2(n 1)K

OFT (2n 2)H+(n 1)X+(3n 2)E(d+1)D+d(H+X) nI+(3n 2)K

ELK (7n 3)E dD+5dE nI+(n 1)(n

1 +n

2 )

Forleaving operations, again EHBTa hievesbetter resultsthan the other

s hemesregardingthe omputationsinvolved,butloses outtoELKwhen

om-paringthemulti astmessagesize.ELKhasaslightlysmallermulti astmessage

thanEHBT,be auseitsa ri esse urity.ELKusesonlyn

1 +n

2

bitsofatotal

K possiblebits forgeneratinganew keyandthis pro edure weakensthat key,

Consequently,anexpelledmemberneedsto omputeonly2 n1+n2

possibilitiesto

re overthenewkey.InEHBT,however,anexpelledmemberneedsto ompute

thefull2 K

operationstobrute-for ethenewkey.

Wehavesimulatedagroupwith8192 members.Forthe al ulationsofthe

multiple join operations,wedoubled the size of the group to 16384members,

WeusedJavaversion1.3andIAIK[4℄ ryptographi toolkitona850MhzMobile

PentiumIII pro essor.Ittakes1:72
10 2

ms for RC5 to en rypt a16-bit key

with a16-bitkey, and1:73
10 2

ms to de ryptit. Hashinga16-bit keytakes

4:95
10 3

ms and xoring it takes1:59
10 3

ms. Finally, generating a 16-bit

keystakes7:33
10 3.ApplyingthesenumbersintoTables2and4produ esthe

resultsinTable5thatshowthatEHBTingeneralisfasterto omputethanthe

otherproto ols.

Table5.Timeinmillise ondsformultiplejoinsandleaves.

S heme/ MultipleJoin MultipleLeave

Resour e KDC Joinmemb erSibMemb er KDC Sibmemb er

EHBT 2334 0:25 0:09 248:03 0:10

PRGT 2415 0:25 0:08 352:22 0:24

HBT+ 2415 0:25 0:08 281:77 0:22

OFT 2951 0:35 0:12 516:78 0:32

ELK 1140+2455 0:25 0:48+0:031105:46 1:34

Finally,EHBTandtheothers hemesrequiretheKDCtostore2n 1keys

andmembersto stored+1keys.

6 Se urity Considerations

These urityoftheEHBTproto olreliesonthe ryptographi propertiesofthe

h fun tion. One{way hash fun tions, unfortunately, are not proven se ure [2℄;

nevertheless, for the time being, there has not been any su essful atta k on

eitherthefullMD5[7℄orSHA[1℄algorithms[10℄.

Taking intoa ounttheuseof hashfun tions asfun tion h,atta ksonthe

hiddenkeyarelimitedtobrute-for eatta k.Su hanatta k antake2 n

hashes

tondtheoriginalkey,withnbeingthenumberofbitsoftheoriginalkeyused

asinput.

Inordertoguaranteeba kwardse re yandforwardse re y,everytimethere

isamembership hange,thekeysrelatedtojoiningmembersorleavingmembers

are hanged.

Whenamemberisadded tothetree, allkeysheldby nodesin itsan estor

setare hangedtoavoidgivingthenewmembera esstopastinformation.For

example,seeFigure2,whenmembern

2

isinsertedinthetree,keyK

12 is reated and keysK 0 14 and K 0 18

arerefreshed. Node n

2

doesnothavea ess to the old

values, be ause it only re eivesthe new key values,whi h were hiddenby the

hashfun tion,andassumingthehashfun tion isse ure,n

2

hasnootherwayto

re overtheoldkeybut brute-for ingit.Thesameruleapplieswhen n

2 leaves;

keyK

12

is deleted from thetree andkeysK 0

14 andK

0

18

are updatedandsin e

n

2

Using one{way hash fun tions and xor operations, we onstru ted an eÆ ient

HBTproto olthat a hievesbetter overall performan e thanotherHBT

proto- ols. Ourproto ol, alledEHBT,requires only(I
log

2

n)messagesizeforjoin

operations and (K
log

2

n) message size for leaving operations. Additionally,

EHBT requires thesame keystorage asother HBTproto ols, and it requires

mu hless omputationtorekeythetreeaftermembership hanges.

Referen es

1. N.F.P.180-1. Se ureHashStandard. NationalInstituteofStandardsand

Te h-nology,U.S.DepartmentofCommer e,DRAFT,May1994.

2. S.Bakhtiari,R.Safavi-Naini,andJ.Pieprzyk. Cryptographi HashFun tions:A

Survey. Te hni alReport95-09,UniversityofWollongong,July1995.

3. R.Canetti,J.Garay,G.Itkis,D.Mi ian io, M.Naorr,andB.Pinkas. Multi ast

Se urity:A Taxonomyand SomeEÆ ient Constru tions. InPro .ofINFOCOM

99,volume2,pages708{716,NewYok,NY,USA,Mar h1999.

4. I.-J. Group. IAIK, java{ rypto toolkit. Web site at

http://j ewww.iaik.tu-graz.a .at/index.htm.

5. D.A.M GrewandA.T.Sherman. KeyEstablishmentinLargeDynami Groups

UsingOne-WayFun tionTrees. Te hni alReportNo.0755,TISLabsatNetwork

Asso iates,In .,Glenwood,MD,May1998.

6. A. Perrig, D. Song, and J.D. Tygar. ELK,a New Proto ol for EÆ ient

Large-GroupKeyDistribution.In2001IEEESymposiumonSe urityandPriva y,

Oak-land,CA,USA,May2001.

7. R.Rivest. TheMD5Message-DigestAlgorithm. RFC1321,April1992.

8. R.Rivest. TheRC5en ryptionalgorithm. InFast SoftwareEn ryption,2 nd

Int.

Workshop, LNCS1008,pages86{96.Springer-Verslag,De ember1995.

9. B. S hneier. Applied Cryptography Se ond Edition: proto ols, algorithms, and

sour e ode inC. JohnWiley&Sons,In .,1996. ISBN0-471-11709-9.

10. W. Stallings. Cryptography and Network Se urity. Prenti e{Hall, 1998. ISBN

0-138-69017-0.

11. M. Steiner, G.Taudik, and M. Waidner. Cliques: A newapproa hto groupkey

agreement. Te hni alReportRZ2984,IBMResear h,De ember1997.

12. M. Waldvogel, G.Caronni, D. Sun, N. Weiler, and B. Plattner. TheVersaKey

Framework:VersatileGroupKey Management. IEEE Journal onSele ted Areas

inCommuni ations(Spe ialIssueonMiddleware),17(9):1614{1631,August1999.

13. D. Wallner,E. Harder,andR.Agee. KeyManagement forMulti ast:Issues and

Ar hite tures. RFC2627, June1999.

A Reasoning on Using Index i in Fun tion F

Indexiisin ludedintheformulaFtoavoidgivingthepossibilityformembersto

havea esstokeysthattheyarenotmeantto.Forexample,removingmember

n

2

inFigure4,meansnewkeysk 0 1 =U(k 1 ),k 0 14 =R(k 0 1 )andk 0 18 =R(k 0 14 ).

If,immediatelyaftermembern

2

hasleft thegroup,membern

0

joins itand

isinsertedasasibling ofn

1

,thenit meansnewkeysk 00 1 =U(k 0 1 ),k 10 =R(k 00 1 ) (newnoden 10 ),k 00 14 =U(k 0 14 )andk 00 18 =U(k 0 18 ).

Ifweremovei from fun tion F and insteadonly apply asimple hashh to

update keysthen the keysfrom the removal abovebe omek 0 1 =h(k 1 ), k 0 14 = h(k 0 1 )(orh(h(k 1 )))andk 0 18 =h(k 0 14 )(orh(h(h(k 1

))))andthekeysfromthejoin

be ome k 00 1 =h(k 0 1 ) (or h(h(k 1 ))), k 10 = h(k 00 1 ) (or h(h(h(k 1 )))), k 00 14 =h(k 0 14 ) and k 00 18 =h(k 0 18

). As one an see, key k

10 and k

0

18

are identi al, whi h means

that membern

0

anhavea ess topastmessagesen ryptedwithk 0

(ork

10 ).