Group Key Management Scheme for Simultaneous Multiple Groups with Overlapped Membership Andrew Moore 9/27/2011.


Overview
∙ Review of Group Communication
∙ Background Information
∙ Scheme Definitions
∙ Protocol Discussion
∙ Example
∙ Results
∙ Conclusion

Secure group communication
∙ Group communication is a means for members of a group to exchange messages with one another
  ∙ Static group: existing group members never leave and new members never join the group for the entire lifetime of the group.
  ∙ Dynamic group: new members join the group and existing members leave the group during the lifetime of the group.
∙ Secure group communication
  ∙ Forward access control: an old member cannot read future messages
  ∙ Backward access control: a new member cannot read past messages
  ∙ Rekeying: change group keys to facilitate access control

Group Communication (cont.)
∙ Group key management
  ∙ Centralized group key management schemes or protocols: these schemes employ a trusted centralized entity called the Key Distribution Center (KDC), which controls the whole group [2][3].
  ∙ Decentralized group key management schemes or protocols: the responsibility of managing the large group is divided among subgroup managers [4].
  ∙ Distributed or contributory group key management schemes and protocols: there is no KDC, and all group members contribute to generating the group key [5][6]. Access control is also done by the group members.
∙ Example of centralized group key management
  ∙ The Key Distribution Center (KDC) manages groups by organizing keys in a key tree
  ∙ Each leaf is a user that has a private key and a group key to encrypt/decrypt

Group Communication (cont.)
∙ Multiple users in multiple groups
∙ Shamir's secret sharing
∙ Key-User Tree (KUT)
∙ Multiple groups are a collection of subgroups
∙ Each subgroup consists of distinct users and is secure
∙ Group members communicate with group key
∙ Secure multiple groups are a collection of secure subgroups

Overlapping Membership
[Figure 1: three overlapping groups, Group A (8 users), Group B (9 users) and Group C (9 users)]
Overlapping membership is defined for the members of Group i for whom Group i is the parent group and who want to communicate with members of other groups Group j, where i ≠ j and i, j = 1, 2, 3.
1) The overlapping memberships of the group members of parent Group A:
  ∙ One of the members of Group A (colored green) wants to communicate with Group C. This can be seen in the area A ∩ C of Fig 1, so that user is said to have an overlapping membership with Group C.
  ∙ Likewise, a member of Group A in A ∩ B has overlapping membership with Group B.
2) The overlapping memberships of the group members of parent Group B:
  ∙ A member of Group B in B ∩ A has an overlapping membership with Group A.
  ∙ A member of Group B in B ∩ C has an overlapping membership with Group C.
3) The overlapping memberships of the group members of parent Group C:
  ∙ A member of Group C in C ∩ A has an overlapping membership with Group A.
  ∙ A member of Group C in C ∩ B has an overlapping membership with Group B.
  ∙ A member of Group C in C ∩ B ∩ A has overlapping memberships with both Group A and Group B.
The group members who have overlapping membership with non-parental groups (groups other than the group member's parent group) should be given the group keys of the non-parental groups. A group member with overlapping membership can then communicate with a non-parental group using these group keys.

Lagrange Form of the Interpolation Polynomial
∙ Interpolation: given a set of points, find a polynomial that goes through all points in the set
∙ Lagrange form: the polynomial of least degree in which each x corresponds to a y
  ∙ Not unique
  ∙ No x can be the same
∙ Given k points, distinct polynomials are constructed using the following equations (1)

Lagrange (cont.)
∙ P1 = {(x1,y1),…,(xk,yk)}
∙ P2 = {(x1,y1),…,(xm,ym)}
∙ |P1| = |P2| = k
∙ No xi in P1 is the same (same for P2)
∙ Let:
  ∙ P1 ∩ P2 = {(x1,y1),…,(xk−1,yk−1)} and |P1 ∩ P2| = k−1
  ∙ P1 ∪ P2 = (P1 ∩ P2) ∪ {(xk,yk), (xm,ym)} and |P1 ∪ P2| = k+1
∙ P1 and P2 are distinct sets of points (∩ = and, ∪ = or)
P1 ∩ P2 contains all the points common to both P1 and P2. By adding the point (xk,yk) to the set P1 ∩ P2 and using (1), a polynomial P1(x) of degree k−1 can be constructed. Likewise, by adding the point (xm,ym) to P1 ∩ P2 and using (1), another distinct polynomial P2(x) of degree k−1 can be constructed.

Lagrange (cont.)
∙ P1 ∩ P2 contains all the points common to both P1 and P2
∙ Adding (xk,yk) to P1 ∩ P2 and using (1) from slide 7 yields a polynomial P1(x) where the degree is k−1
∙ Adding (xm,ym) to P1 ∩ P2 and using (1) from slide 7 yields a polynomial P2(x) where the degree is k−1
∙ P1(x) and P2(x) share y-intercept

Lagrange (cont.): Lemma
∙ S = {(x1,y1),…,(xk−1,yk−1)}, where each xi and yi, i = 1,…,k−1, is chosen from GF(p)
  ∙ Each xi is unique
  ∙ p is a sufficiently large prime
∙ Add a point (xk,yk) such that xk ≠ xj for all j = 1,…,k−1 in S
∙ Using (1), a polynomial of degree k−1 can be constructed
∙ For each distinct (xi,yi), i = 1,…,n, not in S, n polynomials can be constructed
  ∙ n polynomials for n + k − 1 points

Scheme Definitions
∙ U = {u1,…,un} is the set of n users
∙ S1,…,Sm are m groups comprising distinct subsets of users
∙ x -> y: z denotes sending a message from x to y (unicast or multicast)
∙ {M}K: encrypt message M with key K
∙ userset(K): users who have key K

Scheme Definitions (cont.)
∙ uk -> KDC : (J,Si), join request from user uk to group Si (could be a set of users)
∙ uk -> KDC : (L,Si), leave request from user uk whose parent group is Si
∙ uk -> KDC : (J,Si,Sj), join request from user uk to group Sj whose parent group is Si
∙ uk -> KDC : (L,ε,Sj), leave request from user uk who has no parent group to leave group Sj

Scheme Definitions (cont.)
∙ Joining point: node of the KUT where a newly joined user is attached
∙ Parent group: the joining point of the user is defined in the right subtree of the corresponding KUT for the group
∙ Non-parental group: the joining point of the user is defined in the left subtree of the corresponding KUT for the group
∙ Storage cost: number of points used to construct group keys and the number of auxiliary keys

Key User Tree
∙ Constructed by the KDC for each group
∙ Partially based on the Logical Key Tree (LKT)
∙ User categories: in a multiple-group scenario with overlapping membership, the users of a group are categorized into two kinds.
  1) Parent group users: users who initially join the group and users who have only one joining point, at the right subtree of the KUT.
  2) Non-parental group users: users joining from other groups.

Key User Tree (cont.)
[Figure 2: structure of the KUT, with labels: arbitrary key K of KDC, user node, group key G, LKT]
∙ The LKT is constructed as in [2] by the KDC for the parent group users. The group key G of the parent group users is the root of the constructed LKT.
∙ With t parent group users, the height of the constructed LKT is ⌈log2 t⌉.
∙ The KDC constructs the KUT as follows (refer to Fig 2):
  ∙ It chooses an arbitrary key K, which is made the root of the KUT.
  ∙ The right child of the root node K of the KUT is the LKT constructed by the KDC, rooted at the group key G of the group.
  ∙ The left child of the root node K of the KUT is the binary tree of the user nodes of the non-parental groups. This left subtree is rooted at the user node of the non-parental user who sent the first non-parental group join request.
∙ With k non-parental group users, the left subtree is a binary tree with ui, i = 1,…,k, as nodes and u1 as the root.

Key User Tree (cont.)
[Figure: KUT of S1, KUT of S2 and KUT of S3, showing overlapping memberships]

Multiple Group Key Management Scheme (Step 1)
∙ One KDC
  ∙ Manages the multiple secure groups
  ∙ Uses KUT to manage keys
  ∙ Handles all join/leave requests and the rekeying process
  ∙ Chooses security parameter k and fixes GF(p)
∙ Initially there are no users in any group
∙ Set U of n users that want to join m groups

Multiple Group Key Management Scheme (Step 2)
∙ Assume the user is authenticated and a secure channel initially exists between each user and the KDC
∙ KDC generates a Ki for each user ui
  ∙ Ki is a private key
  ∙ Ki enables ui to securely communicate with the KDC

Multiple Group Key Management Scheme (Step 3)
∙ KDC chooses k−2 points (xi,yi), i = 1,…,k−2
  ∙ (xi,yi) are chosen randomly and independently from GF(p) such that no values of xi are the same
  ∙ All points are distinct
  ∙ Prepositioned base shares
  ∙ Sent to all users
∙ KDC chooses another point (xk−1,yk−1) such that xk−1 ≠ xi
  ∙ Polynomial construction trigger share

Multiple Group Key Management Scheme (Step 4)
∙ KDC selects m points (xSj,ySj), j = 1,…,m, by picking xSj and ySj from GF(p)
  ∙ All points are distinct
  ∙ No xi can equal xSj
  ∙ Group specific share of a user who is joining Sj

Multiple Group Key Management Scheme (Step 5)
∙ KDC constructs an LKT for each group Sj, rooted at Gj
∙ Auxiliary keys computed
  ∙ Auxiliary keys are represented as the intermediate nodes of the LKT
  ∙ Apart from the group key and the private key, the rest of the keys along the path are known as auxiliary keys and are used solely for the purpose of updating the group key and other auxiliary keys
  ∙ Each user has ⌈log2 t⌉ − 1 auxiliary keys, for t users in Sj
∙ Group keys computed using {(x1,y1),…,(xk−2,yk−2),(xk−1,yk−1),(xSj,ySj)} and applying (1) to obtain Sj(x)
  ∙ Sj(x=0) is the group key Gj for Sj
∙ KDC sends auxiliary keys to the respective users

Multiple Group Key Management Scheme (Step 5 cont.)
∙ KDC constructs the KUT rooted at K
  ∙ The LKT, rooted at Gj, is the right subtree of the KUT
  ∙ Initially, the left subtree is empty

Multiple Group Key Management Scheme (Step 6)
∙ KDC sends (xSj,ySj) to all users who request to join group Sj
∙ A user who has sent a request to join Sj will have the prepositioned base shares {(x1,y1),…,(xk−2,yk−2)} and a group specific share (xSj,ySj)
∙ KDC sends the polynomial construction trigger share (xk−1,yk−1) to all users of group Sj

Multiple Group Key Management Scheme (Step 7)
∙ User constructs Sj(x) from three shares using (1) to make a polynomial of degree k−1
∙ Solve for x = 0 to obtain Gj
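The key derivation of Steps 3 to 7, as an added example (not code from the presentation or from the paper it summarizes): one shared set of base and trigger shares plus one group specific share per group yields each group key as S(0), and a leave is handled by replacing only that group's share. Assumptions: all class and function names are illustrative, the prime 2^127 − 1 is an example choice for GF(p), x = 0 is excluded from share coordinates because S(0) is the key, and the encrypted delivery of shares under Ki and the LKT auxiliary keys is not modelled.

```python
import secrets

P = 2**127 - 1  # GF(p) modulus; a Mersenne prime chosen for this example


def key_at_zero(points, p=P):
    """Lagrange-interpolate the degree len(points)-1 polynomial through
    `points` over GF(p) and return its value at x = 0 (the group key)."""
    xs = [x % p for x, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("x-coordinates must be distinct")
    if 0 in xs:
        raise ValueError("x = 0 is reserved: S(0) is the key itself")
    key = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if j != i:
                num = num * xj % p          # (0 - xj)/(xi - xj) == xj/(xj - xi)
                den = den * (xj - xi) % p
        key = (key + yi * num * pow(den, -1, p)) % p
    return key


class KDC:
    """Holds the shares of Steps 3-4 and rekeys by replacing one group share."""

    def __init__(self, k, groups, p=P):
        self.p, self._used_x = p, {0}
        self.base = [self._point() for _ in range(k - 2)]  # prepositioned base shares
        self.trigger = self._point()                       # trigger share
        self.group_share = {g: self._point() for g in groups}

    def _point(self):
        while True:  # keep every x distinct, as Steps 3 and 4 require
            x = secrets.randbelow(self.p)
            if x not in self._used_x:
                self._used_x.add(x)
                return (x, secrets.randbelow(self.p))

    def group_key(self, g):
        return key_at_zero(self.base + [self.trigger, self.group_share[g]], self.p)

    def rekey(self, g):
        self.group_share[g] = self._point()
        return self.group_share[g]


class User:
    def __init__(self, kdc):
        # Base and trigger shares arrive over the user's private channel (not modelled).
        self.base, self.trigger, self.p = list(kdc.base), kdc.trigger, kdc.p
        self.shares = {}  # group name -> group specific share

    def share_count(self):
        return len(self.base) + 1 + len(self.shares)

    def group_key(self, g):
        return key_at_zero(self.base + [self.trigger, self.shares[g]], self.p)


def demo(k=5):
    kdc = KDC(k, ["S1", "S2"])
    u1, u6 = User(kdc), User(kdc)
    u1.shares = dict(kdc.group_share)        # parent S1, overlapping membership in S2
    u6.shares = {"S1": kdc.group_share["S1"]}
    before = {g: kdc.group_key(g) for g in ("S1", "S2")}
    joined_ok = (all(u1.group_key(g) == before[g] for g in before)
                 and u6.group_key("S1") == before["S1"])
    u1.shares["S1"] = kdc.rekey("S1")        # u6 leaves S1: only remaining members get the new share
    return {
        "joined_ok": joined_ok,
        "u1_tracks_rekey": u1.group_key("S1") == kdc.group_key("S1"),
        "u6_key_is_stale": u6.group_key("S1") != kdc.group_key("S1"),
        "S2_untouched": kdc.group_key("S2") == before["S2"],
        "u1_share_count": u1.share_count(),  # m + k - 1 with m = 2 groups
    }


if __name__ == "__main__":
    print(demo())
```

The departed user still holds the k−1 base and trigger shares, so forward access control rests entirely on the new group specific share reaching only the remaining members.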

Example
∙ S1 = {u1,…,u7} ∪ {u9,…,u13}
  ∙ {u1,…,u7} are parent group members
  ∙ {u9,…,u13} have overlapping membership
∙ S2 = {u9,…,u15} ∪ {u1,…,u4}
  ∙ {u9,…,u15} are parent group members
  ∙ {u1,…,u4} have overlapping membership

Example (cont.): KUT of S1
The KDC constructs the KUT for S1 as in Fig 4. It constructs the LKT for {u1,…,u7}. The KDC chooses an arbitrary root key KS1 for the KUT. It makes the LKT the right subtree of KS1, and a binary subtree of the users {u9,…,u13} is made the left subtree.
[Figure 4: KUT of S1 rooted at KS1. Left subtree: user nodes u9 (root), u10, u11, u12, u13. Right subtree: LKT rooted at K1-8 with auxiliary keys K1-4, K5-8, K1-2, K3-4, K5-6, K7-8 and leaf keys K1 to K7 for users u1 to u7.]

Example (cont.): KUT of S2
[Figure: KUT of S2 rooted at KS2. Left subtree: user nodes u1 (root), u2, u3, u4. Right subtree: LKT rooted at K9-16 with auxiliary keys K9-12, K13-16, K9-10, K11-12, K13-14, K15-16 and leaf keys K9 to K15 for users u9 to u15.]

Example Join
∙ Consider u8 joining S1
  ∙ Parent group join (not in S1 or S2)
∙ User sends join request
∙ KDC finds the joining point K7-8, changes K7-8, K5-8, and K1-8
∙ Chooses new group specific share (x'S1,y'S1)K1-8
  ∙ Must be distinct
  ∙ Sends to all users in S1
∙ Generates new auxiliary keys K'5-8 and K'7-8

Example Join (cont.)
∙ KDC sends {(x'S1,y'S1)}K1-8 to all users
∙ KDC sends {K'5-8}K5-8 to {u5,u6,u7}
∙ KDC sends {K'7-8}K7-8 to {u7}
∙ KDC sends {{(x1,y1),…,(xk−1,yk−1)},K'5-8,K'7-8}K8 to {u8}
∙ All users construct the new group key

Example Join (cont.): KUT of S1 after join
[Figure: KUT of S1 rooted at KS1. Left subtree: user nodes u9 (root), u10, u11, u12, u13. Right subtree: LKT rooted at K1-8 with auxiliary keys K1-4, K5-8, K1-2, K3-4, K5-6, K7-8 and leaf keys K1 to K8 for users u1 to u8.]

Example Join 2
∙ Consider u5 joining S2
  ∙ Joining non-parental group
∙ KDC finds the joining point in the left subtree
∙ KDC finds new group specific share (x'S2,y'S2)
∙ KDC sends {(x'S2,y'S2)}K9-16 to {u9,…,u15} ∪ {u1,…,u4}
∙ KDC sends {(x'S2,y'S2)}K5 to u5
∙ All users compute the new group key

Example Join 2 (cont.): KUT of S2 after join
[Figure: KUT of S2 rooted at KS2. Left subtree: user nodes u1 (root), u2, u3, u4, u5. Right subtree: LKT rooted at K9-16 with auxiliary keys K9-12, K13-16, K9-10, K11-12, K13-14, K15-16 and leaf keys K9 to K15 for users u9 to u15.]

Example Leave
∙ Consider u6 leaving S1
∙ KDC removes node
∙ KDC changes keys K5-6, K'5-8, K'1-8
∙ KDC chooses new distinct group specific share (x''S1,y''S1)
∙ KDC sends {(x''S1,y''S1),K''5-8,K5-6}K5 to {u5}
∙ KDC sends {(x''S1,y''S1),K''5-8}K'7-8 to {u7,u8}
∙ KDC sends {(x''S1,y''S1)}K1-4 to {u1,…,u4}
∙ KDC sends {(x''S1,y''S1)}K9-12 to {u9,…,u12}
∙ KDC sends {(x''S1,y''S1)}K13 to {u13}

Example Leave (cont.)
∙ All members construct the new group key
∙ All changed keys are sent to the appropriate user

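Example Leave (cont.): KUT of S1 after leave
[Figure: KUT of S1 rooted at KS1. Left subtree: user nodes u9 (root), u10, u11, u12, u13. Right subtree: LKT rooted at K1-8 with auxiliary keys K1-4, K5-8, K1-2, K3-4, K5-6, K7-8 and leaf keys K1, K2, K3, K4, K5, K7, K8 for users u1, u2, u3, u4, u5, u7, u8.]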

Leave Example 2
∙ Consider u5 leaving S2
  ∙ Non-parent group member leave
∙ KDC removes node
∙ KDC chooses new distinct group specific share (x''Sj,y''Sj)
∙ KDC sends {(x''Sj,y''Sj)}K9-12 to {u9,…,u12}
∙ KDC sends {(x''Sj,y''Sj)}K13-16 to {u13,…,u15}
∙ KDC sends {(x''Sj,y''Sj)}K1-4 to {u1,…,u4}

Leave Example 2 (cont.)
∙ All users compute the new group key
∙ No auxiliary keys are changed

Leave Example 2 (cont.): KUT of S2 after leave
[Figure: KUT of S2 rooted at KS2. Left subtree: user nodes u1 (root), u2, u3, u4. Right subtree: LKT rooted at K9-16 with auxiliary keys K9-12, K13-16, K9-10, K11-12, K13-14, K15-16 and leaf keys K9 to K15 for users u9 to u15.]

Analysis of Join
1) Number of encryptions:
  a) Parent group join: when a user joins the parent group with n parent group users and any number of non-parent group users, the number of encryptions performed is at most ⌈log2 n⌉ + 1.
  b) Non-parent group join: when a non-parent group user joins the group with any number of parent group users and any number of non-parent group users, the number of encryptions performed is a constant 2.
2) Number of key changes:
  a) Parent group join: if there are n parent group users and any number of non-parental group users, the number of key changes upon a parent group user join is at most ⌈log2 n⌉.
  b) Non-parent group join: irrespective of the number of parent group users and non-parental group users, the number of keys changed upon a non-parent group user join is a constant 1.
3) Number of rekey messages:
  a) Parent group join: the number of rekey messages constructed upon a parent group user join is at most ⌈log2 n⌉ + 1, where n is the number of parent group users.
  b) Non-parent group join: the number of rekey messages constructed upon a non-parental group user join is a constant 2.

Analysis of Leave
1) Number of encryptions:
  a) Parent group leave: when a parent group user leaves the parent group with n parent group users and t non-parent group users, # of encryptions performed ≤ 2⌈log2 n⌉ + t. Note that the # of encryptions ranges over {2⌈log2 n⌉ + 1, 2⌈log2 n⌉ + 2, …, 2⌈log2 n⌉ + t}.
  b) Non-parent group leave: when a non-parent group user leaves the group with n parent group users and t non-parent group users, # of encryptions performed ≤ t + 2. The # of encryptions ranges over {3, 4, …, t + 2}.
2) Number of key changes:
  a) Parent group leave: if there are n parent group users and t non-parental group users, upon a parent group user leave, # of keys changed ≤ ⌈log2 n⌉ (this comprises log2 n − 1 auxiliary keys and one parent group specific key).
  b) Non-parent group leave: irrespective of the number of parent group users and non-parental group users, upon a non-parent group user leave, # of keys changed = 1.
3) Number of rekey messages:
  a) Parent group leave: when a parent group user leaves the parent group with n parent group users and t non-parent group users, # of rekey messages constructed ≤ ⌈log2 n⌉ + t. The # of rekey messages ranges over {⌈log2 n⌉ + 1, ⌈log2 n⌉ + 2, …, ⌈log2 n⌉ + t}.
  b) Non-parent group leave: when a non-parent group user leaves the group with n parent group users and t non-parent group users, # of rekey messages constructed ≤ t + 2. The # of rekey messages ranges over {3, 4, …, t + 2}.

Storage Cost Estimation
∙ User of a parent group without overlapping membership
∙ User of a parent group with m overlapping memberships
∙ User who has left parent group and has m overlapping memberships

Storage Cost Estimation (cont.)
User of a parent group without any overlapping memberships: the user u who is a member of a parent group with n parent group users and t non-parent group users, and who has no overlapping memberships with any non-parental groups, stores the following key material:
∙ (k−2) prepositioned base shares
∙ 1 polynomial construction trigger share
∙ 1 group specific share of the parent group
∙ ⌈log2 n⌉ − 1 auxiliary keys
∙ u's private shared key
Therefore, the key material stored at the user u = k + ⌈log2 n⌉.

Storage Cost Estimation (cont.)
User of a parent group with m overlapping memberships: the user u who is a member of the parent group with n parent group users and t non-parent group users, and who has m overlapping memberships with m other non-parental groups, stores the following key material:
∙ (k−2) prepositioned base shares
∙ 1 polynomial construction trigger share
∙ 1 group specific share of the parent group
∙ ⌈log2 n⌉ − 1 auxiliary keys
∙ u's private shared key
∙ m group specific shares of the other m groups with which u has overlapping memberships
The key material stored at u = (k + m) + ⌈log2 n⌉.

Storage Cost Estimation (cont.)
User who has left its parent group and has m overlapping memberships: the user u who has left its parent group will not have any auxiliary keys, so u stores the following key material:
∙ (k−2) prepositioned base shares
∙ 1 polynomial construction trigger share
∙ u's private shared key
∙ m group specific shares of the other m groups with which u has overlapping memberships
So, the key material stored at u = (k + m) + 1.

Results
∙ Suppose n users with m groups
∙ Each parent group member of every group has an overlapping membership with every other group
∙ A group has (m−1)n non-parent group members and n parent group members

Results
Comparison of the scheme in [1] with our scheme based on KUT (# of encryptions, # of key changes):
∙ Join of a parent group user: 2⌈log2 mn⌉, ⌈log2 mn⌉ (scheme in [1]); 2⌈log2 n⌉ + 1, ⌈log2 n⌉ (our scheme)
∙ Join of a non-parent group user: 2, 1
∙ Leave of a parent group user: 2⌈log2 n⌉ + m − 2
∙ Leave of a non-parent group user: ≤ (m + 2^[(log2 n − 1)/2])
∙ Storage at a user: (m + k − 1) shares and m log2 n auxiliary keys (scheme in [1]); (m + k − 1) shares and log2 n auxiliary keys (our scheme)
Result 1: Let each of ⌊n/m⌋ members of (m − 1) groups have overlapping membership with group Sj, where j ≠ i, i = 1,…,m. Then, upon a parent group user leave from Sj, the number of encryptions required to distribute the new group specific share (x'Sj, y'Sj) to all members having membership with Sj is ⌈log2 ⌊n/m⌋⌉ + (m − 1).
Result 2: Let t be the number of non-parent group users of some group Sj. Suppose a parent group member of Sj leaves Sj; then the number of encryptions required to send the changed group specific share (x'Sj, y'Sj) to the t non-parent group users follows lim t→(m−1)⌊n/m⌋ # of encryptions = m − 1.
Result 3: Let t be the number of non-parent group users Sj leaves Sj, then the number of encryptions required to send the changed group specific share (x'Sj, y'Sj) to the parent group users of Sj is 2. Interestingly, if l is the number of parent group users such that l = 2x, x = 1, 2, …, # of encryptions required = 2.
Result 4: Irrespective of the number of parent group users and non-parent group users in a group, the number of encryptions performed when a new parent group user joins is at most ⌊log2 n⌋ + 1, and is 2 when a new non-parent user joins.
Result 5: The storage at a user of a group who has membership with m groups is (m + k − 1) shares and log2 l auxiliary keys, where l is the number of parent group users in the group.

Conclusion
∙ Scheme scales well as overlapping membership increases rapidly
∙ Significant reduction in rekeying cost, storage, and number of encryptions