Optimal Communication Complexity of Generic Multicast Key Distribution Saurabh Panjwani UC San Diego (Joint Work with Daniele Micciancio)


Multicast

Multicast is a primitive which enables a source of information to communicate with multiple receivers in a network with efficiency better than sending data individually to all the receivers. (Efficiency means better utilization of sender resources and bandwidth.)

[Figure: a network with a sender, receivers and other nodes; three unicast flows run from the sender to the receivers.]

Multicast

[Figure: the same network with a sender, receivers and other nodes; one multicast flow runs from the sender to the receivers.]

Multicast

Example applications:
- Electronic conferences, virtual rooms
- PayTV or video-on-demand services
- Stock quotes

Security in multicast involves new challenges:
- How does one keep group communication secret?
- How do multiple receivers authenticate a single sender efficiently?
- How do we authorize anyone to send data on a multicast channel?

Secrecy in Multicast

In unicast, secrecy can be achieved by sharing a key between the parties and using symmetric-key encryption.

[Figure: the two parties share a key k and exchange E_k(data); the outsider A sees "?" in place of data.]

Secrecy in Multicast

Can we do the same for multicast? If group membership changes, the key should also change.

[Figure: the group shares a key k and receives E_k(data); the outsider A sees "?" in place of data.]

Multicast Key Distribution

A group center distributes a shared 'group key' to all members (senders and receivers). It sends messages to change the key whenever membership changes.

Goal: At any instant of time, only the members should "know" the group key.

[Figure: the center sends rekey messages; group members hold k and then the new key k', non-members see "?".]

Multicast Key Distribution

Setup: Each user u_i has a unique key k_i that it shares with the center.

For a group with n members, the center sends n rekey messages (per membership update). But we can do better…

[Figure: users u_1, ..., u_6 hold keys k_1, ..., k_6. The center generates k and sends E_{k_1}(k); E_{k_3}(k); E_{k_5}(k). Group members obtain k, non-members see "?".]

Previous Work – Upper Bounds

Wong, Gouda, Lam [WGL98] and Wallner, Harder, Agee [WHA99] gave a protocol in which every join/leave operation in a group of size n involves sending 2log_2(n) rekey messages.

Canetti, Garay, Itkis, Micciancio, Naor, Pinkas [CGIMNP99] improved this to log_2(n). (Used pseudorandom generators in creation of rekey messages.)

Best known upper bound – log_2(n)

Previous Work – Lower Bounds

Canetti, Malkin, Nissim [CMN99] gave the first non-trivial lower bound: for a restricted class of protocols, in a group of size n, the center must send Ω(log(n)) rekey messages (per membership update).

Snoeyink, Suri and Varghese [SSV01] proved a bound for more general protocols. For groups of size n, rekey cost must be at least 3log_3(n).

Best known lower bound – 3log_3(n)

Interestingly, 3log_3(n) > log_2(n) (lower bound is higher than upper bound)

Why is this so?

In the model used in [SSV01], every rekey message must be of the form E_k(k').

Why can't pseudorandom generators be used? Best known protocol uses PRGs.

E.g.: Take G(k) = G_0(k) G_1(k) … G_m(k)

[Figure: the center expands a key k into G_0(k), ..., G_m(k).]

Why is this so?

In the model used in [SSV01], every rekey message must be of the form E_k(k').

Why can't nested encryption be used?

E.g.: Two auxiliary keys, k, k'. Center wants to send a key k'' to members u_1 and u_2.

One possibility: E_{k_1}(k''); E_{k_2}(k'')

[Figure: users u_1, ..., u_4 hold keys k_1, ..., k_4 and the auxiliary keys k, k'; u_1 and u_2 obtain k'', the other users see "?".]

Why is this so?

Better possibility: E_k(E_{k'}(k''))

Saves communication by a factor of 2. Nested encryption has been used in some protocols.

[Figure: the same users u_1, ..., u_4 with keys k_1, ..., k_4 and auxiliary keys k, k'; u_1 and u_2 obtain k'', the other users see "?".]

A More General Model

Rekey messages can be generated by an arbitrary combination of pseudorandom generators and symmetric-key encryption.

Question: How well can you do under this model? We answer: log_2(n) is optimal.

[Figure: center and users u_1, ..., u_6 with keys k_1, ..., k_6; example rekey message E_{G_0(k_2)}(E_{G_1(k_1)}(k'', G_1(k'))).]

Our Model

Every user shares a unique key with the center. At any instant, a finite set of users are members. All parties have black-box access to a pseudorandom generator G and an encryption-decryption pair (E, D).

[Figure: center and users u_1, ..., u_6 with keys k_1, ..., k_6.]

Our Model

Membership is controlled by an adversary A who issues one of three commands at every instant:
- Leave – Delete a member from the group.
- Join – Add a non-member to the group.
- Replace – Replace a member with a non-member (keeps the group size same).

[Figure: center and users u_1, ..., u_6 with keys k_1, ..., k_6.]

Our Model

Center responds by sending rekey messages. A rekey message is derived from the grammar:

M → K | E_K(M)
K → random_key | G_0(K) | G_1(K) | … | G_m(K)

[Figure: center and users u_1, ..., u_6 with keys k_1, ..., k_6; example rekey message E_{G_0(k_2)}(E_{G_1(k_1)}(k'')).]

Our Model – Security Definition

What are the keys a user "knows" at any instant?

[Figure: the center sends E_k(E_{G_0(k')}(k_g)) and E_{k_1}(k_g). Users u_1, ..., u_5 hold keys k_1, ..., k_5 together with some of k, k', G_0(k'), G_1(k'); the users who can decrypt a message obtain k_g, the others see "?".]

Our Model – Security Definition

What are the keys a user "knows" at any instant?

Use an abstract encryption model for defining this notion (similar to Dolev-Yao logic). Connections between such an abstract framework and the complexity-theoretic framework have been studied by Abadi-Rogaway [AR02], Micciancio-Warinschi [MW04], Abadi-Jurjens [AJ01], Gligor-Horvitz [GH03] etc.

[Figure: center and users u_1, ..., u_5 with keys k_1, ..., k_5; messages E_k(E_{G_0(k')}(k_g)) and E_{k_1}(k_g).]

Our Model – Security Definition

Definition: A multicast key distribution protocol is secure if for every sequence of adversarial commands, at every time instant t, there is a key k_t such that
- Every member at time t knows k_t
- NO non-member at time t knows k_t

A very liberal definition! Security against collusions of non-members? But a weak definition only makes our lower bound stronger.
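The "knows" relation and the security definition above can be checked mechanically in the abstract model. The following is an added example, not part of the original slides: it computes the keys each user can recover from messages built with the grammar M → K | E_K(M), including nested encryption and PRG-derived keys, and tests the member/non-member condition for a candidate group key. The helper names and the key assignment to users u1..u5 are assumptions constructed for illustration.

```python
# Added example: symbolic (Dolev-Yao style) key knowledge over the slide grammar.
#   K ::= ("key", name) | ("prg", i, K)        M ::= K | ("enc", K, M)
def key(name): return ("key", name)
def G(i, k): return ("prg", i, k)      # i-th output block of the PRG on seed k
def E(k, m): return ("enc", k, m)      # m encrypted under key k

def derivable(k, known):
    """A key is derivable if it is known or is a PRG output of a derivable key."""
    while k not in known:
        if k[0] != "prg":
            return False
        k = k[2]                       # step back towards the PRG seed
    return True

def knows(own_keys, broadcast):
    """Keys a user recovers from its own keys plus every rekey message sent."""
    known, pending, changed = set(own_keys), list(broadcast), True
    while changed:
        changed = False
        for msg in list(pending):
            if msg[0] != "enc":                      # key sent in the clear
                known.add(msg)
            elif derivable(msg[1], known):
                if msg[2][0] == "enc":
                    pending.append(msg[2])           # peel one nested layer
                else:
                    known.add(msg[2])
            else:
                continue                             # cannot open it (yet)
            pending.remove(msg)
            changed = True
    return known

def is_secure(group_key, users, members, broadcast):
    """Slide definition: every member knows the key and no non-member does."""
    return all(derivable(group_key, knows(own, broadcast)) == (name in members)
               for name, own in users.items())

# Constructed scenario (key assignment assumed, modelled on the slide's figure).
k, kp, kg = key("k"), key("k'"), key("kg")
USERS = {
    "u1": {key("k1")},
    "u2": {key("k2"), k, G(0, kp)},
    "u3": {key("k3"), k, kp},          # holds the seed, so can derive G0(k')
    "u4": {key("k4"), G(0, kp)},       # lacks the outer key k
    "u5": {key("k5"), k, G(1, kp)},    # holds the wrong PRG block
}
BROADCAST = [E(k, E(G(0, kp), kg)), E(key("k1"), kg)]
print("secure for members u1,u2,u3:", is_secure(kg, USERS, {"u1", "u2", "u3"}, BROADCAST))
```

Each user is evaluated on its own here, which matches the definition as stated; it says nothing about non-members pooling their keys.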

Our Result

Theorem: The amortized communication complexity of secure multicast key distribution is log_2(n) - c (c tends to 0 as the number of adversarial commands increases).

Matches the cost of the best known protocol up to a small 'additive' constant.

Amortized complexity means the number of rekey messages sent per update command for a sequence of update commands.

Proof Idea

View a multicast key distribution protocol as a game played between center and adversary.

The playing board is an infinite forest on keys. A tree in this forest represents the set of pseudorandom keys derived from the root key. Some of the root keys are labeled either member or non-member.

Proof Idea

Adversary changes labels on the keys which are labeled member or non-member. Center introduces rekey messages, modeled as hyper-edges over the keys.

[Figure: the message E_k(E_{k'}(k_1)) drawn as a hyper-edge from the keys k and k' to k_1.]

Proof Idea

A hyper-edge becomes useless once the key it points to becomes "reachable" from any non-member node. Show that the adversary can select to delete and add members in a way such that a lot of hyper-edges become useless in every move.

Open Questions

- Does the bound hold even without replace operations?
- What about average-case communication complexity?
- What if other cryptographic primitives are used for generating rekey messages (e.g. PRFs, secret sharing)?

Questions?

References

[AR] M. Abadi, P. Rogaway. Reconciling Two Views of Cryptography (or the Computational Soundness of Formal Encryption). Journal of Cryptology 15(2),
[CGIMNP] R. Canetti, J. Garay, G. Itkis, D. Micciancio, M. Naor, B. Pinkas. Multicast Security: A taxonomy and some efficient constructions. In Proc. of INFOCOM
[CMN] R. Canetti, T. Malkin, K. Nissim. Efficient communication-storage tradeoffs for multicast encryption. In Advances in Cryptology – EUROCRYPT
[MW] D. Micciancio, B. Warinschi. Completeness theorems for the Abadi-Rogaway Logic of Encrypted Expressions. Journal of Computer Security, 12(1),
[AJ] M. Abadi, J. Jurjens. Formal eavesdropping and its computational interpretation. In TACS 2001.
[SSV] J. Snoeyink, S. Suri, G. Varghese. A lower bound for Multicast Key Distribution. In Proc. of INFOCOM
[GH] V. Gligor, D. O. Horvitz. Weak Key Authenticity and the Computational Completeness of Formal Encryption. In CRYPTO
[WHA] D. Wallner, E. Harder, R. Agee. Key management for Multicast: Issues and Architecture. RFC 2627, June
[WGL] C. Wong, M. Gouda, S. Lam. Secure Group Communication using Key graphs. In Proc. of SIGCOMM