Download presentation
Presentation is loading. Please wait.
Published byJoella Tyler Modified over 9 years ago
1
KAIS T Distributed Collaborative Key Agreement and Authentication Protocols for Dynamic Peer Groups IEEE/ACM Trans. on Netw., Vol. 14, No. 2, April 2006 Patrick P. C. Lee, at el. Hyeongseop Shim NS Lab, Div. of CS November 6, 2007
2
2 / 21 Contents Introduction Tree-Based Group Diffie-Hellman (TGDH) Protocol Interval-Based Distributed Rekeying Algorithms Rebuild Algorithm Batch Algorithm Queue-Batch Algorithm Performance Evaluation Authenticated TGDH Conclusion
3
3 / 21 Introduction Emergence of group-oriented distributed applications Necessity to provide group communication privacy Distributed group key group key agreement Comparison with centralized group key management No centralized key server Increase in system reliability
4
4 / 21 TGDH Protocol (1/2) Key tree in tree-based group Diffie-Hellman protocol Blinded key BK v BK v = α Kv mod p Secret key K v K v = (BK 2v+1 ) K 2v+2 mod p = (BK 2v+2 ) K 2v+1 mod p = α K 2v+1 K 2v+2 mod p Secret key at a leaf node is selected randomly Every member M i can compute the keys along its key path to the root Sponsor Responsible for updating keys held by the new or departed member Rightmost member under the subtree rooted at the sibling of the join and leave nodes
5
5 / 21 TGDH Protocol (2/2) Rekeying operation Single leave Single join
6
6 / 21 Interval-Based Rekeying Algorithms (1/4) Overview Constant rekeying frequency regardless of the dynamic join and leave Delay of the update of the group key Tradeoff of weakening both backward and forward secrecy Proposed algorithms Rebuild algorithm Batch algorithm Queue-batch algorithm
7
7 / 21 Interval-Based Rekeying Algorithms (2/4) Rebuild algorithm Reconstructs the whole key tree with the remaining and joining members Resulting tree is a left-complete tree
8
8 / 21 Interval-Based Rekeying Algorithms (3/4) Batch algorithm L > J > 0 J > L > 0
9
9 / 21 Interval-Based Rekeying Algorithms (4/4) Queue-batch algorithm Reduces rekeying load by pre-processing the joining members Two phases Queue-subtree phase Queue-merge phase
10
10 / 21 Performance Evaluation (1/6) Mathematical analysis Two performance measures Number of exponentiation operations Number of renewed nodes Average numbers of exponentiation (J = 128 / 256 / 384) Average number of renewed nodes (J = 128 / 256 / 384)
11
11 / 21 Performance Evaluation (2/6) Experiment 1 Comparison between individual and interval-based rekeying
12
12 / 21 Performance Evaluation (3/6) Experiment 2 Average number of exponentiation (P J = 0.25 / 0.5 / 0.75) Average number of renewed nodes (P J = 0.25 / 0.5 / 0.75)
13
13 / 21 Performance Evaluation (4/6) Experiment 3 Instantaneous number of exponentiation (P J = P L = 0.25 / 0.5 / 0.75) Instantaneous number of renewed nodes (P J = P L = 0.25 / 0.5 / 0.75)
14
14 / 21 Performance Evaluation (5/6) Experiment 4 Performance of Queue-batch at different reset intervals (P J = 0.5) Reconstruction of the key tree using Rebuild every T R rekeying intervals Robustness in maintaining a relatively balanced tree
15
15 / 21 Performance Evaluation (6/6) Experiment 5 Average number of rounds (P J = 0.25 / 0.5 / 0.75) Period during which the group members compute the secret key as far up the key tree as they can
16
16 / 21 Authenticated TGDH (1/5) Overview Provides key authentication for interval-based algorithms Basic idea To couple the session-based group key with the certified permanent private components of the group members Two types of keys Short-term secret and blinded keys Long-term private and public keys Satisfies Perfect forward secrecy Known-key security Key authentication
17
17 / 21 Authenticated TGDH (2/5) Notations Secret key K v Blinded key BK v Blinded key set BK v ’ Set of BK v ’s respectively encrypted by the long-term private key of every descendant of the sibling of the node v Set of descendants of node v, M v ith member, M i, holds Short-term secret key r Mi, and blinded key α r Mi mod p Long-term private key x Mi, and public key α x Mi mod p Two-party, two-pass AK protocol M1M1 M2M2 α r M1 α r M2 Compute (α x M2 ) r M1 * (α r M2 ) r M1 +x M1 = α r M1 r M2 +r M1 x M2 +r M2 x M1 Compute (α x M1 ) r M2 * (α r M1 ) r M2 +x M2 = α r M1 r M2 +r M1 x M2 +r M2 x M1
18
18 / 21 Authenticated TGDH (3/5) A-TGDH protocol Association of a node v with K v and BK v ’ Case 1) v is a nonleaf node with child nodes 2v+1 and 2v+2 Case 2) v is a leaf node associated with member M i
19
19 / 21 Authenticated TGDH (4/5) How A-TGDH works After rekeying, nodes 0, 1 and 2 are renewed 1. Secrete keys of nodes 1 and 2 are computed K 1 = α r M1 r M2 +r M1 x x2 +r M2 x M1 K 2 = α r M3 r M4 +r M3 x x4 +r M4 x M3 2. Sponsor M 1 broadcasts α K 1 x M3 and α K 1 x M4 Sponsor M 2 broadcasts α K 2 x M1 and α K 2 x M2 3. M 1 and M 2 can retrieve α K 2 from α K 2 x M1 and α K 2 x M2 M 3 and M 4 can retrieve α K 1 from α K 1 x M3 and α K 1 x M4 4. Members can compute K 0 = α K 1 K 2 +K 1 (x M3 +x M4 )+K 2 (x M1 +x M2 )
20
20 / 21 Authenticated TGDH (5/5) Comparison between nonauth and auth Queue-batch (P j = 0.25)
21
21 / 21 Conclusion Interval-based distributed rekeying algorithms Rebuild Batch algorithm Queue-batch algorithm Evaluation of interval-based algorithms Authenticated group key agreement protocol
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.