Optimal Communication Complexity of Generic Multicast Key Distribution

We prove a tight lower bound for generic protocols for secure multicast key distribution where the messages sent by the group manager for rekeying the group are obtained by arbitrarily nested application of a symmetric-key encryption scheme, with random or pseudorandom keys. Our lower bound shows that the amortized cost of updating the group key for a secure multicast protocol (measured as the number of messages transmitted per membership change) is log2(n) + o(1). This lower bound matches (up to a small additive constant) the upper bound of Canetti, Garay, Itkis, Micciancio, Naor and Pinkas (Infocomm 1999), and is essentially optimal.

[1]  Martín Abadi,et al.  Security analysis of cryptographically controlled access to XML documents , 2005, PODS '05.

[2]  Alan T. Sherman,et al.  Key Establishment in Large Dynamic Groups Using One-Way Function Trees , 2003, IEEE Trans. Software Eng..

[3]  Mostafa H. Ammar,et al.  HySOR: group key management with collusion-scalability tradeoffs using a hybrid structuring of receivers , 2002, Proceedings. Eleventh International Conference on Computer Communications and Networks.

[4]  Mohamed G. Gouda,et al.  Secure group communications using key graphs , 2000, TNET.

[5]  Amos Fiat,et al.  Broadcast Encryption , 1993, CRYPTO.

[6]  Yevgeniy Dodis,et al.  Public Key Broadcast Encryption for Stateless Receivers , 2002, Digital Rights Management Workshop.

[7]  Avishai Wool,et al.  Long-Lived Broadcast Encryption , 2000, CRYPTO.

[8]  Matthew K. Franklin,et al.  Lower Bounds for Multicast Message Authentication , 2001, EUROCRYPT.

[9]  Rosario Gennaro A Protocol to Achieve Independence in Constant Rounds , 2000, IEEE Trans. Parallel Distributed Syst..

[10]  Silvio Micali,et al.  How to construct random functions , 1986, JACM.

[11]  George Varghese,et al.  A lower bound for multicast key distribution , 2001, Proceedings IEEE INFOCOM 2001. Conference on Computer Communications. Twentieth Annual Joint Conference of the IEEE Computer and Communications Society (Cat. No.01CH37213).

[12]  Eric J. Harder,et al.  Key Management for Multicast: Issues and Architectures , 1999, RFC.

[13]  Danny Dolev,et al.  On the security of public key protocols , 1981, 22nd Annual Symposium on Foundations of Computer Science (sfcs 1981).

[14]  Dawn Xiaodong Song,et al.  ELK, a new protocol for efficient large-group key distribution , 2001, Proceedings 2001 IEEE Symposium on Security and Privacy. S&P 2001.

[15]  Suvo Mittra,et al.  Iolus: a framework for scalable secure multicasting , 1997, SIGCOMM '97.

[16]  Yang Richard Yang,et al.  A Secure Group Key Management Protocol Communication Lower Bound , 2000 .

[17]  Roberto Tamassia,et al.  Computational Bounds on Hierarchical Data Processing with Applications to Information Security , 2005, ICALP.

[18]  Yang Richard Yang,et al.  Reliable group rekeying: a performance analysis , 2001, SIGCOMM 2001.

[19]  Ran Canetti,et al.  Efficient Communication-Storage Tradeoffs for Multicast Encryption , 1999, EUROCRYPT.

[20]  Bogdan Warinschi,et al.  Completeness Theorems for the Abadi-Rogaway Language of Encrypted Expressions , 2004, J. Comput. Secur..

[21]  Adi Shamir,et al.  The LSD Broadcast Encryption Scheme , 2002, CRYPTO.

[22]  Dilip D. Kandlur,et al.  Key management for secure lnternet multicast using Boolean function minimization techniques , 1999, IEEE INFOCOM '99. Conference on Computer Communications. Proceedings. Eighteenth Annual Joint Conference of the IEEE Computer and Communications Societies. The Future is Now (Cat. No.99CH36320).

[23]  Jessica Staddon,et al.  Combinatorial Bounds for Broadcast Encryption , 1998, EUROCRYPT.

[24]  Jessica Staddon,et al.  Efficient Methods for Integrating Traceability and Broadcast Encryption , 1999, CRYPTO.

[25]  Ashok Samal,et al.  Scalable secure one-to-many group communication using dual encryption , 2000, Comput. Commun..

[26]  Douglas R. Stinson,et al.  Trade-offs Between Communication and Storage in Unconditionally Secure Schemes for Broadcast Encryption and Interactive Key Distribution , 1996, CRYPTO.

[27]  Moni Naor,et al.  Efficient Trace and Revoke Schemes , 2000, Financial Cryptography.

[28]  Manuel Blum,et al.  How to generate cryptographically strong sequences of pseudo random bits , 1982, 23rd Annual Symposium on Foundations of Computer Science (sfcs 1982).

[29]  Brent Waters,et al.  Collusion Resistant Broadcast Encryption with Short Ciphertexts and Private Keys , 2005, CRYPTO.

[30]  Andrew Chi-Chih Yao,et al.  Theory and application of trapdoor functions , 1982, 23rd Annual Symposium on Foundations of Computer Science (sfcs 1982).

[31]  Adi Shamir,et al.  How to share a secret , 1979, CACM.

[32]  Michael T. Goodrich,et al.  Efficient Tree-Based Revocation in Groups of Low-State Devices , 2004, CRYPTO.

[33]  Moni Naor,et al.  Multicast security: a taxonomy and some efficient constructions , 1999, IEEE INFOCOM '99. Conference on Computer Communications. Proceedings. Eighteenth Annual Joint Conference of the IEEE Computer and Communications Societies. The Future is Now (Cat. No.99CH36320).

[34]  Matthew K. Franklin,et al.  Self-healing key distribution with revocation , 2002, Proceedings 2002 IEEE Symposium on Security and Privacy.