Design of Self-Healing Key Distribution Schemes

A self-healing key distribution scheme enables dynamic groups of users of an unreliable network to establish group keys for secure communication. In such a scheme, a group manager, at the beginning of each session, in order to provide a key to each member of the group, sends packets over a broadcast channel. Every user, belonging to the group, computes the group key by using the packets and some private information. The group manager can start multiple sessions during a certain time-interval, by adding/removing users to/from the initial group. The main property of the scheme is that, if during a certain session some broadcasted packet gets lost, then users are still capable of recovering the group key for that session simply by using the packets they have received during a previous session and the packets they will receive at the beginning of a subsequent one, without requesting additional transmission from the group manager. Indeed, the only requirement that must be satisfied, in order for the user to recover the lost keys, is membership in the group both before and after the sessions in which the broadcast messages containing the keys are sent. This novel and appealing approach to key distribution is quite suitable in certain military applications and in several Internet-related settings, where high security requirements need to be satisfied. In this paper we continue the study of self-healing key distribution schemes, introduced by Staddon et al. [37]. We analyze some existing constructions: we show an attack that can be applied to one of these constructions, in order to recover session keys, and two problems in another construction. Then, we present a new mechanism for implementing the self-healing approach, and we present an efficient construction which is optimal in terms of user memory storage. 
Finally, we extend the self-healing approach to key distribution, and we present a scheme which enables a user to recover from a single broadcast message all keys associated with sessions in which he is a member of the communication group.
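
An added sketch of the self-healing property described in the abstract, not a construction from this paper: it assumes a share-splitting design in which each session key is K_j = p_j + q_j, and every broadcast carries the p-shares of earlier sessions and the q-shares of later ones. The class names, the modulus and the per-member pads are assumptions of the example; revocation and collusion resistance are left out.

```python
import secrets

P = 2**127 - 1  # prime modulus of the toy field (assumed parameter)

class GroupManager:
    """Toy manager for m sessions and a single, never-revoked member."""
    def __init__(self, m):
        self.m = m
        rnd = lambda: secrets.randbelow(P)
        self.p = [rnd() for _ in range(m)]   # shares revealed in later sessions
        self.q = [rnd() for _ in range(m)]   # shares revealed in earlier sessions
        self.keys = [(a + b) % P for a, b in zip(self.p, self.q)]
        # pads[j][i] masks slot i of broadcast j; handed to the member at setup
        self.pads = [[rnd() for _ in range(m)] for _ in range(m)]

    def broadcast(self, j):
        """Slot i<j carries p_i, slot j carries K_j, slot i>j carries q_i."""
        def payload(i):
            return self.p[i] if i < j else self.keys[j] if i == j else self.q[i]
        return [(payload(i) + self.pads[j][i]) % P for i in range(self.m)]

class Member:
    def __init__(self, pads):
        self.pads = pads                      # private information from setup
        self.p, self.q, self.keys = {}, {}, {}

    def receive(self, j, packet):
        """Unmask every slot of broadcast j and file the recovered value."""
        for i, c in enumerate(packet):
            value = (c - self.pads[j][i]) % P
            target = self.p if i < j else self.keys if i == j else self.q
            target[i] = value

    def session_key(self, j):
        """K_j if received directly or healable from both shares, else None."""
        if j in self.keys:
            return self.keys[j]
        if j in self.p and j in self.q:
            return (self.p[j] + self.q[j]) % P
        return None

def demo(m=5, lost=2):
    """Member hears sessions 1 and 3 (0-indexed) and misses session `lost`."""
    gm = GroupManager(m)
    user = Member(gm.pads)
    user.receive(1, gm.broadcast(1))          # learns q_2 but not p_2
    before = user.session_key(lost)
    user.receive(3, gm.broadcast(3))          # learns p_2, so K_2 heals
    return before, user.session_key(lost) == gm.keys[lost], user, gm
```

The member still cannot derive the keys of sessions 0 and 4, which matches the abstract's requirement of membership both before and after the lost session.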

[1] Ran Canetti, et al. Efficient Communication-Storage Tradeoffs for Multicast Encryption, 1999, EUROCRYPT.

[2] Tsutomu Matsumoto, et al. A Quick Group Key Distribution Scheme with "Entity Revocation", 1999, ASIACRYPT.

[3] Arjen K. Lenstra, et al. Selecting Cryptographic Key Sizes, 2000, Journal of Cryptology.

[4] Douglas R. Stinson, et al. On Some Methods for Unconditionally Secure Key Distribution and Broadcast Encryption, 1997, Des. Codes Cryptogr.

[5] Moni Naor, et al. Digital signets: self-enforcing protection of digital information (preliminary version), 1996, STOC '96.

[6] Amos Fiat, et al. Broadcast Encryption, 1993, CRYPTO.

[7] Amit Sahai, et al. Coding Constructions for Blacklisting Problems without Computational Assumptions, 1999, CRYPTO.

[8] Shimshon Berkovits, et al. How To Broadcast A Secret, 1991, EUROCRYPT.

[9] Moni Naor, et al. Multicast security: a taxonomy and some efficient constructions, 1999, IEEE INFOCOM '99. Conference on Computer Communications. Proceedings. Eighteenth Annual Joint Conference of the IEEE Computer and Communications Societies. The Future is Now (Cat. No.99CH36320).

[10] Reihaneh Safavi-Naini, et al. New constructions for multicast re-keying schemes using perfect hash families, 2000, CCS.

[11] Douglas R. Stinson, et al. Generalized Beimel-Chor Schemes for Broadcast Encryption and Interactive Key Distribution, 1998, Theor. Comput. Sci.

[12] Matthew K. Franklin, et al. Self-healing key distribution with revocation, 2002, Proceedings 2002 IEEE Symposium on Security and Privacy.

[13] Dan Boneh, et al. The Decision Diffie-Hellman Problem, 1998, ANTS.

[14] Jessica Staddon, et al. Combinatorial Bounds for Broadcast Encryption, 1998, EUROCRYPT.

[15] Douglas R. Stinson, et al. Some New Results on Key Distribution Patterns and Broadcast Encryption, 1998, Des. Codes Cryptogr.

[16] Aggelos Kiayias, et al. Self Protecting Pirates and Black-Box Traitor Tracing, 2001, CRYPTO.

[17] Carlo Blundo, et al. A new self-healing key distribution scheme, 2003, Proceedings of the Eighth IEEE Symposium on Computers and Communications. ISCC 2003.

[18] Aggelos Kiayias, et al. Traitor Tracing with Constant Transmission Rate, 2002, EUROCRYPT.

[19] Adi Shamir, et al. The LSD Broadcast Encryption Scheme, 2002, CRYPTO.

[20] Amos Fiat, et al. Dynamic Traitor Tracing, 2001, Journal of Cryptology.

[21] T. Elgamal. A public key cryptosystem and a signature scheme based on discrete logarithms, 1984, CRYPTO 1984.

[22] Douglas R. Stinson, et al. An Application of Ramp Schemes to Broadcast Encryption, 1999, Inf. Process. Lett.

[23] Reihaneh Safavi-Naini, et al. A Secure Re-keying Scheme with Key Recovery Property, 2002, ACISP.

[24] Birgit Pfitzmann, et al. Trials of Traced Traitors, 1996, Information Hiding.

[25] Thomas M. Cover, et al. Elements of Information Theory, 2005.

[26] Dawn Xiaodong Song, et al. ELK, a new protocol for efficient large-group key distribution, 2001, Proceedings 2001 IEEE Symposium on Security and Privacy. S&P 2001.

[27] Avishai Wool, et al. Long-Lived Broadcast Encryption, 2000, CRYPTO.

[28] Moti Yung, et al. Perfectly Secure Key Distribution for Dynamic Conferences, 1998, Inf. Comput.

[29] Jessica Staddon, et al. Combinatorial properties of frameproof and traceability codes, 2001, IEEE Trans. Inf. Theory.

[30] Douglas R. Stinson, et al. Key Preassigned Traceability Schemes for Broadcast Encryption, 1998, Selected Areas in Cryptography.

[31] Moni Naor, et al. Revocation and Tracing Schemes for Stateless Receivers, 2001, CRYPTO.

[32] Carlo Blundo, et al. Space Requirements for Broadcast Encryption, 1994, EUROCRYPT.

[33] Donggang Liu, et al. Efficient self-healing group key distribution with revocation capability, 2003, CCS '03.

[34] Douglas R. Stinson, et al. Combinatorial Properties and Constructions of Traceability Schemes and Frameproof Codes, 1998, SIAM J. Discret. Math.

[35] Douglas R. Stinson, et al. Fault Tolerant and Distributed Broadcast Encryption, 2003, CT-RSA.

[36] Eric J. Harder, et al. Key Management for Multicast: Issues and Architectures, 1999, RFC.

[37] Carlo Blundo, et al. A flaw in a self-healing key distribution scheme, 2003, Proceedings 2003 IEEE Information Theory Workshop (Cat. No.03EX674).

[38] Reihaneh Safavi-Naini, et al. Sequential Traitor Tracing, 2000, CRYPTO.

[39] Alfredo De Santis, et al. Definitions and Bounds for Self-Healing Key Distribution Schemes, 2004, ICALP.

[40] Moni Naor, et al. Efficient Trace and Revoke Schemes, 2000, Financial Cryptography.

[41] Jessica Staddon, et al. Efficient Methods for Integrating Traceability and Broadcast Encryption, 1999, CRYPTO.