Presentation is loading. Please wait.

Presentation is loading. Please wait.

Optimal Communication Complexity of Generic Multicast Key Distribution Saurabh Panjwani UC San Diego (Joint Work with Daniele Micciancio)

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Optimal Communication Complexity of Generic Multicast Key Distribution Saurabh Panjwani UC San Diego (Joint Work with Daniele Micciancio)"— Presentation transcript:

1 Optimal Communication Complexity of Generic Multicast Key Distribution Saurabh Panjwani UC San Diego (Joint Work with Daniele Micciancio)

2 Multicast Multicast is a primitive which enables a source of information to communicate with multiple receivers in a network with efficiency better than sending data individually to all the receivers. (Efficiency means better utilization of sender resources and bandwidth.) = Sender = Receiver Three unicast flows = Others

3 Multicast Multicast is a primitive which enables a source of information to communicate with multiple receivers in a network with efficiency better than sending data individually to all the receivers. (Efficiency means better utilization of sender resources and bandwidth.) = Sender = Receiver One multicast flow = Others

4 Multicast Example Applications:  Electronic Conferences, Virtual rooms  PayTV or Video-on-demand services  Stock quotes Security in multicast involves new challenges:  How does one keep group communication secret ?  How do multiple receivers authenticate a single sender efficiently ?  How do we authorize anyone to send data on a multicast channel ?

5 Secrecy in Multicast In unicast, secrecy can be achieved by sharing a key between the parties and using symmetric-key encryption. k E k (data) A ? data

6 Secrecy in Multicast Can we do the same for multicast ? If group membership changes, the key should also change. A ? data k E k (data)

7 Multicast Key Distribution A group center distributes a shared ‘group key’ to all members (senders & receivers). Sends messages to change the key whenever membership changes : = Group member = Non-member Center Rekey messages ? ? ? kkk Goal: At any instant of time, only the members should “know” the group key. k'

8 Multicast Key Distribution Setup: Each user u i has a unique key k i that it shares with the center. u1u1 Center u2u2 u5u5 u4u4 u3u3 u6u6 u2u2 ? ? ? kkk E (k); E (k); E (k) k1k1 k3k3 k5k5 = Group member = Non-member For group with n members, center sends n rekey messages ( per membership update ). Generate k But we can do better… k1k1 k2k2 k3k3 k4k4 k5k5 k6k6

9 Previous Work – Upper Bounds Wong, Gouda, Lam [WGL98]; Wallner, Harder, Agee [WHA99] gave a protocol in which every join/leave operation in a group of size n involves sending 2log 2 (n) rekey messages. Canetti, Garay, Itkis, Micciancio, Naor, Pinkas [CGIMNP99] improved this to log 2 (n). (Used pseudorandom generators in creation of rekey messages). Best known upper bound – log 2 (n)

10 Previous Work – Lower Bounds Canetti, Malkin, Nissim [CMN99] gave the first non-trivial lower bound: for a restricted class of protocols, in a group of size n, center must send  (log(n)) rekey messages (per membership update). Snoeyink, Suri and Varghese [SSV01] proved a bound for more general protocols. For groups of size n, rekey cost must be at least  log 3 (n). Best known lower bound – 3log 3 (n) Interestingly, 3log 3 (n) > log 2 (n) (lower bound is higher than upper bound)

11 Why is this so? In the model used in [SSV01], every rekey message must be of the form E k (k'). Center k Eg: Take G(k) = G 0 (k) G 1 (k)…G m (k) G 0 (k) G m (k) k.. G 0 (k) G m (k) k.. G 0 (k) G m (k) k.. Why can’t pseudorandom generators be used? Best known protocol uses PRGs.

12 Why is this so? In the model used in [SSV01], every rekey message must be of the form E k (k'). Eg: Two auxiliary keys, k, k'. Center wants to send a key k'' to members u 1 and u 2 Why can’t nested encryption be used? u1u1 Center u2u2 u4u4 u3u3 k k k' k' ? k'' ? E (k''); k1k1 E (k'') k2k2 One Possibility k1k1 k2k2 k4k4 k3k3

13 Why is this so? In the model used in [SSV01], every rekey message must be of the form E k (k'). Eg: Two auxiliary keys, k, k'. Center wants to send a key k'' to members u 1 and u 2 Why can’t nested encryption be used? u1u1 Center u2u2 u4u4 u3u3 E k (E k' (k'')) Nested encryption has been used in some protocols. k k k' k' ? k'' ? Saves communication by a factor of 2 Better possibility k1k1 k2k2 k4k4 k3k3

14 A More General Model u1u1 Center u3u3 u6u6 u5u5 k1k1 k3k3 k2k2 Rekey messages can be generated by arbitrary combination of pseudorandom generators and symmetric-key encryption. u2u2 E E (k'', G 1 (k')) G 0 (k 2 )G 1 (k 1 ) u4u4 k4k4 k5k5 k6k6 Question : How good can you do under this model? We answer : log 2 (n) is optimal

15 Our Model u1u1 Center u3u3 u6u6 u5u5 Every user shares unique key with center. At any instant, a finite set of users are members. All parties have black-box access to a pseudorandom generator G and an encryption- decryption pair (E,D). u2u2 u4u4 k1k1 k2k2 k3k3 k4k4 k5k5 k6k6

16 Our Model u1u1 Center u3u3 u6u6 u5u5 Membership is controlled by an adversary who issues one of three commands at every instant: u2u2 u4u4 k1k1 k2k2 k3k3 k4k4 k5k5 k6k6  Leave – Delete a member from the group. Leave  Join – Add a non-member to the group. Join  Replace – Replace a member with a non-member (keeps the group size same). Replace A

17 Our Model u1u1 Center u3u3 u6u6 u5u5 Center responds by sending rekey messages. A rekey message is derived from the grammar: u2u2 E E (k'') G 0 (k 2 )G 1 (k 1 ) u4u4 k1k1 k2k2 k3k3 k4k4 k5k5 k6k6 M K | E K (M) K random_key | G 0 (K) | G 1 (K) |.. | G m (K)

18 Our Model – Security Definition Center u3u3 u5u5 What are the keys a user “knows” at any instant? u2u2 u4u4 k2k2 k3k3 k4k4 k5k5 k; G 0 (k') k; k' G 0 (k') k; G 1 (k') E E (k g ) kG 0 (k' ) + kgkg E E (k g ) kG 0 (k' ) + ? E E (k g ) kG 0 (k' ) + ? E E (k g ) kG 0 (k' ) + kgkg u1u1 k1k1 E E (k g ) kG 0 (k' ) E (k g ); k1k1 E (k g ) k1k1 + kgkg

19 Our Model – Security Definition u1u1 Center u3u3 u5u5 What are the keys a user “knows” at any instant? u2u2 u4u4 k1k1 k2k2 k3k3 k4k4 k5k5 E E (k g ) kG 0 (k' ) E (k g ); k1k1 Use an abstract encryption model for defining this notion (Similar to Dolev-Yao logic). Connections between such an abstract framework and complexity-theoretic framework has been studied by Abadi-Rogaway [AR02], Micciancio-Warinschi [MW04], Abadi-Jurjens [AJ01], Gligor-Horvitz [GH03] etc.

20 Our Model – Security Definition Definition : A multicast key distribution protocol is secure if for every sequence of adversarial commands, at every time instant t, there is a key k t such that - Every member at time t knows k t NO non-member at time t knows k t A very liberal definition ! Security against collusions of non-members? But a weak definition only makes our lower bound stronger.

21 Our Result Theorem: The amortized communication complexity of secure multicast key distribution is log 2 (n) - c. ( c tends to 0 as number of adversarial commands increases). Matches the cost of the best known protocol up to small ‘additive’ constant. Amortized complexity means number of rekey messages sent per update command for a sequence of update commands.

22 Proof Idea View a multicast key distribution protocol as a game played between center and adversary. A Center Some of the root keys are labeled either member or non-member. member non-member member The playing board is an infinite forest on keys. A tree in this forest represents the set of pseudorandom keys derived from the root key.

23 Proof Idea View a multicast key distribution protocol as a game played between center and adversary. A Center member non-member member Adversary changes labels on the keys which are labeled member or non-member. Center introduces rekey messages, modeled as hyper-edges over the keys. k1k1 k k' E k (E k' (k 1 )

24 Proof Idea View a multicast key distribution protocol as a game played between center and adversary. A Center member non-member member A hyper-edge becomes useless once the key it points to becomes “reachable” from any non-member node. Show that the adversary can select to delete and add members in a way such that a lot of hyper-edges become useless in every move.

25 Open Questions Does the bound hold even without replace operations ? What about average-case communication complexity ? What if other cryptographic primitives are used for generating rekey messages (eg. PRFs, secret sharing) ?

26 Questions?

27 References [AR] M. Abadi, P. Rogaway. Reconciling Two Views of Cryptography (or the Computational Soundness of Formal Encryption). Journal of Cryptology 15(2), 2002. [CGIMNP] R. Canetti, J. Garay, G. Itkis, D. Micciancio, M. Naor, B. Pinkas. Multicast Security: A taxonomy and some efficient constructions. In Proc. of INFOCOM 1999. [CMN] R. Canetti, T. Malkin, K. Nissim. Efficient communication-storage tradeoffs for multicast encryption. In Advances in Cryptology – EUROCRYPT 1999. [MW] D. Micciancio, B. Warinschi. Completeness theorems for the Abadi-Rogaway Logic of Encrypted Expressions. Journal of Computer Security, 12(1), 2004. [AJ] M.Abadi, J.Jurjens. Formal eavesdropping and its computational interpretation. In TACS 2001.

28 [SSV] J. Snoeyink, S. Suri, G. Varghese. A lower bound for Multicast Key Distribution. In Proc. of INFOCOM 2001. [GH] V.Gligor, D.O.Horvitz. Weak Key Authenticity and the Computational Completeness of Formal Encryption. In CRYPTO 2003. [WHA] D. Wallner, E. Harder, R. Agee. Key management for Multicast: Issues and Architecture. RFC 2627, June 1999. [WGL] C. Wong, M. Gouda, S. Lam. Secure Group Communication using Key graphs. In Proc. of SIGCOMM 1998. References

Download ppt "Optimal Communication Complexity of Generic Multicast Key Distribution Saurabh Panjwani UC San Diego (Joint Work with Daniele Micciancio)"

Similar presentations

TCC 2006 Research on Password-Authenticated Group Key Exchange Jeong Ok Kwon, Ik Rae Jeong, and Dong Hoon Lee (CIST, Korea Univ.) Kouchi Sakurai (Kyushu.

TCC 2006 Research on Password-Authenticated Group Key Exchange Jeong Ok Kwon, Ik Rae Jeong, and Dong Hoon Lee (CIST, Korea Univ.) Kouchi Sakurai (Kyushu.
Universally Composable Symbolic Analysis of Cryptographic Protocols

Universally Composable Symbolic Analysis of Cryptographic Protocols
A Survey of Key Management for Secure Group Communications Celia Li.

A Survey of Key Management for Secure Group Communications Celia Li.
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 5.3 Group Key Distribution Acknowledgment: Slides on.

Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 5.3 Group Key Distribution Acknowledgment: Slides on.
Group Protocols for Secure Wireless Ad hoc Networks Srikanth Nannapaneni Sreechandu Kamisetty Swethana pagadala Aparna kasturi.

Group Protocols for Secure Wireless Ad hoc Networks Srikanth Nannapaneni Sreechandu Kamisetty Swethana pagadala Aparna kasturi.
Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech.

Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech.
Foundations of Cryptography Lecture 5 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 5 Lecturer: Moni Naor.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 5 Group Key Management.

Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 5 Group Key Management.
1 Vipul Goyal Abhishek Jain Rafail Ostrovsky Silas Richelson Ivan Visconti Microsoft Research India MIT and BU UCLA University of Salerno, Italy Constant.

1 Vipul Goyal Abhishek Jain Rafail Ostrovsky Silas Richelson Ivan Visconti Microsoft Research India MIT and BU UCLA University of Salerno, Italy Constant.
Henric Johnson1 Ola Flygt Växjö University, Sweden +46 470 70 86 49 IP Security.

Henric Johnson1 Ola Flygt Växjö University, Sweden IP Security.
Roberto Di Pietro, Luigi V. Mancini and Alessandro Mei.

Roberto Di Pietro, Luigi V. Mancini and Alessandro Mei.
CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.

CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.
Lecture 6. Bandwidth allocation in multirate multicast is significantly more complicated than the unicast network. There can be several bandwidth allocation.

Lecture 6. Bandwidth allocation in multirate multicast is significantly more complicated than the unicast network. There can be several bandwidth allocation.
Soundness And Completeness of Formal Logics of Symmetric Encryption ** Andre Scedrov ** University of Pennsylvania **Gergei Bana ** University of Pennsylvania.

Soundness And Completeness of Formal Logics of Symmetric Encryption ** Andre Scedrov ** University of Pennsylvania **Gergei Bana ** University of Pennsylvania.
Secure Multicast Xun Kang. Content Why need secure Multicast? Secure Group Communications Using Key Graphs Batch Update of Key Trees Reliable Group Rekeying.

Secure Multicast Xun Kang. Content Why need secure Multicast? Secure Group Communications Using Key Graphs Batch Update of Key Trees Reliable Group Rekeying.
Towards Scalable and Reliable Secure Multicast Presenter: Yang Richard Yang Network Research Lab Department of Computer Sciences The University of Texas.

Towards Scalable and Reliable Secure Multicast Presenter: Yang Richard Yang Network Research Lab Department of Computer Sciences The University of Texas.
Computational and Information- Theoretic Soundness and Completeness of the Expanded Logics of Formal Encryption ** Andre Scedrov ** University of Pennsylvania.

Computational and Information- Theoretic Soundness and Completeness of the Expanded Logics of Formal Encryption ** Andre Scedrov ** University of Pennsylvania.
Secure Multimedia Multicast: Interface and Multimedia Transmission GROUP 2: Melissa Barker Norman Lo Michael Mullinix server router client router client.

Secure Multimedia Multicast: Interface and Multimedia Transmission GROUP 2: Melissa Barker Norman Lo Michael Mullinix server router client router client.

Similar presentations

Ads by Google