Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
Group Key Management Scheme for Simultaneous Multiple Groups with Overlapped
Membership
Andrew Moore9/27/2011
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
2Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Review of Group CommunicationBackground InformationScheme DefinitionsProtocol DiscussionExampleResultsConclusion
Overview
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
3Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Group communication is a means for members of a group to exchange messages with one another Static group Dynamic group
Secure group communication Forward access control Backward access control Rekeying
Group Communication
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
4Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Group key management Centralized group key management Decentralized group key management Distributed group key management
Example of centralized group key management Key Distribution Center (KDC) manages groups by
organizing keys in a key tree Each leaf is a user that has a private key and a
group key to encrypt/decrypt
Group Communication (cont.)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
5Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Multiple users in multiple groups Shamir’s secret sharing Key-User Tree (KUT)
Multiple groups are a collection of subgroupsEach subgroup consists of distinct users and is
secureGroup members communicate with group keySecure multiple groups are a collection of
secure subgroups
Group Communication (cont.)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
6Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Overlapping Membership
Group A(8 users)
Group B(9 users)
Group C(9 users)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
7Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Interpolation – given a set of points, find a polynomial that goes through all points in the set
LaGrange Form – the polynomial with the least degree that each x corresponds to a y Not unique No x can be the same Given k points, distinct polynomials are constructed using
the following equations
LaGrange Form of the Interpolation Polynomial
(1)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
8Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
P1= {(x1,y1),…,(xk,yk)}P2= {(x1,y1),…,(xm,ym)}|P1| = |P2| = kNo xi in P1 is the same (same for P2)Let:
𝑃1∩𝑃2 = {(𝑥1,𝑦1),...,(𝑥 −1𝑘 ,𝑦 −1𝑘 )} 𝑎𝑛𝑑 ∣𝑃1∩𝑃2 ∣= −1 𝑘
𝑃1∪𝑃2 = (𝑃1∩𝑃2) {(∪ 𝑥𝑘, 𝑦𝑘), (𝑥𝑚, 𝑦𝑚)} 𝑎𝑛𝑑∣𝑃1∪𝑃2 = +1 ∣ 𝑘
LaGrange (cont.)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
9Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
𝑃1 ∩ 2 contains all the points common to 𝑃both 1 and 2 𝑃 𝑃
Adding (xk,yk) to 1 ∩ 2 and using (1) from 𝑃 𝑃7 yields a polynomial P1(x) where the degree is k-1
Adding (xm,ym) to 1 ∩ 2 and using (1) from 𝑃 𝑃7 yields a polynomial P2(x) where the degree is k-1
P1(x) and P2(x) share y-intercept
LaGrange (cont.)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
10Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Lemma S = {(x1,y1},…,(xk-1,yk-1} where each xi and yi, i = 1,…k-1,
are chosen from GF(p) Each xi is unique Add point (xk,yk), such that xk ≠ xj for all j = 1,…,k-1 in S Using (1), a polynomial of degree k-1 can be
constructed For each distinct (xi,yi), i=1…,n not in S, n polynomials
can be constructed n polynomials for n + k – 1 points
LaGrange (cont.)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
11Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
U = {u1,…,un} is the set of n usersS1,…Sm are m groups compromising of distinct
subsets of usersx -> y: z denotes sending a message from x to
y (unicast or multicast){M}K : Encrypt message M with key Kuserset(K) : users who have key K
Scheme Definitions
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
12Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
uk -> KDC : (J,Si), join request from user uk to group Si (could be set of users)
uk -> KDC : (L,Si), leave request from user uk to whose parent group is Si
uk -> KDC : (J,Si,Sj), join request from user uk to group Sj whose parent group is Si
uk -> KDC : (L,ε,Sj), leave request from user uk
who has no parent group to leave group Sj
Scheme Definitions (cont.)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
13Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Joining Point: node of KUT where newly joined user is attached
Parent group: joining point of user is defined in the right subtree of the corresponding KUT for the group
Non-parental group: joining point of user is defined in the left subtree of the corresponding KUT for the group
Storage cost: number of points used to construct group keys and the number of auxiliary keys
Scheme Definitions (cont.)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
14Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Constructed by the KDC for each groupPartially based on Logical Key Tree (LKT)User categories
Parent group users Non-parental group users
Key User Tree
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
15Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Key User Tree (cont.)
Arbitrary key K of KDC
Group key GUser Node
LKT
t parent group users, height of LKT isk non-parental group users, binary tree with ui, i=1,
…k, as nodes with u1 being the root
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
16Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Key User Tree (cont.)
KUT of S1
KUT of S2 KUT of S3
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
17Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
One KDC Manages the multiple secure groups Uses KUT to manage keys Handles all join/leave requests and rekeying
processChooses security parameter k and fixes GF(p)Initially there are no users in any groupSet U of n users that want to join m groups
Multiple Group Key Management Scheme (Step 1)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
18Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Assume user is authenticated and a secure channel initially exists between each user and the KDC
KDC generates a Ki for each user ui
Ki is a private keyKi enables ui to securely communicate with
KDC
Multiple Group Key Management Scheme (Step 2)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
19Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
KDC chooses k-2 points (xi,yi), i = 1,..,k-2(xi,yi) are chosen randomly and independently
from GF(p) such that no values of xi are the same All points are distinct Prepositioned base shares Sent to all users
KDC chooses another point (xk-1, yk-1) such that xk-1 ≠ xi
Polynomial construction trigger share
Multiple Group Key Management Scheme (Step 3)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
20Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
KDC selects m points (xSj,ySj), j = 1,…,m by picking xSj and ySj from GF(p) All points are distinct No xi can equal xSj
Group specific share of a user who is joining Sj
Multiple Group Key Management Scheme (Step 4)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
21Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
KDC constructs LKT for each group Sj
Auxiliary keys computed Group keys computed using {(x1,y1),…, (xk-2,yk-2),(xk-
1,yk-1), (xSj,ySj)} and applying (1) to obtain Sj(x) Sj(x=0) is group key Gj for Sj
KDC sends auxiliary keys to respective users• Auxiliary keys are represented as the intermediate
nodes of the LKT• Each user has -1 auxiliary keys, for t users in Sj
LKT for Sj rooted at Gj
Multiple Group Key Management Scheme (Step 5)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
22Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
KDC constructs KUT rooted at K LKT is rooted at Gj as right subtree of KUT Initially, left subtree is empty
Multiple Group Key Management Scheme (Step 5 cont.)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
23Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
KDC sends (xSj,ySj) to all users who request to join group Sj
A user who has sent a request to join Sj will have the prepositioned base shares and a group specific share {(x1, y1),…,(xk-2,yk-2)} {xSj,ySj}
KDC sends polynomial construction trigger share to all users of group Sj
(xk-1,yk-1)
Multiple Group Key Management Scheme (Step 6)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
24Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
User constructs Sj(x) from three shares using (1) to make polynomial of degree k-1
Solve for x = 0 to obtain Gj
Multiple Group Key Management Scheme (Step 7)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
25Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
S1 = {u1,…,u7} {u∪ 9,…,u13} {u1,…,u7} are parent group members {u9,…,u13} have overlapping membership
S2 = {u9,…,u15} {u∪ 1,…,u4} {u9,…,u15} are parent group members {u1,…,u4} have overlapping membership
Example
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
26Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
KUT of S1
Example (cont.)
KS1
u9 K1-8
u10 u11
u12 u13
K1-4 K5-8
K1-2 K3-4 K5-6 K7-8
K1 K2 K3 K5K4 K6 K7
u1 u2 u3 u4 u5 u6 u7
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
27Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
KUT of S2
Example (cont.)
KS2
u1 K9-16
u2 u3
u4
K9-12 K13-16
K9-10 K11-12 K13-14 K15-16
K9 K10 K11 K13K12 K14 K15
u9 u10 u11 u12 u13 u14 u15
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
28Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Consider u8 joining S1
Parent group join (not in S1 or S2)User sends join requestKDC finds the joining point K7-8, changes K7-8,
K5-8, and K1-8
Chooses new group specific share (x’s1,y’s1)K1-8
• Must be distinct• Sends to all users in S1
Generates new auxiliary keys K’5-8 and K’7-8
Example Join
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
29Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
KDC sends {(x’S1,y’S1)}K1-8 to all usersKDC sends {K’5-8}K5-8 to {u5,u6,u7}KDC sends {K’7-8}K7-8 to {u7}KDC sends {{(x1,y1),…,(xk-1,yk-1)},K’5-8,K’7-8}K8 to
{u8}All users construct new group key
Example Join (cont.)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
30Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Example Join (cont.)
KUT of S1 after joinKS1
u9 K1-8
u10 u11
u12 u13
K1-4 K5-8
K1-2 K3-4 K5-6 K7-8
K1 K2 K3 K5K4 K6 K7
u1 u2 u3 u4 u5 u6 u7
K8
u8
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
31Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Consider u5 joining S2
Joining non-parental groupKDC finds the joining point in the left subtreeKDC finds new group specific share (x’S2,y’S2)
KDC sends {(x’S2,y’S2)}K9-16 to {u9,…,u15} {u∪ 1,…,u4} KDC sends {(x’S2,y’S2)}K5 to u5
All users compute new group key
Example Join 2
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
32Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
KUT of S2 after join
Example Join 2(cont.)
KS2
u1 K9-16
u2 u3
u4
K9-12 K13-16
K9-10 K11-12 K13-14 K15-16
K9 K10 K11 K13K12 K14 K15
u9 u10 u11 u12 u13 u14 u15
u5
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
33Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Consider u6 leaving S1
KDC removes nodeKDC changes keys K5-6, K’5-8,K’1-8
KDC chooses new distinct group specific share (x’’S1,y’’S1)
KDC sends {(x’’S1,y’’S1),K’’5-8, K5-6}K5 to {u5}KDC sends {(x’’S1,y’’S1),K’’5-8}K’7-8 to {u7,u8}KDC sends {(x’’S1,y’’S1),}K1-4 to {u1,…,u4}KDC sends {(x’’S1,y’’S1),}K9-12 to {u9,…,u12}KDC sends {(x’’S1,y’’S1),}K13 to {u13}
Example Leave
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
34Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
All members construct the new group keyAll changed keys are sent to the appropriate
user
Example Leave (cont.)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
35Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Example Leave(cont.)
KUT of S1 after leaveKS1
u9 K1-8
u10 u11
u12 u13
K1-4 K5-8
K1-2 K3-4 K5-6 K7-8
K1 K2 K3 K5K4 K7
u1 u2 u3 u4 u5 u7
K8
u8
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
36Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Consider u5 leaving S2
Non-parent group member leaveKDC removes nodeKDC chooses new distinct group specific share
(x’’Sj,y’’Sj)
KDC sends {(x’’Sj,y’’Sj)}K9-12 to {u9,…,u12}KDC sends {(x’’Sj,y’’Sj)}K13-16 to {u13,…,u15}KDC sends {(x’’Sj,y’’Sj)}K1-4 to {u1,…,u4}
Leave Example 2
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
37Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
All users compute new group keyNo auxiliary keys are changed
Leave Example 2 (cont.)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
38Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
KUT of S2 after leave
Example Leave 2 (cont.)
KS2
u1 K9-16
u2 u3
u4
K9-12 K13-16
K9-10 K11-12 K13-14 K15-16
K9 K10 K11 K13K12 K14 K15
u9 u10 u11 u12 u13 u14 u15
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
39Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Number of Encryptions Parent group join
• Atmost + 1 Non-Parent group join
• 2 Number of Key Changes
Parent group join• Atmost
Non-Parent group join• 1
Number of Rekey-Messages Parent group join
• Atmost + 1 Non-Parent group join
• 2
Analysis of Join
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
40Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Number of Encryptions Parent group leave
• ≤ 2 + t Non-Parent group leave
• ≤ t + 2 Number of Key Changes
Parent group leave• ≤
Non-Parent group leave• 1
Number of Rekey-Messages Parent group leave
• ≤ + t Non-Parent group leave
• ≤ t + 2
Analysis of Leave
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
41Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
User of a parent group without overlapping membership
User of a parent group with m overlapping memberships
User who has left parent group and has m overlapping memberships
Storage Cost Estimation
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
42Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
User of a parent group without any overlapping memberships (k-2) prepositioned base shares 1 polynomial construction trigger share 1 group specific share of the parent group - 1 auxiliary keys Private key
Storage Cost Estimation (cont.)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
43Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
User of a parent group with m overlapping memberships (k-2) prepositioned base shares 1 polynomial construction trigger share 1 group specific share of the parent group - 1 auxiliary keys Private key m group specific share of other groups
Storage Cost Estimation (cont.)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
44Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
User who has left parent group and has m overlapping memberships (k-2) prepositioned base shares 1 polynomial construction trigger share Private key m group specific share of other groups
Storage Cost Estimation (cont.)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
45Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Suppose n users with m groupsEach parent group member of every group has
an overlapping membership with every other group
A group has (m-1)n non-parent group members and n parent group members
Results
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
46Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Scheme in [1] Our Scheme based on 𝐾𝑈𝑇# of encryptions # of Key Changes # of encryptions # of Key Changes
Join of a parent group user 2⌈ 2 𝑙𝑜𝑔 ⌉ 𝑚𝑛 ⌈𝑙𝑜𝑔2 ⌉ 𝑚𝑛 2⌈ 2 ⌉ + 1 𝑙𝑜𝑔 𝑛 ⌈𝑙𝑜𝑔2 ⌉ 𝑛Join of a non-parent group user 2⌈ 2 𝑙𝑜𝑔 ⌉ 𝑚𝑛 ⌈𝑙𝑜𝑔2 ⌉ 𝑚𝑛 2 1
Leave of a parent group user 2⌈ 2 𝑙𝑜𝑔 ⌉ 𝑚𝑛 ⌈𝑙𝑜𝑔2 ⌉ 𝑚𝑛 2⌈ 2 ⌉ + 𝑙𝑜𝑔 𝑛 𝑚
− 2 ⌈𝑙𝑜𝑔2 ⌉ 𝑛Leave of a non-parent group user 2⌈ 2 𝑙𝑜𝑔 ⌉ 𝑚𝑛 ⌈𝑙𝑜𝑔2 ⌉ 𝑚𝑛 ≤ ( + 𝑚
2^[( 2 𝑙𝑜𝑔−1)𝑛 / 2] )
1
Storage at a user ( + 𝑚 𝑘 − 1) shares and 2 𝑚𝑙𝑜𝑔 𝑛auxiliary keys
( + 𝑚 𝑘 − 1) shares and 2 𝑙𝑜𝑔 𝑛auxiliary keys
Results
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
47Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Scheme scales well as overlapping membership increases rapidly
Significant reduction in rekeying cost, storage, and number of encryptions
Conclusion