1 / 28

Optimal Communication Complexity of Generic Multicast Key Distribution

Optimal Communication Complexity of Generic Multicast Key Distribution. Saurabh Panjwani UC San Diego. (Joint Work with Daniele Micciancio). Multicast.

rasul
Download Presentation

Optimal Communication Complexity of Generic Multicast Key Distribution

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Optimal Communication Complexity of Generic Multicast Key Distribution Saurabh Panjwani UC San Diego (Joint Work with Daniele Micciancio)

  2. Multicast • Multicast is a primitive which enables a source of information to communicate with multiple receivers in a network with efficiency better than sending data individually to all the receivers. (Efficiency means better utilization of sender resources and bandwidth.) Three unicast flows = Sender = Receiver = Others

  3. Multicast • Multicast is a primitive which enables a source of information to communicate with multiple receivers in a network with efficiency better than sending data individually to all the receivers. (Efficiency means better utilization of sender resources and bandwidth.) One multicast flow = Sender = Receiver = Others

  4. How does one keep group communication secret ? • How do multiple receivers authenticate a single sender efficiently ? • How do we authorize anyone to send data on a multicast channel ? Multicast • Example Applications: • Electronic Conferences, Virtual rooms • PayTV or Video-on-demand services • Stock quotes • Security in multicast involves new challenges:

  5. Ek(data) A Secrecy in Multicast k • In unicast, secrecy can be achieved by sharing a key between the parties and using symmetric-key encryption. data ?

  6. k Ek(data) data data A data • If group membership changes, the key • should also change. Secrecy in Multicast • Can we do the same for multicast ? ?

  7. Rekey messages k k k ? ? ? Multicast Key Distribution • A group centerdistributes a shared ‘group key’ to all members (senders & receivers). Sends messages to change the key whenever membership changes : = Group member = Non-member Center k' k' k' • Goal: At any instant of time, only the members should “know” the group key.

  8. E (k); E (k); E (k) k1 k3 k5 k k k ? ? ? k4 k1 k3 k5 k6 k2 Multicast Key Distribution • Setup: Each user ui has a unique keyki that it shares with the center. = Group member = Non-member Generate k Center u1 u2 u2 u3 u4 u5 u6 For group with n members, center sends n rekey messages (per membership update). But we can do better…

  9. Previous Work – Upper Bounds • Wong, Gouda, Lam [WGL98]; Wallner, Harder, Agee [WHA99] gave a protocol in which every join/leave operation in a group of size n involves sending 2log2(n)rekey messages. • Canetti, Garay, Itkis, Micciancio, Naor, Pinkas [CGIMNP99] improved this to log2(n). (Used pseudorandom generators in creation of rekey messages). Best known upper bound –log2(n)

  10. Previous Work – Lower Bounds • Canetti, Malkin, Nissim [CMN99] gave the first non-trivial lower bound: for a restricted class of protocols, in a group of size n, center must send W(log(n))rekey messages (per membership update). • Snoeyink, Suri and Varghese [SSV01] proved a bound for more general protocols. For groups of size n, rekey cost must be at least 3log3(n). Best known lower bound –3log3(n) Interestingly,3log3(n) > log2(n) (lower bound is higher than upper bound)

  11. k k k k G0(k) G0(k) G0(k) . . . . . . Gm(k) Gm(k) Gm(k) Why is this so? • Why can’t pseudorandom generators be used? • In the model used in [SSV01], every rekey message must be of the form Ek(k'). Eg: TakeG(k) = G0(k) G1(k)…Gm(k) Best known protocol uses PRGs. Center

  12. E(k'') E(k''); k2 k1 k k k' k k' k' k'' k'' ? ? Why is this so? • Why can’t nested encryptionbe used? • In the model used in [SSV01], every rekey message must be of the form Ek(k'). Eg: Two auxiliary keys, k, k'. Center wants to send a key k'' to members u1 andu2 One Possibility Center u1 u2 u3 u4 k1 k2 k3 k4

  13. Ek(Ek'(k'')) k k k' k k' k' k'' k'' ? ? Why is this so? • Why can’t nested encryptionbe used? • In the model used in [SSV01], every rekey message must be of the form Ek(k'). Eg: Two auxiliary keys, k, k'. Center wants to send a key k'' to members u1 andu2 Nested encryption has been used in some protocols. Better possibility Center u1 u2 u3 u4 k1 k2 k3 k4 Saves communication by a factor of 2

  14. E E(k'', G1(k')) G1(k1 ) G0(k2 ) log2(n)is optimal • We answer: A More General Model • Rekey messages can be generated by arbitrary combinationof pseudorandom generators and symmetric-key encryption. Center u1 u3 u2 u4 u5 u6 k1 k6 k5 k4 k2 k3 • Question: How good can you do under this model?

  15. k4 k1 k3 k5 k6 k2 Our Model • Every user shares unique key with center. At any instant, a finite set of users are members. • All parties have black-box access to a pseudorandom generator Gand an encryption-decryption pair (E,D) . Center u1 u3 u2 u4 u5 u6

  16. A • Join – Add a non-member to the group. • Leave – Delete a member from the group. • Replace – Replace a memberwith a non-member(keeps the group size same). Join Leave Replace k4 k1 k3 k5 k6 k2 Our Model • Membership is controlled by an adversary who issues one of three commands at every instant: Center u1 u3 u2 u4 u5 u6

  17. M K | EK(M) K random_key | G0(K) | G1(K) | .. | Gm(K) E E(k'') G1(k1 ) G0(k2 ) k4 k1 k3 k5 k6 k2 Our Model • Center responds by sending rekey messages. A rekey message is derived from the grammar: Center u1 u3 u2 u4 u5 u6

  18. E E(kg ) E(kg ); G0(k') k k1 + + + + + E (kg ) E E(kg ) E E(kg ) E E(kg ) E E(kg ) k1 G0(k') G0(k') G0(k') G0(k') k k k k kg ? ? kg kg Our Model – Security Definition Center • What are the keys a user “knows” at any instant? u3 u2 u4 u5 u1 k4 k1 k5 k3 k2 k; G0(k') k; k' k; G1(k') G0(k')

  19. E E(kg ) E(kg ); G0(k') k k1 Our Model – Security Definition Center • What are the keys a user “knows” at any instant? u3 u2 u4 u5 u1 k4 k1 k5 k3 k2 • Use an abstract encryption model for defining this notion (Similar to Dolev-Yao logic). • Connections between such an abstract framework and complexity-theoretic framework has been studied by Abadi-Rogaway [AR02], Micciancio-Warinschi [MW04], Abadi-Jurjens [AJ01], Gligor-Horvitz [GH03] etc.

  20. Our Model – Security Definition • Definition: A multicast key distribution protocol is secure if for every sequence of adversarial commands, at every time instant t, there is a key kt such that - • Every member at time t knows kt • NO non-member at time t knows kt • A very liberal definition ! • Security against collusions of non-members? But a weak definition only makes our lower bound stronger.

  21. Our Result • Theorem: The amortized communication complexity of secure multicast key distribution is log2(n) - c. (ctends to 0 as number of adversarial commands increases). • Amortized complexity means number of rekey messages sent per update command for a sequence of update commands. Matches the cost of the best known protocol up to small ‘additive’ constant.

  22. non-member member member Proof Idea • View a multicast key distribution protocol as a game played between center and adversary. A Center • The playing board is an infinite forest on keys. A tree in this forest represents the set of pseudorandom keys derived from the root key. • Some of the root keys are labeled either member or non-member.

  23. k1 k k' Proof Idea • View a multicast key distribution protocol as a game played between center and adversary. A non-member Center member member Ek(Ek'(k1) • Adversary changes labels on the keys which are labeled member or non-member. • Center introduces rekey messages, modeled as hyper-edges over the keys.

  24. Proof Idea • View a multicast key distribution protocol as a game played between center and adversary. A non-member Center member member • A hyper-edge becomes useless once the key it points to becomes “reachable” from any non-member node. • Show that the adversary can select to delete and add members in a way such that a lot of hyper-edges become useless in every move.

  25. Open Questions • What about average-case communication complexity ? • Does the bound hold even without replace operations ? • What if other cryptographic primitives are used for generating rekey messages (eg. PRFs, secret sharing) ?

  26. Questions?

  27. References • [AR] M. Abadi, P. Rogaway. Reconciling Two Views of Cryptography (or the Computational Soundness of Formal Encryption). Journal of Cryptology 15(2), 2002. • [CGIMNP] R. Canetti, J. Garay, G. Itkis, D. Micciancio, M. Naor, B. Pinkas. Multicast Security: A taxonomy and some efficient constructions. In Proc. of INFOCOM 1999. • [CMN] R. Canetti, T. Malkin, K. Nissim. Efficient communication-storage tradeoffs for multicast encryption. In Advances in Cryptology – EUROCRYPT 1999. • [MW] D. Micciancio, B. Warinschi. Completeness theorems for the Abadi-Rogaway Logic of Encrypted Expressions. Journal of Computer Security, 12(1), 2004. • [AJ] M.Abadi, J.Jurjens. Formal eavesdropping and its computational interpretation. In TACS 2001.

  28. References • [SSV] J. Snoeyink, S. Suri, G. Varghese. A lower bound for Multicast Key Distribution. In Proc. of INFOCOM 2001. • [GH] V.Gligor, D.O.Horvitz. Weak Key Authenticity and the Computational Completeness of Formal Encryption. In CRYPTO 2003. • [WHA] D. Wallner, E. Harder, R. Agee. Key management for Multicast: Issues and Architecture. RFC 2627, June 1999. • [WGL] C. Wong, M. Gouda, S. Lam. Secure Group Communication using Key graphs. In Proc. of SIGCOMM 1998.

More Related