
Grafting Key Trees: Efficient Key Management for Overlapping Groups

  • Conference paper
  • Theory of Cryptography (TCC 2021)

Abstract

Key trees are often the best solution in terms of transmission cost and storage requirements for managing keys in a setting where a group needs to share a secret key, while being able to efficiently rotate the key material of users (in order to recover from a potential compromise, or to add or remove users). Applications include multicast encryption protocols like LKH (Logical Key Hierarchies) or group messaging like the current IETF proposal TreeKEM.

A key tree is a (typically balanced) binary tree, where each node is identified with a key: leaf nodes hold users’ secret keys while the root is the shared group key. For a group of size N, each user holds just \(\log (N)\) keys (the keys on the path from its leaf to the root), and its entire key material can be rotated by broadcasting \(2\log (N)\) ciphertexts: each fresh key on the path is encrypted under the keys of the two nodes directly below it, i.e. its two children in the tree, one of which now holds a fresh key and the other an unchanged one.

In this work we consider the natural setting where we have many groups with partially overlapping sets of users, and ask if we can find solutions where the cost of rotating a key is better than in the trivial one where we have a separate key tree for each group.

We show that in an asymptotic setting (where the number m of groups is fixed while the number N of users grows) there exist more general key graphs whose cost converges to the cost of a single group, thus saving a factor linear in the number of groups over the trivial solution.

As our asymptotic “solution” converges very slowly and performs poorly on concrete examples, we propose an algorithm that uses a natural heuristic to compute a key graph for any given group structure. Our algorithm combines two greedy algorithms, and is thus very efficient: it first converts the group structure into a “lattice graph”, which is then turned into a key graph by repeatedly applying the algorithm for constructing a Huffman code.
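The two cost statements above, the \(2\log (N)\) ciphertexts of a single key tree and the saving obtained by sharing nodes between overlapping groups, can be made concrete with a small cost model. The following Python is an added example written for this page, not code from the paper or its authors. It counts ciphertexts for the trivial one-tree-per-group solution and for a simplified grafted graph in which users with identical group membership share one balanced subtree, and each group key is the root of a Huffman tree over those shared subtrees, weighted by subtree size. The lattice-graph step of the paper's algorithm is not modelled; the function names, the cost rule (one ciphertext per child for every fresh key) and the sample group structure are assumptions of the example.

```python
"""Ciphertext-count model for key trees over overlapping groups.

Added example for this page, not code from the paper. Cost rule assumed
throughout: when a user rotates its key material, every node on a path
from its leaf up to a group key gets a fresh key, and that fresh key is
encrypted once under the key of each child of the node. In a binary tree
that is 2 ciphertexts per level, i.e. 2*depth per user.
"""
from collections import Counter
from heapq import heappop, heappush
from itertools import count


def huffman_depths(weights):
    """Binary tree over weighted leaves built the Huffman way: repeatedly
    merge the two lightest subtrees. Returns {leaf: depth}.

    Huffman minimises sum(w[l] * depth[l]), which is exactly the total
    update cost (up to the factor 2) when leaf l is itself a subtree
    holding w[l] users who all pay for the path above it.
    """
    if len(weights) == 1:
        return {next(iter(weights)): 0}
    tie = count()  # unique tiebreaker so the heap never compares leaf lists
    heap = []
    for leaf, w in weights.items():
        heappush(heap, (w, next(tie), [leaf]))
    depth = {leaf: 0 for leaf in weights}
    while len(heap) > 1:
        w1, _, left = heappop(heap)
        w2, _, right = heappop(heap)
        for leaf in left + right:  # every leaf under the new node sinks one level
            depth[leaf] += 1
        heappush(heap, (w1 + w2, next(tie), left + right))
    return depth


def balanced_depths(leaves):
    """Balanced binary key tree (Huffman with unit weights) -> {leaf: depth}."""
    return huffman_depths({leaf: 1 for leaf in leaves})


def user_cost_separate_trees(groups):
    """Trivial solution: one independent balanced key tree per group.

    groups: {group name: set of users}. Returns {user: ciphertexts needed
    to rotate that user's entire key material across all its groups}.
    """
    cost = Counter()
    for members in groups.values():
        for user, depth in balanced_depths(sorted(members)).items():
            cost[user] += 2 * depth
    return dict(cost)


def user_cost_grafted(groups):
    """Simplified grafted graph (an assumption of this example, not the
    paper's lattice-graph algorithm): users with the same membership
    signature share one balanced subtree, and each group key is the root
    of a Huffman tree over the subtrees it contains, weighted by subtree
    size. The shared subtree's path is paid once per rotation, not once
    per group.
    """
    users = set().union(*groups.values())
    signature = {u: frozenset(g for g, m in groups.items() if u in m) for u in users}
    subtrees = {}
    for u, sig in signature.items():
        subtrees.setdefault(sig, []).append(u)
    cost = {}
    for members in subtrees.values():  # cost inside the shared subtree
        for u, depth in balanced_depths(sorted(members)).items():
            cost[u] = 2 * depth
    for g in groups:  # cost from the subtree root up to each group key
        weights = {sig: len(m) for sig, m in subtrees.items() if g in sig}
        for sig, depth in huffman_depths(weights).items():
            for u in subtrees[sig]:
                cost[u] += 2 * depth
    return cost


def total_cost(per_user):
    """Sum of all users' rotation costs, the quantity the Huffman step minimises."""
    return sum(per_user.values())


if __name__ == "__main__":
    # Constructed sample: twelve users, two groups of eight overlapping in four.
    groups = {"A": set(range(8)), "B": set(range(4, 12))}
    for name, fn in (("separate trees", user_cost_separate_trees),
                     ("grafted graph", user_cost_grafted)):
        per_user = fn(groups)
        print(f"{name:15s} total={total_cost(per_user):3d} "
              f"user0={per_user[0]} user5={per_user[5]} user10={per_user[10]}")
```

On the constructed sample (group A is users 0 to 7, group B is users 4 to 11) separate trees cost 96 ciphertexts in total against 80 for the grafted graph; the saving comes entirely from the four users in both groups, whose shared subtree path is paid once instead of twice. With a single group the two solutions coincide, as they must, since then every user has the same membership signature and the "grafted" graph is just one balanced tree.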

To better understand how far our proposal is from an optimal solution, we prove lower bounds on the update cost of continuous group-key agreement and multicast encryption in a symbolic model admitting (asymmetric) encryption, pseudorandom generators, and secret sharing as building blocks.

B. Auerbach, M. A. Baig and K. Pietrzak received funding from the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme (682815 - TOCNeT); Karen Klein was supported in part by ERC CoG grant 724307 and conducted part of this work at IST Austria, funded by the ERC under the European Union’s Horizon 2020 research and innovation programme (682815 - TOCNeT); Guillermo Pascual-Perez was funded by the European Union’s Horizon 2020 research and innovation programme under the Marie Skłodowska-Curie Grant Agreement No. 665385; Michael Walter conducted part of this work at IST Austria, funded by the ERC under the European Union’s Horizon 2020 research and innovation programme (682815 - TOCNeT).


Notes

  1. \(\mathcal{S}(N)\) is only well defined if N/n is an integer; we ignore this technicality as we will be interested in the case \(N\rightarrow \infty \).

  2. The question whether a polynomial time algorithm for computing \(\mathrm {Opt}(\mathcal{S})\) exists can be naturally asked in various ways. We discuss it in more detail in Sect. 7.

  3. In order to ensure authenticity of update messages and to prevent the server from sending users inconsistent update messages, these protocols employ additional techniques. We leave the question of how to adapt these to key-derivation graphs for multiple groups to future work (see Sect. 7).

  4. Regarding PCFS it might even be advantageous to include \( K_{S'} \) for all \( S'\supseteq S \).

  5. \(\mathcal{S}(N)\) is only well defined if \(N\cdot p_I\) is an integer for all I; we ignore this technicality as we are interested in the case \(N\rightarrow \infty \).

  6. Formally, the algorithm as described in Sect. 4.1 collects all users that are only in group \( S_i \) in a tree before computing the tree for \( S_i \), while in the lattice-graph variant these users are directly included in the tree for \( S_i \). Note, however, that the latter approach can only improve the total update cost.

  7. Naturally, one would require that the resulting key-derivation graph satisfies correctness. However, this is not necessary for our analysis of its update cost.


Author information

Corresponding author: Benedikt Auerbach.

Copyright information

© 2021 International Association for Cryptologic Research

About this paper

Cite this paper

Alwen, J. et al. (2021). Grafting Key Trees: Efficient Key Management for Overlapping Groups. In: Nissim, K., Waters, B. (eds) Theory of Cryptography. TCC 2021. Lecture Notes in Computer Science(), vol 13044. Springer, Cham. https://doi.org/10.1007/978-3-030-90456-2_8

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-90456-2_8

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-90455-5

  • Online ISBN: 978-3-030-90456-2
