
Multicast Key Agreement, Revisited

Conference paper

Topics in Cryptology – CT-RSA 2022 (CT-RSA 2022)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 13161)

Abstract

Multicast Key Agreement (MKA) is a long-overlooked natural primitive of large practical interest. In traditional MKA, an omniscient group manager privately distributes secrets over an untrusted network to a dynamically-changing set of group members. The group members are thus able to derive shared group secrets across time, with the main security requirement being that only current group members can derive the current group secret. There indeed exist very efficient MKA schemes in the literature that utilize symmetric-key cryptography. However, they lack formal security analyses, efficiency analyses regarding dynamically changing groups, and more modern, robust security guarantees regarding user state leakages: forward secrecy (FS) and post-compromise security (PCS). The former ensures that group secrets prior to state leakage remain secure, while the latter ensures that after such leakages, users can quickly recover security of group secrets via normal protocol operations.

More modern Secure Group Messaging (SGM) protocols allow a group of users to asynchronously and securely communicate with each other, as well as add and remove each other from the group. SGM has received significant attention recently, including in an effort by the IETF Messaging Layer Security (MLS) working group to standardize an eponymous protocol. However, the group key agreement primitive at the core of SGM protocols, Continuous Group Key Agreement (CGKA), achieved by the TreeKEM protocol in MLS, has poor worst-case efficiency and relies heavily on public-key cryptography, which is far less efficient than symmetric-key cryptography. We thus propose that in the special case of a group membership change policy which allows a single member to perform all group additions and removals, an upgraded version of classical MKA may serve as a more efficient substitute for CGKA in SGM.

We therefore present rigorous, stronger MKA security definitions that provide increasing levels of security in the case of both user and group manager state leakage, and that are suitable for modern applications, such as SGM. We then construct a formally secure MKA protocol with strong efficiency guarantees for dynamic groups. Finally, we run experiments which show that the left-balanced binary tree structure used in TreeKEM can be replaced with red-black trees in MKA for better efficiency.
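The tree-based key distribution the abstract refers to, as an added example that is not the paper's protocol or its code: an LKH-style scheme in the spirit of the key-graph constructions of [33, 35]. A group manager keeps one key per node of a complete binary tree over `n_max` leaf slots, each member holds the keys on the path from its leaf to the root, and the group secret is derived from the root key. Adding, removing or updating a member rekeys that member's path and wraps each new node key under the keys of the populated children, so every operation costs at most 2·log2(n_max) ciphertexts, a removed member cannot unwrap the new root key even though it sees the broadcast, and a member whose state leaked recovers after one update with a fresh out-of-band leaf key (post-compromise security). The names `Manager`, `Member`, `wrap`/`unwrap`, the heap-style node numbering and the HMAC-SHA256 toy cipher are this example's own assumptions; it does not model group-manager state leakage or the forward secrecy that the paper's definitions cover.

```python
# Added example, not the paper's protocol or code: an LKH-style tree MKA.
# The manager holds a key for every node of a complete binary tree over n_max
# leaf slots; a member holds the keys on its leaf-to-root path; the group secret
# is derived from the root key.  Add/remove/update rekeys one path and costs at
# most 2*log2(n_max) ciphertexts.  The cipher is a toy HMAC-SHA256 keystream + tag.
import hashlib
import hmac
import os

KEY_LEN = 32


def prf(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def wrap(key: bytes, pt: bytes):
    """Toy encrypt-then-MAC key wrapping (a real deployment uses an AEAD)."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(prf(key, b"enc" + nonce), pt))
    return nonce, ct, prf(key, b"mac" + nonce + ct)[:16]


def unwrap(key: bytes, nonce: bytes, ct: bytes, tag: bytes):
    if not hmac.compare_digest(prf(key, b"mac" + nonce + ct)[:16], tag):
        return None  # wrong or stale key: this ciphertext was not for us
    return bytes(a ^ b for a, b in zip(prf(key, b"enc" + nonce), ct))


class Manager:
    def __init__(self, n_max: int):
        assert n_max & (n_max - 1) == 0, "n_max must be a power of two"
        self.n_max = n_max
        # heap layout: root is 1, children of v are 2v and 2v+1, slot s is leaf n_max+s
        self.keys = {v: os.urandom(KEY_LEN) for v in range(1, 2 * n_max)}
        self.members: set[int] = set()

    def _populated(self, v: int) -> bool:
        """Does a current member sit in the subtree under node v?"""
        lo = hi = v
        while lo < self.n_max:
            lo, hi = 2 * lo, 2 * hi + 1
        return any(lo <= self.n_max + s <= hi for s in self.members)

    def _rekey_path(self, slot: int) -> list:
        """Fresh key at each internal node above the slot's leaf, bottom-up.  Each new
        key is wrapped under the keys of its populated children, so a member unwraps
        with a key it holds or has just learned; a removed leaf gets no ciphertext."""
        msgs, v = [], (self.n_max + slot) // 2
        while v >= 1:
            new = os.urandom(KEY_LEN)
            for child in (2 * v, 2 * v + 1):
                if self._populated(child):
                    msgs.append((v, child) + wrap(self.keys[child], new))
            self.keys[v] = new
            v //= 2
        return msgs

    def add(self, slot: int):
        """Returns the joiner's leaf key (sent out of band) and the broadcast."""
        assert 0 <= slot < self.n_max and slot not in self.members
        self.members.add(slot)
        self.keys[self.n_max + slot] = os.urandom(KEY_LEN)
        return self.keys[self.n_max + slot], self._rekey_path(slot)

    def remove(self, slot: int) -> list:
        self.members.remove(slot)
        return self._rekey_path(slot)

    def update(self, slot: int):
        """PCS: fresh leaf key out of band, then rekey the path; leaked old state decrypts nothing."""
        self.keys[self.n_max + slot] = os.urandom(KEY_LEN)
        return self.keys[self.n_max + slot], self._rekey_path(slot)

    def group_secret(self) -> bytes:
        return prf(self.keys[1], b"group-secret")


class Member:
    def __init__(self, slot: int, n_max: int, leaf_key: bytes):
        self.leaf = n_max + slot
        self.keys = {self.leaf: leaf_key}  # grows to the full path on the first broadcast

    def process(self, msgs) -> int:
        """Unwrap every ciphertext addressed to a key we hold; returns keys learned."""
        learned = 0
        for node, under, nonce, ct, tag in msgs:
            k = unwrap(self.keys[under], nonce, ct, tag) if under in self.keys else None
            if k is not None:
                self.keys[node], learned = k, learned + 1
        return learned

    def group_secret(self) -> bytes:
        return prf(self.keys[1], b"group-secret") if 1 in self.keys else b""


def demo(n_max: int = 8):
    """Five members join, slot 2 is removed but keeps listening; returns the state."""
    mgr, peers = Manager(n_max), {}
    for s in (0, 1, 2, 3, 4):
        leaf_key, msgs = mgr.add(s)
        peers[s] = Member(s, n_max, leaf_key)
        for p in peers.values():
            p.process(msgs)
    leaver = peers.pop(2)
    msgs = mgr.remove(2)
    for p in [*peers.values(), leaver]:  # the leaver still sees the broadcast
        p.process(msgs)
    return mgr, peers, leaver, len(msgs)
```

The order of the broadcast matters: ciphertexts are emitted bottom-up, so a member whose only shared ancestor with the changed leaf is high in the tree first unwraps that ancestor's new key under the unchanged sibling key it already holds, then climbs the rest of the path with keys it has just learned. A stale key fails the tag check rather than yielding garbage, which is what stops both the removed member and an attacker holding a pre-update copy of some member's state.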

The full version [9] is available as entry 2021/1570 in the IACR eprint archive.

A. Bienstock—Partially supported by a National Science Foundation Graduate Research Fellowship.

Y. Dodis—Partially supported by gifts from VMware Labs and Google, and NSF grants 1619158, 1319051, 1314568.


Notes

  1. Most constructions informally claim to have “fair-weather” \(O(\log n_\text {max})\) communication complexity [2], i.e., in some (undefined) good conditions, they have \(O(\log n_\text {max})\) communication.

  2. See https://github.com/abienstock/Multicast-Key-Agreement for the code.

  3. FS eRAM is also known in the literature as, e.g., “secure deletion” [4, 25, 27, 28, 29], “how to forget a secret” [16], “self-destruction” [18], and “revocability” [11].

  4. We could easily allow for batch operations – as the latest MLSv11 draft does through the “propose-then-commit” framework [5] – which would be more efficient than the corresponding sequential execution of those operations, but we choose not to for simplicity. We also note that updating one user at a time in case of their corruption is of course much more efficient (and just as secure) than updating the whole group in case just that user was corrupted.

  5. Any expression containing \(\bot \) evaluates to \(\mathsf {false}\).

  6. Where we use the standard PRF security of a dPRF \(\mathsf {dprf}\) on the child’s key (see the full version [9]).

  7. We only need to use a dPRF at leaves of the MKA tree for updates in which the corresponding oob message is corrupted (we could use a PRG elsewhere), but we use one at all nodes, for all operations, for simplicity.

  8. Note: we do not actually have to include the skeleton, since the tree does not actually change after updates, but we do for ease of exposition. It should not affect the complexity of the scheme since its size should be proportional to that of \(\mathsf {CT}\).

  9. See https://github.com/abienstock/Multicast-Key-Agreement for the code.

  10. Note that 12.5% is the threshold such that the group size does not approach zero in expectation, as the number of operations \(10 \cdot 2^i\) is 20 times more than the initial group size \(2^{i-1}\) and thus the difference between the probabilities of Remove and Add operations needs to be less than \(1/20 = 5\%\).

  11. In the full version [9], we also show how to retain \(\mathsf {GUS}\)’s \(O(\log n)\) computational complexity.

References

  1. Alwen, J., Coretti, S., Dodis, Y., Tselekounis, Y.: Security analysis and improvements for the IETF MLS standard for group messaging. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020, Part I. LNCS, vol. 12170, pp. 248–277. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56784-2_9

  2. Alwen, J., Coretti, S., Jost, D., Mularczyk, M.: Continuous group key agreement with active security. In: Pass, R., Pietrzak, K. (eds.) TCC 2020, Part II. LNCS, vol. 12551, pp. 261–290. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64378-2_10

  3. Alwen, J., et al.: Keep the dirt: tainted TreeKEM, adaptively and actively secure continuous group key agreement. In: 2021 IEEE Symposium on Security and Privacy (SP). IEEE (2021)

  4. Bajaj, S., Sion, R.: Ficklebase: looking into the future to erase the past. In: 2013 IEEE 29th International Conference on Data Engineering (ICDE), pp. 86–97. IEEE (2013)

  5. Barnes, R., Beurdouche, B., Millican, J., Omara, E., Cohn-Gordon, K., Robert, R.: The Messaging Layer Security (MLS) Protocol. Internet-Draft draft-ietf-mls-protocol-11, Internet Engineering Task Force, December 2020, work in progress

  6. Bellare, M., Lysyanskaya, A.: Symmetric and dual PRFs from standard assumptions: a generic validation of an HMAC assumption. Cryptology ePrint Archive, Report 2015/1198 (2015). https://eprint.iacr.org/2015/1198

  7. Bellare, M., Yee, B.: Forward-security in private-key cryptography. In: Joye, M. (ed.) CT-RSA 2003. LNCS, vol. 2612, pp. 1–18. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36563-X_1

  8. Bhargavan, K., Barnes, R., Rescorla, E.: TreeKEM: asynchronous decentralized key management for large dynamic groups (2018). https://mailarchive.ietf.org/arch/msg/mls/e3ZKNzPC7Gxrm3Wf0q96dsLZoD8

  9. Bienstock, A., Dodis, Y., Tang, Y.: Multicast key agreement, revisited. Cryptology ePrint Archive, Report 2021/1570 (2021). https://eprint.iacr.org/2021/1570

  10. Bienstock, A., Dodis, Y., Yeo, K.: Forward secret encrypted RAM: lower bounds and applications. In: Nissim, K., Waters, B. (eds.) TCC 2021, Part III. LNCS, vol. 13044, pp. 62–93. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-90456-2_3

  11. Boneh, D., Lipton, R.J.: A revocable backup system. In: USENIX Security Symposium, pp. 91–96 (1996)

  12. Bresson, E., Chevassut, O., Pointcheval, D.: Provably authenticated group Diffie-Hellman key exchange—the dynamic case. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 290–309. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45682-1_18

  13. Bresson, E., Chevassut, O., Pointcheval, D.: Dynamic group Diffie-Hellman key exchange under standard assumptions. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 321–336. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_21

  14. Bresson, E., Chevassut, O., Pointcheval, D.: Security proofs for an efficient password-based key exchange. In: Jajodia, S., Atluri, V., Jaeger, T. (eds.) ACM CCS 2003, pp. 241–250. ACM Press, Washington, DC, 27–30 October 2003

  15. Canetti, R., Garay, J., Itkis, G., Micciancio, D., Naor, M., Pinkas, B.: Multicast security: a taxonomy and some efficient constructions. In: IEEE INFOCOM 1999. Conference on Computer Communications. Proceedings. Eighteenth Annual Joint Conference of the IEEE Computer and Communications Societies. The Future is Now (Cat. No.99CH36320), vol. 2, pp. 708–716 (1999)

  16. Di Crescenzo, G., Ferguson, N., Impagliazzo, R., Jakobsson, M.: How to forget a secret. In: Meinel, C., Tison, S. (eds.) STACS 1999. LNCS, vol. 1563, pp. 500–509. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-49116-3_47

  17. Dodis, Y., Karthikeyan, H., Wichs, D.: Updatable public key encryption in the standard model. In: Nissim, K., Waters, B. (eds.) TCC 2021, Part III. LNCS, vol. 13044, pp. 254–285. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-90456-2_9

  18. Geambasu, R., Kohno, T., Levy, A.A., Levy, H.M.: Vanish: increasing data privacy with self-destructing data. In: USENIX Security Symposium, vol. 316 (2009)

  19. Harney, H., Muckenhirn, C.: RFC 2093: Group Key Management Protocol (GKMP) Specification (1997)

  20. Jost, D., Maurer, U., Mularczyk, M.: Efficient ratcheting: almost-optimal guarantees for secure messaging. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019, Part I. LNCS, vol. 11476, pp. 159–188. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17653-2_6

  21. Katz, J., Yung, M.: Scalable protocols for authenticated group key exchange. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 110–125. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_7

  22. Micciancio, D., Panjwani, S.: Optimal communication complexity of generic multicast key distribution. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 153–170. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_10

  23. Mittra, S.: Iolus: a framework for scalable secure multicasting. In: Proceedings of the ACM SIGCOMM 1997 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communication, SIGCOMM 1997, pp. 277–288. Association for Computing Machinery, New York (1997)

  24. Perrin, T., Marlinspike, M.: The double ratchet algorithm (2016). https://signal.org/docs/specifications/doubleratchet/

  25. Peterson, Z.N., Burns, R.C., Herring, J., Stubblefield, A., Rubin, A.D.: Secure deletion for a versioning file system. In: FAST, vol. 5 (2005)

  26. Porambage, P., Braeken, A., Schmitt, C., Gurtov, A., Ylianttila, M., Stiller, B.: Group key establishment for enabling secure multicast communication in wireless sensor networks deployed for IoT applications. IEEE Access 3, 1503–1511 (2015)

  27. Reardon, J., Basin, D., Capkun, S.: SoK: secure data deletion. In: 2013 IEEE Symposium on Security and Privacy, pp. 301–315. IEEE (2013)

  28. Reardon, J., Ritzdorf, H., Basin, D., Capkun, S.: Secure data deletion from persistent media. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security, pp. 271–284 (2013)

  29. Roche, D.S., Aviv, A., Choi, S.G.: A practical oblivious map data structure with secure deletion and history independence. In: 2016 IEEE Symposium on Security and Privacy (SP), pp. 178–197. IEEE (2016)

  30. Sedgewick, R.: Left-leaning red-black trees (2008)

  31. Sherman, A.T., McGrew, D.A.: Key establishment in large dynamic groups using one-way function trees. IEEE Trans. Softw. Eng. 29(5), 444–458 (2003)

  32. Tselekounis, Y., Coretti, S., Alwen, J., Dodis, Y.: Modular design of secure group messaging protocols and the security of MLS. In: ACM CCS 2021 (2021)

  33. Wallner, D., Harder, E., Agee, R.: RFC 2627: Key management for multicast: issues and architectures (1999)

  34. Weidner, M., Kleppmann, M., Hugenroth, D., Beresford, A.R.: Key agreement for decentralized secure group messaging with strong security guarantees. Cryptology ePrint Archive, Report 2020/1281 (2020). https://eprint.iacr.org/2020/1281

  35. Wong, C.K., Gouda, M., Lam, S.S.: Secure group communications using key graphs. In: Proceedings of the ACM SIGCOMM 1998 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communication, SIGCOMM 1998, pp. 68–79. Association for Computing Machinery, New York (1998)


Corresponding author: Alexander Bienstock.


Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper


Cite this paper

Bienstock, A., Dodis, Y., Tang, Y. (2022). Multicast Key Agreement, Revisited. In: Galbraith, S.D. (ed.) Topics in Cryptology – CT-RSA 2022. CT-RSA 2022. Lecture Notes in Computer Science, vol 13161. Springer, Cham. https://doi.org/10.1007/978-3-030-95312-6_1

  • DOI: https://doi.org/10.1007/978-3-030-95312-6_1

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-95311-9

  • Online ISBN: 978-3-030-95312-6