an extension of secure group communication using key graph
TRANSCRIPT
![Page 1: An extension of secure group communication using key graph](https://reader038.vdocuments.us/reader038/viewer/2022100509/57501f631a28ab877e957788/html5/thumbnails/1.jpg)
Information Sciences 176 (2006) 3060–3078
www.elsevier.com/locate/ins
An extension of secure groupcommunication using key graph q
Zhang Jun *, Zhou Yu, Ma Fanyuan,Gu Dawu, Bai Yingcai
Department of Computer Science and Engineering, Shanghai Jiaotong University,
Shanghai 200030, China
Received 17 November 2004; received in revised form 18 October 2005; accepted 16 December 2005
Abstract
With the continuously emerging of Internet applications based on secure group com-munication, the design of secure group communication becomes an important Internetdesign topic. Group key management is important for secure group communication.Previous work focuses on key tree, which is an important type of key graphs. In thispaper, we first propose another type of key graph—key link-tree, which shows betterperformance than key tree in single rekeying. Considering that the adoption of keylink-tree results in worse than key tree in batch rekey, we propose two transform algo-rithms between key tree and key link-tree, which can get better rekey performance.� 2005 Elsevier Inc. All rights reserved.
Keywords: Group security; Key graph; Rekey; Batch rekey
0020-0255/$ - see front matter � 2005 Elsevier Inc. All rights reserved.doi:10.1016/j.ins.2005.12.008
q This paper is granted by National Nature Science Foundation of China (60203012) andShanghai Rising-Star Program in Science and Technology (02QD14027).
* Corresponding author. Tel.: +86 21 65457714.E-mail address: [email protected] (Z. Jun).
![Page 2: An extension of secure group communication using key graph](https://reader038.vdocuments.us/reader038/viewer/2022100509/57501f631a28ab877e957788/html5/thumbnails/2.jpg)
Z. Jun et al. / Information Sciences 176 (2006) 3060–3078 3061
0. Introduction
Many emerging Internet applications, such as Internet Content Service,payment per view, teleconferencing, real-time information services benefit fromthe application of the secure group communication model. Secure groupcommunication (i.e., providing confidentiality, authenticity, and integrity ofmessages delivered between group members) becomes a vital Internet designtopic. In the group communication model, group members share a symmetrickey called group key which is limited to be known among the group users andthe key server. The group key can be applied to encrypt data traffic amonggroup members and restrict the access to resources intended for the groupmembers only. The group key is distributed by a group key managementsystem, which changes the group key named group rekeying from time totime. In order to prevent a new user from reading former communication(backward secrecy) and a departed user from reading future communication(forward secrecy), rekey is obliged to be adopted in the system whenever themembers within the group change. Based on the aforementioned facts, the effi-ciency of the rekeying system plays a key role in the group key managementsystem.
Previous works present us with several different approaches of group keymanagement. Ref. [2] divides them into three main categories: Centralizedgroup key management protocols, decentralized architectures and distributedkey management protocols. By comparison of many protocols, it shows thatthe best solutions for the group key management protocol appear to be thoseusing a hierarchical tree of KEKs, since they achieve good overall results with-out compromising any aspect of security.
The key graph approach [1,5,6], which is the most important scheme amongthese protocols, is initially introduced by Wong [1] in 1997. It is a centralizedgroup key management protocol. Ref. [1] demonstrates two important types ofthe key graph: key star and key tree. For a single leave or join request, key treereduces the server processing time complexity from O(N) to O(logd(N)), whereN is the group size and d is the key tree degree. It shows that the 4-degree keytree is the best structure.
Several approaches have been proposed to improve the key tree approach.One is [3], which uses periodic batch rekeying algorithm to solve two major
drawbacks in individual rekeying: synchronization problem and inefficiency.Another improvement in the 2-degree tree approach is the one-way function
tree (OFT) [7] and was proposed by McGrew and Sherman. Their schemereduces the size of the rekey message from 2log2(N) to only log2(N). Herethe key is generated differently. The key held by a node’s children are blindedin the one-way function and then mixed together in a mixing function. Canettiet al. proposed an approach with slight revision that achieves the same commu-nication overhead. Their scheme uses a pseudo-random-generator to generate
![Page 3: An extension of secure group communication using key graph](https://reader038.vdocuments.us/reader038/viewer/2022100509/57501f631a28ab877e957788/html5/thumbnails/3.jpg)
3062 Z. Jun et al. / Information Sciences 176 (2006) 3060–3078
the new key rather than a one-way function and it is only applied to userremoval. This scheme is known as the one-way function chain tree [8].
Refs. [9–11] suggested distributed approaches based on the key graph. Intheir approaches, the main difference lies in that there is no centralized control-ling entity.
Based on the key graph approach, we introduce a new type of key graph—key link-tree in this paper, which shows better rekeying performance than keytree in individual rekeying. Then we demonstrate batch rekeying. Finally weshow two transform algorithms between key tree and key link-tree, whichcan improve the efficiency of the group key management using key graph.
The rest of the paper is presents as follows.
• In Section 1, we briefly review the key graph approaches, and demonstratetwo former types of key graph: key star, key tree, and a new type: key link-tree.
• In Section 2, we present batch rekeying algorithm for key tree and key link-tree, and analyze its performance.
• In Section 3, we show two transform algorithms between key tree and keylink-tree, which can improve the efficiency of the group key management.
• Our conclusions are included in Section 4.
1. Key graph approach
The key graph approach [1] assumes that there is a single trusted and securekey server, and the key server uses a key graph for group key management. Keygraph is a directed acyclic graph with two types of nodes: u-nodes, whichrepresent users, and k-nodes, which represent keys. User u is given key k onlywhen there is a directed path from u-node u to k-node k in the key graph. Keytree and key star are two important types of key graph. In a key tree, the k-nodes and u-nodes are organized as a tree. Key star is a special key tree whosetree degree equals the group size. We will demonstrate these two types in a nut-shell, and introduce a new key graph type: key link-tree.
1.1. Key star [1]
Key star is the basic key graph approach. In a key star, every member has twokeys: the individual key and the group key. A member negotiates an individualkey with the key server when it is added to a group. Fig. 1(a) shows a key star forfour members. Suppose U4 is leaving the group (from Fig. 1(a) to (b)), key ser-ver updates the group key, constructs the following rekey message and thenmulticasts to the whole group: S ! U 1;U 2;U 3 : fK13gK1
; fK13gK2; fK13gK3
. Here{K 0}K means key K 0 encrypted with key K. Upon receiving the rekey message, a
![Page 4: An extension of secure group communication using key graph](https://reader038.vdocuments.us/reader038/viewer/2022100509/57501f631a28ab877e957788/html5/thumbnails/4.jpg)
K14 Group Key
U1 U2 U3 U4 Users
Individualkeys
(a)
K13
U1 U2 U3
U4 joins
U4 leaves
(b)
k-node
u-nodesK1 K2 K3 K4 K1 K2 K3
Fig. 1. Example of a key star.
Z. Jun et al. / Information Sciences 176 (2006) 3060–3078 3063
member extracts the encrypted keys that it requires. For example, U1 onlyrequires fK13gK1
.Similarly, suppose U4 joins a group with three members (from Fig. 1(b) to
(a)), key server will send: S ! U 1; . . . ;U 4 : fK14gK13; fK14gK4
.Key star is simple and easy to implement. From the above example, we can
conclude that both the server’s communication and computation costs are pro-portional to the number of encryptions to perform (three for leave, two forjoin). So we use server cost to represent the number of encryptions that key ser-ver has to perform. Using a key star, it is clear that the server cost is 2 for a joinand N � 1 (N is the size of group) for a leave.
1.2. Key tree [1]
In a key tree, the root is the group key, leaf nodes are individual keys, andthe other nodes are auxiliary keys. A 9-member 3-degree key tree is shown inFig. 2(a). Member U9 is given three keys along the path from U9 to K19:K9,K79,K19. K9 is U9’s individual key, which is shared only by U9 and thekey server; K19 is the group key; K79 is an auxiliary key, which is shared byU7, U8, U9. Assuming that U9 wants to leave the group (from Fig. 2(a) to(b)), the key server needs to change the keys that U9 knows: K19 to K18, andK79 to K78. There are three strategies to distribute the new keys: user-oriented,key-oriented, and group-oriented. For convenience, we only consider group-oriented rekeying in this paper. Key server constructs the following rekey mes-sage and multicasts it to the whole group: S ! U 1; . . . ;U 8 : fK78gK7
; fK78gK8;
fK18gK13; fK18gK46
; fK18gK78.
Assume that U9 intends to join a group of eight members (from Fig. 2(b) to(a)), the key server finds a joining point (K78) for the new member, constructsthe rekey message, and then multicasts it to the whole group: S ! U 1; . . . ;U 9 : fK19gK18
; fK79gK78; fK19gK9
; fK79gK9.
In a case that the key tree degree is d and there are N users, and the tree is acompletely balanced one, the server cost is 2 logd(N) for a join andd logd(N) � 1 for a leave. Ref. [1] shows that d = 4 is the optimal degree forkey tree. However the above-mentioned demonstration lies in the hypothesis
![Page 5: An extension of secure group communication using key graph](https://reader038.vdocuments.us/reader038/viewer/2022100509/57501f631a28ab877e957788/html5/thumbnails/5.jpg)
Group Key
Auxiliarykeys
Individualkeys
K13 K46 K79
K19
K1 K9K8K7K6K5K4K3K2
U1 U9U8U7U6U5U4U3U2
k-node
k-nodes
u-nodes
(a)
K13 K46 K78
K18
K1 K8K7K6K5K4K3K2
U1 U8U7U6U5U4U3U2
k-node
k-nodes
u-nodes
(b)
U9 joinsU9 leaves
Fig. 2. Example of a key tree.
3064 Z. Jun et al. / Information Sciences 176 (2006) 3060–3078
that the tree is in a balanced manner by not considering the situation that thetree would be unbalanced when members left the group. Ref. [4] focuses onhow to keep the tree in balance during the dynamic changes with the loss ofefficiency.
1.3. Key link-tree
Key link-tree is a variation of key tree, which applies to unbalanced treestructure. It shows a better performance than key tree without as many as trou-blesome problems as keeping the tree in balance dose.
A d-degree link-tree LTd,N is a forest made up of several sub-forests Fd,k,which links to the link-tree’s root node. Every sub-forest Fd,k consists of severald-degree complete trees Td,k, which link to the sub-forest’s root node; and Td,k
is a complete d-degree tree which has dk leafs. Assume N = xkdk + xk�1dk�1 +� � � + x1d + x0 (xk > 0, 0 6 xi < d). Thus link-tree LTd,N consists of at mostk + 1 forests (Fd,k,Fd,k�1, . . . ,Fd,0,Fk consists of xkTd,k, Fk�1 consists ofxk�1Td,k�1, . . ., and F0 consists of x0Td,0), and all these forests link to one rootnode. The root node denotes the group key, every forest’s leaf denotes individ-
ual keys, and other nodes are auxiliary keys. For example 14 = 32 + 3 + 2, thus
![Page 6: An extension of secure group communication using key graph](https://reader038.vdocuments.us/reader038/viewer/2022100509/57501f631a28ab877e957788/html5/thumbnails/6.jpg)
K1eGroup Key
Auxiliarykeys
Individual keys
K13 K46
Kac
K79
K19
K1
KeKdKcKbKa
K9K8K7K6K5K4K3K2
U1
UeUdUcUbUa
U9U8U7U6U5U4U3U2
K1f
K13 K46 KacK79
K19
K1 KcKbKaK9K8K7K6K5K4K3K2
U1 UcUbUaU9U8U7U6U5U4U3U2
(a)
Kdf
KfKeKd
UfUeUd
(b)
Uf join
K2f
K79 Kac
K46
Kdf
K7f
K7
K3K2K6K5K4
KfKeKdKcKbKaK9K8
U7
U3U2U6U5U4
UfUeUdUcUbUaU9U8
(c)
U1 leave
Kde
Kaf
K23
Fig. 3. Example of a key link-tree.
Z. Jun et al. / Information Sciences 176 (2006) 3060–3078 3065
a 14-member 3-degree link-tree LT3,14 consists of three forests F3,2, F3,1, F3,0,which is shown in Fig. 3(a).
1.3.1. Joining a key link-tree
When a new member joins the group, the link-tree will reconstruct and sendrekey message. The algorithm is shown as follows:
![Page 7: An extension of secure group communication using key graph](https://reader038.vdocuments.us/reader038/viewer/2022100509/57501f631a28ab877e957788/html5/thumbnails/7.jpg)
3066 Z. Jun et al. / Information Sciences 176 (2006) 3060–3078
1. Construct a new node for the new member. The node is a complete tree Td,0,and it is also a sub-forest Fd,0. We link it to the link-tree’s root.
2. Assume that there are two sub-forests Fd,i, Fd,i of equal size and each sub-forest contains j and k complete trees Td,i respectively. There are three cases:(1) j + k < d, we will unite two Fd,i to form one Fd,i, which contains j + kTd,i;(2) j + k = d, we will unite two Fd,i to form one Fd,i;+;1, which contains oneTd,i+1; (3) j + k > d, we will unite two Fd,i to form one Fd,i+1, which containsone Td,i+1 and one Fd,i, which contains j + k � dTd,i. At the same time, theserver constructs a rekey message: encrypting the root key of Fd,i with theroot key of the old sub-tree Td,i. This process repeats until there are notwo forests in equal size.
3. Construct a new group key, encrypt with the new node’s individual keyand old group key, and send the rekey message to all the members in thegroup.
For example, member Uf intends to join a 14-member group which appliesto a 3-degree link-tree structure (from Fig. 3(a) to (b)). Key server directly linksit to the root and unites it with the equal size sub-forest Kde to Kdf. Then Kdf
unites the equal size forest Kac to Kaf. After updating the key structure, key ser-ver constructs the rekey message and multicasts it to the whole group:S ! U 1; . . . ;Uf : fKdf gKde
; fKdf gKf; fKaf gKac
; fKaf gKdf; fK1fgK1e
; fK1fgKf.
1.3.1.1. Performance. Assuming that the server cost for joining an N-memberd-degree key link-tree is CLTP
join ðN ; dÞ, where N = xkdk + xk�1dk�1 + � � � + x1d +x0 (xk > 0, 0 6 xi < d).
We compute the union times of a join process by function f1(N,d).
f1ðN ; dÞ ¼
0 if x0 ¼ 0
1 if 0 < x0 < d � 1
iþ 1 if xi ¼ xi�1 ¼ � � � ¼ x0 ¼ d � 1; xiþ1 ¼ 0
iþ 2 if xi ¼ xi�1 ¼ � � � ¼ x0 ¼ d � 1; 0 < xiþ1 < d � 1
k if xk�1 ¼ xk�2 ¼ � � � ¼ x0 ¼ d � 1
8>>>>>><>>>>>>:
Every union requests two encryptions, CLTPjoin ðN ; dÞ ¼ 2þ 2 � f1ðN ; dÞ.
1.3.2. Leaving a key link-tree
When a member leaves the group, link-tree will also reconstruct, and send arekey message. The algorithm is shown as follows:
1. Find the sub-forest Fd,i, who contains the leaving member and delete theleaving member’s node and its ancestors. Then separate Fd,i’s other nodesto i sub-forests Fd,i�1,Fd,i�2, . . . ,Fd,0, and link these sub-forests to the link-tree’s root.
![Page 8: An extension of secure group communication using key graph](https://reader038.vdocuments.us/reader038/viewer/2022100509/57501f631a28ab877e957788/html5/thumbnails/8.jpg)
Z. Jun et al. / Information Sciences 176 (2006) 3060–3078 3067
2. If there are two forests Fd,i, Fd,i of equal size and each contain j and k com-plete tree Td,i. There are three cases: (1) j + k < d, we will unite two Fd,i toform one Fd,i, which contains j + kTd,i; (2) j + k = d, we will unite two Fd,i
to form one Fd,i+1, which contains one Td,i+1; (3) j + k > d, we will unitetwo Fd,i to form one Fd,i+1, which contains one Td,i+1 and one Fd,i, whichcontains j + k � dTd,i. Meanwhile server constructs a rekey message:encrypting the root key of Fd,i with the root key of the old sub-tree Td,i. Thisprocess repeats until there are no two forests of equal size.
3. Construct a new group key, encrypt it with every sub-forest’s root key, andsend the rekey message to all the members in the group.
For example, member U1 intends to leave a 15-member group (from Fig. 3(b)to (c)). Key server will divides sub-forest K19 into K23 and K49 (K46 and K79);then links them to the root and unites K49 and Kaf to form K7f and K46. Thenconstructs the following message and multicasts it: S ! U 2; . . . ;Uf : fK7fgK79
;fK7fgKaf
; fK23gK2; fK23gK3
; fK2f gK7f; fK2fgK46
; fK2fgK23.
1.3.2.1. Performance. The average cost is applied by considering that thecost may be affected by the position from where a member leaves. Assumethat the average server cost for leaving an N-member d-degree key link-tree is CLTP
leaveðN ; dÞ, where N = xkdk + xk�1dk�1 + � � � + x1d + x0 (xk > 0,0 6 xi < d).
We assume that the member leaves sub-forest Fd,i and the average cost isCLTP
leaveðN ; d; iÞ. Function f2 and f3 is applied considering that leaving processinclude link-tree division and union.
The result of function f2 is the smallest sized forest. f2(N,d) ={Min(i)jxi 5 0}.
Function f3 judges whether the forest of a certain size exists. If so, the resultis 1, or it will be 0.
f3ðxiÞ ¼0 if xi ¼ 0
1 if xi 6¼ 0
�
After a leaving member leaves Fd,i, Fd,i is divided into a Fd,i�1 which containsd � 1Td,i�1, a Fd,i�2 which contains d � 1Td,i�2, . . ., and a Fd,0 which containsd � 1Td,0. F d;0; F d;1; . . . ; F d;f2ðN ;dÞ�1 link to the root of LT d;N�1; F d;f2ðN ;dÞ;
F d;f2ðN ;dÞþ1; . . . ; F d;i�1 unite with the other original sub-forests. The cost of sep-
aration and union is Cex&un(N,d, i).
Cex&unðN ; d; iÞ ¼ðd � 1Þ � iþ xi � 1 if i ¼ f2ðN ; dÞ; d > 2
d � i� f2ðN ; dÞ þ xi if i > f2ðN ; dÞ; d > 2
d � ði� f2ðN ; dÞÞ if d ¼ 2
8><>:
![Page 9: An extension of secure group communication using key graph](https://reader038.vdocuments.us/reader038/viewer/2022100509/57501f631a28ab877e957788/html5/thumbnails/9.jpg)
3068 Z. Jun et al. / Information Sciences 176 (2006) 3060–3078
The cost of encrypting the group key is
CgpðN ; d; iÞ ¼
P0j¼k
f3ðxjÞ þ f2ðN ; dÞ if xf2ðN ;dÞ > 1
P0j¼k
f3ðxjÞ � 1þ f2ðN ; dÞ if xf2ðN ;dÞ ¼ 1
8>>><>>>:
)CLTPleaveðN ; d; iÞ ¼ Cex&unðN ; d; iÞ þ CgpðN ; d; iÞ
And the average cost is CLTPleaveðN ; dÞ ¼
Pki¼0xid
i=N � CLTPleaveðN ; d; iÞ.
1.4. Performance comparison
We make comparison between the key tree and the key link-tree as an exam-ple due to the huge quantity generated from that the key star’s cost for a leaveis N � 1.
We compute the cost 2blogdðNÞc þ 2 for a join and dblogdðNÞc � 1 for aleave in key tree to give a more accurate view.
Fig. 4. Performance comparison (a) join (b) leave (c) join + leave.
![Page 10: An extension of secure group communication using key graph](https://reader038.vdocuments.us/reader038/viewer/2022100509/57501f631a28ab877e957788/html5/thumbnails/10.jpg)
Z. Jun et al. / Information Sciences 176 (2006) 3060–3078 3069
We draw the figure for the costs when d = 2, 1 6 N < 1000. Fig. 4(a) repre-sents the cost for a join; Fig. 4(b) represents the cost for a leave; and Fig. 4(c)represents the total. Fig. 4 shows when d = 2, it is better for key tree’s leavingperformance, key link-tree’s joining performance, and the total of key link-tree’s leaving and joining performance respectively. This is mainly due to thatboth key star and key tree’s merits are integrated by key link-tree. The first levelof key link-tree act as key star, which makes joining protocol optimized; and thefull structure of key link-tree act as key tree, so its leaving performance is similarto that of key tree. After a member joins the group, it must leave the group. Thetotal of leaving and joining performance should be primary as a consequence.
Then we calculate the sum of all the costs when 1 6 N < 1000, 2 6 d < 6 toget Table 1.
Table 1 illustrates that 4-degree key tree leads to the best result in key tree,which matches with [1]’s result. 3-degree key link-tree leads to the best amongall the key trees and key link-trees. In general, key link-tree shows a better per-formance than key tree. It does not give rise to key tree’s troublesome prob-lems—keeping the tree balanced, because of key link-tree’s structure.
1.5. Simulation
We built a simulator for key tree and key link-tree. For each experimentwith an initial group size n, the simulator built a key structure with initial keys.After randomly picking one user to leave or join, the simulator simulates a keyserver that processes group member joins or leaves, sends rekey messagesencrypted with DES algorithm, and records the server cost. It simulates fourstructures: 2-degree and 4-degree key tree, 2-degree and 3-degree key link-tree.The rekey algorithm of the key tree lies in [1]’s group-oriented strategy. Therekey algorithm of the key link-tree lies in Section 1.3.
Simulations were done on a Redhat Linux 9.0 with 1.7 GHz CPU and256 MB memory. We ran the simulation for 100 times and calculated the totalof server cost.
Fig. 5 gives the views of four structures’ server cost for the total of a leaveand a join. It matches with the analysis result in Section 1.4.
Table 1Performance comparison
1 6 N < 1000 Key tree Key link-tree
d Join Leave Total Join Leave Total
2 17974 14974 32948 3970 17684 216543 11828 13742 25570 3970 17586 215564 9328 13656 22984 3964 18395 223595 8448 15120 23568 3964 19509 23473
![Page 11: An extension of secure group communication using key graph](https://reader038.vdocuments.us/reader038/viewer/2022100509/57501f631a28ab877e957788/html5/thumbnails/11.jpg)
0 200 400 600 800 1000
Group size
40000
60000
80000
100000
120000
140000
160000M
icro
seco
nds
tree d=2tree d=4ltree d=2ltree d=3
Fig. 5. Leave + join.
3070 Z. Jun et al. / Information Sciences 176 (2006) 3060–3078
2. Batch rekeying
2.1. Batch rekeying algorithm [3]
In spite of the efficiency of the key graph approach for one-to-many appli-cations, changing the group key after each join or leave, individual rekeyinghas two major drawbacks: synchronization problem and inefficiency [3].
• Synchronization problem: If the group is rekeyed after each join or leave,synchronization will be difficult to maintain because of the interdependen-cies among rekey messages and also between rekey and data messages. Ifthe delay in rekey message delivery is high and the join/leave requests arefrequent, a member may need to have memory space for a large numberof rekey and data messages that cannot be decrypted.
• Inefficiency: For authentication, each rekey message may be digitally signedby the sender. Generation of digital signatures is a costly process in terms ofcomputation and communication. A high rate of join/leave requests mayresult in a performance degradation.
Ref. [3] presents the batch rekeying algorithm to minimize these two prob-lems. In this approach, join or leave requests are collected during a rekey inter-val and are rekeyed in a batch. The out-of-sync problems are alleviated bydelaying the use of a new group key until the next rekey interval. Batch pro-cessing also leads to a performance advantage.
![Page 12: An extension of secure group communication using key graph](https://reader038.vdocuments.us/reader038/viewer/2022100509/57501f631a28ab877e957788/html5/thumbnails/12.jpg)
Z. Jun et al. / Information Sciences 176 (2006) 3060–3078 3071
Batch rekeying algorithm provides a trade-off between performanceimprovement and delayed group access control. A new member has to waitlonger to join the group and a leaving member can stay longer with the group.It generates a rekey sub-tree at the end of each rekey interval with a collectionof J join requests and L leave requests and updates the key tree. The objectivesare to reduce the number of encrypted keys, to keep the balance of the updatedkey tree, and to make it more efficient for the users to identify the encryptedkeys they need. In order to fulfil these objectives, the server uses the followingsteps:
1. Update the tree by processing join and leave requests in a batch. If J 6 L, J
of the departed members with the smallest IDs are replaced with the J newlyjoined members. If J > L, L departed members are replaced with L of thenewly joined members. For the insertion of the remaining J–L new mem-bers, three strategies have been further illustrated in [3].
2. Mark the key nodes with one of the following states: unchanged, join, leaveand replace.
3. Prune the tree to obtain the rekey sub-tree.4. Traverse the rekey sub-tree, generate new keys, and construct the rekey
message.
Since batch rekey algorithm also fits in key link-tree, no further detail of keylink-tree’s batch rekey algorithm is described in this section.
2.2. Performance analysis
2.2.1. Key tree
The performance analysis of key tree is based on balanced trees, and theresult is measured by the average server cost. Ref. [3] calculated the results:
CtreeðN ; d; J ; LÞ ¼
dPh�1
l¼0
dl 1�CL
N�N=dl
CLN
� �if J ¼ L
dPh�1
l¼0
dl 1�CL
N�N=dl
CLN
� ��Phl¼0
dl CN=dl
L�J
CN=dl
N
if J < L
dJd�1
� �þ 2logdN if J > L; L ¼ 0
dPh�1
l¼0
dl 1�CL
N�N=dl
CLN
� �þ dðJ�LÞ
d�1
l mif J > L; L > 0
8>>>>>>>>>>><>>>>>>>>>>>:
2.2.2. Key link-tree
The server cost relies on the changed nodes’ position and the size of the sub-forest which changed nodes belong to.
![Page 13: An extension of secure group communication using key graph](https://reader038.vdocuments.us/reader038/viewer/2022100509/57501f631a28ab877e957788/html5/thumbnails/13.jpg)
3072 Z. Jun et al. / Information Sciences 176 (2006) 3060–3078
Assume that link-tree LTd,N has N leafs (N = akdk + ak�1dk�1 + � � � + a1d +a0, ak > 0, 0 6 ai < d), it has k sub-forests at most (Fd,k,Fd,k�1, . . . ,Fd,0,Fk con-tains akTd,k, . . . ,F0 contains a0Td,0). Two auxiliary functions apply to calculatethe server cost as follows:
f4ðxiÞ ¼0 if xi ¼ 0;
1 if xi 6¼ 0;
�f 5ðxiÞ ¼
0 if xi < 2
xi if xi P 2
�(1) Worst case analysis. According to the joining protocol of key link-tree,
joining member links to the root of link-tree. It is easy to compute. Howeverthe position of leaving member is at random, it is hard to compute. The worstcase is that leaving members are in all the sub-forests averagely. After the link-tree is updated, assume that group size is N + J � L = bkdk + bk�1dk�1 +� � � + b0.
At the beginning, LTd,N hasPk
i¼0f4ðaiÞ sub-forests,Pk
i¼0ai complete sub-trees.
After L members leave the link-tree, when 0 < L 6 ak, link-tree hasPki¼0ai � Lþ L � k � ðd � 1Þ complete sub-trees.When ak < L 6 akd + ak�1, there are
Pk�1i¼0 aiþ ak � d�LþL � ðk� 1Þ � ðd� 1Þ
complete sub-trees.When
P0i¼lak�lþid
i < L 6P0
i¼lþ1ak�l�1þidi, there are
Pk�l�1i¼0 ai þ
Pki¼k�lai�
diþ1�kþl � Lþ Lðk � l� 1Þðd � 1Þ complete sub-trees.
Let NðN ; J ; L; lÞ ¼Pk�l�1
i¼0 ai þPk
i¼k�lai � diþ1�kþl � Lþ Lðk � l� 1Þðd � 1Þ,when
P0i¼lak�lþid
i < L 6P0
i¼lþ1ak�l�1þidi.
Then J members join, there are N(N,J,L, l) + J complete sub-trees.The next step is to unite equal size sub-trees. Every union reduces d � 1 sub-
trees at most, and requests d encryptions. Finally, there arePk
i¼0bi completesub-trees and
Pki¼0f4ðbiÞ sub-forests.
So, server cost is dðNðN ; J ; L; lÞ þ J �Pk
i¼0biÞ � d=ðd � 1Þe þPk
i¼0f4ðbiÞ forthe worst case.
(2) Average case analysis. The server cost depends on the number of nodesbelonging to the rekey sub-tree, and the number of children each node has.Thus, our technique for average case analysis is to consider the probability thatan individual node belongs to the rekey sub-tree, and to consider the node’sexpected number of children. We illustrate the following three cases.
• Case 1: J = L
This case is the basis of all the analysis. Assume that sub-forest Fi of link-tree has ai complete sub-tree Td,i, Td,i’s height is i. Let the root of Td,i beat level 0, and the leaf nodes are at level i. Consider a node v at level l,0 6 l 6 i � 1. v should be updated if and only if there is at least one leavein v’s children. Assuming every current user has equal probability of leaving,there are CL
N ways to pick leaving L users out of N users. Among these ways,CL
N�dl of them have no leaves in v’s children. Thus, the probability that v
![Page 14: An extension of secure group communication using key graph](https://reader038.vdocuments.us/reader038/viewer/2022100509/57501f631a28ab877e957788/html5/thumbnails/14.jpg)
Z. Jun et al. / Information Sciences 176 (2006) 3060–3078 3073
should be updated is 1� CLN�dl=CL
N . It comes to the updating probability ofthe Fi’s root. Finally, add the root of link-tree, and the average cost is:
CLT ðN ;d;L;LÞ¼Xk
i¼0
d �ai
Xi�1
l¼0
dl 1�CL
N�di�l
CLN
� �" #þ f5ðaiÞ � 1�
CLN�aidi
CLN
!( )
þ f5
Xk
i¼0
f4ðaiÞ !
• Case 2: J > L
Assume that group size is N + J � L = akdk + � � � + aj+1dj+1 +bjd
j + � � � + b0 after updating the link-tree. Thus, the analysis of sub-forestFi(j < i 6 k) is same as case 1; sub-forest Fi (0 6 i < j) is newly built, everynodes should rekey; and Fj is built by old sub-forest F0, . . . ,Fj and newJ � L members, the probability of rekey is the same as case 1 or equal 1.Finally, add the root of link-tree, the average cost is:
CLT ðN ;d;J ;LÞ¼Xk
i¼jþ1
d �ai
Xi�1
l¼0
dl 1�CL
N�di�l
CLN
� �" #þf5ðaiÞ � 1�
CLN�aidi
CLN
!( )
þXj�1
i¼0
d �bi
Xi�1
l¼0
dlþf5ðbiÞ( )
þXj
i¼0
d �ai
Xi�1
l¼0
dl 1�CL
N�di�l
CLN
� �" #
þd bj �Xj�1
l¼0
dl�Xj
i¼0
ai �Xi�1
l¼0
dl
! !
þf5ðbjÞþf5
Xk
i¼jþ1
f4ðaiÞþXj
i¼0
f4ðbiÞ !
¼CLT ðN ;d;L;LÞ
þf2
Xk
i¼jþ1
f1ðaiÞþXj
i¼0
f1ðbiÞ !
�f2
Xk
i¼0
f1ðaiÞ !
þXj
i¼0
ðbi�aiÞ � ðdiþ1�dÞ=ðd�1Þ
þXj
i¼0
f2ðbiÞ�f2ðaiÞ � 1�CL
N�aidi
CLN
!" #
• Case 3: J < L
In this case, it is hard to make an analysis. We use the worst case analysis asan alternative:
CLT ðN ; d; J ; LÞ 6 NðN ; J ; L; lÞ �Xk
i¼0
bi
!� d,ðd � 1Þ
& ’
![Page 15: An extension of secure group communication using key graph](https://reader038.vdocuments.us/reader038/viewer/2022100509/57501f631a28ab877e957788/html5/thumbnails/15.jpg)
3074 Z. Jun et al. / Information Sciences 176 (2006) 3060–3078
2.3. Performance comparison
The performance of key link-tree is worse than key tree for these above threecases. The performance of key link-tree is better than that of key tree only whenJ > 0 and L = 0, which is because the performance of batch rekeying is propor-tional to maximum of leave and join operations, and the performance queue ofthese two structures’ operation is: join of key link-tree < join of key tree < leaveof key tree < leave of key link-tree. Though the performance of key link-tree isbetter in single rekeying (join + leave of key link-tree < join + leave of key tree),the performance of key tree is better in batch rekeying (max (join of key tree,leave of key tree) < max (join of key link-tree, leave of key link-tree)).
3. Transform algorithm
The results in last two sections are: the performance of key link-tree is betterthan that of key tree in single rekeying, but the performance of key tree is betterin batch rekeying. In single rekeying, the performance of key link-tree’s joiningoperation and overall are better, the performance of key tree’s leaving opera-tion is better.
No protocol can fit in all environments, different environment requires dif-ferent protocol. For example, when a new group is born, the join rate must belarge than the leave rate, we choose key link-tree due to its better performancefor a join; when a group will die, the leave rate must be larger than the join rate,we choose key tree due to its better performance for a leave. And if it requiresbatch rekeying, we choose key tree.
This section proposes two transform algorithms which can satisfy therequirement. The algorithms allow the key server adopt key link-tree or key treewhenever necessary, the key server can be more efficient. We show the transformalgorithms between key link-tree and key tree in the following sections.
3.1. Key link-tree to key tree
The objective of the algorithm is to transform key link-tree to key tree.
1. d-degree link-tree LTd,N is a forest, which has several sub-forests Fd,k link toone root. Let these sub-forests array by size.
2. If the number of sub-forests is larger than d, select two minimum size sub-for-ests Fd,i and Fd,j (i > j), unite Fd,i and Fd,j to a new sub-forest F 0d;i, and link F 0d;ito the root of link-tree. Then construct the rekey message: encrypt F 0d;i’s rootkey with two original sub-forests Fd,i and Fd,j’s root keys. This process repeatsuntil the link-tree has d sub-forests. Now the link-tree is a d-degree tree.
3. Multicast the rekey message to all the members.
![Page 16: An extension of secure group communication using key graph](https://reader038.vdocuments.us/reader038/viewer/2022100509/57501f631a28ab877e957788/html5/thumbnails/16.jpg)
Z. Jun et al. / Information Sciences 176 (2006) 3060–3078 3075
Next are the algorithm’s pseudo-codes:
LT_trans_to_Tree(N,d){
While (forest_number() > d) {(i,j) = (find_min_forest);//find two minimum size sub-forestsUnion (Fi, Fj); //unite these two sub-forestsConstruct_rekey(Fi); //encrypt new Fi’s root key with Fi and Fj’s rootkey
}send_rekey();
}
For example, transform an 11-member 2-degree key link-tree to a 2-degreekey tree (Fig. 6(a) to (b)). Because it has three sub-forests, two minimum size
K1b
K4
K56
Group Key
U1
K1 K2
U2 U3Users
Individualkeys
K78K34K12
K58K14
K3 K8K7K6K5
Auxiliarykeys
U4 U8U7U6U5
K18 K9a Kb
KaK9 Ub
UaU9
K1c
K4
K56
Group Key
U1
K1 K2
U2 U3Users
K78K34K12
K58K14
K3 K8K7K6K5
Auxiliarykeys
U4 U8U7U6U5
K18
K9a
KaK9 Ub
UaU9Individualkeys
Kb
K9c
(a)
(b)
Fig. 6. An example switch.
![Page 17: An extension of secure group communication using key graph](https://reader038.vdocuments.us/reader038/viewer/2022100509/57501f631a28ab877e957788/html5/thumbnails/17.jpg)
3076 Z. Jun et al. / Information Sciences 176 (2006) 3060–3078
sub-forests are Kb and K9a, then unite them to K9b. The rekey message is as fol-lows: S ! U 1; . . . U b : fK9bgK9a
; fK9bgKb.
3.2. Key tree to key link-tree
The objective of the algorithm is to transform key tree to key link-tree.
1. Decompose d-degree tree Td,k. If Td,k is not a complete d-degree sub-tree,then decompose it to dd-degree sub-tree Td,k�1 at most. This process repeatsuntil every sub-tree is a complete d-degree tree.
2. Unite d-degree tree. If there are d complete d-degree trees Td,i, then unitethem to a complete d-degree tree Td,i+1, and encrypt Td,i+1’s root key withoriginal d tree Td,i. This process repeats until the number of equal sized-degree complete tree less than d.
3. Unite equal size d-degree tree Td,i to a sub-forest Fd,i, and encrypt Fd,i’s rootkey with original Td,i’s.
4. Link all the sub-forests to one root, construct a link-tree, and encrypt link-tree’s root key with all the sub-forests’ root key.
5. Multicast the rekey message to all the members.
Next are the algorithm’s pseudo-codes:
Tree_trans_to_LT(N,d){
Decompose(T);While (equal_size_forest_number()>=d) {Union (i); //unite d tree Ti to Ti+1Construct_rekey(Ti+1); //encrypt new Ti+1’s root key with d Ti’s rootkey
}//unite equal size tree to forest; encrypt new tree’s root keyUnion_tree_and_Construct_rekey();Link_and_Construct_rekey(); //construct link-tree, and encrypt link-tree’s root keysend_rekey();
}
For example, transform an 11-member 2-degree key tree to a 2-degree keylink-tree (Fig. 6(b) to (a)). K1b is not a complete tree, then decompose it toK18 and K9b. K18 is a complete tree, then do not decompose it. K9b is decom-posed to K9a and Kb, there are no two equal size complete trees, we do not uniteequal size trees. Then we link these trees K18, K9a and Kb to the root node K1b,it comes to be a link-tree. The rekey message is: S ! U 1; . . . U b : fK1bgK18
;fK1bgK9a
; fK1bgKb.
![Page 18: An extension of secure group communication using key graph](https://reader038.vdocuments.us/reader038/viewer/2022100509/57501f631a28ab877e957788/html5/thumbnails/18.jpg)
Z. Jun et al. / Information Sciences 176 (2006) 3060–3078 3077
3.3. Performance analysis
(1) Key link-tree to key treeA d-degree link-treeLTd,N has logdN þ 1 sub-for-ests at most; it requires logdN þ 1� d times of unions to allow logdN þ 1sub-forests unite to d sub-forests. Every union needs two encryptions toform rekey message, so the server cost for transform algorithm islogdN þ 1� dð Þ � 2 at most. Because the server run transform algorithm
when necessary, the algorithm do not reduce the efficiency of the keymanagement system much.
(2) Key tree to key link-treeA d-degree tree which has N leaf nodes can bedecomposed to N single nodes at most. That N nodes uniting to ad-degree link-tree needs N + N/d + N/d2� � � = N Æ d/(d � 1) times ofencryptions, so the server cost for transform algorithm is N Æ d/(d � 1)at most. Its performance is worst than that of the transform algorithmof key link-tree to key tree. And its affection to the key management sys-tem is also limited.
4. Conclusion
This paper demonstrates key graph approaches for secure group communi-cation, presenting the key link-tree scheme, which has better performance thankey tree in single rekeying. At last, this paper introduces the transform algo-rithm between key tree and key link-tree to get a better rekeying performance.
References
[1] C.K. Wong, M. Gouda, S.S. Lam, Secure group communications using key graphs, in: ACMSIGCOMM’98, 1998.
[2] S. Rafaeli, D. Hutchison, A survey of key management for secure group communication,ACM Computing Surveys 35 (3) (2003) 309–329.
[3] X.S. Li, Y.R. Yang, M.G. Gouda, S.S. Lam, Batch rekeying for secure group communica-tions, in: Proceedings of 10th International WWW Conference, Hong Kong, China, May 2001,pp. 525–534.
[4] M. Moyer, J. Rao, P. Rohatgi, Maintaining balanced key trees for secure multicast, Internetdraft, draft-irtf-smug-key-tree-balance-00.txt, June 1999.
[5] M. Waldvogel, G. Caronni, D. Sun, N. Weiler, B. Plattner, The Versakey framework: versatilegroup key management, IEEE Journal on Selected Areas in Communications 17 (8) (1999).
[6] D. Wallner, E. Harder, R. Agee, Key Management for Multicast: Issues and Architectures,RFC 2627, 1999.
[7] D.A. Mcgrew, A.T. Sherman, Key establishment in large dynamic groups using onewayfunction trees, Technical Report No. 0755 (May), TIS Labs at Network Associates, Inc.,Glenwood, MD, 1998.
[8] R. Canetti, J. Garay, G. Itkis, D. Micciancio, M. Naor, B. Pinkas, Multicast security: ataxonomy and some efficient constructions, in: Proceedings of the IEEE Infocom, vol. 2, NewYork, NY, March 1999, pp. 708–716.
![Page 19: An extension of secure group communication using key graph](https://reader038.vdocuments.us/reader038/viewer/2022100509/57501f631a28ab877e957788/html5/thumbnails/19.jpg)
3078 Z. Jun et al. / Information Sciences 176 (2006) 3060–3078
[9] O. Rodeh, K. Birman, D. Dolev, Optimized group rekey for group communication systems,Network and Distributed System Security, San Diego, CA, February 2000.
[10] L. Dondeti, S. Mukherjee, A. Samal, A distributed group key management scheme for securemany-to-many communication, Technical Report PINTL-TR-207-99, Department of Com-puter Science, University of Maryland, 1999.
[11] Y. Kim, A. Perrig, G. Tsudik, Simple and fault-tolerant key agreement for dynamiccollaborative groups, in: S. Jajodia, P. Samarati (Eds.), Proceedings of the 7th ACMConference in Computer and Communication Security, Athens, Greece, November 2000, pp.235–241.