an extension of secure group communication using key graph

Information Sciences 176 (2006) 3060–3078

www.elsevier.com/locate/ins

An extension of secure groupcommunication using key graph q

Zhang Jun *, Zhou Yu, Ma Fanyuan,Gu Dawu, Bai Yingcai

Department of Computer Science and Engineering, Shanghai Jiaotong University,

Shanghai 200030, China

Received 17 November 2004; received in revised form 18 October 2005; accepted 16 December 2005

Abstract

With the continuously emerging of Internet applications based on secure group com-munication, the design of secure group communication becomes an important Internetdesign topic. Group key management is important for secure group communication.Previous work focuses on key tree, which is an important type of key graphs. In thispaper, we first propose another type of key graph—key link-tree, which shows betterperformance than key tree in single rekeying. Considering that the adoption of keylink-tree results in worse than key tree in batch rekey, we propose two transform algo-rithms between key tree and key link-tree, which can get better rekey performance.� 2005 Elsevier Inc. All rights reserved.

Keywords: Group security; Key graph; Rekey; Batch rekey

0020-0255/$ - see front matter � 2005 Elsevier Inc. All rights reserved.doi:10.1016/j.ins.2005.12.008

q This paper is granted by National Nature Science Foundation of China (60203012) andShanghai Rising-Star Program in Science and Technology (02QD14027).

* Corresponding author. Tel.: +86 21 65457714.E-mail address: [email protected] (Z. Jun).

mailto:[email protected]

Z. Jun et al. / Information Sciences 176 (2006) 3060–3078 3061

0. Introduction

Many emerging Internet applications, such as Internet Content Service,payment per view, teleconferencing, real-time information services benefit fromthe application of the secure group communication model. Secure groupcommunication (i.e., providing confidentiality, authenticity, and integrity ofmessages delivered between group members) becomes a vital Internet designtopic. In the group communication model, group members share a symmetrickey called group key which is limited to be known among the group users andthe key server. The group key can be applied to encrypt data traffic amonggroup members and restrict the access to resources intended for the groupmembers only. The group key is distributed by a group key managementsystem, which changes the group key named group rekeying from time totime. In order to prevent a new user from reading former communication(backward secrecy) and a departed user from reading future communication(forward secrecy), rekey is obliged to be adopted in the system whenever themembers within the group change. Based on the aforementioned facts, the effi-ciency of the rekeying system plays a key role in the group key managementsystem.

Previous works present us with several different approaches of group keymanagement. Ref. [2] divides them into three main categories: Centralizedgroup key management protocols, decentralized architectures and distributedkey management protocols. By comparison of many protocols, it shows thatthe best solutions for the group key management protocol appear to be thoseusing a hierarchical tree of KEKs, since they achieve good overall results with-out compromising any aspect of security.

The key graph approach [1,5,6], which is the most important scheme amongthese protocols, is initially introduced by Wong [1] in 1997. It is a centralizedgroup key management protocol. Ref. [1] demonstrates two important types ofthe key graph: key star and key tree. For a single leave or join request, key treereduces the server processing time complexity from O(N) to O(logd(N)), whereN is the group size and d is the key tree degree. It shows that the 4-degree keytree is the best structure.

Several approaches have been proposed to improve the key tree approach.One is [3], which uses periodic batch rekeying algorithm to solve two major

drawbacks in individual rekeying: synchronization problem and inefficiency.Another improvement in the 2-degree tree approach is the one-way function

tree (OFT) [7] and was proposed by McGrew and Sherman. Their schemereduces the size of the rekey message from 2log2(N) to only log2(N). Herethe key is generated differently. The key held by a node’s children are blindedin the one-way function and then mixed together in a mixing function. Canettiet al. proposed an approach with slight revision that achieves the same commu-nication overhead. Their scheme uses a pseudo-random-generator to generate

3062 Z. Jun et al. / Information Sciences 176 (2006) 3060–3078

the new key rather than a one-way function and it is only applied to userremoval. This scheme is known as the one-way function chain tree [8].

Refs. [9–11] suggested distributed approaches based on the key graph. Intheir approaches, the main difference lies in that there is no centralized control-ling entity.

Based on the key graph approach, we introduce a new type of key graph—key link-tree in this paper, which shows better rekeying performance than keytree in individual rekeying. Then we demonstrate batch rekeying. Finally weshow two transform algorithms between key tree and key link-tree, whichcan improve the efficiency of the group key management using key graph.

The rest of the paper is presents as follows.

• In Section 1, we briefly review the key graph approaches, and demonstratetwo former types of key graph: key star, key tree, and a new type: key link-tree.

• In Section 2, we present batch rekeying algorithm for key tree and key link-tree, and analyze its performance.

• In Section 3, we show two transform algorithms between key tree and keylink-tree, which can improve the efficiency of the group key management.

• Our conclusions are included in Section 4.

1. Key graph approach

The key graph approach [1] assumes that there is a single trusted and securekey server, and the key server uses a key graph for group key management. Keygraph is a directed acyclic graph with two types of nodes: u-nodes, whichrepresent users, and k-nodes, which represent keys. User u is given key k onlywhen there is a directed path from u-node u to k-node k in the key graph. Keytree and key star are two important types of key graph. In a key tree, the k-nodes and u-nodes are organized as a tree. Key star is a special key tree whosetree degree equals the group size. We will demonstrate these two types in a nut-shell, and introduce a new key graph type: key link-tree.

1.1. Key star [1]

Key star is the basic key graph approach. In a key star, every member has twokeys: the individual key and the group key. A member negotiates an individualkey with the key server when it is added to a group. Fig. 1(a) shows a key star forfour members. Suppose U4 is leaving the group (from Fig. 1(a) to (b)), key ser-ver updates the group key, constructs the following rekey message and thenmulticasts to the whole group: S ! U 1;U 2;U 3 : fK13gK1

; fK13gK2; fK13gK3

. Here{K 0}K means key K 0 encrypted with key K. Upon receiving the rekey message, a

K14 Group Key

U1 U2 U3 U4 Users

Individualkeys

(a)

K13

U1 U2 U3

U4 joins

U4 leaves

(b)

k-node

u-nodesK1 K2 K3 K4 K1 K2 K3

Fig. 1. Example of a key star.


member extracts the encrypted keys that it requires. For example, U1 onlyrequires fK13gK1

.Similarly, suppose U4 joins a group with three members (from Fig. 1(b) to

(a)), key server will send: S ! U 1; . . . ;U 4 : fK14gK13; fK14gK4

.Key star is simple and easy to implement. From the above example, we can

conclude that both the server’s communication and computation costs are pro-portional to the number of encryptions to perform (three for leave, two forjoin). So we use server cost to represent the number of encryptions that key ser-ver has to perform. Using a key star, it is clear that the server cost is 2 for a joinand N � 1 (N is the size of group) for a leave.

1.2. Key tree [1]

In a key tree, the root is the group key, leaf nodes are individual keys, andthe other nodes are auxiliary keys. A 9-member 3-degree key tree is shown inFig. 2(a). Member U9 is given three keys along the path from U9 to K19:K9,K79,K19. K9 is U9’s individual key, which is shared only by U9 and thekey server; K19 is the group key; K79 is an auxiliary key, which is shared byU7, U8, U9. Assuming that U9 wants to leave the group (from Fig. 2(a) to(b)), the key server needs to change the keys that U9 knows: K19 to K18, andK79 to K78. There are three strategies to distribute the new keys: user-oriented,key-oriented, and group-oriented. For convenience, we only consider group-oriented rekeying in this paper. Key server constructs the following rekey mes-sage and multicasts it to the whole group: S ! U 1; . . . ;U 8 : fK78gK7

; fK78gK8;

fK18gK13; fK18gK46

; fK18gK78.

Assume that U9 intends to join a group of eight members (from Fig. 2(b) to(a)), the key server finds a joining point (K78) for the new member, constructsthe rekey message, and then multicasts it to the whole group: S ! U 1; . . . ;U 9 : fK19gK18

; fK79gK78; fK19gK9

; fK79gK9.

In a case that the key tree degree is d and there are N users, and the tree is acompletely balanced one, the server cost is 2 logd(N) for a join andd logd(N) � 1 for a leave. Ref. [1] shows that d = 4 is the optimal degree forkey tree. However the above-mentioned demonstration lies in the hypothesis

Group Key

Auxiliarykeys

Individualkeys

K13 K46 K79

K19

K1 K9K8K7K6K5K4K3K2

U1 U9U8U7U6U5U4U3U2

k-node

k-nodes

u-nodes

(a)

K13 K46 K78

K18

K1 K8K7K6K5K4K3K2

U1 U8U7U6U5U4U3U2

k-node

k-nodes

u-nodes

(b)

U9 joinsU9 leaves

Fig. 2. Example of a key tree.


that the tree is in a balanced manner by not considering the situation that thetree would be unbalanced when members left the group. Ref. [4] focuses onhow to keep the tree in balance during the dynamic changes with the loss ofefficiency.

1.3. Key link-tree

Key link-tree is a variation of key tree, which applies to unbalanced treestructure. It shows a better performance than key tree without as many as trou-blesome problems as keeping the tree in balance dose.

A d-degree link-tree LTd,N is a forest made up of several sub-forests Fd,k,which links to the link-tree’s root node. Every sub-forest Fd,k consists of severald-degree complete trees Td,k, which link to the sub-forest’s root node; and Td,k

is a complete d-degree tree which has dk leafs. Assume N = xkdk + xk�1dk�1 +� � � + x1d + x0 (xk > 0, 0 6 xi < d). Thus link-tree LTd,N consists of at mostk + 1 forests (Fd,k,Fd,k�1, . . . ,Fd,0,Fk consists of xkTd,k, Fk�1 consists ofxk�1Td,k�1, . . ., and F0 consists of x0Td,0), and all these forests link to one rootnode. The root node denotes the group key, every forest’s leaf denotes individ-

ual keys, and other nodes are auxiliary keys. For example 14 = 32 + 3 + 2, thus

K1eGroup Key

Auxiliarykeys

Individual keys

K13 K46

Kac

K79

K19

K1

KeKdKcKbKa

K9K8K7K6K5K4K3K2

U1

UeUdUcUbUa

U9U8U7U6U5U4U3U2

K1f

K13 K46 KacK79

K19

K1 KcKbKaK9K8K7K6K5K4K3K2

U1 UcUbUaU9U8U7U6U5U4U3U2

(a)

Kdf

KfKeKd

UfUeUd

(b)

Uf join

K2f

K79 Kac

K46

Kdf

K7f

K7

K3K2K6K5K4

KfKeKdKcKbKaK9K8

U7

U3U2U6U5U4

UfUeUdUcUbUaU9U8

(c)

U1 leave

Kde

Kaf

K23

Fig. 3. Example of a key link-tree.


a 14-member 3-degree link-tree LT3,14 consists of three forests F3,2, F3,1, F3,0,which is shown in Fig. 3(a).

1.3.1. Joining a key link-tree

When a new member joins the group, the link-tree will reconstruct and sendrekey message. The algorithm is shown as follows:


1. Construct a new node for the new member. The node is a complete tree Td,0,and it is also a sub-forest Fd,0. We link it to the link-tree’s root.

2. Assume that there are two sub-forests Fd,i, Fd,i of equal size and each sub-forest contains j and k complete trees Td,i respectively. There are three cases:(1) j + k < d, we will unite two Fd,i to form one Fd,i, which contains j + kTd,i;(2) j + k = d, we will unite two Fd,i to form one Fd,i;+;1, which contains oneTd,i+1; (3) j + k > d, we will unite two Fd,i to form one Fd,i+1, which containsone Td,i+1 and one Fd,i, which contains j + k � dTd,i. At the same time, theserver constructs a rekey message: encrypting the root key of Fd,i with theroot key of the old sub-tree Td,i. This process repeats until there are notwo forests in equal size.

3. Construct a new group key, encrypt with the new node’s individual keyand old group key, and send the rekey message to all the members in thegroup.

For example, member Uf intends to join a 14-member group which appliesto a 3-degree link-tree structure (from Fig. 3(a) to (b)). Key server directly linksit to the root and unites it with the equal size sub-forest Kde to Kdf. Then Kdf

unites the equal size forest Kac to Kaf. After updating the key structure, key ser-ver constructs the rekey message and multicasts it to the whole group:S ! U 1; . . . ;Uf : fKdf gKde

; fKdf gKf; fKaf gKac

; fKaf gKdf; fK1fgK1e

; fK1fgKf.

1.3.1.1. Performance. Assuming that the server cost for joining an N-memberd-degree key link-tree is CLTP

join ðN ; dÞ, where N = xkdk + xk�1dk�1 + � � � + x1d +x0 (xk > 0, 0 6 xi < d).

We compute the union times of a join process by function f1(N,d).

f1ðN ; dÞ ¼

0 if x0 ¼ 0

1 if 0 < x0 < d � 1

iþ 1 if xi ¼ xi�1 ¼ � � � ¼ x0 ¼ d � 1; xiþ1 ¼ 0

iþ 2 if xi ¼ xi�1 ¼ � � � ¼ x0 ¼ d � 1; 0 < xiþ1 < d � 1

k if xk�1 ¼ xk�2 ¼ � � � ¼ x0 ¼ d � 1

8>>>>>><>>>>>>:

Every union requests two encryptions, CLTPjoin ðN ; dÞ ¼ 2þ 2 � f1ðN ; dÞ.

1.3.2. Leaving a key link-tree

When a member leaves the group, link-tree will also reconstruct, and send arekey message. The algorithm is shown as follows:

1. Find the sub-forest Fd,i, who contains the leaving member and delete theleaving member’s node and its ancestors. Then separate Fd,i’s other nodesto i sub-forests Fd,i�1,Fd,i�2, . . . ,Fd,0, and link these sub-forests to the link-tree’s root.


2. If there are two forests Fd,i, Fd,i of equal size and each contain j and k com-plete tree Td,i. There are three cases: (1) j + k < d, we will unite two Fd,i toform one Fd,i, which contains j + kTd,i; (2) j + k = d, we will unite two Fd,i

to form one Fd,i+1, which contains one Td,i+1; (3) j + k > d, we will unitetwo Fd,i to form one Fd,i+1, which contains one Td,i+1 and one Fd,i, whichcontains j + k � dTd,i. Meanwhile server constructs a rekey message:encrypting the root key of Fd,i with the root key of the old sub-tree Td,i. Thisprocess repeats until there are no two forests of equal size.

3. Construct a new group key, encrypt it with every sub-forest’s root key, andsend the rekey message to all the members in the group.

For example, member U1 intends to leave a 15-member group (from Fig. 3(b)to (c)). Key server will divides sub-forest K19 into K23 and K49 (K46 and K79);then links them to the root and unites K49 and Kaf to form K7f and K46. Thenconstructs the following message and multicasts it: S ! U 2; . . . ;Uf : fK7fgK79

;fK7fgKaf

; fK23gK2; fK23gK3

; fK2f gK7f; fK2fgK46

; fK2fgK23.

1.3.2.1. Performance. The average cost is applied by considering that thecost may be affected by the position from where a member leaves. Assumethat the average server cost for leaving an N-member d-degree key link-tree is CLTP

leaveðN ; dÞ, where N = xkdk + xk�1dk�1 + � � � + x1d + x0 (xk > 0,0 6 xi < d).

We assume that the member leaves sub-forest Fd,i and the average cost isCLTP

leaveðN ; d; iÞ. Function f2 and f3 is applied considering that leaving processinclude link-tree division and union.

The result of function f2 is the smallest sized forest. f2(N,d) ={Min(i)jxi 5 0}.

Function f3 judges whether the forest of a certain size exists. If so, the resultis 1, or it will be 0.

f3ðxiÞ ¼0 if xi ¼ 0

1 if xi 6¼ 0

�

After a leaving member leaves Fd,i, Fd,i is divided into a Fd,i�1 which containsd � 1Td,i�1, a Fd,i�2 which contains d � 1Td,i�2, . . ., and a Fd,0 which containsd � 1Td,0. F d;0; F d;1; . . . ; F d;f2ðN ;dÞ�1 link to the root of LT d;N�1; F d;f2ðN ;dÞ;

F d;f2ðN ;dÞþ1; . . . ; F d;i�1 unite with the other original sub-forests. The cost of sep-

aration and union is Cex&un(N,d, i).

Cex&unðN ; d; iÞ ¼ðd � 1Þ � iþ xi � 1 if i ¼ f2ðN ; dÞ; d > 2

d � i� f2ðN ; dÞ þ xi if i > f2ðN ; dÞ; d > 2

d � ði� f2ðN ; dÞÞ if d ¼ 2

8><>:


The cost of encrypting the group key is

CgpðN ; d; iÞ ¼

P0j¼k

f3ðxjÞ þ f2ðN ; dÞ if xf2ðN ;dÞ > 1

P0j¼k

f3ðxjÞ � 1þ f2ðN ; dÞ if xf2ðN ;dÞ ¼ 1

8>>><>>>:

)CLTPleaveðN ; d; iÞ ¼ Cex&unðN ; d; iÞ þ CgpðN ; d; iÞ

And the average cost is CLTPleaveðN ; dÞ ¼

Pki¼0xid

i=N � CLTPleaveðN ; d; iÞ.

1.4. Performance comparison

We make comparison between the key tree and the key link-tree as an exam-ple due to the huge quantity generated from that the key star’s cost for a leaveis N � 1.

We compute the cost 2blogdðNÞc þ 2 for a join and dblogdðNÞc � 1 for aleave in key tree to give a more accurate view.

Fig. 4. Performance comparison (a) join (b) leave (c) join + leave.


We draw the figure for the costs when d = 2, 1 6 N < 1000. Fig. 4(a) repre-sents the cost for a join; Fig. 4(b) represents the cost for a leave; and Fig. 4(c)represents the total. Fig. 4 shows when d = 2, it is better for key tree’s leavingperformance, key link-tree’s joining performance, and the total of key link-tree’s leaving and joining performance respectively. This is mainly due to thatboth key star and key tree’s merits are integrated by key link-tree. The first levelof key link-tree act as key star, which makes joining protocol optimized; and thefull structure of key link-tree act as key tree, so its leaving performance is similarto that of key tree. After a member joins the group, it must leave the group. Thetotal of leaving and joining performance should be primary as a consequence.

Then we calculate the sum of all the costs when 1 6 N < 1000, 2 6 d < 6 toget Table 1.

Table 1 illustrates that 4-degree key tree leads to the best result in key tree,which matches with [1]’s result. 3-degree key link-tree leads to the best amongall the key trees and key link-trees. In general, key link-tree shows a better per-formance than key tree. It does not give rise to key tree’s troublesome prob-lems—keeping the tree balanced, because of key link-tree’s structure.

1.5. Simulation

We built a simulator for key tree and key link-tree. For each experimentwith an initial group size n, the simulator built a key structure with initial keys.After randomly picking one user to leave or join, the simulator simulates a keyserver that processes group member joins or leaves, sends rekey messagesencrypted with DES algorithm, and records the server cost. It simulates fourstructures: 2-degree and 4-degree key tree, 2-degree and 3-degree key link-tree.The rekey algorithm of the key tree lies in [1]’s group-oriented strategy. Therekey algorithm of the key link-tree lies in Section 1.3.

Simulations were done on a Redhat Linux 9.0 with 1.7 GHz CPU and256 MB memory. We ran the simulation for 100 times and calculated the totalof server cost.

Fig. 5 gives the views of four structures’ server cost for the total of a leaveand a join. It matches with the analysis result in Section 1.4.

Table 1Performance comparison

1 6 N < 1000 Key tree Key link-tree

d Join Leave Total Join Leave Total

2 17974 14974 32948 3970 17684 216543 11828 13742 25570 3970 17586 215564 9328 13656 22984 3964 18395 223595 8448 15120 23568 3964 19509 23473

0 200 400 600 800 1000

Group size

40000

60000

80000

100000

120000

140000

160000M

icro

seco

nds

tree d=2tree d=4ltree d=2ltree d=3

Fig. 5. Leave + join.


2. Batch rekeying

2.1. Batch rekeying algorithm [3]

In spite of the efficiency of the key graph approach for one-to-many appli-cations, changing the group key after each join or leave, individual rekeyinghas two major drawbacks: synchronization problem and inefficiency [3].

• Synchronization problem: If the group is rekeyed after each join or leave,synchronization will be difficult to maintain because of the interdependen-cies among rekey messages and also between rekey and data messages. Ifthe delay in rekey message delivery is high and the join/leave requests arefrequent, a member may need to have memory space for a large numberof rekey and data messages that cannot be decrypted.

• Inefficiency: For authentication, each rekey message may be digitally signedby the sender. Generation of digital signatures is a costly process in terms ofcomputation and communication. A high rate of join/leave requests mayresult in a performance degradation.

Ref. [3] presents the batch rekeying algorithm to minimize these two prob-lems. In this approach, join or leave requests are collected during a rekey inter-val and are rekeyed in a batch. The out-of-sync problems are alleviated bydelaying the use of a new group key until the next rekey interval. Batch pro-cessing also leads to a performance advantage.


Batch rekeying algorithm provides a trade-off between performanceimprovement and delayed group access control. A new member has to waitlonger to join the group and a leaving member can stay longer with the group.It generates a rekey sub-tree at the end of each rekey interval with a collectionof J join requests and L leave requests and updates the key tree. The objectivesare to reduce the number of encrypted keys, to keep the balance of the updatedkey tree, and to make it more efficient for the users to identify the encryptedkeys they need. In order to fulfil these objectives, the server uses the followingsteps:

1. Update the tree by processing join and leave requests in a batch. If J 6 L, J

of the departed members with the smallest IDs are replaced with the J newlyjoined members. If J > L, L departed members are replaced with L of thenewly joined members. For the insertion of the remaining J–L new mem-bers, three strategies have been further illustrated in [3].

2. Mark the key nodes with one of the following states: unchanged, join, leaveand replace.

3. Prune the tree to obtain the rekey sub-tree.4. Traverse the rekey sub-tree, generate new keys, and construct the rekey

message.

Since batch rekey algorithm also fits in key link-tree, no further detail of keylink-tree’s batch rekey algorithm is described in this section.

2.2. Performance analysis

2.2.1. Key tree

The performance analysis of key tree is based on balanced trees, and theresult is measured by the average server cost. Ref. [3] calculated the results:

CtreeðN ; d; J ; LÞ ¼

dPh�1

l¼0

dl 1�CL

N�N=dl

CLN

� �if J ¼ L

dPh�1

l¼0

dl 1�CL

N�N=dl

CLN

� ��Phl¼0

dl CN=dl

L�J

CN=dl

N

if J < L

dJd�1

� �þ 2logdN if J > L; L ¼ 0

dPh�1

l¼0

dl 1�CL

N�N=dl

CLN

� �þ dðJ�LÞ

d�1

l mif J > L; L > 0

8>>>>>>>>>>><>>>>>>>>>>>:

2.2.2. Key link-tree

The server cost relies on the changed nodes’ position and the size of the sub-forest which changed nodes belong to.


Assume that link-tree LTd,N has N leafs (N = akdk + ak�1dk�1 + � � � + a1d +a0, ak > 0, 0 6 ai < d), it has k sub-forests at most (Fd,k,Fd,k�1, . . . ,Fd,0,Fk con-tains akTd,k, . . . ,F0 contains a0Td,0). Two auxiliary functions apply to calculatethe server cost as follows:

f4ðxiÞ ¼0 if xi ¼ 0;

1 if xi 6¼ 0;

�f 5ðxiÞ ¼

0 if xi < 2

xi if xi P 2

�(1) Worst case analysis. According to the joining protocol of key link-tree,

joining member links to the root of link-tree. It is easy to compute. Howeverthe position of leaving member is at random, it is hard to compute. The worstcase is that leaving members are in all the sub-forests averagely. After the link-tree is updated, assume that group size is N + J � L = bkdk + bk�1dk�1 +� � � + b0.

At the beginning, LTd,N hasPk

i¼0f4ðaiÞ sub-forests,Pk

i¼0ai complete sub-trees.

After L members leave the link-tree, when 0 < L 6 ak, link-tree hasPki¼0ai � Lþ L � k � ðd � 1Þ complete sub-trees.When ak < L 6 akd + ak�1, there are

Pk�1i¼0 aiþ ak � d�LþL � ðk� 1Þ � ðd� 1Þ

complete sub-trees.When

P0i¼lak�lþid

i < L 6P0

i¼lþ1ak�l�1þidi, there are

Pk�l�1i¼0 ai þ

Pki¼k�lai�

diþ1�kþl � Lþ Lðk � l� 1Þðd � 1Þ complete sub-trees.

Let NðN ; J ; L; lÞ ¼Pk�l�1

i¼0 ai þPk

i¼k�lai � diþ1�kþl � Lþ Lðk � l� 1Þðd � 1Þ,when

P0i¼lak�lþid

i < L 6P0

i¼lþ1ak�l�1þidi.

Then J members join, there are N(N,J,L, l) + J complete sub-trees.The next step is to unite equal size sub-trees. Every union reduces d � 1 sub-

trees at most, and requests d encryptions. Finally, there arePk

i¼0bi completesub-trees and

Pki¼0f4ðbiÞ sub-forests.

So, server cost is dðNðN ; J ; L; lÞ þ J �Pk

i¼0biÞ � d=ðd � 1Þe þPk

i¼0f4ðbiÞ forthe worst case.

(2) Average case analysis. The server cost depends on the number of nodesbelonging to the rekey sub-tree, and the number of children each node has.Thus, our technique for average case analysis is to consider the probability thatan individual node belongs to the rekey sub-tree, and to consider the node’sexpected number of children. We illustrate the following three cases.

• Case 1: J = L

This case is the basis of all the analysis. Assume that sub-forest Fi of link-tree has ai complete sub-tree Td,i, Td,i’s height is i. Let the root of Td,i beat level 0, and the leaf nodes are at level i. Consider a node v at level l,0 6 l 6 i � 1. v should be updated if and only if there is at least one leavein v’s children. Assuming every current user has equal probability of leaving,there are CL

N ways to pick leaving L users out of N users. Among these ways,CL

N�dl of them have no leaves in v’s children. Thus, the probability that v


should be updated is 1� CLN�dl=CL

N . It comes to the updating probability ofthe Fi’s root. Finally, add the root of link-tree, and the average cost is:

CLT ðN ;d;L;LÞ¼Xk

i¼0

d �ai

Xi�1

l¼0

dl 1�CL

N�di�l

CLN

� �" #þ f5ðaiÞ � 1�

CLN�aidi

CLN

!( )

þ f5

Xk

i¼0

f4ðaiÞ !

• Case 2: J > L

Assume that group size is N + J � L = akdk + � � � + aj+1dj+1 +bjd

j + � � � + b0 after updating the link-tree. Thus, the analysis of sub-forestFi(j < i 6 k) is same as case 1; sub-forest Fi (0 6 i < j) is newly built, everynodes should rekey; and Fj is built by old sub-forest F0, . . . ,Fj and newJ � L members, the probability of rekey is the same as case 1 or equal 1.Finally, add the root of link-tree, the average cost is:

CLT ðN ;d;J ;LÞ¼Xk

i¼jþ1

d �ai

Xi�1

l¼0

dl 1�CL

N�di�l

CLN

� �" #þf5ðaiÞ � 1�

CLN�aidi

CLN

!( )

þXj�1

i¼0

d �bi

Xi�1

l¼0

dlþf5ðbiÞ( )

þXj

i¼0

d �ai

Xi�1

l¼0

dl 1�CL

N�di�l

CLN

� �" #

þd bj �Xj�1

l¼0

dl�Xj

i¼0

ai �Xi�1

l¼0

dl

! !

þf5ðbjÞþf5

Xk

i¼jþ1

f4ðaiÞþXj

i¼0

f4ðbiÞ !

¼CLT ðN ;d;L;LÞ

þf2

Xk

i¼jþ1

f1ðaiÞþXj

i¼0

f1ðbiÞ !

�f2

Xk

i¼0

f1ðaiÞ !

þXj

i¼0

ðbi�aiÞ � ðdiþ1�dÞ=ðd�1Þ

þXj

i¼0

f2ðbiÞ�f2ðaiÞ � 1�CL

N�aidi

CLN

!" #

• Case 3: J < L

In this case, it is hard to make an analysis. We use the worst case analysis asan alternative:

CLT ðN ; d; J ; LÞ 6 NðN ; J ; L; lÞ �Xk

i¼0

bi

!� d,ðd � 1Þ

& ’


2.3. Performance comparison

The performance of key link-tree is worse than key tree for these above threecases. The performance of key link-tree is better than that of key tree only whenJ > 0 and L = 0, which is because the performance of batch rekeying is propor-tional to maximum of leave and join operations, and the performance queue ofthese two structures’ operation is: join of key link-tree < join of key tree < leaveof key tree < leave of key link-tree. Though the performance of key link-tree isbetter in single rekeying (join + leave of key link-tree < join + leave of key tree),the performance of key tree is better in batch rekeying (max (join of key tree,leave of key tree) < max (join of key link-tree, leave of key link-tree)).

3. Transform algorithm

The results in last two sections are: the performance of key link-tree is betterthan that of key tree in single rekeying, but the performance of key tree is betterin batch rekeying. In single rekeying, the performance of key link-tree’s joiningoperation and overall are better, the performance of key tree’s leaving opera-tion is better.

No protocol can fit in all environments, different environment requires dif-ferent protocol. For example, when a new group is born, the join rate must belarge than the leave rate, we choose key link-tree due to its better performancefor a join; when a group will die, the leave rate must be larger than the join rate,we choose key tree due to its better performance for a leave. And if it requiresbatch rekeying, we choose key tree.

This section proposes two transform algorithms which can satisfy therequirement. The algorithms allow the key server adopt key link-tree or key treewhenever necessary, the key server can be more efficient. We show the transformalgorithms between key link-tree and key tree in the following sections.

3.1. Key link-tree to key tree

The objective of the algorithm is to transform key link-tree to key tree.

1. d-degree link-tree LTd,N is a forest, which has several sub-forests Fd,k link toone root. Let these sub-forests array by size.

2. If the number of sub-forests is larger than d, select two minimum size sub-for-ests Fd,i and Fd,j (i > j), unite Fd,i and Fd,j to a new sub-forest F 0d;i, and link F 0d;ito the root of link-tree. Then construct the rekey message: encrypt F 0d;i’s rootkey with two original sub-forests Fd,i and Fd,j’s root keys. This process repeatsuntil the link-tree has d sub-forests. Now the link-tree is a d-degree tree.

3. Multicast the rekey message to all the members.


Next are the algorithm’s pseudo-codes:

LT_trans_to_Tree(N,d){
While (forest_number() > d) {
(i,j) = (find_min_forest);//find two minimum size sub-forestsUnion (Fi, Fj); //unite these two sub-forestsConstruct_rekey(Fi); //encrypt new Fi’s root key with Fi and Fj’s rootkey

}send_rekey();

}

For example, transform an 11-member 2-degree key link-tree to a 2-degreekey tree (Fig. 6(a) to (b)). Because it has three sub-forests, two minimum size

K1b

K4

K56

Group Key

U1

K1 K2

U2 U3Users

Individualkeys

K78K34K12

K58K14

K3 K8K7K6K5

Auxiliarykeys

U4 U8U7U6U5

K18 K9a Kb

KaK9 Ub

UaU9

K1c

K4

K56

Group Key

U1

K1 K2

U2 U3Users

K78K34K12

K58K14

K3 K8K7K6K5

Auxiliarykeys

U4 U8U7U6U5

K18

K9a

KaK9 Ub

UaU9Individualkeys

Kb

K9c

(a)

(b)

Fig. 6. An example switch.


sub-forests are Kb and K9a, then unite them to K9b. The rekey message is as fol-lows: S ! U 1; . . . U b : fK9bgK9a

; fK9bgKb.

3.2. Key tree to key link-tree

The objective of the algorithm is to transform key tree to key link-tree.

1. Decompose d-degree tree Td,k. If Td,k is not a complete d-degree sub-tree,then decompose it to dd-degree sub-tree Td,k�1 at most. This process repeatsuntil every sub-tree is a complete d-degree tree.

2. Unite d-degree tree. If there are d complete d-degree trees Td,i, then unitethem to a complete d-degree tree Td,i+1, and encrypt Td,i+1’s root key withoriginal d tree Td,i. This process repeats until the number of equal sized-degree complete tree less than d.

3. Unite equal size d-degree tree Td,i to a sub-forest Fd,i, and encrypt Fd,i’s rootkey with original Td,i’s.

4. Link all the sub-forests to one root, construct a link-tree, and encrypt link-tree’s root key with all the sub-forests’ root key.

5. Multicast the rekey message to all the members.

Next are the algorithm’s pseudo-codes:

Tree_trans_to_LT(N,d){
Decompose(T);While (equal_size_forest_number()>=d) {
Union (i); //unite d tree Ti to Ti+1Construct_rekey(Ti+1); //encrypt new Ti+1’s root key with d Ti’s rootkey

}//unite equal size tree to forest; encrypt new tree’s root keyUnion_tree_and_Construct_rekey();Link_and_Construct_rekey(); //construct link-tree, and encrypt link-tree’s root keysend_rekey();

}

For example, transform an 11-member 2-degree key tree to a 2-degree keylink-tree (Fig. 6(b) to (a)). K1b is not a complete tree, then decompose it toK18 and K9b. K18 is a complete tree, then do not decompose it. K9b is decom-posed to K9a and Kb, there are no two equal size complete trees, we do not uniteequal size trees. Then we link these trees K18, K9a and Kb to the root node K1b,it comes to be a link-tree. The rekey message is: S ! U 1; . . . U b : fK1bgK18

;fK1bgK9a

; fK1bgKb.


3.3. Performance analysis

(1) Key link-tree to key treeA d-degree link-treeLTd,N has logdN þ 1 sub-for-ests at most; it requires logdN þ 1� d times of unions to allow logdN þ 1sub-forests unite to d sub-forests. Every union needs two encryptions toform rekey message, so the server cost for transform algorithm islogdN þ 1� dð Þ � 2 at most. Because the server run transform algorithm

when necessary, the algorithm do not reduce the efficiency of the keymanagement system much.

(2) Key tree to key link-treeA d-degree tree which has N leaf nodes can bedecomposed to N single nodes at most. That N nodes uniting to ad-degree link-tree needs N + N/d + N/d2� � � = N Æ d/(d � 1) times ofencryptions, so the server cost for transform algorithm is N Æ d/(d � 1)at most. Its performance is worst than that of the transform algorithmof key link-tree to key tree. And its affection to the key management sys-tem is also limited.

4. Conclusion

This paper demonstrates key graph approaches for secure group communi-cation, presenting the key link-tree scheme, which has better performance thankey tree in single rekeying. At last, this paper introduces the transform algo-rithm between key tree and key link-tree to get a better rekeying performance.

References

[1] C.K. Wong, M. Gouda, S.S. Lam, Secure group communications using key graphs, in: ACMSIGCOMM’98, 1998.

[2] S. Rafaeli, D. Hutchison, A survey of key management for secure group communication,ACM Computing Surveys 35 (3) (2003) 309–329.

[3] X.S. Li, Y.R. Yang, M.G. Gouda, S.S. Lam, Batch rekeying for secure group communica-tions, in: Proceedings of 10th International WWW Conference, Hong Kong, China, May 2001,pp. 525–534.

[4] M. Moyer, J. Rao, P. Rohatgi, Maintaining balanced key trees for secure multicast, Internetdraft, draft-irtf-smug-key-tree-balance-00.txt, June 1999.

[5] M. Waldvogel, G. Caronni, D. Sun, N. Weiler, B. Plattner, The Versakey framework: versatilegroup key management, IEEE Journal on Selected Areas in Communications 17 (8) (1999).

[6] D. Wallner, E. Harder, R. Agee, Key Management for Multicast: Issues and Architectures,RFC 2627, 1999.

[7] D.A. Mcgrew, A.T. Sherman, Key establishment in large dynamic groups using onewayfunction trees, Technical Report No. 0755 (May), TIS Labs at Network Associates, Inc.,Glenwood, MD, 1998.

[8] R. Canetti, J. Garay, G. Itkis, D. Micciancio, M. Naor, B. Pinkas, Multicast security: ataxonomy and some efficient constructions, in: Proceedings of the IEEE Infocom, vol. 2, NewYork, NY, March 1999, pp. 708–716.


[9] O. Rodeh, K. Birman, D. Dolev, Optimized group rekey for group communication systems,Network and Distributed System Security, San Diego, CA, February 2000.

[10] L. Dondeti, S. Mukherjee, A. Samal, A distributed group key management scheme for securemany-to-many communication, Technical Report PINTL-TR-207-99, Department of Com-puter Science, University of Maryland, 1999.

[11] Y. Kim, A. Perrig, G. Tsudik, Simple and fault-tolerant key agreement for dynamiccollaborative groups, in: S. Jajodia, P. Samarati (Eds.), Proceedings of the 7th ACMConference in Computer and Communication Security, Athens, Greece, November 2000, pp.235–241.

an extension of secure group communication using key graph

Documents