Professional Documents
Culture Documents
2, FEBRUARY 2005
Abstract—Multicast is used to deliver packets to a group of users. To prevent users outside the group from eavesdropping, a group key
is maintained to encrypt the group communication, and the group key is changed (rekeying) when a new member joins the group or an
existing member leaves the group. Rekeying costs could be as high as n for a group with n members. The hierarchical key-tree approach
is widely used to achieve logarithmic rekeying costs. However, the key tree has to be kept balanced in order to keep logarithmic rekeying
costs. Goshi and Ladner [8] propose the height-balanced 2-3 tree (a B-tree of order m ¼ 3) and found that it has the best performance
among the balancing strategies tested. However, balancing a B-tree [8] after member joining involves splitting oversized tree nodes and
results in ðm þ 2Þh worst-case rekeying cost, where h is the tree height. We propose an NSBHO (Non-Split Balancing High-Order) tree in
which balancing tree after member joining does not involve node splitting, thus having 2h worst-case rekeying cost. An NSBHO tree is
always balanced and its nodes may not satisfy the node properties of a standard B-tree. Our proposed NSBHO tree has the same worst-
case rekeying cost incurred by a member removing as a B-tree [8] does. Our experiments show that the NSBHO tree has better average-
case rekeying performance and far superior worst-case rekeying performance than a B-tree.
Index Terms—Group key management, secure multicast, dynamic group, high-order tree, balanced tree, rekeying.
1 INTRODUCTION
2 RELATED WORK
We use the following notations:
. K{action}: action encrypted using secret key K. Any Fig. 1. Key trees for member u3 leaving and joining the group.
member receiving Kfactiong and possessing key K
will decrypt the message and perform the action. operations, which is too high for software implementation.
. action includes: The widely used hierarchical key-tree approaches [23], [24],
[2], [1], [3], [12], [13], [14], [20], [19] have logarithmic
- k1 ! k2 : change key k1 to key k2 .
rekeying costs when the key trees are balanced. It is this
- add k1 : add key k1 to the key list.
approach upon which this paper focuses. Canetti et al. [2]
- setGroupKey k1 : use key k1 as the group key.
modify the key-tree scheme proposed by Wallner et al. [23]
We will introduce the hierarchical key-tree approach in and enable the trade off between message costs and storage.
Section 2.1. Readers who are familiar with it can skip this Snoeyink et al. [21] prove a ðlog nÞ lower bound for
subsection. Section 2.2 discusses existing approaches to rekeying costs under the key-based multicast model [2] and
rebalancing the key tree after adding/deleting a member. show that the 3-ary tree is optimal for group key
Section 2.3 explains why node splitting should be avoided distribution without considering the message cost due to
during tree rebalancing. tree rebalancing. The broadcast encryption [7] takes a
2.1 Rekeying Approaches different approach than the hierarchical key-tree approach.
The group key needs to be securely conveyed to the group Its rekeying message cost is independent of the number of
members every time the group key is changed. A simple members left. However, it is only resilient against any
approach is for the server to assign each group member a coalition of k past members. High resilience requires a large
unique member key. When a new member joins in, a new value of k, which greatly increases the message cost. In
group key is generated to achieve past confidentiality. Since contrast, the hierarchical key-tree approaches with past
the new member does not know the old group key, the confidentiality are often secure against the coalition of any
server can use the old group key to encrypt the new group number of past members.
key and to multicast the result to all group members. The Chen and Dondeti [5] compare the performance of
server also uses the member key of the new member to stateful and stateless group rekeying algorithms. Eskicioglu
encrypt the new group key and to unicast the result to the [6] reviews the security issues in group multimedia
new member. When an existing group member leaves, the communication, including group key management.
server generates a new group key to achieve future Below, we will illustrate the idea of hierarchical key-tree
confidentiality. This time the server can’t use the old group approach proposed by Wallner et al. [23] and independently
key to encrypt the new group key because the leaving by Wong et al. [24]. The server maintains a tree to organize the
member knows the old group key. A straightforward existing group members. Fig. 1 shows two key trees. Each
solution is for the server to encrypt the new group key member (square node) has a unique member key, e.g., u3 has a
using the unique member key of each of the remaining member key (k3 ). Each internal (round) node has a unique
members and to send a unicast message to each member. subgroup key that is known only to the group members in the
n 1 unicast messages are needed. This poses a scalability subtree rooted at this node, e.g., sk2 is known only to u8 , u9 ,
problem for large dynamic groups. u10 , and u11 . Therefore, ui knows only the keys on the path
Public key rekeying approaches such as group Diffie- from the root to the square node for ui . In Fig. 1, member u1
Hellman [22] require a linear number of public key knows only gk, sk1 , sk3 in addition to k1 . The key at the tree
root is used as the group key and other subgroup keys are
1. The order is the maximum number of children a tree node can have. used for rekeying purposes.
Authorized licensed use limited to: Arulmigu Kalasalingam College of Engineering. Downloaded on February 5, 2010 at 23:16 from IEEE Xplore. Restrictions apply.
216 IEEE TRANSACTIONS ON COMPUTERS, VOL. 54, NO. 2, FEBRUARY 2005
Authorized licensed use limited to: Arulmigu Kalasalingam College of Engineering. Downloaded on February 5, 2010 at 23:16 from IEEE Xplore. Restrictions apply.
LU: A NOVEL HIGH-ORDER TREE FOR SECURE MULTICAST KEY MANAGEMENT 217
Definition 1. An empty tree is an NSBHO (Non-Split Proof. It is easy to see that mh n since each internal node
Balancing High-Order) tree of order m. A tree with only one can have at most m children.
external node and no internal nodes is an NSBHO tree of order Since all the internal B-tree nodes except the root have
m. If an NSBHO tree of order m is not empty and has more at least d children and the root has at least two children,
than one external node, it has the following properties the minimum number of nodes at level 0, 1, 2, 3, . . . , h is
(d ¼ dm=2e): 1; 2; 2d; 2d2 ; . . . ; 2dh1 , respectively. Therefore, there are
at least 2dh1 external nodes.
P1. The root has at least two children and at most The bound on h follows the bound on n. u
t
m children.
Authorized licensed use limited to: Arulmigu Kalasalingam College of Engineering. Downloaded on February 5, 2010 at 23:16 from IEEE Xplore. Restrictions apply.
218 IEEE TRANSACTIONS ON COMPUTERS, VOL. 54, NO. 2, FEBRUARY 2005
TABLE 1 internal nodes are full (i.e., having m children each), a new
Rekeying Message Costs of the B-Tree [8] root will be created which becomes the insert point.
and the NSBHO Tree The algorithm for inserting an external node z is listed
in Fig. 5. If the tree is empty, z becomes the root.
Otherwise, getInsertP oint (Fig. 6) is invoked. If
getInsertP oint returns null, a new root y is created and
the current root becomes a child of the new root. Now, y
has fewer than m children. A chain of internal nodes
h is the height of the corresponding B-tree or the NSBHO tree, m is the (x0 ; x1 ; . . . ; xl ) is created, where xi ¼ xiþ1 :parent for
order of the tree, and d ¼ dm=2e. 0 i < l, x0 :level ¼ y:level þ 1, and xl :level ¼ h 1. The
purpose of the chain is to put z at the correct level of the
From Lemmas 1 and 2, the difference between the worst- external nodes. The new external node z becomes a child of
case height of an order-m NSBHO tree and that of an order-m xl and x0 becomes a child of y. In the case of y:level ¼ h 1,
B-tree is there is no need to create a chain and, thus, z itself becomes
a child of y.
ðlogd ðn 1Þ þ 1Þ ðlogd ðn=2Þ þ 1Þ ¼ logd ð2ðn 1Þ=nÞ: Fig. 6 gives the algorithm for getInsertP oint. The
When n 1, logd ð2ðn 1Þ=nÞ ¼ logd 2 1. This means, in algorithm returns null if there is no internal node or all
the worst case, an NSBHO tree is at most one level taller internal nodes are full. If SP is not empty, a node 2 SP with
than a B-tree of the same order. In our experiment the largest level (e.g., z1 in Fig. 3) is returned. Otherwise, a
(Section 5), we rarely find any height difference between nonfull internal node 62 SP is returned.
these two trees. The tree height is related to the rekeying Special path SP can be maintained by a simple array of
cost of each tree (see Table 1 for comparison). size h. Adding (removing) a node to (from) SP can be done
in Oð1Þ time. Returning the node 2 SP with the largest level
3.2 Insert an External Node is the key to making the insertion algorithm work.
When a new member joins the group, an external node z is Lemma 3. If the tree is an NSBHO tree of order m, it is still an
created for the new member and is inserted into the NSBHO NSBHO tree of order m after inserting an external node using
tree. The general idea is to create a chain of nodes with z as the algorithm in Fig. 5.
the tail and then attach the head of the chain as a child of a
Proof. If the tree is empty, it has one external node after
suitable internal node of the current NSBHO tree. The
insertion. It is an NSBHO tree of order m. When
purpose of the chain is to put z at the correct level of the
getInsertP oint returns null, either there is no internal
external nodes, thus the length of the chain is such that the
node or all internal nodes are full. In the former case, the
new external node z is at the same level as the existing tree has only one external node and no internal nodes.
external nodes. Thus, following the insertion, it has a root and two
The key is to find a suitable insert point (internal node) such that external nodes that are the children of the root. It is an
the resulting tree is still an NSBHO tree. When the special path NSBHO tree of order m. In the latter case, there is no
SP is not empty, a node 2 SP with the largest level is the special path in the current tree. A new root is created and
suitable insert point. Recall that x:level ¼ x:parent:level þ 1 the newly created chain (x0 ; x1 ; . . . ; xl ) becomes the only
and root:level ¼ 0. In Fig. 3, the special path is (z0 ; z1 ), special path. Therefore, the tree is still an NSBHO tree of
z0 :level ¼ 1, and z1 :level ¼ 2, thus z1 is the suitable insert order m.
point. Fig. 4b shows the resulting tree using z1 as the insert If SP is not empty, a node 2 SP with the largest level
point. One may verify that it is an NSBHO tree. z0 can’t be is returned by getInsertP oint. The newly created chain
used as the insert point because, otherwise, the resulting (x0 ; x1 ; . . . ; xl ) becomes the tail of the existing special
tree (as shown in Fig. 4a) has two special paths, (z1 ) and path. Since x0 becomes a child of the insert point and xi ,
(x0 ). The root can’t be used as the insert point either 0 i l, has larger level than that of the existing node
because, otherwise, the resulting tree (as shown in Fig. 4c) 2 SP , there is only one special path after insertion.
has two special paths, (z0 , z1 ) and (x0 , x1 ). When the special If SP is empty, a node 62 SP is returned. This node has
path SP is empty, an arbitrary internal node that has fewer fewer than m children. The newly created chain
than m children can be the insert point. When all the (x0 ; x1 ; . . . ; xl ) becomes the only special path. Apparently,
Fig. 4. An external node z is inserted into the NSBHO tree in Fig. 3 using the insert point. (a) z0 . (b) z1 . (c) root. The resulting trees at (a) and (c) are
not NSBHO trees. The resulting tree at (b), however, is an NSBHO tree.
Authorized licensed use limited to: Arulmigu Kalasalingam College of Engineering. Downloaded on February 5, 2010 at 23:16 from IEEE Xplore. Restrictions apply.
LU: A NOVEL HIGH-ORDER TREE FOR SECURE MULTICAST KEY MANAGEMENT 219
Authorized licensed use limited to: Arulmigu Kalasalingam College of Engineering. Downloaded on February 5, 2010 at 23:16 from IEEE Xplore. Restrictions apply.
220 IEEE TRANSACTIONS ON COMPUTERS, VOL. 54, NO. 2, FEBRUARY 2005
Fig. 8. (a) Remove the rightmost external node in Fig. 3. (b) Remove shaded node in (a). (c) Remove shaded node in (b).
and line 21). If the deficiency propagates up to the root, the b. z 62 SP . Thus, z:size ¼¼ d 1. Lines 12-22 deal
tree height is decreased by one (lines 25-26). with this case. There are two possible subcases, z
Fig. 8a is the result of removing the rightmost external either has or does not have a rich sibling.
node in Fig. 3, Fig. 8b is the result of removing the shaded b1. z has a rich sibling. Lines 14-15 deal with this
node in Fig. 8a, and Fig. 8c is the result of removing the case. A rich sibling can give z a child without
shaded node in Fig. 8b. affecting its own status (i.e., after giving z a
child, it still has at least one child if it is in SP
Lemma 4. If the tree is an NSBHO tree of order m, it is still an
and at least d children if it is not in SP ).
NSBHO tree of order m after removing an external node using Hence, removing a child from the rich sibling
the algorithm in Fig. 7. does not introduce new violations. Adding a
Proof. If z ¼¼ root (line 1), the tree has only one external child to z raises the size of z to d. Thereafter,
there are no more violations in the tree. We
node and no internal nodes. After removing z, the tree is
simply set z to the root to end the while loop.
empty and is an NSBHO tree. b2. z does not have a rich sibling. Hence, the size of
The loop invariant for the while loop in lines 5-23 is: the sibling of z is either d or 1. There are two
subcases, either pz:size > 1 or pz:size ¼¼ 1.
1. z is an internal node.
2. Property 2 of Definition 1 is not violated (i.e., all b2.1pz:size > 1. We merge a sibling of z with
external nodes are at the same level). z in line 17. After merging, the size of z is
3. If there is a violation, it is because z lost a child either d or 2d 1 and pz loses one child.
and is now one child short. Thus, z is no longer one child short and
“z is one child short” means z:size ¼¼ 1 if z is the root, recovers its status as one of the nodes
z:size ¼¼ d 1 if z 62 SP [ frootg, and z:size ¼¼ 0 if 62 SP . Notice that we did not touch other
z 2 SP . internal nodes except z, pz, and the
Initialization: sibling of z that was merged with z. If
there is a violation, it is because pz lost a
1. When line 2 is executed, the tree has at least one
child and is now one child short. The
internal node. After line 4 is executed, z points to
pointer z moves one level up in line 18.
an internal node.
b2.2pz:size ¼¼ 1 (i.e., z is the only child of
2. Lines 2-4 do not change the levels of the external
pz). Thus, pz is in SP . Adding z to SP in
nodes.
line 21 allows z to legitimately have d 1
3. Lines 2-4 remove a child from pz and do not touch
children (i.e., z is no longer one child
other internal nodes. Therefore, if there is a
short). Therefore, the violation caused by z
violation, it is because z ¼ pz (line 4) lost a child
is fixed. Adding z to SP could potentially
and is now one child short.
introduce violation of property 4. How-
Maintenance: Since the loop is entered, z 6¼ root. ever, since z is the only child of pz and pz is
Thus, pz ¼ z:parent is an internal node. There are two in SP , adding z to SP will not create a
cases, z 2 SP and z 62 SP . Note that property 2 is never different SP , but rather it will extend the
violated since the loop does not change the level of any length of the existing SP by one. There-
external node. fore, there are no more violations after line
a. z 2 SP . Thus, z:size ¼¼ 0. Lines 7-11 deal with 21 and we simply set z to the root in order
this case. Since z has no children, z is deleted in to end the while loop.
line 9 and there is no further violation due to z. pz Termination: When the loop terminates, either z ¼¼
loses a child in line 9. Lines 7-11 do not touch root or (z 6¼ root and z:size 6¼ d 1 and z:size 6¼ 0). In the
other internal nodes except z and pz. Therefore, if former case, z is the root. If there is a violation,
there is a violation after lines 7-11, it is because pz root:size ¼¼ 1 by the loop invariant. Lines 24-26 fix this
lost a child and is now one child short. After violation and do not introduce any new violations.
lines 7-11, z (¼ pz) is still an internal node. (Although the levels of external nodes are decreased by
Authorized licensed use limited to: Arulmigu Kalasalingam College of Engineering. Downloaded on February 5, 2010 at 23:16 from IEEE Xplore. Restrictions apply.
LU: A NOVEL HIGH-ORDER TREE FOR SECURE MULTICAST KEY MANAGEMENT 221
Fig. 10. Merging two internal nodes (d ¼ 3). The rekeying message cost
is d.
Authorized licensed use limited to: Arulmigu Kalasalingam College of Engineering. Downloaded on February 5, 2010 at 23:16 from IEEE Xplore. Restrictions apply.
222 IEEE TRANSACTIONS ON COMPUTERS, VOL. 54, NO. 2, FEBRUARY 2005
Authorized licensed use limited to: Arulmigu Kalasalingam College of Engineering. Downloaded on February 5, 2010 at 23:16 from IEEE Xplore. Restrictions apply.
LU: A NOVEL HIGH-ORDER TREE FOR SECURE MULTICAST KEY MANAGEMENT 223
Fig. 13. Rekeying message costs for 100,000 random insertions (50 percent)/deletions (50 percent). Initial tree size is 10,000. Each point represents
the (a) max/(b) average cost over 2,000 operations. Btree3 stands for order-3 B-tree.
Fig. 14. Rekeying message costs for the first 50 operations in Fig. 13. (a) Comparison between an order-3 B-tree and an order-3 NSBHO tree.
(b) Comparison between an order-4 B-tree and an order-4 NSBHO tree.
B-tree is about 52, while that of an order-3 NSBHO tree is 2-3 tree, as discussed in [8]). For member leaving, the B-tree
about 22. The worst-case rekeying cost of an order-4 B-tree scheme and our NSBHO-tree scheme have the same worst-
is 50, while that of an order-4 NSBHO tree is only 18. case rekeying cost (dm=2e 1 þ mh). Our experiments
confirm that the NSBHO-tree is superior to the B-tree in
6 CONCLUSION terms of the worst-case rekeying performance. In addition,
The hierarchical key-tree approach is an efficient way to it has better average-case rekeying performance. Goshi and
achieve logarithmic rekeying costs for secure multicast key Ladner [8] show that the height-balanced 2-3 tree has the
management given that the underlying tree is balanced. We performance advantage over other balancing strategies.
have developed an NSBHO (Non-Split Balancing High-
Order) tree. Unlike the B-tree scheme [8], our NSBHO tree
REFERENCES
does not use node splitting to balance the tree. As a result,
[1] R. Canetti, J. Garay, G. Itkis, D. Micciancio, M. Naor, and B.
the worst-case rekeying cost of our NSBHO tree for a new Pinkas, “Multicast Security: A Taxonomy and Efficient Authenti-
member joining is 2h, while that of the B-tree scheme is cation,” Proc. IEEE Infocom, 1999.
[2] R. Canetti, T. Malkin, and K. Nissim, “Efficient Communication-
ðm þ 2Þh, where h is the corresponding tree height and m is Storage Tradeoffs for Multicast Encryption,” Proc. Advances in
the order of the tree (an order-3 B-tree is a height-balanced Cryptology—EUROCRYPT 1999, 1999
Authorized licensed use limited to: Arulmigu Kalasalingam College of Engineering. Downloaded on February 5, 2010 at 23:16 from IEEE Xplore. Restrictions apply.
224 IEEE TRANSACTIONS ON COMPUTERS, VOL. 54, NO. 2, FEBRUARY 2005
[3] G. Caronni, M. Waldvogel, D. Sun, and B. Plattner, “Efficient Haibin Lu received the BE and ME degrees in
Security for Large and Dynamic Multicast Groups,” Proc. IEEE electronic engineering from Tsinghua University,
Seventh Workshop Enabling Technologies: Infrastructure for Collabora- Beijing, China, in 1997 and 1999, respectively,
tive Enterprises, 1998. and the PhD degree in computer engineering
[4] I. Chang, R. Engel, D. Kandlur, D. Pendarakis, and D. Saha, “Key from the University of Florida in 2003. He joined
Management for Secure Internet Multicast Using Boolean Func- the faculty of the Department of Computer
tion Minimization Techniques,” Proc. IEEE Infocomm, 1999. Science, University of Missouri-Columbia, as
[5] W. Chen and L.R. Dondeti, “Performance Comparison of Stateful an assistant professor in 2003. His primary
and Stateless Group Rekeying Algorithms,” Proc. Fourth Int’l research focus lies in algorithmic aspects of
Workshop Networked Group Comm. (NGC ’02), 2002. computer network and multimedia communica-
[6] A.M. Eskicioglu, “Multimedia Security in Group Communica- tion. He is a member of the IEEE.
tions: Recent Progress in Key Management, Authentication, and
Watermarking,” ACM Multimedia Systems J., special issue on
multimedia security, pp. 239-248, Sept. 2003.
[7] A. Fiat and M. Naor, “Broadcast Encryption,” Proc. Advances in
Cryptology—CRYPTO ’92, pp. 257-270, 1994.
[8] J. Goshi and R.E. Ladner, “Algorithms for Dynamic Multicast Key . For more information on this or any other computing topic,
Distribution Trees,” Proc. ACM Symp. Principles of Distributed please visit our Digital Library at www.computer.org/publications/dlib.
Computing (PODC 2003), 2003.
[9] H. Harney and C. Muckenhirn, “Group Key Management
Protocol (GKMP) Specification,” RFC 2093, July 1997.
[10] H. Harney and C. Muckenhirn, “Group Key Management
Protocol (GKMP) Architecture,” RFC 2094, July 1997.
[11] X. Li, Y. Yang, M.G. Gouda, and S.S. Lam, “Batch Rekeying For
Secure Group Communications,” Proc. 10th Int’l World Wide Web
Conf., 2001.
[12] S. Mittra, “Iolus: A Framework for Scalable Secure Multicasting,”
Proc. ACM SIGCOMM, 1997.
[13] M. Moyer, J. Rao, and P. Rohatgi, “Maintaining Balanced Key
Trees for Secure Multicast,” Internet draft, draft-irtf-smug-key-
tree-balance-00.txt, June 1999,
[14] M. Moyer, J. Rao, and P. Rohatgi, “A Survey of Security Issues in
Multicast Communications,” IEEE Network, Nov./Dec. 1999.
[15] S. Paul, Multicast on the Internet and Its Applications. Kluwer
Academic, 1998.
[16] O. Rodeh, K.P. Birman, and D. Dolev, “Using AVL Trees for Fault
Tolerant Group Key Management,” Int’l J. Information Security,
pp. 84-99, Nov. 2001.
[17] S. Sahni, Data Structures, Algorithms, and Applications in Java.
McGraw-Hill, 2000.
[18] S. Setia, S. Koussih, S. Jajodia, and E. Harder, “Kronos: A Scalable
Group Re-Keying Approach for Secure Multicast,” Proc. IEEE
Symp. Security and Privacy, 2000.
[19] A.T. Sherman and D.A. McGrew, “Key Establishment in Large
Dynamic Groups Using One-Way Function Trees,” IEEE Trans.
Software Eng., vol. 29, no. 5, pp. 444-458, May 2003.
[20] C. Shields and J.J. Garcia-Luna-Aceves fclay, “KHIP—A Scalable
Protocol for Secure Multicast Routing,” Proc. ACM SIGCOMM,
1999.
[21] J. Snoeyink, S. Suri, and G. Varghese, “A Lower Bound for
Multicast Key Distribution,” Proc. IEEE Infocom, 2001.
[22] M. Steiner, G. Tsudik, and M. Waidner, “Diffie-Hellman Key
Distribution Extended to Group Communication,” Proc. Third
ACM Conf. Computer and Comm. Security, 1996.
[23] D. Wallner, E. Harder, and R. Agee, “Key Management for
Multicast: Issues and Architectures,” IETF, RFC 2627, June 1999.
[24] C.K. Wong, M. Gouda, and S.S. Lam, “Secure Group Commu-
nication Using Key Graphs,” IEEE/ACM Trans. Networking, vol. 8,
no. 1, pp. 16-30, Feb. 2000.
[25] Y.R. Yang, X.S. Li, X.R. Zhang, and S.S. Lam, “Reliable Group
Rekeying: A Performance Analysis,” Proc. ACM SIGCOMM, 2001.
Authorized licensed use limited to: Arulmigu Kalasalingam College of Engineering. Downloaded on February 5, 2010 at 23:16 from IEEE Xplore. Restrictions apply.