Key Establishment in Large Dynamic Groups Using One-Way Function Trees
May 2003 (vol. 29 no. 5)
pp. 444-458

Abstract—We present, implement, and analyze a new scalable centralized algorithm, called OFT, for establishing shared cryptographic keys in large, dynamically changing groups. Our algorithm is based on a novel application of one-way function trees. In comparison with the top-down logical key hierarchy (LKH) method of Wallner et al., our bottom-up algorithm approximately halves the number of bits that need to be broadcast to members in order to rekey after a member is added or evicted. The number of keys stored by group members, the number of keys broadcast to the group when new members are added or evicted, and the computational efforts of group members, are logarithmic in the number of group members. Among the hierarchical methods, OFT is the first to achieve an approximate halving in broadcast length, an idea on which subsequent algorithms have built. Our algorithm provides complete forward and backward security: Newly admitted group members cannot read previous messages, and evicted members cannot read future messages, even with collusion by arbitrarily many evicted members. In addition, and unlike LKH, our algorithm has the option of being member contributory in that members can be allowed to contribute entropy to the group key. Running on a Pentium II, our prototype has handled groups with up to 10 million members. This algorithm offers a new scalable method for establishing group session keys for secure large-group applications such as broadcast encryption, electronic conferences, multicast sessions, and military command and control.

[1] J. Alves-Foss, “An Efficient Secure Authenticated Group Key Exchange Algorithm for Large and Dynamic Groups,” Proc. 23rd Nat'l Information Systems Security Conf. (NISSC), pp. 254-266, Oct. 2000.
[2] Y. Amir, C. Danilov, and J. Stanton, “A Low Latency, Loss Tolerant Architecture and Protocol for Wide Area Group Communication,” Proc. Int'l Conf. Dependable Systems and Networks, June 2000.
[3] G. Ateniese, M. Steiner, and G. Tsudik, “Authentication Group Key Agreement and Friends,” Proc. Fifth Conf. Computer and Communications Security, pp. 17-26, 1998.
[4] D.M. Balenson, D.K. Branstad, D.A. McGrew, and A.T. Sherman, “Dynamic Cryptographic Context Management (DCCM): Report #1: Architecture and System Design,” TIS Report, 0709, TIS Labs at Network Associates, Inc., Glenwood, Md., June 1998.
[5] D.M. Balenson, D.A. McGrew, and A.T. Sherman, “Key Management for Large Dynamic Groups: One-Way Function Trees and Amortized Initialization,” Advanced Security Research J.—NAI Labs, vol. 1, no. 1, pp. 27-46, 1998.
[6] D.M. Balenson, D.A. McGrew, and A.T. Sherman, “Key Management for Large Dynamic Groups: One-Way Function Trees and Amortized Initialization,” Internet Draft (work in progress), Internet Engineering Task Force, draft-irtf-smug-groupkeymgmt-oft-00.txt, July 2000.
[7] A. Ballardie, “Scalable Multicast Key Distribution,” Request for Comments (RFC) 1949, Internet Eng. Task Force, May 1996.
[8] A. Ballardie, “Core Based Tree (CBT) Multicast Routing Architecture,” Request for Comments (RFC) 2201, Internet Eng. Task Force, Sept. 1997.
[9] M. Bellare and P. Rogaway, “Entity Authentication and Key Distribution,” Advances in Cryptology: Proc. Crypto 93, D.R. Stinson, ed., pp. 232-249, 1993.
[10] T. Berson, D. Dean, M. Franklin, R. Merkle, and J. Staddon, “Self-Healing Key Distribution with Applications to Secure Multicast,” Xerox PARC, manuscript, June 2001.
[11] C. Blundo, A.D. Santis, A. Herzberg, S. Kutten, U. Vaccaro, and M. Yung, “Perfectly-Secure Key Distribution for Dynamic Conferences,” Proc. Advances in Cryptology—Crypto '92, pp. 471-486, 1993.
[12] B. Briscoe, “MARKS: Zero Side Effect Multicast Key Management Using Arbitrarily Revealed Sequences,” BT Research, Ipswich, England, 1999.
[13] M. Burmester and Y. Desmedt, “A Secure and Efficient Conference Key Distribution System,” Advances in Cryptology: Proc. Eurocrypt 94, A. De Santis, ed., pp. 275-286, 1994.
[14] M. Burmester and Y.G. Desmedt, “Efficient and Secure Conference Key Distribution,” Secure Protocols, M. Lomas, ed., pp. 119-130, 1997.
[15] R. Canetti, J. Garay, G. Itkis, D. Micciancio, M. Naor, and B. Pinkas, “Multicast Security: A Taxonomy and Some Efficient Constructions,” Proc. INFOCOMM '99, Mar. 1999.
[16] R. Canetti, T. Malkin, and K. Nissim, “Efficient Communication-Storage Tradeoffs for Multicast Encryption,” Advances in Cryptology: Proc. Eurocrypt 99, Jacques Stern, ed., pp. 459-474, 1999.
[17] R. Canetti and B. Pinkas, “A Taxonomy of Multicast Security Issues,” Internet Draft (work in progress), draft-canetti-securemulticast-taxonomy-00.txt, Internet Engineering Task Force, May 1998.
[18] G. Caronni, M. Waldvogel, D. Sun, and B. Plattner, “Efficient Security for Large and Dynamic Multicast Groups,” Proc. Seventh Workshop Enabling Technologies (WET ICE 98), 1998.
[19] I. Chang, R. Engel, D. Kandlur, D. Pendarakis, and D. Saha, “Key Management for Secure Internet Multicast Using Boolean Function Minimization Techniques,” Proc. IEEE Infocom 99, 1999.
[20] B. Chor, A. Fiat, and M. Naor, “Tracing Traitors,” Advances in Cryptology, LNCS 839, Springer-Verlag, 1994, pp. 257-270.
[21] P. Dinsmore, D.M. Balenson, M. Meyman, P.S. Kruus, C.D. Scace, and A.T. Sherman, “Policy-Based Security Management for Large Dynamic Groups: An Overview of the DCCM Project,” Proc. DARPA Information Survivability Conf. and Exposition (DISCEX '00), pp. 64-73, Jan. 2000.
[22] A. Fiat and M. Naor, “Broadcast Encryption,” Advances in Cryptology, LNCS 773, Springer-Verlag, 1994, pp. 480-491.
[23] FIPS Publication 180-1, “Secure Hash Standard,” NIST, US Dept. of Commerce, Washington, D.C., Apr. 1995.
[24] P. Flajolet and A.M. Odlyzko, “Random Mapping Statistics,” Advances in Cryptology: Eurocrypt 89 Proc., J.J. Quisquater and J. Vandewalle, eds., pp. 329-354, 1989.
[25] A.T. Sherman, M. Harding, and D.A. McGrew, “A New Key-Management Algorithm for Large Dynamic Groups,” transparencies from talk given by Alan Sherman at US NSA, Nov. 1997.
[26] D. Harkins and D. Carrel, “The Internet Key Exchange (IKE),” Internet Draft (work in progress), draft-ietf-ipsec-isakmp-oakley-08.txt, Internet Eng. Task Force, June 1998.
[27] D. Harkins and N. Doraswamy, “A Secure, Scalable Multicast Key Management Protocol (MKMP),” Draft (work in progress), Cisco Systems and Bay Networks, Mar. 1998.
[28] H. Harney and E. Harder, “Multicast Security Management Protocol (MSMP): Requirements and Policy,” Draft (work in progress), draft-harney-sparta-msmp-sec-00.txt, SPARTA, Inc., Mar. 1999.
[29] H. Harney and E. Harder, “Logical Key Hierarchy Protocol,” Internet Draft (work in progress), draft-harney-sparta-lkhp-sec-00.txt, Internet Engineering Task Force, Mar. 1999.
[30] H. Harney and E. Harder, “Group Secure Association Key Management Protocol,” Draft (work in progress), draft-harney-sparta-gsakmp-sec-00, SPARTA, Inc., Apr. 1999.
[31] H. Harney, C. Muckenhirn, and T. Rivers, “Group Key Management Protocol (GKMP) Specification,” Request for Comments (RFC) 2093, Internet Eng. Task Force, July 1997.
[32] H. Harney, C. Muckenhirn, and T. Rivers, “Group Key Management Protocol (GKMP) Architecture,” Request for Comments (RFC) 2094, Internet Eng. Task Force, July 1997.
[33] S. Kent and R. Atkinson, “Security Architecture for the Internet Protocol (IPsec),” Request for Comments (RFC) 2401, Internet Eng. Task Force, Nov. 1998.
[34] Y. Kim, A. Perrig, and G. Tsudik, “Communication-Efficient Group Key Agreement,” Dept. of Information and Computer Science, Univ. of California, Irvine, 2001.
[35] Y. Kim, A. Perrig, and G. Tsudik, “Simple and Fault-Tolerant Key Agreement for Dynamic Collaborative Groups,” Proc. ACM Conf. Computer and Comm. Security, 2000.
[36] K. Kurosawa and Y. Desmedt, “Optimum Traitor Tracing and Asymmetric Schemes with Arbiter,” Draft (work in progress), Spring, 1998.
[37] J. Lotspiech, M. Naor, and D. Naor, “Subset-Difference Based Key Management for Secure Multicast,” Internet Draft (work in progress), draft-irtf-smug-subsetdifference-00.txt, Internet Research Task Force, July 2001.
[38] D.A. McGrew and A.T. Sherman, “Key Establishment in Large Dynamic Groups Using One-Way Function Trees,” TIS Report No. 0755, TIS Labs at Network Associates, Inc., Glenwood, Md., May 1998.
[39] A.J. Menezes, P.C. van Oorschot, and S.A. Vanstone, Handbook of Applied Cryptography, CRC Press, Boca Raton, Fla., 1996, pp. 543-590.
[40] R.C. Merkle, “Secrecy, Authentication, and Public-Key Cryptosystems,” Technical Report No. 1979-1, Information Systems Laboratory, Stanford Univ., Palo Alto, Calif., 1979.
[41] M.J. Moyer, J.R. Rao, and P. Rohatgi, “Maintaining Balanced Key Trees for Secure Multicast,” Internet Draft (work in progress), draft-irtf-smug-key-tree-balance-00.txt, Internet Eng. Task Force, June 1999.
[42] D. Naor, M. Naor, and J. Lotspiech, “Revocation and Tracing Schemes for Stateless Receivers,” Advances in Cryptology, LNCS 2139, Springer-Verlag, 2001, pp. 41-62.
[43] A. Perrig, D. Song, and J.D. Tygar, “ELK, a New Protocol for Efficient Large-Group Key Distribution,” Proc. IEEE Symp. Research in Security and Privacy, IEEE Press, 2001, pp. 247-262.
[44] R. Poovendran and J. Baras, “An Information Theoretic Approach for Design and Analysis of Rooted-Tree Based Multicast Key Management Schemes,” Advances in Cryptology: Crypto 99, M. Wiener, ed., pp. 624-638, 1999.
[45] S. Rafaeli, L. Mathy, and D. Hutchison, “LKH+2: An Improvement on the LKH+ Algorithm for Removal Operations,” Internet Draft (work in progress), draft-rafaeli-lkh2-00.txt, Internet Eng. Task Force, Jan. 2002.
[46] R.L. Rivest, “The MD5 Message-Digest Algorithm,” Request for Comments (RFC) 1321, 1992.
[47] O. Rodeh, K.P. Birman, and D. Dolev, “Using AVL Trees for Fault-Tolerant Group Key Management,” Int'l J. Information Security, vol. 1, no. 2, pp. 94-99, Feb. 2002.
[48] A. Selcuk, C. McCubbin, and D. Sidhu, “Probabilistic Optimization of LKH-Based Multicast Key Distribution Schemes,” Internet Draft (work in progress), draft-selcuk-probabilistic-lkh-00.txt, Internet Eng. Task Force, Jan. 2000.
[49] A. Selcuk and D. Sidhu, “Probabilistic Methods in Multicast Key Management,” Proc. Third Int'l Workshop Information Security (ISW 2000), Pieprzyk, Okamoto, and Seberry, eds., pp. 179-193, 2000.
[50] A.T. Sherman and D.A. McGrew, “Key Establishment in Large Dynamic Groups Using One-Way Function Trees,” NAI Labs Technical Report No. 02-017, NAI Labs at Network Associates, Inc., Rockville, Md., July 2002.
[51] A.T. Sherman, “A Proof of Security for the LKH and OFC Centralized Group Keying Algorithms,” NAI Labs Technical Report No. 02-043D, NAI Labs at Network Associates, Inc., Rockville, Md., Nov. 2002.
[52] A.T. Sherman, “A New Amortized Approach to Group Initialization: Refinements and Analysis,” TIS Report No. 0754, Trusted Information Systems, Inc., Glenwood, Md., Mar. 1998.
[53] J.N. Staddon, “A Combinatorial Study of Communication, Storage and Traceability in Broadcast Encryption Systems,” PhD Dissertation, Dept. of Math., Univ. of California, Berkeley, Sept. 1997.
[54] M. Steiner, G. Tsudik, and M. Waidner, “Diffie-Hellman Key Distribution Extended to Groups,” Third ACM Conf. Computer and Comm. Security, pp. 31–37, Mar. 1996.
[55] M. Steiner, G. Tsudik, and M. Waidner, “CLIQUES: A New Approach to Group Key Agreement,” IBM Research Report RZ 2984 (# 93030), Dec. 1997.
[56] V. Viswanathan, “Unconditionally Secure Dynamic Conference Key Distribution,” MS Thesis, Univ. of Wisconsin-Milwaukee, Dec. 1996.
[57] D.M. Wallner, E.J. Harder, and R.C. Agee, “Key Management for Multicast: Issues and Architectures,” Internet Draft (work in progress), draft-wallner-key-arch-01.txt, Internet Eng. Task Force, Sept. 1998.
[58] C.K. Wong, M.G. Gouda, and S.S. Lam, “Secure Group Communications Using Key Graphs,” Technical Report TR-97-23, Dept. of Computer Science, Univ. of Texas at Austin, July 1997.
[59] C.K. Wong, M.G. Gouda, and S.S. Lam, “Secure Group Communications Using Key Graphs,” Proc. ACM SIGCOMM '98 Conf. Applications, Technologies, Architectures, and Protocols for Computer Comm., pp. 68–79, 1998.
[60] R.Y. Yang, S. Li, X.B. Zhang, and S.S. Lam, “Reliable Group Keying: A Performance Analysis,” Proc. SIGCOMM 01, pp. 27-38, 2001.

Index Terms:
Broadcast encryption, conference keying, cryptography, cryptographic protocols, Dynamic Cryptographic Context Management (DCCM) Project, group keying, key agreement, key establishment, key management, logical key hierarchy (LKH), one-way functions, one-way function chain (OFC), one-way function tree (OFT), secure conferences, secure group applications.
Citation:
Alan T. Sherman, David A. McGrew, "Key Establishment in Large Dynamic Groups Using One-Way Function Trees," IEEE Transactions on Software Engineering, vol. 29, no. 5, pp. 444-458, May 2003, doi:10.1109/TSE.2003.1199073