Multiway Tree-Based Group Key Management Using Chinese Remainder Theorem for Multi-Privileged Group Communications

Transcription

1 Journal of Applied Science and Engineering, Vol. 17, No. 1, pp (2014) DOI: /jase Multiway Tree-Based Group Key Management Using Chinese Remainder Theorem for Multi-Privileged Group Communications Yang Xu 1, Wei Zhou 1,2 and Guo-Jun Wang 1 * 1 School of Information Science and Engineering, Central South University, Changsha , P.R. China 2 College of Information Science and Technology, Hunan Agriculture University, Changsha , P.R. China Abstract Key management becomes more difficult in multi-privileged communications due to the dynamic membership and the complex relations between users and resources. In this paper, we propose a novel key management scheme in which the key graph is based on multiway trees. Chinese remainder theorem is employed to combine some encrypted rekeying materials into a short message for rekeying. As a result, users can update affected keys through the rekeying material and one-way function by themselves. The security analysis shows forward and backward security can be maintained. Compared with some existing schemes, our proposed scheme can reduce rekeying overhead efficiently. Key Words: Multi-Privileged Group Communications, Key Management, Chinese Remainder Theorem, Multiway Tree 1. Introduction With the rapid growth of internet, multicast technology is widely used in group-oriented applications such as video conferencing, pay-per-view channels, and distance learning. At the same time, the security issue of group communications based on multicast has become increasingly prominent. Secure group communications require to provide backward security so that the new joining user is unable to decrypt the previous communication data correctly in the new joining group, as well as to provide forward security [1] so that the leaving user is no longer able to decrypt the future communication data correctly in the departed group. At present, group key management has become one of the most efficient ways to achieve secure group communications. *Corresponding author. csgjwang@csu.edu.cn In traditional group communications, group key management is comparatively simple because data resources are encrypted by the same Session Key (SK) [2] which is shared by all legitimate users. The SK only needs to be updated when users join or leave the group in order to meet security requirements. When it comes to multi-privileged group communications, it becomes crucial and complicated because each user can have access privilege to multiple data resources while each data resource can be accessed by multiple users. In general, Data Group () is defined as a set of users who can access a specific data resource while Service Group (SG) is defined as a set of users who can access exactly the same set of data resources. As data resources are encrypted by separate SKs and users are provided with different SKs according to their privileges, group key management should not only ensure that no users can access the data beyond their privileges but also be flexible enough to accommodate users re-

2 82 Yang Xu et al. quirements of joining/leaving and switching between different SGs. In this paper, we propose a novel group key management scheme for multi-privileged group communications. The proposed scheme introduces multiway trees to construct SG-subtrees of the key graph, which reduces the storage cost significantly. And a multi-dimensional ID is assigned for every key node, so that users can deduce the relationship between keys by the ID and locate the affected keys by themselves efficiently. To decrease the rekeying cost of leaving/switching process, a rekeying material is encrypted into different ciphertexts. And all the ciphertexts are compressed into a composite message through the use of Chinese Remainder Theorem (CRT) and multicast to the users by the Key Distribution Center (KDC). As a result, the related users can update the affected keys through previous keys and a rekeying material by using a one-way function when membership changes dynamically. The rest of the paper is organized as follows. In the next section, we introduce some existing key management schemes for group communications. In section 3, we propose a novel rekeying scheme. Section 4 gives the theoretical analysis on the proposed scheme in terms of security and performance. Finally, we draw some conclusions in section Related Work In conventional group communication scheme, all members in a group have the same level of access privileges. Many approaches have been proposed for scalable group rekeying. The Logical Key Hierarchy (LKH) [3] is a basic method in centralized environment. It employs a hierarchical structure, called key tree, whose root node is associated with a group key and whose leaf nodes are individual keys of all users in the group. The intermediate nodes correspond to Key Encryption Keys (KEKs) and KEK is an auxiliary key for encrypting other keys (such as group keys) while rekeying. Each user in the group holds a set of keys on the path from his leaf to the root. The introduction of tree hierarchy makes the rekeying overhead of SKs decrease from O(n) to O(log(n)) where n denotes the group size. Subsequently, the variants of LKH are widely used to improve the efficiency of rekeying. To further reduce the rekeying overhead, Song et al. [4] proposes a Scalable Group Key Management Protocol (SGKMP) based on Secure Lock [5], in which new keys are encrypted and combined into one composite rekeying message by CRT before distribution. To achieve the synchronization of rekeying in key tree, a key management scheme based on LKH is presented in [6]. When rekeying, the KDC broadcasts random numbers instead of new keys to users which enable the related users to update the affected keys through previous keys and random numbers by using secure hash function [7]. Therefore, the rekeying efficiency is improved in the situation when users leave the group. However, the proposed scheme applies only to the balanced binary key tree. When the users have different access privileges with the usage of multiple data resources, multi-privileged groups come into existence, which brings new challenges to key management. Since users can access different data resources and switch between SGs, some existing key management schemes in traditional group communications cannot be extended simply for multi-privileged groups. As a result, many solutions [8 14] are proposed based on key trees for multi-privileged communications. The integrated key graph is one of the popular group key management schemes in access control mechanisms. Sun et al. [8] develops a Multi-Group Key Management Scheme (MGKMS) that employs an integrated key graph to manage the keys when membership changes. The integrated key graph is constructed in three steps. Firstly, a binary subtree is constructed for each SG whose leaves are group members in this SG, and whose root is the group key of this SG. Then, a subtree is constructed for each. The leaf nodes are the group keys related to which SGs have the access to this, and the root node is the session key of this. Finally, KDC generates the integrated key graph by connecting the leaves of the -subtrees and the roots of the SG-subtrees. The introduction of integrated key graph removes key redundancies existing in the independent group key schemes, which benefits to reduce the rekeying overhead. However, the introduction of integrated key graph also extends the scope of key sharing among users, which adds seriously to the one affects many problem. Based on the integrated key graph, we have proposed an ID-based

3 Multiway Tree-Based Group Key Management Using Chinese Remainder Theorem for Multi-Privileged Group Communications 83 Hierarchical Key Graph Scheme (IDHKGS) in [9], which uses a derivation technique based on the key identification to allow the users to compute the keys by themselves, making the KDC only need to multicast some IDs and the keys that users cannot deduce by themselves. To reduce the number of multicasts/unicasts due to node splitting, Non-Split Balancing Higher Order (NSBHO) Tree approach [10] does not need node splitting by using a structure of 2-3 tree and hence reduces the rekeying cost. Not like the above solutions in centralized scenario, the integrated key graph is extended to the key management for decentralized contributory environment in [11]. To alleviate the problems of rekeying after a single user join/leave, batch rekeying for multi-privileged group is proposed in [12]. A variation of batch rekeying scheme called Balanced Key Tree Management for Multi-privileged Groups (BKTMG) is introduced by using min (N, T) policy so that when the number of joining/leaving users reaches the threshold, the users need not wait before the rekey interval is reached. However, this scheme fails to guarantee the forward security strictly. Such solutions are not designed to support dynamic formation and decomposition of groups. The Dynamic Access Control for Multi-privileged Group Communications Scheme (DACMGS) [13] and Multimedia Multi-session Key Management Scheme (MM-MSKMS) [14] define a key management graph formed by different key trees, which allows the dynamic formation of SGs and decreases the complexity related with the integrated key graph construction. In Key Tables-based key management scheme for Linear Hierarchies (KTLH) [15], in addition to the rekeying operation to ensure forward/backward security, the upward/downward security is also provided in the situation when the user promotes to a higher SG or degrades to a lower SG. However, due to the structure of key graph and the way of rekeying, most of the aforementioned schemes are costly in storage and have bad performance especially in users leaving/switching process. To overcome these shortcomings, we propose a novel multi-privileged group key management scheme whose major contributions lie in the usage of multiway trees into the key graph, and the utilization of CRT to compress encrypted rekeying materials for key deduction. The former reduces the key storage, and the latter allows users to update affected keys through rekeying material and oneway function by themselves so that bring down the rekeying cost significantly. Table 1 summarizes a simple comparison showing the difference between some existing works and the proposed scheme by comparing some major parameters between them. 3. Our Proposed Scheme We propose a multiway tree-based group key management using Chinese Remainder Theorem for multiprivileged group communications. Table 1. Comparison between the existing works and the proposed scheme Name Environment Key graph Rekeying strategy Major rekeying technique LKH Single-privileged Binary tree Individual rekeying All the keys distributed SGKMP Single-privileged Binary tree Individual rekeying CRT-compressed keys distributed MGKMS Multi-privileged Binary tree Individual rekeying Part of the keys distributed, the other keys deduced IDHKGS Multi-privileged Binary tree Individual rekeying Part of the keys distributed, the other keys deduced NSBHO Multi-privileged 2-3 tree Individual rekeying Part of the keys distributed, the other keys deduced BKTMG Multi-privileged Binary tree Batch rekeying A secret distributed for key deduction DACMGS Multi-privileged Binary tree Individual rekeying Part of the keys distributed, the other keys deduced MM-MSKMS Multi-privileged Binary tree Individual rekeying Part of the keys distributed, the other keys deduced Proposed scheme Multi-privileged Multiway tree Individual rekeying A CRT-compressed rekeying material distributed for key deduction

4 84 Yang Xu et al. 3.1 System Description Our proposed scheme is a centralized key management scheme. It depends on a centralized server, referred to as the KDC, which generates, distributes and manages keys. The proposed scheme employs one integrated key graph accommodating key materials for all users. The key graph contains two parts, the SG subtrees and the subgraph. The logical relationship of and SG is inherited from MGKMS [8] but the structure of them are changed. The SG subtrees are based on multiway trees, while the subgraph is constructed by binary trees according to the partial-ordered of SKs between SGs to store all SK nodes and the nodes between the root nodes of SG subtrees(but not involved in the subgraph) and the SK nodes in the key graph. In the key graph, each node is associated with a key. Each SK node is associated with the session key which encrypts the resource data. Each leaf node of SG subtrees is called user node, which is associated with a user s private key. The intermediate nodes are virtual nodes, which are not actual entities. They are associated with KEKs. For ease of description, the keys in SG subtrees are called SG keys. Similarly, the keys in subgraph are called keys. Seen from Figure 1, each user holds a set of keys in the path from his user node (i.e. leaf node of SG subtrees) to the SK nodes related to required resources. For example, user u 18 has node (3,12), node (3,3), node (3,0), node (3,12), node (15,5), node (15,-1), node (30,15) and node (30,-1). Since the SKs and KEKs are shared by several users, those keys should be updated to achieve secure communications due to the change of membership. To locate key nodes quickly, an ID is assigned to every node on the key graph. Like the identifications which we previously proposed in IDHKGS, the SGs are denoted by SG 2, SG 3, SG 5,..., SG i where i is a prime number. KDC assigns two integers as the ID of each node. In each SG-subtrees, a node is identified by (i, m), where i is the index of the SG i to which the node belongs and m (m 0) is the position which is numbered from the root of its SG-subtree in a top-down and left-right order. The node (i,0) is the root of the SG i subtree. We observe that IDs of a pair parent-child nodes have the following simple relationship: node (i, (m 1)/d ) is the parent node of node (i,m). Here d is the degree of the SG multiway subtree. In the subgraph, if a node has two children nodes (x 1, y 1 ) and (x 2,y 2 ), the node is identified by (lcm (x 1,x 2 ), max (x 1,x 2 )). If a node only has one child node (x 1,y 1 ), such as the SK node, it is identified by (x 1,-1). For example, seen from Figure 1, in the SG 3 subtree, the key node (3,0) is the root of SG 3, while its children nodes from left to right are node (3,1), node (3,2) and node (3,3). In addition, the node (3,12) is the child node of node (3, (12 1)/3 ), i.e. node (3,3). When it comes to subgraph, node (3,0) and node (5,0) identify their father node (lcm (3,5), max (3,5)), i.e. node (15,0), while the SK node (30,-1) is identified by its only child node (30,15). Unlike IDHKGS, a large prime modulus p id is maintained additionally in each SG node, which is selected randomly by KDC and can be public. Again, we take Figure 1 as example, node (3,0) of SG 3 also maintains a large prime modulus p (3,0). Note the value (not size) of modulus p id should be larger than that of an encrypted rekeying material i.e., p id > E kid (R)wherep id and k id belongtothesamenodeande kid (R) denotes the ciphertext of R encrypted by k id. Every pair of these moduli must be coprime. Consequently, each user also holds the moduli of the nodes in the path from his user node to the root of his SG-subtree. Figure 1 illustrates the IDs and moduli of nodes in multiway tree-based key graph, where d =3. By knowing the ID of joining/leaving/switching user, the rest users can deduce which shared keys should be updated, according to the prime factor of i and the fact that k (i, (m 1)/d ) is the parent node of k (i,m). In Figure 1, given the ID (3,12) of u 18 s node, others can deduce that Figure 1. Multiway tree-based key graph (e.g., d = 3).

5 Multiway Tree-Based Group Key Management Using Chinese Remainder Theorem for Multi-Privileged Group Communications 85 user u 18 holds k (3,3), k (3,0), k (15,5), k (15,-1), k (30,15), k (30,-1) (i.e. the keys associated with the red nodes in Figure 1). 3.2 Rekeying Algorithm Joining Operation When a user joins SG j, the keys in the path from the newly joining node to the accessible SK nodes (called the joining path) should be updated. The KDC will create a user node and insert it as a leaf at the end of one of the shortest paths in order to keep the tree as balanced as possible. If the SG j subtree is full, the KDC moves the user node which is in the leftmost position m 2 of leaves to the lower level and creates an intermediate KEK node at the original position. The new KEK node inherits the ID and modulus of the moved user node and becomes the parent node of the moved node and the newly inserted node. The private key associated with the moved user node maintains unchanged. Then, the KDC assigns an ID (j,m 1 ) and a modulus p (j,m1) to the newly inserted node, and broadcasts the ID (j,m 1 ) J of the newly inserted node, ID (j,m 2 ) M of the moved node, and a new modulus p (j,m1 1) for the moved node. When receiving the broadcast message, all the affected users can infer the shared keys from ID (j,m 1 ) J. The shared keys are in the set of {k (x, y) x = j, y { (m 1 1)/d, ( (m 1 1)/d 1)/d,, 0}} {k (x, y) x j, x/j = 0}. The new keys are deduced by using a one-way function from the previous keys as k = f (k) (where k denotes the updated version of key k). If a user finds the ID (j,m 2 ) M broadcast by the KDC is equal to that of his user node, he learns that his user node has been moved into a lower level. So, he deduces the new ID as (j,m 1 1) and the parent KEK as k (j,m2) = f (k (j,0) k (j,m1 1) ), and meanwhile associates the modulus p (j,m1 1) to his user node(j,m 1 1). Finally, the KDC employs the same one-way function to compute the new keys, and unicasts these keys, IDs and moduli in a secure channel to the newly joining user. For simplicity, the major joining operations are extracted and described in a formal way in Figure 2. For example, when user u 28 joins the full subtree SG 2, KDC moves u 1 s user node (2,4) to the lower hierarchy and creates a new KEK node at that position to inherits the ID (2,4) and modulus p (2,4). Then, the KDC creates a new user node for u 28, assigns the node an ID (2,14) and a modulus p (2,14), and inserts it as the child of the new KEK node (2,4). Next, the KDC broadcasts ID (2,14) J, (2,4) M and module p (2,13). Through ID (2,14) J, the affected users can infer k (2,4), k (2,1), k (2,0) in SG 2 subtree and k (30,15), k (30,-1) in subgraph need to be updated. So, u 10 -u 27 compute: k (30,15) = f (k (30,15) ), k (30,-1) = f (k (30,-1) ); u 4 -u 9 compute: k (30,15) = f (k (30,15) ), k (30,-1) = f (k (30,-1) ), k (2,0) = f (k (2,0) ); u 1 -u 3 compute: k (30,15) = f (k (30,15) ), k (30,-1) = f (k (30,-1) ), k (2,0) = f (k (2,0) ), k (2,1) = f (k (2,1) ); moreover, by ID (2,4) M, u 1 also learns that his user node has been moved into a lower level. So, he deduces the new ID as (2,13) and the parent KEK as k (2, 4) = f (k (2,0) k (2,13) ), and meanwhile associates the modulus p (2,13) to his user node. Finally, the KDC employs the same one-way function to compute the new keys, and unicasts k (30,15), k (30,-1), k (2,0), k (2,1), k (2,4), p (2,0), p (2,1) and p (2,4) to u 28 in a secure channel Leaving Operation We define the path from the leaving node to the accessible SK nodes as the leaving path. When a user requests to leave SG i, all the keys the user holds must be updated. KDC broadcasts the ID (i,n) L of leaving user node. So, the affected users can deduce which keys should be updated based on the ID (i,n) L. Firstly, KDC generates a secret rekeying material R and encrypts R respectively with the keys associated to the sibling nodes of the nodes in the path from the leaving node to the root of SG i subtree, and the root nodes of the remaining SG Figure 2. The process of joining operation.

6 86 Yang Xu et al. subtrees except SG i. Let D i denote the set of the ID of these nodes. Then KDC utilizes CRT to compute a composite message M. The CRT is briefly introduced as follows: Let p 1, p 2,,p n be n positive integers where they are pairwise coprime (i.e. gcd (p a,p b ) = 1 for a b,1 a, b n). Let Y 1, Y 2,,Y n be any positive integers, and P = p 1 p 2 p n. Then the set of linear congruous equations X Y 1 mod p 1, X Y 2 mod p 2,,X Y n mod p n have a unique solution as: X Y a P a Q a mod P where P a = P p a and Q a =(P a mod p a ) -1. By CRT, the KDC gets M = id Di [E kid (R) P p id ( P p id mod p id ) -1 mod P] and multicasts it. When receiving M, the affected users can update the shared keys. If the user also belongs to SG i, he can find out the key k (i,min(n)) whose first item of the ID is equal to i and second item is the minimum value from the key set which he holds and do not need to be updated. Then E kid (R) can be computed as E kid (R) M mod p id,wherep id is the corresponding modulus of the node whose ID is (i,min(n)). Thus, the user can decrypt the rekeying material R by knowing k id. If the user does not belong to SG i, he can compute E k( w, 0 ) (R) as E k( w, 0 ) (R) M mod p (w,0),wherep (w,0) is the corresponding modulus of the root node of the SG subtree to which he belongs. He can further achieve R by knowing k (w,0). As a result, the affected users can compute the new keys as k =f(k R). Similarly, KDC also computes the new keys by the same way. For simplicity, the major leaving operations are extracted and described in a formal way in Figure 3. We take the leave operation of user u 18 for example. KDC removes the node of u 18 and broadcasts its ID (3,12) L. For the SG subtree, the affected users deduce that k (3,3), k (3,0) in SG 3 subtree and k (15,5), k (30,15), k (15,-1), k (30,-1) in the subgraph should be updated (i.e. the keys associated with the red nodes in Figure 1). KDC randomly selects a rekeying material R and encrypts R with k (3,10), k (3,11), k (3,1), k (3,2), k (2,0) and k (5,0) (i.e. the keys associated with the yellow nodes in Figure 1) respectively. Then it employs CRT to compress E kid (R) into a short message M. We define C (*) as E k(*) (R) P ( P p (*) p (*) mod p (*) ) mod P, therefore, M = C (3,10) + C (3,11) + C (3,1) + C (3,2) + C (2,0) + C (5,0) ; P = p (3,10) p (3,11) p (3,1) p (3,2) p (2,0) p (5,0). After the computation of M, KDC multicasts the message M to the remaining users. The affected users can decrypt R using the related keys and update their affected keys by F (*), where F (*) is defined as: f (k (*) R). In addition, D kid (c) denotes the operation of decrypting ciphertext c using k id. u 16 computes: R = D k(3,10) (M mod p (3,10) ); k (3,3) = F (3,3) ; k (3,0) = F (3,0) ; k (15,5) = F (15,5) ; k (15,-1) = F (15,-1) ; k (30,15) = F (30,15) ; k (30,-1) = F (30,-1). u 17 computes: R = D k(3,11) (M mod p (3,11) ); k (3,3) = F (3,3) ; k (3,0) = F (3,0) ; k (15,5) = F (15,5) ; k (15,-1) = F (15,-1) ; k (30,15) = F (30,15) ; k (30,-1) = F (30,-1). u compute: R = D k(3,1) (M mod p (3,1) ); k (3,0) = F (3,0) ; k (15,5) = F (15,5) ; k (15,-1) = F (15,-1) ; k (30,15) = F (30,15) ; k (30,-1) = F (30,-1). u compute: R = D k(3,2) (M mod p (3,2) ); k (3,0) = F (3,0) ; k (15,5) = F (15,5) ; k (15,-1) = F (15,-1) ; k (30,15) = F (30,15) ; k (30,-1) = F (30,-1). u 1-9 compute: R = D k(2,0) (M mod p (2,0) ); k (30,15) = F (30,15) ; k (30,-1) = F (30,-1). Figure 3. The process of leaving operation.

7 Multiway Tree-Based Group Key Management Using Chinese Remainder Theorem for Multi-Privileged Group Communications 87 u compute: R = D k(5,0) (M mod p (5,0) ); k (15,5) = F (15,5) ; k (15,-1) = F (15,-1) ; k (30,15) = F (30,15) ; k (30,-1) = F (30,-1). On the side of KDC, the new keys can also be updated. k (3,3) = F (3,3) ; k (3,0) = F (3,0) ; k (15,5) = F (15,5) ; k (15,-1) = F (15,-1) ; k (30,15) = F (30,15) ; k (30,-1) = F (30,-1). Thus, KDC does not need to send any messages including encrypted keys any more. The users can compute the affected keys by themselves Switching Operation User s switching process from SG i to SG j can be considered as that the user first leaves SG i and then joins SG j. The switching rekey can be considered as the superposition of one leaving rekey and one joining rekey. Notice that the shared keys in the subgraph between SG i and SG j, whose first item of ID can be divided by the value of i j, should not be updated because the access privileges of the related resources have not been changed. For example, user u 18 switches from SG 3 to SG 2, when leaving rekey and joining rekey are executed in sequence, k (30,15) and k (30,-1) should not be updated due to their first item of ID can be divided by 6. Given the aforementioned examples of joining/leaving and the space limitations, we only illustrate the rekeying algorithm for switching on user s side in Figure 4. Property 2. The function f is one-way; given f (x), it is computationally infeasible to find x with any nonnegligible probability. This property makes it impossible to find a key k given the key k = f (k). In practical, SHA-256 can be a one-way function candidate. It is designed by the U.S. NSA and published as a U.S. Federal Information Processing Standard. These properties are necessary for the security of the system. 4. Theoretical Analysis 4.1 Security Analysis In this section, we provide an analysis on the security in the respects of backward/forward security. Firstly, we define two important properties of the functions f and E. Property 1. The encryption function E is secure against ciphertext-only attacks. Given a set of ciphertexts c 1, c 2,... c m, where c i =E k (p i ) is the encryption of an unknown plaintext p i with an unknown key k, it is computationally infeasible to find any information about any plaintext with non-negligible probability. This property prevents an attacker from discovering keys by decrypting the ciphertexts that are broadcast to the group. For practical use, the Advanced Encryption Standard (AES) which is widely used in the world can be a good candidate and its security is accepted by the U.S. National Security Agency (NSA). Figure 4. Rekeying algorithm for switching on user s side.

8 88 Yang Xu et al Backward Security When a new user joins or switches into a service group, the new keys in the joining path will be deduced from the previous keys by using a one-way function as k = f (k). Because the one-way function f is computationally irreversible due to the Property 2, it is infeasible for the newly joining malicious user to compute the previous keys k from the new keys k he holds. In this way, backward security is maintained Forward Security When a user leaves or switches from a service group, the new keys in the leaving path will be deduced from the previous key by using one-way function and rekeying materials as k = f (k R). Although the malicious user holds the previous key k and the one-way function f,heis still unable to get the new k without the rekeying material R due to the Property 2. Because the keys which encrypt R into E kid (R)s are unknown to the malicious user, it is impossible for him to get R without the corresponding keys due to the Property 1. For switching process, our scheme follows a procedure strictly that leaving operation is prior to joining operation for KDC so as to prevent switched users from getting rekeying material R. Thus forward secrecy is maintained. In conclusion, our scheme provides sufficient security and ensures that malicious users cannot decrypt any messages. 4.2 Performance Analysis The overhead of storage, computation and communication are the main concerning metrics to evaluate the performance of key management schemes. Therefore, in this section, we analyze the performance of the proposed scheme, and mainly compare the storage and communication overhead of our scheme with those of some existing schemes. Here, we choose MGKMS and IDHKGS as the comparisons. For MGKMS, it is one of the most typical schemes for multi-privileged communications which first utilizes the partial order between SKs of different SGs to combine them into an integrated key graph, while IDHKGS is a successful improvement of MGKMS proposed by us. The proposed scheme inherits the integrated key graph of MGKMS conceptually and introduces IDs for key nodes like IDHKGS. Thus, the comparison of these three schemes which share the similar key graph and node structure will be more targeted and will show our improvements much clearly Storage Overhead In our key graph, we define N k as the total number of keys. N k only depends on the redundancy of data resources between SGs and is independent of users number. The proposed scheme adopts the same structure with MGKMS and IDHKGS to organize the keys, so all three schemes have the same storage overhead of keys. When it comes to SG subtrees, we take advantage of multiway tree to cut down the height of SG subtree so as to reduce the keys stored by both KDC and users. Let N SG denote the number of SGs and n i denote users number of SG i. Compared with the existing binary tree schemes, our scheme reduces the height of subtree SG i from 1 + log 2 n i to 1 + log d n i which reduces the number of keys significantly. Therefore, the total number of keys in SG i is n i + n i 1 d 1. As the KDC holds N k keys and maintains N SG SG subtrees, the total number of keys stored by the KDC is determined by: N k + N SG i Di ni 1 ( ni ) d 1, where D i denotes the ID set of the sibling nodes of the nodes in the path from the leaving node to the root of SG i subtree, and the root nodes of the remaining SG subtrees except SG i. Each user in SG i has to store the keys in the path from his individual key to SKs related with the resources which he can access. In the worst case, a user will keep 1 + log d n i SG keys and N keys where N denotes the number of keys owned by a user. Thus, the total number of the keys stored by user is determined by: N = N +1+ log d n i. Moreover, in the proposed scheme, KDC and users need to maintain an additional modulus p for every SG key which creates a little more storage cost. Table 2 summarizes our comparisons, focusing on the storage overhead of KDC, and the storage overhead of users in the worst case. We define that L k and L p are the sizes of a key, and of a big prime number, respectively. From the analysis, we conclude that our scheme has advantage on users storage overhead when log 2 d L p + 1, and has superior- Lk

9 Multiway Tree-Based Group Key Management Using Chinese Remainder Theorem for Multi-Privileged Group Communications 89 Table 2. Performance comparison for storage overhead MGKMS IDHKGS Proposed scheme N KDC L k ( N k + sc N (2ni 1) ) L k ( N k + sc (2ni 1) ) L k User iedi L k ( N + log 2 n i +1) L k ( N + log 2 n i +1) L k iedi N k Nsc nt 1 + (L k +L p ) ( ni ) iedi d 1 + (L k +L p ) (1 + log d n i ) N ity in KDC s storage overhead when d L L k p +1. Lk Lp Therefore, we can observe that the storage cost can be reduced due to the decrease of key number contributed by multiway tree Communication Overhead The communication overhead is mainly determined by the number of messages transmitted by KDC while rekeying. Therefore, we estimate the number of messages involved in the different rekeying processes (joining/leaving/switching) to determine the communication overhead. Table 3 summarizes our comparisons, according to unicast and multicast cost of KDC. When a user joins an SG, the KDC will encrypt all the keys in the joining path and unicasts the ciphertext to him. So, in our scheme, the number of encrypted keys unicast by the KDC is N + log d n i, while it is N + log 2 n i + 1 for MGKMS and N + log 2 n i for IDHKGS, where N denotes number of keys which the joining user will hold. In addition, our scheme will unicast log d n i moduli associated with SG keys in the joining path. After a joining operation, in all the three schemes, the KDC does not need to multicast any rekeying message because the affected users can deduce the new keys through one-way function by themselves. So the multicast cost is 0. When a user leaves an SG, KDC will multicast several messages to rekey in all the three schemes. MGKMS multicasts 2( log 2 n i + N 1) messages with the encrypted keys in the leaving path to the users while IDHKGS roughly halves the multicast length over MGKMS. However, IDHKGS still needs to multicast several encrypted keys that cannot be deduced by the users. In our scheme, KDC encrypts rekeying material R used for rekeying by several different keys associated with the sibling nodes of the nodes in the path from the leaving node to the root of SG subtree, and the root nodes of the remaining SG subtrees to get corresponding E kid (R)s. We utilize CRT to compress several E kid (R)s into one short message M id Di [E kid (R) P p id ( P p id mod p id ) -1 mod P]. KDC multicasts only one message M instead of several encrypted new keys. Obviously, the size of the product of several values is less than or equal to the size of the direct sum of them. Because p id has the same size with E kid (R), the size of P = Table 3. Performance comparison for communication overhead of KDC MGKMS IDHKGS Proposed scheme Join Unicast L Ek ( N + log 2 n i +1) (L Ek ( N + log 2 n i ) L Ek N + log d n i (L Ek + L p ) Multicast Leave Unicast Multicast L Ek 2( N + log 2 n i 1) L Ek ( N + log 2 n i 1) L ER (N SG 1+(d 1) log d n i ) Switch Unicast L Ek ( N N KS + log 2 n i +1) L Ek ( N N KS + log 2 n i ) L Ek ( N N KS ) + log d n i (L Ek + L p ) Multicast L Ek 2( N N KS L Ek ( N N KS L ER (N SG 1+(d 1) + log 2 n i 1) + log 2 n i 1) log d n i )

10 90 Yang Xu et al. p id is less than or equal to that of the direct sum of E kid (R)s. Therefore, we can draw a conclusion that the size of M is no larger than P with the maximum size L ER (N SG 1+(d 1) log d n i ) in the worst case. L ER denotes the size of encrypted R which can be smaller than that of an encrypted key L Ek.Iftake2ford, itisobviously that the total size of multicast message in our scheme is absolutely smaller than those of both MGKMS and IDHKGS. Therefore, our scheme achieves the goal of reducing the multicast cost of KDC successfully. For the user s leaving process, only the remaining users are involved, the KDC does not need to unicast any messages. Because the switching rekey can be considered as the superposition of one leaving rekey and one joining rekey, the communication cost of switching rekey can be roughly viewed as the sum of that of these two processes. Since some shared keys need not to be updated, they bring no communication cost to the switching process. Let N KS denote the number of keys which the switching user has both in SG i and SG j when he switches from SG i to SG j. In our scheme, the multicast cost of leaving and switching processes are equivalent regardless of N KS because the size of M is only in proportion to the number and height of SGs Computation Overhead The analysis process on computation overhead can be considered to be broadly similar to that of communication overhead. We define that C r, C E, C X, C f, C M and C CRT are the computation cost of generating one key, of an encryption or decryption algorithm, of an exclusiveor operation, of the one-way function f, of a modular operation, and of computing the expression C( * )bycrt, respectively. Among them, C r and C f are the largest, followed by C E and C CRT, and C X and C M. In addition, let N jk and N lk denote the number of keys in the joining and leaving path respectively. Table 4 gives a comparison on our scheme with the MGKMS and IDHKGS in the aspect of computation overhead of KDC in the worst case. It can be seen from Table 4 that our scheme reduces the computation overhead of the user s joining process for both KDC and users with the benefit of multiway trees. But, unfortunately, it inevitably adds some extra computation cost for the user s leaving process on the side of KDC. This is mainly due to the introduction of CRT with the computational complexity of O(log n log n). Therefore, the computation overhead in our scheme increases slightly compared with that of MGKMS and IDHKGS. 5. Conclusions This paper presents a multiway tree based group key management scheme using CRT for multi-privileged group communications. The proposed scheme employs multiway trees to construct SG-subtrees in the key graph in order to reduce the height of key tree. The KDC in our scheme distributes encrypted rekeying materials instead of encrypted new keys, and compresses them into a smaller message by using CRT for the leaving and switching process, which enables the affected users to Table 4. Performance comparison for computation overhead of KDC MGKMS IDHKGS Proposed scheme Join 2C r + C E +(C E + C f ) C r + C f +(C E + C f ) C r +(C E + C f ) ( ( N jk + log 2 n j ) ( log 2 n j + N jk ) + log d n j +1) Leave (C r +2C E ) ( log 2 n l + Switch 2C r +(C E + C f ) ( log 2 n j + N KS )+(C r +2C E ) ( log 2 n l + N N KS ) lk N jk N lk ) C E (C f + C X + C E ) ( N lk (C f + C X ) ( N lk + log d n l ) + log 2 n l ) C E +((d 1) log d n l +(N SG 1)) (C E + C CRT ) N jk C r + C f +(C E + C f ) ( log 2 n j + N jk N KS ) +(C f + C X + C E ) ( N N KS lk + log 2 n l ) C E C r +(C E + C f ) ( N jk N KS + log d n j +1)+(C f + C X ) ( N N KS + log d n l ) lk +((d 1) log d n l +(N SG 1)) (C E + C CRT )

11 Multiway Tree-Based Group Key Management Using Chinese Remainder Theorem for Multi-Privileged Group Communications 91 deduce new keys through the one-way function and the rekeying material by themselves. The theoretical analysis indicates that the proposed scheme has good performance on communication overhead compared with the existing MGKMS and IDHKGS. Simultaneously, forward and backward security can be maintained. In the real world, the proposed scheme can be used in group-oriented applications especially the multimedia ones which contain multilayer data streams and the members have different access privileges, such as video on demand, distance learning and pay-tv. For example, pay- TV distributes contents in multilayer coding format, such as standard-definition format, high-definition format, and ultra-clear format. These data streams are encrypted by different SKs and can be accessed by the users belong to the SGs with the corresponding SKs. As for the key graph giveninsection3,usersofsg 2 can only receive the contents with the standard-definition format, while users of SG 5 can access to all the three kinds above. Since the proposed scheme is a centralized scheme with the individual rekeying strategy and it may need to encrypt and compress rekeying material frequently, it requires a centralized KDC which can communicate with all the users in time and has some ability of computation. So, the proposed scheme will be unsuitable for a distributed environment, which cannot deploy a centralized manager with certain computing power and may not work well in the network with a high delay. Moreover, the proposed scheme cannot reconstruct the subgraph currently so that it does not support dynamic formation and decomposition of service groups. Therefore, our future work is to propose solutions for the dynamic formation and decomposition of service groups. Acknowledgements This work is supported by the National Natural Science Foundation of China under grant numbers and , and the Ministry of Education Fund for Doctoral Disciplines in Higher Education under Grant Number References [1] Rafaeli, S. and Hutchison, D., A Survey of Key Management for Secure Group Communication, ACM Computing Surveys, Vol. 3, No. 35, pp (2003). doi: / [2] Trappe, W., Song, J. H., Poovendran, R. and Liu, J. K. R., Key Distribution for Secure Multimedia Multicasts via Data Embedding, 2001 IEEE International Conference on Acoustics, Speech, and Signal Processing Proceedings (ICASSP 01), Vol. 3, pp (2001). doi: /ICASSP [3] Wong, C. K., Gouda, M. G. and Lam, S. S., Secure Group Communications Using Key Graphs, IEEE/ ACM Transactions on Networking, Vol. 8, No. 1, pp (2000). doi: / [4] Song, R. G., Korba, L. W. and Yee, G. O. M., A Scalable Group Key Management Protocol, Journal of IEEE Communications Letters, Vol. 12, No. 7, pp (2008). doi: /LCOMM [5] Chiou, G. H. and Chen, W. T., Secure Broadcasting Using the Secure Lock, IEEE Transactions on Software engineering, Vol. 15, No. 8, pp (1989). doi: / [6] Xu, J. Z., Dong, Y. X. and Liang, K. H., Efficient Key Management Scheme for Dynamic Multicast Groups, Application Research of Computers, Vol. 27, No. 3, pp (2010). [7] Balenson, D. M., McGrew, D. A. and Sherman, A. T., Key Management for Large Dynamic Groups: One Way Function Trees and Amortized Initialization, Advanced Security Research Journal, NAI Labs, Vol. 1, No. 1, pp (1998). [8] Sun, Y. L. and Liu, J. K. R., Scalable Hierarchical Access Control in Secure Group Communications, Proceedings of INFOCOM 2004, Twenty-Third Annual Joint Conference of the IEEE Computer and Communications Societies, Vol. 2, pp (2004). doi: /INFCOM [9] Wang, G. J., Ouyang, J., Chen, H. H. and Guo, M. Y., Efficient Group Key Management for Multi-Privileged Groups, Computer Communications, Elsevier, Vol. 30, No , pp (2007). doi: /j.comcom [10] Muthulakshmi, A., Anitha, R. and Sumathi, M., Non- Split Balancing Higher Order Tree for Multi-Privileged Groups, WSEAS Transactions on Communications, Vol. 10, No. 10, pp (2011).

12 92 Yang Xu et al. [11]Gu,X.Z.,Zhao,Y.J.andYang,J.Z., Reducing Rekeying Time Using an Integrated Group Key Agreement Scheme, Journal of Communications and Networks, Vol. 14, No. 4 (2012). doi: /JCN [12] Muthulakshmi, A. and Anitha, R Balanced Key Tree Management for Multi-Privileged Groups Using (N, T) Policy, Security and Communication Networks, Vol. 5, No. 5, pp (2012). doi: / sec.351 [13] Ma, D., Deng, R. H., Wu, Y. D. and Li, T. Y., Dynamic Access Control for Multi-Privileged Group Communications, International Conference on Information and Communications Security (ICICS 2004), Lecture Notes in Computer Science (LNCS) 3269, Springer-Verlag, pp (2004). doi: / _39 [14] Cruz, J. R. P., Hernandez, S. E. P., Gomez, G. R., Drira, K. and Diaz, M., Multi-Session Key Management Scheme for Multimedia Group Communications, Journal of Internet Technology, Vol. 1, No. 1, pp (2012). [15] Hassen, H. R., Bettahar, H., Bouadbdallah, A. and Challal, Y., An Efficient Key Management Scheme for Content Access Control for Linear Hierarchies, Computer Networks, Vol. 56, No. 8, pp (2012). doi: /j.comnet Manuscript Received: Mar. 22, 2013 Accepted: Nov. 28, 2013