Abstract
Multicast Key Agreement (MKA) is a long-overlooked natural primitive of large practical interest. In traditional MKA, an omniscient group manager privately distributes secrets over an untrusted network to a dynamically-changing set of group members. The group members are thus able to derive shared group secrets across time, with the main security requirement being that only current group members can derive the current group secret. There indeed exist very efficient MKA schemes in the literature that utilize symmetric-key cryptography. However, they lack formal security analyses, efficiency analyses regarding dynamically changing groups, and more modern, robust security guarantees regarding user state leakages: forward secrecy (FS) and post-compromise security (PCS). The former ensures that group secrets prior to state leakage remain secure, while the latter ensures that after such leakages, users can quickly recover security of group secrets via normal protocol operations.
More modern Secure Group Messaging (SGM) protocols allow a group of users to asynchronously and securely communicate with each other, as well as add and remove each other from the group. SGM has received significant attention recently, including in an effort by the IETF Messaging Layer Security (MLS) working group to standardize an eponymous protocol. However, the group key agreement primitive at the core of SGM protocols, Continuous Group Key Agreement (CGKA), achieved by the TreeKEM protocol in MLS, suffers from bad worst-case efficiency and heavily relies on less efficient (than symmetric-key cryptography) public-key cryptography. We thus propose that in the special case of a group membership change policy which allows a single member to perform all group additions and removals, an upgraded version of classical Multicast Key Agreement (MKA) may serve as a more efficient substitute for CGKA in SGM.
We therefore present rigorous, stronger MKA security definitions that provide increasing levels of security in the case of both user and group manager state leakage, and that are suitable for modern applications, such as SGM. We then construct a formally secure MKA protocol with strong efficiency guarantees for dynamic groups. Finally, we run experiments which show that the left-balanced binary tree structure used in TreeKEM can be replaced with red-black trees in MKA for better efficiency.
The full version [9] is available as entry 2021/1570 in the IACR eprint archive.
A. Bienstock—Partially supported by a National Science Foundation Graduate Research Fellowship.
Y. Dodis—Partially supported by gifts from VMware Labs and Google, and NSF grants 1619158, 1319051, 1314568.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
Notes
- 1.
Most constructions informally claim to have “fair-weather” \(O(\log n_\text {max})\) communication complexity [2], i.e., in some (undefined) good conditions, they have \(O(\log n_\text {max})\) communication.
- 2.
See https://github.com/abienstock/Multicast-Key-Agreement for the code.
- 3.
- 4.
We could easily allow for batch operations – as the latest MLSv11 draft does through the “propose-then-commit” framework [5] – which would be more efficient than the corresponding sequential execution of those operations, but we choose not to for simplicity. We also note that updating one user at a time in case of their corruption is of course much more efficient (and just as secure) than updating the whole group in case just that user was corrupted.
- 5.
Any expression containing \(\bot \) evaluates to \(\mathsf {false}\).
- 6.
Where we use the standard PRF security of a dPRF \(\mathsf {dprf}\) on the child’s key (see the full version [9]).
- 7.
We only need to use a dPRF at leaves of the MKA tree for updates in which the corresponding oob message is corrupted (we could use a PRG elsewhere), but we use one at all nodes, for all operations, for simplicity.
- 8.
Note: we do not actually have to include the skeleton, since the tree does not actually change after updates, but we do for ease of exposition. It should not affect the complexity of the scheme since its size should be proportional to that of \(\mathsf {CT}\).
- 9.
See https://github.com/abienstock/Multicast-Key-Agreement for the code.
- 10.
Note that 12.5% is the threshold such that the group size does not approach zero in expectation, as the number of operations \(10 \cdot 2^i\) is 20 times more than the initial group size \(2^{i-1}\) and thus the difference between the probabilities of Remove and Add operations needs to be less than \(1/20 = 5\%\).
- 11.
In the full version [9], we also show how to retain \(\mathsf {GUS}\)’s \(O(\log n)\) computational complexity.
References
Alwen, J., Coretti, S., Dodis, Y., Tselekounis, Y.: Security analysis and improvements for the IETF MLS standard for group messaging. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020, Part I. LNCS, vol. 12170, pp. 248–277. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56784-2_9
Alwen, J., Coretti, S., Jost, D., Mularczyk, M.: Continuous group key agreement with active security. In: Pass, R., Pietrzak, K. (eds.) TCC 2020, Part II. LNCS, vol. 12551, pp. 261–290. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64378-2_10
Alwen, J., et al.: Keep the dirt: tainted treekem, adaptively and actively secure continuous group key agreement. In: 2021 IEEE Symposium on Security and Privacy (SP). IEEE (2021)
Bajaj, S., Sion, R.: Ficklebase: looking into the future to erase the past. In: 2013 IEEE 29th International Conference on Data Engineering (ICDE), pp. 86–97. IEEE
Barnes, R., Beurdouche, B., Millican, J., Omara, E., Cohn-Gordon, K., Robert, R.: The Messaging Layer Security (MLS) Protocol. Internet-Draft draft-ietf-mls-protocol-11, Internet Engineering Task Force, December 2020, work in Progress
Bellare, M., Lysyanskaya, A.: Symmetric and dual PRFs from standard assumptions: A generic validation of an HMAC assumption. Cryptology ePrint Archive, Report 2015/1198 (2015). https://eprint.iacr.org/2015/1198
Bellare, M., Yee, B.: Forward-security in private-key cryptography. In: Joye, M. (ed.) CT-RSA 2003. LNCS, vol. 2612, pp. 1–18. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36563-X_1
Bhargavan, K., Barnes, R., Rescorla, E.: TreeKEM: Asynchronous decentralized key management for large dynamic groups (2018). https://mailarchive.ietf.org/arch/msg/mls/e3ZKNzPC7Gxrm3Wf0q96dsLZoD8
Bienstock, A., Dodis, Y., Tang, Y.: Multicast key agreement, revisited. Cryptology ePrint Archive, Report 2021/1570 (2021). https://eprint.iacr.org/2021/1570
Bienstock, A., Dodis, Y., Yeo, K.: Forward secret encrypted RAM: lower bounds and applications. In: Nissim, K., Waters, B. (eds.) TCC 2021, Part III. LNCS, vol. 13044, pp. 62–93. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-90456-2_3
Boneh, D., Lipton, R.J.: A revocable backup system. In: USENIX Security Symposium, pp. 91–96 (1996)
Bresson, E., Chevassut, O., Pointcheval, D.: Provably authenticated group Diffie-Hellman key exchange—the dynamic case. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 290–309. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45682-1_18
Bresson, E., Chevassut, O., Pointcheval, D.: Dynamic group Diffie-Hellman key exchange under standard assumptions. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 321–336. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_21
Bresson, E., Chevassut, O., Pointcheval, D.: Security proofs for an efficient password-based key exchange. In: Jajodia, S., Atluri, V., Jaeger, T. (eds.) ACM CCS 2003, pp. 241–250. ACM Press, Washington, DC, 27–30 October 2003
Canetti, R., Garay, J., Itkis, G., Micciancio, D., Naor, M., Pinkas, B.: Multicast security: a taxonomy and some efficient constructions. In: IEEE INFOCOM 1999. Conference on Computer Communications. Proceedings. Eighteenth Annual Joint Conference of the IEEE Computer and Communications Societies. The Future is Now (Cat. No.99CH36320), vol. 2, pp. 708–716 (1999)
Di Crescenzo, G., Ferguson, N., Impagliazzo, R., Jakobsson, M.: How to forget a secret. In: Meinel, C., Tison, S. (eds.) STACS 1999. LNCS, vol. 1563, pp. 500–509. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-49116-3_47
Dodis, Y., Karthikeyan, H., Wichs, D.: Updatable public key encryption in the standard model. In: Nissim, K., Waters, B. (eds.) TCC 2021, Part III. LNCS, vol. 13044, pp. 254–285. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-90456-2_9
Geambasu, R., Kohno, T., Levy, A.A., Levy, H.M.: Vanish: increasing data privacy with self-destructing data. In: USENIX Security Symposium, vol. 316 (2009)
Harney, H., Muckenhirn, C.: RFC2093: Group Key Management Protocol (GKMP) Specification (1997)
Jost, D., Maurer, U., Mularczyk, M.: Efficient ratcheting: almost-optimal guarantees for secure messaging. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019, Part I. LNCS, vol. 11476, pp. 159–188. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17653-2_6
Katz, J., Yung, M.: Scalable protocols for authenticated group key exchange. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 110–125. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_7
Micciancio, D., Panjwani, S.: Optimal communication complexity of generic multicast key distribution. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 153–170. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_10
Mittra, S.: Iolus: A framework for scalable secure multicasting. In: Proceedings of the ACM SIGCOMM 1997 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communication, SIGCOMM 1997, pp. 277–288. Association for Computing Machinery, New York (1997)
Perrin, T., Marlinspike, M.: The double ratchet algorithm (2016). https://signal.org/docs/specifications/doubleratchet/
Peterson, Z.N., Burns, R.C., Herring, J., Stubblefield, A., Rubin, A.D.: Secure deletion for a versioning file system. In: FAST, vol. 5 (2005)
Porambage, P., Braeken, A., Schmitt, C., Gurtov, A., Ylianttila, M., Stiller, B.: Group key establishment for enabling secure multicast communication in wireless sensor networks deployed for IoT applications. IEEE Access 3, 1503–1511 (2015)
Reardon, J., Basin, D., Capkun, S.: Sok: secure data deletion. In: 2013 IEEE Symposium on Security and Privacy, pp. 301–315. IEEE (2013)
Reardon, J., Ritzdorf, H., Basin, D., Capkun, S.: Secure data deletion from persistent media. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security, pp. 271–284 (2013)
Roche, D.S., Aviv, A., Choi, S.G.: A practical oblivious map data structure with secure deletion and history independence. In: 2016 IEEE Symposium on Security and Privacy (SP), pp. 178–197. IEEE (2016)
Sedgewick, R.: Left-leaning red-black trees (2008)
Sherman, A.T., McGrew, D.A.: Key establishment in large dynamic groups using one-way function trees. IEEE Trans. Softw. Eng. 29(5), 444–458 (2003)
Tselekounis, Y., Coretti, S., Alwen, J., Dodis, Y.: Modular design of secure group messaging protocols and the security of MLS. In: ACM CCS 2021 (2021)
Wallner, D., Harder, E., Agee, R.: RFC2627: Key management for multicast: Issues and architectures (1999)
Weidner, M., Kleppmann, M., Hugenroth, D., Beresford, A.R.: Key agreement for decentralized secure group messaging with strong security guarantees. Cryptology ePrint Archive, Report 2020/1281 (2020). https://eprint.iacr.org/2020/1281
Wong, C.K., Gouda, M., Lam, S.S.: Secure group communications using key graphs. In: Proceedings of the ACM SIGCOMM 1998 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communication, SIGCOMM 1998, pp. 68–79. Association for Computing Machinery, New York (1998)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Bienstock, A., Dodis, Y., Tang, Y. (2022). Multicast Key Agreement, Revisited. In: Galbraith, S.D. (eds) Topics in Cryptology – CT-RSA 2022. CT-RSA 2022. Lecture Notes in Computer Science(), vol 13161. Springer, Cham. https://doi.org/10.1007/978-3-030-95312-6_1
Download citation
DOI: https://doi.org/10.1007/978-3-030-95312-6_1
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-95311-9
Online ISBN: 978-3-030-95312-6
eBook Packages: Computer ScienceComputer Science (R0)