1.
Computer Networks 50 (2006) 1781–1798
www.elsevier.com/locate/comnet
Key bundles and parcels: Secure communication
in many groups
Eunjin Jung *, Alex X. Liu, Mohamed G. Gouda
Department of Computer Sciences, The University of Texas at Austin, 1 University Station C0500,
Austin, TX 78712, United States
Received 30 March 2005; received in revised form 22 July 2005; accepted 28 July 2005
Available online 31 August 2005
Responsible Editor: D. Frincke
Abstract
We consider a system where each user is in one or more elementary groups. In this system, arbitrary groups of users
can be speciﬁed using the operations of union, intersection, and complement over the elementary groups in the system.
Each elementary group in the system is provided with a security key that is known only to the users in the elementary
group and to the system server. Thus, for any user u to securely multicast a data item d to every user in an arbitrary
group G, u ﬁrst forwards d to the system server which encrypts it using the keys of the elementary groups that comprise
G before multicasting the encrypted d to every user in G. Every elementary group is also provided with a key tree to
ensure that the cost of changing the key of the elementary group, when a user leaves the group, is small. In [E. Jung,
A.X. Liu, M.G. Gouda, Key bundles and parcels: secure communication in many groups, in: LNCS 2816, Group Com-
munications and Charges, 2003], we introduced two methods for packing the key trees of elementary groups into key
bundles and into key parcels. We also showed that packing into key bundles has the advantage of reducing the number
of encryptions needed to multicast a data item to the complement of an elementary group, while packing into key par-
cels has the advantage of reducing the total number of keys in the system. In this paper, we present more details of key
bundles and parcels: the algorithms that construct key bundles and parcels, and more simulation results comparing key
bundles and parcels. We also discuss how to reconﬁgure key bundles and parcels when the user joins or leaves diﬀerent
elementary groups and how to balance the load among multiple servers.
Ó 2005 Elsevier B.V. All rights reserved.
Keywords: Security; Network security; Group communication; Multicast; Key tree
*
Corresponding author. Tel.: +1 512 471 9532; fax: +1 512 471 8885.
E-mail addresses: ejung@cs.utexas.edu (E. Jung), alex@cs.utexas.edu (A.X. Liu), gouda@cs.utexas.edu (M.G. Gouda).
1389-1286/$ - see front matter Ó 2005 Elsevier B.V. All rights reserved.
doi:10.1016/j.comnet.2005.07.013
2.
1782 E. Jung et al. / Computer Networks 50 (2006) 1781–1798
1. Introduction This scheme is based on a distributed data
structure called a key tree. A key tree is a directed,
We consider a system that consists of n users incoming, rooted, balanced tree where each node
denoted ui, 0 6 i < n. The system users share one represents a key. The root of the tree represents
security key, called the system key. Each user ui the system key and each leaf node represents the
can use the system key to encrypt any data item individual key of a system user. The number of leaf
before sending it to any subset of the system users, nodes is n, which is the number of users in the sys-
and can use it to decrypt any data item after tem. Each user knows all the keys on the directed
receiving it from any other system user. (Examples path from its individual key to the root of the tree,
of such systems are secure multicast systems [1–4], and the server knows all the keys in the key tree.
secure peer-to-peer systems [5], and secure wireless Thus, in a binary key tree, each user knows
networks [6].) d log2 ne + 1 keys, and the server knows (2n À 1)
When a user ui leaves the system, the system key keys.
needs to be changed so that ui can no longer An example of a key tree for a system of eight
decrypt the encrypted data item exchanged within users is depicted in Fig. 1(a). The root of the key
the system. This requires to add a server S to the tree represents the system key K01234567 that is
system and to provide each system user uj with known to all users in the system. Each user also
an individual key Kj that only user uj and server knows all the keys on the directed path from its
S know. When a user ui leaves the system, server individual key to the root of the key tree. For
S changes the system key and sends the new key example, user u7 knows all the keys K7, K67,
to each user uj, other than ui, encrypted using its K4567, and K01234567.
individual key Kj. The cost of this rekeying Fig. 1(a) and (b) illustrates the protocol for
scheme, measured by the number of needed updating the system key when user u7 leaves the
encryptions, is O(n), where n is the number of users system. In this case, the system server S is required
in the system. to change the keys K01234567, K4567, and K67 that
Clearly, this solution does not scale when the user u7 knows. To update these keys, S selects
number of users become large. More eﬃcient new keys K0123456(7), K456(7), and K6(7), encrypts
rekeying schemes have been proposed in [7–14]. them, and sends them to the users that need to
A particular eﬃcient rekeying scheme [3,4,12] is know them. To ensure that u7 cannot get a copy
shown to cost merely O(log n) encryptions. This of the new keys, S needs to encrypt the new keys
scheme is extended in [15–17], and is shown to be using keys that u7 does not know. Therefore, S
optimal in [18]. encrypts the new K0123456(7) with the old K0123,
system key K 01234567 K 0123456(7)
u 7 leaves
K 0123 K4567 K 0123 K456(7)
K 01 K 23 K 45 K 67 K 01 K23 K45 K6(7)
K0 K1 K2 K3 K4 K5 K6 K7 K0 K1 K2 K3 K4 K5 K6
individual keys
(a) (b)
Fig. 1. A binary key tree before and after u7 leaves.
3.
E. Jung et al. / Computer Networks 50 (2006) 1781–1798 1783
encrypts the new K0123456(7) and the new K456(7) subset of the system users and one elementary
with the old K45, encrypts the new K0123456(7), the group has all the system users. Every elementary
new K456(7), and the new K6(7) with K6. Then, S group has a unique identiﬁer Gj, 0 6 j 6 m À 1.
multicasts the encrypted keys to the corresponding The identiﬁer for the elementary group that has
holders of these keys. The protocol can be speci- all users is G0. As an example, Fig. 2 illustrates a
ﬁed as follows: system that has eight users u0 through u7 and ﬁve
S ! u0 ; ...; u6 : fu0 ;u1 ;u2 ;u3 g; K 0123 hK 0123456ð7Þ jchki; elementary groups G0, G1, G2, G3, and G4.
S ! u0 ; ...; u6 : fu4 ;u5 g; K 45 hK 0123456ð7Þ jK 456ð7Þ jchki; The system needs to be designed such that any
user ui can securely multicast data items to all
S ! u0 ; ...; u6 : fu6 g; K 6 hK 0123456ð7Þ jK 456ð7Þ jK 6ð7Þ jchki.
users in any elementary group Gj. Moreover, any
This protocol consists of three steps. In each step, user ui can securely multicast data items to all
server S broadcasts a message consisting of two users in any group, where a group is deﬁned recur-
ﬁelds to every user in the system. The ﬁrst ﬁeld de- sively according to the following four rules:
ﬁnes the set of the intended ultimate destinations
of the message. The second ﬁeld is an encryption, 1. Any of the elementary groups G0, . . . , GmÀ1 is a
using an old key, of the concatenation of the group.
new key(s) and the checksum chk computed over 2. The union of any two groups is a group.
the new key(s). Note that although the broadcast 3. The intersection of any two groups is a group.
message is sent to every user in the system, only 4. The complement of any group is a group. (Note
users in the speciﬁed destination set have the key that the complement of any group G is the set of
used in encrypting the message and so only they all users in G0 that are not in G.)
can decrypt the message.
The above system architecture is based on the Thus, the set of groups is closed under the three
assumption that the system users constitute a single operations of union, intersection, and
group. In our previous work and this paper, we complement.
extend this architecture to the case where the sys- Each group can be deﬁned by a group formula
tem users form many groups. In [19], we introduced that includes the following symbols.
two methods for packing the key trees of elemen-
tary groups into key bundles and into key parcels. • G0 through GmÀ1,
We also showed that packing into key bundles has • _ for union,
the advantage of reducing the number of encryp- • ^ for intersection,
tions needed to multicast a data item to the comple- • : for complement.
ment of an elementary group, while packing into
key parcels has the advantage of reducing the total
number of keys in the system. In this paper, we
present more details of key bundles and parcels: G0
the algorithms that construct key bundles and par- G3
cels, and more simulation results comparing key G1 u2
u4
bundles and parcels. We also discuss how to recon-
ﬁgure key bundles and parcels when the user joins u3
u5
or leaves diﬀerent elementary groups and how to G2
balance the load among multiple servers. u0 u1
G4 u7
2. Groups and group algebra u6
Assume that the system has m, m P 1, elemen-
tary groups: each elementary group is a distinct Fig. 2. A sample system.
4.
1784 E. Jung et al. / Computer Networks 50 (2006) 1781–1798
Group formulae can be manipulated using the As a second example, consider a student regis-
well-known laws of algebra: associativity, commu- tration system in some university. This system
tativity, distribution, De Morgan’s, and so on. For has m elementary groups G0 through GmÀ1, where
example, the group formula each Gi is a list of the students registered in one
course section. A professor who is teaching three
G1 _ :ð:G2 ^ G1 Þ
sections G5, G6, G7 of the same course, may wish
can be manipulated as follows: to securely multicast any information related to
the course to all the students in the group
G1 _ :ð:G2 ^ G1 Þ
G 5 _ G 6 _ G 7.
¼ fby De Morgan’sg G1 _ ð::G2 _ :G1 Þ As a third example, we consider the following
¼ fby associativity of _g G1 _ ::G2 _ :G1 military scenario. There are three overlapping reg-
¼ fby definition of complementg G1 _ G2 _ :G1 iments, G1, G2 and G3, in a battle ﬁeld. The general
commander of these regiments gets the informa-
¼ fby commutativity of _g G1 _ :G1 _ G2
tion that some soldiers in regiment G3 cannot be
¼ fby definition of complementg G0 _ G2 trusted. In this case, he might want to inform the
¼ fby definition of _g G0 . soldiers in G1 and G2, but not in G3, that the mes-
sages from G3 should not be trusted. Therefore, he
From this formula manipulation, it follows that can multicast this message to all the soldiers in the
the group deﬁned by the formula G1 _ : regiment ðG1 _ G2Þ ^ :G3.
ð:G2 ^ G1 Þ is the set of all system users. Thus,
for a user ui to securely multicast a data item d
to every user in the group G1 _ :ð:G2 ^ G1 Þ, it is 3. Key bundles
suﬃcient for ui to securely broadcast d to every
user in the system. The above problem suggests the following sim-
In the rest of this paper, we consider solutions ple solution (which we show below that it is inef-
for the following problem. How to design the sys- fective). First, assign to each elementary group Gj
tem so that any system user ui can securely multi- a security key to be shared by all the users of Gj.
cast data items to any group G in the system. Any Second, assign to the complement :Gj of each ele-
reasonable solution for this problem needs to take mentary group Gj a security key to be shared by
into account that the users can leave any elemen- every member of this complement. Third, provide
tary group in the system or leave the system alto- a key tree for each elementary group and another
gether, and these activities may require to change key tree for its complement. Note that the two key
the security keys associated with the elementary trees provided for an elementary group and its
groups from which users leave. In particular, the complement span all the users in the system. Thus,
solution should utilize key trees, discussed in Sec- these two trees can be combined into one complete
tion 1, that can reduce the cost of changing the key tree that spans all system users in the system.
security keys from O(n) to O(log n), where n is Fig. 3 shows the four complete key trees that are
the total number of users in the system. This prob- provided for the four elementary groups and their
lem is also discussed in [20]. complements in the system in Fig. 2.
The above problem has many applications. As a From Fig. 3(a), the key for the elementary
ﬁrst example, consider a cable TV broadcasting group G1 is K0123 and the key for its complement
system that has four packages: Basic, Standard, is K4567. From Fig. 3(b), the key for the elementary
Cinema, and Sports. When the cable TV provider group G2 is K01 and the key for its complement is
wants only users who subscribe both Standard K234567. From Fig. 3(c), the key for the elementary
and Sports packages to be able to watch Super group G3 is K2345, and the key fro its complement
Bowl game, then the provider securely multicasts is K0167. From Fig. 3(d), the key for the elementary
the game to all users in the group, Standard ^ group G4 is K67, and the key for its complement is
Sports. K012345.
5.
E. Jung et al. / Computer Networks 50 (2006) 1781–1798 1785
G0 K01234567
G0 K01234567
K234567 G2
G1 K0123 K4567 G1 K2345
K01 K23 K45 K67 G2 K 01 K23 K45 K67
K0 K1 K2 K3 K4 K5 K6 K7 K0 K1 K2 K3 K4 K5 K6 K7
(a)
(b)
G0 K01234567 G0 K01234567
G3 K2345 K0167 G3
G4 K012345
K0123
K01 K23 K45 K67 K01 K23 K45 K67 G4
K0 K1 K2 K3 K4 K5 K6 K7 K0 K1 K2 K3 K4 K5 K6 K7
(c) (d)
Fig. 3. The complete key trees for the elementary groups and their complements: (a) Groups G0 ; G1 ; :G1 ; (b) Groups G0 ; G2 ; :G2 ;
(c) Groups G0 ; G3 ; :G3 ; (d) Groups G0 ; G4 ; :G4 .
Note that these complete trees have the same G1 and G2 are non-conﬂicting since G1 is a subset
key for group G0, and the same individual key of G0, and G2 is a subset of G1. On the other hand,
for each user. Nevertheless, the total number of the two elementary groups G1 and G3 are conﬂict-
distinct keys in these complete trees is 19, which ing, because they share two users u2 and u3 and
is relatively large for this rather simple system. In neither group is a subset of the other.
general, this method requires O(mn) keys, where A bundle of a system is a maximal set of non-
m is the number of elementary groups and n is conﬂicting elementary groups of the system. In
the number of users in the system. the system example in Fig. 2, the four elementary
To reduce the total number of needed keys, sev- groups G0, G1, G2, G4 constitute one bundle B0,
eral elementary groups can be added to the same and the four elementary groups G0, G2, G3, G4
complete key tree, provided that these elementary constitute a second bundle B1.
groups are ‘‘non-conﬂicting’’. This idea suggests A bundle cover of a system is a set
the following three deﬁnitions of non-conﬂicting {B0, . . . , BmÀ1} of system bundles such that the
elementary groups, bundles, and bundle covers. following two conditions hold:
Two elementary groups are non-conﬂicting if
and only if either their intersection is empty or 1. Completeness: Each elementary group of the
one of them is a subset of the other. In the system system appears in some bundle Bi in the bundle
example in Fig. 2, the three elementary groups G0, cover.
6.
1786 E. Jung et al. / Computer Networks 50 (2006) 1781–1798
2. Compactness: Each bundle Bi has at least one 15 distinct keys compared with the 19 distinct keys
elementary group that does not appear in any in the four complete trees in Fig. 3. This represents
other bundle Bj in the bundle cover. more than 20% reduction in the total number of
keys in the server.
Note that the set {B0, B1}, where B0 = {G0, G1, The system server S knows the two key bundles
G2, G4} and B1={G0, G2, G3, G4}, is a bundle cover in Fig. 4, and each user ui knows only the keys that
for the system in Fig. 2. exist on the paths from its individual key Ki to the
The security keys for the elementary groups in a key of group G0. Thus, each user ui needs to col-
bundle can be arranged in a complete key tree. For laborate with the system server S in order to
example, Fig. 4(a) shows the complete key tree for securely multicast data items to any elementary
B0. In this tree, the key for group G0 is K01234567, group or any group that can be deﬁned by inter-
the key for group G1 is K0123, the key for G2 is section, union, and complement of elementary
K01, and the key for G4 is K67. Note that users u4 groups. This point is illustrated by the following
and u5 in G0 do not belong to any other elementary four examples.
group in the bundle, and so they are viewed as For the ﬁrst example, assume that user u0 wants
forming a complement group C0 whose key is to securely multicast a data item d to every user in
K45. We refer to a complete key tree that corre- group G4. In this case, user u0 can execute the
sponds to a bundle as a key bundle. following protocol:
Fig. 4(b) shows the complete key bundle for B1.
Note that in this bundle every user in G0 is also in u0 ! S : K 0 hdjG4 jchki;
another elementary group. Thus, the resulting S ! u0 ; . . . ; u7 : G4 ; K 67 hdju0 jchki.
complete key tree does not have a complement
group as in the former key tree in Fig. 4(a). This protocol consists of two steps. In the ﬁrst step,
Comparing the two key bundles in Figs. 4(a) user u0 sends a message K0hdjG4jchki to server S.
and (b), one observes that each of the elementary This message consists of three concatenated ﬁelds,
groups G0, G2, and G4 appear in both key bundles namely the data item d, its intended destination G4,
because none of them conﬂict with any elementary and the checksum chk; the message is encrypted by
group or any group in the system. One also the individual key K0 of user u0. In the second step,
observes that each of these groups has the same server S multicasts the message G4, K67hdju0jchki
group key in both key bundles, and that the indi- where the second ﬁeld consists of the data item d,
vidual key of each user is the same in both key the message source u0, and the checksum chk and
bundles. Note that these key bundles have only is encrypted with the group key of G4.
G0 K 01234567
G0 K 01234567
G1 K 0123 G3 K 2345
G2 K 01 K 23 C1 K 45 C0 K 67 G4 G2 K 01 K 23 K 45 K 67 G4
K0 K1 K2 K3 K4 K5 K6 K7 K0 K1 K2 K3 K4 K5 K6 K7
(a) (b)
Fig. 4. The complete key trees for the two bundles B0 and B1: (a) B0 = {G0, G1, G2, G4} and (b) B1 = {G0, G2, G3, G4}.
7.
E. Jung et al. / Computer Networks 50 (2006) 1781–1798 1787
For the second example, assume user u1 wants After server S receives this message, it translates
to securely multicast a data item d to the users in :G1 to C0 _ G4 then multicasts the message
either group G1 or G3, namely the users in the C0 _ G4, K45hdju5jchki, K67hdju5jchki. The users
union of G1 and G3. In this case, user u1 can in group C0 can get d using the group key K45,
execute the following protocol: and the users in group G4 can get d using the group
key K67.
u1 ! S : K 1 hdjG1 _ G3 jchki.
S ! u0 ; . . . ; u7 : G1 _ G3 ; K 0123 hdju1 jchki;
K 2345 hdju1 jchki. 4. Construction of key bundles
In the second step of this protocol, server S multi-
In this section, we describe a procedure that can
casts the message G1 _ G3, K0123hdju1jchki,
be used by the server of a system to construct and
K2345hdju1jchki to the two groups G1 and G3.
maintain key bundles for that system. This proce-
The users in group G1 can get d by using the group
dure consists of two algorithms. The ﬁrst algo-
key K0123 to decrypt K0123hdju1jchki and the users
rithm, presented in Section 4.1, constructs a
in group G3 can get d by using the group key K2345
bundle cover for the given system. The second
to decrypt K2345hdju1jchki. Note that if it is u2 who
algorithm, presented in Section 4.2, computes a
wants to send d to G1 _ G3, then since u2 belongs
complete key tree (i.e. a key bundle) for each bun-
to both G1 and G3, u2 already knows both K0123
dle in the bundle cover constructed by the ﬁrst
and K2345. Therefore, u2 can send the encrypted d
algorithm.
directly to the users in G1 and G3 as follows:
u2 ! u0 ; . . . ; u7 : G1 _ G3 ; K 0123 hdju2 jchki; 4.1. Algorithm for bundle cover construction
K 2345 hdju2 jchki.
This algorithm takes any given system with m
For the third example, assume that user u4 wants elementary groups G0, . . . , GmÀ1 and constructs a
to send a data item d to all the users in the intersec- bundle cover {B0, . . . , BrÀ1} for the given system,
tion of G1 and G3. In this case, user u4 can execute where r 6 m.
the following protocol. In this algorithm, the given system is repre-
u4 ! S : K 4 hdjG1 ^ G3 jchki. sented by a m · m boolean matrix C, where each
element C[i][j] is deﬁned as follows:
S ! u0 ; . . . ; u7 : G1 ^ G3 ; K 0123 hK 2345 hdju4 jchkii.
false if Gi Gj ¼ ; or Gi Gj or Gj Gi ;
In the second step of this protocol, server S multi- C½iŠ½jŠ ¼
true otherwise.
casts a message G1 ^ G3, K0123hK2345hdju4jchkii to
the group G1 ^ G3. Here the concatenation of d, u4 The algorithm starts with m empty bundles,
and chk is encrypted by both the group key of G1, B0, . . . , BmÀ1. Then the algorithm proceeds to add
which is K0123, and the group key of G3, which is elementary groups of the given system to the bun-
K2345. The encrypted message can only be de- dles, one by one, until each elementary group is
crypted by the users that are in both G1 and G3 be- added to at least one bundle. Finally, the algo-
cause only these users know the two group keys rithm keeps the bundles B0, . . . , BrÀ1 that have ele-
K0123 and K2345. mentary groups and discards the remaining empty
For the fourth example, assume that user u5 bundles Br, . . . , BmÀ1.
wants to send a data item d to all the users in The algorithm uses an array added [0 . . . m À 1]
the complement of group G1. In this case, user u5 of m integers, where added[j] records the number
executes the following protocol: of bundles that the elementary group Gj is added
to. We call added[j] the counter of the elementary
u5 ! S : K 5 hdj:G1 jchki. group Gj. Initially, the counter of every elementary
S ! u0 ; ... ;u7 : C 0 _ G4 ; K 45 hdju5 jchki;K 67 hdju5 jchki. group is zero. Whenever an elementary group Gj is
8.
1788 E. Jung et al. / Computer Networks 50 (2006) 1781–1798
added to a bundle, its counter added[j] is incre- B0 ¼ fG0 ; G1 ; G2 ; G4 g;
mented by one. B1 ¼ fG0 ; G2 ; G3 ; G4 g.
The bundle construction algorithm is speciﬁed
in Algorithm 1. Note that Lines 7 and 12 in this Consider a system with six elementary groups
algorithm call a boolean function NOCON- G0, . . . , G5. Assume that G0 conﬂicts with G1, G2.
FLICT(Br, Gy). This function is speciﬁed in As this algorithm computes a bundle cover with
Algorithm 2. O(m3) time complexity, note that computing a
bundle cover with minimum number of bundles
Algorithm 1. Bundle cover construction algorithm is NP-Complete. The proof is in Theorem 1.
1: r :¼ 0; Theorem 1. Given a system with elementary
2: for x = 0 to m À 1 groups, computing a bundle cover of the system
3: if added[x] 0 then goto line 2; with the minimum number of bundles is NP-
4: Br :¼ Br [ {Gx}; Complete.
5: added[x] :¼ 1;
6: for y = (x + 1) to m À 1 Proof. The proof consists of two parts. The ﬁrst
7: if added[y] = 0 and NOCONFLICT part shows that there is a polynomial algorithm
(Br, Gy) that veriﬁes whether a set of bundles is a bundle
8: then Br :¼ Br [ {Gy}; cover or not. The second part shows that a well-
9: added[y] :¼ 1 known NP-Complete problem, Vertex Coloring,
10: endfor; can be reduced into computing a bundle cover
11: for y = 0 to (m À 1) with minimum number of bundles in polynomial
12: if NOCONFLICT(Br, Gy) time. The Vertex Coloring problem is deﬁned as
13: then Br :¼ Br [ {Gy}; follows: given a graph G = (V, E), each vertex is
14: added[y] :¼ added[y] + 1 assigned with a color such that no adjacent vertices
15: endfor; are in the same color. Finding an assignment with
16: r :¼ r + 1 minimum number of colors is NP-Complete.
17: endfor; Part 1: Given a set of bundles, we can verify
18: discard the empty bundles Br, . . . , BmÀ1; whether the set is a bundle cover or not in
19: discard each bundle in which the counter polynomial time. For each elementary group, ﬁnd
of each elementary group is greater than 1 a bundle it belongs to. If there is any elementary
group that does not belong to any bundle, the set
of bundles is not a bundle cover. This step takes
Algorithm 2. Function NOCONFLICT O(mr), where m is the number of elementary
groups, and r is the number of bundles. To be a
Function NOCONFLICT(Br, Gy):boolean
bundle cover, each bundle has to have at least one
var ﬂag: boolean
elementary group that conﬂicts with some elemen-
1: ﬂag :¼ true;
tary group in every other bundle. Compute the
2: for every Gx in Br
conﬂict matrix C[i][j] as described in Section 4, and
3: if C[x][y] then
compute the conﬂicts between bundles according
4: ﬂag :¼ false;
to the matrix. We can verify all these conﬂicts in
5: goto line 6;
O(m2 + r2) steps.
6: endfor
Part 2: Given a graph G = (V, E), construct a
7: return ﬂag
system SG as follows: for each node u in V, add an
elementary group Gu to SG. For each edge (u, v) in
As an example, if this algorithm is applied to E, add a user useruv to both elementary groups Gu
the system in Fig. 2, the algorithm constructs the and Gv in SG so that these elementary groups
bundle cover {B0, B1}, where conﬂict with each other. Assume that we have the
9.
E. Jung et al. / Computer Networks 50 (2006) 1781–1798 1789
bundle cover B0, B1, . . . , BrÀ1 of the system SG with The algorithm for constructing a complete key
the minimum number of bundles. tree T for a given bundle B is shown below.
First, we show that we can color the vertices The child relation between elementary groups is
with r colors. Let r colors to be C0, C1, . . . , CrÀ1. computed once for all group pairs, using a new
For each elementary group Gu in Bi, color the conﬂict matrix F. F is deﬁned as follows:
vertex u in G with color Ci. (For an elementary
true if Gi Gj ;
group Gu that is in many bundles, choose the F ½iŠ½jŠ ¼
false otherwise.
smallest i of Bi can color with Ci. In fact, we can
The new conﬂict matrix F takes O(mn) to compute,
choose any i and the proof still holds.) The system
and it takes O(m3) to compute isChild, the child
SG is constructed so that for any two adjacent
relationship matrix between all pairs of elementary
nodes u and v in G, the corresponding elemen-
groups.
tary groups Gu and Gv conﬂict in SG, so they
cannot be in the same bundle. Therefore, no two Algorithm 3. Key Bundle Construction Algorithm
adjacent nodes in G can be colored with the same
color. 1: for each elementary group Gx in B
Second, we will show that r is the minimum 2: add a node Kx to T;
number of colors we need to use for coloring G, by 3: for each elementary group Gx in B
contradiction. Assume the minimum number of 4: for each elementary group Gy in B
colors needed to color vertices in G be k, where 5: if is Child(x, y)
k r. Let the k colors used in vertex coloring be 6: then add an edge (Gx, Gy) to T;
C0, C1, . . . , CkÀ1. For each color Ci, create a bundle 7: for each elementary group Gx in B
B0i , and for each node u with the color Ci, assign the 8: if there is an edge (Gy, Gx) in T
elementary group Gu to B0i . Add all the non- 9: then
conﬂicting elementary groups to each bundle B0i for 10: add all users in Gx that are not in any
maximality. The set of bundles B0i is a bundle cover, child elementary group of Gx to Cy;
because each elementary group Gu is in some B0i 11: add a node KCy to T;
(each node u in G is colored with some color Ci), 12: add an edge (KCy, Kx) to T;
and each bundle B0i has an elementary group that is 13: else
not in any other bundle (there is at least one node u 14: add a key tree rooted at Kx whose
that is colored with Ci). Now we have a bundle leaves are labeled with
cover with k bundles, where k r. This contradicts the individual keys of the users in the
to the assumption that the bundle cover elementary group Gx;
B0, B1, . . . , BrÀ1 is with the minimum number of 15: for each complement node KCx in T
bundles. 16: add a key tree rooted at KCx whose
Therefore, ﬁnding a bundle cover with mini- leaves are labeled with
mum number of bundles is NP-Complete. h the individual keys of the users in
the elementary group Cx;
4.2. Algorithm for key bundle construction
8
Next we describe an algorithm that takes as true if Gi Gj ; and no Gx satisfies
input any bundle B in the bundle cover, con- isChild½iŠ½jŠ ¼ Gi Gx Gj ;
:
structed by the above algorithm, and computes a false otherwise.
complete key tree for B. The following deﬁnition
of a child is needed in stating our algorithm. The complexity of this algorithm is O(m2 + mn).
Let B be a bundle and let G and G 0 be two dis- The worst case is when this bundle includes all m
tinct elementary groups in B. Then, G 0 is a child of elementary groups. The ﬁrst loop in lines 1–2 takes
G if and only if G 0 G and B has no elementary O(m) as there can be as many as m elementary
group G00 such that G 0 G00 G. groups in a bundle. The second loop in lines 3–6
10.
1790 E. Jung et al. / Computer Networks 50 (2006) 1781–1798
takes O(m2). In the third loop in lines 7–14, there hand, the disadvantage is that the number of keys
could be at most n users in Gx in the key tree needed in each key bundle is relatively large, and
rooted at Kx. Therefore, the third loop takes so the total number of keys in the server is rela-
O(mn). The last loop again takes O(mn), since tively large. (In the simulation results below shown
there could be at most n À 1 users in the comple- in Fig. 7 in Section 7, we show that the number of
ment group Cx. In total, the complexity of this keys in a system with key bundles is far greater
algorithm is O(m2 + mn). than that with key parcels.)
As an example, if this algorithm is applied to The disadvantage of bundle maximality out-
the system in Fig. 2, the algorithm constructs the weighs its advantage in systems where users never
key bundle shown in Fig. 4. need to securely multicast data items to the com-
plements of elementary groups. Therefore, in these
systems, we use ‘‘parcels’’, which are not maximal,
5. Key parcels instead of bundles, which are maximal. The deﬁni-
tions of parcels and parcel covers are given next.
A bundle is deﬁned as a maximal set of non- A parcel of a system is a set of non-conﬂicting
conﬂicting elementary groups in the system. From elementary groups of the system.
this deﬁnition the elementary group G0 is in every A parcel cover of a system is a sequence of par-
bundle since it does not conﬂict with any other ele- cels (P0, . . . , PsÀ1) such that the following two con-
mentary group in the system. Thus, every key bun- ditions hold:
dle is a complete key tree.
This feature of bundle maximality has one 1. Completeness: Each elementary group of the
advantage and one disadvantage. The advantage system appears in some parcel Pi in the parcel
is that the complement of any elementary group cover.
in a bundle Bj can be expressed as the union of 2. Compactness: Each elementary group in each
some other elementary groups in Bj. Thus, securely parcel Pi conﬂicts with at least one elementary
multicasting a data item to the complement of any group in each of the preceding parcels
elementary group can be carried out eﬃciently. (In P0, . . . , PiÀ1 in the parcel cover.
the simulation results below shown in Fig. 9 in
Section 7, we show that the average number of As an example, a parcel cover for the system in
encryptions required for a complement of an ele- Fig. 2 is (P0, P1), where P0 = {G0, G1, G2, G4} and
mentary group in a system with key bundles is P1 = {G3}. Fig. 5 is a parcel cover (P0, P1) for the
much less than that with key parcels.) On the other system in Fig. 2.
Fig. 5. The complete key trees for the parcel cover: (a) P0 = {G0, G1, G2, G4} and (b) P1 = {G3}.
11.
E. Jung et al. / Computer Networks 50 (2006) 1781–1798 1791
The security keys for the elementary groups in a The complexity of this parcel cover construc-
parcel can be arranged in a key tree that is not nec- tion algorithm is O(m3), but in general the com-
essarily a complete tree. Fig. 5(a) shows the key plexity of computing a parcel cover for a given
tree for parcel P0 consisting of the elementary system with the minimum number of parcels is
groups G0, G1, G2, and G4. Fig. 5(b) shows the NP-Complete. The proof is given in Theorem 2.
key tree for parcel P1 consisting of the elementary
group G3. Note that the key tree for parcel P1 is Theorem 2. Given a system with elementary
not a complete tree. We refer to a key tree that groups, computing a parcel cover of the system with
corresponds to a parcel as a key parcel. the minimum number of parcels is NP-Complete.
Proof. The proof consists of two parts. The ﬁrst
6. Construction of key parcels
part shows that there is a polynomial algorithm
that veriﬁes whether a set of parcels is a parcel
In this section, we describe a procedure that can
cover or not. The second part shows that a well-
be used by the server of a system to construct and
known NP-Complete problem, Vertex Coloring,
maintain key parcels for that system. This proce-
can be reduced into computing a parcel cover with
dure consists of two algorithms.
minimum number of parcels in polynomial time.
The ﬁrst algorithm constructs a parcel cover for
The Vertex Coloring problem is deﬁned as follows:
any given system. This algorithm takes any given
given a graph G = (V, E), each vertex is assigned
system with m elementary groups G0, . . . , GmÀ1
with a color such that no adjacent vertices are in
and constructs a parcel cover (P0, . . . , PsÀ1) for
the same color. Finding an assignment with mini-
the given system, s 6 m. This parcel cover con-
mum number of colors is NP-Complete.
struction algorithm uses the same data structures
Part 1: Given a set of parcels, we can verify
and the same NOCONFLICT function used in
whether the set is a parcel cover or not in
the bundle cover construction algorithm in Algo-
polynomial time. For each elementary group, ﬁnd
rithm 2. The parcel cover construction algorithm
a parcel it belongs to. If there is any elementary
is shown in Algorithm 4.
group that does not belong to any parcel, the set of
Note that the array added used in Algorithm 4
parcels is not a parcel cover. This step takes O(ms),
is actually a boolean array. The value of added[x]
where m is the number of elementary groups, and s
for each elementary group Gx is either 0 or 1,
is the number of parcels. To be a parcel cover, each
where 0 means it is not assigned to any parcel
parcel has to have at least one elementary group
yet and 1 means it is assigned to some parcel.
that conﬂicts with some elementary group in every
Algorithm 4 Parcel Cover Construction algorithm other parcel. Compute the conﬂict matrix C[i][j] as
described in Section 6, and compute the conﬂicts
1: s :¼ 0; between parcels according to the matrix. We can
2: for x = 0 to m À 1 verify all these conﬂicts in O(m2 + s2) steps.
3: if added[x] 0 then goto line 2; Part 2: Given a graph G = (V, E), construct a
4: Ps :¼ Ps [ {Gx}; system SG as follows: for each node u in V, add an
5: added[x] :¼ 1; elementary group Gu to SG. For each edge (u, v) in
6: for y = (x + 1) to m À 1 E, add a user useruv to both elementary groups Gu
7: if added[y] = 0 and NOCONFLICT and Gv in SG so that these elementary groups
(Ps, Gy) conﬂict with each other. Assume that we have the
8: then Ps :¼ Ps [ {Gy}; parcel cover P0, P1, . . . , PsÀ1 of the system SG with
9: added[y] :¼ 1 minimum number of parcels.
10: endfor; First, we show that we can color the vertices
11: s :¼ s + 1 with s colors. Let s colors to be C0, C1, . . . , CsÀ1.
12: endfor; For each elementary group Gu in Pi, color the
13: discard the empty parcels Ps, . . . , PmÀ1 vertex u in G with color Ci. The system SG is
12.
1792 E. Jung et al. / Computer Networks 50 (2006) 1781–1798
constructed so that for any two adjacent nodes u that join signiﬁcantly more elementary groups
and v in G, the corresponding elementary groups than the average. Each elementary group that u
Gu and Gv conﬂict in SG, so they cannot be in the joins is chosen randomly among all the elementary
same parcel. Therefore, no two adjacent nodes in groups from uniform distribution. In our simula-
G can be colored with the same color. tion shown in Figs. 6–9, we used a class of syn-
Second, we will show that s is the minimum thetic systems with the following properties:
number of colors we need to use for coloring G, by
contradiction. Assume the minimum number of 1. The number of users in each system varies from
colors needed to color vertices in G be k, where 1000 to 10 000.
k s. Let the k colors used in vertex coloring be 2. Each system has 500 elementary groups.
C0, C1, . . . , CkÀ1. For each color Ci, create a parcel 3. In each system, a user joins 2 elementary groups
P 0i , and for each node u with the color Ci, assign on average.
the elementary group Gu to P 0i . By the deﬁnition of
vertex coloring, no two adjacent nodes are colored Each system is simulated 100 times. The aver-
with the same color. This set of parcels P 0i is a ages of the following four items are computed over
parcel cover: Each elementary group Gu belongs to
at least to one parcel, since each vertex u in G is
colored with some color. Also, each parcel has at
7
least one elementary group that was not in the
preceding parcels, since for each color Ci, at least 6
number of bundles/parcels
one vertex is colored with Ci and with no other 5
color. Now we have a set of parcels with k parcels,
where k s. This contradicts to the assumption 4
that the parcel cover P0, P1, . . . , PsÀ1 is with the 3
minimum number of parcels.
2
Therefore, ﬁnding a parcel cover with minimum
number of parcels is NP-Complete. h 1
bundles
parcels
The second algorithm computes a key tree (i.e. 0
0 2 4 6 8 10
a key parcel) for each parcel in the parcel cover
number of users (in 1000s)
constructed by the ﬁrst algorithm. This algorithm
is exactly the same as the one presented in Section Fig. 6. Number of bundles or parcels.
4.2.
7. Simulation results 90
bundles
# of keys in the server (in 1000s)
80 parcels
In this section, we present the results of simula- 70
tions that we carried out to demonstrate the feasi- 60
bility of key bundles and key parcels. The
50
simulation is written in Java. For each system,
40
we decide the number of users, the number of ele-
mentary groups, and the average number of ele- 30
mentary groups that each user joins. For the 20
given average number of elementary groups c, we 10
generate a random number ku from Poisson distri- 0
0 2 4 6 8 10
bution for each user u, and user u joins ku elemen-
number of users (in 1000s)
tary groups. The reason that we use Poisson
distribution is to simulate the eﬀect of a few users Fig. 7. Number of keys in the server.
13.
E. Jung et al. / Computer Networks 50 (2006) 1781–1798 1793
14 the number of keys in the case of key bundles
bundles
parcels grows much faster in the case of key parcels. This
12
is because each key bundle is a complete key tree
avg # of keys per user
10 while each key parcel is not necessarily complete.
8
As shown in Fig. 8, the number of keys that
each user needs to store increases as a logarithm
6 function with the number of users in the system.
4 Fig. 9 shows how many encryptions are needed
per complement of an elementary group when the
2
Key Bundle or the Key Parcel approach is used.
0 The Key Bundle approach shows better perfor-
0 2 4 6 8 10
mance than the Key Parcel approach, and the dif-
number of users (in 1000s)
ference becomes greater as the number of users
Fig. 8. Number of keys per user. increases. The number of encryptions in the Key
Bundle approach decreases as the number of users
increases, while that in the Key Parcel approach
8
increases linearly as the number of users increases.
bundles The following two paragraphs explain why.
7 parcels
When the Key Bundle approach is used, the
# of enc per compl in 1000s
6 average number of encryptions performed for a
5 complement of an elementary group decreases as
the number of users increases (the actual number
4
is from around 500 to 400). As the number of users
3
increases, the probability of two groups’ conﬂict-
2 ing increases. Therefore, the average number of
1 groups can be put in a bundle decreases. Since
we use the keys of other groups in the same bundle
0
1 2 3 4 5 6 7 8 9 10 that contains an elementary group to encrypt for
number of users (in 1000s) the complement of the elementary group (for
Fig. 9. Number of encryptions per complement.
example, we use K01 and K67 for :G3 in Fig. 4),
the number of encryptions decreases as the
number of users increases.
the 100 simulation runs for each system: the num- On the other hand, the number of encryptions
ber of bundles or parcels in the system cover, the for a complement performed in the Key Parcel
total number of keys in the server, the number of approach linearly increases as the number of users
keys per user, and the number of encryptions grows. It is because that in the Key Parcel
needed to multicast a data item to the users in approach, we use the individual keys of users that
the complement of an elementary group. The are not in any elementary group in the same par-
results of these simulations are shown in Figs. 6–9. cel. For example, to securely multicast to :G3 in
As shown in Fig. 6, the number of bundles in a Fig. 5, we need to use the individual keys of
bundle cover more or less equals the number of K0, K1, K6, K7. As the number of users increases,
parcels in a parcel cover. Note that this number the probability of two groups’ conﬂicting
increases logarithmically as the number of users increases, so the average number of groups in a
in the simulated system grows. parcel decreases. Therefore, as the number of users
As shown in Fig. 7, the number of keys in sys- increases, we need to use more individual keys to
tems that use key bundles and the number of keys encrypt for a complement.
in systems that use key parcels grow linearly as the We also ran simulations with the following
number of users in the system increases. However, parameters.
14.
1794 E. Jung et al. / Computer Networks 50 (2006) 1781–1798
1. The number of users in each system is 5000. more conﬂicts between elementary groups exist,
2. Each system has 500 elementary groups. so the number of bundles or parcels increases.
3. In each system, the average number of elemen- As shown in Fig. 11, the number of keys in serv-
tary groups each user joins varies from 2 to 2.8. ers that use key bundles and the number of keys in
servers that use key parcels grow linearly as the
Each system is simulated 100 times. The aver- average number of elementary groups each user
ages of the following two items are computed over joins in the system increases. However, the number
the 100 simulation runs for each system: the num- of keys in the case of key bundles grows much fas-
ber of bundles or parcels in the system cover and ter in the case of key parcels. This is the same ten-
the total number of keys in the server. The results dency with Fig. 7 where the number of users in the
of these simulations are shown in Figs. 10 and 11. system varies.
As shown in Fig. 10, the number of bundles in a
bundle cover more or less equals the number of
parcels in a parcel cover. As the average number 8. Bundle/parcel cover reconﬁguration
of elementary groups each user joins increases,
We have shown how to construct a bundle/
parcel cover for a system with elementary groups.
As we discussed in Section 2, users in this system
8 can join or leave any elementary group in the sys-
7 tem, or leave the system altogether, and these
number of bundles/parcels
activities may require to change the security keys
6
associated with the elementary groups which users
5 join or leave. In this section, we discuss how to
4 handle these changes. Handling join and leave
3
operations does not diﬀer either in a system based
on key bundles or in a system based on key
2
parcels, so the following discussion is based on
1 bundles key parcels.
parcels
0 When a user u joins an elementary group G in a
1.8 2 2.2 2.4 2.6 2.8 3 parcel P, this join operation may render G to con-
group density
ﬂict with other elementary groups in P. Also, when
Fig. 10. Number of bundles or parcels. a user u leaves an elementary group G in a parcel
P, this leave operation may render G to conﬂict
with its child group, or not to conﬂict with some
50 elementary groups in other parcels. We do not
bundles
expect that the parcel cover of the system will be
# of keys in the server (in 1000s)
45 parcels
40 reconﬁgured for a certain period, say a year or
35 six months, according to the nature of the applica-
30 tion. During this period, the changes in conﬂicts
25 will be handled tentatively.
20 Join operations can be handled by assigning
15 additional individual keys to the joining users. If
10 user ui, who is already in a group Gj, joins another
5 group G0j in the same parcel P, then the two groups
0 Gj and G0j become conﬂicting and should be
1.8 2 2.2 2.4 2.6 2.8 3 assigned to diﬀerent parcels. Instead of recomput-
group density
ing a new parcel cover for the system, when user ui,
Fig. 11. Number of keys in the server. who is already in group Gj, joins group G0j , another
15.
E. Jung et al. / Computer Networks 50 (2006) 1781–1798 1795
user u0i joins G0j instead of ui. In this case a new tecture can be presented where multiple key and
individual key is assigned to user u0i (although the multicast servers are deployed in a system that
two users ui and u0i in fact correspond to the same use key bundles).
physical user). The net eﬀect of this solution is that
the two groups Gj and G0j are still not conﬂicting 9.1. Architecture
and can remain in the same parcel P. The conﬂict
will be resolved when the current period expires Consider a system that has been partitioned
and the parcel cover is recomputed. into a parcel cover (P0, . . . , PsÀ1), as described in
For the leave operations, we assume that it is Section 6. In this case, s key servers,
okay for leaving users to be able to understand KS0, . . . , KSsÀ1, are deployed such that each key
the communications until the current period server KSk maintains the keys in parcel Pk.
expires and the parcel cover is recomputed. In fact, When a user ui leaves a group Gj in parcel Pk
this is what happens in many subscription-based then only key server KSk needs to update a small
services. Even if users specify their intentions to number of keys in its parcel of Pk and to inform
leave any service or the whole system altogether the other users in Gj. (The updated keys are multi-
in the middle of pre-deﬁned period, they can still cast to the other users in Gj according to the key
receive the service until the current subscription tree algorithm [4].) Similarly, when a user ui joins
period expires. a group Gj in parcel Pk then only the key server
KSk needs to update a number of keys in its parcel
and to inform the other users in Gj.
9. Server distribution The multicast servers know individual keys of
all users and group keys of all groups in the sys-
So far, we have presented the server as if it were tem. Thus whenever key server KSk updates the
a single entity in the system. In fact, the server does keys of its parcel Pk, KSk securely multicast the
not have to be a single entity. In this section, we updated group keys in its parcel to all the multicast
present a way to distribute the functionality of servers in the system.
the server among several servers.
As explained earlier, the server has two tasks: 9.2. Convergence
1. Key Management: The server generates new At an ideal state of this system, each key K in
keys when a user joins or leaves a group, and each key parcel is known to user ui if and only if
distributes the newly generated keys to the either K is the individual key of ui or ui is a descen-
appropriate set of users. dant of node K in the key parcel. Such a system is
2. Secure Multicast: If a user does not know guaranteed to converge to an ideal state provided
appropriate group keys to secure its message, its initial state is ideal.
it has to encrypt the message using its individual When a user ui leaves a group Gj in a parcel Pk,
key and forward it to the server. The server then the key server KSk needs to update the keys that
decrypts the message using the individual key of are on the path from the individual key Ki to the
the user, encrypts the message using the appro- group key GKj in the parcel. Now some keys of
priate group keys, and multicasts the message the parcel have been updated and the updated keys
to the ultimate destination. are not known to all the users that need to know
them, so this state is not ideal. Key server KSk uses
We deploy two types of servers to perform these the key distribution protocol in [4] to distribute the
two tasks: key servers to perform key management updated keys. The key distribution protocol
and multicast servers to perform secure multicast. ensures that only the users that are descendants
In the following we present an architecture where of a key K can acquire the updated key K 0 . After
multiple key and multicast servers are deployed the key distribution is completed, the system is in
in a system that use key parcels. (A similar archi- an ideal state.
16.
1796 E. Jung et al. / Computer Networks 50 (2006) 1781–1798
Similar argument can be given for the case and key parcels provides a reasonable perfor-
when user ui joins a group Gj in a parcel Pk. User mance to the whole system. The number of keys
ui has individual key Ki shared with the servers. stored per user in the case of key bundles is 12
The system is not in an ideal state until user ui for 10 000 user system, while that in the case of
acquires all the keys on the path from Ki to GKj key parcels is 5. Instead, the number of encryp-
in the key parcel. Key server KSk uses the key dis- tions needed for a complement in the case of key
tribution protocol in [4] to transmit keys, and after bundles is far less than that in the case of key par-
the key transmission is ﬁnished the system is in an cels as shown in Fig. 9.
ideal state. Key bundles and key parcels are two extremes
So far, we have only discussed how to use key in the spectrum of solutions supporting secure
servers to store each key parcel. These key servers group communication in many groups. Key bun-
can be implemented using the protocol in [4], but dles put emphasis on supporting complement of
also can be implemented using the technique in an elementary group with relatively large number
[13,21]. of keys in the system, while key parcels save the
number of keys in the system but in result cannot
support complement of an elementary group with-
10. Conclusion out considerably far more number of encryptions.
As a future work, we would like to ﬁnd a hybrid
We consider a system where each user is in one between these two methods, which needs less num-
or more elementary groups. In this system, arbi- ber of keys in the system than in the case of key
trary groups of users can be speciﬁed using the bundles and at the same time supports comple-
operations of union, intersection, and complement ment of an elementary group with less number of
over the elementary groups in the system. Each encryptions than in the case of key parcels.
elementary group in the system is provided with We are also interested in conducting a case
a security key that is known only to the users in study of these methods in a real world application.
the elementary group and to the system server. The case study includes to deﬁne appropriate
Thus, for any user u to securely multicast a data scopes of elementary groups and to maintain key
item d to every user in an arbitrary group G, u ﬁrst bundles or key parcels accordingly. As a typical
forwards d to the system server which encrypts it application of secure group communication, a
using the keys of the elementary groups that com- peer-to-peer knowledge sharing system can take
prise G before multicasting the encrypted d to advantage of these methods. An elementary group
every user in G. Every elementary group is also will represent an access control list for a speciﬁc
provided with a key tree to ensure that the cost domain of knowledge. Using key bundles or key
of changing the key of the elementary group, when parcels, users may securely communicate with
a user leaves the group, is small. We describe two any set of users according to the needs at the given
methods for packing the key trees of elementary time. For example, any two taskforces in a com-
groups into key bundles and into key parcels. pany may merge temporarily for a current task.
Packing into key bundles has the advantage of They do not have to change their security keys,
reducing number of encryptions needed to multi- nor need to initialize a new security domain. Still,
cast a data item to the complement of an elemen- the users in two taskforces can securely communi-
tary group. Packing into key parcels has the cate with one another.
advantage of reducing the total number of keys As described in Section 3, if the sender of mes-
in the system. We apply these two methods to a sage m does not know the keys required to encrypt
class of synthetic systems: each system has from m appropriately, the system server has to encrypt
1000 to 10 000 users and 500 elementary groups, m and multicast. This requirement for the server’s
and a user in each system is in 2 elementary groups help may cause performance bottleneck at the ser-
on average. Simulations of these systems show that ver. To reduce the workload of the system server,
our proposal to pack key trees into key bundles we have discussed in Section 9 how multiple serv-
17.
E. Jung et al. / Computer Networks 50 (2006) 1781–1798 1797
ers may be placed and coordinated to work in a [15] M.G. Gouda, C.-T. Huang, E. Elnozahy, Key trees and the
distributed manner. Moreover, rekeying does not security of the interval multicast, in: 22nd International
Conference on Distributed Computing Systems
need to occur for every single join/leave. In [16], (ICDCS’02), 2002, pp. 467–468.
batch rekeying showed favorable performance. [16] X.S. Li, Y.R. Yang, M.G. Gouda, S.S. Lam, Batch
Also exposure-oriented rekeying in [22] can be rekeying for secure group communications, in: The Tenth
used to trigger rekeying process. International World Wide Web Conference on World
Wide Web, ACM Press, 2001.
[17] Y.R. Yang, X.S. Li, X.B. Zhang, S.S. Lam, Reliable group
rekeying: a performance analysis, in: Proceedings of the
References 2001 Conference on Applications, Technologies, Architec-
tures, and Protocols for Computer Communications, ACM
[1] L. Gong, Enclaves: enabling secure collaboration over the Press, 2001.
Internet, IEEE Journal of Selected Areas in Communica- [18] J. Snoeyink, S. Suri, G. Varghese, A lower bound for
tions 15 (3) (1997) 567–575. multicast key distribution, in: IEEE INFOCOM 2001,
[2] S. Mittra, Iolus: a framework for scalable secure multi- 2001.
casting, in: Proceedings of the ACM SIGCOMM’97, ACM [19] E. Jung, A.X. Liu, M.G. Gouda, Key bundles and parcels:
Press, 1997. secure communication in many groups, in: LNCS 2816,
[3] D.M. Wallner, E.J. Harder, R.C. Agee, Key management Group Communications and Charges, 2003.
for multicast: Issues and architectures, RFC 2627, 1999. [20] M.T. Goodrich, J.Z. Sun, R. Tamassia, Eﬃcient tree-based
[4] C.K. Wong, M. Gouda, S.S. Lam, Secure group commu- revocation in groups of low-state devices, in: CRYPTO’04,
nications using key graphs, IEEE/ACM Transactions on 2004.
Networking (TON) 8 (1) (2000) 16–30. [21] O. Rodeh, K. Birman, D. Dolev, Optimized group rekey
[5] M. Steiner, G. Tsudik, M. Waidner, Key agreement in for group communication systems, in: Symposium on
dynamic peer groups, IEEE Transactions on Parallel and Network and Distributed System Security, 2000.
Distributed Systems 11 (8) (2000) 769–780. [22] Q. Zhang, K.L. Calvert, On rekey policies for secure group
[6] L. Gong, N. Shacham, Multicast security and its extension applications, in: ICCCN, 2003.
to a mobile environment, Wireless Networks 1 (3) (1995)
281–295.
[7] A. Ballardie, Scalable multicast key distribution, RFC Eunjin Jung is a Ph.D candidate in the
1949, 1996. Department of Computer Sciences in
[8] I. Chang, R. Engel, D.D. Kandlur, D.E. Pendarakis, D. the University of Texas at Austin. She
Saha, Key management for secure internet multicast using received the BS degree in Computer
boolean function minimization techniques, in: IEEE Science from Seoul National University
INFOCOM 1999, vol. 2, 1999, pp. 689–698. in 1999, and the M.S. degree in Com-
[9] D. Naor, M. Naor, J.B. Lotspiech, Revocation and tracing puter Sciences from the University of
schemes for stateless receivers, in: CRYPTO, 2001. Texas at Austin in 2002. Her research
[10] O. Rodeh, K. Birman, D. Dolev, The architecture and interests are in security in distributed
performance of security protocols in the ensemble group systems. Currently she is working on
communication system: using diamonds to guard the security issues in certiﬁcate systems.
castle, ACM Transactions on Information and System
Security (TISSEC) 4 (3) (2001) 289–319.
[11] S. Setia, S. Koussih, S. Jajodia, E. Harder, Kronos: a
scalable group re-keying approach for secure multicast, in:
IEEE Symposium on Security and Privacy, 2000. Alex X. Liu received the B.S. degree in
[12] M. Waldvogel, G. Caronni, D. Sun, N. Weiler, B. Plattner, computer sciences from Jilin Univer-
The Versakey framework: versatile group key manage- sity, China, in 1996. He received the
ment, IEEE Journal on Selected Areas in Communications M.S. degree in computer sciences from
17 (9) (1999) 1614–1631. the University of Texas at Austin in
[13] P.P. Lee, J.C.S. Lui, D.K. Yau, Distributed collaborative 2002, where he is currently working
key agreement protocols for dynamic peer groups, in: toward a Ph.D. degree in computer
ICNP, 2002. sciences. He won the 2004 IEEEIFIP
[14] S.S. Kulkarni, B. Bruhadeshwar, Reducing the cost of William C. Carter Award, the 2004
the critical path in secure multicast for dynamic groups, National Outstanding Oversea Stu-
in: Proceedings of the 22nd International Conference dents Award sponsored by the Minis-
on Distributed Computing Systems Workshops try of Education of China, and the 2005 George H. Mitchell
(ICDCSW’02), 2002. Award for Excellence in Graduate Research in The University
18.
1798 E. Jung et al. / Computer Networks 50 (2006) 1781–1798
of Texas at Austin. His research interests include network the Journal of High Speed Networks. He was the program
security, computer security, networks protocols, and distributed committee chairman of ACM SIGCOMM Symposium in 1989.
systems. He was the ﬁrst program committee chairman of IEEE Inter-
national Conference on Network Protocols in 1993. He was the
ﬁrst program committee chairman of IEEE Symposium on
Mohamed G. Gouda was born in Egypt. Advances in Computers and Communications, which was held
His ﬁrst B.Sc. was in Engineering and in Egypt in 1995. He was the program committee chairman of
his second was in Mathematics; both IEEE International Conference on Distributed Computing
are from Cairo University. Later, he Systems in 1999. He is on the steering committee of the IEEE
obtained M.A. in Mathematics from International Conference on Network Protocols and on the
York University and Masters and steering committee of the Symposium on Self-Stabilizing Sys-
Ph.D. in Computer Science from the tems, and was a member of the Austin Tuesday Afternoon Club
University of Waterloo. He worked for from 1984 till 2001. Prof. Gouda is the author of the textbook
the Honeywell Corporate Technology ‘‘Elements of Network Protocol Design’’, published by John-
Center in Minneapolis 1977–1980. In Wiley Sons in 1998. This is the ﬁrst ever textbook where
1980, he joined the University of Texas network protocols are presented in an abstract and formal set-
at Austin where he currently holds the Mike A. Myers Centen- ting. He coauthored, with Tommy M. McGuire, the monograph
nial Professorship in Computer Sciences. He spent one summer ‘‘The Austin Protocol Compiler’’, published by Springer in
at Bell labs in Murray Hill, one summer at MCC in Austin, and 2005. He also coauthored, with Chin-Tser Huang, the mono-
one winter at the Eindhoven Technical University in the Neth- graph ‘‘Hop Integrity in the Internet’’, to be published by
erlands. His research areas are distributed and concurrent Springer in 2006. Prof. Gouda is the 1993 winner of the Kuwait
computing and network protocols. In these areas, he has been Award in Basic Sciences. He was the recipient of an IBM Fac-
working on abstraction, formality, correctness, nondetermin- ulty Partnership Award for the academic year 2000–2001 and
ism, atomicity, reliability, security, convergence, and stabiliza- again for the academic year 2001–2002 and became a Fellow of
tion. He has published over sixty journal papers, and over eighty the IBM Center for Advanced Studies in Austin in 2002. He won
conference and wokshop papers. He supervised Nineteen Ph.D. the 2001 IEEE Communication Society William R. Bennet Best
Dissertations. Four of his former Ph.D. students are now Full Paper Award for his paper ‘‘Secure Group Communications
Professors at the University of Colorado at Colorado Springs, Using Key Graphs’’, coauthored with C.K. Wong and S.S. Lam
the University of California at Santa Barbara, the University of and published in the February 2000 issue of the IEEE/ACM
North Carolina at Chapel Hill, and the Ohio State University. Transactions on Networking (Volume 8, Number 1, Pages 16–
Another six of his former Ph.D. students are now Associate and 30). In 2004, his paper ‘‘Diverse Firewall Design’’, coauthored
Assistant Professors in the United States of America. Prof. with Alex X. Liu and published in the proceedings of the
Gouda was the founding Editor-in-Chief of the Springer-Verlag International Conference on Dependable Systems and Net-
journal Distributed Computing 1985–1989. He served on the works, won the William C. Carter Award. More detailed
editorial board of Information Sciences 1996–1999, and he is information about the career of Prof. Gouda can be found on his
currently on the editorial boards of Distributed Computing and website http://www.cs.utexas.edu/users/gouda
Be the first to comment