An Efficient and Flexible Decentralized Multicast Key Distribution Scheme


IJCSNS International Journal of Computer Science and Network Security, VOL.6 No.8B, August 2006

Wen-Shenq Juang and Jyan-Cwan Wu
Department of Information Management, Shih Hsin University, Taipei, Taiwan, R.O.C.

Summary

Multicast communication is becoming the basis for a growing number of Internet-based applications. The secure distribution of services or messages by the server to all multicasting group members requires an efficient and scalable way of distributing a group key to eligible members. Most existing research focuses on group key and group membership management and can be divided into four types: centralized, decentralized, distributed and hybrid schemes. In this paper we propose an efficient and flexible decentralized multicast key distribution scheme with less computational cost and more functionality. Its merits include: (1) the scheme needs no shared keys table between the registration center and all members; (2) a group key is distributed by servers to eligible members; (3) the computation cost is very low; (4) members and servers can authenticate each other; (5) the scheme is nonce-based and does not have a serious time-synchronization problem; (6) the shared secret key distribution between dynamic participants is also addressed in the proposed scheme.

Key words: Multicast, Multicast group key, Key distribution, Network security, Security service.

1. Introduction

Multicasting is becoming the basis for a growing number of Internet-based applications [19], e.g. teleconferencing, pay-per-view, on-line TV and on-line games. The distribution of services or messages by the server to all multicasting group members requires a security framework with an efficient and scalable way of distributing a group key to the eligible members. In a secure multicast communication system [3, 8], in order to preserve the secrecy of eligible members, the group key must be changed and redistributed to all current members whenever some member leaves or joins the group. Otherwise it is possible for new members to decrypt previously tapped encrypted messages, or for former members to decrypt new encrypted messages. To prevent these problems, the following two security criteria are important for group key distribution in secure multicast communication [16].

S1: Forward secrecy: if a person has left a group, the departed member cannot decrypt encrypted messages transmitted after the leaving.

S2: Backward secrecy: if a person joins a group, he cannot decrypt encrypted messages transmitted before the joining.

The process for achieving forward and backward secrecy requires redistributing the group key. This process is called group rekeying. In [16] multicast group key distribution is divided into three main classes: centralized group key management protocols, decentralized architectures and distributed key management protocols. Most centralized models use Logical Key Hierarchy (LKH) methods [11 15 0]. However, these approaches introduce key storage risk and are inefficient when the group is large. Decentralized architectures use subgroup controllers to distribute the group key [ 13]. They do not discuss how the Key Encryption Keys (KEKs) between a subgroup controller and its members are distributed. Distributed key management protocols use variants of Diffie-Hellman key agreement [18]. All members submit some information to generate the corresponding group key. This is inefficient because it has higher computation and communication costs, and since the group key is generated by all members it is hard to control forward and backward secrecy.

In this paper we propose an efficient and flexible decentralized multicast key distribution scheme with less computational cost and more functionality. Our proposed scheme satisfies the forward and backward secrecy requirements for members who join or leave a group. In addition, we propose a novel shared key distribution scheme between all members that is not addressed by other decentralized schemes.

The structure of this paper is organized as follows. In section 2 we give a brief review of related work. In section 3 we describe the decentralized multicast key
distribution scheme. Security analysis and efficiency considerations are discussed in sections 4 and 5. In section 6 we offer concluding remarks.

2. Related work

In [1, 16] secure approaches to multicast group key distribution are divided into four main classes: centralized group key management protocols, decentralized architectures, distributed key management protocols and hybrid models.

2.1 Centralized group key management

A typical centralized group key management protocol contains one important entity, the Key Distribution Center (KDC), which generates the group key and distributes it to all members. The easiest way of distributing a group key is the Group Key Management Protocol (GKMP) [6, 7]. When rekeying is required, the old conference key is used to encrypt the new conference key. However, this approach is not a solution for forward secrecy. Another important property of centralized models is the use of a Logical Key Hierarchy (LKH) [ 5 11 15 0]. LKH is a kind of binary tree used to solve key distribution in a group. However, these approaches introduce key storage risk and are inefficient when the group is large.

2.2 Decentralized architectures

In decentralized models [ 13] a KDC is used and the large group is split into small subgroups. Each subgroup has a subgroup controller to reduce the work of the KDC. In Iolus [13] there is a group security agent (GSA) managing each subgroup. The GSAs are in turn managed by a group security controller (GSC). The GSC uses independent keys for each subgroup, so no general group key is available to all group members. Although membership changes in subgroups are local, the major drawback of Iolus is that when a subgroup member wants to transmit messages to other subgroups, the GSA must perform the translation, since data are encrypted under each GSA's subgroup secret key. This approach reduces the workload on the GSC, but the GSA can become a bottleneck. Furthermore, the GSC does not authenticate each subgroup member. The shared keys between the GSC and its dynamic members are not addressed in those schemes [ 13].

2.3 Distributed key management protocols

The distributed approaches [18] have no group controller. All members must contribute their own secrets to generate the group key. A typical way is to use variants of the Diffie-Hellman key distribution scheme to generate the group key. However, the computation and communication cost is very high due to the many exponentiation operations.

2.4 Hybrid models

In [1] a hybrid secure multicast communication scheme was proposed by combining LKH and the Iolus framework. The scheme has a group controller (GC) and the large group is also split into small subgroups. The GC uses Iolus to distribute the group key to the subgroup controllers (SC). Each SC uses LKH to forward the group key to its group members. Although this approach lowers the GC load, the major drawbacks are the centralization problem at the SC and the fact that the GC cannot authenticate each subgroup member. In addition, shared key distribution between the GC and its dynamic members is not addressed.

3. Our proposed scheme

In this section we propose an efficient and flexible decentralized multicast key distribution scheme. There are three kinds of participants in our scheme: the registration center, subgroup controllers and subgroup members. All members submit their identities to the registration center for registration. The registration center classifies members into different subgroups. In each subgroup the registration center assigns a static member as the subgroup controller to reduce the cost of key distribution traffic. When a subgroup controller wants to send the group key to its members, the KEKs between the subgroup controller and its members can be inquired from the registration center. We assume the registration center is a trusted server that performs registration, shared key queries and multicast grouping. In the proposed approach the registration center divides all members into subgroups based on their behaviors and distances. The subgroups are connected to the registration center and arranged in the form of a hierarchy.

Let RC be the registration center. Let U_i denote a dynamic member in a subgroup and ID_i the unique identification of U_i. Without loss of generality, let U_0 be the static member in the subgroup. Let G be the subgroup; we write U_G for the dynamic members U_i of G collectively. Let h(·) be a secure one-way hash function [1]. Let E_K(m) be the ciphertext of m encrypted using the secret key K of a secure symmetric cryptosystem [1]. Let D_K(c) denote the plaintext of c decrypted using the secret key
K of the corresponding symmetric cryptosystem [1]. Let || denote the conventional string concatenation operator. Let X -> Y : {Z} denote that a sender X sends a message Z to a receiver Y. Finally, let x be the master secret key of RC; V_i = h(x || ID_i) is the secret key computed by RC and shared by U_i and RC after U_i registers at RC. Therefore V_{0i} = h(ID_0 || V_i) is the secret key computed by RC and U_i and shared by U_0 and U_i.

The proposed scheme consists of five phases: the registration phase, the grouping phase, the key distribution phase, the shared key inquiry phase and the dynamic membership management phase.

3.1 The registration phase

RC performs the grouping and key management required for multicast key distribution. Each member submits his identity information to RC for registration. If RC accepts this request, it performs the following steps.

Step 1: Compute U_i's secret key V_i = h(x || ID_i).
Step 2: Send V_i to U_i via a secure channel, or store V_i in a smart card and give it to U_i.

3.2 The grouping phase

To reduce the cost of key distribution traffic, an efficient grouping mechanism follows. The registration center RC classifies members into different subgroups based on their behavior and geography. In each subgroup RC assigns a static member as the subgroup head (controller). The general classification mechanism is based on the distance from the static members or the value of a threshold function. The static members perform the group key distribution for their subgroups. These approaches reduce the burden on RC.

3.3 The key distribution phase

After grouping, RC generates a group key K and sends it to the static member U_0 of every subgroup. Then each static member distributes the group key K to all its members. The following protocol is the group key distribution for each subgroup.

Step 1: RC -> U_0 : {N_1, E_{V_0}(K, h(K || N_1))}
Step 2: U_0 -> RC : {E_{V_0}(N_1 + 1, N_2)}
Step 3: RC -> U_0 : {E_{V_0}(N_2 + 1)}
Step 4: U_0 -> U_G : {ID_0, N_3, E_{V_{0i}}(K, h(K || N_3 || ID_0))}
Step 5: U_G -> U_0 : {E_{V_{0i}}(N_3 + 1, N_4)}
Step 6: U_0 -> U_G : {E_{V_{0i}}(N_4 + 1)}

In step 1, RC generates the group key K and a nonce N_1, and sends the message {N_1, E_{V_0}(K, h(K || N_1))} to U_0. The nonce N_1 is a fresh random number for freshness checking. The authentication tag h(K || N_1) is used for verifying the identity of RC. After receiving the message in step 1, U_0 decrypts it using its secret key and derives the group key K by computing D_{V_0}(E_{V_0}(K, h(K || N_1))). Then it checks whether the authentication tag h(K || N_1) is valid. If yes, U_0 sends the encrypted message E_{V_0}(N_1 + 1, N_2) back to RC. The nonce N_2 is for freshness checking. Upon receiving the encrypted message in step 2, RC decrypts it by computing D_{V_0}(E_{V_0}(N_1 + 1, N_2)) and checks whether the nonce N_1 + 1 is in it for freshness checking. If yes, RC sends E_{V_0}(N_2 + 1) back to U_0 in step 3. Upon receiving E_{V_0}(N_2 + 1), U_0 decrypts it by computing D_{V_0}(E_{V_0}(N_2 + 1)) and checks whether the nonce N_2 + 1 is in it for freshness checking. After step 3, RC has sent the group key K to all subgroup heads.

When U_0 wants to send the group key K to its subgroup member U_i, the shared key V_{0i} can be inquired from RC using the shared key inquiry phase. In step 4, U_0 generates a nonce N_3 and sends ID_0, N_3 and the encrypted message E_{V_{0i}}(K, h(K || N_3 || ID_0)) to U_i. The nonce N_3 is for freshness checking. After receiving ID_0, N_3 and the encrypted message in step 4, U_i decrypts the message by first
computing the shared key V_{0i} = h(ID_0 || V_i). Then U_i derives the group key K by computing D_{V_{0i}}(E_{V_{0i}}(K, h(K || N_3 || ID_0))) and checks whether the authentication tag h(K || N_3 || ID_0) is valid. If yes, U_i sends the encrypted message E_{V_{0i}}(N_3 + 1, N_4) back to U_0 in step 5. The nonce N_4 is for freshness checking. Upon receiving the encrypted message in step 5, U_0 decrypts it by computing D_{V_{0i}}(E_{V_{0i}}(N_3 + 1, N_4)) and checks whether the nonce N_3 + 1 is in it for freshness checking. If yes, U_0 sends the encrypted message E_{V_{0i}}(N_4 + 1) back to U_i in step 6. Upon receiving E_{V_{0i}}(N_4 + 1), U_i decrypts it by computing D_{V_{0i}}(E_{V_{0i}}(N_4 + 1)) and checks whether the nonce N_4 + 1 is in it for freshness checking. After finishing all steps, all group members can use the group key K for secure communication.

3.4 The shared key inquiry phase

When U_0 wants to send the group key K to its subgroup members U_i, the shared key V_{0i} can be inquired from RC. This approach avoids the risk of secret key storage. The following protocol is the shared key inquiry phase.

Step 1: U_0 -> RC : {N_5, ID_0, ID_i, E_{V_0}(h(ID_0 || ID_i || N_5))}
Step 2: RC -> U_0 : {E_{V_0}(V_{0i}, h(V_{0i} || (N_5 + 1)))}

In step 1, U_0 sends the inquiry message to RC. The message includes the authentication tag h(ID_0 || ID_i || N_5), encrypted under the secret key V_0 shared by U_0 and RC, which verifies the identity of U_0. After receiving the inquiry message, RC first decrypts it by computing D_{V_0}(E_{V_0}(h(ID_0 || ID_i || N_5))), then checks whether the message contains the authentication tag h(ID_0 || ID_i || N_5) and whether the nonce N_5 is fresh. RC can keep a simple table recording recently used nonces. RC rejects the inquiry if it is not valid. If it is valid and the nonce is fresh, RC computes the shared key V_{0i} = h(ID_0 || V_i) shared by U_0 and its subgroup member U_i. Then RC sends the encrypted message E_{V_0}(V_{0i}, h(V_{0i} || (N_5 + 1))) back to U_0 in step 2. Upon receiving the encrypted message in step 2, U_0 uses its secret key to decrypt it and derives the subgroup member's shared key V_{0i}.
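The registration phase (3.1), the key distribution phase (3.3) and the shared key inquiry phase (3.4) above, run end to end as an added example; this is illustrative code written for this page, not code from the paper or its authors. The paper leaves h(·) and the symmetric cryptosystem abstract: here h is instantiated as SHA-256 over the concatenation, and E_K/D_K as a stand-in cipher that XORs the message with an HMAC-SHA256 keystream under a random IV (chosen only so the example runs offline with the standard library; it is not a recommended cipher). Nonces are 63-bit random integers encoded in 8 bytes so that "N + 1" is a plain increment, the group key is 16 bytes, and the identities U0, U1, U2 are constructed sample values. The final function replays a captured inquiry message to show the nonce table from 3.4 refusing it.

```python
import hashlib, hmac, secrets, struct

def h(*parts):
    """One-way hash h(a || b || ...) as SHA-256 over the concatenation (assumed instantiation)."""
    return hashlib.sha256(b"".join(parts)).digest()

def _keystream(key, iv, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, iv + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def E(key, m):
    """E_K(m): stand-in symmetric cipher (random IV, HMAC-SHA256 keystream XOR)."""
    iv = secrets.token_bytes(16)
    return iv + bytes(a ^ b for a, b in zip(m, _keystream(key, iv, len(m))))

def D(key, c):
    """D_K(c): inverse of E."""
    iv, body = c[:16], c[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, iv, len(body))))

def nb(n):
    """8-byte encoding of a nonce, so N + 1 is a plain integer increment."""
    return struct.pack(">Q", n)

def ack(key, c, expected):
    """Initiator side of steps 2->3 and 5->6: check N + 1, answer {E_key(N' + 1)}."""
    pt = D(key, c)
    if pt[:8] != nb(expected + 1):
        raise ValueError("stale nonce: replayed or forged reply")
    return E(key, nb(struct.unpack(">Q", pt[8:16])[0] + 1))

class RC:
    """Registration center: keeps only the master secret x, no key table."""
    def __init__(self):
        self.x = secrets.token_bytes(32)
        self.seen = set()                  # recently used inquiry nonces (section 3.4)
    def V(self, ident):                    # V_i = h(x || ID_i), recomputed on demand (3.1)
        return h(self.x, ident)
    def step1(self, id0):                  # 3.3 step 1: {N_1, E_V0(K, h(K || N_1))}
        self.K, self.N1 = secrets.token_bytes(16), secrets.randbits(63)
        return self.N1, E(self.V(id0), self.K + h(self.K, nb(self.N1)))
    def step3(self, id0, c2):
        return ack(self.V(id0), c2, self.N1)
    def inquiry(self, n5, id0, idi, c):    # 3.4: verify tag and freshness, return V_0i
        if D(self.V(id0), c) != h(id0, idi, nb(n5)) or n5 in self.seen:
            raise ValueError("invalid or replayed inquiry")
        self.seen.add(n5)
        v0i = h(id0, self.V(idi))          # V_0i = h(ID_0 || V_i)
        return E(self.V(id0), v0i + h(v0i, nb(n5 + 1)))

class Member:
    def __init__(self, ident, v):
        self.ident, self.V, self.K = ident, v, None
    def recv_key(self, key, n, c, extra=b""):
        """Responder side of steps 1->2 and 4->5: verify tag, keep K, reply {E(N + 1, N')}."""
        pt = D(key, c)
        K, tag = pt[:16], pt[16:48]
        if tag != h(K, nb(n), extra):      # h(K || N_1) or h(K || N_3 || ID_0)
            raise ValueError("bad authentication tag")
        self.K, self.n_reply = K, secrets.randbits(63)
        return E(key, nb(n + 1) + nb(self.n_reply))
    def check_final(self, key, c):
        """Steps 3 and 6: the initiator must echo our nonce + 1."""
        if D(key, c) != nb(self.n_reply + 1):
            raise ValueError("stale nonce in final message")
        return True

class Controller(Member):
    """U_0, the static member acting as subgroup controller."""
    def step4(self, v0i):                  # {ID_0, N_3, E_V0i(K, h(K || N_3 || ID_0))}
        self.N3 = secrets.randbits(63)
        return self.ident, self.N3, E(v0i, self.K + h(self.K, nb(self.N3), self.ident))
    def step6(self, v0i, c5):
        return ack(v0i, c5, self.N3)

def run_key_distribution(ids=(b"U0", b"U1", b"U2")):
    """Registration, RC -> U_0 (3.3 steps 1-3), inquiry (3.4), U_0 -> U_i (3.3 steps 4-6)."""
    rc = RC()
    id0, *dyn = ids
    u0 = Controller(id0, rc.V(id0))
    members = [Member(i, rc.V(i)) for i in dyn]
    n1, c1 = rc.step1(id0)
    u0.check_final(u0.V, rc.step3(id0, u0.recv_key(u0.V, n1, c1)))
    for ui in members:
        n5 = secrets.randbits(63)          # U_0 asks RC for V_0i instead of storing it
        pt = D(u0.V, rc.inquiry(n5, id0, ui.ident, E(u0.V, h(id0, ui.ident, nb(n5)))))
        v0i = pt[:32]
        if pt[32:] != h(v0i, nb(n5 + 1)):
            raise ValueError("bad tag on inquiry reply")
        sid, n3, c4 = u0.step4(v0i)
        c5 = ui.recv_key(h(sid, ui.V), n3, c4, extra=sid)   # U_i derives V_0i itself
        ui.check_final(h(sid, ui.V), u0.step6(v0i, c5))
    return {m.ident: m.K for m in [u0, *members]}

def replayed_inquiry_rejected():
    """A captured inquiry message replayed to RC is refused by its nonce table."""
    rc, id0, idi, n5 = RC(), b"U0", b"U1", secrets.randbits(63)
    msg = E(rc.V(id0), h(id0, idi, nb(n5)))
    rc.inquiry(n5, id0, idi, msg)
    try:
        rc.inquiry(n5, id0, idi, msg)
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    print(len(set(run_key_distribution().values())) == 1, replayed_inquiry_rejected())
```

`run_key_distribution()` returns the key each party ends up holding; all three entries are the same K because U_i recomputes V_{0i} = h(ID_0 || V_i) locally while RC derives the same value from x, which is what lets RC and U_0 avoid any stored key table. Note that the stand-in cipher gives no integrity of its own: the only thing that catches a ciphertext decrypted under the wrong key is the hash tag inside the plaintext, which is why the code checks the tag before trusting K.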
3.5 The dynamic membership management phase

To ensure forward secrecy and backward secrecy, a secure multicast protocol must update the group key when the group members change. In our scheme RC performs the dynamic membership management for scalability. The join and leave protocols are initiated by the dynamic members. We also consider the situation of a subgroup's static member leaving.

3.5.1 Member joining

When a new member U_i wants to join the service, it must first submit its identity information to RC for registration. If RC accepts this request, it performs the following steps.

Step 1: Compute U_i's secret key V_i = h(x || ID_i).
Step 2: Send V_i to U_i via a secure channel, or store V_i in a smart card and give it to U_i.

After registration, RC updates the group key to K' and sends it to all members to maintain forward secrecy. The following protocol is the group key distribution for each subgroup, where N, N_1, N_2, N_3, N_4 are nonces and JN is the joining-request message.

Step 1: U_i -> RC : {ID_i, JN, N, E_{V_i}(h(ID_i || N || JN))}
Step 2: RC -> U_0 : {N_1, JN, ID_i, E_{V_0}(K', h(K' || N_1 || ID_i || JN))}
Step 3: U_0 -> RC : {E_{V_0}(N_1 + 1, N_2)}
Step 4: RC -> U_0 : {E_{V_0}(N_2 + 1)}
Step 5: U_0 -> U_G : {ID_0, N_3, JN, E_{V_{0i}}(K', h(K' || N_3 || ID_0 || JN))}
Step 6: U_G -> U_0 : {E_{V_{0i}}(N_3 + 1, N_4)}
Step 7: U_0 -> U_G : {E_{V_{0i}}(N_4 + 1)}
In step 1, U_i sends its identity ID_i, a nonce N, the joining message JN and the message E_{V_i}(h(ID_i || N || JN)) to RC to join the service. If RC accepts the request, it executes the grouping protocol and classifies the member U_i into U_0's subgroup. After grouping, RC updates the group key to K' and sends the message {N_1, JN, ID_i, E_{V_0}(K', h(K' || N_1 || ID_i || JN))}, including the new member's joining message, to U_0 in step 2. The nonce N_1 is a fresh random number for freshness checking. The authentication tag h(K' || N_1 || ID_i || JN) is used for verifying the identity of RC. Upon receiving the encrypted message in step 2, U_0 decrypts it using its secret key and derives the new group key K' by computing D_{V_0}(E_{V_0}(K', h(K' || N_1 || ID_i || JN))). Then it checks whether the authentication tag h(K' || N_1 || ID_i || JN) is valid. If the tag is valid, U_0 sends the encrypted message E_{V_0}(N_1 + 1, N_2) back to RC in step 3. The nonce N_2 is for freshness checking. After receiving the encrypted message in step 3, RC decrypts it by computing D_{V_0}(E_{V_0}(N_1 + 1, N_2)) and checks whether the nonce N_1 + 1 is in it for freshness checking. If yes, RC sends E_{V_0}(N_2 + 1) back to U_0 in step 4. Upon receiving E_{V_0}(N_2 + 1), U_0 decrypts it by computing D_{V_0}(E_{V_0}(N_2 + 1)) and checks whether the nonce N_2 + 1 is in it for freshness checking. After step 4, RC has sent the new group key K' to all subgroup heads.

In step 5, U_0 generates a nonce N_3 and sends its ID_0, N_3, JN and the encrypted message E_{V_{0i}}(K', h(K' || N_3 || ID_0 || JN)) to U_G. The nonce N_3 is for freshness checking. After receiving ID_0, N_3 and the encrypted message in step 5, each U_i in U_G decrypts the message by first computing the shared key V_{0i} = h(ID_0 || V_i). Then U_i derives the group key K' by computing D_{V_{0i}}(E_{V_{0i}}(K', h(K' || N_3 || ID_0 || JN))). U_i sends the encrypted message E_{V_{0i}}(N_3 + 1, N_4) back to U_0 in step 6. The nonce N_4 is for freshness checking. Upon receiving the encrypted message in step 6, U_0 decrypts it by computing D_{V_{0i}}(E_{V_{0i}}(N_3 + 1, N_4)) and checks whether the nonce N_3 + 1 is in it for freshness checking. If yes, U_0 sends E_{V_{0i}}(N_4 + 1) back to U_G in step 7. Upon receiving E_{V_{0i}}(N_4 + 1), U_i decrypts it by computing D_{V_{0i}}(E_{V_{0i}}(N_4 + 1)) and checks whether the nonce N_4 + 1 is in it for freshness checking. After finishing these steps, all group members can use the group key K' for secure communication.

3.5.2 Member leaving

If U_i wants to leave the service, the group key needs to be changed. After a member sends the leave-request to RC, RC updates the group key to K'' to protect forward secrecy. The following is the common key updating protocol for each subgroup, where N, N_1, N_2, N_3, N_4 are nonces and LR is the leave-request message.

Step 1: U_i -> RC : {ID_i, N, LR, E_{V_i}(h(ID_i || N || LR))}
Step 2: RC -> U_0 : {N_1, LR, ID_i, E_{V_0}(K'', h(K'' || N_1 || ID_i || LR))}
Step 3: U_0 -> RC : {E_{V_0}(N_1 + 1, N_2)}
Step 4: RC -> U_0 : {E_{V_0}(N_2 + 1)}
Step 5: U_0 -> U_G : {ID_0, N_3, E_{V_{0i}}(K'', h(K'' || N_3 || ID_0))}
Step 6: U_G -> U_0 : {E_{V_{0i}}(N_3 + 1, N_4)}
Step 7: U_0 -> U_G : {E_{V_{0i}}(N_4 + 1)}

In step 1, U_i sends its identity ID_i, a nonce N, LR and the message E_{V_i}(h(ID_i || N || LR)) to RC to leave the service. If RC accepts the request,
then RC updates the group key to K'' and redistributes it to all group members. In step 2, RC sends a nonce N_1, U_i's identity ID_i, the leaving message LR and the message {N_1, LR, ID_i, E_{V_0}(K'', h(K'' || N_1 || ID_i || LR))} to U_0. The nonce N_1 is a fresh random number for freshness checking. The authentication tag h(K'' || N_1 || ID_i || LR) is used for verifying the identity of RC. Upon receiving the encrypted message in step 2, U_0 decrypts it using its secret key and derives the new group key K'' by computing D_{V_0}(E_{V_0}(K'', h(K'' || N_1 || ID_i || LR))). Then it checks whether the authentication tag h(K'' || N_1 || ID_i || LR) is valid. If yes, U_0 sends the encrypted message E_{V_0}(N_1 + 1, N_2) back to RC in step 3. The nonce N_2 is for freshness checking. After receiving the encrypted message in step 3, RC decrypts it by computing D_{V_0}(E_{V_0}(N_1 + 1, N_2)) and checks whether the nonce N_1 + 1 is in it for freshness checking. If yes, RC sends E_{V_0}(N_2 + 1) back to U_0 in step 4. Upon receiving E_{V_0}(N_2 + 1), U_0 decrypts it by computing D_{V_0}(E_{V_0}(N_2 + 1)) and checks whether the nonce N_2 + 1 is in it for freshness checking. After step 4, RC has sent the new group key K'' to all subgroup heads.

In step 5, U_0 generates a nonce N_3 and sends its ID_0, N_3 and the encrypted message E_{V_{0i}}(K'', h(K'' || N_3 || ID_0)) to U_G. The nonce N_3 is for freshness checking. After receiving ID_0, N_3 and the encrypted message in step 5, each U_i in U_G decrypts the message by first computing the shared key V_{0i} = h(ID_0 || V_i). Then U_i derives the group key K'' by computing D_{V_{0i}}(E_{V_{0i}}(K'', h(K'' || N_3 || ID_0))) and checks whether the authentication tag h(K'' || N_3 || ID_0) is valid. If yes, U_i sends E_{V_{0i}}(N_3 + 1, N_4) back to U_0 in step 6. The nonce N_4 is for freshness checking. Upon receiving the encrypted message in step 6, U_0 decrypts it by computing D_{V_{0i}}(E_{V_{0i}}(N_3 + 1, N_4)) and checks whether the nonce N_3 + 1 is in it for freshness checking. If yes, U_0 sends E_{V_{0i}}(N_4 + 1) back to U_G in step 7. Upon receipt of E_{V_{0i}}(N_4 + 1), U_i decrypts it by computing D_{V_{0i}}(E_{V_{0i}}(N_4 + 1)) and checks whether the nonce N_4 + 1 is in it for freshness checking. After finishing these steps, all group members can use the new group key K'' for secure communication.

3.5.3 Reconfiguration

If the static member U_0 wants to leave the service, the group key needs to be updated. The following are the rekey operations required.

3.5.3.1 The grouping phase

After the static member U_0 sends the leave-request to RC, RC chooses another member U_i as the new static member of this subgroup G. For simplicity, we exchange ID_i with ID_0 and publish it.

3.5.3.2 The key distribution phase

RC updates the group key to K' to protect forward secrecy and sends it to the other members except U_i. The following protocol is the group key distribution for each subgroup, where N, N_1, N_2, N_3, N_4 are nonces and SLR is the static member leave-request message.

Step 1: U_i -> RC : {ID_i, N, SLR, E_{V_i}(h(ID_i || N || SLR))}
Step 2: RC -> U_0 : {N_1, SLR, ID_i, E_{V_0}(K', h(K' || N_1 || ID_i || SLR))}
Step 3: U_0 -> RC : {E_{V_0}(N_1 + 1, N_2)}
Step 4: RC -> U_0 : {E_{V_0}(N_2 + 1)}
Step 5: U_0 -> U_G : {ID_0, N_3, E_{V_{0i}}(K', h(K' || N_3 || ID_0 || SLR))}
Step 6: U_G -> U_0 : {E_{V_{0i}}(N_3 + 1, N_4)}
Step 7: U_0 -> U_G : {E_{V_{0i}}(N_4 + 1)}

In step 1, U_i sends its identity ID_i, a nonce N, SLR and the message E_{V_i}(h(ID_i || N || SLR)) to RC to leave the service. If RC accepts the request, RC updates the group key to K' and redistributes it to all group members. After grouping, RC sends a nonce N_1, U_i's identity ID_i, the leaving message SLR and the message {N_1, SLR, ID_i, E_{V_0}(K', h(K' || N_1 || ID_i || SLR))} to the new U_0 in step 2. The nonce N_1 is a fresh random number for freshness checking. The authentication tag h(K' || N_1 || ID_i || SLR) is used for verifying the identity of RC. Upon receiving the message in step 2, U_0 decrypts it using its secret key and derives the new group key K' by computing D_{V_0}(E_{V_0}(K', h(K' || N_1 || ID_i || SLR))). Then it checks whether the authentication tag h(K' || N_1 || ID_i || SLR) is valid. If yes, U_0 sends the encrypted message E_{V_0}(N_1 + 1, N_2) back to RC in step 3. The nonce N_2 is for freshness checking. After receiving the encrypted message in step 3, RC decrypts it by computing D_{V_0}(E_{V_0}(N_1 + 1, N_2)) and checks whether the nonce N_1 + 1 is in it for freshness checking. If yes, RC sends E_{V_0}(N_2 + 1) back to U_0 in step 4. Upon receiving E_{V_0}(N_2 + 1), U_0 decrypts it by computing D_{V_0}(E_{V_0}(N_2 + 1)) and checks whether the nonce N_2 + 1 is in it for freshness checking. After step 4, RC has sent the new group key K' to all subgroup heads.

In step 5, U_0 generates a nonce N_3 and sends its ID_0, N_3 and the encrypted message E_{V_{0i}}(K', h(K' || N_3 || ID_0 || SLR)) to U_G. The nonce N_3 is for freshness checking. After receiving ID_0, N_3 and the encrypted message in step 5, each U_i in U_G decrypts the message by first computing the shared key V_{0i} = h(ID_0 || V_i). Then U_i derives the group key K' by computing D_{V_{0i}}(E_{V_{0i}}(K', h(K' || N_3 || ID_0 || SLR))) and checks whether the authentication tag h(K' || N_3 || ID_0 || SLR) is valid. If yes, U_i sends E_{V_{0i}}(N_3 + 1, N_4) back to U_0 in step 6. The nonce N_4 is for freshness checking. Upon receiving the encrypted message in step 6, U_0 decrypts it by computing D_{V_{0i}}(E_{V_{0i}}(N_3 + 1, N_4)) and checks whether the nonce N_3 + 1 is in it for freshness checking. If yes, U_0 sends the encrypted message E_{V_{0i}}(N_4 + 1) back to U_G in step 7. Upon receipt of E_{V_{0i}}(N_4 + 1), U_i decrypts it by computing D_{V_{0i}}(E_{V_{0i}}(N_4 + 1)) and checks whether the nonce N_4 + 1 is in it for freshness checking. After finishing all steps, all group members can use the new group key K' for secure communication.

4. Security analysis

In this section we analyze the security of our proposed scheme.

(1) The secret key V_i = h(x || ID_i) of each member,
18 IJCSNS Internatonal Journal of Computer Scence and Networ Securty VOL.6 No.8B August 006 computed by RC and the shared secret ey V 0 = V ID 0) between U 0 and U are both protected by the secure one-way hash functon h (). It s nfeasble to compute V wthout nowng the secret nformaton x of RC. It s also nfeasble to compute V 0 wthout nowng the secret nformaton x or V. () The replay attac fals snce the freshness of messages transmtted n ey dstrbuton phase s provde by the nonces N N 1 N N3 N. Only vald partcpants can put the related nonces generated by the elgble partner n the encrypted message. The authentcaton tags are used to mae sure that the receved messages were correctly sent by the elgble partners. (3) In the dynamc membershp management phase the group ey s updated when members on leave or reconfgure. It provdes forward and bacward secrecy. In our scheme for mprovng the reparablty mentoned n [9 10] the shared eys V x ID ) stored n U = 's smart card can be replaced wth the new value V = x ID ) where s the number of tmes that U has revoed hs used secret ey V. Ths approach requres RC to record the number n hs database or U to send the number to hs subgroup controller n ey dstrbuton. 5. Performance analyss Table 1: Number of eys stored for our proposed scheme and related schemes Group controller Subgroup controller Iolus [13] Aslan s scheme [1] Our Scheme N n 1 N N-1 N Each member 1 h 1 We analyze the number of stored eys for our proposed scheme and the related schemes [1 13] n Table 1. We assume the total number of subgroups n [1 13] and our scheme s n. The number of each subgroup members s N. Therefore members of the whole group are n* N. The heght of the protocol s tree n [1] s h = (logd N) +1 where d s the degree of the tree. In our scheme the shared ey V x ID ) and = V V ID ) can be computed by the master secret 0 = 0 x and RC only has to eep secretly the master ey x. 
Each subgroup controller needs to store N-1 shared keys V_{i0} = h(V_i, ID_0), inquired from the group controller, with his subgroup members, and one shared key V_0 = h(x, ID_0) with the group controller. Each subgroup member U_i only needs to store one secret key V_i = h(x, ID_i). In Iolus [13], the group controller needs to store n shared keys with n subgroup controllers. Each subgroup controller needs to store N-1 shared keys with his N-1 subgroup members and at least one shared key with his nearest subgroup controller. Each subgroup member only needs to store one shared secret key with his subgroup controller. In Aslan's protocol [1], the group controller needs to store n shared keys with n subgroup controllers. Each subgroup controller needs to store 2N-2 shared keys, including N-1 KEKs and N-1 LKH keys, with his N-1 subgroup members and at least one shared key with his nearest subgroup controller. The total number of keys is (N-1)+(N-1)+1 = 2N-1. Each subgroup member needs to store h shared secret keys with his subgroup controller.

Table 2: Computation cost of a multicast message for our proposed scheme and related schemes

                      Encryption/decryption operations   Encryption/decryption operations
                      for all subgroup controllers       for each subgroup member
Iolus [13]            3n-2                               1
Aslan's scheme [1]    3n-2                               1
Our scheme            0                                  1

The number of encryption/decryption operations for a multicast message in each subgroup controller and member, for our scheme and the related schemes, is presented in Table 2. In our scheme, the subgroup controllers need not do any encryption or decryption for multicasting a message. Each subgroup member needs to do one encryption or decryption operation when a multicast message is transmitted. In the schemes [1, 13], all subgroup controllers need to do message translation. This task needs at least 3n-2 encryption or decryption operations: 1 decryption operation and n-1 encryption operations by the sender subgroup controller, plus n-1 decryption operations and n-1 encryption operations for all other n-1 subgroup controllers.

Table 3: Comparison between our proposed scheme and related schemes

                                            Iolus [13]   Aslan's scheme [1]   Our scheme
No key table                                No           No                   Yes
Mutual authentication                       No           No                   Yes
Computation cost of multicasting messages   High         High                 Very low
Secret key generation                       No           No                   Yes

We summarize the functionality of the related schemes [1, 13] and our scheme in Table 3. In the schemes [1, 13], the group controller must store the shared keys for all subgroup controllers. In our scheme, the registration center RC needs only to protect his master secret key x. The subgroup controller and subgroup members can authenticate each other in our scheme. The computation cost of multicasting messages in our scheme is very low compared to the schemes [1, 13]. We also address the shared key generation between RC and subgroup controllers, between RC and subgroup members, and between subgroup controllers and subgroup members.

6. Concluding remarks

In this paper, we have proposed an efficient and flexible decentralized multicast key distribution scheme. Our scheme does not need a shared key table between the registration center and all users, which reduces the key storage risk, and its computation cost is very low. In our scheme, when a subgroup member wants to transmit messages to other subgroups, these messages can be encrypted by the group key.
It does not have the bottleneck problem in subgroup heads. The subgroup heads can authenticate each subgroup member. The Key Encryption Keys distribution between the key center and all members is addressed in our proposed scheme but not considered in other related schemes.

Acknowledgments

This work was supported in part by the National Science Council of Republic of China under contracts NSC 9-13-E-18-001 and NSC 95-1-E-18-00-MY.

References

[1] H. Aslan, "A Scalable and Distributed Multicast Security Protocol Using a Subgroup-Key Hierarchy," Computers and Security, Vol. 23, pp. 320-329, 2004.
[2] A. Ballardie, "Scalable Multicast Key Distribution," RFC 1949, 1996.
[3] M. Burmester, Y. Desmedt, "A Secure and Efficient Conference Key Distribution System," in Advances in Cryptology, EUROCRYPT '94, A. De Santis, Ed., Lecture Notes in Computer Science 950, Springer-Verlag, New York, pp. 275-286, 1994.
[4] R. Canetti, J. Garay, G. Itkis, D. Micciancio, M. Naor, B. Pinkas, "Multicast Security: A Taxonomy and Some Efficient Constructions," in Proceedings of the IEEE INFOCOM, Vol. 2, pp. 708-716, 1999.
[5] R. Canetti, T. Malkin, K. Nissim, "Efficient Communication-Storage Tradeoffs for Multicast Encryption," in Advances in Cryptology, EUROCRYPT '99, J. Stern, Ed., Lecture Notes in Computer Science 1599, Springer-Verlag, New York, pp. 459-474, 1999.
[6] H. Harney, C. Muckenhirn, "Group Key Management Protocol (GKMP) Specification," RFC 2093, 1997.
[7] H. Harney, C. Muckenhirn, "Group Key Management Protocol (GKMP) Architecture," RFC 2094, 1997.
[8] G. Horng, "Cryptanalysis of a Key Management Scheme for Secure Multicast Communications," IEICE Trans. Communications, Vol. E85-B, No. 5, pp. 1050-1051, 2002.
[9] T. Hwang and W. Ku, "Reparable Key Distribution Protocols for Internet Environments," IEEE Trans. on Communications, Vol. 43, No. 5, pp. 1947-1950, 1995.
[10] W. Ku and S. Chen, "Weaknesses and Improvements of an Efficient Password Based Remote User Authentication Scheme Using Smart Cards," IEEE Trans. on Consumer Electronics, Vol. 50, No. 1, pp. 204-207, 2004.
[11] M. Li, R. Poovendran, C. Berenstein, "Design of Secure Multicast Key Management Schemes with Communication Budget Constraint," IEEE Communications Letters, Vol. 6, No. 3, pp. 108-110, 2002.
[12] R. Merkle, "One Way Hash Functions and DES," in G. Brassard (ed.), Advances in Cryptology, CRYPTO '89, LNCS 435, pp. 428-446, Springer, New York, 1989.
[13] S. Mittra, "Iolus: A Framework for Scalable Secure Multicasting," in Proceedings of ACM SIGCOMM, pp. 277-288, 1997.
[14] NIST, FIPS PUB 197, "Announcing the Advanced Encryption Standard (AES)," National Institute of Standards and Technology, U.S. Department of Commerce, 2001.
[15] A. Perrig, D. Song, J. Tygar, "A New Protocol for Efficient Large-Group Key Distribution," in Proceedings of the IEEE Symposium on Security and Privacy, IEEE Computer Society Press, Los Alamitos, Calif., 2001.
[16] S. Rafaeli, D. Hutchison, "A Survey of Key Management for Secure Group Communication," ACM Computing Surveys, Vol. 35, No. 3, pp. 309-329, 2003.
[17] O. Rodeh, K. Birman, D. Dolev, "Optimized Group Rekey for Group Communication Systems," in Network and Distributed System Security, San Diego, Calif., Feb. 2000.
[18] M. Steiner, G. Tsudik, M. Waidner, "Diffie-Hellman Key Distribution Extended to Group Communication," in SIGSAC: Proceedings of the 3rd ACM Conference on Computer and Communications Security, New York, pp. 31-37, 1996.
[19] R. Wittmann, M. Zitterbart, Multicast Communication: Protocols and Applications, Morgan Kaufmann Publishers, 2001.
[20] C. Wong, M. Gouda, S. Lam, "Secure Group Communication Using Key Graphs," IEEE/ACM Transactions on Networking, Vol. 8, No. 1, pp. 16-30, 2000.

Wen-Shenq Juang received his master's degree in Computer Information Science from National Chiao Tung University in 1993 and his Ph.D. degree in electrical engineering from National Taiwan University in 1998. He joined the Department of Information Management, Shih Hsin University, Taipei, Taiwan, in 2000 as an assistant professor. He is currently an associate professor in the same department. Dr. Juang's current research interests include applied cryptography, information security and network security.

Jyan-Cwan Wu is now working toward the MS degree in Information Management at Shih Hsin University, Taiwan. His current interests include information security, electronic commerce and network security.