Group Rekeying in the Exclusive Subset-Cover Framework

Abstract

Group Rekeying deals with the problem about how to efficiently and securely distribute a new group key GK to remaining legitimate users when there are changes in group membership (join/leave). Given a universe U of n users, an exclusive keyKS for an arbitrary subset S⊂U is a long-term key shared by all users in U∖S. Hence we can distribute a new group key GK encrypted under KS such that all users in U except those in S can decrypt it during group rekeying. This method allows us to exclude S from the group with a rekey message whose length is just one single encrypted key. In this paper, we use this idea to extend the famous Subset-Cover Framework to obtain its exclusive version — Exclusive Subset-Cover Framework. We provide sufficient conditions that guarantee the security of any stateless group rekeying protocol in this framework. We propose a concrete exclusive subset-cover protocol called exclusive complete subtree protocol. Compared with existing 1-resilient stateless group rekeying protocols, this protocol achieves not only constant communication overhead but also better computational efficiency as well as better collusion resistance. From this protocol, it is easy to obtain a 1-resilient stateful group rekeying protocol which also outperforms the existing 1-resilient stateful protocols. Recent researches have proved some lower bounds on the communication complexity of group rekeying protocols. These bounds suggest that it is impossible to achieve a lower communication overhead without trading off some degree of collusion resistance. However, there are application scenarios which require communication overhead below these bounds. We show that any 1-resilient stateless group rekeying protocol with constant communication overhead can be used in tandem with a Subset-Cover based protocol to construct a hybrid protocol with tunable collusion-bandwidth tradeoffs.