Scalable and Reliable Key Distribution

1/　

Ryuzou NISHI†

† Institute of Systems & Information Technologies (ISIT)

2/ 　

Introduction Appearance of a large variety of application of an information and telecommunication 　e.g. Internet, Home automation, Sensor network, and so on 　 　

In the conventional point-to-point communication, scalability is a issue.

Broadcast communication is desired

Issues of broadcast security

1. Communication reliability ・ Re-transmission request is a large load to transmitter ・ In a case of failure of receiving keys, it is impossible to decrypt following messages

2. Communication overhead frequent key-update cause communication overhead, and the overhead causes a degradation of communication reliability

Area ： Key distribution for group key update in case of members' joining in or leaving from group in channel of poor quality, e.g. wireless, power line communication. Group key is used to encrypt or decrypt messages and is shared among all the members of a group.

Goal ： Reliable group key update where rekey message size is independent of group size,

Introduction Our work

Previous Work scalability

4/　

□ GKMP : Group Key Management Protocol Key server distributes an updated key to each member through unicast cannel O(N)

□ LKH ： Logical Key Hierarchy

O(N) → 　 O(log(N))

Kd Ke Kf

M1 M2 M3 M4

Kb

Ka

Kc

Kg

group key

Previous Work reliability

5/　

□ FEC : Forward Error Correction

In a sender, redundancy is added into an original data. If data error occur on the way, a receiver corrects the error.

　　 method 　　 coding gain　　 BCH 　 　　 2.1 dB Convolution 　 5.1 dB 　　　

Proposal : Basic idea

□ Updated key is distributed by using Direct Sequence Spread Spectrum (DS-SS) communication scheme which spreading code are M-sequences (maximal-length sequences) 　　

6/　

1 bit

1 period

ｔ ime

ｔ ime

Updated group key

secret key M-sequence

secret key

IDshift

multiplexerUpdated group key

M-sequence

Proposal : Cyclic shift M-sequence

7/　

M-sequences 1 period

M-sequences' auto-correlation curve

i=j point

M-sequences （ u0,u1, ・・・ ,uN-

1)Cyclic shift M-sequences Ui = （ ui,ui+1, ・・・ ,uN-1 , u0, ・・・ ,

ui-1)A cross-correlation between Ui and Uj is maximum N at i=j, and -1 at i≠ ｊ .And a cross-correlation between － Ui and Uj is maximum -N at i=j, and +1 at i≠ ｊ .

ui = +1 or -1 　 N: sequence's length

Proposal : Setup

8/　

1. The key server sends the secret key to each member in secure channel where secret key is depicted by GK digits and maximum number of each digit is N-1

2. The key server regroup all member into subgroups where the maximum number of members of each subgroup is N

3. The key server sends the M-sequences and ID(1,2,...,GK) Where a different subgroup uses a different M-sequence and each member of a same subgroup uses a different cyclic shift M- sequence generated from a same M-sequence.

subgroup #1subgroup #2

subgroup #Ns

・・・

M-seq.M1

M-seq.M2

M-seq.MNs

ID1

ID2 IDNs

Key server

9/　

Proposal : Basic idea

□ Updated key is distributed by using Direct Sequence Spread Spectrum (DS-SS) communication scheme which spreading code are M-sequences (maximal-length sequences) 　　

1 bit

1period

ｔ ime

ｔ ime

Updated group key

secret key M-sequence

secret key

IDshift

multiplexerUpdated group key

M-sequence

Proposal : Secret key → 　 M-sequenceIn the case that the number of k digit of member M1's secret key is ik, cyclic shift M-sequence （ uik,ui

k+1, ・・・ ,uN-1 , u0, ・・・ ,uik-1 ） is generated by cyclically shifting M-sequence （ u0,u1, ・・・ ,uN-1) ik times. About each digit of the secret key, similar process are done. 　

timeM-seq. １ period

（ ui1,ui1+1, ・・・ ,uN-1 , u0, ・・・ ,ui1-1 ）

１ -st digit

（ uiGK,uiGK+1, ・・・ ,uN-1 , u0, ・・・ ,uiGK-1 ）・・・

GK-th digit

M-seq. １ period

10/　

11/　

Proposal : Basic idea

□ Updated key is distributed by using Direct Sequence Spread Spectrum (DS-SS) communication scheme which spreading code are M-sequences (maximal-length sequences) 　　

1 bit

1period

ｔ ime

ｔ ime

Updated group key

secret key M-sequence

secret key

IDshift

multiplexerUpdated group key

M-sequence

Proposal : ID shift and multiplier

□ 　 Sequence （ Kid,Kid+1, ・・・ ,KGK-1 , K

0, ・・・ ,Kid-1 ） is generated by cyclically shifting updated group key （ K0,K1, ・・・ ,KGK-1) id (value of ID) times.

□ 　 k-th value GKk(= +1or -1) of the sequence is multiplied with cyclic shift M-sequence （ uik,uik+1, ・・・ ,uN-1, u0, ・・・ ,uik-1 ）

12/　

timeGK1 × （ ui1,ui1+1, ・・・ ,uN-1 , u0, ・・・ ,ui1-1 ）

１ -st digit

GKNr × （ uiNr,uiNr+1, ・・・ ,uN-1 , u0, ・・・ ,uiNr-1 ）・・・GK-th digit

M-seq. １ period M-seq. １ period

13/　

Proposal : Basic idea

□ Updated key is distributed by using Direct Sequence Spread Spectrum (DS-SS) communication scheme which spreading code are M-sequences (maximal-length sequences) 　　

1 bit

1period

ｔ ime

ｔ ime

Updated group key

secret key M-sequence

secret key

IDshift

multiplexerUpdated group key

M-sequence

Proposal : Multiplexer

□ 　 Multiplier's outputs of all members are multiplexed as follows.

For example, multiplexing of two members whose output sequence are U （ u0,u1, ・・・ ,uN-1) and U' （ u'0,u'1, ・・・ ,u'N-1) output seq. U （ u0,u1, ・・・ ,uN-1)

+output seq. U' （ u'0,u'1, ・・・ ,u'N-1)

multiplexed seq. U+U' （ u0+u'0, u1+u'1, ・・・ , uN-

1+ u'N-1)

14/　

Proposal : Decoding of group key

15/　

・・・

2N length shift-register

2N length reference shift-register

adder

・・・

sam

ple

r decoded GK

received signal

Group key bit can be decoded from the polarity of the adder’s output

Proposal : Decoding of group key

16/　

・・・

2N length shift-register

2N length reference shift-register

adder

・・・

sam

ple

r

decoded GK

received signal

Decoder's output includes the following signals

・ auto-correlation ( this corresponds to sent group key )

・ closs-correlation between cyclic shift M-sequences which shift times are different, but original M-sequence is same.

・ closs-correlation between different M-sequences

Proposal : Example of decoder's output

17/　

Supportable group size GKk(+)1bit quant. (+)

1bitquant.(-)

126

109

44

-126

-125

-188

19 -15

25 -9

127 ×2

127 ×3

group key size:128 bits 、 M-sequence size 127bit

group size （ number of members ）

rekey message size (bit)

3 ×127

128× 3 ×127 GKMP

128× 127 proposal

127

GKk(-)

127 ×4

GKk(+) : decoder’s output when polarity of the sent group key is plus(+)GKk( － ) : decoder’s output when polarity of the sent group key is minus( － )1bit quant. (+) : multiplexer’s output is quantized by 1bit when polarity of the sent group key is plus(+)1bit quant. ( － ) : multiplexer’s output is quantized by 1bit when polarity of the sent group key is plus( － )The larger decoder‘s output absolute becomes, the stronger the immunity to the noise becomes.

Proposal : Reliability

・ Conventional approach ( approach using FEC without ARQ ) 　　　　　　 improved SNR ( by coding gain )　　　　 5 dB ( coding ratio : 0.5 、 convolutional coding )

・ Proposal 　 improved SNR ( by despreading effect )　　　　 16 dB ( = 10 * log(44) )

Criterion : improved SNR for required reliability (error rate)

SNR : Signal to Noise Ratio

18/　

Proposal : Security

19/　

The proposal’s security is based on that member which should be revoked, does not know the number of times of the shift of cyclic shift M-sequences of other members

Can an attacker know the number of times of the shift, if heknow the original M-sequence and get the receiver?…No.Because the decoder output is multiplexed signal as follows.Only legitimate member who knows the number of times of the shift, can decode group key.

Decoder output

ConclusionWe propose the scalable and reliable key distributionscheme where rekey message size is indepedent of group size by using DS-SS communication scheme which spreading code is M-sequences including cyclicshift M-sequences.

The proposal improves the reliability of key and reduces the rekey message size.

20/