Paper 2024/1097

The Cost of Maintaining Keys in Dynamic Groups with Applications to Multicast Encryption and Group Messaging

Michael Anastos, ISTA
Benedikt Auerbach, PQShield
Mirza Ahad Baig, ISTA
Miguel Cueto Noval, ISTA
Matthew Kwan, ISTA
Guillermo Pascual-Perez, ISTA
Krzysztof Pietrzak, ISTA
Abstract

In this work we prove lower bounds on the (communication) cost of maintaining a shared key among a dynamic group of users. Being "dynamic'' means one can add and remove users from the group. This captures important protocols like multicast encryption (ME) and continuous group-key agreement (CGKA), which is the primitive underlying many group messaging applications. We prove our bounds in a combinatorial setting where the state of the protocol progresses in rounds. The state of the protocol in each round is captured by a set system, with each of its elements specifying a set of users who share a secret key. We show this combinatorial model implies bounds in symbolic models for ME and CGKA that capture, as building blocks, PRGs, PRFs, dual PRFs, secret sharing, and symmetric encryption in the setting of ME, and PRGs, PRFs, dual PRFs, secret sharing, public-key encryption, and key-updatable public-key encryption in the setting of CGKA. The models are related to the ones used by Micciancio and Panjwani (Eurocrypt'04) and Bienstock et al. (TCC'20) to analyze ME and CGKA, respectively. We prove - using the Bollobás' Set Pairs Inequality - that the cost (number of uploaded ciphertexts) for replacing a set of $d$ users in a group of size $n$ is $\Omega(d\ln(n/d))$. Our lower bound is asymptotically tight and both improves on a bound of $\Omega(d)$ by Bienstock et al. (TCC'20), and generalizes a result by Micciancio and Panjwani (Eurocrypt'04), who proved a lower bound of $\Omega(\log(n))$ for $d=1$.

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
A major revision of an IACR publication in TCC 2024
DOI
10.1007/978-3-031-78011-0_14
Keywords
group messagingcontinuous group key agreementCGKAmulticast encryptionlower bound
Contact author(s)
michael anastos @ ista ac at
benedikt auerbach @ pqshield com
mbaig @ ista ac at
mcuetono @ ista ac at
matthew kwan @ ista ac at
gpasper @ proton me
pietrzak @ ista ac at
History
2024-12-09: revised
2024-07-05: received
See all versions
Short URL
https://ia.cr/2024/1097
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2024/1097,
      author = {Michael Anastos and Benedikt Auerbach and Mirza Ahad Baig and Miguel Cueto Noval and Matthew Kwan and Guillermo Pascual-Perez and Krzysztof Pietrzak},
      title = {The Cost of Maintaining Keys in Dynamic Groups with Applications to Multicast Encryption and Group Messaging},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/1097},
      year = {2024},
      doi = {10.1007/978-3-031-78011-0_14},
      url = {https://eprint.iacr.org/2024/1097}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.