---
_id: '10408'
abstract:
- lang: eng
  text: 'Key trees are often the best solution in terms of transmission cost and storage
    requirements for managing keys in a setting where a group needs to share a secret
    key, while being able to efficiently rotate the key material of users (in order
    to recover from a potential compromise, or to add or remove users). Applications
    include multicast encryption protocols like LKH (Logical Key Hierarchies) or group
    messaging like the current IETF proposal TreeKEM. A key tree is a (typically balanced)
    binary tree, where each node is identified with a key: leaf nodes hold users’
    secret keys while the root is the shared group key. For a group of size N, each
    user just holds   log(N)  keys (the keys on the path from its leaf to the root)
    and its entire key material can be rotated by broadcasting   2log(N)  ciphertexts
    (encrypting each fresh key on the path under the keys of its parents). In this
    work we consider the natural setting where we have many groups with partially
    overlapping sets of users, and ask if we can find solutions where the cost of
    rotating a key is better than in the trivial one where we have a separate key
    tree for each group. We show that in an asymptotic setting (where the number m
    of groups is fixed while the number N of users grows) there exist more general
    key graphs whose cost converges to the cost of a single group, thus saving a factor
    linear in the number of groups over the trivial solution. As our asymptotic “solution”
    converges very slowly and performs poorly on concrete examples, we propose an
    algorithm that uses a natural heuristic to compute a key graph for any given group
    structure. Our algorithm combines two greedy algorithms, and is thus very efficient:
    it first converts the group structure into a “lattice graph”, which is then turned
    into a key graph by repeatedly applying the algorithm for constructing a Huffman
    code. To better understand how far our proposal is from an optimal solution, we
    prove lower bounds on the update cost of continuous group-key agreement and multicast
    encryption in a symbolic model admitting (asymmetric) encryption, pseudorandom
    generators, and secret sharing as building blocks.'
acknowledgement: B. Auerbach, M.A. Baig and K. Pietrzak—received funding from the
  European Research Council (ERC) under the European Union’s Horizon 2020 research
  and innovation programme (682815 - TOCNeT); Karen Klein was supported in part by
  ERC CoG grant 724307 and conducted part of this work at IST Austria, funded by the
  ERC under the European Union’s Horizon 2020 research and innovation programme (682815
  - TOCNeT); Guillermo Pascual-Perez was funded by the European Union’s Horizon 2020
  research and innovation programme under the Marie Skłodowska-Curie Grant Agreement
  No. 665385; Michael Walter conducted part of this work at IST Austria, funded by
  the ERC under the European Union’s Horizon 2020 research and innovation programme
  (682815 - TOCNeT).
alternative_title:
- LNCS
article_processing_charge: No
author:
- first_name: Joel F
  full_name: Alwen, Joel F
  id: 2A8DFA8C-F248-11E8-B48F-1D18A9856A87
  last_name: Alwen
- first_name: Benedikt
  full_name: Auerbach, Benedikt
  id: D33D2B18-E445-11E9-ABB7-15F4E5697425
  last_name: Auerbach
  orcid: 0000-0002-7553-6606
- first_name: Mirza Ahad
  full_name: Baig, Mirza Ahad
  id: 3EDE6DE4-AA5A-11E9-986D-341CE6697425
  last_name: Baig
- first_name: Miguel
  full_name: Cueto Noval, Miguel
  id: ffc563a3-f6e0-11ea-865d-e3cce03d17cc
  last_name: Cueto Noval
- first_name: Karen
  full_name: Klein, Karen
  id: 3E83A2F8-F248-11E8-B48F-1D18A9856A87
  last_name: Klein
- first_name: Guillermo
  full_name: Pascual Perez, Guillermo
  id: 2D7ABD02-F248-11E8-B48F-1D18A9856A87
  last_name: Pascual Perez
  orcid: 0000-0001-8630-415X
- first_name: Krzysztof Z
  full_name: Pietrzak, Krzysztof Z
  id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
  last_name: Pietrzak
  orcid: 0000-0002-9139-1654
- first_name: Michael
  full_name: Walter, Michael
  id: 488F98B0-F248-11E8-B48F-1D18A9856A87
  last_name: Walter
  orcid: 0000-0003-3186-2482
citation:
  ama: 'Alwen JF, Auerbach B, Baig MA, et al. Grafting key trees: Efficient key management
    for overlapping groups. In: <i>19th International Conference</i>. Vol 13044. Springer
    Nature; 2021:222-253. doi:<a href="https://doi.org/10.1007/978-3-030-90456-2_8">10.1007/978-3-030-90456-2_8</a>'
  apa: 'Alwen, J. F., Auerbach, B., Baig, M. A., Cueto Noval, M., Klein, K., Pascual
    Perez, G., … Walter, M. (2021). Grafting key trees: Efficient key management for
    overlapping groups. In <i>19th International Conference</i> (Vol. 13044, pp. 222–253).
    Raleigh, NC, United States: Springer Nature. <a href="https://doi.org/10.1007/978-3-030-90456-2_8">https://doi.org/10.1007/978-3-030-90456-2_8</a>'
  chicago: 'Alwen, Joel F, Benedikt Auerbach, Mirza Ahad Baig, Miguel Cueto Noval,
    Karen Klein, Guillermo Pascual Perez, Krzysztof Z Pietrzak, and Michael Walter.
    “Grafting Key Trees: Efficient Key Management for Overlapping Groups.” In <i>19th
    International Conference</i>, 13044:222–53. Springer Nature, 2021. <a href="https://doi.org/10.1007/978-3-030-90456-2_8">https://doi.org/10.1007/978-3-030-90456-2_8</a>.'
  ieee: 'J. F. Alwen <i>et al.</i>, “Grafting key trees: Efficient key management
    for overlapping groups,” in <i>19th International Conference</i>, Raleigh, NC,
    United States, 2021, vol. 13044, pp. 222–253.'
  ista: 'Alwen JF, Auerbach B, Baig MA, Cueto Noval M, Klein K, Pascual Perez G, Pietrzak
    KZ, Walter M. 2021. Grafting key trees: Efficient key management for overlapping
    groups. 19th International Conference. TCC: Theory of Cryptography, LNCS, vol.
    13044, 222–253.'
  mla: 'Alwen, Joel F., et al. “Grafting Key Trees: Efficient Key Management for Overlapping
    Groups.” <i>19th International Conference</i>, vol. 13044, Springer Nature, 2021,
    pp. 222–53, doi:<a href="https://doi.org/10.1007/978-3-030-90456-2_8">10.1007/978-3-030-90456-2_8</a>.'
  short: J.F. Alwen, B. Auerbach, M.A. Baig, M. Cueto Noval, K. Klein, G. Pascual
    Perez, K.Z. Pietrzak, M. Walter, in:, 19th International Conference, Springer
    Nature, 2021, pp. 222–253.
conference:
  end_date: 2021-11-11
  location: Raleigh, NC, United States
  name: 'TCC: Theory of Cryptography'
  start_date: 2021-11-08
date_created: 2021-12-05T23:01:42Z
date_published: 2021-11-04T00:00:00Z
date_updated: 2023-08-14T13:19:39Z
day: '04'
department:
- _id: KrPi
doi: 10.1007/978-3-030-90456-2_8
ec_funded: 1
external_id:
  isi:
  - '000728363700008'
intvolume: '     13044'
isi: 1
language:
- iso: eng
main_file_link:
- open_access: '1'
  url: https://eprint.iacr.org/2021/1158
month: '11'
oa: 1
oa_version: Preprint
page: 222-253
project:
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
  call_identifier: H2020
  grant_number: '682815'
  name: Teaching Old Crypto New Tricks
- _id: 2564DBCA-B435-11E9-9278-68D0E5697425
  call_identifier: H2020
  grant_number: '665385'
  name: International IST Doctoral Program
publication: 19th International Conference
publication_identifier:
  eisbn:
  - 978-3-030-90456-2
  eissn:
  - 1611-3349
  isbn:
  - 9-783-0309-0455-5
  issn:
  - 0302-9743
publication_status: published
publisher: Springer Nature
quality_controlled: '1'
scopus_import: '1'
status: public
title: 'Grafting key trees: Efficient key management for overlapping groups'
type: conference
user_id: 4359f0d1-fa6c-11eb-b949-802e58b17ae8
volume: 13044
year: '2021'
...