 Hi, I'm Benedict, and in this video, I'm going to give an overview on our paper Grafting Key Trees Efficient Key Management for Overlapping Groups This is joint work with Joel, Ahad, Miguel, Kahn, Guillermo, Krzysztof and Michael I will start with a short introduction into Key Trees, concretely actually one of their main applications, Continuous Group Key Agreement So in the setting of Continuous Group Key Agreement, a group of users wants to establish a shared key that then is supposed to secure the communication within the group And we assume this group to be long-lived, so users want to be able to regularly rotate the key material known to them On one hand this is to achieve forward secrecy, but on the other hand users might get corrupted and their keys might leak So updating those keys should re-establish security of the communication And of course, when one wants this operation to have a communication cost, that is as small as possible Now the structure, which is at core of efficient CGKA schemes, are usually key trees So this is a dilirected tree where the group key corresponds to the root and the users correspond to the leaves of the tree and every node is associated with a key pair of an asymmetric encryption scheme So you can think of the group key just being the secret key at the root Now the iteration behind this construction is that edges mean that knowledge of the key of the node that the edge starts in implies knowledge of the key of the other node So we have the following key invariant Every user knows exactly the secret keys of nodes that lie on the path from their leaf to the root And the nice thing about this construction is that we are able to very cheaply update keys So to see this, let's assume that one user gets corrupted and their keys leak So to perform an update, the user would now sample fresh keys for all the nodes on their path in a sequential way from leaf to root And of course, this change now has to be communicated to the rest of the group And to do so, the user would encrypt every new key under the public key of its co-parent That is the parent that is not part of the update path And every user below such a node is now able to recover this new key by decrypting And then in turn is able to recover the remaining secret keys up to the root Now the update cost of this operation just corresponds to the number of ciphertexts that have to be generated So it corresponds to the length of the update path And if you use a balanced binary tree, then this cost is going to be logarithmic in the number of users And we re-establish security of the key tree Key trees are used, for example, as I said, in the construction of CGKA For example, in the current standardization effort for message layer security But they are also used to construct multicast encryption schemes So in this setting we have a central authority that would know all of the secret keys and perform the updates So in this setting it's sufficient to rely on symmetric encryption instead of asymmetric encryption And here updates would not so much be about recovering from corruption But rather about adding or removing users from the group Now, as we have seen, the update cost of key trees is going to be logarithmic in the number of users And this actually turns out to be optimal with respect to the average update cost Meaning that if we have a key tree, then the average update cost for a user must be at least log n Now the question we are interested in in our work is What is the situation if we have multiple potentially overlapping groups? Can we find more efficient solutions? And to address this question, we define key graphs for multiple groups And I'm now going to tell you what those look like Now the setting we are interested in Here we have a universe of n users and a system of k groups each containing some of those users So in the picture the dots in the Venn diagram correspond to the individual users And now we can define a key graph for the system as follows So a key graph is going to be a directed acyclic graph Where we require that we have one sync per group And the sync is going to serve as the key of the respective group On the other hand, for every user we want to have one source And now, of course, we have to specify properties that ensure correctness and security of our construction And what we want is that users have exactly access to the keys of groups that they are members of So quite naturally we require that there is a path from a user source to one of the syncs Exactly if the user is in the corresponding group So in the picture we depicted this for a user which is a member of groups 2 and 3 And we now have the following key invariant A graph invariant The users know exactly the keys of nodes that they can reach from the leaf So let's have a look at the update cost Similar to the one group case, users would rotate all keys that they know So all keys corresponding to nodes that they can reach And of course they have to communicate these changes And to do so they would encrypt the new key of a node to all of its co-parents Now in the definition we actually do not have to require that the graph is binary That is that every non-source has in degree 2 as depicted in the picture here But actually this property turns out to hold without loss of generality In the sense that given an arbitrary key graph We can transform it into one that actually has this property in a way that can only decrease the update cost So we can assume that every node has exactly one co-parent And thus the update cost of user is going to correspond to the number of nodes in the graph that they can reach And now what we are interested in is finding key-to-year key-graphs Which have a minimal total update cost And this is just going to be defined as the sum of the update cost of all users And note that this is directly proportional to the average update cost But it turned out to make for a bit nicer presentation So we stuck to this measure of update cost Okay let's have a look at a first example And this first example is actually just going to be the trivial way to construct a key-graph And what we are going to do is we are simply using the solution for one group in parallel That is we built one balanced binary tree per group And now we can consider the update cost of this operation So in this trivial solution all users of one fixed group have an update cost That is the logarithm of the group size So if we sum over all of the users in this group This is going to give us a term group size times the log of the group size And finally if we sum over all of the groups we end up with the total update cost of the trivial solution And this is simply the sum of the group sizes times the log And the main question is can we do better than this? So I will now give a brief overview on our contributions So we consider this question in two different settings So first to get a feeling on the question we start with an asymptotic setting Here we are going to consider a fixed group system But then let the number of users grow in a way that leaves the relative size of the groups As well as the relative size of their intersections constant And we can show that yes we can indeed do better than the trivial solution And we do this by computing lower bounds on the update cost and then give a matching solution However this comes with the caveat that these asymptotics actually can kick in quite slowly And the solution actually performs quite bad for some concrete systems So we also consider the question of finding good key graphs for concrete group systems And here we propose an algorithm to find key graphs that seems better suited for concrete systems And we then prove bounds on its update cost that make it quite easy to compare it to solutions we found in the asymptotic setting And as a second contribution we also provide lower bounds on the update cost of continuous group key agreement And multicast encryption in a symbolic model And I will now discuss our results in more detail starting with the asymptotic setting So in the asymptotic setting we start with a fixed base system of k groups All of which are subgroups of some universe of lowercase n users And now we are going to build a sequence of group systems for a larger number of users And we are going to do this by simply replacing every user with several copies So concretely if we want to build a group with let's say capital N users We are going to replace the user with capital N over small n copies So this would look something like this And for simplicity here we assume that small n divides capital N So there's two things I want to point out First the number of groups is constant But also the relative size of the groups and also the relative size of their intersections stays constant Now we want to construct key graphs that have an optimal update cost when the number of users tends to infinity So first let's have a look at the trivial solution For that recall that it simply builds one balanced binary tree for every single group So let's consider one of those groups say group si And note that the fraction of users that are members of this group is actually independent of n And we are going to denote this fraction by si So now we can consider the update cost that the tree corresponding to this group contributes to the total update cost And this actually is just as discussed before the group size times the log of the group size But we can now rewrite this as n times small si times logarithm of n times small si Then finally we can pull the logarithm apart like this So now if we sum over all the groups we actually get a total update cost of n times log n Times the sum over all the relative group sizes si plus a term which is of order n So the second term stems from summing up the terms n times si times log si So it's really dependent on the group system and in particular it depends on k But as we are only interested in the asymptotics with respect to n It's going to be this linear nn Okay now we can make the observation that actually if we sum over all of those relative group sizes What we get is just the average number of groups that users are members of So we end up with our final update cost of t times n times log n plus a term that is of order n Now to see whether this is optimal we are going to derive a lower bound on the update cost Of group systems in the asymptotic setting And to this end we are going to partition the universe of users into the sets of users that are members of exactly the same groups This is depicted now in the Venn diagram So you can see that each set in this partition is specified by some index set j Which is just going to be a subset of the numbers from 1 to k And the set indicates exactly the set of groups that the users are members of And similar to before we can denote the fraction of users who lie in each of those sets in the partition by lowercase pj And again this value pj is independent of the overall number of users n by construction of this asymptotic setting So now let's have a look at a key graph for our group system We can observe that the leaves of one of those partitioning sets always have at least one common sync So in the picture I've shown this for the users who are exactly members of the groups 1 and 2 And thus have paths to the syncs for group 1 and group 2 But this means that we actually can find a key tree for those users as a subgraph of our keygraph And we already know that the update cost of size of this partitioning set times the logarithm of its size Is going to be optional for such a key tree And we can now conclude that the cost of this key tree must be at least as large And similarly to before we can now replace the size of the set by lowercase pj times n Times the log of this value plus some value which is of order n Okay and now we can simply sum over all of the sets And since those sets form a partition actually their relative sizes must sum up to 1 And we end up with an update cost of at least n times log n plus a term which is of order n And the nice thing about this bound is that it actually already gives us a good hint on how to construct a matching keygraph So again we're going to partition our universe of users as before And then we simply build one balanced binary tree for every set in this partition Now to achieve correctness we have to add a layer on top that combines the roots of those trees to get the required group keys So in the picture for group 1 we would have to combine the users who are members of exactly group 1 With the ones who are exactly in groups 1 and 2 and the ones who are in groups 1, 2 and 3 And then we would do the same for the remaining groups Now we can analyze the cost of this So as discussed in the lower bound the cost of this bottom layer is going to be n times log n plus some term of order n So now let's consider the upper the second layer And we can see that since we only have a finite number of groups for every user the second layer is only going to add a constant communication cost But this means that the overall cost added by the second layer must be linear in the number of users And we can actually conclude that the cost asymptotically matches our lower bound So to summarize our findings about the asymptotic setting In the asymptotic setting we can see that an optimal solution has an update cost of n times log n Which interestingly is independent of the particular set system we are interested in and only depends on the number of users And we can also see that we can save a factor corresponding to the average number of groups that users are members of compared to the trivial solution However all of this comes with some carriers So first note that we really relied on the number of groups staying fixed while the number of users grows Which is not very realistic in practice And in particular the asymptotic notion hides constant that depend on the number of groups k And for general group system this number of groups could actually be exponential than the number of users For example this would be the case if we consider the system which contains every possible subgroup So the asymptotic effects can actually kick in quite slowly And this also made us look at the situation for concrete group systems And I'm going to discuss our results in this setting now in greater detail So from now on we are going to consider some fixed system of k subgroups of n users And a first observation we can make is that actually the update cost of the trivial solution can differ from the optimal update cost by at most a factor of log n And the reason for this is as follows In the trivial solution we know that the cost for a user that is in m groups can be at most log n times m But on the other hand the cost for the same user in the optimal solution must be at least m as they need to at least replace all group keys when performing an update So this establishes this inequality But unfortunately it turns out that there actually are examples of very natural group systems in which this worst case happens for both the trivial solution and also the asymptotically optimal solution we have to see so far And to see this we can consider this hierarchical set system where the group si contains exactly the users 1 to i And the first observation we can make is that the sets we partitioned into before now all contain exactly one user which means that the graphs of the trivial and the asymptotically optimal graph actually coincide And also the cost of the ith group is going to be i times log i So if we sum over all groups we obtain a total cost of roughly n squared times log n However the optimal solution for this system is essentially this path depicted on the right And there you can see that the cost for user n minus i is actually i So if we sum over all of those users we would end up with a total cost of order n squared So this matches this worst case discussed above So what goes wrong here? Intuitively we have a very hierarchical group system but both of our solutions put the users that are at very different levels in the system at the same level in the key graph So our goal was to find solutions that better reflect this hierarchical nature of group systems And we propose an algorithm to generate key graphs which seems better equipped to handle such systems In particular for this example it would just recover the optimal solution So now I'm going to describe our algorithm I'm going to start with a high level description So the algorithm runs into phases and both phases are implemented with greedy algorithms So executing the algorithm is quite efficient And similarly to before we are going to partition our universe of users into the sets of users who are members of exactly the same groups And we can actually adapt a bit more abstract view of this So as seen before every set in this partition corresponds to an index set which specifies the corresponding groups And we can arrange those index sets in a graph those so-called Boolean letters So in this Boolean letters the index sets are going to correspond to nodes and an edge corresponds to one set being a subset of the other And as you can see in the picture it actually reflects this hierarchical nature of sets quite well and for example the singleton sets all lie at the top level Now in the first phase our algorithm picks a subgraph of the Boolean letters and it does so to achieve or to match some correctness property So essentially what we want here is that every node has paths to exactly the singleton sets that it decomposes into And then in the second phase we attach the users at their corresponding position in the letters graph and then starting from the bottom build binary trees for every node in the letters So I'm going to describe this in more detail now First let's start with the first phase So here we start with our group system So in the example with three groups And we first identify the largest intersection of two sets So in our example those would be the groups one and two And now we split those two sets into three The intersection of the two sets as well as the sets without the intersection And we also add edges from the intersection to the two other sets So in the letters graph this corresponds to adding edges from node one to two to the nodes one and two So now we have a system consisting of four different sets So in the example this would be the intersection of groups two and one Group two without group one and group one without group two as well as group three And we are just going to repeat this process until all sets are disjoint So in our example the next largest intersection now would be to intersect group three That is the yellow set with the cyan colored set And this results in a new set which is depicted in green And in the letters graph we add the corresponding edges from the sets two three to the nodes two and three So now we have five sets and we actually have to repeat this step one last time So it might be a bit hard to see but there actually is a non-empty intersection between the yellow and the blue set But after splitting those two sets we actually have partitioned our set system as desired And also the Boolean letters graph now satisfied their desired correctness property And in the paper we formally show that this indeed will always be the case So this concludes the first phase of the algorithm Now let's discuss the second phase So here first we attach the users of the partitioning sets to the corresponding node in the letters graph So the users here are depicted by the little dots And then our idea is that for every node in the letters graph we are going to build a binary tree And the leaves of this tree are going to be on one hand the users attached to it And on the other hand the nodes in the letters graph that have an incident edge to our node So let's begin from the bottom So here we have just a couple of users so we can simply build a balanced binary tree for them But now let's consider the blue node Here we have some users but we now also have an ingoing edge from the root of the tree that we just built And we can see that this node actually represents more than one user So if we would simply be building a balanced binary tree we would not achieve the best solution with respect to average update cost However we can actually see this as a coding problem for the set of leaves Where every leaf has a weight that is proportional to the number of users it represents So if we use Huffman coding to build a tree we are actually going to get an optimal solution as Huffman codes are optimal And if we apply this to the blue node it would look something like this So note here that the root of the black tree is actually attached a bit higher in the blue tree as it has larger weight And now if we repeatedly apply this idea we finally end up with a graph that looks something like this And in the paper we show that this is indeed a key graph which satisfies the correctness properties we require for the considered group system And of course we would like to know how efficient the solution is So as a first thing going back to the asymptotic setting we can show that it is also asymptotically optimal So already this is quite nice But we also compute bounds on its update cost in the concrete setting and I'm going to discuss them in a bit more detail now So we can show the following bound on the update cost of key graphs generated with our algorithm This looks quite complicated but actually makes it quite easy to compare it to the trivial solution And I will try to break it down now So let's first consider the first term We can see that this term actually just corresponds to the update cost of the trivial solution Which means that the second part of this equation is going to tell us how much we save compared to it So here we have a sum running over all of the nodes in the lattice graph that are no singleton sets That is the nodes below the first level So let's consider one of those terms and concretely let's look at the blue partitioning set representing the lattice node 1, 2 And we can see that the saved cost actually corresponds to the update cost of building a balanced binary tree For a certain number of users and more precisely this number of users is going to be the users that either belong to the lattice node itself Or to a lattice node that has a path into it So in our example this would be the users who are exactly in the groups 1 and 2 And the users who are exactly in groups 1, 2 and 3 And to briefly cover the other nodes we would also in our example save the cost of building one tree for the users in groups 1, 2 and 3 So this corresponds to the black node And to the cost of building a tree for the users in groups 2 and 3 corresponding to the green node However all of this comes with a caveat and that is so far we have only looked at the lower bound But the upper bound also includes some terms of plus 1 And due to these terms we can unfortunately not formally conclude that our algorithm always does better than the trivial one So if there is some concrete group system for which our algorithm actually does worse it would be due to those rounding errors However I want to point out that we were not able to find an example where our algorithm actually does not outperform the trivial algorithm Overall we unfortunately do not know whether our algorithm always finds the optimal key graph or whether it's optimal up to some factor So we consider this a very interesting open question and I will discuss it in a bit more detail at the very end of the video And I also want to point out that in the paper we also give a comparison to the asymptotically optimal algorithm from before And similarly our algorithm seems to do better, however here the savings are less substantial They are actually more of order n than of order n times log n Let me now briefly discuss the second contribution in the concrete setting we make in this paper And that is lower bounds in a symbolic model So we derive lower bounds on the update cost of continuous group key agreement schemes and multicast encryption schemes in this setting of multiple groups And we consider schemes built from public key encryption, pseudo random generators and secret sharing in the case of CGKA And symmetric encryption, pseudo random generators and secret sharing in the case of multicast And to prove our bounds we rely on a symbolic model in the style of Dodev and Yao That is we model the used building blocks as idealized primitives And this means that the information about secret keys can only be recovered according to some fixed derivation rules And the security notion we target is post-compromised security Which means that users should be able to recover from corruption And since we derive lower bounds this also in particular excludes constructions for stronger security notions One would like in practice like post-compromise forward secrecy And our approach follows the ideas by Michangio and Panjuani Who considered the worst case update cost for multicast encryption for a single group So the difference being that we consider multiple groups and find bounds with respect to the average update cost And if we restrict to a single group our bound actually matches the one established in this paper So here is what we were able to show So we can see that again the partition into sets of users who belong to exactly the same groups plays a role And more precisely we show that in the symbolic model every secure CGKA or multicast scheme Must have an average update cost of at least the cost of constructing a balanced binary tree for every set in the partition So to give some idea of the proof we allow arbitrary schemes So they do not necessarily have to use a fixed key derivation graph However we can show that at every point during the protocol execution in the symbolic model We can identify something which looks like a key derivation graph in the secret keys of the system And then we can compute lower bounds on the communication complexity incurred by this graph Similar to how we got the bound in the asymptotic setting So this concludes the technical part of this video And I will end with a brief summary and some open questions So in this work we investigate the update cost of key graphs for several potentially overlapping groups And we consider this question in two settings In the asymptotic setting we compute lower bounds on the update cost and find a matching constructions But unfortunately this construction is not satisfactory for certain concrete group systems So we also consider concrete resistance afterwards And here we propose an algorithm to compute key graphs and compute bounds on its update cost That make it quite easy to compare it to the trivial solution And as a second contribution we derive lower bounds on the update cost of CGKA and multicast encryption For multiple groups in a symbolic model And now let me end by pointing out some interesting open questions So the most pressing one is probably the question of optimality in the concrete setting So this can be asked in different flavours So the first one would be in general Is it possible to efficiently find the optimal key graph for a group system Or on the other end of the spectrum might this even be NP-complete And as a second flavour of this question if we stricter ourselves to algorithms which follow this Boolean lattice approach So key graphs where in the first phase we pick a subgraph of this Boolean lattice And then in a second phase use Huffman codes to generate the final key graph The open question would be is our approach optimal if we restrict to key graphs generated with this approach And this essentially translates to some discrete optimisation problem over graphs So if you are interested in this we detail this in the paper Now a different line for future work would be conserved with making the approach practical So tree cam and other CGKA protocols employ additional mechanisms to ensure that all users all have a consistent view of the key graph So a good question would be do those carry over And on the other hand of course one would like to be able to add and remove users to and from the groups And we show in the paper that this can be implemented for all constructions using techniques like blanking or unmerged leaves But it is an interesting open question how efficient this would be compared to the trivial solution Now this marks the end of this video so thank you a lot for watching Bye