A Balanced Key Tree Approach for Dynamic Secure ... - CiteSeerX

A Balanced Key Tree Approach for Dynamic Secure Group Communication1 Geng Hao, N. V. Vinodchandran, Byrav Ramamurthy

Xukai Zou

Dept. of Computer Science and Engineering University of Nebraska–Lincoln Lincoln, NE 68588-0115 Email: {ghao, vinod, byrav}@cse.unl.edu

Dept. of Computer and Information Science School of Science, Purdue University-Indianapolis Indianapolis, IN 46202 Email: [email protected]

Abstract— Logical Key Hierarchy (LKH) is a promising solution to handle group key distribution in secure group communication. Several recent studies have investigated different approaches to reduce the re-keying cost of LKH. For certain group communication applications, such as the subscription pay TV, a member’s departure time is available when the member joins the group. The proposed scheme aims to improve the re-keying cost for such applications. It uses a combination of an AVL tree and a binary search tree called the leaving tree as the topology of its key tree. Both the AVL tree and the leaving tree are searchable by members’ departure times. Our analysis shows that the average costs in terms of the number of key updates for the member join and and leave are O(log n) and O(log log n), respectively. Our simulation results show that the proposed scheme achieves better performance than other balanced tree based solutions.

I. I NTRODUCTION Many distributed applications require group communications. How to maintain the confidentiality of communication over a multicast channel has been one of the essential issues in multicast communication. Most of the current proposals on secure group communication use secret key techniques for group data encryption. All group members share the same group key and use it to encrypt group communication. Simple extensions of unicast key distribution protocols to group communication (e.g. [1]) require linear time to distribute the group key. In 1998, Wong et al. [2] proposed to use a key graph for group communication key management. The use of a logical key tree, a special case of a key graph, helps reduce the time for distributing the group shared key to logarithmic time. So far, most proposed logical key tree schemes fall into one of two categories: centralized scheme [2] [3], where a key server is responsible for the group key generation and distribution, and contributory scheme [4], where no central controller is needed, and the group key is generated by cooperation among group members. In a centralized key tree, the group key server is responsible for all the re-keying requests, and it becomes a bottle-neck of the system as the size and the dynamics of the group increase. So one question arises: how to maintain the key tree so that the key server’s workload could be reduced or minimized? 1 This

project is partially supported by NSF Grant No. CCR-0311577.

0-7803-9428-3/05/$20.00 ©2005 IEEE.

We observe that there are many applications in which the departure time of any member is known at the time this member joins the group (for example subscription pay-TV or pay-per-view [5]). This information is used in our scheme to reduce the re-keying cost when a member leaves. We propose a centralized key tree scheme that employs a modified AVL tree as its key tree, and a leaving tree which is attached to the AVL tree to facilitate process of member leave operation. Our analysis shows that the proposed algorithm achieves an average O(log n) server cost for the member join operation and O(log log n) for the member leave operation. The rest of this paper is organized as follows. Section 2 reviews the Logical Key Hierarchy and defines notations. Related work is also presented in this section. Section 3 discusses the AVL-leaving tree scheme. In Section 4, we present the algorithm in detail. Performance and complexity analysis are discussed in section 5. In section 6, the experimental methodology and results are presented and discussed. Section 7 presents our conclusion and suggestions for future work. II. P RELIMINARY AND R ELATED W ORK A. Logical Key Hierarchy The logical key tree scheme was proposed in [2]. It assumes that there is a single trusted and secure key server. The key server uses a key tree for group key management. Every leaf in the tree is a member node (u-node). Each member shares a unique key with the key server. Every interior node (k-node) is associated with a unique auxiliary key, also called a KeyEncryption Key (KEK), it is used to encrypt and transmit the updated group shared key. The root node stores the group shared key, which is used to encrypt group communication. Each member holds the keys belonging to nodes on the path from the member’s u-node to the root. For a dynamic group, Backward Secrecy and Forward Secrecy are necessary to ensure security of group communication. Backward Secrecy means that when a new member joins the group, it should not be able to decrypt messages exchanged among group members before his joining the group. In the Key Tree Scheme, that means the group shared key and all the KEKs assigned to the new member should be updated upon his joining. Similarly, Forward Secrecy means that after a member leaves the group, it should not be able to decrypt any future group

345

communication, which means that the group shared key and all KEKs originally held by the leaving member should be changed. Throughout this paper, we will assume that network multicast capability is available for group communication. We also assume the User-Oriented Rekeying strategy is used as the way the group key server distributes new keys. In this study, we use the server cost as the performance metric. Server cost is defined as the number of key updates the key server has to perform for a member join/leave event. It is proportional to both the server’s computational cost and communication cost to handle such events. If we limit our discussion to a regular binary tree, when a joining member is inserted as a leaf node at depth n, the corresponding server cost is n+1. If a member leaves and its u-node’s depth is n, the corresponding server cost is n. For simplicity, in the following discussion, sometimes we will use a node’s depth instead of the server cost. B. AVL Search Tree An AVL tree is a balanced binary search tree. It is not perfectly balanced, but pairs of sub-trees differ in height by at most 1. The AVL tree is a well-known data structure, and has been under intense study since it was proposed in 1962 [6]. Some facts about the AVL tree are listed below to facilitate future discussion. The height, h, of an AVL balanced tree with m internal nodes satisfies the following condition. log(m + 1) ≤ h ≤ 1.440 log(m + 2) − 0.328 It is difficult to get an analytical result of average height of an AVL tree. According to the empirical result from [1], the average height of an AVL tree is: 1.01 log n + 0.1 Where n is the number of nodes in the tree. To insert a node into an AVL tree, it takes at most 1 rotation (either single or double rotation) to rebalance the tree. To delete a node, it takes at most log n rotations to rebalance the tree. C. Related Work Optimal key tree structure is considered in previous literature from a different aspect. In [2][3][7], the authors assume that all members have the same re-keying probability. In [2] and [3], the authors suggest that a regular 4-ary tree is optimal. The work in [7] improved the result of [2][3] and suggests that the optimal tree should be a regular 4-ary tree except for the first and last level. The root of the optimal tree has 2k children with k ≥ 2, where the value of k depends on value of re-keying probability. The work in [8] considered a different scenario where the re-keying probability varies. It used the same method as constructing a Huffman Code to construct the key tree. If a member has a higher re-keying probability, it should be placed at a node closer to the root, so that when it leaves, less auxiliary keys (KEK) need to be updated. The work in [8] did not consider a dynamic group situation.

Other researchers tried to reduce the rekeying cost in dynamic group. [9] proposed using 2-3 tree to keep a key tree balanced, thus reducing the average server cost. However the cost to rebalance a 2-3 tree is high. When the group size is relatively small, the restructuring cost makes their scheme perform even worse than an unbalanced tree. In the work of [10], the authors proposed a new rekeying policy, exposure-oriented rekeying, for LKH to achieve better tradeoff between rekeying cost and level of security. [11] proposed to use a join-tree/exit-tree topology in logical key tree and exploits the efficiency of amortized operations. It was aimed to reduce time cost for member join/leave in a contributory key agreement framework, such as TGDH [4]. When a member joins, it is placed in a join-tree. When the join-tree is full, members in the join-tree are moved to the main tree in a batch operation. Before members leave, they are again moved to an exit-tree. By limiting the size of the join-tree and the exit-tree, the proposed algorithm reduced the average time cost for member join and leave to O(log log n). But the batch movement between join-tree and main-tree and main-tree and exit-tree needs additional O(log n) time to complete. It is worth mentioning that the proposed scheme belongs to the class of centralized group key management schemes. The other three classes of group key management are decentralized group key management with relaying (DGKM) [12], [13], (distributed) contributory group key agreement (CGKA) [4], [14], [15], [16], [17], [18], and distributed group key distribution (DGKD) [19]. The performance analysis for CGKA can be found in [20]. III. AVL-L EAVING T REE S CHEME A. Motivation The work in [3] showed that using an aggregate operation reduces the number of key updates. Since for each membership change, the keys along the path from the affected member to the root have to be changed, if several requests are processed together, some of the paths may partially overlap, keys belonging to the overlapping part need to be updated only once in each aggregate operation. Performance of batch rekeying is analyzed in [3] and [21]. When all members in a subtree require rekeying in one aggregate operation, keys along the path from the root of that subtree to the root of the key tree need to be changed once, and it gives the best case performance. As mentioned in the introduction, for some group applications, the behavior of members are not totally random, and members’ departure times are predictable. When a member joins the group, it provides the time at which it will end the session and leave the group. Intuitively, we can fill a subtree with members with similar departure times, and before any member of the subtree leaves, we can cut the subtree from the key tree, move it up and place it as the child of the root. Keys along the path between the root of the subtree and the root need to be updated once during the movement. After the movement, if any of the members in that subtree leave the group, those keys updated during the movement no longer

346

R Leaving Tree

P’ P

Main AVL Tree

Main AVL Tree B

A

C Fig. 3.

Fig. 1.

AVL-Leaving Tree.

A key tree, members in subtree C are of similar departure time.

R

C

P’

Leaving Tree

B

Main AVL Tree A

Fig. 2.

Subtree C is moved to place near root.

need to be changed again. This is similar to the best case of the aggregation operation. An example of the movement is shown in Figures 1 and 2. The movement also helps to improve the system response time since there are less key updates required when members leave. On the other hand, to maintain the key tree balanced helps to get a lower server cost to handle the member join events [2][3][7][9][22]. It is straightforward to organize the key tree as a balanced search tree to get benefit from both sides. We propose to use the AVL tree as our balanced search tree since it gives the best performance among the commonly used tree algorithms in this class [1], and has a low cost to rebalance. B. Our Approach We will now present our algorithm. Our key tree has two parts. One part is called the main AVL tree; it is an AVL tree, indexed by the members’ departure times in the descending order. Most of the members of the group are in this part of the tree. the main AVL tree is different from a regular AVL tree in two ways. Firstly, it is a regular binary tree, i.e. each interior node has exactly two children. Secondly, there is no value assigned to interior nodes; the tree is searchable only by its leaf nodes, and insertion always happens at a leaf node. The second part of the key tree is called the leaving tree. It contains a small number of members, those who have the earliest departure times in the group. The leaving tree is also a search tree indexed by members’ departure times in the descending order. Figure 3 shows the topology of the key tree. In the beginning, the leaving tree is empty. When a member joins, it is inserted into the main AVL tree, and the necessary rotation is carried out to maintain the balance requirement of the AVL tree. Once the group size increases beyond a certain

threshold value, the leaving tree is activated. A “right-most” subtree (the size of this subtree will be determined later) of the main AVL tree is selected and moved to the leaving tree. We name this operation relocation. An example is shown in Figures 1 and 2. After the relocation, KEKs along the path from the root of the subtree to the root of the main AVL tree are changed, and necessary rotation performed to rebalance the AVL tree. How and when to perform relocation and how to add it to the leaving tree will be discussed later. In the leaving tree, the descending order of departure times is still preserved, but the balance requirement is no longer enforced. Furthermore, we can observe that the descending order of the departure times is preserved through the entire key tree, while the AVL balance requirement is maintained only in the main AVL tree. IV. K EY T REE A LGORITHM The AVL-leaving tree algorithm consists of 3 parts: member join, member leave and relocation. The first two are used to handle the membership change request. And the relocation algorithm is used to perform the batch movement on the key tree. It is triggered when handling a member leave event. A. Member Join Assume that a member m asks to join the group. Let its departure time be T . We search the key tree and find a leaf node whose leaving time is less than but closest to T among all members. Call this node c. 1) Create a new interior node, and place it at the position previously held by c. 2) Make m and c the left and right child of the newly created node. 3) If c is in the Leaving Tree, update the keys along the path from m to the root of the key tree. 4) Else if c is in the main AVL tree, update the keys along the path from the m to the root of the key tree, perform rotation if necessary to maintain the main AVL tree balance. It is possible that some joining members will be inserted into the leaving tree. If this is the case, the server cost is smaller than the case of insertion to the main tree since the leaving tree has a smaller height compared to the main AVL tree. Since the average height of an AVL tree is O(log n), the average join cost is also O(log n).

347

B

A

A

C

C

Double Rotation

1

B

h

4 2

h

1

2

h

3

4

3 h (a)

Fig. 4.

(b)

Double rotation to rebalance AVL tree.

B. Member Leave Assume a member asks to leave the group. Let the node associated with this member be m. Let p and s be m’s parent and sibling, respectively. 1) Delete m. 2) Replace p with s. 3) Update keys along the path from parent of s to the root R. 4) Call the relocation algorithm (described below) if the leaving tree is empty. Analysis of leave cost is given in section V. The result shows that our scheme achieves O(log log n) to handle member leave request. C. Relocation Algorithm The relocation algorithm is used to move a subtree of the main AVL tree to the leaving tree. Let the root of the subtree be rs, and let p and s be rs’s parent and sibling in the main AVL tree, and Krs and Kp be the KEKs associated with rs and p. 1) Delete p and the subtree rooted at rs from the main AVL tree 2) Move s to the place where p originally is 3) Place rs as the root node’s child 4) Send a message to the members of the subtree rooted at rs to inform them the relocation 5) Update all KEKs along the path from s to the root, perform rotation if necessary. V. A NALYSIS AND D ISCUSSION We will use the following notations. Let CL be the capacity of the leaving tree, i.e. the maximum number of members which could reside in the leaving tree. Let N be the size of the group. A. Cost of rebalancing after member joins When a member joins the group, if it is inserted in the main AVL tree, its insertion may cause an imbalance of the main AVL tree, so rotation (double or single) has to be carried out to rebalance the tree. Our observation gives the following result: Claim: Rotations that keep an AVL tree balanced do not increase server cost. The example shown in Figure 4 illustrates the above claim for the case of double rotation. Other cases of rotation give

similar results. Assume that a member is inserted into the subtree 3, causing the height of the subtree 3 to increase by 1. It causes an imbalance and a double left rotation is triggered to resume the balance of the AVL tree. The result is shown in Figure 4b. Due to the insertion in the subtree 3, KEKs associated with nodes along the insertion point up to the root, including KEKs associated with A, B and C should be updated. The rotation will affect the way the key server distributes KEKs associated with A, B and C only; members not shown in Figure 4 will receive the same message regardless of whether a rotation is performed or not. Comparing figures 4.a and 4.b, we can see that the number of key updates does not change if rotation is carried out. The only difference is that the keys sent to a certain subtree may be different. So if we combine the rotation together with the key update process, there will be no additional server cost for the rotation. B. Relocation Strategy We will discuss the relocation condition in this section. In the AVL-leaving tree, server cost of member leave event consists of two parts: the server cost of relocating a subtree from the main AVL tree to the leaving tree and the server cost of members leaving from the leaving tree. Using the example shown in Figures 1 and 2, the subtree C is relocated. If we assume the depth of P
is t, and subtree C contains CL members, then by moving subtree C to the leaving tree, all t KEKs along the path from P
to the root need to be updated once to maintain forward secrecy requirement. After the relocation, when any member in subtree C leaves, only the group key and KEKs along the path need to be updated. So the total server cost per member in C leaving the group will be: t + α log(CL + 1) + β CL α log(N + 1) + β ≤ + α log(2CL ) + β (1) CL where N is the group size. α = 1.44 and β = −0.328. The right part of expression (1) reaches its minimal value when β (2) α (2) gives the value of the capacity of leaving tree that minimizes the leave cost. Combining (1) and (2), we can see the leave cost is O(log log n). In practice, the size of a subtree in an AVL tree of height h could be any number between 2h and Fh+2 − 1, where Fn stands for the Fibonacci number. So we cannot always find a subtree whose size satisfies (2). Instead, we select one among all the possible subtrees so that (3) is minimized, where Cn denotes the size of the subtree. CL = log(N + 1) +

t + log(Cn ) Cn

(3)

When the group contains more members than a threshold value, we want to activate the leaving tree. To find this value, we compare the server cost of the AVL-Leaving tree with an

348

Height of B h h h-1 h-1 h-1 h-2 h-2 h-2 h-3

Height of C h h-1 h h-1 h-2 h-1 h-2 h-3 h-2

Cause Imbalance? maybe maybe maybe no no yes yes yes yes

Experiment 1

TABLE I

Fig. 5.

P OSSIBLE COMBINATIONS OF HEIGHT OF SUBTREE B AND SUBTREE C.

AVL tree without a leaving tree. If a leaving tree is not used, the average server cost for member join/leave is 1.01log(2N − 1) + 0.1. The member leave cost of the AVL-Leaving tree is shown in (1), and member join cost will increase by 1 since the shared group key needs to be encrypted and sent to the leaving tree. So we have: 1.01 log(2N − 1) + 0.1 α log(N + 1) + β ≥ + α log(CL + 1) + β + 1 CL

Experiment 2

Fig. 6.

(4)

Group Size.

Server cost for member join and member leave for experiment 1.

VI. E XPERIMENTAL R ESULTS

Replacing CL with the value in (2), we find that the threshold of group size to perform the relocation operation is 16. When the group size is bigger than 16, it is beneficial to use a leaving tree. C. Rebalancing after relocation A relocation may cause an imbalance of the AVL tree. For the example shown in Figure 4, if the height of subtree A is h, then the possible height combinations of subtree B and C are listed in Table 1. For the first 3 combinations, the relocation causes the height of subtree rooted at P
to decrease by 1, and may cause imbalance of the AVL tree. The balance of the subtree itself is preserved. We claim that at most t − 1 single right rotation could rebalance the tree, where t is the depth of node P
. As mentioned in section 5.1, it will not increase the server cost. For the next 2 combinations, relocation will not cause imbalance. For the last four combinations, the height of the subtree rooted at P
does not change after the removal of C, so it will not cause an imbalance at any nodes outside the subtree. But the subtree itself is imbalanced. It is interesting to observe that if we assume that the height of B is h, despite the fact that it is h − 2 or h − 3, the imbalance will be limited to the subtree rooted at P
, and will not cause imbalance at any higher level of the tree. In other words, the imbalance is local to the subtree. This situation will end when B is moved to the leaving tree in a later relocation operation or when there are enough number of insertions into B to increase its height to at least h − 1. No rebalance is carried out for these cases and it will not increase the server cost.

We have carried out simulation experiments to test our key tree scheme. In the experiments, we adopt a probabilistic model of group member behavior suggested in [23]. Both inter-arrival times and membership durations follow an exponential distribution. The λ values of experiment 1 and 2 are listed in Table 2. These values are used to generate a sequence of random membership change events, which served as input to the simulation program. We count the number of key updates for processing each membership change request in the event sequence. The initial group size is set to 0. In both simulations, there are totally 5000 member join events and 5000 member leave events, durations of the simulations are 23000 and 26000 time units, respectively. The simulation ends when all members leave. Figure 5 shows the plot of group size against time for both experiments. For experiment 1, the group size changes between 0 and 435 with bursty user join/leave request. Experiment 2 simulates a situation where group size changes in a relatively small range, with approximately the same number of member joins and member leaves in any time period. The threshold value to activate the leaving tree is set to 64 for both experiments. Figures 6 and 7 show the total number of key updates during the simulation. The join cost and the leave cost are measured separately. Results of AVL-Leaving tree are compared with that of a simple balanced binary tree and 4-ary tree. We can see that the join cost of the AVL-Leaving tree scheme is almost the same as that for a balanced binary tree while there is about 30% improvement in the cost of user leave events in both experiments. The simulation experiment results show that the proposed scheme improves the overall user leave cost. The AVL tree helps to keep the key tree balanced with a little overhead.

349

Time Span λ for Inter-arrival λ for duration - Experiment 1 λ for duration - Experiment 2

1-600 0.25 0.0025 0.001

600-1600 0.25 0.0005 0.001

1600-2800 0.25 0.003 0.001

2800-3100 0.25 0.0005 0.001

3100-4300 0.25 0.0035 0.001

4200-5000 0.25 0.02 0.001

TABLE II PARAMETERS USED IN GENERATING MEMBERSHIP CHANGE EVENT.

Fig. 7.

Server cost for member join and member leave for experiment 2.

The AVL-Leaving tree scheme is suitable for large size secure group communication when members’ departure times are predictable. VII. C ONCLUSIONS AND F UTURE W ORK This paper addressed the scalability problem of key management in secure group communication. We have applied a new scheme to maintain the key tree in a LKH when a centralized key server is used. It improves the server cost for secure group communication applications where the member departure time is predictable. We have showed through analysis that the server cost of member join event is O(log n) and server cost for member leave event is O(log log n). The overall performance is better than those for previous works, especially when group dynamic and group size is large. As future work, we intend to consider situations where the members’ actual departure times are allowed to deviate from the predicted departure time. We also want to extend the scheme to include aggregation operations. R EFERENCES [1] P. L. Karlton, S. H. Fuller, R. E. Scroggs, and E. B. Kaehler, “Performance of height-balanced trees,” Communications of the ACM, vol. 19, pp. 23–28, Jan. 1976. [2] C. K. Wong, M. Gouda, and S. S. Lam, “Secure group communications using key graphs,” in Proceedings of ACM SIGCOMM ’98, Vancouver, B.C., Sept. 1998, pp. 68–79. [3] X. S. Li, Y. R. Yang, M. Gouda, and S. S. Lam, “Batch rekeying for secure group communications,” in Proceedings of Tenth International World Wide Web Conference, Hong Kong, China, May 2001, pp. 525– 534. [4] Y. Kim, A. Perrig, and G. Tsudik, “Simple and fault-tolerant key agreement for dynamic collaborative groups,” in Proceedings of the 7th ACM Conference on Computer and Communications Security. 2000, Athens, Greece, Nov. 2000, pp. 235–244.

[5] B. Briscoe, “Marks: Zero side-effect multicast key management using arbitrarily revealed key sequences,” in Proceedings of First International Workshop on Networked Group Communication, Pisa, Italy, Nov. 1999, pp. 301–320. [6] G. M. Adelson-Velskii and E. M. Landis, “An algorithm for the organization of information,” in Doklady Akademii Nauk SSSR, 1962, pp. 146:263–266. [7] F. Zhu, A. Chan, and G. Noubir, “Optimal tree structure for key management of simultaneous join/leave in secure multicast,” in Proceedings of MILCOM’03, Boston, MA, Oct. 2003. [8] R. Poovendran and J. S. Baras, “An information theoretic analysis of rooted- tree based secure multicast key distribution schemes,” in Proceedings of Advances in Cryptology - CRYPTO’99, Santa Barbara, CA, Aug. 1999, pp. 624–638. [9] J. Goshi and R. Ladner, “Algorithms for dynamic multicast key distribution trees,” in Proceedings of Twenty-Second ACM Symposium on Principles of Distributed Computing (PODC ’03), Boston, MA, July 2003, pp. 243–251. [10] Q. Zhang and K. Calvert, “On rekey policies for secure group applications,” in Proceedings of The 12th International Conference on Computer Communications and Networks, 2003. ICCCN 2003, Dallas, TX, Oct. 2003, pp. 559–564. [11] Y. Mao, Y. Sun, M. Wu, and K. J. R. Liu, “Dynamic join-exit amortization and scheduling for time-efficient group key agreement,” in Proceedings of Infocomm 2004, Hong Kong, China, Mar. 2004, pp. 2617–2627. [12] L. R. Dondeti, S. Mukherjee, and A. Samal, “A dual encryption protocol for scalable secure multicasting,” In Fourth IEEE Symposium on Computers and Communications, pp. 2–8, July 1999. [13] S. Mittra, “Iolus: A framework for scalable secure multicasting,” Journal of Computer Communication Reviews, vol. 27, no. 4, pp. 277–288, 1997. [14] M. Burmester and Y. Desmedt, “Efficient and secure conference-key distribution,” Security Protocols Workshop, pp. 119–129, 1996. [15] L. R. Dondeti, S. Mukherjee, and A. Samal, “DISEC: a distributed framework for scalable secure many-to-many communication,” In Proceedings of Fifth IEEE Symposium on Computers and Communications (ISCC 2000), pp. 693–698, July 2000. [16] Y. Kim, A. Perrig, and G. Tsudik, “Tree-based group key agreement,” ACM Transactions on Information Systems Security, vol. 7, no. 1, pp. 60–96, Feb. 2004. [17] D. Steer, L. Strawczynski, W. Diffie, and M. Wiener, “A secure audio teleconference system,” Advances in Cryptology-CRYPTO’88, LNCS, Springer-Verlag, vol. 403, pp. 520–528, Aug. 1990. [18] M. Steiner, G. Tsudik, and M. Waidner, “Diffie-Hellman key distribution extended to group communication,” ACM Conference on Computer and Communications Security (ACM CCS 1996), pp. 31–37, Mar. 1996. [19] P. Adusumili, X. Zou, and B. Ramamurthy, “DGKD: Distributed group key distribution with authentication capability,” Proceedings of the 2005 IEEE Workshop on Information Assurance and Security, United States Military Academy, West Point, NY, 15–17 June 2005, pp. 286–293, June 2005. [20] Y. Amir, Y. Kim, C. Nita-Rotaru, and G. Tsudik, “On the performance of group key agreement protocols,” 22 nd International Conference on Distributed Computing Systems (ICDCS’02), pp. 463–464, June 2002. [21] X. Zou, B. Ramamurthy, and S. S. Magliveras, Secure Group Communications Over Data Networks. New York, NY: Springer, 2005. [22] S. Zhu, S. Setia, and S. Jajodia, “Performance optimizations for group key management schemes,” in Proceedings of the 23rd International Conference on Distributed Computing Systems, Providence, Rhode Island, May 2003, pp. 163–171. [23] K. Almeroth and M. Ammar, “Multicast group behavior in the internet’s multicast back-bone (mbone),” IEEE Communications Magazine, vol. 35, pp. 124–129, June 1997.

350