Performance Comparison of Stateful and Stateless Group Rekeying Algorithms

Scalable group rekeying schemes proposed in the literature can be classified into three categories: stateful schemes, stateless schemes and self-healing schemes. They differ mainly on the interdependency of rekey messages and messaging overhead in rekeying. Logical key hierarchy (LKH) based approaches are stateful in that members should have received past rekeying messages to decrypt current rekeying messages. Stateless rekeying algorithms, such as subset difference based member revocation (SDR) mechanism, on the other hand, use keys sent during member registration/initialization to encrypt the group key. In other words rekeying messages are independent of each other and consequently members going offline can decrypt the group key without having to consult the group manager. This is an important property considering that reliable delivery of rekey messages is a significant issue in deploying group and multicast security solutions. While in self-healing schemes, a rekeying message contains not only the current key, but also the shares of previous and future keys such that a member can recover a missed key by combining corresponding shares received by the member through other rekeying messages. SDR messaging overhead in rekeying is dependent on the membership during an entire multicast session whereas LKH messaging overhead is dependent on membership of the group during a rekeying instance. In this paper, we study the advantages and applicability of stateful and stateless rekeying algorithms to different groups and multicast security applications. We analytically compare the storage cost and the rekeying cost (number of unit-size encrypted messages) of LKH and SDR in immediate and batch rekeying scenarios. We implemented the two algorithms and simulated different membership scenarios to compare the rekeying cost. The simulation study shows that LKH performs better in immediate rekeying and small batch rekeying, whereas stateless rekeying performs better as we process membership changes in larger batches. In some cases, stateless rekeying was observed to be as inefficient as encrypting the group key separately for each member of the group. We also report on the effect of member adjacency on SDR rekeying cost that it seems to have more impact on rekeying cost than the number of membership changes. This work is supported by the Defense Advanced Research Projects Agency (DARPA) under contract N66001-00-C8011. yDepartment of Computer Science, University of Massachusetts, Amherst, MA 01003. [email protected] zStrategic protocols group, Nortel Networks, 600 Technology Park Drive, MS E65-60-202, Billerica, MA 01821. [email protected]