KeyManagement Schemes for Multilayer and Multiple Simultaneous Secure Group Communication

Many emerging applications are based on group communication model and many group communications like multimedia distribution and military applications require a security infrastructure that provides multiple levels of access control for group members. The group members are divided into a number of subgroups and placed at different privilege levels based on certain criteria. A member at higher level must be capable of accessing communication in its own level as well as its descendant lower levels but not vice versa. In this paper we propose a key management scheme for this multilayer group communication. We achieve substantial reduction in storage and encryption cost compared to the scheme proposed by Dexter et al. We also address periodic group rekeying. Applications like scientific discussion and project management may lead to a scenario in which it is necessary to set up multiple secure groups simultaneously, and few members may be part of several secure groups. Managing group keys for simultaneous secure groups is critical. In this paper we propose a novel key management scheme for multiple simultaneous groups.


Introduction
Many emerging applications like secure audio and visual broadcasts, pay-per-view, scientific discussion, and teleconferencing are based on group communication model.Several users participate in these applications, and multicast communication is an efficient means of distributing data to a large group of participants [1][2][3] since it reduces the demands on network and bandwidth resources.But, the communication among these participants must be carried out confidentially.Thus, a common key known as group key or secret key must be established with all the users in the group, so that any group member can encrypt the message using this key, and all others can decrypt the message using the same key.The group, being dynamic in nature, allows member join and leave events.Efficiently managing group key for large, dynamically changing groups is a difficult problem.Every time when a new member joins the group, the group key must be changed in order to provide backward access control (i.e., new members should not be able to access past communication).Similarly, when a user leaves the group, the group key must be changed so that leaving member cannot have access to future communication that takes place between remaining group members, known as forward access control.This group key updating process is referred to as rekeying.
Rekeying process involves changing the group key whenever there is a membership change and distributing it among the members of the group in a secure manner.To communicate changed key among group members securely, rekey messages are constructed, encrypted, and multicast to the group.The overhead involved in rekey operation, that is, key updation, number of encryptions performed, and communication cost must be minimum and should be independent of the group size, which improves scalability.
Several secure group key management techniques have been proposed to support scalable secure multicasting [4][5][6][7][8][9][10].In a typical multicast key management scheme, there is a trusted third party, known as Key Distribution Center (KDC).This single trusted centralized entity is responsible for generating and distributing keys securely to the group members.Among the schemes which involve KDC [7,[11][12][13][14][15], the scheme proposed by Wong et al. in [7] is efficient and is widely used since it improves scalability.The scheme uses a hierarchical tree structure in which users are maintained at the leaf level, and every user is assigned with keys along the path of its location till the root.Besides group key, the KDC shares auxiliary keys that are used solely for the purpose of updating the group key and other auxiliary keys.In addition, every user shares a private key that is known by itself and the KDC.These schemes are referred to as key-based schemes.
Hierarchical tree structure is also used in Centralized Key Management with Secret Sharing (CKMSS) [16,17].In this scheme, KDC considers a t degree (t is a nonzero positive integer) polynomial with the constant term of the polynomial being the secret key.It computes t distinct shares known as prepositioned information and stores them at the users.To compute the group key, (t + 1) shares of the polynomial are required, and this (t + 1)th share is sent as an activating share by the KDC.Once the group key is computed, it is used until a member joins or leaves the group.For every membership change (join/leave), to perform rekey operation, KDC multicasts an activating share to enable the members to compute new group key.These schemes are called share-based schemes.
Both the key-based and share-based schemes discussed above are designed for managing keys for a group of users enjoying same privilege and are not suitable for handling multilayer and multiple SGC scenario.But, for certain applications, it is necessary to have multilayer group communication scenario where members in the system have different privileges.In some applications a member u in the system may be part of several groups.In this paper, we address the above two cases of Secure Group Communication (SGC) and propose key management schemes.
We organize the paper as follows: Section 2 focuses on the applications of multilayer SGC and highlights the schemes proposed to address such scenario in detail.Section 3 concentrates on our scheme to manage multilayer hierarchy.We discuss initial key computation, rekeying during join/leave operation, periodic rekeying.In section 4 we compare the performance of our scheme with Dexter et al. scheme.Section 5 deals with setting up multiple groups, initial key computation, and rekeying.Section 6 presents authentication to multiple SGC, and we conclude the paper in Section 7.

Applications of Multilayer SGC
(i) In multimedia applications, we can consider two categories of receivers: high-definition television (HDTV) and traditional television.Users with HDTV receivers can form one subgroup and others with traditional television receiver can form another subgroup.Users with traditional television receivers can receive the normal format, while the users with HDTV receiver can receive both the normal format and the extra information needed to achieve HDTV resolution.Thus, there are two layers, group with HDTV receiver forms higher layer subgroup and the one with traditional television receiver forms lower layer subgroup.This application requires a multilayer SGC scenario.
(ii) In multicast scalable video service, the video is encoded into 3 quality levels: basic quality level, medium quality level, and best quality level.Here, the users can be classified into 3 different layers based on the quality of the video they purchase: base layer (BL), enhancement layer 1 (EL1), and enhancement layer 2 (EL2).The users purchasing the basic video quality level belong to BL group, users purchasing the medium quality level belong to both BL and EL1 groups, whereas the users purchasing the best quality level belong to all the three, that is, BL, EL1, and EL2 groups.Thus, users with access to higher-quality video service must also have access to lower-quality ones.
(iii) Military troop contains different categories like Captains, Lieutenants, Sergeants, Corporals, Soldiers, and so forth, and this requires a hierarchical group communication model.Captains are at the highest layer, Lieutenants at the second higher level layer, Sergeants at a layer below Lieutenants, Corporals at the next lower layer, and Soldiers must be at the lowest layer as considered in [18].Soldiers should be able to communicate only with other Soldiers (peer members), whereas Sergeants can communicate with other Sergeants as well as with Corporals and Soldiers.Similarly Captains should have access to all the communications that take place between different classes.
(iv) In project management, a single project is divided into multiple modules, and set of users are made to design a particular module.Users involved in handling one module form one secure group.This may lead to a scenario in which it is necessary to set up multiple secure groups simultaneously.
To manage the above type of scenarios, a naive solution is to extend key-based and share-based tree structure, by using independent trees for each layer.But, this is inefficient and does not scale well when there are many layers.Hence, there is a need to have a multigroup key management scheme that exploits the overlap in the memberships of different layers.Two key management schemes have been developed to provide hierarchical access control.The scheme proposed in [19,20] is key-based, where each layer has its own session key and whenever there is a membership change in any layer, corresponding session key is changed and securely transmitted to appropriate group members.The scheme proposed in [21] is share based.For each layer, a polynomial of degree t is considered, and t distinct shares of this polynomial are stored at the members of that layer (prepositioned information) and KDC sends (t + 1)th share as an activating share so that members can compute group key for that layer.Whenever there is a membership change in any layer, KDC just sends a different activating share to the members of that layer so that they can compute a new group key for that layer.
In [18], a military application is considered to illustrate multilayer secure group communication.Military officers belonging to different categories (Captains, Lieutenants, Sergeants, Corporals, Soldiers, etc.) are divided into subgroups and are hierarchically placed one above the other.Higher layer officials can have access to the communication between its descendant lower-layer subgroups.To provide this feature, it uses a one-way hash function H(•) to compute a chain of keys.The main idea of using H(•) function is to relate layers' keys in such a way, that is, knowing a key of its own layer, a member can compute keys of lower layers.Thus, Captains are given with random key K, for the Lieutenants H(K) is given, for Sergeants H(H(K)) = H 2 (K) is sent, Corporals are assigned with H 3 (K), and Soldiers with H 4 (K).Captains can access the communication between the Sergeants, by computing the key H 2 (K).
In [19,20], Sun and Liu used tree-based hierarchical approach to handle broadcasting multimedia applications in different layers to different groups of users.
To the best of our knowledge, only SGC within a single group is addressed in the literature.A SGC among multiple groups is not addressed in the literature.In this paper we address key management schemes for multilayer and multiple groups and our schemes can be used for the applications explained above.

Multilayer Secure Group Communication.
Multilayer key management scheme proposed in [19,20] uses the following model: a set of users U = {u 1 , u 2 , . . ., u N } is partitioned into M subsets (subgroups) P 1 , P 2 , . . ., P M such that members of P i and can communicate with each other.However, members of P i can communicate with members of P j , i > j, but not vice versa, 1 ≤ i, j ≤ M. We say that the members of subgroup P i are at layer i and members of subgroup P i belong to subgroup P j , i > j.Members of subgroup P i overlap with the members of subgroup P j , i > j. Figure 1 illustrates the arrangement of different subgroups P i in layered approach, i = 1, 2, . . ., M.
To manage keys for multiple layers in traditional hierarchical tree-based key management scheme, a separate key tree is constructed for each layer.Although it is easy to implement using independent trees, a substantial overhead is introduced in managing the keys due to the overlapping membership in different layers.
In order to manage the keys of all the subgroups, independent trees are integrated into one key graph in [19,20], and it uses a key-based scheme to manage the keys.In [21], integrated key graph as in [19,20] is used, but for key management it uses share-based scheme.The key management scheme proposed in [21] is explained as follows: (1) KDC fixes the security parameter t, (2) KDC constructs a Logical Key Tree (LKT) as in [7] for the subgroup P i at layer i.For a secure group with S i users, there are at most 2S i − 1 nodes in LKT and the height of the LKT, is log 2 S i , (3) for each node in LKT of subgroup P i , KDC selects randomly t − 1 number of distinct points ( To each user u ∈ P i , KDC sends securely (t − 1)log 2 S i shares pertaining to the shares for the nodes along the path from leaf node u till root, (4) KDC selects another point (x t , y t ) called activating share (AS) and broadcasts it to the members of all the layers in the system, (5) a member of the subgroup P i constructs log 2 S i number of polynomials of degree (t − 1) using the corresponding shares it has received from KDC and AS, i = 1, 2, . . ., M and evaluates each polynomial at 0 to get the keys, and (6) KDC also constructs polynomial of degree (t − 1) for each node k in the LKT of P i using the t − 1 points (x i k j , y i k j ) and AS and evaluates at 0 to get the corresponding key for that node.
In this scheme, each key is computed by constructing a t − 1 degree polynomial using t − 1 different prepositioned shares and a common activating share.In this scheme, each user u i is required to store prepositioned shares of the nodes from leaf to the root.

Proposed Key Management Scheme for Multilayer SGC
We propose to use the key graph structure as in [19,20].We construct individual key trees for different layers and then integrate them.We use the same model that is explained for Dexter et al. scheme and try to reduce the amount of storage required at both KDC and users [22].For auxiliary keys, we use random elements, and we compute the group keys as described below.KDC fixes the security parameter t, computes, and distributes the keys and shares as follows: (1) KDC selects randomly t − 1 number of points (x i , y i ) in GF(p) called prepositioned shares, i = 1, 2, . . ., t − 1 and an activating share (AS) and sends securely to the members of all the subgroups P 1 , P 2 , . . ., P M , (2) KDC constructs LKT for the subgroup P 1 at layer 1 with the subgroup key G 1 .The key G 1 is obtained by constructing a polynomial P(x) of degree t − 1 using the t − 1 points (x i , y i ) and AS and evaluating at 0 to get G 1 = P 1 (0).KDC sends secretly to each user u of P 1 , all the auxiliary keys along the path of LKT from leaf u to the root, (3) KDC selects group share (xg j , yg j ) for the subgroup P j and sends secretly to the members of the subgroup P j , P j+1 , . . ., P M , j = 2, 3, . . ., M, and (4) KDC constructs LKT for the subgroup P j at layer j with the subgroup key G j .The key G j is obtained by constructing a polynomial P j (x) of degree t + j − 2 using t − 1 prepositioned shares, AS, and j − 1 group shares (xg l , yg l ), l = 2, 3, . . ., j and j = 2, 3, . . ., M. It evaluates the polynomial P j at 0 to get G j = P j (0).To each user u of P j , KDC sends secretly all the auxiliary keys along the path of LKT from leaf u to root.
Figure 2 shows the hierarchical key tree structure with M layers.Figure 3 shows an example integrated key graph for three layers in which three independent groups are integrated to form a three-layer hierarchy.In Figure 3, G 1 , G 2 , and G 3 represent the roots of the subgroups P 1 , P 2 , and P 3 , respectively.
We are addressing the following events: (1) a new member joins the service, (2) a member leaves the service, and (3) a member moves from one service layer to another service layer.

Member Join Event.
When a new member, u new , joins any layer i, i = 1, . . ., M, keys along the path from the joining point till the root must be changed and conveyed to corresponding users.Instead of KDC changing the keys or sending a new activating share, we allow the members of layer i themselves to compute the new group key and auxiliary  keys on their own by applying one-way hash function to the corresponding previous keys.KDC also applies one-way hash function to the previous keys on the path from the joining point till the root.Members at layers i + 1 to M change the group key G i by applying one-way hash function to previous group key G i .For the new user, u new , KDC sends t − 1 prepositioned shares (x i , y i ), auxiliary keys of P i along the path to where u new is inserted, and group key G i and i group shares (xg i , yg i ) by encrypting with the private key of u new , i = 1, 2, . . ., M.

Member Leave Event.
If a member at layer i leaves, i = 1, 2, . . ., M, the following keys have to be changed: (1) keys along the path from the leaving position till root, (2) subgroup key G i , and KDC generates keys along the path and sends them securely to the required members of the group.KDC generates and sends a new activating share securely to the members of the subgroups P 1 , P 2 , . . ., P i .Users of group P j construct the polynomial P j (x) using prepositioned shares, group share, and new activating share and compute the group key G j by evaluating the polynomial P j (x) at 0, j = 1, 2, . . ., i.
We illustrate this with the following example.From Figure 3

Periodic Rekeying.
If the content has very high value, even though there is no membership change, group key must be changed for all the layers periodically.This leaves the attacker with very less time to attack on the current key values.To achieve this periodic rekeying, we fix a rekey period/interval.After the expiry of each rekey interval, rekeying process is initiated.For periodic rekeying, we propose two methods.
Method 1. (i) KDC sends an activating share by encrypting it with layer 1 group key, G 1 .
(ii) Since all the users u 1 , u 2 , . . ., u N in the system belong to subgroup P 1 , they know the subgroup key G 1 and can decrypt the activating share.
(iii) Users of subgroup P i compute new subgroup keys G 1 , G 2 , . . ., G i using new activating share, prepositioned shares and group share (xg i , yg i ).
Method 2. The users compute the new group key after every rekey interval by applying a one-way hash function on the current group keys.This reduces the communication and computation cost since it avoids reconstruction of the polynomial.

Comparison
Storage at Each User.In Dexter et al. scheme [21], each user u ∈ P i stores the shares of the keys along the path from leaf to the root, i = 1, 2, . . ., M. If there are S i users in P i , then height of the tree is log 2 S i .Thus each user u ∈ P i stores (t − 1) log 2 S i number of elements.
In our scheme, each user u ∈ P i stores (t − 1) prepositioned shares, an activating share, i number of group shares and log 2 S i auxiliary keys.
Storage at KDC. KDC is required to store shares of all the keys in the system.For a total of N users in the system, there are at most 2N − 1 nodes.Thus, storage required at KDC in Dexter et al. scheme is (t−1)(2N −1).In our scheme there are t + M − 1 shares and 2N − M − 1 auxiliary keys in the system.Hence KDC is required to store only 2N + t − 2 elements.Encryption Cost.In Dexter et al. scheme, if a member leaves any layer i, i = 1, . . ., M, in order to change the keys along the path till the root, corresponding prepositioned shares must be changed, which leads to (t − 1) log 2 S i encryptions.Also, prepositioned shares meant for different layers must be changed, which results in (t − 1)i encryptions.Hence, the number of elements encrypted is (t − 1)( log 2 S i + i).Whereas in our scheme, keys along the path and an activating share are encrypted; thus, it is just ( log 2 S i +it) encryptions.
Computation Cost.In Dexter et al. scheme [21], the group key for each layer i is computed by constructing a (t − 1) degree polynomial and evaluated at 0. In our scheme, as we move up the hierarchy, degree of the polynomial is incremented by 1.Though it requires more amount of computation as compared to (t−1) degree polynomial, it improves the resistance of the system to attack; hence, the system is more secure.
Table 1 gives the comparison of our scheme with the scheme proposed by Dexter et al. [21] in terms of storage and encryption cost.
Table 2 compares the performance of our scheme with Dexter et al. scheme [21].To have fair comparison we consider 4 layers N 1 , N 2 , N 3 , and N 4 and a polynomial of degree 5, that is, t − 1 = 5.N 1 is the layer at lower privilege level, and N 4 is at higher privilege level.
Consider an example with 128 users at layer N 1 , 64 users each at layers N 2 and N 3 , and 32 users at layer N 4 .Heights of the trees at layers N 1 , N 2 , N 3 , and N 4 are 7, 6, 6, and 5, respectively.Number of keys stored at KDC in Dexter et al. scheme is (t − 1)(2N − 1) at each layer which sums up to be 2860, whereas in our scheme we get only 588 keys at the KDC which is computed as 2N + t − 2.
In Dexter et al. scheme, users at layer N 1 store h 1 +i = 7+1 sets of prepositioned information, namely, 8 * 5 = 40 keys.Users at layer N 2 store 6 + 2 = 8 sets of prepositioned information, users at layer N 3 store 6 + 3 = 9 sets of prepositioned information, and users of layer N 4 store 5 + 4 = 9 sets of prepositioned information.In our scheme, the number of keys at different layers N 1 , N 2 , N 3 , and N 4 is only 12, 12, 13, and 13, respectively.In Table 2 we also have recorded the percentage of savings achieved in our scheme.From the values recorded in Table 2, it is clear that we achieve substantial savings in storage and encryption cost as compared to Dexter et al. scheme.For instance, for a secure group with 4096 users and with a fixed security parameter t = 10, we achieve 80% savings in storage at KDC and about 73% savings in storage at the users.

Multiple Simultaneous SGC
A project may be divided into several modules, and each module may be assigned to a group of members.It may be necessary for some members to deal with two or more modules depending on the requirement.It is required that each module should be developed confidentially so that members developing a particular module must communicate among themselves securely.Hence, each group should have a group key, and members belonging to two or more groups should possess group keys of all those groups for which they are members.We develop a key management scheme for such multiple SGC with efficient storage, computation, and communication costs [23].

Key Management Scheme.
We consider a set of users U = {u 1 , u 2 , . . ., u N } and M subgroups P 1 , P 2 , . . ., P M such that some users are present in more than one subgroup.For each subgroup P i , a logical key tree is constructed, i = 1, 2, . . ., M. The height of the tree for subgroup P i depends on the number of users in P i .If there are N i (N i ≤ N) number of users in group P i , then the height is h i = log 2 N i .An user u i is assigned with a private key K i , i = 1, 2, . . ., N and auxiliary keys along the path from u i to root of the key tree.This section deals about initial group setup and computation of group key(s).

Initial Group Setup and
Group Key Computation.Our scheme is based on centralized key management scheme using logical key tree (LKT) approach as proposed in [7].Hence, we assume a trusted KDC which is responsible for initial group(s) setup and rekeying operations.Users in the system are provided with unique identification number, and the groups are assigned with group numbers.To begin with we allow the KDC to fix the security parameter t.
The KDC generates and sends a unique private key K i , i = 1, 2, . . ., N to the requesting user u i over a secure channel (we assume that, at the initial stage, a secure channel is established between KDC and the joining user).Hence, every user shares a private key with the KDC.
(2) KDC selects randomly t − 2 number of points (x i , y i ) in GF(p) called prepositioned basic shares, i = 1, 2, . . ., t − 2 and (x t , y t ) as activating share (AS).These shares are sent securely to the members of all the subgroups P 1 , P 2 , . . ., P M .
(3) KDC selects randomly M points (xg i , yg i ) in GF(p) called prepositioned group shares distinct from the previously selected points and sends (xg i , yg i ) securely to the members of the subgroup P i , i = 1, 2, . . ., M.
(4) KDC constructs LKT for the group P i with the group key G i .The key G i is obtained by constructing a polynomial P i (x) of degree t − 1 using the shares (x i , y i ) of step 2 and the prepositioned group share (xg i , yg i ).The group key is G i = P i (0), i = 1, 2, . . ., M. KDC sends secretly to each user u of P i , all the auxiliary keys along the path of LKT from the leaf u to the root.
(5) If an user u is a member of j number of groups (1 ≤ j ≤ M), it is provided with (t −2) prepositioned basic shares along with AS and j number of prepositioned group shares.It constructs j distinct polynomials.A polynomial P k (x) is constructed by using t − 1 shares of step 2 and prepositioned group share (xg k , yg k ), k = 1, 2, . . ., j.Thus, it can construct j distinct polynomials just by using one distinct group share.
Group P 1 Group P 2 Group P 3 Figure 4: Key tree structure for multiple groups.Figure 4 shows an example key tree structure with 3 groups, namely, P 1 , P 2 , and P 3 set up simultaneously.Group P 1 comprises of eight members u 1 , u 2 , . . ., u 8 , group P 2 contains u 6 , u 8 , u 9 , and u 10 as its members, whereas members u 5 , u 11 , u 12 , u 13 , u 14 , and u 15 belong to group P 3 .In Figure 4, u-nodes represent users, and K-nodes represent keys.Key nodes K 1 through K 15 are private keys of users u 1 through u 15 , respectively, and remaining K-nodes in the figure represent auxiliary keys.G 1 , G 2 , and G 3 are the group keys of the groups P 1 , P 2 , and P 3 , respectively.
For example, let us consider t = 4, p = 41 and the (t − 2) prepositioned basic shares as (1, 28), (2,23) and AS as (4,4).Assume that KDC sends (3,11), (3,8), and (3,5) as the prepositioned group share for the members of the groups P 1 , P 2 , and P 3 , respectively.Hence, the members of the group P i , i = 1, 2, 3, now possess t; that is, 4 shares with them, and they can construct (t − 1) degree polynomial and evaluate it at 0 to get the group key.Thus the members of group P 1 get the group key G 1 as 14, members of P 2 get the group key G 2 as 2, and G 3 is computed by members of P 3 as 34.Hence, user U 5 , for instance, can compute group keys for both the groups P 1 and P 3 .

Member Join Event.
If a new user u new wants to join the group P i (1 ≤ i ≤ M), it sends a join request to KDC.KDC finds a location for the user u new in the LKT of P i and inserts it.To provide backward access control, keys along the path from the point of insertion till one level below the root are changed and communicated to the corresponding users.In order to change the group key G i of P i , KDC picks a new value of group share (xg i , yg i ), encrypts it with the previous group key G i , and sends it to the users of the group P i .For the user u new , KDC sends keys along the path from u new to root, prepositioned shares (basic shares and group share) and AS after encrypting with the private key of u new .The new user constructs the polynomial and evaluates it at 0 to get the group key G i .
For instance, if a new user u 16 sends a join request to join the group P 3 , KDC inserts u 16 at the location as shown Figure 5: Key tree structure for multiple groups after user u 16 joins the group P 3 .
in Figure 5. KDC changes the key K 1417 to K 1417 and picks a new value for group share, say (xg 3 , yg 3 ).To convey changed keys and share to corresponding users, KDC constructs the following rekey messages: Now, suppose that if user u 17 sends join requests to join two groups P 2 and P 3 , the LKT looks as in Figure 6 after inserting u 17 to both the groups of Figure 5. KDC constructs the following rekey messages to convey changed keys and group shares: If a member joins a group G i with N i members, then at most log 2 N i keys are changed.To convey changed keys to the members of the group, 2log 2 N i encryptions are performed and log 2 N i rekey messages are constructed.In general, if a member joins j number of groups, j i=1 log 2 N i keys are changed, 2 j i=1 log 2 N i encryptions are performed, and j i=1 log 2 N i rekey messages are constructed.

Member Leave Event.
A member may leave the group either voluntarily or KDC may forcibly expel the member from the group.In any case, the keys known to leaving member in the LKT must be changed to provide forward confidentiality.If a member u l wants to leave the group P i (1 ≤ i ≤ M), it sends a leave request to KDC.Here, we encounter two cases.
Group P 1 Group P 2 Group P 3 Figure 6: Key tree structure for multiple groups after user u 17 joins the groups P 2 and P 3 .
Case 1.If u l belongs to only one group P i , (i) KDC removes the corresponding user-node and private key-node from LKT, (ii) KDC changes the keys along the path from leaving point till one level below the root in P i selects new group share (xg i , yg i ) and conveys to corresponding users in P i .
Case 2. If u l belongs to more than one group, (i) KDC detaches u l from the group P i , (ii) KDC changes the keys along the path from leaving point till one level below the root in P i selects new group share (xg i , yg i ) and conveys to corresponding users in P i .
For example, consider the multiple groups scenario as in Figure 6.Now, if user u 5 wants to leave the group P 3 , it sends a leave request to KDC.KDC detaches u 5 from the LKT of P 3 and changes the keys along the path as shown in Figure 7, and to convey changed keys it constructs the following rekey messages: If a member leaves the group P i , which contains N i members, then log 2 N i values are changed, 2log 2 N i number of encryptions are performed, and log 2 N i rekey messages are constructed to convey changed keys to the members of the group.

Member Moving from One Secure Group to Another.
There are two cases.
Case 1.A member u m wants to move from group P i to the group P j .
(i) u m sends a move request to KDC.
(ii) This request is interpreted as member leave event for the group P i and member join event for group P j .
(iii) KDC detaches u l from the LKT of the group P i .
(iv) To provide forward access control for group P i , KDC changes the keys along the path from the leaving point till one level below the root in the LKT of group P i .
(v) KDC inserts u new in LKT of the group P j .
(vi) To provide backward access control in group P j , KDC changes the keys along the path from insertion point till the root in LKT of group P j .
(vii) To change group keys of the groups P i and P j , KDC changes group shares (xg i , yg i ) and (xg j , yg j ).
(viii) KDC conveys securely changed keys and group shares to corresponding members of the groups P i and P j .
Case 2. A member u m ∈ P i wants to join the group P j .
(i) u m sends a join request to KDC.
(ii) KDC inserts u m in the LKT of group P j .
(iii) To provide backward access control in group P j , KDC changes the keys along the path from insertion point till the root in the LKT of group P j .
(iv) To change group key of P j , KDC changes group share (xg j , yg j ).
(v) KDC conveys securely changed keys and group share to corresponding members of the group P j .
To illustrate the member-moving scenario, consider Figure 7 and assume that user u 4 wants to move from group P 1 to group P 2 .It sends to KDC the move request.KDC inserts u 4 in the group P 2 as shown in Figure 8 and changes the keys K 34 and K 14 in group P 1 and the keys K 17−1 , K 17−2 in group P 2 .It picks new values for group shares (xg 1 , yg 1 ) and (xg 2 , yg 2 ), and, in order to convey changed keys and shares securely, it constructs the following rekey messages: Thus, when a member moves from one group with N i members to another group with N j members, log 2 N i + log 2 N j keys are changed, 2(log 2 N i + log 2 N j ) encryptions are performed, and log 2 N i + log 2 N j rekey messages are constructed.
Figure 7: Key tree structure for multiple groups after user u 5 leaves the group P 3 . Group Figure 8: Key tree structure for multiple groups after user u 4 moves from group P 1 to group P 2 .
5.6.Storage.If there are N i users in group P i , then the height of the LKT for P i is log 2 N i .A user u of the group P i stores log 2 N i − 1 auxiliary keys, (t − 1) prepositioned shares and an AS.If a user u is a member of j number of groups, it needs to store j i=1 ( log 2 N i − 1) auxiliary keys, (t−2+ j) prepositioned shares, and an AS.Thus, even though a particular user belongs to all the M groups in the system, it needs to store at most M i=1 log 2 N i + t − 2 elements from GF(p) and can compute keys for all the groups.
We plot the graphs to depict the percentage of savings achieved in storage cost and encryption cost when compared to Dexter et al. scheme.The graph in Figure 9 shows the percentage of savings achieved in storage at KDC.It is plotted for different values of the security parameter t.Figures 10 and 11 show the percentage of savings with users in different layers.They are plotted by keeping the value of t as 5 and 10, respectively.From the graphs it is clear that the storage savings at KDC varies from 75% to 95% and with the users it varies from 68% to 73%.Figures 12 and 13 show the percentage savings in encryption cost that are plotted by keeping the value of t as 5 and 10, respectively.Savings in encryption cost vary from 45% to 85%, and it is observed that the the percentage of savings is proportional to the value of t.As we move from lower layers to higher layers, the cost of savings decreases.

Authenticated Secure Group Communication
Once the groups are set up, members of the group can communicate with each other securely.When a member u i , i = 1, . . ., N of group P j , j = 1, . . ., M sends an encrypted message to members of P j , they must identify that the message is from u i and also if any other user u q tries to act as u i , others must identify that it is not u i .This section briefs about the authenticated secure group  communication.Protocol in Table 3 depicts authenticated communication between group members.In the protocol, the symbol denotes concatenation, and E K [m] denotes message m encrypted with key K.If user u i , i = 1, . . ., N wants to send a message to group members, it sends a request to KDC.Request includes identity ID i of u i , group number P j , j = 1, . . ., M and a time stamp value T. KDC picks a random number r from GF(p), applies hash function to compute H(r), and broadcasts [H(r) ID i P j T] after encrypting with group key G j , so that only the members of group P j can decrypt it.KDC sends u i , the message, [r P j T] after encrypting it with the private key of u i .Thus, the value of r is available only to u i .Now, u i in order to send a message, m, constructs the message [r ID i P j T m], encrypts it with the group key G j , and sends.Only members of group P j can decrypt it and apply hash function for the received value of r to compute H(r) and verify that this value is same as the one received from KDC.If it is true, then they realize that the message is from u i as it is claimed; otherwise, they realize that some one else is trying to impersonate as u i .

Conclusion
Managing multiple groups with overlapped membership is one of the important issue in group communication scenario.In this paper we proposed a scheme for such hierarchical group key management using a combination of key-based and share-based approach.It is possible for the members at higher layers to compute the keys for its own layer along with all its descendant layers just by storing extra prepositioned information.Our scheme is secure, even if a member compromises, it is not possible to get the group key unless activating share is obtained.We reduce both storage and encryption cost compared to Dexter et al. scheme.We proposed two schemes for periodic rekeying.
Managing group keys for independent simultaneous secure groups is an important issue in SGC.In this paper we considered such multiple secure groups with overlapped membership and proposed a key management scheme using a combination of key-based and share-based approach.We showed that, even if a particular user belongs to all M secure groups, it needs to store at most (Mh + t − 2 + M) elements from GF(p) and is able to compute keys for all the groups.Encryption cost and number of key changes are of the order of log N for membership changes (join, leave, and a member moving from one group to another).We also provided authentication for the messages communicated between group members.

Figure 2 :
Figure 2: Hierarchical key tree structure for multilayer secure group communication with M layers.

Figure 3 :
Figure 3: An example integrated key graph with auxiliary keys and group keys.

Table 1 :
Comparison of storage and encryption cost.

Table 2 :
Performance of multilayer SGC.

Table 3 :
Protocol for authenticated secure group communication.(1)ui→ KDC: E Ki [ID i P j T] (2) KDC → u i : E Ki [r P j T] (3)KDC → {Members of P j }: E Gj [H(r) ID i P j T] i → {Members of P j }: E Gj [r ID i P j T m]