A key management scheme evaluation using Markov processes

Content access control aims at ensuring that, in a system with several resources, users can only access resources they are authorized to. Resources are encrypted using cryptographic keys. Generating, distributing and renewing these keys are the challenges faced by key management schemes. While most of the existing key management schemes are typically evaluated by simulation. We propose, for the first time, to use Markovian processes for this purpose. Markovian processes give more accurate evaluation. The key tables-based key management scheme for linear hierarchies (KTLH) is a particularly interesting key management scheme; it was initially proposed for securing group communications, but could easily be adapted to other application such as wireless sensor networks. KTLH requires each user to maintain a set of keys. The keys and size of the key set change dynamically, making the evaluation of the overheads of KTLH a challenging task. Our contribution is threefold, we have (1) modeled KTLH using Markov processes, (2) evaluated KTLH according to its storage, computation and bandwidth overheads and compared it to existing key management schemes and (3) shown how our approach could be generalized to other key management schemes.


Introduction
Ensuring content access control is a critical security issue within hierarchies. A hierarchy is defined using a set of access rights (privileges), and each entity in the hierarchy has a subset of these access rights. Content access control in a hierarchy (CACH) is required in any context where a set of sensitive information items should be accessed with a set of access rights. A user might have access to particular items while others do not. The main goal of CACH is to ensure that users access only items to which they are entitled. CACH is required in several contexts such as ensuring access control to resources shared on a cloud or protecting messages in a hierarchical group (e.g., military communications).
For example, in a multilayered video streaming application with a basic layer quality, and N enhancement layers (EL). A user who pays for enhancement layer E L i should be able to access enhancement layers of lower quality, but not to enhancement layers of higher quality. Ensuring content access control in this example can be carried out by encrypting the different enhancement layers using different keys. Each user will have the key of the enhancement layer they are entitled to, as well as (the required information to get) the keys for the enhancement layers of lower quality. These keys are called Resource Encryption Keys (REK). Key management for CACH aims at efficiently generating, distributing and renewing these keys while fulfilling the security requirements of content access control [1].
Key management for CACH is a challenging security problem. The key management problem has already been addressed for flat systems. In a flat system, there is only one data stream. That is, a user can be authorized to access either all data or nothing. Adding a hierarchy makes the key management more complex. Indeed, in a hierarchy, there are several data streams, each encrypted using a different keys.
Markov processes (aka continuous time Markov chain CTMC) are a category of stochastic processes that have the Markov property [2]. They have been extensively studied in the stochastic processes literature [3][4][5], and interesting properties have been established for them. Numerical properties of key management schemes can be modeled by Markov processes.

Our contribution
In this paper, we show how to model key management schemes using Markov models. We have chosen the key tables-based key management scheme for linear hierarchies (KTLH) key management scheme [6] because of its complex and random behavior. Applying Markov processes to other key management schemes is likely to be of similar or less complexity. Our contribution is threefold, we have (1) modeled KTLH using Markov processes, (2) evaluated KTLH according to its storage, computation and bandwidth overheads and compared it to existing key management schemes and (3) shown how our approach could be generalized to other key management schemes.
The next section reviews the problem of content access control in hierarchies and its key management issues, and gives an overview of the existing key management schemes including KTLH. Our Markov model and its results are presented in Sect. 3. In Sect. 4, we evaluate the overheads of KTLH using the results of our model. We present our conclusions in Sect. 5. An appendix contains the required theoretical background on Markov processes.

Content access control in hierarchies
A hierarchy can be defined in two steps. First, the entities within the system are divided into security classes (SC) according to their access rights. Second, an ordering relation is defined on the classes. Ordering the classes is based on the access rights. These access rights allow to say that a class is more privileged than another, thereby defining the hierarchy. A security class contains users who have exactly the same access rights. Users could be individuals, devices or processes.
A security class SC i covers (or dominates) another security class SC j and we denote it by SC i SC j if and only if any user in SC i has access to all information items in SC j . Users within the same security class could be assigned the same role in a role-based access control (RBAC) context.
A very interesting type of hierarchy is the linear hierarchies. In such a hierarchy, security classes form a directed chain. The first class in the chain is the most privileged. Indexes can be assigned such that i < j ⇔ SC i SC j . That is, SC 1 is the highest class.

Key management schemes for CACH
Key management typical tasks are Resource Encryption Keys (REK) generation and renewal [1]. The REK renewal is necessary to ensure confidentiality when users join or leave the hierarchy. That is, a new user must be prevented from accessing data exchanged before they join the hierarchy. This requirement is called backward secrecy. Inversely, a leaving user should not have access to data exchanged after they leave the session (forward secrecy requirement). A renewal must be carried out after their departure.
The existing key management schemes for CACH can be divided into two approaches: the dependent-keys and the independent-keys approaches [1] as shown in Fig. 1.
The independent-keys approach originates from the multicast security community. More precisely, from works on key management, hence, these schemes use usual key trees and graphs techniques [7]. In order to access any information item, the user must have a copy of its decryption key.
In the dependent-keys approach, in order to access a given information item (message), a legitimate user does not need to have the key with which it is encrypted. But using merely their own key, combined with some public parameters and/or functions, they can compute the key used to decrypt the item. The resulting key management schemes typically use complex cryptographic techniques.
The dependent-keys schemes can be further divided in two categories as shown in Fig. 2: indirect access schemes and direct access schemes. In indirect access schemes, if SC i SC j , members of SC i must compute all intermediate keys on the path from SC i to SC j in order to be able to compute the key of SC j . Sandhu [8,9], Gudes [10] and Yang and Li [11] proposed indirect schemes that are based on one-way functions. In these schemes, the key of a class is computed from the key of its parent using a one-way function.
A direct scheme avoids the computation of intermediate keys by using additional public parameters. Most of the schemes proposed in this approach use prime numbers fundamental properties (Akl and Taylor [12], Ray et al. [13], Zou et al. [14]) and other theoretical cryptographic notions (Hardjono et al. [15] and Zheng et al. [16]). Shen and Chen [17], Zhang et al. [18], Tzang et al. [19] and Das et al. [20] used Newton's polynomial interpolation to correlate classes' indices with their keys.

Discussion
Independent-keys schemes are quite simple to deploy. However, they do not offer an efficient support for hierarchy changes. On the other hand, dependent-keys schemes have the advantage of minimizing the number of keys maintained by users. This is carried out using well-chosen public parameters. However, in most of the schemes proposed in this approach, the number of public parameters is quite important which obsoletes the idea of reducing storage on user's side. One-way functions-based techniques is a good solution for storage overhead issues. In these techniques, keys of the security classes are iteratively generated using a one-way function (possibly combined one or more public parameters). Linking the keys using such functions allows replacing a set of keys by only one key. Nevertheless, changing one key in a set of related keys implies the renewal of the whole set. This generates an additional renewal overhead. KTLH is based on one-way functions but uses a keys table mechanism to avoid renewing the whole set of keys. It is important to understand how KTLH works before we describe our model. We will briefly recall it in the next section.

KTLH
KTLH is a dependent-keys key management scheme for linear hierarchies. KTLH allows users to join and leave the hierarchy, as well as to be promoted (moving to a higher class) or degraded (moving to a lower class) within the hierarchy.
KTLH links keys in such a way that, knowing their own keys table, a user can compute keys of lower classes. Keys tables are used in KTLH to maintain the links between the keys.
Initially, KTLH generates a random key K 1 and uses a hash function H to compute a chain of keys using the formula: where K c is the key of the c th class. Then each key K c is sent to its corresponding class SC c . Thus, only one key is sent to each user. Once a user in class SC c receives their key, they can, if required, compute the key of any class SC u , SC u < SC c , by simply applying (u − c) times H to K c . Since the keys are renewed several times, we denote by K p c the key of SC c after the ( p − 1) th key renewal. That is, p is the version of the key. The initial key of SC c is denoted K 1 c . The novelty in KTLH is the use of keys tables to maintain the key chain. Initially, the table of a user in SC c only contains the pair (c, The keys tables evolve with the hierarchy membership changes. For instance, when a user leaves the c th class, the key K 1 c of SC c and keys of all lower (but not higher) classes are renewed (because the leaving user knows them). An update message, containing the pair (c, K 2 c ), is sent to higher classes who update their keys tables by adding an entry to it to contains the pair. So, for example, users in class 1 will have in their keys tables, in addition to the pair (1, K 2 1 ), the pair (c, K 2 c ). Note that the key of SC 1 remains unchanged. This is why its upper index (version) remains the same.
Obviously, if the update messages are not used, users in SC 1 will not be able to find K 2 c . This is because it was not computed based on K 1 c−1 using H. In order to overcome chain discontinuity problem, users maintain keys tables. Each time that a user receives an update message, they make necessary updates to their keys tables. Later on, when they need to compute the key of a lower class u, the user looks in their table for the greatest class index c such that c ≤ u. KTLH is a dependent-keys key management scheme because it uses a one-way function. The next examples illustrates how KTLH builds keys tables. Example Let us consider a system with five security classes (C = 5). Initially, every user needs to know only her own class key. Assume that a user in SC 2 has just been demoted to SC 4 . In order to prevent this user from accessing future communications/information items of SC 2 and SC 3 , K 1 2 and K 1 . That is, the new content encryption keys are K 2 2 and K 2 3 , whereas K 1 1 , K 1 4 and K 1 5 remain unchanged. KTLH sends K 2 2 to users in SC 2 and K 2 3 to those in SC 3 . It also sends keys tables update messages to SC 1 , SC 2 and SC 3 ; users of SC 2 and SC 3 will receive only one message containing the pair (K 2 4 , 4), whereas users of SC 1 will receive two messages: the first containing (K 2 2 , 2) and the second containing (K 2 4 , 4). Upon receiving these messages, users of SC 1 will update their keys tables to look like Table 1, while users of SC 3 will get Table 2.

A Markov process model for KTLH
We will evaluate KTLH according to the following metrics: (1) Key Storage the average number of keys that each user has to store within their keys table; (2) Computation Time the average number of computations of the one-way function that a user should carry out to compute the key of a lower class. (3) Bandwidth number of messages sent per user in order to make key renewals when a membership change occurs.
We propose to model KTLH using a Markov process in order to evaluate these performance criteria. A Markov process is a stochastic process whose future state, given the present state does not depend on the past. That is, the conditional probability distribution of the process depends only on the present state [21]. Appendix 1 contains a summary of the Markov processes properties we are using in this paper.
Our objective is to model the system characteristics by a Markov process and then use the limiting distribution of the Markov process to compute the average value of the modeled variable. This value will serve us as a means to compute the storage and computation overheads.
Let us consider a hierarchy with N classes and let Z t (c) be the number of keys within keys tables of a member of SC c . Obviously, Z t (c) is a particularly interesting process because it directly gives the storage overhead, and the average value of Z t (c) is the average key storage. We thought it is worth justifying to the reader why we decided not to use this process. Indeed, Z t (c) is not a Markov process because the size of the table of SC c after a given membership change can have several values independently from its size before the membership change. In other words, the future probability distribution of the table size is not fully determined by knowing its current size. We give a counterexample below to show that Z t (c) is not a Markov process.
Let Z t (1) be number of keys within the keys table of SC 1 . Suppose that the system contains 10 classes and that the current keys table size is 3. Suppose that a member joins the system at SC 5 . If the keys table initially contains K 1 1 , K 2 2 and K 3 4 (Fig. 3a), then after the key renewal the keys table will contain K 1 1 , K 2 2 , K 3 4 , K 4 5 (the key of SC 5 is renewed), and hence, the new keys table size is 4. However, if the keys table initially contained K 1 1 , K 2 6 and K 3 8 (Fig. 3b), then after the renewal the keys table would have contained K 1 1 and K 4 5 (note that there is no more need to keep K 2 6 and K 3 8 because their new versions can be obtained, thanks to KTLH and the keys table mechanism, from the new key K 4 5 ). The new keys table size is 2. That is, Z t (1) has not the same value for both cases after the membership change even if it had the same size, 3, before it. This is due to the fact that Z t (1) depends on the contents of the keys table, which is related to the process history, thus fulfilling the Markov property. In what follows, we will consider an alternative process which is a Markov one.

The "Next Discontinuity" process
Let N be the number of security classes. We say that there is a chain discontinuity between two successive classes SC i and SC i+1 if K i+1 cannot be computed by applying the oneway function to K i (e.g., due to the previous key renewal triggered by a user leaving SC i ). We define the distance from any class SC c (SC c SC i ) to this discontinuity as (i + 1) − c. By convention, we consider that there is a chain discontinuity just after the last class SC N . Let X t (c) be the distance from SC c to the next discontinuity in the key chain at time t.
An example of the values of X t (c) is shown in Fig. 4. X t (c) is a Markov process. Indeed, X t (c) depends only on its last value and the membership change that occurs. In other words, the membership change determines in a unique way the next value of X t (c) conjointly with its previous value (and this does not depend on older history). Since there is a chain discontinuity just after SC N , the maximum value of X t (c) is N − c + 1, i.e., X t (c) ∈ {1, . . . , N − c + 1}. For Fig. 4 Chain discontinuity process example, the maximum distance between SC 3 and the next discontinuity is 10 − 3 + 1 = 8. In Fig. 4, this distance is 3 but it can change when membership changes occur.
We denote by E X c the average value of X t (c). That is, E X c is the average distance from SC c to the next discontinuity. Note that E X c does not depend on t but only depends on the class. E X c can be used to compute the key storage and the computation overheads. For example, let us say we find that for a hierarchy of 50 classes, E X c = 5 for all values of c. This means that the average distance from the first class to the first discontinuity is five classes, then the distance from the first discontinuity to the second is five classes as well and so on. That is, the whole key chain can be divided, by the chain discontinuities, into 10 segments of five classes each. Each chain discontinuity corresponds to a key that should be stored by higher classes, so (in average) the maximum number of keys that a class should store is the number of discontinuities, which is 10 in our case (stored by users of SC 1 for example). Furthermore, because each segment contains only five classes, a user would need to apply the hash function no more than four times (5−1). As you can see in this example, knowing the value of E X c would allow to estimate the overheads of KTLH.
We denote by Q(c) the transition matrix 1 of X t (c). Q(c) gives the rates at which X t (c) changes its value. In what follows, we give its analytical form for all values of c. Q(c) will be used to study the existence of the limiting distribution, π c , of X t (c).
The reason we need to study the existence of the limiting distribution π c is that, when it exists, π c gives the probability that X t (c) (t big enough) is in the state i. Then, the average value of X t (c), E X c , can be obtained from π c using [2]: and π c in its turn can be obtained from Q(c) by solving the equation system: Allowing us to find E X c for any class c.
In the rest of this section, we determine the transition matrix Q(c) of X t (c) in 3.2; then we use Q(c) in order to determine E X c , the average value of X t (c), in 3.3. The events probability matrix ω x,y An element of The limiting distribution of X t (c)

The transition matrix of X t (c): Q(c)
We denote by ω x,y the probability of the event "a user will switch from SC x to SC y ." By convention, SC 0 contains external hosts. That is, ω 0,y is the probability that an external host joins the class SC y and ω x,0 is the probability that a user leaves the class SC x and becomes an external host. By definition, N x=0 N y=0 ω x,y = 1. We define as the (N + 1) × (N + 1) matrix having ω x,y as entries. will be used to compute Q(c). Note that is not a transition matrix. Table 3 summarizes the notations we will use.
Obviously, in order to obtain concrete values of π c , we need to have concrete values of Q(c) (cf. equation system 2). However, in order to stay as general as possible, we will not use numerical values for Q(c), but we have rather chosen to consider the model where the membership change rate is the same for any pair of classes SC x and SC y ; i.e., a user has the same probability to stay in their class as to switch to any other class. Our approach can still be applied in the same way to other values of Q(c). In other words, all the entries of the transition matrix are identical, i.e: ∀x, y, ω x,y = ω, where ω is a constant. It y=0 ω x,y = 1, we obtain for all x, y: Let us denote by q x,y the elements of Q(c). Since Q(c) depends on the value of c, we distinguish three cases: c = N , c = 1 and 2 ≤ c ≤ N − 1.
The process X t (N ) has a constant value and is permanently equal to 1. Q(N) is a 1 × 1 matrix containing one element: q 1,1 = 1. (2) c = 1. (1) ∈ {1, . . . , N }, Q(N) is a N × N matrix. We distinguish three cases according to the values of x. For x=1:

X t
These formulas are based on KTLH operations. For example, q 1,N (last line of equation system 4) gives the rates at which the distance from SC 1 to the next chain discontinuity changes from 1 to N. According to the formula above, q 1,N = 2 (N +1) 2 . This is because having a distance of N to the next chain discontinuity means that there is no chain discontinuity but the one after SC N (by convention). This situation only happens when a user joins or leaves SC 1 . A join to SC 1 occurs with the rate ω 0,1 = 1 (N +1) 2 (i.e., from SC 0 to SC 1 , SC 0 is the set of external hosts). A leave occurs with the rate ω 1,0 = 1 (N +1) 2 . Similarly, we obtain: For x=N: For 2 ≤ x ≤ N − 1: For x=N-c+1:

Average value of X t (c) : E X c
Using the values of q x,y , we can give the next theorem: Theorem 1 (Existence of the Limiting Distribution): The limiting probability π c of X t (c) exists [2] and is the unique solution of: Proof Since q i, j > 0 for all c, 1 ≤ c ≤ N and all i, j ∈ {1, . . . , N −c +1}, any two states are communicating. Furthermore, {1, . . . , N − c + 1} is a finite set. Therefore, according to theorem 2 in Appendix A, π c exists and is the unique solution of the above equation system.
We have solved, using MATLAB, equation system 10 for several values of N ranging from 2 to 1000. This allowed us to find π c values for each value of N. Note that for each value of N there is a whole set of π c s (a π c for each class c between 1 and N). Then, for each value of N, we used Eq. 1 to find the values of E X c (1 ≤ c ≤ N ).
For each value of N, we distinguish three cases depending on the value of c (1) c = N : X t (N ) is constant and equals 1. Therefore, its average value, E X N , equals 1.
(2) c = 1 : According to Fig. 5, we see that E X 1 is a linear function of log(N ). Therefore, E X 1 is in O(log(N )).
(3) For c between 2 and ≤ N − 1 : In order to have the most reliable results, we have considered different values of N while varying c. Figures 6 and 7 show E X c as a function of log(N ), for 60 ≤ N ≤ 200 and 10 ≤ c ≤ 20 (cf. Fig. 6 ), and 700 ≤ N ≤ 1000 and 180 ≤ c ≤ 280 (cf. Fig. 7 ). As for the case where c = 1, we observe here that E X c has a linear shape as a function of log(N ).

Discussion
These results suggest that the average distance to the next discontinuity is of complexity O(log(N )) where N is the

Key storage overhead
Since E X c is of complexity O(log(N )), the average distance from the first discontinuity to the second one is O (log(N )), the average distance from the second discontinuity to the third is O (log(N )) and so on. Therefore, the whole key chain can be divided into K segments, each segment is of O(log(N )) classes. That is, K is O( N log(N ) ) Each chain discontinuity corresponds to a key that should be stored by higher classes, the maximum number of keys that a class should store is the number of discontinuities K. It follows that the key storage complexity is O( N log(N ) ).

Computation overhead
Since the key chain is split into segments of O(log(N )) classes, the maximum number of computations a user needs to do is the length of the segment, which is O (log(N )). That is, the computation overhead is O(log(N )).

Bandwidth overhead
When a user leaves or joins a security class SC c , this results in the renewal of the key of their class and all lower classes. This is done by generating new keys for their class and lower classes and sending, to each class, its new key. Also, the new key of SC c has to be sent to all higher classes. That is, each class in the system will need to receive exactly one message, whatever its position is in the hierarchy. The bandwidth overhead in this case is O(1). On the other hand, if a user is promoted or demoted, then two chain discontinuities are created. Classes above the higher discontinuity will need to receive two new keys, whereas all other classes will need to receive only one (as shown in the example in 2.3). The number of messages that need to be sent is smaller or equal to a constant (2), and thus, the bandwidth overhead is O (1) in this case as well. Table 4 shows these results.   [12,13], [17,20] KTLH

Comparison to the existing schemes
KTLH is a dependent-keys key management scheme. The complexity of some of the existing dependent-keys key management schemes [9,[11][12][13]17,20] when applied to linear hierarchies was evaluated in [6]. Table 5 uses this evaluation and compares the complexity of KTLH to the dependentkeys schemes, namely direct and indirect schemes. Optimal overheads are highlighted. KTLH has the best computation overhead, and it is the only scheme that gives an overhead that is less than the linear overhead (O(N)). It also has the lowest bandwidth overhead. On the other hand, The indirect and direct approaches have a better storage overhead. The fact of staying below the O(N) bound for all overheads gives KTLH some advantage over the direct and indirect approaches, particularly if used for devices with limited capacity or within hierarchies with big numbers of classes.

Generalization to other key management schemes
Even if our transition matrix is specific to KTLH, the reasoning and methodological steps we presented in this paper can be applied to other key management schemes.
Finding the matrix (that we defined to contain the switching probabilities from a class x to a class y) will probably have to be the first step and the corner stone in any application of Markov processes to the evaluation of a key management scheme.
Furthermore, the technique we used to solve equation system (10) and find E X c can be easily used by other key management schemes evaluation works when faced by complex equation systems.

Conclusion
In this paper, we provided a theoretical evaluation of the performance of KTLH. We used the Markov processes in order to model the distance to next discontinuity from each class. We demonstrated that the average distance to the next discontinuity is of O(log(N )), where N is the total number of classes. Using this result, we concluded that, for KTLH, the average key storage per user is O( N log(N ) ), the average computation overhead is O(log(N )), and the average bandwidth overhead per key renewal is O (1). Comparison to other dependent-keys schemes showed that KTLH tunes storage, computation and bandwidth overheads to achieve good performance trade-offs. Future works can extend our Markovian approach to evaluate other key management schemes as explained in the previous section.
Open Access This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecomm ons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.

Appendix The Markov property
A stochastic process {X t , t ≥ 0} is a family of random variables X t where t is an indexing parameter, t is usually time. The set of values (states) in which X t takes its values is called the state space S.
Let {X t , t ≥ 0} be a stochastic process. The Markov property states that the conditional distribution of X t at time t + s (s, t ≥ 0) given the history of the process up to and including time t depends only on the state of the process at time t. In other words, the state of the process at time t + s is conditionally independent of the history of the process before time t, given the state of the process at time t. We give hereafter a formal definition of Markov processes.

Definition 1 (Markov Process):
A stochastic process {X (t), t ≥ 0} is a Markov process if for all s, t ≥ 0 and nonnegative integers i, j, x u , 0 ≤ u < s: Definition 2 (State Distribution Vector): Let X t be a Markov process defined on the state space S = {1, . . . , N }. The state distribution vector π t is defined by π t = (π t (1), . . . , π t (N )) where π t (i) = P{X t = i} for all i ∈ S.
The state distribution vector π t defines for each time t the probability distribution of X t .

The transition matrix
The entries of the transition (rate) matrix Q give at which rate the process moves from a state to another. Entries of Q are defined by: The sum of each row of this matrix is equal to 1. If P{X t+s = j|X t = i} does not depend on t, then X t is said to be homogenous. In this case, we denote by p i, j (s) the probability P{X t+s = j|X t = i}.

Limiting distribution
Definition 3 (Communicating states and irreducibility [4]): Two states i, j ∈ S are said to communicate if there are t 1 , t 2 > 0 such that: p i, j (t 1 ) > 0 and p j,i (t 2 ) > 0. The Markov process is irreducible if any two states in S can communicate.

Definition 5 (Limiting distribution vector):
The limiting distribution vector π * is defined by: π * = lim t→∞ π t (15) when this limit exists Theorem 2 (Existence of the limiting distribution [4]): The stationary distribution vector π of an irreducible Markov process on an finite state space is unique. π is also the limiting distribution.
That is, the limiting distribution π of an irreducible Markov process on a finite set S exists and can be computed using (13) and (14): π.Q = π i∈S π(i) = 1