We prove a tight lower bound on the communication complexity of secure
multicast key distribution protocols in which rekey messages are built
using symmetric-key encryption, pseudorandom generators and
secret sharing schemes.
Our lower bound shows that the amortized cost of updating
the group key for each group membership change
(as a function of the current group size)
is at least log_2(n) - o(1) basic rekey messages.
This lower bound matches, up to a subconstant additive term,
the upper bound due to Canetti, Garay, Itkis,
Micciancio, Naor and Pinkas [Proc. of Infocom 1999],
who showed that
log_2(n) basic rekey messages (each time a user
joins and/or leaves the group) are sufficient. Our lower bound is,
thus, optimal up to a small, subconstant additive term.
The result of this paper considerably strengthens previous lower bounds
by Canetti, Malkin and Nissim [Proc. of Eurocrypt 1999]
and Snoeyink, Suri and Varghese
[Computer Networks 47(3):2005],
which allowed for neither the use of pseudorandom generators and
secret sharing schemes, nor the iterated (nested) application of the
encryption function.
Our model (which allows for arbitrarily nested combinations of encryption,
pseudorandom generators and secret sharing schemes) is much more general,
and, in particular, encompasses essentially all known multicast key
distribution protocols of practical interest.
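To make the log_2(n) figure concrete, the following added example (not code from the paper or from any of the cited works) simulates a rekey after a member leaves a binary key tree, with the new keys along the leaver's path derived from a single seed by a pseudorandom generator so that one encrypted message per tree level suffices. The tree layout, the SHA-256-based stand-in PRG and the toy XOR cipher are assumptions made for illustration; they show the message-count argument, not a deployable protocol.

```python
import hashlib
import os

# Stand-in PRG (assumption for this example): expands a seed into the key of
# the current node and the seed used one level higher.
def prg(seed: bytes) -> tuple[bytes, bytes]:
    return (hashlib.sha256(b"key|" + seed).digest(),
            hashlib.sha256(b"seed|" + seed).digest())

# Toy symmetric encryption (XOR with a hash-derived keystream), used only to
# make the message flow concrete; not a substitute for a real cipher.
def encrypt(key: bytes, msg: bytes) -> bytes:
    nonce = os.urandom(16)
    stream = hashlib.sha256(key + nonce).digest()
    return nonce + bytes(a ^ b for a, b in zip(msg, stream))

def decrypt(key: bytes, ct: bytes) -> bytes:
    nonce, body = ct[:16], ct[16:]
    stream = hashlib.sha256(key + nonce).digest()
    return bytes(a ^ b for a, b in zip(body, stream))

def ancestors(node: int) -> list[int]:
    """node and all its ancestors up to the root (heap numbering, root = 1)."""
    out = []
    while node >= 1:
        out.append(node)
        node //= 2
    return out

class KeyTree:
    """Complete binary key tree over n = 2^d members; member m sits at leaf n + m."""
    def __init__(self, n: int):
        assert n >= 2 and n & (n - 1) == 0, "n must be a power of two"
        self.n = n
        self.keys = {v: os.urandom(32) for v in range(1, 2 * n)}

    def leaf(self, member: int) -> int:
        return self.n + member

    def rekey_on_leave(self, member: int) -> list[tuple[int, bytes]]:
        """Replace every key on the leaver's root path using log2(n) messages."""
        v = self.leaf(member)
        del self.keys[v]            # the leaver's own key is retired
        seed = os.urandom(32)
        messages = []
        while v > 1:
            parent, sibling = v // 2, v ^ 1
            # The off-path subtree receives the current seed under its own
            # (unchanged) subtree key; members on the path side already hold
            # a lower seed and derive this one with the PRG themselves.
            messages.append((sibling, encrypt(self.keys[sibling], seed)))
            self.keys[parent], seed = prg(seed)
            v = parent
        return messages

def recover_keys(tree: KeyTree, member: int, old_keys: dict, messages: list) -> dict:
    """Keys a member holding its old path keys can obtain from the rekey messages."""
    known = {v: old_keys[v] for v in ancestors(tree.leaf(member)) if v in old_keys}
    for node, ct in messages:
        if node in known:   # at most one message is addressed to an ancestor-or-self
            seed = decrypt(known[node], ct)
            v = node
            while v > 1:
                known[v // 2], seed = prg(seed)
                v //= 2
    return known

def demo(n: int = 8, leaver: int = 5) -> tuple[int, bool, bool]:
    """Returns (number of rekey messages, all remaining members consistent,
    whether the leaver can still derive the new group key)."""
    tree = KeyTree(n)
    old_keys = dict(tree.keys)
    messages = tree.rekey_on_leave(leaver)
    consistent = all(
        recover_keys(tree, m, old_keys, messages)[v] == tree.keys[v]
        for m in range(n) if m != leaver
        for v in ancestors(tree.leaf(m))
    )
    leaver_view = recover_keys(tree, leaver, old_keys, messages)
    leaver_has_root = leaver_view.get(1) == tree.keys[1]
    return len(messages), consistent, leaver_has_root

if __name__ == "__main__":
    print(demo(8, 5))   # three messages for eight members
```

Each level of the tree costs exactly one message, so a leave from a group of n = 2^d members costs d = log_2(n) basic rekey messages, which is the upper bound the abstract refers to; the naive variant that encrypts each fresh node key under both children's keys would cost about twice as many.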