Efficient Key Management for Secure Group Communications with Bursty Behavior

Transcription

1 Efficient Key Manageent for Secure Group Counications with Bursty Behavior Xukai Zou, Byrav Raaurthy Departent of Coputer Science and Engineering University of Nebraska-Lincoln Lincoln, NE68588, USA Eail: Spyros Magliveras Departent of Matheatical Sciences Florida Atlantic University Boca Raton, FL 3343, U.S.A eail: ABSTRACT Secure group counication (SGC) is becoing ore popular in the Internet. Burstiness is an iportant behavior in SGC. Perforing bursty operation in one aggregate operation is iportant for efficiency and scalability. In this paper, we extend the well-known key-tree key anageent protocol for SGC to situations with bursty user arrival and departure patterns. By using a binary representation technique for indexing the keys and the ebers on the key tree, we propose an efficient ipleentation algorith for bursty operation. The algorith uses only binary right shift operation, and is extreely siple and efficient, which could be ebedded in standard secure ulticast API packages. We also present experiental results fro our algorith. KEY WORDS Network Security, Secure Group Counication, Multicast, Key Manageent Protocol, Group Dynaics, Bursty Behavior Introduction Secure group counication (SGC) is becoing ore popular in the Internet, especially when Virtual Private Networks are being deployed on the Internet. Even though Internet ulticast capability provides an efficient way for secure group counication applications, the security of ulticast applications is guaranteed by cryptographic techniques. The ost iportant feature of SGC is group dynaics by which we ean that ebers can join and/or leave a group at any tie. The biggest challenge caused by group dynaics is that when eber(s) join or leave a group, the group key(s) ust be changed in an efficient and scalable way to prevent the joining/leaving eber fro decrypting the previous/future essages. Based on the nuber of ebers joining a group and/or leaving a group, group dynaics can be divided into following scenarios: single join, single leave, single join and single leave at the sae tie, ultiple joins, ultiple leaves, and ultiple joins and ultiple leaves at the sae tie. We call ultiple joins and/or ultiple leaves burst operations. Bursty behavior is prevalent in SGC applications. Soe applications are inherently burst oriented. For exaple, in periodical electronic inforation distributions, users subscribe and/or un-subscribe the service in a bursty anner at the beginning/end of the period. In soe other applications, ebers join and leave a group frequently. When the frequency of ebership changes is high, it becoes necessary to reduce the cost of frequent key distributions. One feasible way is to accuulate the joins and leaves [] for a certain period of tie, thus reducing the frequency of key distributions. This can be considered as another kind of bursty behavior. Perforing a bursty operation in one aggregate operation is iportant for reducing the nuber of rekeying essages, reducing the frequency of key distributions, increasing the scalability of the key distribution protocol and reducing the network traffic. There has been extensive research focusing on group dynaics in SGC [9,, 7, 2, 2, 22, 24, 27]. However ost of the place the ephasis on single join and single leave, i.e., reducing the nuber of rekeying essages when a eber joins/leaves. When ultiple ebers request join and leave siultaneously, they are supposed to be processed individually, i.e., they are treated as any single joins and single leaves (we call this kind of operation split operation). This results in a great increase in the nuber of rekeying essages, which is copletely opposite to our goal that the cost of rekeying should decrease rather than increase. As we will show later, the aggregation of key updates can reduce the cost of key distribution operations. In papers [, 22], it was shown that in a key tree schee processing ultiple joins and leaves in aggregation is possible and will reduce the nuber of rekeying essages. However no efficient ipleentation algorith was given. One recent paper [] is the first paper, to our knowledge, focusing on the proble of the aggregation of key updates by cuulative eber reoval. The paper focuses on ultiple leaves and does not discuss how to deal with ultiple joins and ultiple leaves at the sae tie. As indicated in the paper [], the ain proble with this technique is that the schee is susceptible to collusion attack of two or ore ebers. In this paper, we extend the well-known key-tree key anageent protocol [, 22, 27] for secure group counication to situations with bursty user arrival and departure patterns, especially when ultiple joins and ultiple leaves occur at the sae tie. (We call this kind of a bursty operation, i.e., perforing ultiple joins and/or ultiple

2 leaves in one round, an aggregate operation.) By using binary representation technique for indexing the keys and the ebers on the key tree, we propose an efficient ipleentation algorith for bursty operation. The algorith uses only binary right shift operation, and is extreely siple and efficient, and could be ebedded in standard secure ulticast API packages. Moreover, copared with the ethod in [], our ethod can defeat the collusion of any nuber of illegal ebers. We also present experiental results, which show that the nuber of rekeying essages generated by our algorith is significantly less copared with that generated by split operation. Recently, there has been another study [8] which deals with siilar bursty behavior based on a key tree schee as we do. Moreover, the article [8] deals with a general d ary key tree (d 2) with a general ipleentation. However when liiting d = 2, our ipleentation is totally different fro, uch sipler, and uch ore efficient than that in [8]. The rest of the paper is organized as follows. In Section 2, we suarize the typical schees for SGC with the ephasis on key tree schee [, 22, 27]. In Section 3, we adapt the key tree schee to situations with bursty user arrive and leave patterns and present our ipleentation algorith with the proof of its correctness and analysis of its coplexity. The experient results are given in Section 4. Finally, in Section 5, we conclude the paper. 2 Existing schees for secure group counication We suarize and classify secure group counication schees in this section. Based on the nuber of senders, SGC applications can be divided into two categories: broadcast counication, i.e., one-to-any counication [, 2, 4, 3, 5, 2] and conference counication, i.e., any-to-any counication [8, 9, 3, 7, 9, 23, 24]. Schees in [, 2, 22, 27] are suitable for both kinds of applications. Based on how the group key is fored, soe schees require a Group Controller (GC) which generates group key(s) and distributes the key(s) to group ebers. In other schees [8, 9, 3, 7, 23, 24], the group key is generated by unifor contributions fro all group ebers. Based on the kind of cryptosystes used, there are public-key cryptosyste based schees [2, 5, 2] and secret-key cryptosyste based schees, where the underlying secure channel ay be ipleented by public key systes. In the latter case, the group key anageent is the core proble and any key anageent schees [, 2, 3, 4, 5, 6, 7, 8, 9,, 3, 4, 6, 7, 9, 2, 22, 23, 24, 26, 27] have been proposed. Based on the structural organization of group ebers, ost schees do not split ebers whereas soe schees [4, 2, 2] divide group ebers into distinct subgroups, resulting in two levels of key anageent and increasing the scalability. In the later case, the subgroup anager ay be a eber of the group or not and ay be trusted [5, 2] or not [4, 2]. Based on the kind of security, the SGC schees ay be classified as unconditionally secure or coputationally secure [25, 26]. Furtherore soe schees ay resist against any nuber of adversaries who ay collude, whereas others [2, 3, 4, 5, 6, 7, 6, 26] only resist against the collusion of up to k adversaries, i.e., k- resilient schees, where k is a security paraeter in these schees. We briefly introduce key tree based key anageent [, 22, 27] since Our algorith for bursty operation is based on this schee. There is a group controller (GC) which aintains the ulticast group and anages a virtual tree (see Figure ). The ebers of the group are placed at leaf nodes of the tree. The nodes in the tree are assigned keys. The key at the root is the traffic encryption key (TEK) and all other keys are key encryption keys (KEKs). Every eber is assigned the keys along the path fro its leaf to the root. The keys at leaf nodes are possessed by individual ebers; the keys at internal nodes are shared by subsets of ebers, and the key at the root node is shared by all ebers. When a essage is sent, it will be encrypted with TEK, and all the ebers can decrypt it using TEK. When a eber leaves, all the keys the leaving eber knows and shares with other ebers (i.e., the keys fro root to the parent of the leaving eber) need to be changed. The GC changes these keys. Every changed key will be encrypted with its children s keys and be broadcast to all ebers. When a eber joins, after being authenticated by the GC, the GC decides where it should be put in the tree and figures out all the keys fro the root to the joining eber. Then the GC changes all these keys and broadcasts the keys. When the key tree is a binary tree, the nuber of keys which need to be changed for a join or a leave is O(log(n)) and the nuber of rekeying essages O(2log(n)) where n is the nuber of ebers in the ulticast group. 3 Binary tree based algorith for bursty operation We present our algorith in this section. We first observe bursty behavior and properties. Then we propose our algorith followed by the proof of the algorith. Finally, we analyze the algorith coplexity and discuss collusion attacks. 3. Bursty behavior and properties First, we give an exaple to illustrate how the aggregate operation reduces the nuber of keys which need to be changed (see Figure 2). Suppose the current ebers in the group are {, 2, 3, 4, 5, 7, 8}, four ebers {, 2, 5, 7} will leave, while another five ebers will join at the sae tie. If we use a split operation, nine separate operations are needed with log 2 (8) = 3 keys needing to be changed for each operation. Therefore, the total nuber of changed keys is 9 3 = 27. If we process all four leaves and five joins at the sae tie

3 i.e., in one aggregate operation, then the total nuber of keys needing to be changed is 6 (all internal keys except the parent of 3 and 4) (see Figure 2). An 88% (i.e., 6 27 ) savings in the total nuber of changed keys is achieved. The reason for the savings is that any shared key is only changed once in an aggregate operation. Bursty behavior has soe special properties, which can be clarified by eans of the following two leas (The proofs are oitted because of their obviousness). The first lea states that without considering the keys on leaf nodes, the operations of joining and leaving are equivalent. The second lea states that when r joins and s leaves are cobined in one aggregate operation, the cost for rekeying in{r, s} keys will be copletely saved (covered by ax{r, s}). Therefore, we uniforly call both joins and leaves updates. Lea 3.. Suppose the nuber of joins is j and the nuber of leaves is l. If j = l and the positions of joining ebers in the tree are the sae as the positions of the leaving ebers, then the keys that need to be changed for the joins in one aggregate operation are exactly the sae as the keys that need to be changed for the leaves in one aggregate operation. Lea 3.2. Suppose the nuber of joins is j and the nuber of leaves is l. If we perfor both joins and leaves in one aggregate operation, the nuber of keys that need to be changed for these j + l ebers is the sae as the nuber of keys that need to be changed for = ax{ j, l } ebers. 3.2 Bursty algorith In order to perfor ultiple joins and/or ultiple leaves in one aggregate operation, it is required to find the coon keys shared by joining and/or leaving ebers in an efficient way. In order to do that, we represent keys by bitstrings and use only binary right shift operations. The detailed echanis is described below. All nodes are represented by bitstrings. The root is represented by the epty string ε. Suppose a node is labeled by bitstring v, then its left child will be represented by v and its right child by v. The key associated with node v is represented by k v. Thus, the root key is k ε = k. The keys at level are k, k ; the keys at level 2 are k, k, k, k and so on (see Figure 3). In general, a node at level l is represented by soe bitstring i l i of length l, and its key by k il i. Each eber is assigned a rando non-negative integer as its identification (ID). These integer ID s can be represented as bitstrings 2. Suppose that the tree height is h, so Because the keys on leaf nodes are only possessed by individual ebers and are only used to encrypt essages between group controller and individual ebers, whether or not they need to be changed or how they will be changed does not affect an aggregate operation. In fact, we ay assue that keys on leaf nodes are the public keys of individual ebers. 2 When an integer i is stored in the coputer, it is already in the binary for, hence there is no need to perfor representation transforations. that the group size could be as large as 2 h, and let a user u i have ID equal to i. We represent i in binary for as i h i. The user u i is placed at node i h i and is assigned the keys along the path fro the node to the root, i.e., k ih i i, k ih i,, k ih, k. Next we consider how to find the coon keys shared by ebers. Fro Lea 3.2, it is reasonable to assue all ebers in question join a group or they all leave a group. We consider two cases separately: two ebers and any ebers. Suppose two ebers in question are u i and u j. We can decide their shared keys by coparing their corresponding bitstrings as discussed bellow. Since i j, i h i i j h j j and k ih i i k jh j j. Let s be the sallest index such that i h i s = j h j s, then s, k ih i s = k jh j s, and all keys along the path fro node i h i s to the root are shared keys. The only operation needed here is to find the prefix of an integer, which can be ipleented by the right shift operation >>. Let us consider 2 ebers. We have following theore. Theore. Suppose ebers u i,, u i are to be processed in one aggregate operation and assue they are already sorted by their ID. The keys that need to be changed can be deterined by the coparisons of IDs of neighboring ebers in a cyclic anner, i.e., i with i, i with i 2,..., i 2 with i, and i with i. The keys shared by all the ebers are deterined when all neighboring coparisons yield equalities. Proof: First let us consider any key at level l which is only possessed by one eber, e.g., u ij. Then this key will be k ijh i jh l. Consider the next eber s ID i j+ (if u ij is the last eber u i then consider the first eber s ID i ). It is true that i jh i jh l i (j+)h i (j+)h l, otherwise, k ijh i jh l will be shared by these two ebers. Therefore, this key can be found by coparing i jh i jh l with i j+h i j+h l. Next let us consider any key at level l which is shared by a subset of ebers u ij, u ij+, u ij+t. Then again, this key will be k ijh i jh l. It is true that i jh i jh l = i (j+)h i (j+)h l = = i (j+t)h i (j+t)h l. Consider the next eber s ID i j+t+, if u ij+t is the last eber, then consider i. It is true that i (j+t)h i (j+t)h l i (j+t+)h i (j+t+)h l. Therefore, the shared key k ijh i jh l can be found by coparing i (j+t)h i (j+t)h l with i (j+t+)h i (j+t+)h l. Finally, consider a key at level l which is shared by all ebers u i,, u i. It is true that i h i h l = i h i h l = = i ( )h i ( )h l. Thus, all neighboring coparisons yield equalities. Or, to say it in another way, when all coparisons of neighboring ebers are equal, a shared key is found. Once a key shared by all ebers is found, there is no need to do further coparisons. The theore is proved.

4 Figure 4 illustrates the coparisons of neighboring ebers. In order to ake the coparison of i with i be the sae as for the other coparisons, we add an ( + )st eber and let its ID be the ID of the first one, i.e., i = i. The following algorith finds all keys which need to be changed. A changed key will be encrypted with its two children keys and broadcast separately (thus, 2 N uberof KeysChanged rekeying essages), or in one packet (thus, NuberOfKeysChanged rekeying essages). It is also possible that all encrypted changed keys are put in one packet (thus, one rekeying essage). //h: the tree height; : group size; i, i, i : ebers IDs NuberOfKeysChanged = ; for (s = ; s <= h; s + +) { SaeSubtree=true; for (j = ; j < ; j + +) if ((i j >> s)! = (i j+ >> s)) { SaeSubtree=false; the key k ijh i js is not a shared key and change it; NuberOfKeysChanged + +; } if (SaeSubT ree) { //the keysshared by all ebers are found change k ih i s,k ih i s+, k; NuberOfKeysChanged+ = h s; break; //exit fro for loop } } 3.3 Analysis of coplexity and attack Suppose the group size is n and the height of the binary tree is h (h = log(n) ). Then the above algorith needs 2n space blocks each of length equal to the length of a key to store the keys. Suppose is the larger between the nuber of joining and leaving ebers, then the tie coplexity of the above algorith is O(h). We do not include here the tie coplexity of generating a rando key since it is independent of our algorith. As to susceptibility to possible attacks, when ebers leave, all the keys known to the leaving ebers are changed. The new keys have no relation with the old keys. No atter how any leaving ebers collude, they cannot figure out the new keys. Therefore, the algorith is resilient to collusion of any nuber of ebers and provides unconditional security. 4 Experiental results A theoretical analysis of perforance of a rando d ary key tree schee for bursty behavior can be found in [8], which is suitable for our binary key tree when setting d = 2. In this section, we present the experiental results, which is coincident to the theoretical analysis in [8]. The purpose of our experients is to test the perforance of our algorith in different scenarios for different group sizes 3. We focus on two classes of coparisons: ) 3 Only the figures of the group of size 24 are shown and the groups of other sizes have exactly sae results. a coparison of the nubers of changed keys between experiental and theoretical analysis and 2) a coparison of the nuber of changed keys between aggregate operations and split operations. Suppose the nuber of joining ebers is j and the nuber of the leaving eber is l, and let ax = ax( j, l ) and in = in( j, l ). Assue h is the height of the binary tree. As indicated in the previous section, we call a join or a leave an update and only consider ax updates. For aggregate operations, in order to get reasonable results, we generate rando positions for ax updates repeatedly ( rounds), run the above proposed algorith to get the nuber of keys needed to be changed for each round, and average the nubers of changed keys over rounds. We denote the average nuber by N A. In contrast, the nuber of keys which need to be changed in split operations is: N S = ( j + l ) h. Let us see the first class of coparison. The nubers of changed keys in best, worst, average cases fro the theoretical analysis and the average nuber of changed keys fro the experients are shown in Figure 6. Fro the figure, we can see a clear difference between best, worst and average scenarios. We also see that for the average case, the nuber of changed keys obtained by experients is copletely coincident with that predicted by theoretical analysis. Let us consider the second class of coparison, i.e., the gain of aggregate operation versus split operation, which is defined by gain = N A /N S. The experients were on different group sizes. For each group size, we test three cases. Firstly, we let in = and ax range fro percent to 5 percent of the group size. This case corresponds to just joins or leaves, with the axiu nuber of joins or leaves being half of the group size. Secondly, for any ax, we let in range fro percent to percent of ax. This corresponds to joins and leaves at the sae tie with the best scenario that the nuber of joins is the sae as the nuber of leaves (i.e., in = percent of ax ). Finally, we let ax ebers be in consecutive positions. This occurs when ebers join a group in a batch and leave the group together. The results are shown in Figures 7 to 9. Figure 7 illustrates the first case. Fro the figure, we can see that when ax is 5 percent of group size, the gain achieved is 5 percent (for groups of size larger than 256). When ax reaches 5 percent of the group size, the gain is about 8 percent. The gain is really significant. Moreover, the larger the group size, the greater the gain that can be achieved for the sae percentage. The next figure (Figure 8) illustrate the second case for groups of 24. The gain is huge. For exaple, when ax and in are both nearly 5 percent of group size, the gain is over 75 percent. When ax and in are both nearly 5 percent of group size, the gain reaches 9 percent. Figure 9 shows the third case (only joins or leaves),

5 when the ebers are in consecutive positions. The gain is generally higher than 8 percent. The interesting result shown in this case is that the gain is alost not affected by the variation in ax. The reason is as follows. We know the gain is obtained by the nuber of keys shared aong ebers. In the first two cases, when ax becoes higher, the ebers will be closer to each other, therefore, they have increasingly ore shared keys. However, in the third case, independent of ax, the ebers are already as close to each other as they can be. As a result, the keys shared by the have been axiized. In other words, the nuber of keys that need to be changed has been iniized and the gain has been optial. Fro the experients, it is clear that the gain due to aggregate operation is obvious and huge. The secure ulticast protocols should deploy the bursty behavior as uch as possible. Furtherore, as we pointed out in the introduction, when the frequency of group ebership changes is high, secure ulticast protocols should accuulate eber joining and leaving events as uch as possible as long as the security (e.g., a leaving eber is still allowed to receive essages for a short period of tie) and delay requireents are not violated. 5 Conclusion The aggregation of joining and leaving ebers in secure ulticast applications is iportant for reducing the cost of key distributions. We presented a novel algorith which can perfor the aggregate operation efficiently. The algorith is extreely siple and efficient and can be ebedded in standard secure ulticast API packages. Standardizing and ipleenting a key tree based secure ulticast API is our ajor work for the future. References [] A. Bakkardie. Scalable ulticast key distribution. RFC 949, 996. [2] A. Beiel and B. Chor. Interaction in key distribution schees. Advances in Cryptology - CRYPTO 93, LNCS, Springer, Berlin, 773: , 994. [3] A. Beiel and B. Chor. Counications in key distribution schees. IEEE Transactions on Inforation Theory, 42:9 28, 996. [4] R. Blo. An optial class of syetric key generation systes. Advances in Cryptology - EUROCRYPT 84, LNCS, Springer, Berlin, 29: , 985. [5] C. Blundo and A. Cresti. Space requireents for broadcast encryption. Advances in Cryptology - EUROCRYPT 94, LNCS, Springer, Berlin, 95: , 995. [6] C. Blundo, L. A. F. Mattos, and D. R. Stinson. Generalied beiel-chor schee for broadcast encryption and interactive key distribution. Theoretical Coputer Science, 2:33 334, 998. [7] C. Blundo, A. D. Santis, A. Herzberg, S. Kutten, U. Vaccaro, and M. Yung. Perfect secure key distribution for dynaic conferences. Advances in Cryptology - CRYPTO 92, LNCS, Springer, Berlin, 74:47 486, 993. [8] M. Burester and Y. Desedt. A secure and efficient conference key distribution syste. Advances in Cryptology - EUROCRYPT 94, LNCS, Springer, Berlin, 95: , 995. [9] M. Burester and Y.G. Desedt. Efficient and secure conference-key distribution. Security Protocols Workshop, pages 9 29, 996. [] G. Caronni, K. Waldvogel, D. Sun, and B. Plattner. Efficient security for large and dynaic ulticast groups. Proceedings Seventh IEEE International Workshop on Enabling Technologies: Infrastucture for Collaborative Enterprises (WETICE 98) (Cat. No.98TB253). Los Alaitos, CA, USA: IEEE, pages , 998. [] I. Chang, R. Engel, D. Kandlur, D. Pendarakis, and D. Saha. Key anageent for secure internet ulticast using boolean function iniization techniques. Proceedings of INFOCOM 99: Conference on Coputer Counications, pages , 999. [2] G. H. Chiou and W.T.Chen. Secure broadcasting using the secure lock. IEEE Transaction on Software Engineering, 5(8): , 989. [3] L. R. Dondeti. Efficient private group counication over public networks. PhD. Dissertation, CSE UNL, 999. [4] L. R. Dondeti, S. Mukherjee, and A. Saal. A dual encryption protocol for scalable secure ulticasting. In Fouth IEEE Syposiu on Coputers and Counications, Red Sea, Egypt, pages 2 8, July 999. [5] F. Du, L. M. Ni, and A. H. Esfahanian. Towards solving ulticast key anageent proble. ICCCN 99 Eighth International Conference on Coputer Counications and Networks, Boston, MA, USA, October 999. [6] A. Fiat and M. Naor. Broadcast encryption. Advances in Cryptology - CRYPTO 93, LNCS, Springer, Berlin, 773:48 49, 994. [7] I. Ingearsson, D. Tang, and C. Wong. A confernece key distribution syste. IEEE Transations on Inforation Theory, 28(5):74 72, Septeber 982. [8] X. Li, Y. Yang, M. Gouda, and S. S. La. Batch updates of key trees. Technical Report TR--22, The University of Texas, Septeber 2, 2. [9] D. A. McGrew and A. T. Sheran. Key establishent in large dynaic groups using one-way function tree. Subitted to IEEE transactions on Software Engineering, May 998. [2] S. Mittra. Iolus: A fraework for scalable secure ulticasting. Journal of Coputer Counication Reviews, 27(4): , 997. [2] R. Molva and A. Pannetrat. Scalable ulticast security in dynaic groups. 6th ACM Conference on Coputer and Counications Security, Singapore, pages 2, Noveber 999. [22] G. Noubir. Multicast security. European Space Agency, Project: Perforance Optiisation of Internet Protocol Via Satellite, April 998. [23] D. Steer, L. Strawczynski, W. Diffie, and M. Wiener. A secure audio teleconference syste. Advances in Cryptology-CRYPTO 88, LNCS, Springer-Verlag, 43:52 528, August 99. [24] M. Steiner, G. Tsudik, and M. Waidner. Diffie-hellan key distribution extended to group counication. ACM Conference on Coputer and Counication Security, New Delhi, India, pages 3 37, March 996. [25] D. R. Stinson, editor. Cryptograph Theory and Practice. CRC Press, Inc., Boca Raton, Florida, 995. [26] D. R. Stinson. On soe ethods for unconditionally secure key distribution and broadcast encryption. Design, Codes and Cryptograph, 2:25 243, June 997. [27] C. K. Wong, M. Gouda, and S. S. La. Secure group counications using key groups. SIGCOMM 98, Also University of Texas at Austin, Coputer Science Technical report TR 97-23, pages 68 79, Deceber 998. Appendix Figures K K K 2 K 3 K 4 M K - M K -3 K -7 (TEK) K 2-3 K 4-7 K 4-5 K 6-7 K 5 K 6 K 7 M2 M3 M4 M5 M6 M7 Figure. Key tree: ebers assigned the keys fro leaf to the root

6 2 Coparison of best, worst, and average cases for group size Nuber of changed keys M M2 M5 M7 M6 Figure 2. Bursty behavior: ultiple join and leave at the sae tie 2 worst in theory average by test average in theory best in theory Percent Of updates Figure 6. The coparison of best, worst, and average cases root : key nodes : user nodes Gain for groups of different sizes: u u7 u8 u9 u u u3 u2 u4 u5 u3 u5 u u u2 u6 4 Percent of changed keys Figure 3. Binary key tree Percent Of Leaves or Joins related to group sizes Root key is shared by all ebers and is deterined when all coparisons are equal Deterined by the coparison of of il with i Keys shared by all ebers are deterined when all coparisons are equal. root Figure 7. Gain of aggregate to split for joins or leaves Deterined by the coparison of i with i Deterined by the coparison of i with i i Deterined by the coparison of with i3 il Deterined by coparison of i with Deterined by coparison of i with i Deterined by coparison of with i3 i i il Deterined by coparison of il with i Percent of changed keys Gain for different percent (5--5) of joins/leaves in group of size Figure 4. changed keys are deterined by the coparisons of neighboring ebers Percent Of join (leave) related to leave (join) Figure 8. Gain of aggregate to split for both joins and leaves k Gain for groups of different sizes: T 2 updates T q 2 updates update h-k T 2 k update h Percent of changed keys q binary subtrees 2 k such binary subtrees Figure 5. Worst case scenario Percent Of Leaves and Joins related to group sizes Figure 9. Gain of aggregate to split for consecutive positions