Key Management for UMTS MBMS

Key Management for UMTS MBMS

Shin-Ming Cheng, Member, IEEE, Wei-Ru Lai, Member, IEEE, Phone Lin, Senior Member, IEEE,

and Kwang-Cheng Chen, Fellow, IEEE

Abstract—3GPP 33.246 proposes Key Management Mechanism

(KMM) to distribute security keys for Universal Mobile

Telecom-munications System (UMTS) Multimedia Broadcast and Multicast Service (MBMS). KMM introduces extra communication

over-head to UMTS. The previous study, Key-Tree Scheme (KTS), resolves this issue for the IP multicast network. However, this scheme may not be so efficient while applied in UMTS MBMS due to lots of storage space and heavy multicast traffic intro-duced, which may decrease the QoS of UMTS MBMS. In this paper, we propose a more efficient scheme, Hash Function Scheme (HFS), to release both storage and communication overhead for KMM in UMTS MBMS. We first modify the KTS applied in the UMTS MBMS and then detail the execution of HFS, which is proven to be correct. We conduct an analytical model and simulation experiments to compare the performance between the UMTS KMM with KTS and with HFS. Our study shows that the proposed HFS can reduce both communication and storage overhead without damaging QoS of UMTS MBMS.

Index Terms—Hash function, key management, multimedia

broadcast and multicast service (MBMS), Universal Mobile Telecommunications System (UMTS).

I. INTRODUCTION

T

O DELIVER multimedia content efficiently over the Universal Mobile Telecommunications System (UMTS), 3GPP proposed the Multimedia Broadcast/Multicast Service (MBMS) based on UMTS [1], [2]. UMTS MBMS utilizes point-to-multipoint transmission technology, where the multi-media content is delivered from a single source to a group of mobile devices through the UMTS MBMS transmission bearer.

Manuscript received April 15, 2007; revised August 15, 2007; accepted November 6, 2007. The associate editor coordinating the review of this paper and approving it for publication was W. Lou. The work of P. Lin was sponsored in part by the National Science Council (NSC), R.O.C., under the contract number 96-2627-E-002-001-, 96-2811-E-002-010, NSC-96-2628-E-002-002-MY2 and NSC-95-2221-E-002-091-MY3, Ministry of Economic Affairs (MOEA), R.O.C., under contract number 93-EC-17-A-05-S1-0017, Telcordia Applied Research Center, Taiwan Network Information Center (TWNIC), Excellent Research Projects of National Taiwan University, 95R0062-AE00-07, and Chunghwa telecom M-Taiwan program M-Taoyuan Porject. This paper was presented in part (titled as “A Hash Function Scheme for Key Management in UMTS MBMS”) at IEEE Globecom’07, including the key tree scheme, the hash function scheme, and the security analysis. This full version extends the performance evaluation section (which includes the analytic model in Appendix A, simulation experiments, and complete performance study).

S.-M. Cheng is with the Department of Electrical Engineering, Na-tional Taiwan University, Taipei 106, Taiwan, R.O.C. (e-mail: sm-cheng@cc.ee.ntu.edu.tw).

W.-R. Lai is with the Department of Communications Engineering, Yuan Ze University, Tao-Yuan 320, Taiwan, R.O.C. (e-mail: wrlai@saturn.yzu.edu.tw). P. Lin is with the Department of Computer Science & Information Engi-neering and Graduate Institute of Networking & Multimedia, National Taiwan University, Taipei 106, Taiwan, R.O.C. (e-mail: plin@csie.ntu.edu.tw).

K.-C. Chen is with the Department of Electrical Engineering, National Taiwan University, Taipei 106, Taiwan, R.O.C. (e-mail: chenkc@cc.ee.ntu.edu.tw).

Digital Object Identifier 10.1109/TWC.2008.070400.

Multimedia Data a d HSS c BM-SC Content Provider BSF UE b

Fig. 1. A simplified UMTS MBMS network architecture.

Figure 1 illustrates the simplified UMTS MBMS network architecture [3], without showing the network elements sup-porting MBMS transmission bearers in UMTS. The User Equipment (UE; Figure 1 (a)) receives the MBMS application (also known as MBMS User Service) [4] from the Broadcast-Multicast Service Center (BM-SC; Figure 1 (b)), which is an application server serving as an MBMS data source or as an entry point for the multimedia content provider. The UEs join-ing the multicast group for a specific MBMS User Service are called joined UEs. The BM-SC initializes the establishment of the MBMS transmission bearer, then sends multimedia content to the joined UEs. The Home Subscriber Subsystem (HSS; Figure 1 (c)) maintains UMTS subscriber information (e.g., security-related information). The Bootstrapping Server Function (BSF; Figure 1 (d)) is a security server function, which is responsible for establishing shared secrets between the BM-SC and UEs.

The BM-SC multicasts MBMS content to the joined UEs via a broadcasting network bearer, where the MBMS point-to-multipoint Traffic Channel (MTCH) in the air interface [5] is used to carry the multicast content. To prevent the non-joined UEs from receiving the MBMS content, 3GPP 33.246 proposed the Key Management Mechanism (KMM) [6], which are described in detail below. A specific MBMS User Ser-vice has two corresponding group keys, namely the MBMS Transmission Key (MTK; denoted as T) and the MBMS Service Key (MSK; denoted as S). Every UE of an MBMS User Service group has the same S and T. T is used to protect multicast content from eavesdropping or modification, where the multicast content is encrypted by T before being multicasted to all joined UEs. A UE uses T to decrypt content that it receives. T is multicasted from BM-SC to all joined UEs by sending S{T}, which means that T is encrypted by S. S is

individually unicasted from BM-SC to every joined UE. During an MBMS User Service, T or S is updated when one of the following events occurs: (Event 1) a new UE joins the multicast group; (Event 2) a joined UE leaves the multicast group; (Event 3) the timer of the current S expires, or (Event 4) the timer of the current T expires. The User Service Join procedure (denoted as P1 for Event 1), the User Service Leave procedure (denoted as P2 for Event 2), the MSK Periodic Update procedure (denoted as P3 for Event 3), and the MTK

Bootstrapping authentication

Bootstrapping usage procedure (R1+1)

Generate Snew U1+1{Snew}

UE1+1 BM-SC BSF

UE1...1

Snew_{Tnew_{} Generate T}new

Derive U1+1and R1+1 U1...1{Snew} J3 J2 J4 J1 Derive U1+1and R1+1

Fig. 2. Message flow for the User Service Join procedure in KMM.

Periodic Update procedure (denoted as P4 for Event 4) are exercised at this moment in order to update T or S [6]. The four procedures are described in detail below.

Figure 2 shows the message flow for Procedure P1 with the following steps, where we suppose that the multicast group contains N joined UEs. Assume that a new UE, UEN +1, joins the MBMS User Service, and before UEN +1joins the service, the two keys, Sold _{and T}old _{are used for the MBMS User} Service.

User Service Join Procedure P1:

Step J1. UEN +1 performs the bootstrapping authentication procedure [3] with BSF to obtain an MBMS Request Key (denoted as RN +1) and an MBMS User Key (denoted as

UN +1).

Step J2. UEN +1 uses RN +1 as the authentication password when executing the bootstrapping usage procedure [3] with BM-SC and BSF.

Step J3. If the authentication in Step J2 is successful, then

BM-SC generates Snew_{, and unicasts it to every UE, UE} i, in the multicast group by sending Ui{Snew}. Otherwise (i.e., the authentication fails), the procedure quits. This step requires N + 1 unicasts to deliver Snew_.

Step J4. BM-SC generates Tnew_{, and multicasts it to all} joined UEs by sending Snew_{Tnew_{}. Significantly, only} one multicast transmission is necessary.

The other three procedures are similar to Procedure P1. Procedure P2 consists of three steps, Steps L1–L3, which are the same as Steps J2–J4, respectively. Procedure P3 comprises two steps, Steps S1 and S2, which are the same as Steps J3 and J4, respectively. Procedure P4 consists of only one step, Step T1, which is the same as Step J4.

Note that in Step J3, S is unicasted through the Dedicated Control Channel (DCCH), which is a signaling message. Conversely, in Step J4, T is multicasted using the MIKEY protocol [7], and T is delivered via the MTCH, which is used to carry the multimedia content and other session information. In other words, T delivery may consume the radio resource for the transmission of multicast content. This study considers the following two main issues.

Issue 1. The number of unicast key deliveries should be

minimized to lower signaling overhead.

Issue 2. The number of multicast key deliveries should be

minimized to provide an acceptable QoS (i.e., more bandwidth can be used to transmit multicast content). Only one group key (that is used for data encryption and

U3,1 1 , 2 K K2,2 K2,3 1 , 1 K K1,2 UE1 UE2 UE3 UE4 UE5 UE6 UE7 c S b a 4 , 2 K UE8 U3,2 U3,3 U3,4 U3,5 U3,6 U3,7 U3,8

Fig. 3. An example of the key tree in KTS.

unicasted to every member of a multicast group) is defined in IP multicast networks. Previous studies [8]–[11] have attempted to reduce the number of unicastings for the group key deliveries in IP multicast networks by proposing Key-Tree

Scheme (KTS), which applies multicast Key Encryption Keys

(KEKs; cf. Section II) to all members of a multicast group. The KTS was applied in cellular networks in 2004 [12], [13], when the UMTS MBMS has not been well defined (i.e., only one group key was considered in these studies).

In this work, to consider Issues 1 and 2, KTS is first modified so that it can be applied in UMTS MBMS KMM. Analytical results indicate that KTS is not efficient in UMTS MBMS KMM. The Hash Function Scheme (HFS), which is regarded as more efficient than KTS, is then proposed. The rest of this paper is organized as follows. The application of KTS in the existing UMTS MBMS KMM is described in Section II. Section III details HFS. Section IV provides security analysis for HFS. Section V conducts an analytical model and simulation experiments to evaluate the performance of KMM with/without KTS or HFS. Finally, Section VI concludes this work.

II. KTSINUMTS MBMS KEYMANAGEMENT

This section describes how to apply KTS in UMTS MBMS KMM. In KTS, BM-SC establishes and maintains a balanced binary key tree [8], [9]. As shown in Figure 3, each leaf U of the tree is assigned to corresponding joined UE (Figure 3 (a)). The root of the key tree is S for the multicast group (Figure 3 (b)). The intermediate nodes of the key tree are the intermediate KEKs (Figure 3 (c)), which are used to facilitate efficient S updates.

Consider N joined UEs, UE1, UE2, ..., UEN, in the multicast group. Let H be the height of the binary tree, which

can be calculated by H =lg N. The keys in the tree have

the index number (i, j), where 0≤ i < H is the layer number,

and 1≤ j ≤ 2i _{is the position number in layer i. The index} number for the parent of the KEK with the index (i, j) is given by (i− 1,j

2



). Suppose that UEj is assigned the user key UH,j where 1 ≤ j ≤ N. The content is encrypted by the intermediate key Ki,j before it is multicasted to 2H−i UEs, UE2H−i(j₋₁₎₊₁, UE2H−i(j₋₁₎₊₂, ..., UE2H−ij. UH,j is used to encrypt the key that will be unicasted to UEj. UEj stores S, T, Rj, UH,j and H−1 intermediate keys, K_H−1,j

2, K_H−2,j 22, ..., K1, j 2H−1. In other words, UE j contains H + 3keys.

In the original KMM in UMTS, the new S should be unicasted to all joined UEs to update an old S. In KTS, the multicast technology can be applied to deliver the new

S. Consider Figure 3 as an example. To deliver a new S to

UE1, UE2, ..., UE8, BM-SC can multicast K1,1{Snew} to UE1,

UE2, UE3, UE4and multicast K1,2{Snew} to UE5, UE6, UE7,

UE8. To apply KTS in KMM, Procedure P4 is not modified,

while the other three procedures are modified as follows:

User Service Leave Procedure P2: The Steps L1 and L3

are the same as those in KMM while the Step L2 is modified as follows. Assume that UEl leaves the multi-cast group. The group keys (including S and H−1 KEKs)

known by UElshould be updated so that UElcannot de-code any future multicast content. Kold

H−1,₂l is updated to Knew H−1,₂l; K old H−2,l 22 is updated to Knew H−2,l 22 ; ...; Kold 1, l 2H−1 is updated to Knew 1, l 2H−1

, and Sold_{is updated} to Snew_{. All newly generated keys should be delivered} to all joined UEs that own the old keys. The following actions are taken. The KEK, Knew

H−1,₂l, is unicasted to the other UE that owns Kold

H−1,₂l(i.e., UEl+1if l is odd, or UEl−1 if l is even). Knew_H−2,l 22 , ..., Knew 1, l 2H−1 and

Snew _{are multicasted to the UEs that own the old keys,} and are encrypted with each of their respective children’s KEKs. Take Figure 3 as an example. Originally, there are 7 joined UEs, UE1, UE2, ..., UE7, and later UE6 leaves

the multicast group. In this case, the following four steps are exercised in Step L2.

Step L2-1. The BM-SC updates the two old KEKs, Kold

1,2

and Kold

2,3 as Knew1,2 and Knew2,3 and the old MSK Soldas Snew _{for UE}

5 by unicasting U3,5{Knew1,2 ,Knew2,3 ,Snew}

to UE5.

Step L2-2. The BM-SC updates the old KEK Kold

1,2 as Knew

1,2 for UE7by multicasting Kold2,4{Knew1,2 } to UE7. Step L2-3. The BM-SC updates the old MSK Sold

as Snew _{for UE}

1, UE2, ..., UE4 by multicasting K1,1{Snew} to UE1, UE2, UE3 and UE4.

Step L2-4. The BM-SC updates the old MSK Sold _as

Snew _{for UE}

5 and UE7 by multicasting Knew1,2 {Snew}

to UE5 and UE7.

Note that the key tree may not be balanced when a UE leaves. As recommended by Moyer et al. [14], the key tree should be regenerated by running the Re-balance algorithm. After the key tree regeneration, the newly generated keys should be delivered to the affected joined

UEs. As noted in [14], the number of keys that need to be updated is twice that in a non-balanced key tree after a UE leaves.

User Service Join Procedure P1: When a new UE, UE_, joins the multicast group, the BM-SC first determines the corresponding U position in the key tree for UE by executing the Re-balance algorithm in [14]. Let k be the position number of the found U position, i.e., UE is assigned UH,k. To simplify our description, UE is denoted as UEk hereafter.

To prevent UEk from decoding overheard multicast con-tent, Kold H_−1,k₂, K old H_−2,k 22 , ..., Kold 1, k 2H−1 and Sold should be updated. The newly generated keys (i.e.,

Knew H−1,k₂, K new H−2,k 22 , ..., Knew 1, k 2H−1

and Snew_{) are} delivered to all joined UEs that own the old keys, which are encrypted by the old keys. BM-SC then unicasts

UH,k{Knew_H−1,k 2 , Knew H−2,k 22 , ..., Knew 1, k 2H−1 , Snew_{} to} UEk. In the example of Figure 3, where UE8 joins the

multicast group, BM-SC multicasts Kold

1,2{Knew1,2 } to UE5,

UE6and UE7, and unicasts U3,8{Knew2,4 , Knew1,2 , Snew} to

UE8, in order to deliver Knew1,2 to UE5, UE6, UE7 and

UE8. These key deliveries are performed at Step J3. MSK Update Procedure P3: To update S, the all KEKs and

S in the key tree should be regenerated and unicast to

all joined UEs, including S and H− 1 KEKs. The key

deliveries can be performed at Step S1.

In KTS, delivery of intermediate KEKs requires multicast transmission. According to the UMTS KMM, KEKs may be delivered through the MTCH. Based on the UMTS MBMS standard [4], the following two implementation methods are available for KEK delivery: (i) BM-SC creates a new multicast group for the KEK delivery, and (ii) BM-SC multicasts KEKs through the network bearer of the original multicast group. In method (i), to form a new multicast group, all joined UEs should perform the MBMS Multicast Service Activation procedure [2], which incurs heavy signaling overhead to the UMTS network. Method (ii) is thus more practical than method (i). However, method (ii) consumes radio resource (carrying the multicast content) in delivering KEKs, thus decreasing the QoS of multicast content. Furthermore, KTS has the following problems.

• In KTS, H + 3 keys are stored in a UE. Increasing the number of joined UEs (i.e., increasing H) raises the amount of storage space required, and therefore may not be practical due to the limited UE storage space. • KTS may require much extra key transmission overhead

to keep the key tree balanced when UEs join or leave. The next section proposes the Hash Function Scheme (HFS) for KMM in UMTS MBMS by utilizing the one-way hash function to resolve both Issues 1 and 2 without extra storage space.

III. HASHFUNCTIONSCHEME

A one-way hash function h(·) is a powerful and

com-putationally efficient cryptographic tool [15], which takes a message of arbitrary size as its input, and outputs a fixed string. “One way” means that the original input cannot feasibly

be derived from the output. The one-way property of hash function is utilized to update S efficiently. The idea of HFS is that BM-SC requests (through multicast) UEs to generate a new S by using h(·) instead of unicast S to all UEs. The

HFS exercises as follows. Suppose that the multicast group contains N joined UEs, namely UE1, UE2, ..., UEN, and Sold and Told _{are used for the MBMS User Service. To apply HFS} to KMM, Procedures P1 and P3 are modified as follows, while the other two procedures (P2 and P4) remain the same as those in KMM.

User Service Join Procedure P1: Figure 4 shows the

mes-sage flow for this procedure, where Steps J1 and J2 are the same as that in KMM, and Steps J3 and J4 are modified. Assume that a UE, UEN +1, joins the multicast group. If N = 0 (i.e., UEN +1 is the only user in the multicast group), then this procedure is the same as that in KMM of MBMS UMTS. For N > 0, UEN +1 is assigned UN +1 after being successfully authenticated. The BM-SC generates a new T, Tnew _{and a new S by} executing Snew_{= h(T}new_{, S}old_{). Then BM-SC unicasts}

UN +1{Snew, Tnew} to UEN +1. Then BM-SC multicasts

Sold_{Tnew_{} to the other N joined UEs. The N UEs} generate Snew _{by executing S}new _{= h(T}new_{, S}old_), respectively.

MSK Update Procedure P3: The BM-SC generates a new T, Tnew _{and a new S by executing S}new _{= h(T}new_,

Sold_{). Then, BM-SC multicasts S}old_{Tnew_{} to N joined} UEs. The N UEs generate Snew _{by executing S}new ₌

h(Tnew_{, S}old_{), respectively.}

The SHA-1 [16] (the standard one-way hash function in-stalled in the UE) can be utilized to implement HFS. The implementation cost of HFS is considered insignificant. For the robustness of SHA-1, as mentioned in [15], theoretically, it requires 280_{trials using the brute-force method to break the}

full 80-step SHA-1, which is considered big overhead. In the recent studies [15], [17], the birthday attack and multicollision attack were proposed to break SHA with less

computation overhead, whose details can be found in [15], [17]. Wang et al. [18] reduced the complexity of the com-putation (to find a collision in SHA-1 using collision search attack) to 269_{. The computation overhead is still high, i.e., up}

to several hours. In HFS, the one-way hash function h(·) is

applied when only Event 1 or 3 occurs. For Events 2 and 4, HFS follows the standard procedures in MBMS KMM. Usually, the time interval between the occurrence of Event 2 and the occurrence of Event 4 is shorter than one hour. In other words, before SHA-1 is broken, UE may retrieve new

S and T from BM-SC. Thus, HFS is considered robust under

birthday and multicollision attacks.

IV. SECURITYANALYSIS

A secured multicast mechanism should satisfy the group secrecy property [19], which stipulates the following require-ments.

• Nongroup confidentiality: only the joined UEs can decode the multicast content, i.e., non-joined UEs cannot decode it.

• Forward secrecy: a UE joining at time t cannot decode any multicast content before t.

• Backward secrecy: a UE leaving at time t cannot decode any multicast content after t.

This section analyzes the group secrecy property for the KMM, KMM with KTS (denoted as KMMKTS), and KMM

with HFS (denoted as KMMHFS).

As specified in [6], in KMM, nongroup confidentiality can be achieved by group keys S and T, and forward and backward confidentialities can be achieved via Procedures P1 and P2, respectively. Additionally, in [8], KMMKTS has been proven

to be able to achieve the three confidentialities. In KMMHFS,

Procedure P2 is the same as that in KMM, and backward secrecy can be achieved. In KMMHFS, we modify Procedures

P1 and P3 in KMM. In KMMHFS, Procedure P1 is invoked

to update S and T when a new UE joins the multicast group at t. Since the UE does not have the old T and S, it cannot decode any content multicasted before t, and forward secrecy holds in KMMHFS.

In KMM, T is used to encode the multicast content for security protection, and S is used to encrypt the multicast transmission of T. The following lemma proves that HFS prevents any malicious UE from obtaining S and T, and therefore cannot steal the multicast content. In other words, KMMHFS holds nongroup confidentiality.

Lemma1 1: Let ti be the time when the ith event occurs during a multicast session, and S(i) _{and T}(i) _{denote S and} T used at the ith event. Suppose that a malicious UE, UEm, starts to overhear the multicast information at time t _during the period between ti and ti+1, i.e., ti≤ t< ti+1. Then with KMMHFS, UEm cannot get S(i) and T(i).

Proof: The proof is completed by considering the

follow-ing two conditions.

Condition 1: t _{> ti. The multicast information (overheard} by UEm during the time period [t ti+1)) is

T(i)_{{content}, and UE}

m cannot retrieve S(i) and T(i) from this information.

Condition 2: t _{= ti. During the time period [ti ti+1), UEm} can overhear S(i)_{T(i)_{} and T}(i)_{{content}. In this}

con-dition, if UEm cannot get S(i), then he cannot steal the content. Hypothesis “UEm cannot get S(i)” is proven to hold by induction on i.

Basic: If i = 1 in KMM, then the ith event must be

Event 1. The first UE joins the multicast group, and

S(1) _{is unicasted with protection to this UE. The UE}

m cannot obtain S(1)_{, and the hypothesis holds.}

Inductive Step: Suppose that the hypothesis holds when i = k (i.e., UEm cannot get S(k)). For i = k + 1, consider the following four cases:

Case 1: The k + 1st event is Event 1. At tk+1, all joined UEs respectively generate S(k+1) _by

exe-cuting Procedure P1 in KMMHFS, and have S(k+1)

= h(T(k+1),S(k)) (1) where T(k+1) _{is delivered by multicast} S(k)_{T(k+1)_{}. Since UE}

m cannot obtain S(k), he cannot retrieve S(k+1)_.

Bootstrapping authentication

Bootstrapping usage procedure (MRK1+1)

Generate Tnew_{and S}new_{= h(T}new_{, S}old₎

UE1+1 BM-SC BSF UE1...1 Sold_{Tnew_} Derive U1+1and R1+1 U1+1{Snew, Tnew} J3 J2 J4 J1

Derive U1+1and R1+1

Generate Snew₌

h(Tnew_{, S}old₎

Fig. 4. Message flow for the User Service Join procedure in HFS.

Case 2: The k + 1st event is Event 2. At tk+1, S(k+1) is unicasted with protection to all joined UEs by BM-SC (see Procedure P2 in KMMHFS), and thus

UEmcannot get S(k+1).

Case 3: The k + 1st event is Event 3. At tk+1, all joined UEs respectively generate S(k+1) _by

exe-cuting Procedure P3 in KMMHFSusing (1). In the

same reason mentioned in Case 1, UEmcannot get

S(k+1)_.

Case 4: The k + 1st event is Event 4. At tk+1, all joined UEs update T by receiving the multicasted

S(k+1)_{T(k+1)_{} from BM-SC (see Procedure P4 in}

KMMHFS), and S(k+1) is the same as S(k). Since

UEmcannot obtain S(k), S(k+1)cannot be retrieved by UEm.

Thus, the hypothesis holds for all cases.

V. PERFORMANCEEVALUATION

This study develops an analytic model and simulation ex-periments to investigate the performance for KMM, KMMKTS

and KMMHFS. Appendix A describes the analytic model

in details. The simulation model adopts the event-driven approach widely used in mobile network studies [20]. Both models are validated against each other in Appendix A. More than 500,000 experiments are executed to ensure the stability of the simulation results.

In this study, the session time Tsof an MBMS User Service session is modeled as a widely used Gamma distribution with mean 1

μ and variance vs [20] because Gamma distribution can be shaped to represent many distributions, as well as to measure data that cannot be characterized by a particular dis-tribution [21]. Additionally, this disdis-tribution has been widely used in mobile network studies [20]. A UE may join or leave the multicast group during an MBMS User Service session. Assume that the UE inter-arrival time ta to an MBMS User Service session has Gamma distribution with mean 1

λ and variance va. The resident time tu (when the joined UE stays in an MBMS User Service session) is assumed to be Gamma distributed with mean 1

η and variance vu =

1

αη2, where α is

the shape parameter. During an MBMS User Service session,

S and T are periodically updated every Δsand Δttime units, respectively. The other notations used in this study include the random number N (to count the number of current joined

UEs in a multicast group at a specific time point), the total number X of UEs that have joined the multicast group during the period Ts and the total number Y of UEs that have left the multicast group during the period Ts.

This study applies videos as multicast sessions to investigate the performance of MBMS User Services. The average session time (1

μ) is 100 mins, and the variance of session time (vs) is 570 min2_{. If v}

s is large (e.g., vs ≥ _μ12), then most of

generated session times are very small numbers (the curve of Gamma density function can be found in Figure 11 of Chapter 3 [21]) and not fit to represent the periods of movies. Therefore, a small variance is chosen to approximate the real world. According to Chebyshev’s Inequality, the probability

P that the session times are out of the range [_μ1− t,_μ1+ t]is less than v_s

t2 for all t. If 1

μ = 100mins and vs= 570 min

2_,

then P is less than 63.3%. The numerical results indicate that

P is about 20%. Furthermore, the effects of _λ1, va and 1_η (discussed later) are similar even for different vs. Therefore, the performance results specifically for Exponential session times are not presented. For the same reason, α = 4 is chosen for the Gamma resident time tu so that a reasonable number of UEs stay in the MBMS service within any time period. Anyway, it is easy to adjust these parameters to simulate different behaviors of MBMS services.

Let ei be the number of Events i (i = 1, 2, 3 or 4) occurring in a multicast session. Let Ni,j be the number of joined UEs in the multicast group at the jth occurrence of Event i. As specified in [6], T and S have the same size of 128 bits. Let nu,i(Ni,j) and nm,i(Ni,j), be the numbers of unicast and multicast messages used to deliver S or T at the jth occurrence of Event i conditioning on there are Ni,j joined UEs, respectively. Let ku,i(Ni,j)and km,i(Ni,j)be the numbers of keys (T or S) carried in a unicast and a multicast messages at the jth occurrence of Event i conditioning on there are Ni,j joined UEs, respectively. Let su,i(Ni,j) and

sm,i(Ni,j) be the total number of keys (S or T) carried in unicast and multicast messages at the jth occurrence of Event

i conditioning on there are Ni,j joined UEs, respectively. For i = 1, 2, 3, 4, we have su,i(Ni,j) = nu,i(Ni,j)ku,i(Ni,j) and sm,i(Ni,j) = nm,i(Ni,j)km,i(Ni,j). Figure 5 lists the

nu,i(Ni,j), nm,i(Ni,j), ku,i(Ni,j), km,i(Ni,j), su,i(Ni,j), and

sm,i(Ni,j)values for KMM, KMMKTS, and KMMHFS, where i = 1, 2, 3, 4. Note that the analysis for KMMKTS in Figure 5

is simplified due to the complexity of key tree regeneration. This study investigates the following output measures.

1,j+1

sm,i(i,j)

su,i(i,j)

nm,i(i,j) km,i(i,j)

nu,i(i,j) ku,i(i,j)

sm,i(i,j)

su,i(i,j)

nm,i(i,j) km,i(i,j)

nu,i(i,j) ku,i(i,j)

sm,i(i,j)

su,i(i,j)

nm,i(i,j) km,i(i,j)

0 ⎡lg(N −1)⎤ ⎡ N ⎤ N lg i=1 nu,i(i,j) 1,j+1 KMM ku,i(i,j) 1 1 1 1 i=2 2,j−1 1 1 1 2,j−1 1 i=3 3,j 1 1 1 3,j 1 i=4 0 1 0 1 0 1 1 KMMKTS 1 1 1 3,j 1 1 1 0 1 0 1 1 1 KMMHFS 1 2 1 2 1 2,j−1 1 1 1 2,j−1 1 0 1 0 1 0 1 0 1 0 1 0 1 ⎡lg( 1)⎤ 1 2 N− − ⎡lg(N +1)⎤ ⎡lg(N −1)⎤ ⎡lgN⎤ ⎡lg(N+1)⎤+1 ⎡lg( 1)⎤ 1 2 N− − i=1 i=2 i=3 i=4 ⎡lg(NN1,j+1)⎤+1 N1,j _⎡lg(NN1,+j 1)_⎤ N1,j j N2, N2,j N2,j N2,j j N3, N3,j N3,j

Fig. 5. nu,i(N_i,j), nm,i(N_i,j), ku,i(N_i,j), km,i(N_i,j), su,i(N_i,j), and s_m,i(N_i,j)values for i = 1, 2, 3, 4 in KMM, KMMKTS, and KMMHFS.

• Muor Mm: the numbers of unicast or multicast messages used to deliver S or T during a multicast session, which is calculated as Mu= 4  i=1 e_i  j=1 nu,i(Ni,j) or Mm= 4  i=1 e_i  j=1 nm,i(Ni,j). (2) • Su or Sm: the total number of keys (S or T) carried in

unicast or multicast messages during a multicast session, which is obtained as follows

Su= 4  i=1 e_i  j=1 su,i(Ni,j) or Sm= 4  i=1 e_i  j=1 sm,i(Ni,j). (3) (2), (3) and Figure 5 clearly indicate that Mm= Smfor each scheme, since every multicast message contains only one key, i.e., km,1(N1,j) = km,2(N2,j) = km,3(N3,j) = km,4(N4,j) =

1for all j. Additionally, KMM and KMMHFS have the same Mmvalues. Based on the simulation experiments, the impacts of the input parameters on the output measures are elaborated as follows.

Effects of 1

λ: Figure 6 plots Mu, Suand Smas functions of

1

λ for KMM, KMMKTS and KMMHFS, where

1

μ = 100 mins, vs= 570min2, 1_η = 60mins, α = 4, Δt= 5mins and Δs= 20mins. The inter-arrival time is exponentially distributed with mean 1

λ mins.

The figure shows an intuitive result that Mu, Su and Sm decrease as 1

λincreases. A lower

1

λimplies that more UEs join (i.e., a larger X), stay (i.e., a larger N) and then leave (i.e., a larger Y ) the service. Based on Figure 5, explicitly all of Mu, Su and Smare decreasing functions when _λ1 increases.

Figure 6 (a) indicates that decreasing 1

λ significantly increases Mu of KMM and slightly increases Mu of KMMHFS. Decreasing _λ1 only insignificantly affects Mu of KMMKTS. In KMM, BM-SC needs to unicast S to

all UEs in service at Procedures P1, P2 and P3, and the effort of S delivery is large if the net traffic is heavy. In KMMHFS, S is delivered to all UEs at Procedure P2,

and thus the Mu of KMMHFS is smaller than that of

KMM. In KMMKTS, only for Procedure P3, BM-SC

unicasts S to all UEs while P3 rarely executes. Thus,

Mu of KMMKTS is insensitive to the change in 1_λ, and

is the smallest among the three schemes.

Since the wireless bandwidth is precious, the total number of keys carried in unicast/multicast messages is calculated to find the bandwidth consumed for each of the three schemes. Figure 6 (b) shows the total number of keys carried in unicast messages for the three schemes. The figure indicates when the traffic is small (i.e., 1

λ ≥ 1.4 mins), the Suof KMMHFSis less than that of KMMKTS.

Conversely, when the traffic is large (i.e., 1

λ < 1.4mins), KMMKTSrequires fewer keys to deliver than KMMHFS.

As 1

λ decreases, N and Y increase, and therefore Su of KMMHFS increases rapidly since the number of unicast

messages for Procedure P2 is O(N). For KMMKTS,

the keys of each unicast message at P1, P2 and P3 is

O(lg N )and Su of KMMKT S increases slowly. If N is

small, then KMMHFS has a smaller Su than KMMKTS.

When the net traffic is heavy, the gap between O(N) and O(lg N) increases rapidly, and KMMKTS performs

better than the other two schemes. Figure 6 (c) shows that as 1

λ decreases, Smof KMMKTS increases more rapidly than that of KMM and KMMHFS.

Note that Sm = Mm for each scheme individually, and

Sm are the same for KMM and KMMHFS. Since the

number of keys carried in each multicast message at Procedures P1 and P2 is O(lg N), Sm of KMMKTS

increases rapidly as 1

λ decreases.

All of the multicast messages for KMMKTS are used for

key distribution, and must be transmitted in real-time. Consider a special scenario in which many UEs join or depart simultaneously during a short period. Since P1 and P2 need to transmit many keys, and occupy the MTCH, the multimedia content is likely to be compressed, thus degrading QoS. Although KMMKTS has better

perfor-mance for Issue 1, the requirement of Issue 2 is not guaranteed.

Effects of va: Figure 7 plot Suand Smas functions of va for KMM, KMMHFS and KMMKTS, respectively. In these

figures, 1 λ = 2 mins, 1 μ = 100 mins, vs = 570 min 2 , 1

η = 60 mins, α = 4, Δt = 5 mins and Δs = 20 mins. Note that if the variance (va) equals to 4 min2, then the inter-arrival times form an Exponential distribution, and Su and Sm for KMMHFS are smaller than those

of KMMKTS, as revealed in Figure 6. We observe the

following.

• For va < 1 min2, Su and Sm are insensitive to the variance of the inter-arrival time.

• For va≥ 1 min2, Suand Smare increasing functions of va. Specifically, a change in va significantly affects Su of KMM and KMMHFS.

A large vameans the system traffic becomes more bursty, that is, most inter-arrival times are very small, but a few of them are very large. The inter-arrival times thus diverge in a wide range. If the same period Tsis observed, then the number of UEs joining the service (i.e., X) for a large va is greater than that for

a small va, and the effect of increasing vais similar to the effect of decreasing 1

λ. Therefore, Su and Sm increase as va increases. Specifically, if va ≥ 60 min2, the Su of KMMHFS is larger than that of KMMKTS.

0 20 40 60 80 100 Mu (102₎ 1 2 3 4 1/λ (unit: minute) ... ... ..._... ..._... ... ..._... ..._... ..._... ... ..._... ..._... ..._... ..._... ..._... ..._... ..._... ... ..._... ..._... ..._... ..._... ..._... ... ... ... ..._... ... ..._... ... ..._... ... ..._... ..._... ..._... ..._... ... ..._... ..._... ..._... ..._... ... ..._... ..._... ..._... ..._... ..._... ... ◦ ◦ ◦ ◦ _◦ ∗ ∗ ∗ _∗ ∗ • • _{• • •} (a) Effect on Mu ◦ : KMM ∗ : KMMHFS • : KMMKTS 0.5 ... ... 0 20 40 60 80 100 Su (102₎ 1 2 3 4 1/λ (unit:minute) ... ... ..._... ..._... ... ..._... ..._... ..._... ..._... ..._... ... ..._... ..._... ..._... ..._... ..._... ... ..._... ..._... ..._... ..._... ..._... ... ... ... ..._... ... ..._... ... ... ..._... ... ..._... ..._... ..._... ..._... ..._... ..._... ..._... ..._... ..._... ..._... ... ..._... ..._... ... ..._... ..._... ..._... ..._... ... ..._... ..._... ..._... ..._... ... ◦ ◦ ◦ _◦ ∗ ∗ ∗ _∗ ∗ • • • _• • (b) Effect on Su ◦ : KMM ∗ : KMMHFS • : KMMKTS 0.5 ... ... 0 10 20 30 Sm (102₎ 1 2 3 4 1/λ (unit:minute) ..._... ... ..._... ... ... ..._... ..._... ..._... ... ..._... ... ..._... ..._... ..._... ..._... ..._... ... ..._... ..._... ..._... ..._... ..._... ... ◦ _◦ ◦ ◦ ◦ ∗ ∗ _{∗ ∗ ∗} • • • • _• (c) Effect on Sm ◦ : KMM ∗ : KMMHFS • : KMMKTS 0.5...

Fig. 6. The effects of 1

λon Mu, Su, Smand Mm(1μ= 100mins; vs= 570min2; η1 = 60mins; α = 4; Δt= 5mins; Δs= 20mins).

10−2 ₁₀−1 _{1 10}1 ₁₀2 va(unit: min2₎ 0 5 10 15 20 25 30 35 102 ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ◦ ◦ ◦ ◦ ◦ ∗ ∗ ∗ ∗ ∗ • • • • • ◦ ◦ ◦ ◦ ◦ ∗ ∗ ∗ ∗ ∗ • • • • • Su Sm ◦ : KMM ∗ : KMMHF S • : KMMKT S ... ... ...

Fig. 7. The effects of vaon Suand Sm(1_λ = 2mins; _μ1 = 100mins; vs= 570min2_; 1

η= 60mins; α = 4; Δt= 5mins; Δs= 20mins).

Effects of 1

η: Figure 8 plots Su and Sm as functions of the mean session holding time 1

η for KMM,

KMMKTS and KMMHFS, respectively. In these figures, 1

λ = 2 mins, va = 4min

2_{, α = 4,} 1

μ = 100mins , vs= 570 min2_{, Δ}

t = 5 mins and Δs = 20 mins. Notably,

X is fixed for every 1

η, and the execution numbers of Procedures P3 and P4 are also fixed. As 1

η rises (i.e., the time period that a joined UE remains in the service rises),

Y falls and N rises. Since the total traffic to the system

is fixed, increasing 1

η has the following phenomena.

Phenomenon 1: As 1

η increases, Y decreases linearly, which implies that the execution number of Procedure P2 of the three schemes decreases.

Phenomenon 2: As 1

η increases, N increases, which implies that the number of unicast messages for each Procedure P2 of KMM and KMMHFS increases. Phenomenon 3: As 1

η increases, N increases, which implies that the number of unicast messages for each Procedure P1 of KMM increases.

Phenomenon 4: As 1

η increases, N increases, which implies that the number of unicast messages for each

0 3 6 9 12 15 18 102 10 20 30 40 50 60 70 80 1/η ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ..._... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... . ... ... ... ... ... ... ... ... ... ... ... ... ... ... . ... ... ... ... ... ... ... ... ... ..._{... ... ... ...} ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ • • • • • • • • ◦ ◦ ◦ ◦ ◦ ◦ ◦ ◦ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ • • • • • • • • Su Sm ◦ : KMM ∗ : KMMHF S • : KMMKT S ... ... ...

Fig. 8. The effects of 1

η on Suand Sm(λ1 = 2mins; va = 4min2;

1

μ= 100mins; vs= 570min2; α = 4; Δt= 5mins; Δs= 20mins).

Procedure P3 of KMM and KMMKTS increases. Phenomenon 5: As 1

η increases, N increases, indicating that the number of keys carried in each unicast message for Procedures P1, P2 and P3 of KMMKTS increases. Phenomenon 6: As 1

η increases, N increases, indicating that the number of multicast messages for each Proce-dures P1 or P2 of KMMKTS increases.

The interaction between Phenomena 1 and 2 is subtle. For KMMHFS, the total number of unicast messages

triggered by the departure procedures first increases and then decreases as 1

η increases, as does Su. The interaction effect for KMM is similar to that of KMMHF S. However,

due to Phenomena 3 and 4, the Su of KMM increases as 1

η increases. For KMMKTS, the effect of Phenomena 1, 4 and 5 interact, causing Su to increase slowly as 1_η increases.

Due to Phenomenon 1, Sm of KMM and KMMHFS fall

as 1

η rises. For KMMKTS, the interaction of Phenomena 1 and 6 causes Smto first rise and then fall as 1_η rises.

VI. CONCLUSION

This study proposed a new scheme for distributing MBMS keys over the UMTS network. Based on the concept of Key Management Mechanism (KMM) proposed by 3GPP, the Key-Tree Scheme (KMMKTS), which works efficiently in wired

IP networks, has been modified to fit the mobile environment. Additionally, this study proposed a new scheme, known as a Hash Function Scheme (KMMHFS), in which a hash function

is adopted to update the keys S on UEs and the BM-SC. Via the security analysis, we proved the security of KMMHFS.

Simulation experiments have been developed to investi-gate the performance for KMM, KMMKTS and KMMHFS.

We discussed the number of unicast/multicast messages and the number of keys sent on the unicast/multicast channels. Simulation results indicate that KMMHFS needs less unicast

communication than the other two schemes on Su and Sm if the traffic is not heavy. When the number of UE arrivals is very large, KMMKTS can reduce the unicast burden (i.e., Su) but increase the multicast overhead (i.e., Sm). The burst multicast overhead due to the key distribution of KMMKTS

may result in that the QoS is not guaranteed in some period with very heavy traffic.

Besides, all UEs listening to the MTCH has to process every received multicast key, where the total computation overhead in all UEs increases. We should notice that the effects of multicast key delivery is more significant than the unicast key delivery. Additionally, KMMKTS requires large memory

in UEs. The number of group keys required for a service is lg N, and it increases as more UEs join this service, while only one S is stored for each service in KMM and KMMHFS.

Thus, KMMKTSis more complex than the other two schemes.

By contrast, KMM and KMMHFS are simple to implement.

Compared with KMM, the proposed scheme KMMHFS can

reduce overhead in unicast messages, and also provides the same QoS, because KMMHFS does not increase the multicast

overhead.

APPENDIXA

THEANALYTICALMODEL

This section proposes an analytical model to validate the simulation model by calculating the number of occurrences of executions for P1 or P2 during a MBMS session. Consider the timing diagram in Figure 9. Suppose that the elapse time of an MBMS User Service session, Ts, is exponentially distributed with the density function f(t), the mean 1

μ and Laplace transform f∗_{(s) =} μ

μ+s 

, to validate the simulation model (which is mainly used to conduct our study and is easily applied different distributions for the session times).

During an MBMS User Service session, when an UE joins or leaves the multicast group of this service at his own will, P1 or P2 is triggered. In our analytical model, the UE inter-arrival time for an MBMS User Service session, ta, is assumed to be exponentially distributed with the mean 1

λ. The time period when the joined UE stays in the MBMS User Service session,

tu, has the density function fu(·), the mean 1_η and the Laplace transform f∗

u(s).

Let X be the number of UEs joining the multicast group conditioning the period Ts. From [22], the probability that

X = x during period Ts= t can be expressed as Pr[X = x|Ts= t] =

(λt)x

x! e

−λt_.

Then, Pr[X = x] (the probability that x UEs join the multicast group during period Ts) can be obtained as follows:

Pr[X = x] =  ∞ t=0 Pr[X = x|T = t]f(t)dt =  λx x!  ∞ t=0 txf (t)e−λtdt =  λx x! (−1)x d x dsxf ∗_(s) s=λ = μλ x (μ + λ)x+1 and the expected number of X is given as

E[X] = ∞  x=1 x Pr[X = x] = λ μ. (4)

The UEs joining the MBMS User Service within the period

Ts may leave the multicast group at any time. Let τ be the time period

between the time when the UE joins the multicast group and the time when the session for the service stops. Then from [22], the density function r(τ) for the distribution of τ is expressed r(τ ) = μ  _∞ t=τ f (t) = μ[1− F (t)] t=τ

where F (t) is the distribution function of Ts. Since Ts is exponentially distributed, τ and Tshave the same distribution, that is r(τ) = μe−μτ_.

If the UE leaves the multicast group of the service before the session stops (i.e., tu< τ), the User Service Leave procedure is executed and S is updated. Otherwise (i.e, tu ≥ τ), the current S remains. Let Y be the number of UEs leaving the multicast group during the period Ts. Then, Pr[Y = y|X = x] is the probability that among x joined UEs, y UEs leave (where y ≤ x) the multicast group before the session

ter-minates. Pr[Y = y|X = x] can be computed by counting all

possible ways of y UEs leaving the multicast group before the session terminates, which is given by

Pr[Y = y|X = x] =  x y (Pr[tu< τ ])y(Pr[tu≥ τ])x−y. (5) where Pr[tu≥ τ] can be calculated as

Pr[tu≥ τ] =  _∞ t_u=0  tu τ =0 μe−μτdτ fu(tu)dtu =  _∞ tu=0 (1− e−μtu_)fu(tu)dtu = 1−  _∞ t_u=0 fu(tu)e−μtudtu = 1− fu∗(μ), (6)

and Pr[tu< τ ]can be calculated as fu∗(μ). Thus, (5) is rewritten as Pr[Y = y|X = x] =  x y fu∗(μ) y [1− fu∗(μ)] x_−y .

1st UE joins 2nd UE joins ta_1 tu_1 tu_2 1st UE leaves 3rd UE joins ta_2 2nd UE leaves x-1st UE joins xjoinsth UE ta_x-1

...

tu_x-1 x-1st & xth UEs leave tu_x

MBMS User Service session starts _T MBMS User Service session stops

ta_i : the UE inter-arrival time between the ith UE andi+1st UE.

tu_i : the time period when the ith joined UE stays in the session.

T: the time period for an MBMS User Service session. Fig. 9. Timing diagram.

The expected number of Y is thus expressed as

E[Y ] = ∞  x=1 x  y=1 {y Pr[Y = y|X = x] Pr[X = x]} = ∞  x=1 _x  y=1 y  x y fu∗(μ) y [1− fu∗(μ)] x−y  × μλx (μ + λ)x+1  . (7)

This study takes the Gamma distribution as an example for the distribution of tu. The Gamma distribution with shape parameter α, the mean 1

η and the variance vu=

1 αη2 has the Laplace transform f∗ u(s)as fu∗(s) =  αη αη + s α . (8)

Applying (8) to (7), (7) can be written as

E[Y ] = ∞  x=1 _x  y=1 y  x y  αη αη + μ αy × 1−  αη αη + μ αx_−y μλx (μ + λ)x+1  .(9)

Figure 10 plots E[Y ] where Ts = 100and _λ1 = 4. In this figure, solid curves are the analytical results and the points are the simulation results. The curves and the symbol points show that the analytic analysis is consistent with the simulation results (all errors are within 3%).

ACKNOWLEDGMENT

The authors would like to thank the four anonymous review-ers. Their comments have significantly improved the quality of this paper.

REFERENCES

[1] 3GPP, “Multimedia Broadcast/Multicast Service (MBMS); Stage 1 (Release 7),” 3GPP, Tech. Rep. 3G TS 22.146 V7.1.0, Mar. 2006. [2] ——, “Multimedia Broadcast/Multicast Service (MBMS); Architecture

and functional description (Release 6),” 3GPP, Tech. Rep. 3G TS 23.246 V6.10.0, June 2006.

[3] ——, “Generic Authentication Architecture (GAA); Generic bootstrap-ping architecture (Release 7),” 3GPP, Tech. Rep. 3G TS 33.220 V7.4.0, June 2006. 12 14 16 18 20 22 24 26 E[Y ] 10 20 30 40 50 60 1 η ...       ..._... ..._... ..._... ..._... ..._... ... ◦ ◦ ◦ ◦ _◦ ◦ ..._... ..._... ..._... ..._... ..._... ... ..._... ..._... ..._... ..._... ..._... ..._... ..._... ..._... ..._... × × × × × × ..._... ..._... ..._... ..._... ..._... ..._... ..._... ..._... ..._... ..._... ..._... ..._... ..._... ..._... ..._... ..._... ..._... ...       ..._... ..._... ..._... ..._... ..._... ..._... ..._... ..._... ... ..._... ..._... ..._... ..._... ... ..._... ..._... ..._... ..._... ... ... × × × × × × ... ... ... ... ... ... ... ... ... ..._{... ... ... ... ... ... ... ... ... ... ... ... ... ... ... .}  _{    } ... ... ... ... ... ... ... ..._{... ...} ... ... ... ... ..._{... ... ...} ... ... ..._{... ... ... ...} ... ... ◦ ◦ ◦ ◦ _◦ ◦ ..._... ..._... ..._... ..._... ... ... ... ..._... ... ... ..._... ... ... ... ..._... ..._... ..._... ..._... ..._... ..._... ..._. ∗ ∗ ∗ ∗ ∗ ∗ ... ... ... ..._... ... ..._... ... ..._... ..._... ..._... ..._... ..._... ... ..._... ..._... ... ... ... ... ... ... ... ... ..._... ... ..._...       ..._... ... ... ..._... ... ... ..._... ..._... ..._... ..._... ..._... ..._... ... ..._... ... ... ... ... ... ... ... ..._... ... ... ... ... ... × × × × × × Solid: Simulation Dashed: Analysis : vu=100η12 ◦: vu=10η12 ∗: vu=η12 : vu=10η2 ×: vu=100η2

Fig. 10. Comparison between the analytic and simulation results.

[4] ——, “Multimedia Broadcast/Multicast Service (MBMS) user services; Stage 1 (Release 8),” 3GPP, Tech. Rep. 3G TS 22.246 V8.0.0, June 2006.

[5] ——, “Radio Interface Protocol Architecture (Release 7),” 3GPP, Tech. Rep. 3G TS 25.301 V7.0.0, Apr. 2006.

[6] ——, “3G Security; Security of Multimedia Broadcast/Multicast Service (MBMS) (Release 7),” 3GPP, Tech. Rep. 3G TS 33.246 V7.0.0, June 2006.

[7] J. Arkko, E. Carrara, F. Lindholm, M. Naslund, and K. Norrman, “MIKEY: Multimedia Internet KEYing,” RFC 3830, Aug. 2004. [8] R. Canetti, J. Garay, G. Itkis, D. Micciancio, M. Naor, and B. Pinkas,

“Multicast security: a taxonomy and some efficient constructions,” in Proc. IEEE INFOCOM’99, vol. 2, Mar. 1999, pp. 708–716.

[9] M. J. Moyer, J. R. Rao, and P. Rohatgi, “A survey of security issues in multicast communications,” IEEE Network, vol. 13, no. 6, pp. 12–23, Nov.-Dec. 1999.

[10] D. Wallner, E. Harder, and R. Agee, “Key management for multicast: issues and architectures,” RFC 2627, June 1999.

[11] C. K. Wong, M. Gouda, and S. S. Lam, “Secure group communications using key graphs,” IEEE/ACM Trans. Networking, vol. 8, no. 1, pp. 16–30, Feb. 2000.

[12] W. Xu, W. Trappe, and S. Paul, “Key management for 3G MBMS security,” in Proc. IEEE GLOBECOM’01, vol. 4, Dec. 2004, pp. 2276– 2280.

[13] Y. Sun, W. Trappe, and K. J. Liu, “A scalable multicast key manage-ment scheme for heterogeneous wireless networks,” IEEE/ACM Trans. Networking, vol. 12, no. 4, pp. 653–666, Aug. 2004.

[14] M. J. Moyer, J. R. Rao, and P. Rohatgi, “Maintaining balanced key trees for secure multicast,” IETF Draft, June 1999.

[15] A. Joux, “Collisions for SHA-0,” in rump session of Proc. CRYPTO’04, Aug. 2004.

[16] NIST, “FIPS PUB 180-1: Secure Hash Standard,” Apr. 1995. [17] M. Nandi and D. R. Stinson, “Multicollision attacks on some generalized

sequential hash functions,” IEEE Trans. Inform. Theory, vol. 53, no. 2, pp. 759–767, Feb. 2007.

[18] X. Wang, Y. L. Yin, and H. Yu, “Finding collisions in the full SHA-1,” in Proc. CRYPTO’05, Aug. 2005.

[19] H. Lu, “A novel high-order tree for secure multicast key management,” IEEE Trans. Comput., vol. 54, no. 2, pp. 214–224, Feb. 2005. [20] Y.-B. Lin, “Performance modeling for mobile telephone networks,”

IEEE Network, vol. 11, no. 6, pp. 63–68, Nov.-Dec. 1997.

[21] A. M. Mood, F. A. Graybill, and D. C. Boes, Introduction to the Theory of Statistics. McGraw-Hill Publishing Co., 1974.

[22] L. Kleinrock, Theory, Volume 1, Queueing Systems. Wiley-Interscience, 1975.

Shin-Ming Cheng received the BS and Ph.D.

de-grees in computer science and information engi-neering from National Taiwan University, Taipei, Taiwan, in 2000 and 2007, respectively. Currently, he is a postdoctoral researcher at the Department of Electrical Engineering, National Taiwan University, Taipei, Taiwan. His research interests include mobile networking, wireless communications, and network security.

Wei-Ru Lai received the BSEE and Ph.D. degrees

from the Department of computer Science and Infor-mation Engineering, National Chiao Tung Univer-sity, Taiwan, R.O.C., in 1991 and 1999, respectively. In 1999, she became an Assistant Professor with the Department of Information Management, Chin-Min College, Taiwan. She is currently an Assistant Professor with the Communications Engineering Department, Yuan Ze University, Tao-Yuan, Taiwan, R.O.C. Her research interests include the design and analysis of personal communications services.

Phone Lin (M’02-SM’06) received his BSCSIE

degree and Ph.D. degree from National Chiao Tung University, Taiwan, R.O.C. in 1996 and 2001, re-spectively. From August 2001 to July 2004, he was an Assistant Professor in Department of Computer Science and Information Engineering (CSIE), Na-tional Taiwan University, R.O.C. Since August 2004, he has been an Associate Professor in Department of CSIE and in Graduate Institute of Networking and Multimedia, National Taiwan University, R.O.C. His current research interests include personal commu-nications services, wireless Internet, and performance modeling. Dr. Lin has published more than twenty international SCI journal papers (most of which are IEEE Transactions and ACM papers). Dr. Lin is an Associate Editor for IEEE TRANSACTIONS ONVEHICULARTECHNOLOGY, a Guest Editor for IEEE WIRELESSCOMMUNICATIONSspecial issue on Mobility and Resource Management, and a Guest Editor for ACM/SPRINGERMONET special issue on Wireless Broad Access. He is also an Associate Editorial Member for the WCMC Journal. Dr. Lin has received many research awards. He was elected as the Best Young Researcher, the 3rd IEEE ComSoc Asia-Pacific Young Researcher Award, 2007. He was a recipient of Research Award for Young Researchers from Pan Wen-Yuan Foundation in Taiwan in 2004, a recipient of K. T. Li Young Researcher Award honored by ACM Taipei Chapter in 2004, a recipient of Wu Ta You Memorial Award of National Science Council (NSC) in Taiwan in 2005, a recipient of Fu Suu-Nien Award of NTU in 2005 for his research achievements, and a recipient of 2006 Young Electrical Engineering Award, the Chinese Institute of Electrical Engineering. Dr. Lin is listed in Who’S Who in Science and Engineering(R) in 2006. Dr. Lin is a Senior Member, IEEE. P. Lin’s email and website addresses are plin@csie.ntu.edu.tw and http://www.csie.ntu.edu.tw/∼plin, respectively.

Kwang-Cheng Chen received B.S. from the

Na-tional Taiwan University in 1983, M.S. and Ph.D. from the University of Maryland, College Park, United States, in 1987 and 1989, all in electrical engineering. From 1987 to 1998, Dr. Chen worked with SSE, COMSAT, IBM Thomas J. Watson Re-search Center, and National Tsing Hua University in mobile communication networks and related re-search. Dr. Chen is the Distinguished Professor and Irwin T. Ho Chair Professor at the Institute of Communication Engineering and Department of Electrical Engineering, National Taiwan University, Taipei, Taiwan, ROC. He holds several visiting positions with Technical University of Delft in Nether-lands, HP Labs. in US, Aalborg University in Denmark. Dr. Chen actively involves the technical organization of numerous leading IEEE conferences, including 1996 IEEE International Symposium on Personal Indoor Mobile Radio Communications, IEEE Globecom 2002, 2007 IEEE Mobile WiMAX Symposium, and IEEE Vehicular Technology Conference Spring 2010. He has served editorship with many prestigious international journals: IEEE TRANS -ACTION ONCOMMUNICATIONS, IEEE COMMUNICATIONSLETTERS, IEEE WIRELESSCOMMUNICATIONSMAGAZINE, INTERNATIONALJOURNAL OF WIRELESS INFORMATION NETWORKS, IEEE JOURNAL ON SELECTED AREA IN COMMUNICATIONS, ACM/BLATZER JOURNAL ON WIRELESS NETWORKS, WIRELESSPERSONALCOMMUNICATIONS, and FRONTIERS OF COMMUNICATIONS AND INFORMATIONTHEORY, etc. Dr. Chen has authored and co-authored over 200 technical papers and documents, 18 granted US patents, and two books: Mobile WiMAX, published by Wiley in 2008, and Principles of Communications, published by River in 2008. Dr. Chen is an IEEE Fellow, and the recipient of many awards and honors. Dr. Chen’s research interests include wireless communications and wireless networks, cognitive and nano-communications & computing.