International Association
for Cryptologic Research

In this work we prove lower bounds on the (communication) cost of maintaining a shared key among a dynamic group of users. Being ``dynamic'' means one can add and remove users from the group. This captures important protocols like multicast encryption (ME) and continuous group-key agreement (CGKA), which is the primitive underlying many group messaging applications. We prove our bounds in a combinatorial setting where the state of the protocol progresses in rounds. The state of the protocol in each round is captured by a set system, with each of its elements specifying a set of users who share a secret key. We show this combinatorial model implies bounds in symbolic models for ME and CGKA that capture, as building blocks, PRGs, PRFs, dual PRFs, secret sharing, and symmetric encryption in the setting of ME, and PRGs, PRFs, dual PRFs, secret sharing, public-key encryption, and key-updatable public-key encryption in the setting of CGKA. The models are related to the ones used by Micciancio and Panjwani (Eurocrypt'04) and Bienstock et al. (TCC'20) to analyze ME and CGKA, respectively. We prove -- using the Bollobas' Set Pairs Inequality -- that the cost (number of uploaded ciphertexts) for replacing a set of d users in a group of size n is \Omega(d*\ln(n/d)). Our lower bound is asymptotically tight and both improves on a bound of \Omega(d) by Bienstock et al. (TCC'20), and generalizes a result by Micciancio and Panjwani (Eurocrypt'04), who proved a lower bound of \Omega(\log(n)) for d=1.