
Access control in user hierarchy based on elliptic curve cryptosystem

Yu Fang Chung (a), Hsiu Hui Lee (b), Feipei Lai (b, c), Tzer Shyong Chen (d, *)

(a) Information Management Department, Chaoyang University of Technology, Taiwan
(b) Computer Science and Information Engineering Department, National Taiwan University, Taiwan
(c) Electrical Engineering Department, National Taiwan University, Taiwan
(d) Information Management Department, Tunghai University, Taiwan

Received 16 May 2006; received in revised form 30 July 2007; accepted 1 August 2007

Abstract

This work proposes a novel key management method based on an elliptic curve cryptosystem and a one-way hash function to solve dynamic access problems in a user hierarchy. The proposed scheme derives the secret keys of successors efficiently and without redundancy. It includes functions such as insertion and removal of classes, updating of their relationships, and changing of secret keys. The method relies on a Central Authority, which enables a user to change a secret key at will. Since the method uses an elliptic curve cryptosystem, which has a low computational cost and a small key size, its performance in terms of both security and efficiency is commendable, and its use can be expected to extend to wireless communication in the future.

© 2007 Elsevier Inc. All rights reserved.

Keywords: Key management; Elliptic curve cryptosystem; Access control; User hierarchy

1. Introduction

Computer cryptography and information security are of primary concern in the digital age. The accelerated growth of computer networks and technology favors multi-user environments organized as a hierarchy. Sharing resources has thus become unavoidable, and both academia and industry require approaches that protect information from unauthorized access.

Computer communication systems often employ user hierarchies to solve access control problems. A user hierarchy generally comprises disjoint security classes, to which users and user information are assigned and ranked. The security class of a user is known as his security clearance. Assume that $SC_1, SC_2, \ldots, SC_n$ are $n$ disjoint security classes. Let $\succeq$ denote a binary partial-order relation on the set of security classes $SC = \{SC_1, SC_2, \ldots, SC_n\}$. In the partially ordered set (poset) $(SC, \succeq)$, $SC_i \succeq SC_j$ denotes that the security class $SC_i$ has

0020-0255/$ - see front matter © 2007 Elsevier Inc. All rights reserved. doi:10.1016/j.ins.2007.08.001

* Corresponding author. Tel.: +886 923 696355; fax: +886 2 23504930. E-mail address: arden@thu.edu.tw (T.S. Chen).


a security clearance higher than or equal to that of the security class $SC_j$. $SC_i$ is classified as a predecessor of $SC_j$, and $SC_j$ as a successor of $SC_i$. Predecessors $SC_i$ can access information belonging to their successors $SC_j$, but not vice versa. If there is no security class $SC_k$ strictly between $SC_i$ and $SC_j$ with $SC_i \succeq SC_k \succeq SC_j$, then $SC_i$ is known as an immediate predecessor of $SC_j$, and $SC_j$ as an immediate successor of $SC_i$. Fig. 1 illustrates an example of a partially ordered set in a user hierarchy. The arrows linking the connected paths in the access net indicate the direction of access: a user at the tail of an arrow can access the user at its head. For $SC_i \succeq SC_j$, data classified as $SC_j$ is generally encrypted with the secret key $sk_j$, and $SC_i$ derives $sk_j$ from its own key $sk_i$ to access the data belonging to $SC_j$. A predecessor reaches a non-immediate successor by deriving the successors' secret keys recursively, level by level. As the hierarchy grows, users in higher-clearance classes need more storage to accommodate the secret keys of all their successors, which creates key management problems; large numbers of keys also make security management difficult. An alternative solution is to assign each user a unique secret key from which the user can compute all of his successors' keys.

The cryptographic key assignment scheme was developed by Akl and Taylor [19]. In this model, each security class $SC_i$ is given a secret key $sk_i$ and a corresponding public parameter $T_i$. For the relationship $SC_i \succeq SC_j$, $SC_i$ can derive the successor's secret key $sk_j$ from its own secret key $sk_i$ and the successor's public parameter $T_j$. Simple key generation and derivation algorithms make the scheme superior to other solutions for dynamic access control problems. However, in practice the number of security classes increases as the hierarchy expands, and so does the storage required for the public parameters. The process of updating a key therefore becomes complex, and the procedure for altering secret keys becomes inconvenient.

This study presents a key management approach to overcome the above problems. The proposed method simplifies key generation and derivation algorithms, efficiently solves the dynamic access control problems, enables users to alter their secret keys at will for security reasons, and resists collusive attacks.

The rest of this paper is organized as follows. Section 2 briefly reviews previous studies on access control problems. Section 3 presents the proposed key generation and derivation algorithms. Section 4 describes dynamic key management. Section 5 analyzes the security tolerance of the key management scheme. Section 6 analyzes performance. Conclusions are drawn in Section 7.

2. Review of previous research

In AT's model [19], each security class $SC_i$ is assigned a public parameter $T_i$ and a secret key $sk_i$. The secret key is created as follows:

$$
sk_i = sk_0^{T_i} \pmod M
$$

where $sk_0$ denotes the secret key of the Central Authority (called CA for brevity hereafter). $M$ represents the product of a pair of secret large primes, and $T_i$ grows as the number of security classes expands. If $SC_i \succeq SC_j$, then $T_j / T_i$ is an integer, so that a predecessor $SC_i$ can derive $sk_j$ as follows:

$$
sk_j = sk_0^{T_j} = sk_0^{T_i (T_j / T_i)} = sk_i^{T_j / T_i} \pmod M
$$

If $SC_i \not\succeq SC_j$, then $T_j / T_i$ is not an integer, and the key derivation fails.

For the case where $T_i$ grows as the security classes expand, MacKinnon et al. [20] presented a canonical assignment scheme to lower the value of $T_i$. Both AT's and MacKinnon's schemes use top-down traversal. Harn and Lin [15] developed a bottom-up key generation method. Although these approaches succeed in decreasing the value of $T_i$, they have to update all existing secret keys to maintain security whenever the hierarchy changes.

Several other key management schemes have been presented. For instance, the methods in [6,14,21] construct and derive the secret keys of all classes on the basis of the discrete logarithm problem, while the model in [17] uses the integer factorization problem for key construction and derivation. These schemes attack the dynamic access control problem with different methods, dealing with the insertion and removal of security classes in a user hierarchy and with the reduction of the size of the public parameters. In these models, users with high security clearance apply repeated key derivation steps to obtain the secret keys of non-immediate successors. Other methods [12,22] enhance AT's scheme and explore approaches that enable a user in a hierarchy to modify the secret key as necessary, so that a predecessor can derive the secret keys of its successors directly and efficiently.

Lin [7] found that deriving one key from another might compromise the new key once the old secret key is disclosed. Furthermore, if the identities of two users belonging to two different security classes in the hierarchy differ only slightly, then one user can probably guess the key of the other.

Kuo et al. later developed a method [10] that uses a public key to encrypt the secret key. Their model has a straightforward key assignment algorithm and a small storage requirement. It utilizes a one-way hash function $H(X)$, where $X$ denotes an arbitrary-length input and $H(X)$ a fixed-length output. The hash value serves as a fingerprint of a file, a message, or another data block, and has the following attributes [8].

(1) $H$ can be applied to a data block of any size.

(2) For any given $X$, $H(X)$ is easy to compute, enabling easy implementation in software and hardware.

(3) The output length of $H(X)$ is fixed.

(4) Given a value $h$ and the function $H$, finding an $X$ with $H(X) = h$ is computationally infeasible (preimage resistance).

(5) For any given $X$, finding a $Y \neq X$ such that $H(Y) = H(X)$ is computationally infeasible (second-preimage resistance).

(6) Finding any pair $(X, Y)$ with $X \neq Y$ such that $H(X) = H(Y)$ is computationally infeasible (collision resistance).

Because $H$ offers this trade-off between security and efficiency, it is used to produce message digests.

Based on these related works [3–5,9,13,17], this work develops a security model that provides protection against both external and internal attacks. The model provides a simple and efficient solution to collusion attacks and security leaks.

3. Proposed scheme

The proposed method has three sequential phases, namely the relationship building phase, the key generation phase, and the key derivation phase, each described below after a review of the underlying elliptic curve arithmetic.

3.1. Elliptic curve cryptosystem

To ensure high security and efficiency, the proposed method is built on an elliptic curve cryptosystem. An elliptic curve cryptosystem achieves a level of security equal to that of RSA (integer factorization) or DSA (discrete logarithm) with lower computational overhead and a smaller key size. The mathematical background of the elliptic curve cryptosystem [1,23] is summarized below.

The elliptic curve cryptosystem employs elliptic curves whose variables and coefficients are all restricted to elements of a finite field, which makes the ECC operations efficient. Two families of elliptic curves are used in cryptographic applications: prime curves defined over $Z_p$ and binary curves constructed over $GF(2^n)$. Fernandes [2] pointed out that "prime curves are best for software applications because the extended bit-fiddling operations needed by binary curves are not required; and that binary curves are best for hardware applications, where it takes remarkably few logic gates to create a powerful, fast cryptosystem".


In this study, the elliptic curve over $Z_p$, defined modulo a prime $p$, is the set of solutions $(x, y)$ of the equation

$$
E_p(a, b):\quad y^2 = x^3 + ax + b \pmod p
$$

where $a, b \in Z_p$ and $4a^3 + 27b^2 \bmod p \neq 0$. The condition $4a^3 + 27b^2 \bmod p \neq 0$ ensures that $x^3 + ax + b \pmod p$ has no repeated roots, which is what makes the set $E_p(a, b)$ a finite abelian group. The definition of an elliptic curve also includes a point at infinity, denoted $O$, which serves as the third point of intersection of a vertical line with the curve: such a line meets the curve at points of the form $(x, y)$, $(x, -y)$ and $O$. Not every elliptic curve over $Z_p$ is suitable for cryptographic applications. Fig. 2 [11] shows an example of an elliptic curve group, where the curve is defined by the equation $y^2 = x^3 + x + 1 \pmod{23}$ (taken from [23]).

The example depicted in Fig. 2 has $a = 1$ and $b = 1$, so that $4a^3 + 27b^2 \bmod 23 = 31 \bmod 23 = 8 \neq 0$. Thus the elliptic group $E_{23}(1, 1)$ consists of the points shown in Table 1, extracted from [23].

An addition operation is defined over $E_p(a, b)$. For all points $P, Q \in E_p(a, b)$, the rules for addition over $E_p(a, b)$ are as follows:

1. $P + O = P$, where $O$ serves as the additive identity.

2. If $P = (x_p, y_p)$, then $P + (x_p, -y_p) = O$. The point $(x_p, -y_p)$ is the negative of $P$, denoted $-P$. For example, in $E_{23}(1, 1)$, for $P = (6, 4)$ we have $-P = (6, -4)$. Since $-4 \bmod 23 = 19$, $-P = (6, 19)$, which is also a point of $E_{23}(1, 1)$.

3. If $P = (x_p, y_p)$ and $Q = (x_q, y_q)$ with $P \neq -Q$, then $R = P + Q = (x_r, y_r)$ lies on $E_p(a, b)$ and is determined by the following rules:

$$
x_r = (\lambda^2 - x_p - x_q) \bmod p
$$
$$
y_r = (\lambda (x_p - x_r) - y_p) \bmod p
$$

where $\lambda$ is given by

$$
\lambda =
\begin{cases}
\dfrac{y_q - y_p}{x_q - x_p} \bmod p, & \text{if } P \neq Q \\[2ex]
\dfrac{3x_p^2 + a}{2y_p} \bmod p, & \text{if } P = Q
\end{cases}
$$

4. Multiplication by an integer is defined by repeated addition; for example, $2P = P + P$.


Example. Let $P = (6, 4)$ and $Q = (7, 11)$ in $E_{23}(1, 1)$. Since $P \neq Q$, we first derive $\lambda$ before calculating $P + Q$:

$$
\lambda = \frac{11 - 4}{7 - 6} \bmod 23 = 7
$$

With $\lambda = 7$, $x_r$ and $y_r$ follow, giving $P + Q = (13, 16)$:

$$
x_r = (7^2 - 6 - 7) \bmod 23 = 36 \bmod 23 = 13
$$
$$
y_r = (7(6 - 13) - 4) \bmod 23 = -53 \bmod 23 = 16
$$

To calculate $2P$, we first derive $\lambda$ as follows:

$$
\lambda = \frac{3 \cdot 6^2 + 1}{2 \cdot 4} \bmod 23 = \frac{109}{8} \bmod 23 = 5
$$

(since $109 \equiv 17$ and $8^{-1} \equiv 3 \pmod{23}$). With $\lambda = 5$, $x_r$ and $y_r$ follow, giving $2P = (13, 7)$:

$$
x_r = (5^2 - 6 - 6) \bmod 23 = 13 \bmod 23 = 13
$$
$$
y_r = (5(6 - 13) - 4) \bmod 23 = -39 \bmod 23 = 7
$$

Point addition in ECC is the counterpart of modular multiplication in RSA, and scalar multiplication in ECC is the counterpart of modular exponentiation in RSA. A hard problem is essential for building a cryptosystem from elliptic curves over $Z_p$. Consider the equation $Q = kP$, where $Q, P \in E_p(a, b)$ and $k < p$. Given $k$ and $P$, it is relatively easy to calculate $Q$; but given $Q$ and $P$, it is hard to determine $k$. This is called the elliptic curve discrete logarithm problem (ECDLP) [1,16,23].

In an example taken from [23], let $E_{23}(9, 17)$ be the elliptic curve defined by $y^2 = x^3 + 9x + 17 \pmod{23}$, and find the discrete logarithm $k$ of $Q = (4, 5)$ to the base $P = (16, 5)$. One solution is the brute-force method, in which multiples of $P$ are computed until $Q$ is found: $P = (16, 5)$, $2P = (20, 20)$, $3P = (14, 14)$, $4P = (19, 20)$, $5P = (13, 10)$, $6P = (7, 3)$, $7P = (8, 7)$, $8P = (12, 17)$, $9P = (4, 5)$.

Because $9P = (4, 5) = Q$, the discrete logarithm of $Q$ to the base $P$ is $k = 9$. In a real implementation the brute-force method is infeasible, since $p$ and $k$ are far too large for it to be viable.

The efficiency of ECC therefore depends on fast calculation of $Q = kP$ for a number $k$ and a point $P$ on the curve. Each elliptic curve point addition requires only a few modular operations. As shown in [23], ECC can use a prime $p$ much smaller than the moduli of other systems, which gives ECC a significant efficiency advantage over both integer factorization and discrete logarithm systems.

3.2. Relationship building phase

First, establish the Central Authority, which specializes in system and member maintenance. In this phase, CA builds the hierarchical structure for access control according to the relationships between the nodes. Suppose there are $n$ members, which together form the set $U = \{SC_1, SC_2, \ldots, SC_n\}$. Let $SC_i$ be a security class with higher clearance and $SC_j$ a security class with lower clearance. If there is a legitimate relationship between $SC_i$ and $SC_j$ such that $SC_i$ can access $SC_j$, this relationship is written $(SC_i, SC_j) \in R_{i,j}$.

Table 1
Points over the elliptic curve $E_{23}(1, 1)$: the 27 affine solutions of $y^2 = x^3 + x + 1 \pmod{23}$ (the group also contains the point at infinity $O$)

(0, 1)    (0, 22)   (1, 7)    (1, 16)   (3, 10)   (3, 13)   (4, 0)    (5, 4)    (5, 19)
(6, 4)    (6, 19)   (7, 11)   (7, 12)   (9, 7)    (9, 16)   (11, 3)   (11, 20)  (12, 4)
(12, 19)  (13, 7)   (13, 16)  (17, 3)   (17, 20)  (18, 3)   (18, 20)  (19, 5)   (19, 18)


3.3. Key generation phase

To complete the key generation phase, CA executes the algorithm below.

Step 1: randomly select a large prime $p$
Step 2: select an elliptic curve $E$ defined over $Z_p$ whose order lies in the interval $[p + 1 - 2\sqrt{p},\ p + 1 + 2\sqrt{p}]$
Step 3: select a one-way function $h(x)$ that transforms a point into a number, and a base point $G_j \in E(Z_p)$ for each $j = 1, \ldots, n$
Step 4: select a secret key $sk_j$ and a sub-secret key $s_j$ for each $SC_j$, $j = 1, \ldots, n$
Step 5: for all $\{SC_i \mid (SC_i, SC_j) \in R_{i,j}\}$
            determine $s_i G_j = (x_{j,i}, y_{j,i})$
            determine $h(x_{j,i} \| y_{j,i})$ using the one-way hash function, where $\|$ is the bit concatenation operator
        end for
Step 6: determine the public polynomial $f_j(x)$ from the values $h(x_{j,i} \| y_{j,i})$ as follows

$$
f_j(x) = \prod_{SC_i \succeq SC_j} \bigl[x - h(x_{j,i} \| y_{j,i})\bigr] + sk_j \pmod p
$$

Step 7: send $sk_j$ and $s_j$ to the security class $SC_j$ via a secret channel, and announce $p$, $h(x)$, $G_j$, and $f_j(x)$

Example. As shown in Fig. 1, the user set has six security classes, $U = \{SC_1, SC_2, SC_3, SC_4, SC_5, SC_6\}$. CA determines the public polynomial $f_j(x)$ of each security class from

$$
f_j(x) = \prod_{SC_i \succeq SC_j} \bigl[x - h(x_{j,i} \| y_{j,i})\bigr] + sk_j \pmod p
$$

and each security class can then derive the secret keys of its successors. The polynomials are:

$SC_1$: $f_1(x) = [x - h(x_{1,0} \| y_{1,0})] + sk_1 \pmod p$, where $s_0$ is a sub-secret key held by CA

$SC_2$: $f_2(x) = [x - h(x_{2,1} \| y_{2,1})] + sk_2 \pmod p$

$SC_3$: $f_3(x) = [x - h(x_{3,1} \| y_{3,1})] + sk_3 \pmod p$

$SC_4$: $f_4(x) = [x - h(x_{4,1} \| y_{4,1})][x - h(x_{4,2} \| y_{4,2})] + sk_4 \pmod p$

$SC_5$: $f_5(x) = [x - h(x_{5,1} \| y_{5,1})][x - h(x_{5,2} \| y_{5,2})][x - h(x_{5,3} \| y_{5,3})] + sk_5 \pmod p$

$SC_6$: $f_6(x) = [x - h(x_{6,1} \| y_{6,1})][x - h(x_{6,3} \| y_{6,3})] + sk_6 \pmod p$

3.4. Key derivation phase

For the relationship $(SC_i, SC_j) \in R_{i,j}$ between $SC_i$ and $SC_j$, the predecessor $SC_i$ calculates the secret key $sk_j$ of each successor $SC_j$ as follows:

Step 1: for $\{SC_i \mid (SC_i, SC_j) \in R_{i,j}\}$
            determine $s_i G_j = (x_{j,i}, y_{j,i})$ from its own sub-secret key $s_i$ and the public base point $G_j$
            determine $h(x_{j,i} \| y_{j,i})$ using the one-way hash function, where $\|$ is the bit concatenation operator
        end for
Step 2: determine $sk_j$ by evaluating the public polynomial at $h(x_{j,i} \| y_{j,i})$:

$$
sk_j = f_j\bigl(h(x_{j,i} \| y_{j,i})\bigr) \pmod p, \qquad f_j(x) = \prod_{SC_i \succeq SC_j} \bigl[x - h(x_{j,i} \| y_{j,i})\bigr] + sk_j \pmod p
$$

Since $h(x_{j,i} \| y_{j,i})$ is a root of $f_j(x) - sk_j$, the product vanishes at that point and only $sk_j$ remains. A class that is not a predecessor of $SC_j$ holds no root of $f_j(x) - sk_j$, and evaluating $f_j(x)$ at any other point yields a value unrelated to $sk_j$.
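The curve arithmetic of Section 3.1, the key generation of Section 3.3 and the key derivation of Section 3.4 can be traced end to end with the following Python program. It is an added example, not code from the paper or its authors: it implements the addition rules and double-and-add scalar multiplication over $E_p(a, b)$, checks them against the $E_{23}(1, 1)$ and $E_{23}(9, 17)$ values quoted above, and then plays the CA for the Fig. 1 hierarchy. The concrete hash $h$ (SHA-256 over the concatenated coordinates, reduced mod $p$), the modelling of the CA as "class 0" holding $s_0$, and the choice of a group generator as each $G_j$ are assumptions of the example; the paper fixes none of them.

```python
from functools import reduce
import hashlib
import secrets
O = None   # point at infinity of E_p(a, b): y^2 = x^3 + a x + b (mod p)

def ec_add(P, Q, a, p):
    """P + Q by the addition rules of Section 3.1 (affine coordinates)."""
    if P is O or Q is O:
        return Q if P is O else P
    (xp, yp), (xq, yq) = P, Q
    if xp == xq and (yp + yq) % p == 0:
        return O                                            # P + (-P) = O
    if P == Q:
        lam = (3 * xp * xp + a) * pow(2 * yp, -1, p) % p    # tangent slope
    else:
        lam = (yq - yp) * pow(xq - xp, -1, p) % p           # chord slope
    xr = (lam * lam - xp - xq) % p
    return (xr, (lam * (xp - xr) - yp) % p)

def ec_mul(k, P, a, p):
    """kP by double-and-add; the ECDLP is recovering k from (P, kP)."""
    R = O
    while k:
        if k & 1:
            R = ec_add(R, P, a, p)
        P, k = ec_add(P, P, a, p), k >> 1
    return R

def curve_points(a, b, p):   # all affine points; O(p^2) brute force, tiny p only
    return [(x, y) for x in range(p) for y in range(p) if (y * y - x ** 3 - a * x - b) % p == 0]

def ecdlp_bruteforce(P, Q, a, p):
    """Smallest k >= 1 with kP = Q, stepping through the multiples of P."""
    R, k = P, 1
    while R != Q:
        R, k = ec_add(R, P, a, p), k + 1
    return k

def h_point(pt, p):
    """h(x || y): SHA-256 of the big-endian coordinates, reduced mod p (example's own h)."""
    n = (p.bit_length() + 7) // 8
    d = hashlib.sha256(pt[0].to_bytes(n, "big") + pt[1].to_bytes(n, "big")).digest()
    return int.from_bytes(d, "big") % p

def poly_from_roots(roots, p):
    """Coefficients (constant term first) of prod (x - r) over Z_p."""
    coeffs = [1]
    for r in roots:
        nxt = [0] * (len(coeffs) + 1)
        for i, c in enumerate(coeffs):
            nxt[i + 1] = (nxt[i + 1] + c) % p
            nxt[i] = (nxt[i] - r * c) % p
        coeffs = nxt
    return coeffs

def poly_eval(coeffs, x, p):                                # Horner's rule over Z_p
    return reduce(lambda acc, c: (acc * x + c) % p, reversed(coeffs), 0)

class CentralAuthority:
    """CA of Sections 3.2-3.3. preds[j] holds ALL i with SC_i >= SC_j (f_j has one factor
    per predecessor, not only immediate ones); index 0 is the CA, whose s_0 roots f_1."""
    def __init__(self, a, b, p, preds):
        self.a, self.p, self.preds = a, p, preds
        self.points = curve_points(a, b, p)
        self.n = len(self.points) + 1                      # group order, counting O
        self.sk, self.s, self.G, self.f = {}, {}, {}, {}
        self.s[0] = secrets.randbelow(self.n - 1) + 1
        for j in preds:
            self.sk[j] = secrets.randbelow(p)
            self.s[j] = secrets.randbelow(self.n - 1) + 1  # 0 < s_j < n, so s_j G != O
            self.G[j] = self.base_point()
            self.publish(j)
    def base_point(self):
        """A generator of the group (E_23(1,1) is cyclic of order 28), so s_i G_j != O."""
        while True:
            G = secrets.choice(self.points)
            if ecdlp_bruteforce(G, O, self.a, self.p) == self.n:
                return G
    def publish(self, j):
        """Steps 5-7: announce f_j(x) = prod_{SC_i >= SC_j} (x - h(s_i G_j)) + sk_j (mod p),
        expanded: the factored form would leak the roots. Section 4's updates re-run this."""
        roots = [h_point(ec_mul(self.s[i], self.G[j], self.a, self.p), self.p)
                 for i in sorted(self.preds[j])]
        self.f[j] = coeffs = poly_from_roots(roots, self.p)
        coeffs[0] = (coeffs[0] + self.sk[j]) % self.p
        return coeffs

def derive_key(s_i, G_j, f_j, a, p):
    """Section 3.4: evaluate the public f_j at h(s_i G_j); SC_i's own factor vanishes."""
    return poly_eval(f_j, h_point(ec_mul(s_i, G_j, a, p), p), p)

FIG1_PREDS = {1: {0}, 2: {1}, 3: {1}, 4: {1, 2}, 5: {1, 2, 3}, 6: {1, 3}}  # Fig. 1, from f_1..f_6

def demo(a=1, b=1, p=23):
    """Set up Fig. 1 on E_23(1, 1) and check that every authorized derivation yields sk_j."""
    ca = CentralAuthority(a, b, p, {j: set(v) for j, v in FIG1_PREDS.items()})
    return all(derive_key(ca.s[i], ca.G[j], ca.f[j], a, p) == ca.sk[j]
               for j, ps in ca.preds.items() for i in ps)
```

Running `demo()` returns `True`: every predecessor recovers $sk_j$ exactly, because its hash value is a root of $f_j(x) - sk_j$. Two points matter in practice. The CA must announce $f_j(x)$ in expanded coefficient form, as `publish` does; the factored form written in Section 3.3 is notation only, since its factors are exactly the roots an attacker would otherwise need to solve the ECDLP to find. And the toy prime $p = 23$ is only for following the algebra: with so few field elements, an unauthorized class that evaluates $f_j(x)$ at its own hash value lands on $sk_j$ by chance with probability about $m/p$ for a degree-$m$ polynomial, whereas the 300-bit $p$ of Section 6 makes that negligible. The updates of Section 4 (inserting or removing a class, creating or revoking a relationship, changing a key) reduce to editing `preds`, drawing fresh $sk_j$ and $G_j$ for the classes that must lose access, and calling `publish` again for them.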


4. Solution to key management of dynamic access problems

After establishing the protocol to generate and derive keys in a hierarchy, the solutions to the dynamic key management problems, namely inserting a new security class, removing an existing security class, creating a new relationship, revoking an existing relationship, and changing secret keys, are given below.

4.1. Inserting new security classes

Assume that a new security class $SC_k$ is inserted into the hierarchy such that $SC_i \succeq SC_k \succeq SC_j$; the relationship $SC_i \succeq SC_k$ is written $(SC_i, SC_k) \in R_{i,k}$, and the relationship $SC_k \succeq SC_j$ is written $(SC_k, SC_j) \in R_{k,j}$. CA follows the procedure below to set the access privileges of $SC_k$ in the hierarchy.

Step 1: update the partial-order relationship $R$ that results when $SC_k$ joins the hierarchy
Step 2: randomly select $sk_k$, $s_k$, and $G_k$
Step 3: for all $\{SC_i \mid (SC_i, SC_k) \in R_{i,k}\}$, i.e., all $SC_i \succeq SC_k$ after the insertion of $SC_k$
            determine $s_i G_k = (x_{k,i}, y_{k,i})$
            determine $h(x_{k,i} \| y_{k,i})$ using the one-way hash function, where $\|$ is the bit concatenation operator
        end for
Step 4: determine the public polynomial $f_k(x)$ from the values $h(x_{k,i} \| y_{k,i})$ as follows

$$
f_k(x) = \prod_{SC_i \succeq SC_k} \bigl[x - h(x_{k,i} \| y_{k,i})\bigr] + sk_k \pmod p
$$

Step 5: for all $\{SC_i \mid (SC_i, SC_k) \in R_{i,k}\}$ and $\{SC_k \mid (SC_k, SC_j) \in R_{k,j}\}$ that satisfy $SC_i \succeq SC_k \succeq SC_j$
            determine $s_k G_j = (x_{j,k}, y_{j,k})$
            determine $s_i G_j = (x_{j,i}, y_{j,i})$
            determine $h(x_{j,k} \| y_{j,k})$ and $h(x_{j,i} \| y_{j,i})$ using the one-way hash function, where $\|$ is the bit concatenation operator
        end for
Step 6: determine the public polynomial $f'_j(x)$ from $h(x_{j,k} \| y_{j,k})$ and $h(x_{j,i} \| y_{j,i})$ as follows

$$
f'_j(x) = \prod_{SC_i \succeq SC_k \succeq SC_j} \bigl[x - h(x_{j,i} \| y_{j,i})\bigr]\bigl[x - h(x_{j,k} \| y_{j,k})\bigr] + sk_j \pmod p
$$

Step 7: replace $f_j(x)$ with $f'_j(x)$
Step 8: send $sk_k$ and $s_k$ to $SC_k$ via a secret channel, and announce $G_k$, $f_k(x)$ and $f'_j(x)$

Example. In Fig. 3, a new security class $SC_7$ is inserted into the user hierarchy such that $SC_1 \succeq SC_7 \succeq SC_6$. For $SC_7$, CA randomly selects $sk_7$, $s_7$, and $G_7$. Since $SC_7$ is assigned as a successor of $SC_1$ and as a predecessor of $SC_6$, CA constructs the public polynomial $f_7(x)$ and replaces the public polynomial $f_6(x)$ with $f'_6(x)$. CA first calculates $h(x_{7,1} \| y_{7,1})$ with the help of the sub-secret key $s_1$ to construct $f_7(x)$; it then determines $h(x_{6,7} \| y_{6,7})$ using the sub-secret key $s_7$ to derive $f'_6(x)$. Finally, CA transmits $sk_7$ and $s_7$ to $SC_7$ via a secret channel and announces $G_7$, $f_7(x)$, and $f'_6(x)$.


Before $SC_7$ joins the hierarchy, the public polynomial $f_6(x)$ is:

$$
f_6(x) = [x - h(x_{6,1} \| y_{6,1})][x - h(x_{6,3} \| y_{6,3})] + sk_6 \pmod p
$$

After $SC_7$ joins the hierarchy, the public polynomials $f'_6(x)$ and $f_7(x)$ are:

$$
f'_6(x) = [x - h(x_{6,1} \| y_{6,1})][x - h(x_{6,3} \| y_{6,3})][x - h(x_{6,7} \| y_{6,7})] + sk_6 \pmod p
$$
$$
f_7(x) = [x - h(x_{7,1} \| y_{7,1})] + sk_7 \pmod p
$$

4.2. Removing existing security classes

Assume that an existing member $SC_k$ is to be removed from the user hierarchy, so that the relationship $SC_i \succeq SC_k \succeq SC_j$ breaks up. CA not only revokes the information related to $SC_k$, but also alters the access relationship between the ex-predecessor $SC_i$ and the ex-successor $SC_j$ of $SC_k$. In particular, to preserve the forward security of $SC_j$, CA must renew the secret key $sk_j$ as $sk'_j$, the base point $G_j$ as $G'_j$, and the public polynomial $f_j(x)$ as $f'_j(x)$, as follows:

Step 1: update the partial-order relationship $R$ that results when $SC_k$ is removed
Step 2: for all $\{SC_k \mid (SC_k, SC_j) \in R_{k,j}\}$
            renew the secret key $sk_j$ as $sk'_j$ and the base point $G_j$ as $G'_j$ of $SC_j$
            for all $\{SC_i \mid (SC_i, SC_j) \in R_{i,j}\}$ that remain after removing $SC_k$
                determine $s_i G'_j = (x_{j,i}, y_{j,i})$
                determine $h(x_{j,i} \| y_{j,i})$ using the one-way hash function, where $\|$ is the bit concatenation operator
            end for
            determine the public polynomial $f'_j(x)$ as follows

$$
f'_j(x) = \prod_{SC_i \succeq SC_j} \bigl[x - h(x_{j,i} \| y_{j,i})\bigr] + sk'_j \pmod p
$$

            replace $f_j(x)$ with $f'_j(x)$
        end for
Step 3: send $sk'_j$ to $SC_j$ via a secret channel, and announce $G'_j$ and $f'_j(x)$

Example. Consider Fig. 4, and let $SC_3$ be removed from the poset, so that the relationships $SC_1 \succeq SC_3 \succeq SC_5$ and $SC_1 \succeq SC_3 \succeq SC_6$ break up. To revoke the accessibility of $SC_3$, CA removes all parameters related to $SC_3$ and updates the relationships among the predecessors and successors on the connected paths, such as $SC_1$ and $SC_6$. To ensure the forward security of the successor $SC_6$, CA renews the secret key $sk_6$ as $sk'_6$ and the base point $G_6$ as $G'_6$. CA then identifies all predecessors of $SC_6$, namely $SC_1$ in Fig. 4, determines $h(x_{6,1} \| y_{6,1})$ using the sub-secret key $s_1$ and $G'_6$, and builds the new polynomial $f'_6(x)$. The same procedure is executed for the other successor on the connected path, namely $SC_5$. After completing all renewals, CA transmits $sk'_5$ to $SC_5$ and $sk'_6$ to $SC_6$ through a secret channel and announces $G'_5$, $G'_6$, $f'_5(x)$, and $f'_6(x)$.


Before deleting $SC_3$, $f_5(x)$ and $f_6(x)$ are:

$$
f_5(x) = [x - h(x_{5,1} \| y_{5,1})][x - h(x_{5,2} \| y_{5,2})][x - h(x_{5,3} \| y_{5,3})] + sk_5 \pmod p
$$
$$
f_6(x) = [x - h(x_{6,1} \| y_{6,1})][x - h(x_{6,3} \| y_{6,3})] + sk_6 \pmod p
$$

After deleting $SC_3$, $f'_5(x)$ and $f'_6(x)$ are (with the hash values recomputed from the new base points $G'_5$ and $G'_6$):

$$
f'_5(x) = [x - h(x_{5,1} \| y_{5,1})][x - h(x_{5,2} \| y_{5,2})] + sk'_5 \pmod p
$$
$$
f'_6(x) = [x - h(x_{6,1} \| y_{6,1})] + sk'_6 \pmod p
$$

4.3. Creating new relationships

The relationships among members of an organization may change. For instance, a new relationship $SC_k \succeq SC_l$ might be added such that $SC_i \succeq SC_k \succeq SC_l \succeq SC_j$. Notably, the relationship between $SC_k$ and $SC_l$ is immediate. CA performs the following procedure to link $SC_l$ with its new predecessors ($SC_k$, $SC_i$) and $SC_j$ with its new predecessors ($SC_l$, $SC_k$, $SC_i$).

Step 1: save the partial-order relationship $SC_i \succeq SC_k \succeq SC_l \succeq SC_j$ formed by the creation of $SC_k \succeq SC_l$
Step 2: for all $SC_i \succeq SC_l$
            if $(SC_i, SC_l) \in R_{i,l}$ holds only because $SC_k \succeq SC_l$ was created, i.e., through $SC_i \succeq SC_k \succeq SC_l \succeq SC_j$
                determine $s_i G_l = (x_{l,i}, y_{l,i})$
                determine $s_k G_l = (x_{l,k}, y_{l,k})$
                determine $h(x_{l,i} \| y_{l,i})$ and $h(x_{l,k} \| y_{l,k})$ using the one-way hash function, where $\|$ is the bit concatenation operator
            end if
        end for
Step 3: determine the public polynomial $f_l(x)$ as follows

$$
f_l(x) = \prod_{SC_i \succeq SC_l} \bigl[x - h(x_{l,i} \| y_{l,i})\bigr]\bigl[x - h(x_{l,k} \| y_{l,k})\bigr] + sk_l \pmod p
$$

Step 4: for all $SC_i \succeq SC_j$
            if $(SC_i, SC_j) \in R_{i,j}$ holds only because $SC_k \succeq SC_l$ was created, i.e., through $SC_i \succeq SC_k \succeq SC_l \succeq SC_j$
                for all $\{SC_i \mid (SC_i, SC_j) \in R_{i,j}\}$
                    determine $s_i G_j = (x_{j,i}, y_{j,i})$
                    determine $s_k G_j = (x_{j,k}, y_{j,k})$
                    determine $s_l G_j = (x_{j,l}, y_{j,l})$
                    determine $h(x_{j,i} \| y_{j,i})$, $h(x_{j,k} \| y_{j,k})$, and $h(x_{j,l} \| y_{j,l})$, where $\|$ is the bit concatenation operator
                end for
            end if
        end for
Step 5: determine the public polynomial $f'_j(x)$ as follows

$$
f'_j(x) = \prod_{SC_i \succeq SC_j} \bigl[x - h(x_{j,i} \| y_{j,i})\bigr]\bigl[x - h(x_{j,k} \| y_{j,k})\bigr]\bigl[x - h(x_{j,l} \| y_{j,l})\bigr] + sk_j \pmod p
$$

Step 6: replace $f_j(x)$ with $f'_j(x)$
Step 7: announce $f_l(x)$ and $f'_j(x)$

Example. Fig. 5 displays the creation of a relationship between $SC_5$ and $SC_6$ such that $SC_2 \succeq SC_5 \succeq SC_6$, making $SC_5$ a new predecessor of $SC_6$ (and $SC_2$, already a predecessor of $SC_5$, a new predecessor of $SC_6$ as well). To authorize $SC_5$ to access $SC_6$, CA calculates $h(x_{6,5} \| y_{6,5})$ with $s_5$ and $h(x_{6,2} \| y_{6,2})$ with $s_2$, and rebuilds the public polynomial of $SC_6$ from these together with the previously obtained $h(x_{6,1} \| y_{6,1})$ and $h(x_{6,3} \| y_{6,3})$. No class loses access, so $sk_6$ and $G_6$ need not be renewed.

Before creating the relationship $SC_2 \succeq SC_5 \succeq SC_6$, $f_6(x)$ is:

$$
f_6(x) = [x - h(x_{6,1} \| y_{6,1})][x - h(x_{6,3} \| y_{6,3})] + sk_6 \pmod p
$$

After creating the relationship $SC_2 \succeq SC_5 \succeq SC_6$, $f'_6(x)$ is:

$$
f'_6(x) = [x - h(x_{6,1} \| y_{6,1})][x - h(x_{6,3} \| y_{6,3})][x - h(x_{6,2} \| y_{6,2})][x - h(x_{6,5} \| y_{6,5})] + sk_6 \pmod p
$$

4.4. Revoking existing relationships

Consider the case of revoking an existing relationship $(SC_k, SC_l) \in R_{k,l}$. In addition to deleting the relationship, CA must remove the accessibility of $SC_k$ over $SC_l$ to preserve the forward security of the ex-successor $SC_l$. Restated, CA renews the secret key $sk_l$ as $sk'_l$, the base point $G_l$ as $G'_l$, and $f_l(x)$ as $f'_l(x)$ of $SC_l$. CA follows the procedure below to revoke an existing relationship.

Step 1: revoke the partial-order relationship $R$ affected by the deletion of $(SC_k, SC_l) \in R_{k,l}$
Step 2: renew the secret key $sk_l$ as $sk'_l$ and the base point $G_l$ as $G'_l$ of $SC_l$
Step 3: for all $\{SC_i \mid (SC_i, SC_l) \in R_{i,l}\}$ that still hold after revoking $(SC_k, SC_l) \in R_{k,l}$
            determine $s_i G'_l = (x_{l,i}, y_{l,i})$
            determine $h(x_{l,i} \| y_{l,i})$ using the one-way hash function, where $\|$ is the bit concatenation operator
        end for
Step 4: determine the public polynomial $f'_l(x)$ from the values $h(x_{l,i} \| y_{l,i})$ as follows

$$
f'_l(x) = \prod_{SC_i \succeq SC_l} \bigl[x - h(x_{l,i} \| y_{l,i})\bigr] + sk'_l \pmod p
$$

Step 5: for all $\{SC_k \mid (SC_k, SC_j) \in R_{k,j}\}$
            if $(SC_k, SC_j) \in R_{k,j}$ no longer holds after revoking $(SC_k, SC_l) \in R_{k,l}$
                renew the secret key $sk_j$ as $sk'_j$ and the base point $G_j$ as $G'_j$ of $SC_j$
                for all $\{SC_i \mid (SC_i, SC_j) \in R_{i,j}\}$
                    determine $s_i G'_j = (x_{j,i}, y_{j,i})$
                    determine $s_l G'_j = (x_{j,l}, y_{j,l})$
                    determine $h(x_{j,i} \| y_{j,i})$ and $h(x_{j,l} \| y_{j,l})$, where $\|$ is the bit concatenation operator
                end for
                renew the public polynomial $f'_j(x)$ as follows

$$
f'_j(x) = \prod_{SC_i \succeq SC_j} \bigl[x - h(x_{j,i} \| y_{j,i})\bigr]\bigl[x - h(x_{j,l} \| y_{j,l})\bigr] + sk'_j \pmod p
$$

            end if
        end for
Step 6: send $sk'_l$ to $SC_l$ and $sk'_j$ to $SC_j$ via a secret channel, and announce $f'_l(x)$, $f'_j(x)$, $G'_l$, and $G'_j$

Example. Consider revoking the relationship $(SC_2, SC_5) \in R_{2,5}$ in Fig. 6, so that afterwards $(SC_2, SC_5) \notin R_{2,5}$.

Because $(SC_2, SC_5) \in R_{2,5}$ no longer holds, CA renews the secret key $sk_5$ as $sk'_5$, the base point $G_5$ as $G'_5$, and the public polynomial $f_5(x)$ as $f'_5(x)$ of $SC_5$.

Before revoking $(SC_2, SC_5) \in R_{2,5}$, $f_5(x)$ is:

$$
f_5(x) = [x - h(x_{5,1} \| y_{5,1})][x - h(x_{5,2} \| y_{5,2})][x - h(x_{5,3} \| y_{5,3})] + sk_5 \pmod p
$$

After revoking $(SC_2, SC_5) \in R_{2,5}$, $f_5(x)$ is replaced with $f'_5(x)$ (hash values recomputed from $G'_5$):

$$
f'_5(x) = [x - h(x_{5,1} \| y_{5,1})][x - h(x_{5,3} \| y_{5,3})] + sk'_5 \pmod p
$$

4.5. Changing secret keys

A secret key must be changeable to maximize security. To change a secret key $sk_j$ to $sk'_j$, CA must also replace the base point $G_j$ with $G'_j$ and the public polynomial $f_j(x)$ with $f'_j(x)$, as follows:

Step 1: replace the secret key $sk_j$ with $sk'_j$ and the base point $G_j$ with $G'_j$
Step 2: for all $\{SC_i \mid (SC_i, SC_j) \in R_{i,j}\}$
            determine $s_i G'_j = (x_{j,i}, y_{j,i})$
            determine $h(x_{j,i} \| y_{j,i})$, where $\|$ is the bit concatenation operator
        end for
Step 3: determine the public polynomial $f'_j(x)$ as follows

$$
f'_j(x) = \prod_{SC_i \succeq SC_j} \bigl[x - h(x_{j,i} \| y_{j,i})\bigr] + sk'_j \pmod p
$$

Step 4: replace $f_j(x)$ with $f'_j(x)$
Step 5: send $sk'_j$ to $SC_j$ via a secret channel, and announce $G'_j$ and $f'_j(x)$

5. Discussion of security

This section addresses the possible types of attacks. Security tolerance of the proposed model in response to the various attacks is discussed in the following subsections.

5.1. Contrary attack

The first potential attack comes from a successor who wishes to obtain the secret key of an immediate or more distant predecessor from the public parameters and his own secret key. That is, can a successor $SC_j$ compute the predecessor's secret key $sk_i$ from the public polynomial $f_i(x)$ and the hash values $h(x_{j,i} \| y_{j,i})$ it legitimately knows? Evaluating $f_i(x)$ at a root of $f_i(x) - sk_i$ requires $h(x_{i,l} \| y_{i,l}) = h(s_l G_i)$ for some predecessor $SC_l$ of $SC_i$, i.e., the sub-secret key $s_l$, which the successor does not hold. Since both the elliptic curve cryptosystem and the one-way hash function resist brute-force attack at a reasonable level of computational security, an unauthorized successor cannot obtain the secret key even after years of attempting. Hence the proposed scheme is secure against such an attack.


5.2. Exterior collecting attack

The second potential attack comes from an outsider. Can an intruder generate the secret key of a lower security class from the accessible public parameters alone? Besides breaking the elliptic curve cryptosystem and the one-way hash function, the intruder would have to mount a ciphertext-only attack on the asymmetric cryptosystem, which is much harder than a known-plaintext attack on it. Therefore the proposed model resists intrusion from outsiders.

5.3. Collaborative attack

The collaborative attack is one in which several users collaborate to launch the attack. Suppose $SC_j$ and $SC_k$ are immediate successors of $SC_i$; their relationships are $(SC_i, SC_j) \in R_{i,j}$ and $(SC_i, SC_k) \in R_{i,k}$, as shown in Fig. 7.

When $SC_j$ and $SC_k$ collaborate to obtain the secret key $sk_i$ of $SC_i$, they first exchange their secret keys with each other and then try to derive the sub-secret key $s_i$ of $SC_i$ from $f_j(x)$ and $f_k(x)$:

$$
f_j(x) = \prod_{SC_i \succeq SC_j} \bigl[x - h(x_{j,i} \| y_{j,i})\bigr] + sk_j \pmod p
$$
$$
f_k(x) = \prod_{SC_i \succeq SC_k} \bigl[x - h(x_{k,i} \| y_{k,i})\bigr] + sk_k \pmod p
$$

However, $s_i$ enters these polynomials only through $h(x_{j,i} \| y_{j,i}) = h(s_i G_j)$ and $h(x_{k,i} \| y_{k,i}) = h(s_i G_k)$, so it is protected by the one-way hash function, which is irreversible, and by the ECDLP, which is computationally infeasible. The attackers therefore cannot invert the procedure to derive $s_i$.

5.4. Equation attack

This is a type of attack in which a member uses a common successor to try to obtain the secret of another member with which it has no access relationship, as shown in Fig. 8. For the relationships $SC_i \succeq SC_j$ and $SC_k \succeq SC_j$, $SC_i$ may try to obtain the sub-secret key $s_k$ of $SC_k$ through $f_j(x)$.

Taking Fig. 1 as an example, with the relationships $SC_2 \succeq SC_5$ and $SC_3 \succeq SC_5$, $SC_2$ may attempt to obtain $s_3$ through their common successor $SC_5$. Using $s_1 G_5 = (x_{5,1}, y_{5,1})$, $s_2 G_5 = (x_{5,2}, y_{5,2})$, and $s_3 G_5 = (x_{5,3}, y_{5,3})$, $f_5(x)$ is formed as follows:

$$
f_5(x) = [x - h(x_{5,1} \| y_{5,1})][x - h(x_{5,2} \| y_{5,2})][x - h(x_{5,3} \| y_{5,3})] + sk_5 \pmod p
$$
$$
f_5(x) - sk_5 = [x - h(x_{5,1} \| y_{5,1})][x - h(x_{5,2} \| y_{5,2})][x - h(x_{5,3} \| y_{5,3})] \pmod p
$$
$$
x - h(x_{5,3} \| y_{5,3}) = \frac{f_5(x) - sk_5}{[x - h(x_{5,1} \| y_{5,1})][x - h(x_{5,2} \| y_{5,2})]} \pmod p
$$

Let $x = 0$; then

$$
h(x_{5,3} \| y_{5,3}) = \frac{sk_5 - f_5(0)}{h(x_{5,1} \| y_{5,1})\, h(x_{5,2} \| y_{5,2})} \pmod p
$$

Note that the hash value itself is not what protects $s_3$: $SC_2$ legitimately holds $sk_5$, and any holder of $sk_5$ can recover all roots of $f_5(x) - sk_5$ by polynomial root finding over $Z_p$. Obtaining $s_3$ from $f_5(x)$ nevertheless requires inverting the one-way hash function and solving the ECDLP for $s_3$ given $s_3 G_5$, which provides reasonable computational security.

5.5. Forward security of the successors while changing $SC_i \succeq SC_k \succeq SC_j$ to $SC_i \succeq SC_j$

Modifying the relationship $SC_i \succeq SC_k \succeq SC_j$ to $SC_i \succeq SC_j$ annuls the access authority of $SC_k$ over $SC_j$, so the forward security of the existing security class $SC_j$ must be considered seriously. CA not only deletes the access link, but also updates the access link between $SC_i$ and $SC_j$: it replaces the secret key $sk_j$ with $sk'_j$ and the base point $G_j$ with $G'_j$, and computes the renewed public polynomial $f'_j(x)$, which no longer includes the factor $[x - h(x_{j,k} \| y_{j,k})]$. The authority of $SC_k$ over $SC_j$ is thus terminated, and because both the key and the base point are fresh, $SC_k$ cannot later determine the secret key $sk_j$ of $SC_j$ from the values it computed before.

6. Analysis of performance

Table 2analyzes the proposed approach in comparison to other methods in terms of the required

complex-ity for processing dynamic access control problems, in which Chang denotes the model in[6], Wu represents that in[14], and Hwang is that in[17]. The analysis inTable 2clearly reveals that the proposed method is more straightforward than the other ones, and also requires less storage space.

Table 2 shows functional comparisons between the presented scheme and other previously proposed ones.

In terms of storage size, both Hwang's and Wu's schemes require large storage space: the number and the length of the public parameters grow as the number of successors increases, so the required storage space grows with them. Chang's scheme is similar to the scheme proposed in this study: each class stores only one fixed public parameter. For the dynamic access control problem, all four schemes need only partially update information when inserting and deleting security classes, creating and revoking relationships, and changing secret keys.

On computational complexity, key generation and key derivation require executing elliptic curve addition operations, hash operations and the construction of interpolating polynomials. In terms of computational overheads, Vanstone [18] summarized that the key sizes and bandwidth required by ECC give an efficiency roughly an order of magnitude (about 10 times) higher than that of integer factorization systems and discrete logarithm systems. Besides, Stallings [23] estimated that a 4096-bit RSA key gives the same level of security as a 313-bit ECC key. That is, a prime p of 300 bits in Ep(a, b) is secure enough.

The storage required for the polynomials fi(x) is proportional to the number of successors a security class is assigned. The length of the prime p is 300 bits, and the coefficients of the polynomial are defined over p. Let m be the degree of fi(x); then the storage occupies about m⌈log p + 1⌉ bits. In integer factorization systems or discrete logarithm systems, the chosen prime should be of at least 100 decimal digits to provide sufficient security.

Fig. 8. Relationships potentially risking an equation attack.

Table 2
Performance analysis in terms of complexity for access control problems

Required complexity                   Chang            Wu               Hwang            The proposal
Key generation                        Exponential      Exponential      Factorization    ECC + hash + encryption
Key derivation                        Exponential      Exponential      Factorization    ECC + hash + decryption
Inserting/removing security classes   Partial update   Partial update   Partial update   Partial update
Creating/revoking relationships       Partial update   Partial update   Partial update   Partial update
Changing secret keys                  Partial update   Partial update   Partial update   Partial update
Storage for public parameters         Fixed and small  Large            Large            Fixed and small

As to constructing an interpolating polynomial, Knuth [8] completed it with a computation time of O(m(log m)^2). The overall computational complexity of establishing and updating the polynomials is O(n·m(log m)^2), where n is the number of security classes in the hierarchy.

7. Conclusions

The proposed key management method for controlling dynamic access problems is a simple and efficient solution for a hierarchical organization. It allows members' access to data to be classified according to their ranks. Members in a higher-ranked security class can directly derive the secret keys of members in lower-ranked classes, but not vice versa. The members can change their secret keys at will for security reasons, showing that the key generation and the public polynomial are flexible.

References

[1] A. Cilardo, L. Coppolino, N. Mazzocca, L. Romano, Elliptic curve cryptography engineering, Proceedings of the IEEE 94 (2) (2006) 395–406.

[2] A.D. Fernandes, Elliptic-curve cryptography, Dr. Dobb’s Journal (1999).

[3] A.D. Santis, A.L. Ferrara, B. Masucci, A new key assignment scheme for access control in a complete tree hierarchy, in: Proceeding of the International Workshop on Coding and Cryptography—WCC 2005, LNCS 3969, 2006, pp. 202–217.

[4] A.D. Santis, A.L. Ferrara, B. Masucci, Cryptographic key assignment schemes for any access control policy, Information Processing Letters 92 (4) (2004) 199–205, Nov.

[5] A.D. Santis, A.L. Ferrara, B. Masucci, Enforcing the security of a time-bound hierarchical key assignment scheme, Information Sciences 176 (12) (2006) 1684–1694, June.

[6] C.C. Chang, I.C. Lin, H.M. Tsai, H.H. Wang, A key assignment scheme for controlling access in partially ordered user hierarchies, in: Proceedings of the 18th IEEE International Conference on Advanced Information Networking and Applications (AINA2004), Fukuoka, Japan, vol. 2, March 2004, pp. 376–379.

[7] C.H. Lin, Dynamic key management schemes for access control in a hierarchy, Computer Communications 20 (15) (1997) 1381–1385.

[8] D.E. Knuth, The Art of Computer Programming, vol. 2: Seminumerical Algorithms, 3rd ed., Addison-Wesley, Reading, MA, 1998.

[9] F.G. Jeng, C.M. Wang, An efficient key-management scheme for hierarchical access control based on elliptic curve cryptosystem, Journal of Systems and Software 79 (8) (2006) 1161–1167, Oct.

[10] F.H. Kuo, V.R.L. Shen, T.S. Chen, F. Lai, Cryptographic key assignment scheme for dynamic access control in a user hierarchy, IEE Proceeding—Computers and Digital Techniques 146 (5) (1999) 235–240.

[11] Francisco Rodríguez-Henríquez, Doctoral Dissertation: New Algorithms and Architectures for Arithmetic in GF(2^m) Suitable for Elliptic Curve Cryptography, Oregon EUA, June 2000. Supervisor: Dr. Cetin K. Koc. Available from: <http://delta.cs.cinvestav.mx/~francisco/tesis.html>.

[12] H.M. Tsai, C.C. Chang, A cryptographic implementation for dynamic access control in a user hierarchy, Computers and Security 14 (2) (1995) 159–166.

[13] J.H. Yeh, R. Chow, R. Newman, Key assignment for enforcing access control policy exceptions in distributed systems, Information Sciences 152 (2003) 63–88.

[14] J. Wu, R. Wei, An access control scheme for partially ordered set hierarchy with provable security, in: Proceedings of SAC 2005, LNCS 3897, 2006, pp. 221–232.

[15] L. Harn, H.Y. Lin, A cryptographic key generation scheme for multilevel data security, Computers and Security 9 (6) (1990) 539–546.

[16] M.A. Strangio, Efficient Diffie-Hellmann two-party key agreement protocols based on elliptic curves, in: Proceedings of the 2005 ACM Symposium on Applied Computing, 2005, pp. 324–331.

[17] M.S. Hwang, W.P. Yang, Controlling access in large partially-ordered hierarchies using cryptographic keys, Journal of Systems and Software 67 (2) (2003) 99–107.

[18] S.A. Vanstone, Elliptic curve cryptosystem—The answer to strong, fast public-key cryptography for securing constrained environments, Information Security Technical Report 2 (2) (1997) 78–87.

[19] S.G. Akl, P.D. Taylor, Cryptographic solution to a problem of access control in a hierarchy, ACM Transactions on Computer Systems 1 (3) (1983) 239–248.

[20] S.J. MacKinnon, P.D. Taylor, H. Meijer, S.G. Akl, An optimal algorithm for assigning cryptographic keys to control access in a hierarchy, IEEE Transactions on Computers 34 (9) (1985) 797–802.

[21] V.R.L. Shen, T.S. Chen, A novel key management scheme based on discrete logarithms and polynomial interpolations, Computers and Security 21 (2) (2002) 164–171.

[22] V.R.L. Shen, T.S. Chen, F. Lai, Novel cryptographic key assignment scheme for dynamic access control in a hierarchy, IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences E80-A (10) (1997) 2035–2037.

Figure captions (from the paper's figure list)

Fig. 2. Example of elliptic curve in case of y^2 = x^3 + x + 1 (mod 23).
Fig. 3. The consequent poset after inserting SC7.
Fig. 4. The consequent poset after deleting SC3.
Fig. 5. The consequent poset after creating SC5 ≥ SC6.