A CRYPTOGRAPHIC KEY ASSIGNMENT SCHEME FOR IMPROVING THE INCORRECTNESS OF CHW SCHEME

全文

(1)A CRYPTOGRAPHIC KEY ASSIGNMENT SCHEME FOR IMPROVING THE INCORRECTNESS OF CHW SCHEME 1;¤. Jyh-Horng Wen; 1Jeng-Shin Sheu, 2 Yu-Fang Chung, and 2Tzer-Shyong Chen 1 Department of Electrical Engineering National Chung Cheng University, Chia-Yi, Taiwan 621, ROC E-mail: [email protected] 2 Department of Computer Science and Information Engineering Dayeh University, Taiwan, R.O.C. ¤ Correspondence addressee ABSTRACT. For a large number of security classes, the key generation algorithm of Akl-Taylor scheme [1] has been proved infeasible [5]. In order to improve the disadvantage of the Akl-Taylor scheme, a cryptographic key assignment scheme [4], called the CHW scheme based on the Newton interpolation method and a prede¯ ned one-way function, was presented. Compared with AklTaylor scheme, the storage required for the public parameters in CHW scheme is much smaller, and moreover the process in generating and deriving keys becomes simple and e± cient. However, two counter examples proposed recently in [6] show that the CHW scheme [4] is incorrect and its two modi¯ed versions [8] are insecure. In this paper, a scheme is presented not only to improve the incorrectness of CHW scheme, but also to enhance the ability of defending against attacks.. Based on the Newton interpolation method and a prede¯ ned one-way function, a cryptographic key assignment scheme, called the CHW scheme, in a user hierarchy was presented by Chang et al. in 1992 [4]. The CHW scheme solved the need of the dramatic storage in Akl-Taylor scheme [1]. However, two counter examples presented in [6] prove the incorrectness of CHW scheme, and further two modi¯ed versions of CHW scheme [8] are proven to be insecure as well. Owing to the above-mentioned problems, in this paper a simple scheme is proposed to solve the incorrectness and to enhance the security of CHW scheme.. 1. INTRODUCTION. 2. THE INCORRECTNESS AND WEAKNESS OF CHW SCHEME. In an information protection system, the security of access control is very important. There are many schemes [1-5], which have been proposed to discuss about the access control in a user hierarchy. A user hierarchy can be represented by a partial ly order set (poset). In such hierarchy, the users are divided into di® erent security classes named C1 ; C 2 ; : : : ; C n , where n is the number of nodes in the user hierarchy. Figure 1 shows an example of the poset in a user hierarchy. According to the partially order 5 , the relationship among the security classes is presented. For instance, Cj 5 C i means that the users in Ci have the authority to access the data in Cj , but the opposite is not allowed. Under such a relationship, Ci is called a predecessor of C j , and Cj a successor of C i. Moreover, if there does not exist any other security class Ck such that Cj 5 Ck 5 C i, then Cj is an immediate successor of C i and Ci is an immediate predecessor of C j . For simplicity, throughout this paper we use the abbreviations IS and IP to denote an immediate successor and an immediate predecessor, respectively.. In this section, a brief introduction to CHW scheme [4] is given, and its incorrectness and weakness are presented subsequently. For any security class Ci in a user hierarchy, both of his secret key SKi and his public-parameter pair (P 1 i; P 2i ) are generated and distributed by the central authority (CA). A large prime number P and a prede¯ned one-way function f are public to all security classes in the user hierarchy by CA. Throughout this paper, we suppose that a security class Ci has ki ISs, denoted by © i = fCi;j ; j = 1; 2; : : : ; kig, for which SK i; j and (P 1 i;j ; P 2 i;j ) denote the secret key and the pair of public parameters for the jth IS Ci;j ; j = 1; 2; : : :,ki, respectively. According to the concept of Newton interpolation method [9], CA can construct an interpolating polynomial for each security class C i in a user hierarchy, denoted as Hi (x) of degree ki, over the Galois ¯eld GF(P ) by interpolating the following ki +1 points: (0; SKi) and the ki publicparameter pairs (P 1 i;j ; P 2 i;j ), j = 1; 2; : : :,ki . Then the secret key SKi;j for the jth IS C i;j of Ci is generated by. 1.

(2) SKi;j = f (aj ) (mod P );. (1). where aj is the coe± cient of the term x j in Hi(x): At the beginning of the key generation process, all security classes in the user hierarchy are unmarked, and then traversed by the preorder way. The keygeneration procedure of CHW scheme is described in detail in the following. Step 1: Get an unmarked node Ci from the user hierarchy by preorder traversal. Step 2: If Ci is a leaf node, that is, ki = 0, then mark Ci and return to Step 1. Step 3: Let Ci;1 ; Ci;2 ; : : : ; Ci;m i be unmarked ISs of C i and Ci;m i+1 ; C i;m i+2 ; : : : ; Ci;k i be marked ones. Step 4: If Ci is the root node, that is, Ci has no predecessor, then go to Step 5; else go to Step 6. Step 5: (5a) Randomly select an integer between 1 and P ¡ 1, denoted as SKi . Then assign SK i to be the secret key of C i and mark Ci . (5b) Randomly select a polynomial of degree ki over GF(P ), denoted as Hi (x) = SKi + a1 x + a2 x2 + : : : + ak i xk i (mod P ); where a1 ; a2 ; : : : ; ak i are ki distinct integers between 1 and P ¡ 1. (5c) Go to Step 7. Step 6: (6a) Randomly select mi integer pairs (P 1 i;j ; P 2i;j ), j = 1; 2; : : :,m i, between 1 and P , such that all P 1i;t for t = 1; 2; : : : ; ki are distinct. (6b) By the Newton's interpolating method, an interpolating polynomial Hi(x) of degree ki on the ki + 1 points: (0; SKi ); (P 1 i;1 ; P 2 i; 1 ); (P 1 i;2 ; P 2 i;2 ); : : : ; and (P 1i;k i ; P 2 i;k i ) over GF(P ) can be constructed as Hi (x) = SKi + a1 x + a2 x2 + : : : + ak i xk i (mod P ): Step 7: Generate the secret keys SK i;j of Ci 's ISs, which are still unmarked, according to equation (1), and then mark C i;j for j = 1; 2; : : : ; m i: Step 8: Repeat from Step 1 until all nodes of the user hierarchy are marked. ¥ In the key derivation procedure, a security class Ci can reconstruct the interpolating polynomial Hi (x) by his secret key SKi and the ki pairs of public parameters of his ISs, and then use Hi (x) and the prede¯ned one-way function to derive the secret keys of all his ISs.. For any non-immediate successor, Ci can derive the secret key by performing the key-derivation procedure iteratively. Since no one can reconstruct Hi (x) only by the public parameters of Ci 's ISs, the secret key of any security class cannot be derived by conspiratorial. In the sequel, we discuss the incorrectness of CHW scheme. Let the set of security classes Â = fC i; C i+1 ; : : : ; Ci+d¡ 1 g have the same security clearance; that is, all the elements of the set are on the same level of a user hierarchy. Suppose that the ¯rst q ISs of each security class in Â are the same . Because the keys are generated by preorder traversal, the ¯ rst security class Ci in Â determines the secret keys and public-parameter pairs for the ¯rst q ISs, shared by all security classes in Â . Then these q ISs are marked. That is, Ci uses the points (0; SKi ) and the ki publicparameter pairs of his ISs, to reconstruct the following interpolating polynomial, denoted as Hi(x) = SKi + ai;1 x + ai;2 x 2 + : : : + ai;k i xk i (mod P ); Then Ci uses the ki coe± cients, ai;1 ; ai; 2 ; : : : ; ai;k i , to compute the secret keys of his ISs according to (1). When it comes to the other security classes in Â , their interpolating polynomials are given by Hj (x) = SKj + aj;1 x + aj;2 x2 + : : : + aj;k j x kj (mod P ); for j = i + 1; i + 2; : : : ; i + d ¡ 1. The q coe± cients ak; 1 ; a k; 2 ; : : : ; ak;q of Hk (x); for k = i; i +1; : : : ; i +d¡ 1; are used to generate the secret keys of the q shared ISs. Accordingly if each security class in Â wants to generate identical secret keys for their q shared ISs, then for each r = 1; 2; : : : ; q the following equations f (ai;r ) = f (aj; r) (mod P ). for all i 6= j. must be satis¯ed. However they are not held in general due to distinct secret keys of security classes in Â . This is the incorrectness of CHW scheme and leads the CHW scheme unusable. Moreover, in CHW scheme, the secret key of a certain security class is susceptible to being broken if all his ISs are collaborated. Therefore any IP may be broken if all his ISs are united to invade their predecessor. In the next section, a simple and e® ective scheme will be presented to solve the two problems. 3. OUR PROPOSED SCHEME TO IMPROVE CHW SCHEME Assume that a central authority (CA) is responsible of generating and distributing the secret key SKi.

(3) and public-parameter pair (P 1 i; P 2i ) for each security class C i in the user hierarchy. Let P be a large prime number and f be a prede¯ned one-way function. Both P and f are made public to all security classes in the user hierarchy by CA. Moreover, to keep from collaborative attacks [8], any secret key SK will be substituted with its corresponding pretending secret key SK 0 , generated from the prede¯ned function f . SK 0 = f(SK). (2). 3.1 THE BASIC IDEA OF THE PROPOSED SCHEME Firstly, we assume that for a set of security classes, all the security classes in this set have the same security clearance. A set of IPs is called a similar IP set if all security classes of which simultaneously share a number of ISs. Suppose that there are Q L similar IP sets in the Lth security-clearance level. We use ª L = fª L;1 ; ª L;2 ; : : : ; ª L;Q Lg to denote the Q L similar IP sets and assume that the j th similar IP set ª L;j of ª L contains N ª L;j IPs for j = 1; 2; : : : ; QL . Every similar IP set corresponds to a set of ISs, which is called a shared IS set. For simplicity, we use 'L ;j to denote the shared IS set corresponding to the similar IP set ª L ;j . In addition, let ' L = f' L;1 ; ' L;2 ; : : : ; ' L; QL g denote the QL shared IS sets corresponding to the similar IP sets ª L = fª L;1 ; ª L ;2 ; : : : ; ª L;QL g, and the number of ISs in ' L;j be N 'L;j for j = 1; 2; : : : ; QL . That is, the N 'L;j security classes in 'L ;j are shared by each IP in ª L;j . Let ¤ j be a set containing N ¤ j security classes. A security class C j is called the exclusive IP with respect to the set ¤ j , if Cj is the only IP that exclusively shares the N ¤ j security classes in ¤ j . For simplicity, we call ¤ j the exclusive IS set with respect to the exclusive IP, C j . Previously, we suppose that a security class C j in the user hierarchy has kj ISs, denoted by © j = fCj;t; t = 1; 2; : : : ; kj g. It is observed that kj equals N ¤ j , if C j does not belong to any similar IP set. For a good comprehension of the above-de¯ned terminologies, an illustration for the user hierarchy in Figure 1 is given. In Figure 1, fC1 g, fC2 ; C 3; C 4 g, and fC5 ; C6 ; : : : ; C18 g belong to the ¯rst, second, and third security-clearance level, respectively. The illustration for the second security-clearance level is shown at Table 1. Apparently, a certain security class may belong to a similar IP set and an exclusive IP at the same time. For example, C 2 belongs to ª 2;1 the ¯rst similar IP set of the second security-clearance level, and is also the exclusive IP of the exclusive IS set ¤ 2 . In our proposed scheme, for each securityclearance level, the security classes of similar IP sets and exclusive IPs are done separately by di® erent algo-. rithms. Accordingly, while we construct interpolating polynomials, the ISs of any node C i in the user hierarchy are classi¯ ed into two parts, if exists. The ¯ rst part is the shared IS set corresponding to the similar IP set to which C i belongs, and the second part is the exclusive IS set whose exclusive IP is Ci . Consider a certain similar IP set ª L;j with respect to the shared IS set ' L;j . The criteria for the key-generation scheme is that each security class in ª L;j can only use his own secret key, without any secret key of the other peers in ª L; j , on deriving secret keys of their shared ISs in 'L ;j . And importantly, it must satisfy that any IP in ª L;j cannot use the secret keys of the shared IS set 'L ;j to derive any secret key of the other peers in ª L;j . In the next section, we propose a simple and e® ective scheme satisfying the above two points. The proposed scheme is based on the combination of Lagrange polynomial [11] and Newton interpolation method [9]. In the sequel, fSKª L;j ;k ; k = 1; 2; : : : ; N ª L;j g are used to denote the secret keys of the N ª L;j IPs in ª L; j . About the basic idea of the Lagrange polynomial, we would like to consider the product of factors ¯rst given by. Nª. £ ª L;j (x) =. L;j Y. k=1. 0. (x ¡ SKª L;j ;k );. (3). which is related to the N ª L;j pretending secret keys 0 fSKª L;j ;k ; k = 1; 2; : : : ; N ª L;j g. The function £ ª L;j (x) is a polynomial of N ª L;j orders and becomes 0 0 0 zero at x = SKª L;j ;1 ; SK ª L;j ;2 ; : : : ;and SKª L;j ;Nª . L;j. 0. If £ ª L;j (x) is divided by (x ¡ SKª L;j ;i), the resulting function, de¯ned to be. V i(x) =. £ ª L;j (x) 0. (x ¡ SK ª L;j ;i ). ;. (4). 0. turns out zero at x = SKª L;j ;t, for t 6= i. Therefore, if Vi (x) is multiplied by (x ¡ D) for i = 1; 2; : : : ; N ª L;j , the resulting function becomes a polynomial of order Nª L;j again, de¯ ned to be Ui(x) = (x ¡ D)Vi (x);. (5). where D is a dummy secret key in order to make Ui(x) a polynomial of degree N ª L;j . The dummy secret key D is di® erent from the N ª L;j pretending secret key of ª L;j and is only known by CA. Notice that the value 0 Ui(x) becomes zero at x = SKª L;j ;k for k 6= i by the property of (4). The basis of our proposed scheme is to use a universal key, denoted as SKª L;j ; instead of the secret keys fSKª L;j ;k ; k = 1; 2; : : : ; Nª L;j g of security classes in the similar IP set ª L;j while any security class in ª L;j is constructing the interpolating.

(4) polynomial for the shared IS set 'L ;j . That is, each security class in ª L;j will construct the identical interpolating polynomial for the shared IS set on the N 'L;j + 1 points: (0; SKª L;j ) and the N 'L;j publicparameter pairs of ' L;j over GF(P ). Now let's consider the following N ª L;j linear congruence equations:. 0. SKª L;j = ® i Ui (SKª L; j; i ) (mod P );. (6). for i = 1; 2; : : : ; N ª L;j where ® i's are unknown and SKª L;j is the universal key selected by CA. Note that by the theorem 1.4 of [10], the Nª L;j linear congruence equations shown above have exactly N ª L;j solutions. Accordingly, after solving the unknown coe± cients ® i's, we can have the generation polynomial for the universal key SKª L;j ; given by. shared IS set. The universal key is obtained by solving the generation polynomial in (7), which is produced via equations (3)-(6). Therefore each IP in the similar IP set can construct the identical interpolating polynomial of the corresponding shared IS set by the universal key and the public-parameter pairs of the shared IS set. As for the exclusive IPs on a security-clearance level, each of them constructs the interpolating polynomial of the associated exclusive IS set by his own secret key and the public-parameter pairs of all his exclusive ISs. Since there are two types of IPs, the proposed key-generation algorithm includes two sub-algorithms in contrast: exclusive-IP algorithm and similar-IP algorithm. The former is used for the exclusive IPs and the latter is applied on the IPs in a similar IP set. In the key-generation procedure, Step 2 to Step 4 are designed for the exclusive IPs, and Step 5 and Step 6 are applied to similar IPs. In the following, the key-generation algorithm is presented and the two sub-algorithms are shown subsequently.. Nª. Gª L;j (x) =. L;j X. i=1. ® i Ui (x):. (7). From (6) and (7), and the property of (4), we ¯ nd that any security class of the similar IP set ª L;j can get the universal key SKª L;j merely by his own corresponding pretending secret key SK 0 , that is. 0. SKª L;j = Gª L;j (SKª. L;j ;k. ) (mod P );. (8). for k = 1; 2; : : : ; N ª L;j : Therefore each security class in the similar IP set ª L ;j can construct the identical interpolating polynomial for the shared IS set ' L;j by the universal key SKª L;j and the N'L;j public-parameter pairs of ' L; j . Notice that, any security class in ª L;j can use neither the derived secret keys of the shared IS set ' L;j nor the generation polynomial Gª L;j (x) to break the secret keys of the other peers in ª L; j . 3.2 THE KEY-GENERATION ALGORITHM The key-generation algorithm is proceeded level by level. For any security-clearance level, the security classes on the same level are categorized into similar IPs and exclusive IPs, and they are done separately by di® erent algorithms. Accordingly, while we construct interpolating polynomials, the ISs of a node Ci in the user hierarchy are classi¯ed into two parts, if exists. One part is the shared IS set corresponding to the similar IP set to which C i belongs, and the other part is the exclusive IS set whose exclusive IP is Ci . For any similar IP set, all IPs in this set use the corresponding universal key instead of their secret keys, while constructing interpolating polynomial for the associated. Key-Generation Algorithm Step 1: (1a) Make all nodes in the user hierarchy unmarked. (1b) Let L be the security-level index and set L = 1 (the highest security clearance). Step 2: (2a) Take an unmarked node C i from the security classes which belongs to the Lth security clearance. (2b) Mark C i. Step 3: (3a) Determine the exclusive IS set of Ci and denote it as ¤ i . (3b) Go to the exclusive-IP algorithm. Step 4: Repeat Step 2 and Step 3 until all no des in the Lth security-clearance are marked. Step 5: (5a) Determine all the similar IP sets of the Lth security-clearance level, shown as ª L = fª L;1 ; ª L; 2 ; : : : ; ª L ;QL g; and the corresponding shared IS sets, shown as 'L = f'L ;1 ; 'L ;2 ; : : : ; 'L ;QL g. (5b) Let j be the index for the similar IP sets and default j = 1. Step 6: (6a) Run the similar-IP algorithm for ª L;j , the jth similar set of ª L . (6b) Set j = j + 1: If j 5 Q L , then return to (6a). Step 7: If all the nodes in the user hierarchy are marked, then stop; else set L = L + 1 and return to Step2. ¥ Exclusive-IP Algorithm Step 1: (1a) If Ci is the root node, C i has no IPs. Randomly select an integer SKi between 1 and P ¡ 1 to be the secret key of Ci . Otherwise, the secret key SK i of Ci.

(5) has already assigned. (1b) Suppose Ci has N ¤ i exclusive ISs. Randomly select N ¤ i distinct integers P 1 i;1 ; P 1 i; 2 ; : : : ; P 1 i;N¤ i between 1 and P ¡ 1, and any N ¤ i integers P 2 i;1 ; P 2 i;2 ; : : : ; P 2i;N ¤ i between 1 and P ¡ 1. (1c) Assign (P 1 i;k ; P 2i;k ) as the public-parameter pair of the kth exclusive IS of Ci , where k = 1; 2; : : : ; N¤ i . Step 2: Using the Newton's interpolation method, we can construct an interpolating polynomial Hi(x) of degree 0 N ¤ i by interpolating on the points: (0; SKi ) and (P 1i;k ; P 2 i;k ), k = 1; 2; : : : ; N ¤ i , over GF(P ), shown as 0. Hi(x) = SKi +a1 x +a2 x 2 + : : : +aN ¤ i x N¤ i (mod. P ). Step 3: Compute all the secret keys for the N ¤ i exclusive ISs of C i as follows. SKi;k = f (ak ) (mod P ); for k = 1; 2; : : : ; N ¤ i ; where SKi;k denotes the secret key of the kth exclusive IS of C i, and ak is the coe± cient of the term xk in Hi(x). ¥. universal key of the set ª. L;j. as follows:. Nª. Gª L;j (x) =. L;j X. ® i£ ª L;j (x);. i=1. where ® i' s are obtained from Step 3. (4b) Make Gª L;j (x) public. Step 5: (5a) Randomly select N 'L;j distinct integers P 1'L;j ;1 ; P 1 'L;j ;2 ; : : : ; P 1 'L;j ;N 'L;j between 1 and P ¡ 1, and any N'L;j integers P 2 'L;j ;1 ; P 2 'L;j ;2 ; : : : ; P 2 'L;j ;N 'L;j between 1 and P ¡ 1. (5b) Assign (P 1 'L;j ;k ; P 2 'L;j ;k ) as the publicparameter pair of the kth shared IS in ' L;j , where k = 1; 2; : : : ; N 'L;j . Note that the N'L;j shared ISs in 'L ;j is corresponding to the j th similar IP set ª L ;j . Step 6: Using the Newton's interpolation method, we can construct an interpolating polynomial Hª L;j (x) of de0 gree N'L;j by interpolating on the points: (0; SKª L;j ) and the N'L;j points (P 1'L;j ;k ; P 2 'L;j ; k ), k = 1; 2; : : : ; N 'L;j over GF(P ), shown as 0. Hª L;j (x) = SK ª L;j +a1 x+: : :+aN'L;j x Similar-IP Algorithm As previously, we use fSKª L;j ;k ; k = 1; 2; : : : ; N ª L;j g to denote the N ª L;j secret keys of the jth similar IP set ª L;j in the Lth security clearance. Step 1: Generate the following polynomial Nª. £ ª L;j (x) =. L; j Y. k=1. 0. (x ¡ SKª L;j ;k );. N'L;j. (mod P );. 0. where SKª L;j = f (SKª L;j ). Step 7: Compute all the secret keys of the shared IS set 'L ;j by SK 'L;j ;k = f (ak );. for k = 1; 2; : : : ; N 'L;j ;. where ak is the coe± cient of the term x k in Hª L;j (x).¥ 3.3 KEY-DERIVATION ALGORITHM. and let V i (x) =. £ ª L;j (x) ; for i = 1; 2; : : : ; N ª L;j : 0 (x ¡ SKª L; j; i). Step 2: Make polynomials of degree N ª L; j in terms of V i(x): U i(x) = (x ¡ D)V i(x), for i = 1; 2; : : : ; N ª L;j : where D is a dummy secret key only known by CA. Step 3: Set 0. SKª L;j = ® i Ui(SK ª L;j ;i ) (mod P ); for i = 1; 2; : : : ; Nª L;j where SKª L;j is the predetermined universal key by CA. Step 4: (4a) De¯ ne a generation polynomial Gª L;j (x) for the. Assume that a security class Ci with the secret key SKi wants to derive the secret key SKi;k of his IS C i; k . As previously, the IS C i;k may be a node of the shared IS set corresponding to the similar IP set to which Ci belongs, or a no de of the exclusive IS set whose exclusive IP is Ci. The algorithm for the key derivation is given as follows.. Key-Derivation Algorithm Step 1: If the security class Ci is the exclusive predecessor of Ci;k , then go to Step 2; otherwise, go to Step 3. Step 2: (2a) Determine the exclusive IS set ¤ i of C i and take all the corresponding public-parameter pairs of ¤ i , denoted as (P 1 i;t ; P 2 i; t), t = 1; 2; : : : ; N¤ i, where N¤ i means the cardinal number of the set ¤ i . (2b) Using the Newton's interpolation method, we can.

(6) reconstruct the interpolating polynomial 0. Hi (x) = SK i + a1 x + a2 x2 + : : : + aN ¤ i x N¤ i (mod P ); 0. by interpolating on the points: (0; SKi ) and the N ¤ i public-parameter pairs, (P 1 i;t ; P 2 i; t), t = 1; 2; : : : ; N¤ i , over GF(P ). (2c) Go to Step 5. Step 3: (3a) Determine the corresponding similar IP set ª and shared IS set ' to which Ci and C i;k belongs, respectively, and then get the generation polynomial Gª (x) for the universal key of the similar IP set ª . (3b) The universal key SKª is obtained by 0. Gª (SKi );. the prede¯ ned one-way function f (x) = 7 x. There is a CA for generating the secret key and public parameters for each security class in the user hierarchy. The generated parameters for the user hierarchy in Figure 2 are summarized at Table 2. Key-Generation Example ² For the root node C1 { Randomly select the secret key SK1 = 7; and (3; 12) and (10; 9) as the public-parameter pairs for C2 and C3 , respectively. { Construct the interpolating polynomial H1 (x) over 0 GF(31) on the points: (0; SK 1 = 28), (3; 12) and (10; 9); given by H1 (x) = 28 + 27x + 3x2 (mod 31).. 0. where SKi is the corresponding pretending secret key of C i. Step 4: (4a) Take the N' public-parameter pairs of ', denoted as (P 1i;1 ; P 2i;1 ), (P 1 i; 2; P 2i;3 ); : : : ; (P 1 i;N ' ; P 2i;N ' ). (4b) Using the Newton's interpolation method, we can reconstruct the interpolating polynomial 0. { Then the secret keys for C2 and C3 are computed as. SK2. =. f (27) (mod 31) = 16. SK3. =. f (3) (mod 31) = 2:. and. by interpolating on the points: (0; SK ª ) and the N' public-parameter pairs, (P 1i;t ; P 2 i;t), t = 1; 2; : : : ; N' , over GF(P ). Step 5: Compute the secret key of C i;k by. ² For exclusive IP C 2 { The exclusive ISs for C 2 are C 4 and C5 . { Randomly select (15; 2) and (11; 9) as the publicparameter pairs for C 4 and C5 , respectively. { Construct the interpolating polynomial H2 (x) over 0 GF(31) on the points: (0; SK2 = 7), (15; 2) and (11; 9); given by. SKi;k = f (ak ) (mod P );. H2 (x) = 7 + 7x + 25x2 (mod 31).. Hi (x) = SK i + a1 x + a2 x 2 + : : : + aN ' x N' (mod P ); 0. { Then the secret keys for C4 and C5 are computed as where ak is the coe± cient of the term x k of Hi (x).¥ Note that the security class C i can derive all secret keys of his successors, which could be not an immediate one, by performing the Key-Derivation Algorithm iteratively. The weakness of the original CHW scheme [8] is that it can not avoid from collaborative attack from ISs. Therefore, we substitute a corresponding pretending secret key SK 0 for its original SK for any predecessor when constructing the interpolating polynomial. Thus, we can intensify the security because even all the ISs unite together to attack the corresponding IP, and they can get nothing but a fake secret key.. SK 4. =. f(7) (mod 31) = 28. SK 5. =. f(25) (mod 31) = 25:. and. ² For exclusive IP C 3 { The exclusive ISs for C 3 are C 8 and C9 . { Randomly select (5; 2) and (13; 3) as the publicparameter pairs for C 8 and C9 , respectively. { Construct the interpolating polynomial H3 (x) over 0 GF(31) on the points: (0; SK3 = 18), (5; 2) and (13; 3); given by H3 (x) = 18 + 5x + 12x2 (mod 31).. 4. EXAMPLES In this section, the key-generation and keyderivation examples are given under the user hierarchy in Figure 2. There are four security-clearance levels containing twelve security classes in this user hierarchy. We suppose that the prime number P = 31 and. { Then the secret keys for C8 and C9 are computed as SK8. =. f (5) (mod 31) = 5 and. SK9. =. f (12) (mod 31) = 16:. ² For similar IP ª 2;1 = fC 2 ; C3 g { The shared ISs for ª 2;1 are C6 and C7 ..

(7) { The generation polynomial, with the dummy key D=17, for the universal key of ª 2;1 is shown as Gª. 2;1. (x) = 6x 2 + 5x + 10;. for which the universal key SKª 0. 2;1. is computed as 0. SK ª 2;1 = Gª 2;1 (SK 2 = 7) = Gª 2;1 (SK 3 = 18) = 29: { Randomly select (25; 17) and (29; 19) as the publicparameter pairs for C 6 and C 7 , respectively. { Construct the interpolating polynomial Hª 2;1 (x) over 0 GF(31) on the points: (0; SKª 2;1 = 9), (25; 17) and (29; 19); given by Hª 2;1 (x) = 9 + 19x + 12x 2 : { Then the secret keys for C 6 and C 7 are computed by SK6. =. f (19) (mod 31) = 14. SK7. =. f (12) (mod 31) = 16:. and. ² For exclusive IP C4 { The exclusive ISs for C4 are C10 ; C 11 and C 12 . { Randomly select (14; 12); (7; 22) and (4; 21) as the public-parameter pairs for C10; C 11 and C 12 , respectively. { Construct the interpolating polynomial H4 (x) over 0 GF(31) on the points: (0; SK4 = 19), (14; 12); (7; 22) and (4; 21); given by H4 (x) = 19 + 9x + 18x2 + 25x3 (mod 31). { Then the secret keys for C 10 ; C11 and C 12 are given as SK 10. =. f (9) (mod 31) = 8:. SK 11. =. f (18) (mod 31) = 2. SK 12. =. f (25) (mod 31) = 25:. ² Do nothing for the leaf nodes: C 5 ; C6 ; : : : ; and C9 .. Key-Derivation Example Suppose that C 1 wants to access the data of C 6 and C10 : The security class C6 is the shared IS of ª 2;1 = fC2 ; C3 g: The security class C10 is an immediate successor of C 4 . ² The derivation of SK6 { Reconstruct the interpolating polynomial H1 (x) over 0 GF(31) on the points: (0; SK1 = 28), (3; 12) and (10; 9); given by H1 (x) = 28 + 27x + 3x 2 (mod 31): { The secret key of C 2 is computed by SK 2 = f (27) (mod 31) = 16. { Get the universal key SKª 2;1 for C 2 and C3 by 0 SKª 2;1 = Gª 2;1 (SK2 = 7) = 29:. { Reconstruct the interpolating polynomial Hª 2;1(x) 0 over GF(31) on the points: (0; SKª 2;1 = 9), (25; 17) and (29; 19); given by H ª 2;1 (x) = 9 + 19x + 12x 2 : { The secret keys for C 6 is given by SK6 = f (19) (mod 31) = 14: ² The derivation of SK 10 { Reconstruct the interpolating polynomial H1 (x) over 0 GF(31) on the points: (0; SK 1 = 28), (3; 12) and (10; 9); given by H1 (x) = 28 + 27x + 3x 2 (mod 31): { The secret key of C2 is computed by SK2 = f (27) (mod 31) = 16. { Reconstruct the interpolating polynomial H 2(x) for the exclusive ISs of C2 over GF(31) on the 0 points:(0; SK 2 = 7), (15; 2) and (11; 9); given by H2 (x) = 7 + 7x + 25x2 (mod 31). { The secret key of C 4 is computed by SK 4 = f (7) (mod 31) = 28. { Reconstruct the interpolating polynomial H 4(x) for the exclusive ISs of C4 over GF(31) on the 0 points:(0; SK 4 = 19), (14; 12); (7; 22) and (4; 21); given by H4 (x) = 19 + 9x + 18x 2 + 25x 3 (mod 31): { Then the secret key of C 10 is computed by SK10 = f (9) (mod 31) = 8:. 5. CONCLUSIONS A simple and e® ective scheme, based on the combination of Lagrange polynomial and Newton interpolation method, is proposed to solve the incorrectness of CHW scheme and to enhance its security at the same time. The polynomial for generating the universal key of a similar IP set is easily obtained by just solving linear congruence equations. This scheme ensures not only each security class in a similar IP set can derive each secret key of the associated shared ISs via his own secret key, without the help of his peers, but also the predecessor's secret key cannot be revealed by conspiracy of his successors..

(8) [2] W. P. Lu and M. K. Sundareshan, "A model for multilevel security in computer networks," Proceedings of INFOCOM, pp.1095-1104, 1988.. C1. C2. C5. C6. C3. C7. C 10. C4. C 11. C 17. C 18. [4] C. C. Chang, R. J. Hwang, and T. C. Wu, "Cryptographic key assignment scheme for access control in a hierarchy," Inf. Syst., Vol. 17, No. 3, pp.243247, 1992.. Figure 1: The poset in a user hierarchy. C1. C2. C4. C 10. C5. C 11. [5] S. F. Mackinnon, P. D. Taylor, H. Meijer, and S. G. Akl, "An optimal algorithm for assigning cryptographic keys to control access in a hierarchy," IEEE Trans. Comput. , Vol. 34, No. 9, pp.797-802, 1985.. C3. C6. C7. [3] D. McCullough, "Speci¯ cations for multilevel security and a hook-up property," Proceedings of IEEE Symposium on Security and Privacy, pp.161-166, 1987.. C8. C9. [6] K. J. Tan, S. J. Gu, and H. W. Zhu, "Correctness of CHW cryptographic key assignment scheme in a hierarchy," IEE Proc. Comput. Digit. Tech., Vol. 146, No. 4, pp.217-218, 1999.. C 12. Figure 2: Examples. [7] M. S. Hwang, "Extension of CHW cryptographic key assignment scheme in a hierarchy," IEE Proc. Comput. Digit. Tech., Vol. 146, No. 4, p.219, 1999.. Table 1: The second security-clearance level of the user hierarchy in Figure 1. Similar IP sets ª 2 ª 2;1 = fC 2 ; C 3 ; C4 g ª 2;2 = fC 3 ;C 4 g Shared IS sets ' 2 ' 2;1 = fC 7 ; : : : ;C 10 g ' 2;2 = fC 11 ; : : : ;C17 g Immediate Successors © 2 = fC5 ; : : : ; C10 g © 3 = fC7 ; : : : ; C17 g © 4 = fC7 ; : : : ; C18 g Exclusive IS Sets ¤ 2 = fC5 ; C6 g ¤ 3 = Á for C 3. ¤ 4 = fC18 g for C 4 .. [8] M. S. Hwang, W. P. Yang, and C. C. Chang, "Modi¯ ed Chang-Hwang-Wu access control scheme," Electron. Lett., Vol. 29, No. 24, pp.2095-2096, 1993.. Table 2: Parameters for the user hierarchy in Figure 2. Security class. C 1 C2 C3 C 4 C5 C 6 C7 C8 C 9 C10 C 11 C12 SKi 0 SKi P 1i P 2i. 7 16 2 28 7 18 ¢¢¢ 3 10 ¢¢¢ 12 9. 28 19 15 2. 25 25 11 9. 14 9 25 17. 16 7 29 19. 5 5 5 2. 16 7 13 3. 8 10 14 12. 2 18 7 22. 25 25 4 21. References [1] S. G. Akl and P. D. Taylor, "Cryptographic solution to a problem of access control in a hierarchy," ACM Trans. Comput. Syst. Vol. 1, No. 3, pp.239249, 1983.. [9] D. Knuth, The Art of Computer Programming, Vol. 2: Seminumerical Algorithm, AddisonWesley, Reading, MA, 1969. [10] H. E. Rose, A Course in Number Theory, p.34, Oxford, 1994. [11] S. Nakamura, Applied Numerical Methods in C, Prentice-Hall, 1993..

(9)