Yu-Li Lin and Chien-Lung Hsu Department of Information Management, Chang-Gung University Information Science(SCI) Reporter: Tzer-Long Chen.


• Abstract
• Introduction
• The Proposed Key Assignment Scheme
  ◦ Key generation phase
  ◦ Key derivation phase
  ◦ A small example
• Dynamic Key Management
  ◦ Adding a security class, deleting a security class, creating a new relationship, revoking an existing relationship, changing a secret key
• Security Analysis
• Performance Analysis
• Conclusions

• The security of the proposed scheme against some potential attacks is based only on the intractability of inverting a one-way hash function.
• The proposed scheme can efficiently deal with dynamic access control problems.
• The storage required for public and private parameters is significantly reduced.

• [4] Y.F. Chung, H.H. Lee, F. Lai, “Access Control in User Hierarchy Based on Elliptic Curve Cryptosystem,” Information Sciences, Vol. 178, pp ,
• This will reduce the key management costs. The proposed scheme is more efficient than the Chung et al. scheme in terms of computational complexity and the storage of public and private parameters.

• Let SC = {SC_1, SC_2, …, SC_n} be a user hierarchy with n disjoint sets of security classes, partially ordered by the binary relation “≤”.
• Let ID_i be the identity of the security class SC_i.
• The proposed scheme requires a central authority (CA) to maintain all public system parameters and functions.
• CA selects and publishes a large prime p and a one-way hash function h( ).

• CA randomly chooses a distinct secret key sk_i and a random number R_i for each security class SC_i in the hierarchy, i = 1, 2, …, n.
• Any higher security class SC_l to derive the encryption key h(sk_i ∥ R_i). For each security class SC_i.
• CA computes the polynomial f_i(x) over GF(p) by
• Finally, CA sends the secret key sk_i to the security class SC_i via a secure channel and publishes (f_i(x), R_i).

• Step 1. Use its secret key sk_i, identity ID_i, SC_j’s identity ID_j, and SC_j’s public random number R_j to compute
• Step 2. Use and the public polynomial f_j(x) to derive SC_j’s encryption key h(sk_j ∥ R_j) as h(sk_j ∥ R_j) = f_j( )

• Suppose there is a set of six disjoint security classes in a hierarchy, as in Fig. 1.
• CA chooses a distinct secret key sk_i and a random number R_i for each security class SC_i in the hierarchy, where i = 1, 2, …, n.
• When the security class SC_2 wants to derive the encryption key h(sk_4 ∥ R_4) of the class SC_4, it can use the secret key sk_2 and public information to calculate and then compute the polynomial f_j(x) for each security class by the following equations:

• When the security class SC_2 wants to derive the encryption key h(sk_4 || R_4) of the class SC_4, it can use the secret key sk_2 and the public information to calculate and then compute h(sk_4 || R_4) = f_4( )

• Adding
• Deleting
• Creating a new relationship
• Revoking an existing relationship
• Changing a secret key

• Step 1. Assign a secret key sk_k and a random number R_k for the security class SC_k.
• Step 2. For each SC_j (where SC_j ≤ SC_k ≤ SC_i), replace the public function f_j(x) with f_j′(x) where
• Step 3. Construct the public polynomial f_k(x) using h(sk_i ∥ R_k ∥ ID_i ∥ ID_j) by where ∥ is a bit concatenation operator
• Step 4. Finally, CA sends the secret key sk_k to SC_k via a secure channel and publishes the public information (R_k, f_k(x), f_j′(x))


• Step 1. Assign a secret key sk_7 and a random number R_7 for the security class SC_7.
• Step 2. Replace the public polynomial f_6(x) with f_6′(x) as
  f_6′(x) = (x − h(sk_1 || R_6 || ID_1 || ID_6))(x − h(sk_3 || R_6 || ID_3 || ID_6))(x − h(sk_7 || R_6 || ID_7 || ID_6)) + h(sk_6 || R_6) mod p
  Note that before SC_7 is added into the hierarchy, the public polynomial f_6(x) is formed as
  f_6(x) = (x − h(sk_1 || R_6 || ID_1 || ID_6))(x − h(sk_3 || R_6 || ID_3 || ID_6)) + h(sk_6 || R_6) mod p
• Step 3. Construct the public polynomial f_7(x) using h(sk_1 || R_7 || ID_1 || ID_7) by
  f_7(x) = (x − h(sk_1 || R_7 || ID_1 || ID_7)) + h(sk_7 || R_7) mod p
• Step 4. Replace f_6(x) with f_6′(x).
• Step 5. Publish (f_7(x), R_7) and send sk_7 to the security class SC_7 via a secure channel.

• Step 1. Renew a random number R_j as R_j′ of SC_i for all the successors SC_j of SC_k (SC_k ≥ SC_j)
• Step 2. Compute the public polynomial f_j′(x) as and replace f_j(x) with f_j′(x).
• Step 3. Delete the security class SC_k from the hierarchy and discard the secret key and public parameters of SC_k.


• Step 1. Renew two random numbers R_5′ and R_6′ for the security classes SC_5 and SC_6, respectively.
• Step 2. Replace the public function f_5(x) with f_5′(x) as
  f_5′(x) = (x − h(sk_1 || R_5′ || ID_1 || ID_5))(x − h(sk_2 || R_5′ || ID_2 || ID_5)) + h(sk_5 || R_5′) mod p
• Step 3. Replace the public function f_6(x) with f_6′(x) as
  f_6′(x) = (x − h(sk_1 || R_6′ || ID_1 || ID_6)) + h(sk_6 || R_6′) mod p
• Step 4. Publish (f_5′(x), f_6′(x), R_5′, R_6′).

• Step 1. Randomly choose a public number R_l and a secret key sk_l for SC_l
• Step 2. For all SC_i ≥ SC_l
    if {SC_i | (SC_i, SC_l)} ∈ R_i,l does not hold until SC_k ≥ SC_l is created such that SC_i ≥ SC_k ≥ SC_l ≥ SC_j
      compute h(sk_i || R_l || ID_i || ID_j) and h(sk_k || R_l || ID_k || ID_l)
    end if
  end for
• Step 3. Construct the public polynomial f_l(x) as

• Step 4. For all SC_i ≥ SC_l
    if {SC_i | (SC_i, SC_l)} ∈ R_i,l does not hold until SC_k ≥ SC_l is created such that SC_i ≥ SC_k ≥ SC_l ≥ SC_j
      for all {SC_i | (SC_i, SC_j)} ∈ R_i,j
        compute h(sk_i || R_j || ID_i || ID_j), h(sk_k || R_j || ID_k || ID_j) and h(sk_l || R_j || ID_l || ID)
      end for
    end if
  end for

• Step 5. Construct the public polynomial f_j′(x) as where || is a bit concatenation operator and h(⋅) is a one-way hash function.
• Step 6. Replace f_j(x) with f_j′(x)
• Step 7. Publish f_j′(x) and f_l(x)


• Step 1. Renew a random number R_6′ for the security class SC_6.
• Step 2. Replace f_6(x) with f_6′(x) as
  f_6′(x) = (x − h(sk_1 || R_6′ || ID_1 || ID_6))(x − h(sk_2 || R_6′ || ID_2 || ID_6))(x − h(sk_3 || R_6′ || ID_3 || ID_6))(x − h(sk_5 || R_6′ || ID_5 || ID_6)) + h(sk_6 || R_6′) mod p
• Step 3. Publish (f_6′(x), R_6′).

• Step 1. For all SC_i ≥ SC_l
    Renew a random number R_l as R_l′
    Construct the public polynomial f_l′(x) as
  end for
• Step 2. For all SC_k ≥ SC_j
    Renew a random number R_j as R_j′
    Construct the public polynomial f_j′(x) as
  end for
• Step 3. Revoke the relationship SC_k ≥ SC_l and publish (R_l′, R_j′, f_l′(x), f_j′(x)).


• Step 1. Renew the random number R_5 with R_5′.
• Step 2. Renew the public polynomial f_5(x) with f_5′(x) as
  f_5′(x) = (x − h(sk_1 || R_5′ || ID_1 || ID_5))(x − h(sk_3 || R_5′ || ID_3 || ID_5)) + h(sk_5 || R_5′) mod p
• Step 3. Revoke the relationship SC_2 ≥ SC_5 and publish (f_5′(x), R_5′).

• It may be necessary to change the derivation key for security reasons. When a security class SC_i wants to change its secret key sk_i to sk_i′,
• CA needs to update the public functions of SC_j (SC_j ≤ SC_i); all other keys and information items do not need to be changed.

• Compromising Attack
• Equation Attack
• Collaborative Attack
• Interior Collecting Attack
• Exterior Collecting Attack

• Consider the scenario in which a successor SC_j (SC_j ≤ SC_i) who knows the public parameters (ID_i, R_j, f_j(x)) attempts to derive SC_i’s secret key sk_i.
• Even if h(sk_i || R_j || ID_i || ID_j) is known to the adversary, it is still difficult to compute the secret key sk_i of the security class SC_i, because it is computationally infeasible to invert the one-way hash function.

• If two security classes have common successor(s), one of them might attempt to use the public polynomial(s) of the common successor(s) to derive unauthorized secret keys.

We use the example depicted in Fig. 1, with the relationships SC_2 ≥ SC_5 and SC_3 ≥ SC_5, to demonstrate this. SC_2 might attempt to obtain SC_3’s secret key sk_3 through SC_5’s public information f_5(x). Let x = 0, then It can be seen that the derivation of SC_3’s secret key sk_3 is based on the difficulty of inverting the one-way hash function.

• Consider the scenario in which two or more security classes at a lower level in the user hierarchy want to derive a secret key at a higher level.
• Let SC_j, SC_k, and SC_l be the successors of SC_i.
• For the above equations, deriving sk_i is based on the difficulty of inverting the one-way hash function.

• Consider the scenario in which there is a lower-level security class SC_j with m predecessors, which are SC_i, SC_i+1, …, and SC_i+m−1.
• Solving for sk_i is based on the difficulty of inverting the one-way hash function. …

• Assume that an intruder comes from outside the system; he may try to compute the secret key sk_i of a security class by using only the public parameters.
• Solving for sk_i is based on the difficulty of inverting the one-way hash function.

• The secret key for each security class is reusable for dynamic access control problems. The key management costs of the proposed scheme are smaller than those of Chung et al.’s scheme.
• The proposed scheme can efficiently deal with dynamic access control problems.
• The storage required for public and private parameters is significantly reduced.
• The proposed scheme is more efficient than Chung et al.’s scheme in terms of computational complexity and storage.