Published by Silvester Samuel Singleton. Modified over 9 years ago.
1 An Efficient Key-Management Scheme for Hierarchical Access Control Based on Elliptic Curve Cryptosystem
Author: F.G. Jeng and C.M. Wang
Citation: Journal of Systems and Software
2 Outline
Introduction
Elliptic Curve Cryptosystem
Proposed Scheme
Analysis of Security
Analysis of Time Complexity
Analysis of Storage Complexity
Conclusion
Idea
3 Introduction
[Figure: organization chart with nodes President; Office of Student Affairs, Office of Academic Affairs, Office of General Affairs; Students, Teachers, Library]
Hierarchical access control problems: access rights among a group of users in an organization
  A higher-level user can access a lower-level user's data.
  A lower-level user cannot access a higher-level user's data.
4 Introduction
Two Types of Hierarchies
Tree hierarchy
  Each class (except the root class) has only one parent class.
Partially ordered hierarchy
  Each class (except the root class) could have more than one parent class.
5 Introduction
Tree hierarchy
The users are divided into a set of disjoint security classes $C = \{C_1, C_2, \ldots, C_n\}$.
Each class has its own cryptographic key.
Each class (except the root class) has only one parent class.
$C_j \le C_i$: $C_i$ can read or store information in $C_j$, but the opposite is not allowed.
$C_i$ can derive the key of $C_j$.
[Figure: A tree hierarchy (nodes $C_1$ to $C_8$; labels $C_i$, $C_j$)]
6 Introduction
Partially ordered hierarchy
The users are divided into a set of disjoint security classes $C = \{C_1, C_2, \ldots, C_n\}$.
Each class has its own cryptographic key.
Each class (except the root class) could have more than one parent class.
$C_j \le C_i$: $C_i$ can read or store information in $C_j$, but the opposite is not allowed.
$C_i$ can derive the key of $C_j$.
[Figure: A partially ordered hierarchy (nodes $C_1$ to $C_7$; label $C_i$)]
7 Introduction
Types of public-key cryptosystem
Integer Factorization System
  $n = pq$, where p and q are two primes. It is hard to factorize n.
Discrete Logarithm System
  $r^x \equiv h \pmod{p}$. It is hard to find x.
Elliptic Curve Cryptosystem
  $Q = aP$, where P and Q are two points over an elliptic curve. It is hard to find a.
8 Introduction
Goals of a Key-Management Scheme
The scheme should be secure.
The key-derivation process should be efficient.
The scheme should have the dynamic access property.
The scheme should require low computational overhead and less storage.
The scheme should be flexible in the selection of a user's own secret key.
9 Elliptic Curve Cryptosystem
Advantages of ECC (Elliptic Curve Cryptosystem)
ECC is roughly 10 times more efficient than either integer factorization systems or discrete logarithm systems in terms of computational overheads, key sizes and bandwidth.
A key size of 4096 bits for RSA gives the same level of security as 313 bits in an ECC.
10 Elliptic Curve Cryptosystem
Mathematics Backgrounds on the ECC
Elliptic curve equation E over $Z_p$
  $Z_p = \{0, 1, 2, \ldots, p-1\}$
  $E_p(a, b)$: $y^2 = x^3 + ax + b \pmod{p}$, where $a, b \in Z_p$ and $4a^3 + 27b^2 \neq 0$
A finite abelian group is defined over $E_p(a, b)$.
[Figure: the curve $y^2 = x^3 + x + 1$]
11 Elliptic Curve Cryptosystem
Mathematics Backgrounds of ECC
Operations of points in the ECC
If $P = (x_p, y_p)$, then $P + (x_p, -y_p) = O$.
The point $(x_p, -y_p)$ is the negative of P, denoted as $-P$.
Example
Let $P = (6, 4)$; then $-P = (6, -4)$. Since $-4 \equiv 19 \pmod{23}$, $-P = (6, 19)$ over $E_{23}(1, 1)$.
Points over $E_{23}(1, 1)$:
(0, 1)    (6, 4)    (12, 19)
(0, 22)   (6, 19)   (13, 7)
(1, 7)    (7, 11)   (13, 16)
(1, 16)   (7, 12)   (17, 3)
(3, 10)   (9, 7)    (17, 20)
(3, 13)   (9, 16)   (18, 3)
(4, 0)    (11, 3)   (18, 20)
(5, 4)    (11, 20)  (19, 5)
(5, 19)   (12, 4)   (19, 18)
12 Elliptic Curve Cryptosystem
Mathematics Backgrounds of ECC
Multiplication by an integer is defined by repeated addition; for example, $2P = P + P$.
  $x_r = (\lambda^2 - x_p - x_q) \bmod p$
  $y_r = (\lambda(x_p - x_r) - y_p) \bmod p$
Example
$P = (6, 4)$; $\lambda = 5$, $x_r = 13$, $y_r = 7$, $2P = (13, 7)$ over $E_{23}(1, 1)$.
[Table: Points over $E_{23}(1, 1)$, the same table as on slide 11]
13 Elliptic Curve Cryptosystem
Mathematics Backgrounds on ECC
Addition operation of two different points over $E_p(a, b)$.
If $P = (x_p, y_p)$ and $Q = (x_q, y_q)$ in which $P \neq Q$, then $R = P + Q = (x_r, y_r)$.
  $x_r = (\lambda^2 - x_p - x_q) \bmod p$
  $y_r = (\lambda(x_p - x_r) - y_p) \bmod p$
Example
$P = (6, 4)$, $Q = (7, 11)$, $\lambda = 7$, $x_r = 13$, $y_r = 16$, $R = P + Q = (13, 16)$ over $E_{23}(1, 1)$.
[Table: Points over $E_{23}(1, 1)$, the same table as on slide 11]
14 Elliptic Curve Cryptosystem
Comparison: ECC vs. RSA

Elliptic curve logarithms using the Pollard rho method
Key size   MIPS-Years
150        $3.8 \times 10^{10}$
205        $7.1 \times 10^{18}$
234        $1.6 \times 10^{28}$

Integer factorization using the general number field sieve
Key size   MIPS-Years
512        $3 \times 10^{4}$
768        $2 \times 10^{8}$
1024       $3 \times 10^{11}$
1280       $1 \times 10^{14}$
1536       $3 \times 10^{16}$
2048       $3 \times 10^{20}$

160
15 Proposed Scheme
Key-management Scheme for Tree Hierarchy
Mathematics background
A function $H: A \to B$ is a one-way hash function if it is a one-to-one function and
  for every x in A, H(x) can be computed easily;
  for every y = H(x) in B, it is infeasible to compute x.
16 Proposed Scheme
Key Generation Algorithm
Step 1
CA determines $E_p(a, b)$: $y^2 = x^3 + ax + b \pmod{p}$
  p is a large prime number
  $4a^3 + 27b^2 \neq 0 \bmod p$
CA picks a base point $G = (x, y)$ with the order n such that $nG = O$.
CA publishes $E_p(a, b)$, G and n.
17 Proposed Scheme
Key Generation Algorithm
Step 2
CA selects $\tilde{A}: (x, y) \to v$, where v is an integer. The CA makes $\tilde{A}$ public.
CA chooses a secret parameter $n_{ca}$ and makes $P_{ca}$ public, where $P_{ca} = n_{ca} G$.
Private parameter of the CA: $n_{ca}$
Public parameter of the CA: point $P_{ca}$
18 Proposed Scheme
Key Generation Algorithm
Step 3
Class $C_i$ chooses secret key $K_i$, $1 \le K_i \le p-1$.
Class $C_i$ chooses secret parameter $n_i$, $n_i \le n$.
$P_i = n_i G$ is public.
$C_i$ sends $(K_i, n_i)$ to CA secretly.
Private parameters of $C_i$: $K_i$, $n_i$
Public parameter of $C_i$: point $P_i = n_i G$
19 Proposed Scheme
Key Generation Algorithm
Step 4
CA constructs a polynomial $H_i(x)$ for $C_i$.
For the root class, H(x) = nil: $H_1(x)$ = nil.
For non-root class, $H_i(x) =$ where $C_i \le C_t$.
[Figure: hierarchy of classes $C_1$ to $C_7$]
20 Proposed Scheme
Key Generation Algorithm
Example
[Figure: hierarchy of classes $C_1$ to $C_7$]
$H_2(x) = (x - \tilde{A}(n_2 P_1)) + K_2$
[Figure: hierarchy of classes $C_1$ to $C_7$]
$H_3(x) = (x - \tilde{A}(n_3 P_1)) + K_3$
21 Proposed Scheme
Key Generation Algorithm
Example
[Figure: hierarchy of classes $C_1$ to $C_7$]
$H_4(x) = (x - \tilde{A}(n_4 P_1)) + K_4$
[Figure: hierarchy of classes $C_1$ to $C_7$]
$H_5(x) = (x - \tilde{A}(n_5 P_1))(x - \tilde{A}(n_5 P_2)) + K_5$
22 Proposed Scheme
Key Generation Algorithm
Example
[Figure: hierarchy of classes $C_1$ to $C_7$]
$H_6(x) = (x - \tilde{A}(n_6 P_1))(x - \tilde{A}(n_6 P_2))(x - \tilde{A}(n_6 P_3))(x - \tilde{A}(n_6 P_4)) + K_6$
[Figure: hierarchy of classes $C_1$ to $C_7$]
$H_7(x) = (x - \tilde{A}(n_7 P_1))(x - \tilde{A}(n_7 P_4)) + K_7$
23 Proposed Scheme
Key Derivation Algorithm
Step 1. $C_i$ derives the key of $C_j$.
$C_i$ gets the public polynomial $H_j(x)$ and $P_j$.
Example
$C_1$ derives the key of $C_6$.
$C_1$ knows: $P_6$ and $H_6(x)$
[Figure: hierarchy of classes $C_1$ to $C_7$]
24 Proposed Scheme
Key Derivation Algorithm
Step 2. $C_i$ computes $H_j(\tilde{A}(n_i P_j))$.
$C_i$ obtains $K_j$.
$H_6(x) = (x - \tilde{A}(n_6 P_1))(x - \tilde{A}(n_6 P_2))(x - \tilde{A}(n_6 P_3))(x - \tilde{A}(n_6 P_4)) + K_6$
Example
$H_6(\tilde{A}(n_1 P_6)) = (\tilde{A}(n_1 P_6) - \tilde{A}(n_6 P_1))(\tilde{A}(n_1 P_6) - \tilde{A}(n_6 P_2))(\tilde{A}(n_1 P_6) - \tilde{A}(n_6 P_3))(\tilde{A}(n_1 P_6) - \tilde{A}(n_6 P_4)) + K_6$
$= (\tilde{A}(n_1 n_6 G) - \tilde{A}(n_6 \times n_1 G))(\ldots) + K_6$, where the first factor equals 0
$= K_6$
[Figure: hierarchy of classes $C_1$ to $C_7$]
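The curve arithmetic of slides 11 to 13 and the key generation and derivation steps of slides 16 to 24, as a runnable toy (an added example, not code from the presentation or the paper). It assumes the base point G = (6, 4) on E_23(1, 1), constructed secrets n_i and K_5, a hypothetical injective encode() standing in for the slides' point-to-integer map, and a prime modulus Q = 1009 for the polynomial coefficients; the slides specify none of these.

```python
# Toy run on the slides' curve E_23(1, 1): y^2 = x^3 + x + 1 (mod 23).
P_MOD, A = 23, 1
G, O = (6, 4), None  # G has order 14 on this curve; O is the point at infinity
Q = 1009             # ASSUMPTION: prime modulus for H_j(x), above every encode() value

def add(P, R):  # point addition and doubling, using the slides' x_r and y_r formulas
    if P is O: return R
    if R is O: return P
    (xp, yp), (xq, yq) = P, R
    if xp == xq and (yp + yq) % P_MOD == 0:
        return O  # P + (-P) = O
    if P == R:
        lam = (3 * xp * xp + A) * pow(2 * yp % P_MOD, -1, P_MOD)
    else:
        lam = (yq - yp) * pow((xq - xp) % P_MOD, -1, P_MOD)
    xr = (lam * lam - xp - xq) % P_MOD
    return (xr, (lam * (xp - xr) - yp) % P_MOD)

def mul(k, P):  # k*P by double-and-add
    acc = O
    while k:
        if k & 1: acc = add(acc, P)
        P, k = add(P, P), k >> 1
    return acc

def encode(P):  # ASSUMPTION: injective stand-in for the slides' map (x, y) -> v
    return 0 if P is O else 1 + P[0] * P_MOD + P[1]

def build_poly(n_j, K_j, ancestor_pubs):
    # CA side: coefficients (highest degree first) of prod(x - encode(n_j*P_t)) + K_j
    coeffs = [1]
    for P_t in ancestor_pubs:
        r = encode(mul(n_j, P_t))
        coeffs = [(a - r * b) % Q for a, b in zip(coeffs + [0], [0] + coeffs)]
    coeffs[-1] = (coeffs[-1] + K_j) % Q
    return coeffs

def derive(n_i, P_j, H_j):
    # Class side: evaluate the public H_j at encode(n_i*P_j) with Horner's rule
    x, acc = encode(mul(n_i, P_j)), 0
    for c in H_j:
        acc = (acc * x + c) % Q
    return acc

# Constructed secrets; as on the slides, C_1 and C_2 are ancestors of C_5, C_3 is not.
n, K5 = {1: 3, 2: 5, 3: 9, 5: 11}, 17
pub = {i: mul(k, G) for i, k in n.items()}
H5 = build_poly(n[5], K5, [pub[1], pub[2]])
print([derive(n[i], pub[5], H5) for i in (1, 2, 3)])
```

The first two printed values equal K_5 because n_1 P_5 and n_5 P_1 are the same point; C_3's evaluation point is not a root of the product, so it gets an unrelated value.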
25 Proposed Scheme
Problems of Dynamic Access Control
Addition of a new security class
Deletion of a security class
26 Proposed Scheme
Addition of a new security class
Class $C_8$ is added to the hierarchy. $C_8$ has private parameters $(n_8, K_8)$ and public parameter $P_8 = n_8 G$.
The CA constructs $H_8(x)$ for $C_8$:
$H_8(x) = (x - \tilde{A}(n_8 P_1))(x - \tilde{A}(n_8 P_4)) + K_8$
[Figure: the hierarchy before ($C_1$ to $C_7$) and after ($C_1$ to $C_8$) the addition]
27 Proposed Scheme
Deletion of a Security Class
Class $C_3$ is removed from the hierarchy.
The CA only deletes $K_3$, $n_3$, $P_3$ and $H_3(x)$.
[Figure: the hierarchy before ($C_1$ to $C_8$) and after (without $C_3$) the deletion]
28 Analysis of Security: Conspiracy
$C_5$: public parameters $(P_5, H_5(x))$, private parameters $(n_5, K_5)$
$C_6$: public parameters $(P_6, H_6(x))$, private parameters $(n_6, K_6)$
$C_5$ and $C_6$ know $P_2$ and $H_2(x)$.
$n_2$: $P_2 = n_2 G$ [annotation: hard]
$H_2(x) = (x - \tilde{A}(n_2 P_1)) + K_2$
$H_2(\tilde{A}(n_2 P_1)) = (\tilde{A}(n_2 P_1) - \tilde{A}(n_2 P_1)) + K_2$
[Figure: hierarchy of classes $C_1$ to $C_7$, shown twice]
29 Analysis of Time Complexity
Constructing $H_i(x)$: $O(m \log^2 m)$, degree m
Updating $H_i(x)$: $O(nm \log^2 m)$, n classes
30 Analysis of Storage Complexity
$n_i$: 300 bits
$K_i$: 300 bits
Point $P_i$: 600 bits, $P_i = (x_i, y_i)$
$H_i(x)$: m (degree m; prime p: 300 bits)
RSA: 4096 bits; ECC: 313 bits
31 Conclusions
The problem of hierarchical access control is discussed and solved.
ECC is more efficient than other cryptosystems.
Key generation and key derivation based on ECC are efficient in our scheme.
The proposed scheme achieves the dynamic access property.
  Addition of a new class
  Deletion of an old class
The proposed scheme has low computational overhead and less storage based on ECC.
The proposed scheme is flexible in the selection of a user's own secret key.
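32 Non-Expanded Progressive Visual Cryptography with a Priority Concept
A progressive, non-expanded visual cryptography sharing method with different privilege levels
(n, n)-PPSM: (n, n)-priority and progressive sharing model
Under current progressive visual cryptography sharing mechanisms, appropriate privilege levels cannot be assigned according to the importance of the participants.
Each of the n secret-sharing participants has a different privilege.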
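33 Experimental Results and Discussion
Figure 5: Stacking results of the share images in Figure 4
Left: stacking five share images → (NC = 0.74); only then is the outline of the secret image faintly visible.
Right: stacking three share images → (NC = 0.72); the outline of the secret image is already faintly visible.
Stacking four share images → (NC = 0.78); the content of the secret image is clearly visible.
The secret sharing matrix of this study does give the participants different secret recovery capabilities.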
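34 Experimental Results and Discussion
Figure 7: Color share images generated from Figure 6
High privilege → stacking share images → fewer images → outline
Low privilege → stacking share images → more images → outline
The experimental results in Figures 5 and 7 show that the recovery result of the secret image depends on the privilege level of the participants.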
35 Reflections
36 Teacher's Supplement
Idea: Could the keys use the concept of groups as the approach for sharing images?