An efficient key-management scheme for hierarchical access control based on elliptic curve cryptosystem

The Journal of Systems and Software 79 (2006) 1161–1167 www.elsevier.com/locate/jss

An efficient key-management scheme for hierarchical access control based on elliptic curve cryptosystem Fuh-Gwo Jeng a

a,b,*

, Chung-Ming Wang

a

Institute of Computer Science, National Chung-Hsing University, 250 Kuo-Kwang Road, Taichung 40227, Taiwan, ROC b Department of Applied Mathematics, National Chiayi University, 300 Syuefu Road, Chiayi 60004, Taiwan, ROC Received 11 August 2005; received in revised form 11 January 2006; accepted 20 January 2006 Available online 3 March 2006

Abstract The elliptic curve cryptosystem is considered to be the strongest public-key cryptosystem known today and is preferred over the RSA cryptosystem because the key length for secure RSA has increased over recent years, and this has put a heavier processing load on its applications. An efficient key management and derivation scheme based on the elliptic curve cryptosystem is proposed in this paper to solve the hierarchical access control problem. Each class in the hierarchy is allowed to select its own secret key. The problem of efficiently adding or deleting classes can be solved without the necessity of regenerating keys for all the users in the hierarchy, as was the case in previous schemes. The scheme is shown much more efficiently and flexibly than the schemes proposed previously. Ó 2006 Elsevier Inc. All rights reserved. Keywords: Elliptic curve cryptosystem; Key management scheme; Hierarchical access control

1. Introduction The tremendous progress of computer networks and Internet make resource-sharing a tendency. In such a distributed sharing environment, the users and resources are structured into a multilevel hierarchy. However, data-sharing brings the problem of data being eavesdropped, stolen or destroyed. Thus, to solve the access control problem is the same as to solve the authentication problem; shortly speaking, to guarantee protected data are only accessed by authorized users. In the real world, it is not difficult to conceive of examples where hierarchical access control is required. One is the personnel of a chain of department stores, where employees are grouped by their ranks into a partially ordered hierarchy.

Abbreviation: ECC, Elliptic curve cryptosystem Corresponding author. Address: Department of Applied Mathematics, National Chiayi University, 300 Syuefu Road, Chiayi 60004, Taiwan, ROC. Tel.: +886 5 2864783; fax: +886 5 2717869. E-mail addresses: [email protected] (F.-G. Jeng), cmwang@ cs.nchu.edu.tw (C.-M. Wang). *

0164-1212/$ - see front matter Ó 2006 Elsevier Inc. All rights reserved. doi:10.1016/j.jss.2006.01.018

Another is a hospital where only doctors with a certain degree of seniority may have access to some personal information in a patient’s medical record. Similar situations abound in other areas, particularly in the government and the military, are easily envisaged. Moreover, consider a secure distributed system where hosts operate at different security levels and the encrypted data are broadcast into the network without concern for misrouting since the unintended recipients would be unable to decrypt the data. A goal is to enable a member of the organization at some level of the hierarchy to get the keys of members below him in the hierarchy, and consequently to have access to those data enciphered under those keys. Anyone with the proper receiving equipment can intercept the data but has access to the information it contains only if in possession of the right key. A hierarchical access control problem is defined in details below. In an organization, the users and their authorized data are organized into a group of disjoint sets of security classes, and each user is assigned to a certain security class called his security clearance. Let C1, C2, . . . , Cm, m 2 N, be m disjoint security classes and ‘6’ be a binary partial-order relation over the set C = {C1, C2, . . . , Cm}.

1162

F.-G. Jeng, C.-M. Wang / The Journal of Systems and Software 79 (2006) 1161–1167

For the set (C, 6), Cj 6 Ci (i, j 2 N) means that the users in the security class Ci have a security clearance higher than or equal to those in the security class Cj. In other words, the users in security class Ci can read or store the data held by the users in security class Cj, but the opposite is not allowed. Fig. 1 shows an example of a partially ordered user hierarchy. The relation C1 ! C2 in Fig. 1 means that C1 has a security clearance higher than that of C2. For the relation Cj 6 Ci, Ci is called a predecessor of Cj, and Cj a successor of Ci. Further, if Cj 6 Ci and there is no other security class Ck, k 2 N such that Cj 6 Ck 6 Ci, then Ci is said to be an immediate predecessor of Cj, and Cj an immediate successor of Ci. Generally speaking, each user in security class Ci is assigned a secret key Ki. When he wants to store a datum x into the database or broadcast it to the network, he first encrypts x by his secret key Ki to obtain x0 ¼ EK i ðxÞ, then stores or broadcasts x 0 . Only users in possession of Ki are able to retrieve x by calculating x ¼ DK i ðx0 Þ. Both E and D are noted as the encryption and decryption algorithms, respectively. However, the key Ki is only used for encrypting or decrypting the database entitled to security class Ci. That means when a user in security class Ci, with a higher clearance than Cj, would like to retrieve data encrypted by Kj, he should get the right key Kj first. Obviously, the easiest way for each user is to keep all of his successor’s keys; as shown in Fig. 1, if the user in C1 wants to retrieve the data encrypted under his own key or his successor’s keys, he has to hold a set of keys {K1, K2, K3, K4, K5, K6, K7}. But when the hierarchy grows larger and larger, the users with higher privilege are required to hold a large number of secret keys. Thus, the quantity of keys will become awkward to administer and may itself become a security hazard. Therefore, how to find a key-generating mechanism such that each user only holds one secret key and afterwards uses this key to retrieve all the information items he is entitled to is a job for all the researchers in this field. The first attempt to solve the problem by using cryptographic keys was proposed by Akl and Taylor (1983). Firstly, Akl and Taylor assigned a public integer ti to security class Ci with the property that tijtj if and only if Cj 6 Ci. The cryptographic key Ki for Ci is computed by K i ¼ K t0i (mod m), where K0 is the secret key of the central authority, respon-

C1

sible for generating and distributing the cryptographic keys and m is the public product of a pair of large secret prime numbers. Since tj/ti is an integer if Cj 6 Ci,Ci can derive Kj by the following deduction: t

t tj =ti

K j ¼ K 0j ¼ K 0i

t =ti

¼ ðK t0i Þ j

Obviously, if Cj 6 Ci,tj/ti is not an integer and the key derivation will fail. However, the size of the public information ti will grow linearly with the number of security classes. Hence, MacKinnon et al. (1985) proposed a canonical assignment method to reduce the ti values. Later, Harn and Lin (1990) presented a bottom-up key generation scheme instead of the top-down design approach in Akl and Taylor (1983) and MacKinnon et al. (1985) to improve the ti values. Yet, these three key assignment schemes mentioned above violate the security requirement whenever a new security class is added into the system as an immediate successor of an existing security class; that is, all the issued keys should be re-generated. Several key assignment solutions (Chick and Tavares, 1990; Chang et al., 1992; Chang and Buehrer, 1993) were proposed subsequently to achieve the target of dynamically adding or removing a security class, together with keeping the size of public information as small as possible. However, a big disadvantage of these schemes is that when the user with a higher security clearance wants to derive a secret key of his successor, but not an immediate one, he should iteratively perform the key derivation algorithm. Such an approach is quite inefficient. Tsai and Chang (1995) presented a scheme based upon the Rabin public key cryptosystem along with Chinese remainder theory and Newton’s interpolating method to achieve the dynamic property and the efficiency of key derivation. Their scheme shows that it is efficient in the keygeneration and key-derivation processes. However, a group of secret data is required to be held by each security class. Recently, Wu et al. (2001) used a function called a secure filter to solve the problem practically. Security class Ci in their scheme chooses its own secret key Ki and a secret number si at random. And then the central authority generates a secure filter fi(x) for Q security class Ci. The secure filter is defined as fi ðxÞ ¼ t ðx  gsi t Þ þ K i for all Ci < Ct, where st is the secret number of Ct and gi is a public number chosen by Ci randomly. The example below, based on Fig. 1, illustrates the formula. f1 ðxÞ ¼ nil; which means that no other class has access to C 1 ; f2 ðxÞ ¼ ðx  gs21 Þ þ K 2 ;

C2

C3

C4

f3 ðxÞ ¼ ðx  gs31 Þ þ K 3 ; f4 ðxÞ ¼ ðx  gs41 Þ þ K 4 ; f5 ðxÞ ¼ ðx  gs51 Þðx  gs52 Þ þ K 5 ;

C5

C6

t =t

¼ ðK ij i Þðmod mÞ.

C7

Fig. 1. A partially ordered user hierarchy.

f6 ðxÞ ¼ ðx  gs61 Þðx  gs62 Þ  ðx  gs63 Þðx  gs64 Þ þ K 6 ; f7 ðxÞ ¼ ðx  gs71 Þðx  gs74 Þ þ K 7 .

F.-G. Jeng, C.-M. Wang / The Journal of Systems and Software 79 (2006) 1161–1167

Now suppose a user in C1 wants to access the data held by C6. First, he acquires the public data (f6(x), g6) of C6 and then he uses his own secret number s1 to derive the secret key K6 by evaluating f6 ðgs61 Þ. It is obvious that the requirements of the storage and the computational overhead for fi(x) are tremendous. Generally speaking, an ideal key assignment scheme is supposed to achieve the following criteria. 1. The scheme should be secure. The scheme ensures the conspiracy of one’s successors is unable to reveal their predecessor’s secret key, and similarly unable to eavesdrop their sibling’s secret key. 2. The key-derivation process should be efficient. Generally the key-generation is implemented in certain times; however, the key-derivation process could be executed all the times. Therefore, an efficient key derivation algorithm is sufficient and necessary. It is better for a user to derive any of its successor’s key directly, instead of iteratively. 3. The scheme has the dynamic access property. Any organization such as the military, the hospital or the government we mentioned above is quite changeable in real implementation. Any changes to the hierarchy such as adding a new security class or removing a security class are expected without altering all issued secret keys. 4. The scheme requires low-cost computation overhead and no extra storage. 5. The scheme is flexible on selection of user’s own secret key. Any security class is able to select its own secret key K for its own convenience, and able to change its secret key from K to K 0 for some security consideration. Thus, in the following we will present our scheme based upon the elliptic curve cryptosystem to achieve all the criteria mentioned above. The rest of the paper is organized as follows: in the next section, we will briefly introduce the elliptic curve cryptosystem. Our key management scheme is presented in Section 3. Security analysis is discussed in Section 4. Finally, conclusions are made in Section 5. 2. The elliptic curve cryptosystem A vast majority of the products and the standards use RSA for encryption and digital signatures. As we have seen, the key length for secure RSA has increased over recent years, and this has put a heavier processing load on its applications. This burden has ramifications, especially for electronic commerce sites that conduct large numbers of secure transactions (Stallings, 2003). Koblitz (1987) and Miller (1986) independently proposed Elliptic Curve Cryptosystem (ECC), whose security relies on the discrete logarithm problem over the points on an elliptic curve. Elliptic curves are not ellipses. In fact,

1163

the elliptic curve cryptosystem makes use of elliptic curves in which the variables and coefficients are all restricted to elements of a finite field. Such a representation offers extra efficiency in the operation of ECC. Two families of elliptic curves are used in cryptographic applications: prime curves defined over Zp and binary curves constructed over GF(2n). Fernandes (1999) pointed out, ‘‘prime curves are best for software applications because the extended bit-fiddling operations needed by binary curves are not required; and that binary curves are best for hardware application, where it takes remarkably few logic gates to create a powerful, fast cryptosystem.’’ An elliptic curve over Zp, defined modulo a prime p, is the set of solutions (x, y) to an equation of the form denoted as Ep ða; bÞ : y 2 ¼ x3 þ ax þ b

ðmod pÞ

where a and b 2 Z p .

Also included in the definition of an elliptic curve is a single element called the point of infinity denoted as O. By definition, O is the third point of intersection of any straight line with the curve; that is, such a line has points of intersection of the form (x, y), (x, y) and O. Not every elliptic curve over Zp can be applied in cryptographic applications. The condition 4a3 + 27b2 mod p 5 0 is sufficient and necessary to ensure that (x3 + ax + b) mod p has no repeated factors, which means that a finite abelian group can be defined based on the set Ep(a, b). For example, let p = 11 and consider the elliptic curve y2 = x3 + x + 6 (mod 11). In this case, a = 1 and b = 6 so 4a3 + 27b2 mod 11  8 mod 11 5 0. The set E11(1, 6) consisting of the following points (2, 4), (2, 7), (3, 5), (3, 6), (5, 2), (5, 9), (7, 2), (7, 9), (8, 3), (8, 8), (10, 2), and (10, 9), is a finite abelian group. An operation over Ep(a, b), called addition, is used. For all points P, Q 2 Ep(a, b), the rules for addition over Ep(a, b) are defined as follows. 1. P + O = P. O serves as the additive identity. Thus O = O. 2. If P = (xp, yp), then P + (xp, yp) = O. The point (xp, yp) is the negative of P, denoted as P. For example, in E11(1, 6), for P = (2, 4), we have P = (2, 4). Since 4 mod 11  7, P = (2, 7), which is also in E11(1, 6). 3. If P = (xp, yp) and Q = (xq, yq) with P 5 Q, then R = P + Q = (xr, yr) is in E11(1, 6) and is determined by the following rules: xr ¼ ðk2  xp  xq Þmod p; y r ¼ ðkðxp  xr Þ  y p Þmod p; where,  8 y q y p > < xq xp mod p; if P 6¼ Q; k¼  2  > : 3xp þa mod p; if P ¼ Q. 2y p

4. Multiplication by an integer is defined by repeated addition; for example, 4P = P + P + P + P.

1164

F.-G. Jeng, C.-M. Wang / The Journal of Systems and Software 79 (2006) 1161–1167

For example, let P = (3, 5) and Q = (7, 2) in E11(1, 6). Then since P 5 Q, we have   25 3 mod11 ¼ mod11 ¼ 2; k¼ 73 4 xr ¼ ð22  3  7Þmod11 ¼ 6mod11 ¼ 5; y r ¼ ð2ð3  5Þ  5Þmod11 ¼ 9mod11 ¼ 2. So P þ Q ¼ ð5;2Þ. To find 2P, we have  2  3ð3 Þ þ 1 6 k¼ mod11 ¼ mod11 ¼ 5; 25 10 xr ¼ ð52  3  3Þmod11 ¼ 19mod11 ¼ 8; y r ¼ ð5ð3  8Þ  5Þmod11 ¼ 30mod11 ¼ 3. So 2P ¼ ð8; 3Þ. The addition operation in ECC is the counterpart of modular multiplication in RSA, and multiplication in ECC is the counterpart of modular exponentiation in RSA. To form a cryptographic system using elliptic curves over Zp, we need to find a ‘‘hard problem’’. Consider the equation Q = kP, where Q,P 2 Ep(a, b) and k < p. It is relatively easy to calculate Q given k and P, but it is relatively hard to determine k given Q and P. This is called the discrete logarithm problem for elliptic curves. We give an example taken from Stallings (2003). Suppose E23(9, 17) is an elliptic curve given by y2 = x3 + 9x + 17 (mod 23). What is the discrete logarithm k of Q = (4, 5) to the base P = (16, 5)? The brute-force method is to compute multiples of P until Q is found. Thus, P ¼ ð16; 5Þ;

2P ¼ ð20; 20Þ;

3P ¼ ð14; 14Þ;

4P ¼ ð19; 20Þ; 5P ¼ ð13; 10Þ; 6P ¼ ð7; 3Þ; 7P ¼ ð8; 7Þ; 8P ¼ ð12; 17Þ; 9P ¼ ð4; 5Þ. Because 9P = (4, 5) = Q, the discrete logarithm Q to the base P is k = 9. However, in the real implementation, p and k would be large enough to make the brute-force method infeasible. The security of ECC relies upon the difficulty of the elliptic curve discrete logarithm problem. As is the case with the integer factorization problem and the discrete logarithm problem modulo p, no efficient algorithm is known to solve the elliptic curve discrete logarithm problem. Vanstone (1997) states, ‘‘the elliptic curve discrete logarithm problem is believed to be harder than both the integer factorization problem and the discrete logarithm problem modulo p.’’ The extra difficulty makes ECC the strongest public-key cryptosystem known nowadays and moderate security can be achieved by ECC over modulo a prime number p that is several times shorter than 150 decimal digitals. The efficiency of ECC is dependent on the fast calculation of Q = kP for some number k and a point P on the curve. The process of adding elliptic curve points requires a few modular calculations. As shown in Stallings (2003), the prime p used in ECC can be much smaller than the numbers in the other types of systems. This leads to a significant improvement in efficiency in the operation of ECC

over both integer factorization and discrete logarithm systems. Before describing our key management scheme, we would like to mention the processes of elliptic curve encryption and decryption. Several approaches to encryption and decryption using elliptic curves have been analyzed in the literature. Here we introduce a method proposed by Koblitz. Suppose Ep(a, b) is an elliptic curve over Zp given by y2 = x3 + ax + b. Let m be a message, expressed as a number 0 6 m < p/100. Let xi = 100m + i for 0 6 i < 100. For ðp1Þ=2 i = 0,1, 2, . . . , 99, compute si ¼ x3i þ axi þ b. If si 1 (mod p), then si is a square mod p, in which case we do not need to try any more values of i. When p  3 (mod 4), a ðpþ1Þ=4 square root of si is then given by y i  si mod p. Thus the point (xi, yi) on Ep(a, b) is obtained, and this is the encryption of the message m. To recover m from (xi, yi), simply compute [xi/100] = the greatest integer less than or equal to xi/100). 3. Our key-management scheme In our scheme, a central authority (CA) is required. His job is to determine an elliptic group Ep(a, b) as y2 = x3 + ax + b (mod p), where p is a large prime number, and the coefficients satisfy 4a3 + 27b2 mod p 5 0, and then to choose a base point G from Ep(a, b). Besides, CA selects ~ to represent each point on the elliptic curve an algorithm A ~ public. Each security as a real number and then makes A class in the hierarchy is allowed to select its own secret key K and a secret parameter n at random. Consequently, each class has to generate its corresponding public parameter P = nG. Finally, each class sends both of its secret key K and secret parameter n to the central authority. To ensure the transmission of keys secure, we encrypt the keys before sending them to CA. Firstly, CA selects randomly a secret parameter nca and makes Pca = ncaG public. Each class forms its secret data as a point (K, n). Then each class chooses a random positive integer k and produces a pair of points, {kG, (K, n) + kPca}. Consequently, he sends the pair of points to CA. When CA gets them, he multiples the first point by his secret parameter nca and subtracts the result from the second point to derive (K, n): ðK; nÞ þ kP ca  nca ðkGÞ ¼ ðK; nÞ þ kðnca GÞ  nca ðkGÞ ¼ ðK; nÞ. Note that each class masks its (K, n) by adding kPca to it and nobody but CA can remove the mask. For an attacker, he has to compute k given G and kG, which is assumed hard. In order to make the key-derivation process efficient, the central authority constructs a polynomial H(x) for each security class in which the right key is only accessed by all its predecessors. An efficient scheme is implemented by the key generation and derivation algorithms respectively shown in the following.

F.-G. Jeng, C.-M. Wang / The Journal of Systems and Software 79 (2006) 1161–1167

Key generation algorithm

~ i P j ÞÞ ¼ H j ðAðn

Y

1165

~ i P j Þ  Aðn ~ j P t ÞÞ þ K j ðAðn

C j 6C t

Step 1. Suppose there are m, m 2 N, security classes in a user hierarchy over the partial-order relation (6). CA determines an elliptic group Ep(a, b) as y2 = x3 + ax + b (mod p), where p is a large prime number, and the coefficients satisfy 4a3 + 27b2 5 0 (mod p). Then CA selects a base point G = (x, y) from Ep(a, b) whose order is a very large value n such that nG = O. CA makes Ep(a, b), G and the value n public. ~ : ðx; yÞ ! v, for repreStep 2. CA selects an algorithm A senting a point on Ep(a, b) as a real number v. ~ public. CA chooses a secret paraCA makes A meter nca and makes Pca public, where Pca = ncaG. Step 3. For security class Ci,1 6 i 6 m, it chooses its own secret key Ki, 1 6 Ki 6 p  1, and a secret parameter ni, ni < n, firstly. It makes Pi public, where Pi = niG. Then it encrypts the point (Ki, ni) by adding kPca to it and sends the pair of points {kG, (Ki, ni) + kPca} to CA, where k is a positive integer selected randomly. Step 4. For each pair of points {kG, (Ki, ni) + kPca}, 1 6 i 6 m, CA multiples the first point by his secret parameter nca and subtracts the result from the second point to derive (Ki, ni). ðK i ; ni Þ þ kP ca  nca ðkGÞ ¼ ðK i ; ni Þ þ kðnca GÞ  nca ðkGÞ ¼ ðK i ; ni Þ. Step 5. For security class Ci, 1 6 i 6 m, CA constructs a polynomial Hi(x) for him. Y ~ i P t ÞÞ þ K i for all C i < C t . ðx  Aðn H i ðxÞ ¼

Y

~ i P j Þ  Aðn ~ j P i ÞÞ  ¼ ðAðn

~ iP jÞ ðAðn

C j 6C t ;C t 6¼C i

~ j P t ÞÞ þ K j  Aðn ~ i  nj GÞ  Aðn ~ j  ni GÞÞ ¼ ðAðn Y ~ i P j Þ  Aðn ~ j P t ÞÞ þ K j  ðAðn C j 6C t ;C t 6¼C i

¼ K j.



An example using the hierarchy of Fig. 1 is shown below. Class C1 determines its own secret key K1, and its secret parameter n1, and then generates its public parameter P1 = n1G. Then it sends its pair of points {kG, (K1, n1) + kPca} to CA. The other classes in the hierarchy do the same job. While CA derives all the secret keys and secret parameters, he constructs the corresponding polynomials for each class and then makes them public. The polynomials are generated as follows: H 1 ðxÞ ¼ nil; which means that no other class has access to C 1 ; ~ 2 P 1 ÞÞ þ K 2 ; H 2 ðxÞ ¼ ðx  Aðn ~ 3 P 1 ÞÞ þ K 3 ; H 3 ðxÞ ¼ ðx  Aðn ~ 4 P 1 ÞÞ þ K 4 ; H 4 ðxÞ ¼ ðx  Aðn ~ 5 P 1 ÞÞðx  Aðn ~ 5 P 2 ÞÞ þ K 5 ; H 5 ðxÞ ¼ ðx  Aðn ~ 6 P 1 ÞÞðx  Aðn ~ 6 P 2 ÞÞðx  Aðn ~ 6 P 3 ÞÞ H 6 ðxÞ ¼ ðx  Aðn ~ 6 P 4 ÞÞ þ K 6 ;  ðx  Aðn ~ 7 P 1 ÞÞðx  Aðn ~ 7 P 4 ÞÞ þ K 7 . H 7 ðxÞ ¼ ðx  Aðn

t

End (of the key generation algorithm) Key derivation algorithm Assume user ui in the security class Ci wants to access the encrypted data held by user uj in one of his successor classes Cj, ui can derive the secret key Kj of uj by the following steps: Step 1. Get the public parameters Hj(x) and Pj of uj. ~ i P j ÞÞ and then Kj can be obtained. Step 2. Compute H j ðAðn End (of the key derivation algorithm) Theorem 3.1. For two security classes Ci and Cj, Cj 6 Ci, the secret key Kj can be derived by Ci by the above key derivation algorithm. Proof. We have the public parameters Hj(x) and Pj of Cj. Y ~ j P t ÞÞ þ K j for all C j < C t . H j ðxÞ ¼ ðx  Aðn t

~ i P j ÞÞ. Since Cj 6 Ci, we compute H j ðAðn

Now suppose a user in C1 wants to derive the secret key K4. Using his own secret parameter n1 along with the public parameters H4(x) and P4, he can derive the secret key K4 by ~ 1 P 4 ÞÞ shown below. computing H 4 ðAðn ~ 1 P 4 ÞÞ ¼ ðAðn ~ 1 P 4 Þ  Aðn ~ 4 P 1 ÞÞ þ K 4 H 4 ðAðn ~ 1  n4 GÞ  Aðn ~ 4  n1 GÞÞ þ K 4 ¼ K 4 . ¼ ðAðn Now, we consider the problem of addition of new security classes. Suppose a new security class Ck is added into an existing hierarchy. It is well performed. Neither the existed secret keys nor secret parameters have to be altered. For example, let C8 a new security class be added as an immediate successor of C4, as shown in Fig. 2. After C8 selects its own secret key K8 and secret parameter n8, CA generates polynomial H8(x) to show that C1 and C4 have the access right to C8 as follows: ~ 8 P 1 ÞÞðx  Aðn ~ 8 P 4 ÞÞ þ K 8 . H 8 ðxÞ ¼ ðx  Aðn Now consider the case when a security class Cj is removed from the hierarchy. It is trivial for our scheme since only the corresponding key Kj and parameters nj

1166

F.-G. Jeng, C.-M. Wang / The Journal of Systems and Software 79 (2006) 1161–1167

C1

C2

C5

C3

C4

C6

C7

C8

Fig. 2. A class C8 added to the hierarchy of Fig. 1.

and Pj are deleted. Neither the other secret keys nor the other secret parameters have to be altered. Obviously, the dynamic property of our scheme is performed significantly. As to the ex-member problem mentioned in Zheng et al. (1993), a user should have no privilege to access all the information that he originally was entitled to when he is dismissed from the hierarchy. Suppose user uj in class Cj is dismissed from his class. The solution is similar to the case of removing a class from the hierarchy. CA discards all related parameters of Cj and makes Cj select his new secret key Kj and his new secret parameter nj. After that, CA constructs Qa new corresponding polynomial Hj(x), ~ j P t ÞÞ þ K j for all Cj < Ct. Obviwhere H j ðxÞ ¼ t ðx  Aðn ously, the ex-member problem can be solved easily and efficiently in our scheme. Changing a secret key for some security reason is sometimes necessary for practical implementation. Let each security class have the right to alter its secret key anytime and anywhere, which makes our scheme practical and flexible. While CA receives the notice of key-change from Ki to K 0i , he Qonly updates the corresponding polynomial ~ i P t ÞÞ þ K 0 for all Ci < Ct. H i ðxÞ ¼ t ðx  Aðn i 4. Security analysis and discussions Review the key derivation process. It is practical and efficient for security class Ci by means of its secret parameter ni to derive any of its successors’ keys directly, instead iteratively. Yet the opposite is not allowed since it is no way for any successor to get the secret parameters of its predecessor. Now, let us consider the problem of two or more users at a lower level of the hierarchy collaborating to derive a higher level key to which they are not entitled. Assume three classes C2, C3 and C4 in Fig. 1 want to conspire to obtain the secret key of C1. No information about C1 except the public data P1 can be obtained. As mentioned in Section 2, to reveal n1 from P1, where P1 = n1G, is the problem of solving discrete logarithm over an elliptic curve, which is believed to be harder than both the integer factorization problem and the discrete logarithm problem modulo p. Similarly, any class cannot conspire to obtain his

sibling’s secret key since each class in the hierarchy is entitled to access his successor’s secret keys only. As to the computational complexity, the kernel operations in our scheme for our key generation or derivation are based upon the elliptic curve cryptosystem and the construction of polynomials. Vanstone (1997) had summarized that ECC provided greater efficiency with order of magnitude roughly 10 times than either integer factorization systems or discrete logarithm systems in terms of computational overheads, key sizes and bandwidth. Obviously, this means ECC has the advantages of higher speed, lower power consumption and code size reduction. Next, the computation time of construction of a polynomial is another concern. Knuth (1981) proposed an efficient algorithm requiring O (k Æ log2 k) computation time to achieve this task, where k is the degree of the polynomial Hi(x). Finally, we discuss the storage requirements of our scheme. Stallings (2003) estimated that a key size of 4096 bits for RSA gives the same level of security as 313 bits in an elliptic curve system. That means the size of the prime p in Ep(a, b) is secure enough by taking 300 bits. Class Ci, 1 6 i 6 m, requires the storage for its secret pair (Ki, ni) and his public parameters (Pi,Hi(x)). The storage required for ni, Ki, and Pi is bounded in 300 bits each. Thus the total storage required is O(m), where m is the number of security classes in the hierarchy. As for the polynomial Hi(x), we know that the storage required is proportional to the number of the successors he has. Fortunately, the prime p takes around 300 bits such that the coefficients of the polynomial are defined over the prime p. Let k be the degree of Hi(x), then the storage needed is about kdlog p + 1e bits. Compared to those schemes based upon either integer factorization systems or discrete logarithm systems, each prime is required to have 100 digits to be secure. The total storage required in our scheme is quite less. 5. Conclusions An efficient key management scheme based upon ECC for access control in a hierarchy is proposed. Compared to the other public-key cryptosystems, ECC appears to offer equal security for a much smaller key size, thereby reducing processing overhead. Besides, our scheme ensures that the collaboration of a group of users is unable to reveal their predecessor’s secret key, and similarly unable to generate their sibling’s secret key. Our scheme is proven to be secure and has the following advantages. (1) It is practical in both of the key generation and key derivation phases since the elliptic curve cryptosystem has the benefit of reducing the overhead on computation. (2) It is efficient in the key-derivation process especially, since any user can derive any of his successor’s key directly, instead of iteratively. (3) It is well performed when a new class is added into or a class is removed from the hierarchy.

F.-G. Jeng, C.-M. Wang / The Journal of Systems and Software 79 (2006) 1161–1167

(4) It requires less storage than the other schemes proposed previously. (5) It is flexible on the key selection, since any security class is able to select its own secret key K for its own convenience, and able to change its secret key from K to K 0 for some security reason. References Akl, S.G., Taylor, P.D., 1983. Cryptographic solution to a problem of access control in a hierarchy. ACM Transactions on Computer Systems 1 (3), 239–247. Chang, C.C., Buehrer, D.J., 1993. Access control in a hierarchy using a one-way trapdoor function. Computers and Mathematics with Applications 26 (5), 71–76. Chang, C.C., Hwang, R.J., Wu, T.C., 1992. Cryptographic key assignment scheme for access control in a hierarchy. Information Systems 17 (3), 243–247. Chick, G.C., Tavares, S.E., 1990. Flexible access control with master keysAdvances in Cryptology—CRYPTO’89. Springer-Verlag, pp. 316–322. Fernandes, A., 1999. Elliptic curve cryptography. Dr. Dobb’s Journal. Harn, L., Lin, H.Y., 1990. A cryptographic key generation scheme for multilevel data security. Computer Security 9, 539–546. Knuth, D.E., 1981. The Art of Computer Programming, second ed. Seminumerical Algorithms, vol. 2. Addison-Wesley, Reading, MA. Koblitz, N., 1987. Elliptic curve cryptosystems. Mathematics of Computation 48, 203–209. MacKinnon, S.T., Taylor, P.D., Meijer, H., Akl, S.G., 1985. An optimal algorithm for assigning cryptographic keys to control access in a hierarchy. IEEE Transactions on Computers C-34 (9), 797–802. Miller, V.S., 1986. Use of elliptic curves in cryptography. In: Advances in Cryptology—Proceedings of CRYPTO’85. Lecture Notes in Computer Science, vol. 218. Springer-Verlag, pp. 417–426.

1167

Stallings, W., 2003. Cryptography and Network Security—Principles and Practices, third ed. Prentice-Hall. Tsai, H.M., Chang, C.C., 1995. A cryptographic implementation for dynamic access control in a user hierarchy. Computers & Security 14, 159–166. Vanstone, S.A., 1997. Elliptic curve cryptosystem-the answer to strong, fast public-key cryptography for securing constrained environments. Information Security Technical Report 12 (2), 78–87. Wu, K.P., Ruan, S.J., Tseng, C.K., Lai, F.P., 2001. Hierarchical access control using the secure filter. IEICE Transactions on Information & Systems E84-D (6), 700–707. Zheng, Y., Hardjono, T., Seberry, J., 1993. New solutions to the problem of access control in a hierarchy. Technical Report Preprint No. 93-2, Department of Computer Science, University of Wollongong, Australia.

Fuh-Gwo Jeng received his B.S. in Applied Mathematics from National Chung Hsing University in 1986 and M.S. in computer and information science from National Chiao Tung University, Taiwan in 1991. Now, he is an instructor at the Department of Applied Mathematics, National Chiayi University and working toward his Ph.D. degree at the Institute of Computer Science, National Chung Hsing University, Taiwan. His research interests include information security and computer graphics. Chung-Ming Wang is a professor at the Institute of Computer Science, National Chung Hsing University, Taiwan. Wang received B.S. from National Chung Hsing University and since then he had worked in industry for several years. He received his Ph.D. degree in computer science and engineering from the University of Leeds, United Kingdom, in 1992. He has won several times the Dragon Thesis Awards funded by the Acer Computers. His research interests include computer graphics, virtual reality, multimedia, and computer networks. He is a member of ACM, IEEE and Eurographics.