Cryptanalyses and improvements of two cryptographic key assignment schemes for dynamic access control in a user hierarchy




COSE 2205.qxd 01/07/2003 11:51 Page 453

Abstract

Recently, Wu and Chang and Shen and Chen separately proposed a cryptographic key assignment scheme for solving the access control problem in a partially ordered user hierarchy. However, this paper shows the security leaks inherent in both schemes, which are based on polynomial interpolation: users can have access to the information items held by others without following the predefined partially ordered relation. Finally, we propose two improvements to eliminate such security flaws.

1 Introduction

Many access control or key management methods consider hierarchical structures to provide cryptographic mechanisms for controlling access to system resources securely and efficiently in organizations such as business or government administration systems. In such a hierarchy, users and their information items are classified into a number of disjoint security classes, say C = {C1, C2, …, Cn}. Moreover, these security classes have a binary partially ordered relation. For instance, Cj ≤ Ci means that the users in Ci have a security class higher than or equal to those in Cj. That is, the users in the security class Ci can have access to the information items belonging to the users in the security class Cj, while the reverse is not allowed. Elaborating on the partially ordered user hierarchy, Wu and Chang recently proposed a cryptographic key assignment scheme for hierarchical access control [1] (denoted the Wu-Chang scheme for short). Later, Shen and Chen proposed another cryptographic key assignment scheme for solving the key management problems arising in the partially ordered user hierarchy [2] (denoted the Shen-Chen scheme for short). In both schemes, the users belonging to a security class must follow the predefined partially ordered relation to have access to the information items held by their successor(s). However, this paper demonstrates two attacks against the Wu-Chang and the Shen-Chen schemes, respectively. The attacker can have access to the information items held by others without following the predefined relation, which violates the security requirement. Furthermore, two improvements are proposed for eliminating the security leaks inherent in their schemes.

Correspondence to: Associate Professor Tzong-Sun Wu, Ph. D., Department of Informatics, Fo Guang University, 160, Linwei Rd., Jiaushi, I-Lan, 262, Taiwan, Republic of China; email: [email protected], [email protected]; tel: +886-3-987-1000 ext. 23214; fax: +886-3-987-4813.

Chien-Lung Hsu and Tzong-Sun Wu, Department of Informatics, Fo Guang University, I-Lan 262, Taiwan, Republic of China

2 Brief review of the Wu-Chang and the Shen-Chen schemes

In this section, we briefly review the Wu-Chang scheme [1] and the Shen-Chen scheme [2], respectively. Both schemes are divided into the key generation and the key derivation stages, as described below.

2.1 The Wu-Chang scheme

Let C = {C1, C2, …, Cn} be a set of n security classes in the hierarchy and let the notation “≤” denote a binary partially ordered relation on C.

Computers & Security, Vol. 22, No. 5, pp. 453-456, 2003. Copyright © 2003 Elsevier Ltd. Printed in Great Britain. All rights reserved. 0167-4048/03



Chien-Lung Hsu and Tzong-Sun Wu Cryptanalyses and improvements of key assignment schemes

In the partially ordered set (poset) (C, ≤), Cj ≤ Ci means that the users in Ci have a security class higher than or equal to those in Cj. Let ID_CA, ID_i, and ID_jt be the identifiers for the central authority (CA), the security class Ci, and the user u_jt who is the t-th user belonging to Cj, respectively. We denote by |x| the bit-length of the integer x. For the system setup, CA first selects two large primes p and q, satisfying |q| ≤ |p| + |ID|, and a primitive root g over GF(p). Then, CA chooses his private key S_CA such that gcd(S_CA, p – 1) = 1 and computes his public key Y_CA = g^{S_CA} mod p. CA finally publishes {p, q, g, Y_CA}. The key generation and the key derivation stages of the Wu-Chang scheme are stated as follows.

Key generation stage – CA randomly chooses a distinct private key S_i for each security class Ci in the hierarchy such that gcd(S_i, p – 1) = 1, computes its corresponding public key Y_i = g^{S_i} mod p, and then transmits S_i to each user u_it ∈ Ci via a secure channel. Upon receiving S_i from CA, u_it chooses an encryption key K_it in Z_p and publishes

W_it = (K_it)^{S_i^{-1}} + ID_it mod p,

where S_i^{-1} is the inverse of S_i modulo p – 1 (which exists because gcd(S_i, p – 1) = 1). The information items held by u_it are encrypted with K_it. Finally, CA computes the public derivation polynomial f_i(x) for each security class Ci in a bottom-up approach until all security classes in the hierarchy are examined. That is, CA interpolates the points

(((Y_CA)^{S_i} mod p) || ID_j, S_j)  (1)

for all Cj ≤ Ci and

(((Y_CA)^{S_i} mod p) || ID_CA, R_i)  (2)

by the Lagrange interpolating formula [3] to generate a public polynomial f_i(x) over GF(q), where || is the bit concatenation operator.

Key derivation stage – When the user u_ia ∈ Ci wants to have access to the information items held by some user u_jb in Cj, where Cj ≤ Ci, u_ia can derive Cj's private key S_j and u_jb's encryption key K_jb as

S_j = f_i(((Y_CA)^{S_i} mod p) || ID_j)  (3)

K_jb = (W_jb – ID_jb)^{S_j} mod p  (4)

Thereafter, u_ia uses K_jb to decrypt u_jb's information items. Wu and Chang also consider some possible dynamic access control problems in their paper, such as adding a new security class to the hierarchy, deleting an old security class from the hierarchy, and changing a user's encryption key. The interested reader is encouraged to refer to [1] for detailed discussions.

2.2 The Shen-Chen scheme

The set of security classes C = {C1, C2, …, Cn} and the notation “≤” are the same as those defined in the Wu-Chang scheme [1]. Let ID_i be the identifier for the security class Ci. Initially, CA selects and publishes a large prime p such that p = 2p′ + 1, where p′ is also a large prime, and a primitive root g over GF(p). The key generation and the key derivation stages of the Shen-Chen scheme are described as follows.

Key generation stage – CA randomly chooses a distinct private key S_i and an integer b_i for each security class Ci in the hierarchy, where gcd(S_i, p – 1) = 1 and 1 ≤ b_i ≤ p. CA interpolates the key derivation polynomial f_i(x) over GF(p) with the points

(ID_j || (g^{S_i} mod p), b_j)  (5)

for all Cj ≤ Ci. CA further computes Q_i = S_i · b_i^{-1} mod p. Finally, CA publishes all (f_i(x), Q_i)'s and transmits (S_i, b_i) to each security class Ci in the hierarchy via a secure channel.

Key derivation stage – Consider the relation Cj ≤ Ci. With the private key S_i, the security class Ci can derive its successor Cj's secret parameter b_j and private key S_j as

b_j = f_i(ID_j || (g^{S_i} mod p))  (6)

S_j = Q_j · b_j mod p  (7)


Thereafter, the security class Ci can have access to the information processed by the security class Cj with Sj. As to the handling of dynamic access control problems, the interested reader can refer to [2].

3 Cryptanalyses and improvements

In this section, we give a simple example to demonstrate the security leak inherent in both the Wu-Chang and the Shen-Chen schemes. Suppose that the set of classes is organized as a poset access control hierarchy such as that in Figure 1. Following the access control relations, the users in security class C3 have the access right solely to the information items held by those in C5 or C6, but not to those in C4. In the following, we show that a malicious insider, e.g., a user in C3, can have access to the information items held by those who are not his subordinates, i.e., users in C4 in this case. We further propose improvements to amend their schemes.

Figure 1: An example of a poset access control hierarchy with six security classes.

3.1 Attack on the Wu-Chang scheme and its improvement

For simplicity, we use the example depicted in Figure 1 to demonstrate that the users in C3 can have the access right to the information items held by those in C4, which violates the predefined requirements. From the partially ordered relation predefined in Figure 1, the user u_3a in the security class C3, knowing S_3, can compute the private key S_5 of the security class C5 by eqn. 3, i.e., S_5 = f_3(((Y_CA)^{S_3} mod p) || ID_5). Since the security classes C3 and C2 have the same immediate successor C5, u_3a can use S_5 to find the roots of the polynomial equation f_2(x) = S_5 over the finite field GF(q) in polynomial time [4, 5] and thus obtains x = ((Y_CA)^{S_2} mod p) || ID_5. u_3a further uses the shared key (Y_CA)^{S_2} mod p of C2 and CA to compute the private key S_4 = f_2(((Y_CA)^{S_2} mod p) || ID_4) by eqn. 3. This implies that u_3a has the access right to the information items held by the users in C4. That is, u_3a can derive the encryption key K_4b of any user u_4b in C4 by K_4b = (W_4b – ID_4b)^{S_4} mod p, and thus can use it to decrypt the information items held by u_4b. This attack extends to the general case whenever two security classes in the hierarchy have the same immediate successor(s).

The security leak inherent in the Wu-Chang scheme is caused by the fact that the shared key (Y_CA)^{S_2} mod p can be compromised and used to compute the private key(s) of C2's successor(s). We can eliminate the security leak by using a one-way hash function h [6] to prevent the shared key (Y_CA)^{S_2} mod p from being disclosed. Note that the function h maps a string of variable length to a string of |q| bits. Therefore, we replace eqns. 1 and 2 with eqns. 1* and 2*, respectively:

(h(((Y_CA)^{S_i} mod p) || ID_j), S_j)  (1*)

(h(((Y_CA)^{S_i} mod p) || ID_CA), R_i)  (2*)

Consequently, eqn. 3 should be changed to:

S_j = f_i(h(((Y_CA)^{S_i} mod p) || ID_j))  (3*)

Since the shared key (Y_CA)^{S_i} mod p is protected by the one-way hash function h, it is computationally infeasible to compute the private key(s) without following the predefined partially ordered relation, based on the intractability of reversing h [6]. Hence, our improvement is secure against the above attack.



3.2 Attack on the Shen-Chen scheme and its improvement

Consider the same scenario as described in Subsection 3.1. The Shen-Chen scheme [2] suffers from the same attack as the Wu-Chang scheme [1]. From Figure 1, the security class C3 can first compute its successor C5's secret parameter b_5 by b_5 = f_3(ID_5 || (g^{S_3} mod p)) and then derive its private key S_5 = Q_5 · b_5 mod p. Since the security classes C3 and C2 have the same immediate successor C5, the derived secret parameter b_5 also satisfies the relation f_2(ID_5 || (g^{S_2} mod p)) = b_5 (mod p). With the knowledge of b_5, C3 can derive g^{S_2} mod p by finding the roots of the polynomial equation f_2(x) = b_5 over the finite field GF(p) in polynomial time [4, 5]. After that, C3 can use g^{S_2} mod p to compute b_4 = f_2(ID_4 || (g^{S_2} mod p)) and then derive C4's private key as S_4 = Q_4 · b_4 mod p by eqn. 7. This implies that u_3a has the access right to the information items held by the users in C4. This attack extends to the general case whenever two security classes in the hierarchy have the same immediate successor(s).

The security leak inherent in the Shen-Chen scheme is caused by the fact that g^{S_2} mod p can be compromised and used to compute the private key(s) of C2's successor(s). We can also eliminate the security leak by using a one-way hash function h to prevent g^{S_2} mod p from being disclosed. That is, we replace eqns. 5 and 6 with eqns. 5* and 6*, respectively:

(h(ID_j || (g^{S_i} mod p)), b_j)  (5*)

b_j = f_i(h(ID_j || (g^{S_i} mod p)))  (6*)

Since g^{S_2} mod p is protected by the one-way hash function h, it is computationally infeasible to compute the private key(s) without following the predefined partially ordered relation, based on the intractability of reversing h [6]. Hence, the improvement is secure against the above attack.

4 Conclusions

We have shown that both the Wu-Chang and the Shen-Chen schemes violate the requirements defined for a key assignment scheme in a poset user hierarchy. In both schemes, if there exist two (or more) security classes having the same immediate successor(s), a malicious insider can have access to the information items held by those who are not his successors without following the predefined partially ordered relation. Finally, we employ a one-way hash function to eliminate the security leaks inherent in both schemes.

References

[1] Wu, T.C. and Chang, C.C., 2001. Cryptographic key assignment scheme for hierarchical access control. International Journal of Computer Systems Science and Engineering, Vol. 1 (1), pp. 25-28.
[2] Shen, V.R.L. and Chen, T.S., 2002. A novel key management scheme based on discrete logarithms and polynomial interpolations. Computers & Security, Vol. 21 (2), pp. 164-171.
[3] Knuth, D.E., 1981. The art of computer programming, volume 2: seminumerical algorithms, 2nd edition. Addison-Wesley, MA.
[4] Ben-Or, M., 1981. Probabilistic algorithms in finite fields. 22nd Annual Symposium on Foundations of Computer Science (IEEE FOCS '81), pp. 394-398.
[5] Cohen, H., 1991. A course in computational algebraic number theory. Springer-Verlag.
[6] Diffie, W. and Hellman, M., 1976. New directions in cryptography. IEEE Transactions on Information Theory, IT-22 (6), pp. 644-654.