An Efficient Key-Management Scheme for Hierarchical Access Control Based on Elliptic Curve Cryptosystem
Author: F.G. Jeng and C.M. Wang
Citation: Journal of Systems and Software

Outline
- Introduction
- Elliptic Curve Cryptosystem
- Proposed Scheme
- Analysis of Security
- Analysis of Time Complexity
- Analysis of Storage Complexity
- Conclusion
- Idea

Introduction
- Hierarchical access control problems: access rights among a group of users in an organization
- A higher-level user can access a lower-level user's data.
- A lower-level user cannot access a higher-level user's data.
[Figure: example organization chart with President; Office of Academic Affairs, Office of Student Affairs, Office of General Affairs; Teachers, Students, Library]

Introduction: Two Types of Hierarchies
- Tree hierarchy: each class (except the root class) has only one parent class.
- Partially ordered hierarchy: each class (except the root class) could have more than one parent class.

Introduction: Tree hierarchy
- The users are divided into a set of disjoint security classes C = {C1, C2, …, Cn}.
- Each class has its own cryptographic key.
- Each class (except the root class) has only one parent class.
- Cj ≤ Ci: Ci can read or store information in Cj, but the opposite is not allowed.
- Ci can derive the key of Cj.
[Figure: a tree hierarchy of classes C1 to C8]

Introduction: Partially ordered hierarchy
- The users are divided into a set of disjoint security classes C = {C1, C2, …, Cn}.
- Each class has its own cryptographic key.
- Each class (except the root class) could have more than one parent class.
- Cj ≤ Ci: Ci can read or store information in Cj, but the opposite is not allowed.
- Ci can derive the key of Cj.
[Figure: a partially ordered hierarchy of classes C1 to C7]

Introduction: Types of public-key cryptosystem
- Integer Factorization System: n = pq, where p and q are two primes. It is hard to factorize n.
- Discrete Logarithm System: $r^x \equiv h \pmod p$. It is hard to find x.
- Elliptic Curve Cryptosystem: Q = aP, where P and Q are two points over an elliptic curve. It is hard to find a.

Introduction: Goals of a Key-Management Scheme
- The scheme should be secure.
- The key-derivation process should be efficient.
- The scheme should have the dynamic access property.
- The scheme should require low computation overhead and less storage.
- The scheme should be flexible in the selection of a user's own secret key.

Elliptic Curve Cryptosystem: Advantages of ECC (Elliptic Curve Cryptosystem)
- ECC is roughly 10 times more efficient than either integer factorization systems or discrete logarithm systems in terms of computational overhead, key size and bandwidth.
- A key size of 4096 bits for RSA gives the same level of security as 313 bits in an ECC.

Elliptic Curve Cryptosystem: Mathematics Backgrounds on the ECC
- Elliptic curve equation E over Zp, where Zp = {0, 1, 2, …, p-1}
- Ep(a, b): $y^2 = x^3 + ax + b \pmod p$, where $a, b \in Z_p$ and $4a^3 + 27b^2 \neq 0$
- A finite abelian group is defined over Ep(a, b).
[Figure: the curve $y^2 = x^3 + x + 1$]

Elliptic Curve Cryptosystem: Mathematics Backgrounds of ECC
Operations of points in the ECC
- If P = (xp, yp), then P + (xp, –yp) = O. The point (xp, –yp) is the negative of P, denoted as –P.
- Example: let P = (6, 4); then –P = (6, –4). Since –4 ≡ 19 (mod 23), –P = (6, 19) over E23(1, 1).

Points over E23(1, 1):
(0, 1)    (6, 4)    (12, 19)
(0, 22)   (6, 19)   (13, 7)
(1, 7)    (7, 11)   (13, 16)
(1, 16)   (7, 12)   (17, 3)
(3, 10)   (9, 7)    (17, 20)
(3, 13)   (9, 16)   (18, 3)
(4, 0)    (11, 3)   (18, 20)
(5, 4)    (11, 20)  (19, 5)
(5, 19)   (12, 4)   (19, 18)

Elliptic Curve Cryptosystem: Mathematics Backgrounds of ECC
- Multiplication by an integer is defined by repeated addition; for example, 2P = P + P.
$$x_r = (\lambda^2 - x_p - x_q) \bmod p, \qquad y_r = (\lambda(x_p - x_r) - y_p) \bmod p$$
$$\lambda = \begin{cases} \dfrac{y_q - y_p}{x_q - x_p} \bmod p, & \text{if } P \neq Q \\[1ex] \dfrac{3x_p^2 + a}{2y_p} \bmod p, & \text{if } P = Q \end{cases}$$
- Example: P = (6, 4); λ = 5, xr = 13, yr = 7, so 2P = (13, 7) over E23(1, 1).

Elliptic Curve Cryptosystem: Mathematics Backgrounds on ECC
- Addition operation of two different points over Ep(a, b): if P = (xp, yp) and Q = (xq, yq) with P ≠ Q, then R = P + Q = (xr, yr), where
$$x_r = (\lambda^2 - x_p - x_q) \bmod p, \qquad y_r = (\lambda(x_p - x_r) - y_p) \bmod p$$
- Example: P = (6, 4), Q = (7, 11), λ = 7, xr = 13, yr = 16, so R = P + Q = (13, 16) over E23(1, 1).

Elliptic Curve Cryptosystem: Comparison: ECC vs. RSA

Elliptic curve logarithms using the Pollard rho method
Key size    MIPS-Years
150         3.8 x 10^10
205         7.1 x 10^18
234         1.6 x 10^28

Integer factorization using the general number field sieve
Key size    MIPS-Years
512         3 x 10^4
768         2 x 10^8
1024        3 x 10^11
1280        1 x 10^14
1536        3 x 10^16
2048        3 x 10^20

[Slide annotation: 160]

Proposed Scheme: Key-management Scheme for Tree Hierarchy
Mathematics background
- A function H: A → B is a one-way hash function; it is a one-to-one function, which implies that:
  - for every x in A, H(x) can be computed easily;
  - for every y = H(x) in B, it is infeasible to compute x.

Proposed Scheme: Key Generation Algorithm
Step 1
- The CA determines Ep(a, b): $y^2 = x^3 + ax + b \pmod p$, where p is a large prime number and $4a^3 + 27b^2 \neq 0 \bmod p$.
- The CA picks a base point G = (x, y) with the order n such that nG = O.
- The CA publishes Ep(a, b), G and n.

Proposed Scheme: Key Generation Algorithm
Step 2
- The CA selects Ã: (x, y) → v, where v is an integer number. The CA makes Ã public.
- The CA chooses a secret parameter nca and makes Pca public, where Pca = ncaG.
- Private parameter of the CA: nca
- Public parameter of the CA: point Pca

Proposed Scheme: Key Generation Algorithm
Step 3
- Class Ci chooses a secret key Ki, 1 ≤ Ki ≤ p-1.
- Class Ci chooses a secret parameter ni, ni ≤ n.
- Pi = niG is public.
- Ci sends (Ki, ni) to the CA secretly.
- Private parameters of Ci: Ki, ni
- Public parameter of Ci: point Pi = niG

Proposed Scheme: Key Generation Algorithm
Step 4
- The CA constructs a polynomial Hi(x) for Ci.
- For the root class, H(x) = nil: H1(x) = nil.
- For a non-root class,
$$H_i(x) = \prod_{t} \left(x - \tilde{A}(n_i P_t)\right) + K_i, \quad \text{where } C_i \le C_t.$$
[Figure: the hierarchy of classes C1 to C7]

Proposed Scheme: Key Generation Algorithm
Example
- H2(x) = (x - Ã(n2P1)) + K2
- H3(x) = (x - Ã(n3P1)) + K3
- H4(x) = (x - Ã(n4P1)) + K4
- H5(x) = (x - Ã(n5P1)) (x - Ã(n5P2)) + K5
- H6(x) = (x - Ã(n6P1)) (x - Ã(n6P2)) (x - Ã(n6P3)) (x - Ã(n6P4)) + K6
- H7(x) = (x - Ã(n7P1)) (x - Ã(n7P4)) + K7

Proposed Scheme: Key Derivation Algorithm
Step 1. Ci derives the key of Cj.
- Ci gets the public polynomial Hj(x) and Pj.
- Example: C1 derives the key of C6. C1 knows P6 and H6(x).

Proposed Scheme: Key Derivation Algorithm
Step 2. Ci computes Hj(Ã(niPj)) and obtains Kj.
- H6(x) = (x - Ã(n6P1)) (x - Ã(n6P2)) (x - Ã(n6P3)) (x - Ã(n6P4)) + K6
- Example:
  H6(Ã(n1P6))
  = (Ã(n1P6) - Ã(n6P1)) (Ã(n1P6) - Ã(n6P2)) (Ã(n1P6) - Ã(n6P3)) (Ã(n1P6) - Ã(n6P4)) + K6
  = (Ã(n1 n6G) - Ã(n6 × n1G)) (……) + K6   (the first factor equals 0)
  = K6

Proposed Scheme: Problems of Dynamic Access Control
- Addition of a new security class
- Deletion of a security class

Proposed Scheme: Addition of a new security class
- Class C8 is added to the hierarchy.
- C8 has private parameters (n8, K8) and public parameter P8 = n8G.
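- The CA constructs H8(x) for C8: H8(x) = (x - Ã(n8P1)) (x - Ã(n8P4)) + K8
[Figure: the hierarchy of classes C1 to C7 with class C8 added]

Proposed Scheme: Deletion of a Security Class
- Class C3 is removed from the hierarchy.
- The CA only deletes K3, n3, P3 and H3(x).
[Figure: the hierarchy before and after C3 is removed]

Analysis of Security: Conspiracy
- C5: public parameters (P5, H5(x)), private parameters (n5, K5)
- C6: public parameters (P6, H6(x)), private parameters (n6, K6)
- C5 and C6 know P2 and H2(x).
- n2: hard to obtain from P2 = n2G
- H2(x) = (x - Ã(n2P1)) + K2
- H2(Ã(n2P1)) = (Ã(n2P1) - Ã(n2P1)) + K2

Analysis of Time Complexity
- Constructing Hi(x) of degree m: O(m·log2m)
- Updating Hi(x) for n classes: O(nm·log2m)

Analysis of Storage Complexity
- ni: 300 bits
- Ki: 300 bits
- Point Pi = (xi, yi): 600 bits
- Hi(x): m log p 1 (degree m; prime p: 300 bits)
- RSA: 4096 bits; ECC: 313 bits

Conclusions
- The problem of hierarchical access control is discussed and solved.
- ECC is more efficient than other cryptosystems.
- Our key generation and key derivation based on ECC are efficient.
- The proposed scheme achieves the dynamic access property:
  - addition of a new class
  - deletion of an old class
- The proposed scheme has low computational overhead and less storage based on ECC.
- The proposed scheme is flexible in the selection of a user's own secret key.

Non-Expanded Progressive Visual Cryptography with a Priority Concept
- A progressive, non-expanded visual cryptography sharing method with different privilege levels
- (n, n)-PPSM: (n, n)-priority and progressive sharing model
- Under current progressive visual cryptography sharing mechanisms, participants cannot be given an appropriate privilege level according to their importance.
- The n secret-sharing participants all hold different privileges.

Experimental Results and Discussion
Figure 5: Stacking results of the share images in Figure 4
- Left: only after stacking five share images (NC = 0.74) can the outline of the secret image be faintly seen.
- Right: stacking three share images (NC = 0.72) is enough to faintly see the outline of the secret image; stacking four share images (NC = 0.78) shows the content of the secret image clearly.
- The study's secret sharing matrices do give the participants different secret-recovery capabilities.

Experimental Results and Discussion
Figure 7: Color share images generated from Figure 6
- High privilege → stack share images → fewer images → outline
- Low privilege → stack share images → more images → outline
- The experimental results in Figures 5 and 7 show that the recovery result of the secret image depends on the participant's privilege level.

Reflections
[Figure: diagram labelled A, B, C, D, E, F and a, b, c, d, e, f]

Teacher's Supplement
- Idea: could the keys use the concept of groups as a way of sharing the images?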
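
The point arithmetic on E23(1, 1) and the Key Generation and Key Derivation steps from the slides above, worked through as an added example that is not part of the original presentation. The base point G = (6, 4), the secrets n_i and K_i, and the encoding chosen for Ã are constructed assumptions, and H_j is evaluated over the integers because the slides show no modulus.

```python
# Toy parameters (constructed): the slides' curve E23(1, 1), so p = 23, a = 1;
# base point G = (6, 4) has order 14. O is the point at infinity.
p, a, G, O = 23, 1, (6, 4), None

def add(P, Q):
    """Point addition with the slides' lambda formulas."""
    if P is O or Q is O:
        return Q if P is O else P
    (xp, yp), (xq, yq) = P, Q
    if xp == xq and (yp + yq) % p == 0:
        return O                         # P + (-P) = O
    if P == Q:
        lam = (3 * xp * xp + a) * pow(2 * yp, -1, p) % p
    else:
        lam = (yq - yp) * pow((xq - xp) % p, -1, p) % p
    xr = (lam * lam - xp - xq) % p
    return (xr, (lam * (xp - xr) - yp) % p)

def mul(k, P):                           # k*P by double-and-add
    R = O
    while k:
        if k & 1:
            R = add(R, P)
        P, k = add(P, P), k >> 1
    return R

def A(P):                                # assumed public map A~: (x, y) -> v
    return p * p if P is O else P[0] * p + P[1]

# Constructed secrets n_i, K_i; ancestor sets read off the slides' H2..H7.
n = {1: 3, 2: 9, 3: 11, 4: 13, 5: 2, 6: 5, 7: 6}
K = {2: 17, 3: 8, 4: 21, 5: 4, 6: 19, 7: 12}
ANC = {2: [1], 3: [1], 4: [1], 5: [1, 2], 6: [1, 2, 3, 4], 7: [1, 4]}
PUB = {i: mul(n[i], G) for i in n}       # public points P_i = n_i * G

def build_H(j):
    """CA: expand H_j(x) = prod_t (x - A~(n_j * P_t)) + K_j into coefficients."""
    coef = [1]                           # highest degree first
    for t in ANC[j]:
        r = A(mul(n[j], PUB[t]))
        coef = [c - r * d for c, d in zip(coef + [0], [0] + coef)]
    coef[-1] += K[j]
    return coef
H = {j: build_H(j) for j in ANC}         # published polynomials

def derive(i, j):
    """Class i evaluates the public H_j at A~(n_i * P_j) by Horner's rule."""
    x, acc = A(mul(n[i], PUB[j])), 0
    for c in H[j]:
        acc = acc * x + c
    return acc
```

Every class listed in `ANC[j]` recovers K_j because n_i(n_jG) and n_j(n_iG) are the same point, so one factor of H_j vanishes; a class outside that set gets a value other than K_j with these parameters.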