draft 4 - with new proof

Upload: murali89

Post on 08-Apr-2018


  • 8/6/2019 Draft 4 - With New Proof


    On the Security Proof of Wu-Wei Hierarchical Key Assignment Scheme

    Murali Medisetty, Yagna Srinath, and Anish Mathuria

    Dhirubhai Ambani Institute of Information and Communication Technology, Gandhinagar, Gujarat, India

    {murali krishna 2006, srinath battula, anish mathuria}@daiict.ac.in

    Abstract. This paper examines the security proof given by Wu and Wei for the hierarchical key assignment scheme proposed by them. Some errors in their proof and the proof model are identified, and a new proof model and a rigorous proof based on standard security notions are proposed.

    1 Introduction

    In the real world, we often find people, resources, etc. arranged in a hierarchical fashion such that some have higher access privileges than others. These are examples of hierarchical access control. In hierarchical access control, the users are divided into a set of security classes based on their access privileges. Each security class has some data which should be accessible only to the users of the same class or of another security class with higher privilege than the present class. Let $P = \{p_1, p_2, \ldots, p_n\}$ be the set of security classes. The access relationships between various classes can be represented by a partial order relation $\leq$ on the set $P$. If $p_j \leq p_i$, then $p_i$ is said to have a higher security clearance than that of $p_j$. Usually, a partially ordered set can be represented using a Hasse diagram, in which a node represents a security class and the edges represent the access relationship between the classes. If $p_j \leq p_i$, then $p_i$ is called a predecessor of $p_j$ and $p_j$ is called a successor of $p_i$. If there is no node $p_k$ (other than $p_i$ and $p_j$) in the hierarchy such that $p_j \leq p_k \leq p_i$, then $p_j$ is called an immediate successor of node $p_i$ and $p_i$ is called an immediate predecessor of $p_j$. A node with no predecessors is called a root node. Now, the problem is to ensure that any user in a certain class can obtain access to all the information belonging to the successors of the user's own class. However, the other way round should not be possible. This is sometimes referred to as the access control problem in a hierarchy.

    In 1983, Akl and Taylor [1] proposed a cryptographic solution for the hierarchical access control problem. Since then, cryptographic access control for a hierarchy has been an active area of research and numerous hierarchical key assignment schemes (HKAS) have been proposed. In order to provide a better handle on the numerous schemes available, Crampton et al. [6] surveyed the existing hierarchical key assignment schemes and classified them into various generic classes in such a way that the actual schemes are just instantiations of these generic classes.


    Their classification depends on the attributes of the scheme, such as the usage of dependent/independent keys and key derivation being direct/indirect. Intuitively, a scheme is said to have indirect key derivation if the key of a non-immediate successor cannot be found without explicitly computing the keys of other nodes on some path from the deriving node to the target node. For schemes with direct key derivation, keys for any successors can be found directly. Also, a scheme is said to use dependent keys if the key of any node depends on its immediate predecessors' keys. If the keys of nodes can be assigned independently, then we say that the scheme uses independent keys. Despite the existence of a large number of HKAS, there are very few schemes which are provably secure. In the class of schemes with direct key derivation, the Akl-Taylor scheme [1] has recently been proved secure by D'Arco et al. in [7]. In the class of schemes with indirect key derivation and independent keys, the scheme of Atallah et al. [3] is provably secure.

    1.1 Our contributions

    Finally, in the class of dependent key based and indirect schemes, Wu-Wei [9] have proposed a provably secure scheme. In this article, we show that Wu-Wei's proof is erroneous. We show that Wu-Wei's proof doesn't consider all the possible information available to the adversary and thus is incomplete and incorrect. We present the problems we identified in Wu-Wei's proof and provide a more robust proof.

    The rest of the paper is organized as follows. Section 2 introduces security notions in key hierarchies and some assumptions used in Wu-Wei's proof [9]. Sections 3 and 4 review Wu-Wei's scheme and provide a proof sketch of Wu-Wei's scheme respectively. Section 5 explains the errors we have found in the Wu-Wei proof. Section 6 proposes a rigorous proof for the scheme. Section 7 concludes the article.

    2 Security Notions

    Wu-Wei [9] used the following informal definition to capture the required security property for key hierarchies.

    A hierarchical access control scheme for poset hierarchy is secure if for any group of classes in the poset, it is computationally infeasible to derive the key of any class that is not a member of that group, nor a successor of any member of that group.

    Atallah et al. [2], [3] formalized a notion of security for key hierarchies called security w.r.t. Key-Recovery. They have also introduced another level of security, stronger than Key-Recovery, called security w.r.t. Key Indistinguishability. We will review these notions below.


    Before we present the formal definitions of the security notions, let us introduce a few notations. $Desc(p_i)$ and $Anc(p_i)$, where $p_i$ is a node in the hierarchy, represent the sets of descendants and ancestors of $p_i$ (including $p_i$) respectively. Similarly, $ImmPred(p_i)$ and $ImmDesc(p_i)$ represent the sets of immediate predecessors and immediate descendants of $p_i$ (excluding $p_i$) respectively. It is assumed that $S_i$ is the secret information given to the user of $p_i$ and that, using this and public information, the users in that class will be able to derive the encryption key $K_i$ (the key used for encrypting the data in a given class) of that class. $\Pr[E]$ denotes the probability that the event $E$ occurs. $|\cdot|$ denotes the modulus function.

    In the definitions below, the security notions are modeled using a game played by the adversary with a challenger. A special query called $Corrupt(p_i)$ can be issued by the adversary to the challenger, in which case the challenger has to answer the query by providing the adversary with $(S_i, K_i)$. However, note that there are some restrictions on the nodes on which the adversary can issue the corrupt query.

    Definition 2.1 (Key Recovery) [3]. A Key Assignment Scheme is secure w.r.t. key recovery if no polynomial time adversary has a non-negligible advantage (in the security parameter) against the challenger in the following game:

    Setup: The challenger sets up the hierarchy, assigns all the keys and gives the public information to the adversary $A$.

    Attack: The adversary issues a polynomial number of $Corrupt(p_i)$ queries, which the challenger answers by retrieving $(S_i, K_i)$ and giving $S_i$ to $A$.

    Break: The adversary chooses a node $p$, $p \notin Desc(p_i)$ for any $p_i$ for which the corrupt query was issued in the previous step. The adversary now outputs his choice $p$ along with his best guess $K'_p$ to the key $K_p$ of node $p$.

    The adversary's advantage is defined as: $\mathrm{Adv}^{KR}_A = \Pr[K'_p = K_p]$

    Another notion of security is Key Indistinguishability. In this notion, the adversary is allowed to corrupt all the nodes except the attacked node and its predecessors, and at the end of the game the challenger asks the attacker to distinguish between the actual key and a random string (of the same length as the key). If this is not possible for a polynomial time adversary with non-negligible advantage, then the scheme is said to be key indistinguishable. The formal definition follows.

    Definition 2.2 (Key Indistinguishability [3]) A Key Assignment Scheme is key indistinguishable if no polynomial time adversary $A$ has a non-negligible advantage (in the security parameter) against the challenger in the game below:

    Setup: The challenger sets up the hierarchy, assigns all the keys and gives the public information to the adversary $A$.


    Phase 1: The adversary issues a polynomial number of $Corrupt(p_i)$ queries, which the challenger answers by retrieving $(S_i, K_i)$ and giving $S_i$ to $A$.

    Challenge: After Phase 1, the adversary chooses $p$, $p \notin Desc(p_i)$ for any $p_i$ asked in Phase 1. Now the challenger picks a random bit $b \in \{0, 1\}$: if $b = 1$, it returns to $A$ the actual key of $p$, $K_p$; otherwise it returns to $A$ a random key, which is of the same length as $K_p$.

    Phase 2: The adversary can issue more $Corrupt(p_i)$ queries, for any $p_i \notin Anc(p)$, and obtain the corresponding $S_i$'s.

    The adversary outputs a bit $b' \in \{0, 1\}$ as its best guess to whether it was given the actual key $K_p$ or a random key. $A$ wins the game if $b' = b$.

    We define the adversary's advantage as: $\mathrm{Adv}^{KI}_A = |\Pr[b' = b] - 1/2|$

    As mentioned before, security w.r.t. key indistinguishability is a stronger form of security than security w.r.t. key recovery. Security w.r.t. key indistinguishability implies security w.r.t. key recovery, whereas the other way round is not true. To see this more clearly, let us suppose by contradiction that there exists a scheme which is secure w.r.t. key indistinguishability and not secure w.r.t. key recovery. In this case, when the adversary is playing the indistinguishability game (Def 2.2), with all the information he has obtained by corrupt queries, he can invoke another key recovery adversary on the same hierarchy¹. As we assumed that the scheme at hand is insecure w.r.t. key recovery, the key recovery adversary would return the correct key of the target node with non-negligible advantage. Now the indistinguishability adversary can compare the value provided to him/her by the challenger (in the challenge phase of the game) to the value output by the key recovery adversary and win the game described in Def 2.2 with non-negligible advantage². This is contradictory to our assumption that the scheme is secure w.r.t. key indistinguishability. Hence a key indistinguishably secure scheme is also secure w.r.t. key recovery.

    To see that security w.r.t. key recovery doesn't necessarily imply security w.r.t. indistinguishability, we can consider the example of the Wu-Wei scheme itself, which is secure w.r.t. key recovery and not secure w.r.t. key indistinguishability. We will see why in the later part of this article.

    1 Here, we assume that this key recovery adversary chooses the same target node as the key indistinguishability adversary, which happens with probability $1/n$, where $n$ is the number of nodes in the hierarchy.

    2 The advantage here would be $1/n$th of the advantage with which the key recovery adversary would win the game in Def 2.1. However, note that even this would be non-negligible.


    Fig. 1. Example Hierarchy

    3 Review of Wu-Wei Scheme

    Wu-Wei's scheme uses dependent keys and indirect key derivation. They claim that the security of the scheme depends on three assumptions, namely the discrete logarithm assumption (DL assumption), the decisional Diffie-Hellman assumption (DDH assumption) and the group decisional Diffie-Hellman assumption (GDDH assumption).

    Preliminaries The central authority (CA) chooses two odd primes $p$, $q$ such that $p = 2q + 1$. For a subgroup $G$ of $Z_p$, an auxiliary function $f : G \to [1, q]$ is defined as

    $$f(x) = \begin{cases} x & \text{if } x \leq q \\ p - x & \text{otherwise} \end{cases}$$

    Key Assignment The key assignment to the nodes is done by the CA as follows.

    Each node $p_i \in P$ is assigned $g_i$, a unique generator of group $G$. The corresponding key $K_i$ is computed by the CA as defined below and securely distributed to the users in $p_i$:

    $$K_i = \begin{cases} \text{randomly chosen from } G & \text{if } p_i \text{ is a root node} \\ f\left(g_i^{\prod(keys(ImmPred(p_i)))}\right) & \text{otherwise} \end{cases}$$

    where $keys(S) = \{K_s : s \in S\}$. The set of values $\{g_i^{\prod(keys(S))} : S \subset ImmPred(p_i) \text{ and } |ImmPred(p_i)| = |P| - 1\}$ is made public information. Note that $\prod(X) = \prod_{x \in X} x$, which means the product of the elements in set $X$, and if $X = \emptyset$ then $\prod(X) = 1$.

    Key Derivation For any non-root node $p_i$, the immediate predecessor $p_j$ of $p_i$ can derive the key as

    $K_i = h_{i,j}^{K_j}$, where $h_{i,j} = g_i^{\prod(keys(P) - \{K_j\})}$ is a public value.


    If the key of a non-immediate successor $p_i$ of a node $p_j$ needs to be derived, we need to find a path to $p_i$ from $p_j$ and derive the keys of all the intermediate nodes in the path using the above method. Hence one can see that the key derivation is indirect.

    Example Consider the hierarchy in Fig. 1. Initially unique generators, $g_a$ to $g_f$, are assigned to all nodes and are made public. Now, $K_a$ is chosen randomly from $G$, as $a$ is the root node. $K_b$ is computed as $K_b = f(g_b^{K_a})$. For node $e$, $K_e = f(g_e^{K_b \cdot K_c})$, as it has $b$ and $c$ as its immediate predecessors. Also note that $h_{e,b} = g_e^{K_c}$ and $h_{e,c} = g_e^{K_b}$ are made public.

    It should be noted that the Wu-Wei scheme is not secure w.r.t. key indistinguishability. To see why, consider the hierarchy in Fig. 1. Let $b$ be the target node. According to the game defined in Def 2.2, an adversary is allowed to corrupt node $d$ and thus obtain its key. Now, when the challenger gives him $x$ ($K_b$ or a random key), the adversary checks whether $K_d = f(g_d^x)$ or not and thus can correctly output the value of $b$ in the last phase of the game. This way the adversary has a non-negligible advantage in this game, and thus we can conclude that the scheme is insecure w.r.t. key indistinguishability.

    4 Wu-Wei's security proof revisited

    Wu-Wei provided a proof of security w.r.t. key recovery for their scheme [9]. We present a sketch of their proof in this section. The security of this scheme, as Wu-Wei claim, depends on the three assumptions discussed below.

    4.1 Assumptions

    The security proof of the scheme according to Wu-Wei relies on three standard assumptions, namely the discrete logarithm (DL) assumption, the decisional Diffie-Hellman (DDH) assumption and the group Diffie-Hellman (GDDH) assumption over the group G (of prime order q) [4], [8], [5]. Let g be a generator of G, a, b, c be random variables uniform on [1, q], be a set of random variables uniform on [1, q], l be the binary length of q. Let || be polynomially bounded by l. For any probabilistic polynomial time (in l) algorithm A, any polynomial Q, and l large enough, the three assumptions mentioned earlier can be formally expressed as follows:

    DL assumption. The DL assumption states that no polynomial time algorithm can obtain $a$, given $g$, $g^a$ as inputs. Mathematically, it can be written as:

    $$\Pr[A(g, g^a) = a] < 1/Q(l)$$


    DDH assumption. Consider an algorithm $A$ which outputs 1 when it guesses that the input given to it is of the form $(g, g^a, g^b, g^{ab})$ and 0 for $(g, g^a, g^b, g^c)$, where $c \neq ab$. Then the DDH assumption can be expressed mathematically as:

    $$|\Pr[A(g, g^a, g^b, g^{ab}) = 1] - \Pr[A(g, g^a, g^b, g^c) = 1]| < 1/Q(l)$$

    When the above assumption holds we say that the probability distributions $(g, g^a, g^b, g^{ab})$ and $(g, g^a, g^b, g^c)$ in the above equation are polynomially indistinguishable. For the sake of convenience we write the above assumption as:

    $$(g, g^a, g^b, g^{ab}) \approx_{poly} (g, g^a, g^b, g^c)$$

    GDDH assumption. Let

    () represent the product of the elements in i.e.() =

    x x . According to this assumption, any polynomial time algorithm

    (say A), will not be able to distinguish between g

    ()

    and gc

    , where c =

    (),even if it is given g

    (S), for all possible proper subsets of as inputs. Consideringthat the algorithm A outputs 1, when it guesses the input given to it was of theform (g, ga, gb, g

    ()) and 0 for (g, ga, gb, gc). Then GDDH assumption can be

    expressed mathematically as:

    |P r[A(g, g

    (), g

    (S)|S ) = 1] P r[A(g, g

    (S), gc|S ) = 1]| < 1/Q(l)

    Again, for notational convenience we write the above assumption as

    (g, g

    (), g

    (S)|S ) poly (g, g

    (S)|S )

    4.2 Proof

    Let $P$ be the set of all nodes in the hierarchy. Assume $|P|$ is polynomially bounded by $l$. Also, let $p_t$ be the target node, $K_t$ its secret key and $A$ the set of predecessors of $p_t$, i.e. $A = Anc(p_t) - \{p_t\}$. Now, we need to show that even if all the users of $P - A - \{p_t\}$ collude, it is intractable for them to compute $K_t$.

    We divide the set $P - (A \cup \{p_t\})$ into three subsets as follows.

    $B$ is the set of nodes in $P - A$ which have no predecessors in $P - A$ and which are not $p_t$.

    $D$ is the set of nodes which are immediate successors of $p_t$, i.e. $D = ImmDesc(p_t)$.

    $R$ is the set of remaining nodes, i.e. $R = P - (A \cup \{p_t\} \cup B \cup D)$.

    It should be noted that $R \cap B = R \cap D = \emptyset$, which is obvious from how $R$ is defined. Also, $B \cap D = \emptyset$, because if a node is in $D$, then one of its predecessors would be $p_t$, which means it has a predecessor in $P - A$ and is thus not eligible to be in the set $B$ by definition.

    For example, consider the hierarchy in Fig. 1 and let node $b$ be the target node. Then $A = \{a\}$, $B = \{c\}$ as node $c$ does not have any predecessors in $P - A$, $D = \{d, e\}$ and $R = \{f\}$.

    The proof proceeds by establishing the following claims.

    Claim 1. Even if all the users in $B$ collude, finding $K_t$ is intractable.

    Claim 2. Even if all the users in $B \cup D$ collude, finding $K_t$ is intractable.

    Claim 3. Even if all the users in $B \cup D \cup R$ collude, finding $K_t$ is intractable.

    Let gt be the generator assigned to pt and be the set of keys of immediate predecessors of pt. Also, let x =

    () and thus we can say Kt = g

    xt . The public

    information related to pt is

    {gt} {g

    (S)t |S , |S| = || 1}

    First we consider the case where all the users in B collude. If nodes in B share common immediate predecessor(s) with pt, then the subset of the set

    {gbi |bi B} {g

    (S)bi

    |S , bi B}, where gbi is the generator of node bi B,

    might be held by B. It is important to note that this is the maximal information that might be held by B obtained through common immediate predecessors, and the exact information that B will possess depends on the number of immediate predecessors shared by the target node and any node in B. So, it can be assumed that the information users in B might have in the worst case is as below

    {gbi |bi B} {g

    (S)bi

    |S , bi B}

    Overall, the information held by users of B is:

    = {gt} {g

    (S)t |S , |S| = || 1} {gbi |bi B} {g

    (S)bi |S , bi B}

    The following theorem is proved in Wu-Wei [9]. It shows that given the information as described above, it is intractable for a polynomial time adversary to

    distinguish between gxt and g()

    t .


    Theorem 1. Suppose the DDH and GDDH assumptions hold on group G. Let c be the random variable uniform on [1, q]. Then the two distributions

    Vbn =

    g

    ()

    t , {gt}, {gt, g

    (S)

    t |S }, {gbi |bi B}, {g

    (S)

    bi |S , bi B}

    and Vbn =

    gct , {gt}, {gt, g

    (S)t |S }, {gbi|bi B}, {g

    (S)

    bi|S , bi B}

    are polynomially indistinguishable.

    Now, if we consider the case where $B$ and $D$ collude, then we can see that the set $\{g_{d_i}, g_{d_i}^{K_t} \mid d_i \in D\}$ would be accessible to the colluding nodes. Note that the $g_{d_i}$ are the generators assigned to the nodes $d_i \in D$. The following example shows how this information can be generated by users in $B$ and $D$.

    Example. If $d_i$ has only one immediate predecessor, then $g_{d_i}^{K_t}$ is the secret key held by it. Even if $d_i$ has more than one immediate predecessor, the above information can be calculated by collusion. In Fig. 2, the node $f$ has three immediate predecessors. Let $b$ be the target node; then $D = \{f\}$, $B = \{c, d\}$. So, the information available as public values is $\{g_f^{K_b \cdot K_e}, g_f^{K_e \cdot K_d}, g_f^{K_d \cdot K_b}\}$. Now $c$ can derive the key of $e$, $K_e$, and thus calculate $g_f^{K_b} = (g_f^{K_b \cdot K_e})^{(K_e)^{-1}}$.

    Fig. 2.

    The following theorem is proved in Wu-Wei [9] using the DL assumption and the result in Theorem 1.


    Theorem 2. It is intractable for any polynomial time (in $l$) algorithm to derive $g_t^x$, i.e. $K_t$, from

    I = {gt, g

    (S)t |S , |S| = || 1} {gbi , g

    (S)

    bi|S , bi B}

    {gdi , gf(gxt )di

    |di D}

    i.e. for any polynomial time (in $l$) algorithm $A$, any polynomial $Q$, if $l$ is sufficiently large, then

    $$\Pr[A(I) = f(g_t^x)] < 1/Q(l).$$

    Now consider the third case, where $B \cup D \cup R$ collude. Note that all the nodes in $R$ are successors of either $B$ or $D$. So potentially there is no extra information added to our information set $I$. Hence, as we proved that $B \cup D$ cannot collude to recover the key $K_t$, it is also intractable for $B \cup D \cup R$ to collude and compute $K_t$. This completes the proof.

    5 Problems with the proof

    5.1 Incomplete information

    In the proof above, we see that the main idea is to partition the nodes which could potentially be corrupted by an adversary into three different sets. Each set contains nodes that hold similar information about $K_t$ which is considered critical to the security. When we consider the information relevant to the target node's key that is held by nodes in $B$, we can say that such information might exist due to common predecessors or common successors shared by the target node and the nodes in $B$. But the set of values {gbi |bi B} {g (S)bi |S , bi B}, which Wu-Wei [9] claim to be the whole information possibly held by users in $B$, is an underestimate. The information that $B$ holds due to the common non-immediate predecessors³ is not accounted for in this case. Hence, the information that would be held by nodes in $B$, either as public or private information, due to the common predecessors is not completely covered. This makes the proof of Claim 1 incomplete, as all the possible information is not considered. Note that the proof also neglects the information available to $B$ due to common successors, but in Claim 2 it is covered exhaustively. Even in this case the authors mention that the information available would be a subset of $\{g_{d_i}, g_{d_i}^{K_t} \mid d_i \in D\}$, but it is not a subset which would be available but the whole set in all the possible cases.

    We now model the information which was missed in Wu-Wei's proof, i.e. the information that is known to the users in $B$ which share non-immediate predecessors with the target node. Let us say $p_t$, the target node, and $b \in B$ share a non-immediate predecessor $p$. Since $p$ is a predecessor of both $p_t$ and $b$, there exist one or more paths from $p$ to $p_t$ and to $b$. For every possible pair of paths from $p$ to $p_t$ and $p$ to $b$, the relevant information with the users in $b$ is as described below.

    3 The common predecessor, which might be an immediate predecessor to only one or none of the nodes under consideration.

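    Let $p_t^r (= p), p_t^{r-1}, \ldots, p_t^1, p_t^0 (= p_t)$ and $p_b^s (= p), p_b^{s-1}, \ldots, p_b^1, p_b^0 (= b)$ be a pair of paths. Also let $K_t^{i+1}$ and $K_b^{j+1}$ be the sets of keys of all immediate predecessors of $p_t^i$ and $p_b^j$ respectively, where $0 \leq i < r$, $0 \leq j < s$. Now the key of the target node can be expressed as

    $$k_t = g_{p_t^0}^{\prod(K_t^1 - \{k_t^1\}) \cdot g_{p_t^1}^{\prod(K_t^2 - \{k_t^2\}) \cdots g_{p_t^{r-1}}^{\prod(K_t^r - \{k_t^r\}) \cdot k_t^r}}}$$

    and also

    $$k(b) = g_{p_b^0}^{\prod(K_b^1 - \{k_b^1\}) \cdot g_{p_b^1}^{\prod(K_b^2 - \{k_b^2\}) \cdots g_{p_b^{s-1}}^{\prod(K_b^s - \{k_b^s\}) \cdot k_b^s}}}$$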

    Notice that the information common to both these expressions is $k_b^s$ and $k_t^r$, which are nothing but the key of the common predecessor $p$. Though this exact information is missing in Wu-Wei's proof, information of a similar sort is considered there, and it is proven to be impossible to recover the key from such information. So, it is easy to see that the information obtained by the users in $B$ due to a non-immediate common predecessor also cannot be used to generate the key of the target node.

    5.2 Improper B-Definition

    We have discussed earlier that Wu-Wei's proof [9] tries to consider the information available to $B$ due to the common immediate predecessors only. But we have noticed that their proof fails to achieve even this in some cases. The definition of $B$ as given by Wu-Wei leaves out some nodes which hold information (due to common immediate predecessors) relevant to $K_t$. So, in these cases, though similar information (as in Theorem 1) is available in the hierarchy, it is neglected due to the bad definition of $B$. We will demonstrate the problem with Wu-Wei's definition of the set $B$ using the example below:

    Example. Consider the hierarchy shown in Fig. 3. Let $e$ be the target node; then the set of ancestors $A$ will be $\{a, b, c\}$. Node $d$ doesn't have any predecessors in $P - A$, so $d$ is in $B$. But $f$ has $d$ as a predecessor, which is in $P - A$, so $f$ is not in $B$. Therefore, according to Wu-Wei's definition, $B = \{d\}$. But one can note that no node in $B$ holds any critical information similar to that in the set⁴, as no node in $B$ shares a common immediate predecessor with $e$ (the target node). So all the argument in Theorem 1 is not required in this case. But if we observe the node $f$, it can be noted that it shares a common immediate predecessor with $p_t$ and holds critical information similar to that in the set, but the node $f$ is not included in $B$. In order to fix the above problem, we need to provide a more generic definition for $B$.

    4 = {gt} {g (S)t |S , |S| = || 1} {gbi |bi B} {g (S) bi|S , bi B}

    Fig. 3.

    The basic idea behind the definition of $B$ is to include all nodes which might be in possession of critical information about the target node's key through its predecessors, i.e. the nodes which might have predecessors of $p_t$ as their immediate predecessors. Observe that the siblings of the nodes on a path from the root to the target node may potentially have common children with the target node $p_t$ and thus hold some sensitive information regarding the key of the target node. The siblings of the target node itself are also included because they hold some related information, as some or all of the immediate predecessors of the target node are also their immediate predecessors. We propose the following definition for the set $B$.

    Definition 5.1 The set $B$ for a given hierarchy is constructed as below.

    Now using the new hierarchy, $B$ is defined as the set of all the siblings (not in $A \cup \{p_t\}$) of the nodes that are encountered in all possible paths from the root node to the target node.

    In the hierarchy in Fig. 3, according to the new definition, one can see that $B = \{d, f\}$. Note that there are two paths from $a$ (root node) to $e$ (target node), which are $a, b, e$ (path 1) and $a, c, e$ (path 2). Now consider all the nodes along path 1, which are $a$, $b$ and $e$. The node $f$ (sibling of $e$), which is not in $A \cup \{p_t\}$, is added into $B$. Now, considering path 2 similarly, we see that node $d$ is the sibling of $c$ and is not in $A \cup \{p_t\}$.

    However, the above definition would not work for multi-rooted hierarchies, as which root is to be considered becomes ambiguous in such a case. Hence Definition 5.1 needs to be changed for the case where the hierarchy under consideration has more than one root node. So, the definition below is proposed for the set $B$.


    Definition 5.2 The set $B$ for a given hierarchy is constructed as below.

    If the hierarchy has more than one root, then add an imaginary node (say node -1) such that all the existing root nodes are children of the node -1.

    Now using the new hierarchy, $B$ is defined as the set of all the siblings (not in $A \cup \{p_t\}$) of the nodes that are encountered in all possible paths from the root node to the target node.

    As an example of a multi-rooted hierarchy, consider Fig. 4. This is a multi-rooted hierarchy, so we need to add a dummy root as shown in Fig. 5, where the -1 node represents the dummy root. Let the target node $p_t = f$. First, consider the path -1, b, d, f. Clearly $e$ is a sibling of $d$ and $g$ of $f$. After considering all the other paths, the set $B$ remains $\{e, f\}$ in this case.

    Fig. 4.

    5.3 Incorrect inference

    Another anomaly exists in Wu-Wei's proof. In [9], it is stated that:

    Theorem 1 formally shows that even if all the nodes in B (according to Wu-Wei's definition) conspire, with the information I⁵, they can not distinguish Kt from a random number on [1, q].

    To be precise, it states that, given the information below, which is the public values and information relevant to $K_t$ derived from the keys of nodes in $B$, it is impossible for any polynomial time adversary to distinguish between $K_t$ and a random number. But this claim can be disproved with the example that follows.

    5 I= {gt} {g

    (S)t |S , |S| = || 1} {gbi |bi B} {g

    (S)

    bi|S , bi B}


    Fig. 5.

    {gt, g

    (S)t |S , |S| = || 1} {gbi , g

    (S)

    bi|S , bi B}

    Consider the hierarchy in Fig. 1. Let $b$ be the target node and, as already discussed, $B = \{c\}$. Now, the information available to the adversary through collusion with all the users of nodes in set $B$ includes $\{g_b\} \cup \{g_c, g_c^{K_a}\}$. Now note that $f(g_c^{K_a}) = K_c$ and is known to the adversary. So, the adversary can compute $K_e = f(h_{e,c}^{K_c})$ using $h_{e,c}$, which is available publicly. Hence the adversary has the secret key of node $e$, $K_e$. Now, if the adversary is given $x$ (which can be $K_b$ or a random value in $[1, q]$), he/she checks whether or not $f(h_{e,b}^x) = K_e$. Based on the result, if $f(h_{e,b}^x) = K_e$, then it can be inferred that the $x$ given was $K_b$, and if $f(h_{e,b}^x) \neq K_e$, the $x$ given was a random number. Thus, the adversary will be able to distinguish between $K_t$ and a random value. This negates the authors' claims in [9].

    Also, as the indistinguishability claim in Wu-Wei's proof for the case where the whole of $B$ colludes is shown to be wrong, one needs to prove that all users of $B$ colluding doesn't pose a threat to key recovery security in order to complete the proof of Claim 1.
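The two distinguishing checks described in Section 3 (via node d) and Section 5.3 (via node c), worked through on the Fig. 1 hierarchy as an added example; this is not code from the paper or from Wu-Wei. The toy primes, the choice of generators, the edge c -> f and all function names are assumptions made here; the remaining edges are the ones the text states.

```python
"""Toy Wu-Wei key assignment on the Fig. 1 hierarchy (added example)."""
from math import prod
import secrets

# Constructed toy parameters: p = 2q + 1 with p, q prime. Far too small for real use.
Q = 1019
P = 2 * Q + 1

# Immediate predecessors per node, as stated in the text for Fig. 1.
# ASSUMPTION: the text never says where f hangs; c -> f is assumed here.
PARENTS = {"a": [], "b": ["a"], "c": ["a"], "d": ["b"], "e": ["b", "c"], "f": ["c"]}

# Unique public generators g_a..g_f: distinct squares mod p, each of order q.
GEN = {node: pow(h, 2, P) for node, h in zip("abcdef", range(2, 8))}


def f(x):
    """Auxiliary function f: G -> [1, q] from the Preliminaries."""
    return x if x <= Q else P - x


def assign_keys(root_key=None):
    """CA side: K_i = f(g_i ^ product of the immediate predecessors' keys)."""
    keys = {}
    for node in "abcdef":  # parents always precede children in this order
        parents = PARENTS[node]
        if not parents:
            # Root key: a random element of G unless the caller fixes one.
            keys[node] = root_key or pow(secrets.randbelow(P - 3) + 2, 2, P)
        else:
            keys[node] = f(pow(GEN[node], prod(keys[p] for p in parents), P))
    return keys


def public_h(keys, child, parent):
    """Public value h_{child,parent}: g_child raised to the other parents' keys."""
    others = [keys[p] for p in PARENTS[child] if p != parent]
    return pow(GEN[child], prod(others), P)  # prod([]) == 1


def derive(h, parent_key):
    """Key derivation by an immediate predecessor: f(h ^ K_parent)."""
    return f(pow(h, parent_key, P))


def looks_like_kb_via_d(k_d, x):
    """Section 3 check: the holder of K_d tests K_d == f(g_d ^ x)."""
    return f(pow(GEN["d"], x, P)) == k_d


def looks_like_kb_via_c(k_c, h_e_c, h_e_b, x):
    """Section 5.3 check: the holder of K_c derives K_e, then tests f(h_{e,b} ^ x) == K_e."""
    k_e = derive(h_e_c, k_c)
    return derive(h_e_b, x) == k_e


if __name__ == "__main__":
    keys = assign_keys()
    h_eb, h_ec = public_h(keys, "e", "b"), public_h(keys, "e", "c")
    # Legitimate derivation: b and c both reach K_e from public values.
    print("b derives K_e:", derive(h_eb, keys["b"]) == keys["e"])
    print("c derives K_e:", derive(h_ec, keys["c"]) == keys["e"])
    # Challenge value: the real K_b versus a random value in [1, q].
    x_rand = secrets.randbelow(Q) + 1
    for label, x in (("real K_b", keys["b"]), ("random", x_rand)):
        print(label, looks_like_kb_via_d(keys["d"], x),
              looks_like_kb_via_c(keys["c"], h_ec, h_eb, x))
```

Both checks accept only the real $K_b$ among the candidates in $[1, q]$, which is why the scheme can meet key recovery security at best and not key indistinguishability.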

    6 Our proof

    As we have seen earlier, the proof given by Wu-Wei [9] would not be acceptable due to the problems pointed out in the earlier section. In this section, we provide another proof for Wu-Wei's scheme using the modern notions of security, which would be the first provable-security-style proof for any dependent keys based scheme in the literature.


    6.1 Outline

    In this section, we briefly outline the proof to be discussed in detail in the next section. To prove the key recovery security of Wu-Wei's scheme, we want to model all the information available to the adversary consistently and completely, unlike the previous proof; this is the first game the adversary plays. Then we remove the dependency between the values (both private and public information) of predecessors of the target node by constructing a series of similar games which differ only in some information that is provided to the key recovery adversary in the first game. We use an argument called twining and a lemma described later for a construction such that the adversary will not be able to perceive the change in information from the former game. Otherwise we can construct a polynomial time adversary which has a non-negligible advantage in breaking the DDH assumption. Having concluded that the adversary's behavior does not differ significantly between the first and the last games of the series, we then argue that the probability for any adversary to succeed in producing the key of the target node in the last game of the series using the existing information would be the same as that of a polynomial time adversary trying to guess the key. Thus, we conclude that the scheme is secure w.r.t. key recovery.

    6.2 Proof in detail

    Theorem 1. Wu-Wei's scheme is secure w.r.t. key recovery provided the DDH and DL assumptions hold on the group G.

    Let be a family of graphs corresponding to partially ordered hierarchies and let G = (V, E) be some graph in . Let u V be a class in the hierarchy and let STATu be a static polynomial time adversary attacking the class u. Now, based on the constraints of Def 2.1, STATu is allowed to corrupt only the nodes which do not have access to the target node u. If we let A be the set of predecessors of u (including u), then the set of nodes which STATu can corrupt is V A.

    Twining This argument is used to rename the product of keys of two of the ancestors in the exponent of the key of a common successor node. We then replace it with a random value in the next game. Every other occurrence is also replaced, and then the decisional Diffie-Hellman problem is modeled on these two successive games to show that the key recovery adversary cannot perceive the changes in the information of the ancestors. This kind of argument is used when the node has two or more immediate predecessors and so is not used in the first case.

    Also, this kind of argument is necessary when the target node is at a level below the immediate successors of the root node, or when the target node is one of the immediate successors in a hierarchy having multiple roots and has a sibling too, as in hierarchy 2 of case 2.

    To prove the theorem, we define a sequence of indistinguishable games G0, G1, . . ., where G0 is the actual adversarial game and where the adversary's advantage in the last game will only be negligible. In each game Gj, the goal of the adversary is to output k u, which is her best guess for the key ku chosen by the challenger in the attack game. Let SUCCj be the event that k u = ku in game Gj.

    For clarity of exposition, we first discuss two special cases, which exemplify the most technical aspects of the proof. We then describe how to tackle the general case.

    First case: u is one of the root nodes in G. We typically have 3 types of hierarchies w.r.t. this case. Any other hierarchy can be visualized in these hierarchies.

    Fig. 6.

    As shown in fig[6], the target root node is named as 1 in all the 3 hierarchies. The first hierarchy is a single root and single child hierarchy, the second is a single root multiple children hierarchy and the third is a multiple root multiple children hierarchy.

    We assume that there exists an AKRST which can break the scheme with non-negligible probability in polynomial time. We use the adversary to model an algorithm for breaking the discrete logarithm problem as in the following:

    Algorithm ADL(g, g)
    k1 =
    comment: is implicitly assumed to be the key of node 1 and is not known to ADL. As the other root nodes like 5 are corruptible they are assigned any value from the set of valid key values and are available to KR-ST adversary.
    g2 = g
    x = product of keys of immediate predecessors of 2 other than 1.
    comment: If a node has single immediate predecessor like in hierarchy 2 then x is equal to 1.
    k2 = (gx)
    comment: As there can be any number of siblings they are modeled here.
    for (sibling a of node 2) {
        ga = gr where r is any random value.
        y = product of keys of immediate predecessors of a other than node 1.
        ka = (g )r.y
    }
    comment: All the remaining public and private values given to adversary can be computed as usual using the above values.
    k 1 = AKRST(1 ,G,pub,corr)
    return k1
    End ADL

    Notice that in the above algorithm, as is not available, and in order to model the information consistently, we exploit the g and g available. As we cannot find the keys of the siblings of node 2 without , we assign their generators as gr where r is random; then according to the scheme (if node 2 has a single parent) the key should be (gr) which is equivalent to (g)r, which can be computed as g is available (if node 2 has multiple parents then, as the remaining parents are corruptible and so their keys are available, the so obtained gr. should be raised to the product of the remaining keys). Also, root nodes other than the target, like node 5, are corruptible and so can be assigned any valid value and are available to the KR-ST adversary in corr.

    So if the adversary is able to output k1 correctly, then we have found a polynomial time algorithm to break the DL problem modeled here in the form of the keys of nodes 1 and 2. But the DL problem is assumed to be hard. So it is a contradiction to our assumption that a KR-ST adversary exists. So if at all such an adversary exists, it has the same advantage as any polynomial time adversary attacking a DL problem.
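
    An added example (not from the paper) of why the view built by ADL is consistent: the keys of node 2 and its siblings are computed from the second input alone, yet they equal what the scheme would assign if node 1 really held the unknown exponent. The toy group, the hierarchy, the name alpha for the unknown exponent, the key rule k_i = g_i^(product of immediate predecessors' keys) as read from the algorithm's own steps, and the exhaustive-search stand-in for AKRST are all assumptions of this example.

```python
import random

# Toy group (constructed for illustration): p = 2q + 1 with p and q prime,
# and g = 4 generates the subgroup of prime order q.
P, Q, G = 2039, 1019, 4

# Constructed hierarchy in the spirit of the third one in Fig. 6:
# roots 1 (target) and 5 (corruptible); nodes 2, 3, 4 are children of node 1.
PARENTS = {2: [1, 5], 3: [1], 4: [1, 5]}


def prod_mod_q(values):
    """Product of exponents, reduced modulo the group order."""
    out = 1
    for v in values:
        out = out * v % Q
    return out


def real_keys(root_keys, gens):
    """Assumed key rule: k_i = g_i ^ (product of immediate predecessors' keys)."""
    return {i: pow(gens[i], prod_mod_q(root_keys[p] for p in ps), P)
            for i, ps in PARENTS.items()}


def simulate(g_alpha, corrupt_roots, rng):
    """View construction of A_DL: it is handed (g, g^alpha), never alpha."""
    gens, keys = {}, {}
    for i, ps in PARENTS.items():
        # Node 2 gets generator g; each sibling a gets g^r for a fresh random r.
        r = 1 if i == 2 else rng.randrange(1, Q)
        # x (or y): product of the keys of the other, corruptible predecessors.
        others = prod_mod_q(corrupt_roots[p] for p in ps if p != 1)
        gens[i] = pow(G, r, P)
        # (g^alpha)^(r*y) equals (g^r)^(alpha*y), the key the scheme would give.
        keys[i] = pow(g_alpha, r * others % Q, P)
    return gens, keys


def toy_adversary(gens, keys, corrupt_roots):
    """Stand-in for A_KR-ST: exhaustive search, feasible only in this toy group."""
    x = prod_mod_q(corrupt_roots[p] for p in PARENTS[2] if p != 1)
    for k in range(1, Q):
        if pow(gens[2], k * x % Q, P) == keys[2]:
            return k
    return None


def run_reduction(alpha, seed=7):
    """Return (view is consistent with k1 = alpha, value A_DL outputs)."""
    rng = random.Random(seed)
    corrupt_roots = {5: rng.randrange(1, Q)}
    gens, keys = simulate(pow(G, alpha, P), corrupt_roots, rng)
    consistent = keys == real_keys({1: alpha, **corrupt_roots}, gens)
    return consistent, toy_adversary(gens, keys, corrupt_roots)


if __name__ == "__main__":
    print(run_reduction(alpha=777))
```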

    Now we try to give the proof for the case of nodes immediately below the root node.

    Second case: u is one of the immediate descendants of any of the root nodes in G. We again have 3 typical hierarchies possible. In all these kinds of hierarchies node 2 is our target node.

    case 2a: As shown in the first hierarchy of fig[7], node 2 is the target node, and this case is similar to that of node 1 except that the target node has a predecessor, which is the only root node in the hierarchy.

    Fig. 7.

    If the target node has descendants then we assume that there exists an AKRST which can break the scheme with non-negligible probability in polynomial time. We use the adversary to model an algorithm which can break the DL problem as shown in the following:

    Algorithm ADL(g, g)
    k2 =
    comment: is implicitly assumed to be the key of node 2 and is not known to ADL. Node 1 is assigned any random key from the set of valid keys.
    g3 = g
    k3 = g
    comment: For any other node like 3, generator is assigned as gr where r is random and key of the node as (g)r. All the remaining public and private values given to adversary can be computed as usual.
    k2 = AKRST(1 ,G,pub,corr)
    return k2
    End ADL

    So if the adversary is able to output k2 then we have found a polynomial time algorithm to break the DL problem. But the DL problem is assumed to be hard. So it is a contradiction to our assumption that a KR-ST adversary exists. So if at all such an adversary exists, it has the same advantage as any polynomial time adversary attacking a DL problem.

    Now we have a case where the target node has a sibling. This case is not similar to the earlier case because the adversary against the scheme has to be provided with the keys of siblings, and so in the algorithm again the root node is implicitly assumed to be and the keys of the target node and its siblings are constructed using values input to the DDH algorithm.

    case 2b: As shown in the second hierarchy of fig[7], node 2 is the target node.

    In this case we construct a series of 2 games G0, G1, in each of which we modify the adversary KR-ST's view, and in the final game the KR-ST adversary does not have any real key values and so has the same advantage as any polynomial time adversary trying to guess the key.

    Algorithm ADDH(g, g, g, z)
    k1 =
    comment: is implicitly assumed to be the key of node 1 and is not known to ADDH.
    g2 = g
    k2 = f(z)
    for (sibling a of node 2) {
        ga = gr where r is any random value.
        ka = (g )r
    }
    comment: All the remaining public and private values given to adversary can be computed as usual using the above values.
    k2 = AKRST(1 ,G,pub,corr)
    return k2 = k2
    End ADDH

    Game0: This is a normal KR-ST adversarial game without any modification, i.e., the adversary is given all the correct values of keys and values of all the corruptible nodes derived from real key values (z = g).

    Game1: In this game the z value input to DDH algorithm is random and all the remaining values of descendants are calculated as in case.

    ADVKRST = |Pr[SUCC0]|
            ≤ |Pr[SUCC0|z = real] − Pr[SUCC1|z = random]| + Pr[SUCC1|z = random]

    Despite the knowledge of any public and private information derived from the random key, it would be information theoretically impossible for any polynomial time adversary to distinguish that the values are random unless the actual k2 is known to it. It follows that the probability of adversary KR-ST succeeding in game G1 is just 1/2 where is the security parameter.

    Pr[SUCC1] = 1/2

    ADVKRST = |Pr[SUCC0]| ≤ DDH + 1/2

    Lemma 1. |Pr[SUCC0|z = real] − Pr[SUCC1|z = random]| is DDH.

    proof: If the KR-ST adversary can output the key of node 2 correctly then it can be used to break the DDH assumption by virtue of the construction of games using the above algorithm. In game G0 the target node is assigned the DH tuple (g,g,g ,g) and in game G1 the target node's key is assigned (g ) as some random value. Now KR-ST outputs a key which can be used by the DDH algorithm to check and output whether it is a random or real key, with the probability of success of the KR-ST adversary, which is assumed to be non-negligible. Hence the DDH problem can be broken. But this is a contradiction, as the DDH problem is assumed to be hard on G. Hence the KR-ST adversary has negligible advantage in noticing the change in the environment.

    Now that the proof for a single root and a target node having siblings is given, a more general case, in which the target node has multiple parents (i.e. root nodes), is considered.

    case 2c: As shown in the third hierarchy of fig[7], node 2 is the target node and in this case there are two or more root nodes in the hierarchy.

    NOTE: There can be more than two root nodes. The following argument is still applicable, but should be applied until the exponent of the key of the target node is twined into a single value.

    In this case we use the twining argument which is discussed earlier. We modify the adversarial view in each of the successive games and show that the adversary has negligible advantage in observing the change in the successive games.

    Algorithm ADDH(g, g , g, z)
    k1 =
    k3 =
    comment: and are implicitly assumed to be the keys of immediate predecessors of 2 which are 1,3 and are not known to ADDH. If there are more than two root nodes then they are assigned the valid values from the set of keys. But in the next game the c1 is considered as and if there is another root then key of that node as and a similar argument is done until we end up with a random value and no other root nodes left unconsidered.
    g2 = g c1
    comment: The product is renamed as c1
    x = product of keys of immediate predecessors of node 2 other than 1 and 3
    k2 = f(zx)
    comment: Here z is implicitly assumed to be product of and or a random value depending on game. All the remaining public and private values given to KR-ST adversary can be computed using g,g and the keys of remaining root nodes are available to ADDH.
    k2 = AKRST(1 ,G,pub,corr)
    return k2 = k2
    End ADDH

    Game0: This is a normal KR-ST adversarial game without any modification, i.e., the adversary is given all the correct values of keys and public values of all the corruptible nodes. In this game z value input to adversary is g.

    Gamei-1: In this game the z value input to DDH adversary is real and all the remaining values of descendants are calculated as in case 2b.

    Gamei: In this game the z value input to DDH adversary is random and all the remaining values of descendants are calculated as in case. Ultimately we are replacing all the occurrences of (ci) with some random value.

    Let SUCCi be the probability of guessing K2 correctly by the adversary KR-ST.

    ADVKRST = |Pr[SUCC0]|
            ≤ |Pr[SUCC0] − Pr[SUCC1]| + |Pr[SUCC1] − Pr[SUCC2]| + ... + |Pr[SUCCn-1] − Pr[SUCCn]| + Pr[SUCCn]

    The number of games simulated depends upon the number of root nodes. In each successive game the occurrence of the product of two of the immediate predecessors, which is denoted by cj, or the product of cj and the key of one of the immediate predecessors not considered earlier, denoted by cj+1, is assigned a random value until all the immediate predecessors are exhausted.

    So in the final game Gn the information available related to the key is made absolutely random, and despite the knowledge of any public and private information derived from random keys of immediate predecessors, it would be information theoretically impossible for any polynomial time adversary to distinguish that the values are random unless the actual k2 is known to it. It follows that the probability of adversary KR-ST succeeding in game Gn is just 1/2.

    Pr[SUCC1] = 1/2

    ADVKRST = |Pr[SUCC0]| ≤ n DDH + 1/2

    Here n is the number of times the twining argument is applied for renaming and then replacing with random values to break the dependency between all the values available to the adversary.

    Lemma 2. |Pr[SUCCi-1|z = real] − Pr[SUCCi|z = random]| is DDH.

    proof: Assume that the KR-ST adversary outputs the correct key in both the games, which can be used by the DDH algorithm to answer the DDH problem with non-negligible probability equal to the success probability of adversary KR-ST. In game Gi-1 the key of the target node is the product of cj and the key of an immediate predecessor not considered earlier, and in game Gi the product used in the previous game is replaced with a random value (cj+1). It denotes the target node key (g) which is assigned a random value. So in these games cj is implicitly assumed to be and the immediate predecessor's key as . But it is a contradiction that the DDH problem can be broken in polynomial time. Hence the adversary has negligible advantage in outputting correct keys and hence in noticing the changes in the environment.

    With case 2c discussed above, the construction of the proof for the general case is discussed below using the arguments in case 2b and case 2c.

    General case: In general there can be any number of roots and the target node can be at any depth in the hierarchy. If the hierarchy has a single root, the first two hierarchies of each of the two special cases demonstrate how to start simulating the scheme, even though the special cases consider the target node at depth 0 and depth 1. Starting at the level below the root node and then moving towards the target node (which is at depth greater than 2), we have to use the twining argument used in case 2c, where we try to remove the dependency between the values of a node and its predecessors in a way that the adversary cannot identify the change in the game setup. Then in the final game, the dependency is completely removed and the adversary has the public and private values, but they are random. Hence the adversary has to guess the key, which can be done with probability 1/2.

    To remove the dependency in the information given to the adversary in the form of corruptible nodes' keys and public values, we first sort the predecessors of the target node, other than root nodes, topologically (although this is not the case when there is redundancy, which is discussed under special cases). Now we apply the twining argument, where we replace the product of keys of two of the immediate predecessors with some random value if the node under consideration has more than one root. Otherwise, if there is only one root node, then we use an argument similar to case 2b unless the hierarchy is purely vertical. We apply the twining argument until the value of the node considered is assigned a purely random value as in case 2c. So we apply the above arguments recursively on the nodes ordered earlier until we reach the target node. So in the final game the adversary's immediate predecessors are assigned random values, and so it does not have any real information from siblings of common predecessors of the target node, as they are replaced with random values. So the adversary cannot identify the change unless it has the original key of the target node.

    Game0: This is a normal KR-ST adversarial game without any modification, i.e., the adversary is given all the correct values of keys and public values of all the corruptible nodes. In this game z value input to adversary is g.

    Gamei-1: In this game the z value input to DDH adversary is real and all the remaining values of descendants are calculated as in case 2b.

    Gamei: In this game the z value input to DDH adversary is random and all the remaining values of descendants are calculated as in case. Ultimately we are replacing all the occurrences of (ci) with some random value.

    Let SUCCi be the probability of guessing key of node under consideration correctly by the adversary KR-ST.

    ADVKRST = |Pr[SUCC0]|
            ≤ |Pr[SUCC0] − Pr[SUCC1]| + |Pr[SUCC1] − Pr[SUCC2]| + ... + |Pr[SUCCn-1] − Pr[SUCCn]| + Pr[SUCCn]

    The number of games simulated depends upon the number of ancestral nodes. In each successive game the occurrence of the product of two of the immediate predecessors, which is denoted by cj, or the product of cj and the key of one of the immediate predecessors not considered earlier, denoted by cj+1, is assigned a random value until all the immediate predecessors are exhausted.

    So in the final game Gn the information available related to the key is made absolutely random, and despite the knowledge of any public and private information derived from random keys of immediate predecessors, it would be information theoretically impossible for any polynomial time adversary to distinguish that the values are random unless the actual key for the node under consideration is known to it. It follows that the probability of adversary KR-ST succeeding in game Gn is just 1/2.

    Pr[SUCC1] = 1/2

    ADVKRST = |Pr[SUCC0]| ≤ m DDH + 1/2

    Here m is the number of times the twining argument is applied for renaming and then replacing with random values to break the dependency between all the values available to the adversary. Finally, the proof for the scheme uses lemma 2 discussed in case 2c to bound the advantage of the KR-ST adversary in noticing the change in the game setup.

    Now we look at some of the special cases which are not covered in the general case, like a steep hierarchy or when redundancy is present.

    Other special cases: The hierarchies that are not covered in the usual context are listed here.

    Fig. 8.

    case 1: The first case is one where the hierarchy is the steepest possible. In this case the target node is at some depth and each internal node has only one child. In the following game we model such that all the predecessors of the target node are assigned some valid random keys. This operation is valid because the adversary cannot be given any information about the ancestors of the target node except their public info, which in this case are the generators, which are of no use to the adversary in this particular case.

    Suppose node i is the target and all ancestors are assigned random keys and the remaining values are computed. Now we can construct a DL algorithm using adversary AKRST.

    Algorithm ADL(g, g )
    ki =
    ki+1 = g
    comment: All the predecessors of the target node are assigned random values.
    gi+1 = g
    ki = AKRST(1 ,G,pub,corr)
    return ki
    End ADL

    NOTE: If the target node does not have any children then the proof argument is that the adversary does not have any information regarding the target node and it is information theoretically impossible for the KR-ST adversary to output the correct key with no less advantage than a polynomial time adversary trying to guess.

    The node i+1 is the descendant of the target node i and we have modeled a DL problem here. So if the adversary is able to output ki() then we have found a polynomial time algorithm to break the DL problem. But the DL problem is assumed to be hard. So our assumption is false. So the adversary has the same advantage as any polynomial time adversary attacking a DL problem.

    case 2: This case occurs in most of the hierarchies where redundancy is seen. As shown in the second hierarchy of fig 8, the edge between node 3 and node 2 is redundant, as node 2 can derive the key of node 3 by using the key of node 4. But such cases arise when the hierarchies are to be optimized for fast key derivation.

    NOTE: In this case our target node is somewhere below the level below the root and its immediate successors. We use the hierarchy shown in fig 8 to illustrate that if there is redundancy present in the hierarchy, the arguments (in assigning random keys to ancestors of the target node and the target node not being able to perceive the change) cannot be applied in topological order but should be done as in the following.

    We have to break the dependency between the values of the ancestors of the target node. We show a series of games G0, G1, G2 and so on. Game G0 is the original adversarial game, and in game G1 the node 3 is assigned random values, but still the adversary would not be able to perceive the change. We prove this claim by modeling a DDH problem.

    Algorithm ADDH(g, g, g, z)
    g3 = g
    k4 =
    comment: is implicitly assumed to be the key of one of the immediate predecessors of 3 which is 4 and are not known to ADDH. But in the next game the node 3 is assigned a random key. Then we continue to apply the twining argument and replace all the values of immediate predecessors of target node with random values and then in the final game it is argued information theoretically that the KR-ST adversary does not have any non-negligible advantage.
    comment: Here z is implicitly assumed to be product of and or a random value depending on the game. All the remaining public and private values given to KR-ST adversary can be computed using g,g and the keys of remaining root nodes are available to ADDH.
    k3 = AKRST(1 ,G,pub,corr)
    return k3 = k3
    End ADDH

    Game0: This is a normal KR-ST adversarial game without any modification, i.e., the adversary is given all the correct values of keys and public values of all the corruptible nodes.

    Game1: In this game the z value input to DDH adversary is random and all the remaining values of descendants are calculated as in case.

    Let SUCCi be the probability of success in game Gi by the adversary KR-ST.

    ADVKRST = |Pr[SUCC0]|
            ≤ |Pr[SUCC0] − Pr[SUCC1]| + .. + Pr[SUCCn]

    Despite the knowledge of any public information of siblings of all nodes from root to target node which are derived from random keys of ancestors of target node, it would be information theoretically impossible for any polynomial time adversary to distinguish that values are random unless the actual k2 is known to it. It follows that the probability of adversary KR-ST succeeding in game G1 is just 1/2.

    Pr[SUCC1] = 1/2

    ADVKRST = |Pr[SUCC0]| ≤ n DDH + 1/2

    We use lemma 1 discussed in case 2b to show that the advantage of the adversary noticing the change in game setup is negligible; otherwise a polynomial time algorithm can be constructed for breaking the DDH assumption using this adversary.

    7 Conclusions

    We have shown that Wu-Wei's proof in [9] suffers from a couple of errors. Also, we have changed their proof model to avoid the error with the definition of B, by redefining the set. However, the problem with the proof regarding indistinguishability should still be addressed by providing a key recovery proof in the case when users in B collude.

    Our proof makes use of the modern security notions and makes the assumptions on which the security of the scheme is based more explicit. Also, by simulating a polynomial time algorithm to break the security of a well-known problem using the adversary who can break the security of the scheme to be proved, we make our proof more rigorous and acceptable than the previous proof.

    The proof discussed in this article is limited to a static scheme, meaning no changes to the hierarchy or to the users in the security classes are allowed. But many existing schemes support these changes and also consider the costs of these updates as a measure of the efficiency of these schemes. Considering this fact, it is surprising to note that no scheme hitherto in the literature is proved to be secure along with the supported dynamic properties. This remains an open problem in the area of provable security for key hierarchies.

    References

    1. Akl, S., Taylor, P.: Cryptographic solution to a problem of access control in a hierarchy. J-TOCS 1(3), 239-248 (Aug 1983)

    2. Atallah, M., Frikken, K., Blanton, M.: Dynamic and efficient key management for access hierarchies. ACM Conference on Computer and Communications Security (CCS'05) pp. 190-202 (Nov 2005)

    3. Atallah, M.J., Blanton, M., Fazio, N., Frikken, K.B.: Dynamic and efficient key management for access hierarchies. ACM Trans. Inf. Syst. Secur. 12(3) (2009)

    4. Boneh, D.: The decision Diffie-Hellman problem. ANTS-III: Proceedings of the Third International Symposium on Algorithmic Number Theory pp. 48-63 (1998)

    5. Bresson, E., Chevassut, O., Pointcheval, D.: The group Diffie-Hellman problems. Selected Areas in Cryptography pp. 325-338 (2002)

    6. Crampton, J., Martin, K.M., Wild, P.R.: On key assignment for hierarchical access control. CSFW pp. 98-111 (2006)

    7. D'Arco, P., Santis, A.D., Ferrara, A.L., Masucci, B.: Variations on a theme by Akl and Taylor: Security and tradeoffs. Theor. Comput. Sci. 411(1), 213-227 (2010)

    8. Steiner, M., Tsudik, G., Waidner, M.: Diffie-Hellman key distribution extended to group communication. ACM Conference on Computer and Communications Security pp. 31-37 (1996)

    9. Wu, J., Wei, R.: An access control scheme for partial ordered set hierarchy with provable security. Selected Areas in Cryptography 2005, LNCS 3897 pp. 221-232 (2006)