Secret Sharing with Access Structures in a Hierarchy
Chin-Chen Chang*, Chu-Hsing Lin**, Wei Lee**, and Pai-Cheng Hwang*
* Department of Computer Science and Information Engineering, National Chung Cheng University
** Department of Computer Science and Information Engineering, Tunghai University

Abstract
In this paper, we propose a secret sharing scheme with the property of access structures in a hierarchy. We employ the concept of admission tickets to delegate the access right from ancestors to their descendants. Each participant group has an authorized access structure, and each access structure has its own secret key. The presented scheme is based on general hierarchies and may be more suitable for real applications.
Keywords: document management, secret sharing, access structure, hierarchical access control, delegation and agreement.
1. Introduction
A secret sharing scheme is an important method for users to share a secret key in a group. A simple secret sharing scheme is called an (a, w)-threshold scheme [4]. A more general case of the threshold scheme is the secret sharing scheme based upon an access structure [1, 7]. For some applications, we have to study the problem of secret sharing on the basis of access structures in a hierarchy. It has two properties:
- Participants are divided into several levels; each level has its own ancestors and descendants.
- The ancestor groups can delegate the tickets to their descendant groups, who can reconstruct the secret with their secret key and the ticket.
In this paper, we propose two schemes to solve the problem of secret sharing with access structures in a hierarchy. We organize this paper as follows: in Section 2, we introduce the access structures for delegation and agreement. In Section 3, the background of access control in a hierarchy is introduced. In Section 4, we propose our new schemes for secret sharing with hierarchical access structures. Section 5 gives the security analyses, and conclusions are drawn in Section 6.
2. Access Structures for Delegation
In this section, we shall introduce Charnes's hierarchical delegation for secret sharing schemes [3]. Let $P$ be a group of participants, and let an access structure $T$ be a collection of subsets of $P$, where $T$ is a monotone circuit, so that it is determined uniquely by its minimal sets [6]. Each subset in $T$ can jointly reconstruct the secret key $K$. Assume that the minimal sets of $T$ are $\{C_1, C_2, \ldots, C_r\}$; then $T$ can be written as the following Boolean equation:

$T = C_1 + C_2 + \cdots + C_r$  (1)
In a hierarchical access structure, we assume that $P$ is partitioned into $O$ levels $P_1, P_2, \ldots, P_O$, and each access structure $T_i$ corresponds to the level $P_i$. A delegation structure $D_i \subseteq \{i+1, i+2, \ldots, O\}$ determines which levels can be delegated to by level $i$. An agreement structure $B_i$, defined on $P_i$, is the collection of subsets of $P_i$ whose participants can jointly agree to delegate the ticket to any lower level $j \in D_i$. In the general case, $B_i$ can be the same as $T_i$.
3. Hierarchical Access Control
In 1997, C. H. Lin proposed an approach [7] for access control in a hierarchy. In 2001, H. H. Cho [8] presented an improvement of Lin's scheme. Cho's scheme lets a parent group $P_i$ publish a piece of public information $r_{ij}$ for its child $P_j$, as indicated in Figure 1.

Figure 1. The relationship between $P_i$ and $P_j$: the branch from $P_i$ to $P_j$ carries the public information $r_{ij}$.

There are two algorithms in this scheme:

Key generation algorithm
The key generation algorithm has three steps.
Proceedings of the 18th International Conference on Advanced Information Networking and Application (AINA’04) 0-7695-2051-0/04 $ 20.00 © 2004 IEEE
1. The trust authority (TA) chooses a large prime number $P_{TA}$ and publishes it. Note that computing the discrete logarithm is infeasible over $GF(P_{TA})$ [5, 10].
2. Each group $P_i$ selects its own secret key $K_i$, which satisfies $\gcd(K_i, P_{TA}-1) = 1$, and then sends it to the TA via a secret channel.
3. The TA computes the public information $r_{ij}$ for the parent group $P_i$ and the child group $P_j$ as follows:

$r_{ij} = (Z^{SG_i} \bmod P_{TA}) \; (K_j^{SG_i^{-1}} \bmod P_{TA})$  (2)

where

$SG_i = \mathrm{hash}(K_i\, ID_j)\, K_i \bmod \phi(P_{TA})$  (3)

and $\phi(P_{TA}) = |Z^*_{P_{TA}}| = P_{TA} - 1$, $Z$ is a primitive element of $GF(P_{TA})$, and $SG_i^{-1}$ is the multiplicative inverse of $SG_i$ modulo $P_{TA}$.

Based upon the hierarchical concept, we assume that there is a set of participants, namely $P$, which is partitioned into eight groups $P_0, P_1, \ldots, P_7$. Then we repartition these groups into three levels $L_0$, $L_1$, and $L_2$, where $L_0 = \{P_0\}$, $L_1 = \{P_1, P_2, P_3\}$, and $L_2 = \{P_4, P_5, P_6, P_7\}$. Figure 2 shows the relationship among them.
Key derivation algorithm
If a parent group $P_i$ wants to get the enciphered data from its child group $P_j$, $P_i$ has to derive the secret key $K_j$ by using its own secret key $K_i$:

$K_j = (r_{ij} \; (Z^{SG_i} \bmod P_{TA}))^{SG_i} \bmod P_{TA}$  (4)

Further, if an ancestor group $P_h$ of the group $P_j$ ($P_j \le P_h$), not the direct parent, also wants to access the data, then the secret key $K_j$ can also be derived along the path of branches from $P_h$ to $P_j$. For example, if $P_h$ is the parent of $P_i$ and $P_i$ is the parent of $P_j$, then $P_h$ can derive $K_j$ from its own secret key $K_h$ as follows:

$K_i = (r_{hi} \; (Z^{SG_h} \bmod P_{TA}))^{SG_h} \bmod P_{TA}$  (5)

$K_j = (r_{ij} \; (Z^{SG_i} \bmod P_{TA}))^{SG_i} \bmod P_{TA}$  (6)

We will adopt the concept of the above algorithms as the background of our secret sharing scheme. In the next section, we will introduce our secret sharing scheme in a hierarchical access structure.
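The key generation and key derivation algorithms above, as an added Python example; this is not code from the paper or from Lin's or Cho's work. It assumes SHA-256 for the unspecified hash, a toy prime $P_{TA} = 10007$ in place of a large one, XOR as the operator that combines the two terms of eq. (2) (the operator is illegible in the extracted text; XOR makes eq. (4) its exact inverse), and takes the exponent inverse $SG_i^{-1}$ modulo $\phi(P_{TA})$ rather than modulo $P_{TA}$, because an inverse used as an exponent must be taken modulo the group order for $K_j^{SG_i^{-1} SG_i}$ to equal $K_j$. Group indices serve as $ID_j$; all function and variable names are the example's own.

```python
# Added example (not from the paper): Cho/Lin hierarchical key derivation,
# eqs. (2)-(6). The TA publishes one r_ij per branch; a parent derives the
# child's key from its own key and r_ij, and an ancestor walks the path.
import hashlib
from math import gcd

# Constructed toy parameters: the paper needs a large prime over which the
# discrete logarithm is infeasible; 10007 only keeps the numbers small.
P_TA = 10007
PHI = P_TA - 1          # phi(P_TA) = |Z*_{P_TA}| = P_TA - 1

def prime_factors(n):
    """Distinct prime factors by trial division (n is tiny here)."""
    out, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            out.add(d)
            n //= d
        d += 1
    if n > 1:
        out.add(n)
    return out

def primitive_root(p):
    """Smallest primitive element of GF(p), the paper's Z."""
    for z in range(2, p):
        if all(pow(z, (p - 1) // q, p) != 1 for q in prime_factors(p - 1)):
            return z
    raise ValueError("no primitive root found")

Z = primitive_root(P_TA)

def hash_kid(k_i, id_j):
    """hash(K_i ID_j): the paper names no hash; SHA-256 over decimal strings is assumed."""
    return int.from_bytes(hashlib.sha256(f"{k_i}|{id_j}".encode()).digest(), "big")

def sg(k_i, id_j):
    """Eq. (3): SG_i = hash(K_i ID_j) K_i mod phi(P_TA)."""
    return (hash_kid(k_i, id_j) * k_i) % PHI

def choose_key(children, start):
    """Each group picks K_i with gcd(K_i, P_TA-1) = 1; the search also makes sure
    every SG_i toward its children is invertible, which eq. (2) needs (example setup)."""
    k = start
    while not (gcd(k, PHI) == 1 and all(gcd(sg(k, j), PHI) == 1 for j in children)):
        k += 1
    return k

def branch_info(k_i, k_j, id_j):
    """Eq. (2). XOR is the assumed operator between the two terms; the exponent
    inverse SG_i^{-1} is taken modulo phi(P_TA) so that K_j^(SG_i^{-1} SG_i) = K_j."""
    e = sg(k_i, id_j)
    return pow(Z, e, P_TA) ^ pow(k_j, pow(e, -1, PHI), P_TA)

def derive_child_key(k_i, id_j, r_ij):
    """Eq. (4): K_j = (r_ij xor (Z^{SG_i} mod P_TA))^{SG_i} mod P_TA."""
    e = sg(k_i, id_j)
    return pow(r_ij ^ pow(Z, e, P_TA), e, P_TA)

def derive_along_path(k_start, path, public):
    """Eqs. (5)-(6): an ancestor derives keys branch by branch down to the target."""
    k = k_start
    for i, j in zip(path, path[1:]):
        k = derive_child_key(k, j, public[(i, j)])
    return k

# Constructed hierarchy of Figures 2-3 (parent -> children); the group index is ID_j.
CHILDREN = {0: [1, 2, 3], 1: [4, 5], 2: [5, 6], 3: [6, 7], 4: [], 5: [], 6: [], 7: []}

def ta_setup():
    """TA collects K_i from each group and publishes r_ij for every branch."""
    keys = {i: choose_key(CHILDREN[i], 1000 + 100 * i) for i in CHILDREN}
    public = {(i, j): branch_info(keys[i], keys[j], j) for i in CHILDREN for j in CHILDREN[i]}
    return keys, public
```

`ta_setup()` publishes the nine $r_{ij}$ of Figure 3; `derive_along_path(keys[0], [0, 2, 6], public)` walks $P_0 \to P_2 \to P_6$ exactly as eqs. (5)-(6) describe, and the same $K_6$ is reached through $P_3$. Recovering $K_j$ from a published $r_{ij}$ without $K_i$ would require $SG_i$, and with a real-sized prime that is what the scheme's discrete-logarithm assumption in Section 5 is meant to protect; with the toy prime here it protects nothing.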
4. Secret Sharing in a Hierarchy
When we focus on the access control scheme in a hierarchy, we find some drawbacks. Assume that a group $P_h$ is the parent of the group $P_i$, which is in turn the parent of the group $P_j$. Then the data that $P_h$ wants to transmit to $P_j$, enciphered by $K_j$, can be deciphered by both $P_i$ and $P_j$. An ancestor can know any information of its descendants, but in some cases we want the data transmitted from an ancestor group to be extractable only by a certain specified descendant group. That is, all ancestor groups other than the sending ancestor group receive no information about the transmitted or enciphered data. By modifying some conditions and hypotheses, the concept of admission tickets can solve this problem, and the secret sharing scheme can keep the property of a hierarchical structure.

Figure 2. The participant groups in a hierarchy: level $L_0 = \{P_0\}$, level $L_1 = \{P_1, P_2, P_3\}$, level $L_2 = \{P_4, P_5, P_6, P_7\}$.

Each group $P_i$ has a corresponding access structure $T_i$, which is a monotone circuit and determines a minimal set of the monotone circuit. Then, if the participants at a higher-level group want to delegate the ticket to lower-level participants, the following three rules must be satisfied:
- Only the participants at a descendant group can be delegated the ticket from the participants at a higher-level group.
- Only the participants at a pre-specified group can be delegated the ticket from the participants at an ancestor group.
- A certain group of participants shall mutually approve delegating the ticket to the participants at a pre-specified descendant group.
According to the three rules above, we need the two additional access structures mentioned in Section 2: the delegation structure $D$ and the agreement structure $B$. In other words, each group of participants $P_i$ shall keep three access structures, $T_i$, $D_i$, and $B_i$, each defined by $P_i$ itself. Note that the members of the delegation structure $D_i$ can only be descendant groups of $P_i$, and in the general case the agreement structure $B_i$ is the same as $T_i$. We assume that there is a TA to help each group generate its own secret key $K_i$ and to assign the public information $r_{ij}$ of each branch between group $P_i$ and group $P_j$. Figure 3 shows the key distribution of the hierarchy in Figure 2.

Figure 3. The key distribution of Figure 2: group keys $K_0, \ldots, K_7$ and branch information $r_{01}, r_{02}, r_{03}, r_{14}, r_{15}, r_{25}, r_{26}, r_{36}, r_{37}$.

Note that each authorized subset of the access structure $T_i$ of the group $P_i$ can get the secret key $K_i$ if the members of the authorized subset cooperate with each other. Another responsibility of the TA is to generate and distribute the shadows and tickets to all participants in $P$. Next, the TA also helps an authorized subset of the access structure $T_i$ of the group $P_i$ to collect and recover the secret key $K_i$. We shall describe our secret sharing scheme with hierarchical access structures in two cases, unconditional and conditional, depending on whether the shadows are reused or not.
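An added Python example (not from the paper) of the three access structures in play: $T_i$ and $B_i$ as lists of minimal sets, so that a subset is authorized exactly when it contains one of them (the monotone structure of eq. (1)), and the three delegation rules of this section checked against $D_i$ and $B_i$ over the hierarchy of Figure 2. The participant names a..g and the particular structures chosen for $P_0$ and $P_1$ are constructed for illustration.

```python
# Added example (not from the paper): authorized subsets under a monotone
# access structure given by its minimal sets (eq. (1)), plus the three
# delegation rules of Section 4 using D_i (delegation) and B_i (agreement).

# Constructed hierarchy of Figure 2: parent -> children.
CHILDREN = {0: [1, 2, 3], 1: [4, 5], 2: [5, 6], 3: [6, 7], 4: [], 5: [], 6: [], 7: []}

def descendants(i):
    """All groups below P_i, following branches transitively."""
    out, stack = set(), list(CHILDREN[i])
    while stack:
        j = stack.pop()
        if j not in out:
            out.add(j)
            stack.extend(CHILDREN[j])
    return out

def is_authorized(subset, minimal_sets):
    """Monotone structure T = C_1 + ... + C_r: a subset is authorized iff it
    contains at least one minimal set C_k (monotonicity: supersets stay authorized)."""
    s = frozenset(subset)
    return any(frozenset(c) <= s for c in minimal_sets)

def can_delegate(i, j, agreeing, D, B):
    """Rules of Section 4: (1) P_j must be a descendant of P_i, (2) P_j must be
    pre-specified in D_i, (3) the agreeing participants must be an authorized
    subset of B_i. Returns (ok, reason) so a refusal says which rule failed."""
    if j not in descendants(i):
        return False, "P_%d is not a descendant of P_%d" % (j, i)
    if j not in D[i]:
        return False, "P_%d is not in the delegation structure D_%d" % (j, i)
    if not is_authorized(agreeing, B[i]):
        return False, "agreeing participants are not an authorized subset of B_%d" % i
    return True, "ok"

# Constructed structures. For P_0: T_0 = ab + cde, B_0 = T_0 (the paper's
# general case), D_0 = {6}, i.e. only P_6 may receive P_0's ticket.
# For P_1: T_1 = fg, B_1 = T_1, D_1 = {5}.
T = {0: [{"a", "b"}, {"c", "d", "e"}], 1: [{"f", "g"}]}
B = {0: T[0], 1: T[1]}
D = {0: {6}, 1: {5}}
```

`can_delegate(0, 6, {"a", "b"}, D, B)` succeeds; `can_delegate(0, 5, ...)` fails on rule 2 even though $P_5$ is a descendant, and `can_delegate(1, 6, {"f", "g"}, D, B)` fails on rule 1 because $P_6$ is not below $P_1$ in Figure 2.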
4.1. Unconditional Secret Sharing
In the unconditional situation, the participants in an authorized subset have to hand their own shadows to the TA to generate the secret key $K$, and the shadows are then no longer secure the next time. It means that they need to generate new shadows and a new secret key $K'$. Here, we use Cho's scheme to help an ancestor group $P_i$ find the secret key $K_j$ of its descendant group $P_j$. The public information of the branch connecting the parent group $P_i$ to its child group $P_j$ is computed by the following formula:

$r_{ij} = (Z^{SG_i} \bmod P_{TA}) \; (K_j^{SG_i^{-1}} \bmod P_{TA})$  (7)

where

$SG_i = \mathrm{hash}(K_i\, ID_j)\, K_i \bmod \phi(P_{TA})$  (8)

Let us consider the case in Figure 3. First, every document is sent to the TA, and the TA transfers the document, enciphered by $P_0$'s secret key $K_0$, to the highest-level group $P_0$. Therefore, the authorized subset of the access structure $T_0$ of the group $P_0$ has to cooperate to recover the secret key $K_0$. After deciphering the secret document, the participants in the authorized subset know the content of the document. Suppose they find the document appropriate to be known by the descendant $P_6$. Then the participants of the access structure $T_0$ contact the subset of the agreement access structure $B_0$ and ask for the ticket $t_0$ from $B_0$. Further, they encipher the document with the secret key $K_6$ and the ticket $t_0$, and transmit the enciphered document to the group $P_6$. They also give the ticket $t_0$ to the TA via a secure channel. When the participants in the authorized subset of the access structure $T_6$ of the group $P_6$ want to decipher the enciphered document, they first cooperate to recover their secret key $K_6$, and next they receive the ticket $t_0$ from the TA. Therefore, they can decipher the enciphered document with the secret key $K_6$ and the ticket $t_0$. After the participants have cooperated to recover the secret key $K$, the shadows and the secret key $K$ are no longer secure. Therefore they need to generate new shadows and a new secret key $K'$ with the help of the TA. Then the TA has to change the public information $r_{ij}$ of the branches.
4.2. Conditional Secret Sharing
The unconditional secret sharing scheme in a hierarchy can be used again because it redistributes the shadows of the participants every time. In this subsection, based upon the property of reusing the shadows, we will convert the unconditional secret sharing scheme into a conditional one. Following the method in [9], we achieve the property of reusing shadows. For unconditional secret sharing in a hierarchy, we assume an authorized subset $A_i \in T_i$ of $|A_i|$ participants, a secret key $K_i$, and the shadows $s_{i,1}, s_{i,2}, \ldots, s_{i,|A|}$. Then the TA publishes $|A|$ corresponding parameters $u_{i,1}, u_{i,2}, \ldots, u_{i,|A|}$ such that

$K_i = s_{i,1} u_{i,1} + s_{i,2} u_{i,2} + \cdots + s_{i,|A|} u_{i,|A|}$  (9)

For conditional secret sharing based upon the discrete logarithm, we assume a secret key $g_i^{K_i} \bmod P_{TA}$, and each shadow $s_{i,j}$, for $1 \le j \le |A|$, is changed to $g_i^{s_{i,j}} \bmod P_{TA}$, where $P_{TA}$ is a large prime number and $g_i$ should satisfy $\gcd(g_i, P_{TA}-1) = 1$. Then the TA publishes $|A|$ corresponding parameters $u_{i,1}, u_{i,2}, \ldots, u_{i,|A|}$ and $g_i$ such that

$g_i^{K_i} \bmod P_{TA} = (g_i^{s_{i,1}} \bmod P_{TA})^{u_{i,1}} \, (g_i^{s_{i,2}} \bmod P_{TA})^{u_{i,2}} \cdots (g_i^{s_{i,|A|}} \bmod P_{TA})^{u_{i,|A|}}$  (10)
Next, we shall consider the public information $r_{ij}$ of each branch $ij$ connecting the parent group $P_i$ to the child group $P_j$. The public information $r_{ij}$ will be computed as follows:

$r_{ij} = (Z^{SG_i} \bmod P_{TA}) \; (g_j^{K_j\, SG_i^{-1}} \bmod P_{TA})$  (11)

where

$SG_i = \mathrm{hash}(g_i^{K_i}\, ID_j)\, g_i^{K_i} \bmod \phi(P_{TA})$  (12)

and $P_{TA}$ is a large prime number chosen by the TA. Then the TA assigns the public information $r_{ij}$ to each branch $ij$. If the participants in an authorized subset of the access structure $T_i$ of the parent group $P_i$ want to know the secret key $g_j^{K_j} \bmod P_{TA}$ of the child group $P_j$, then they can compute the following formula:

$g_j^{K_j} = (r_{ij} \; (Z^{SG_i} \bmod P_{TA}))^{SG_i} \bmod P_{TA}$  (13)
After generating the ticket $t_i$ and knowing the secret key of the group $P_j$, the authorized subset of the access structure $T_i$ can send the secret document enciphered by $t_i$ and $g_j^{K_j} \bmod P_{TA}$. Before knowing the secret key of group $P_j$, the participants in the authorized subset of the access structure $T_i$ will first share their shadows. It means that after the communication, group $P_i$ and its descendant group need to change the old secret key to a new one. Hence, the TA first produces a new generator $g_i'$ where

$(g_i')^{K_i} \bmod P_{TA} = ((g_i')^{s_{i,1}} \bmod P_{TA})^{u_{i,1}} \, ((g_i')^{s_{i,2}} \bmod P_{TA})^{u_{i,2}} \cdots ((g_i')^{s_{i,|A|}} \bmod P_{TA})^{u_{i,|A|}}$  (14)

Then the TA broadcasts $g_i'$, and each participant $l$ of the access structure $T_i$ in the group $P_i$ changes his/her old shadow $g_i^{s_{i,l}} \bmod P_{TA}$ to the new shadow $(g_i')^{s_{i,l}} \bmod P_{TA}$, and generates the new secret key $(g_i')^{K_i} \bmod P_{TA}$.
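The shadow-reuse mechanism of eqs. (9), (10) and (14), together with the point made in Section 5 that a participant releases $g^{s_{i,j}}$ rather than $s_{i,j}$, as an added Python example that is not code from the paper. It assumes a toy prime $P_{TA} = 10007$, that eq. (9) holds modulo $\phi(P_{TA})$ (which is what makes the exponent form (10) follow from it), and fixed small values for the free coefficients $u_{i,j}$, since the paper does not say how the TA picks them; the shadows, the key and the generators 3 and 5 are constructed values.

```python
# Added example (not from the paper): shadow reuse by exponentiation,
# eqs. (9), (10) and (14). Participants release g^{s_j} mod P_TA, never s_j;
# the TA publishes u_j so the released values recombine to the group key
# g^{K_i} mod P_TA, and a fresh generator g' yields fresh shadows and a fresh
# key while the s_j and the u_j are kept unchanged.
from math import gcd

# Constructed toy modulus: the paper needs a large prime (discrete log must
# be infeasible); 10007 only keeps the numbers readable and is NOT secure.
P_TA = 10007
PHI = P_TA - 1          # phi(P_TA) = P_TA - 1

def publish_coefficients(shadows, k_i):
    """Eq. (9): the TA fixes u_1..u_{n-1} and solves for u_n so that
    sum(s_j * u_j) = K_i (mod phi(P_TA)). Fixed small values stand in for
    whatever choice the TA makes (example setup). Working modulo phi(P_TA)
    is what makes the exponent identity (10) hold by Fermat's theorem."""
    *head, s_last = shadows
    if gcd(s_last, PHI) != 1:
        raise ValueError("last shadow must be invertible modulo phi(P_TA)")
    u = [3 + idx for idx in range(len(head))]
    partial = sum(s * uj for s, uj in zip(head, u)) % PHI
    u.append(((k_i - partial) * pow(s_last, -1, PHI)) % PHI)
    return u

def release_shadows(g, shadows):
    """What each participant actually hands over: g^{s_j} mod P_TA (Section 5)."""
    return [pow(g, s, P_TA) for s in shadows]

def recover_key(released, u):
    """Eq. (10) / eq. (14): the product of (g^{s_j})^{u_j} mod P_TA equals
    g^{sum(s_j u_j)} = g^{K_i} mod P_TA, without anyone learning the s_j."""
    acc = 1
    for gs, uj in zip(released, u):
        acc = acc * pow(gs, uj, P_TA) % P_TA
    return acc

def round_trip(g, shadows, k_i):
    """One use of the scheme with generator g: returns (recovered, expected)."""
    u = publish_coefficients(shadows, k_i)
    return recover_key(release_shadows(g, shadows), u), pow(g, k_i, P_TA)

# Constructed values: three shadows and a group key K_i with gcd(K_i, P_TA-1) = 1.
SHADOWS = [1234, 2345, 3457]
K_I = 4321

def demo():
    """First round with g = 3, then the refresh of eq. (14) with g' = 5:
    the u_j are unchanged, only the generator and the released values differ."""
    first = round_trip(3, SHADOWS, K_I)
    second = round_trip(5, SHADOWS, K_I)
    return first, second
```

Both rounds recover exactly the key the TA expects, and the two keys differ because $\gcd(K_i, P_{TA}-1) = 1$ rules out $3^{K_i} \equiv 5^{K_i}$. What an observer sees across the two rounds is $g^{s_j}$ and $(g')^{s_j}$ for the same $s_j$; as Section 5 argues, turning either into $s_j$ is a discrete-logarithm problem, which is why the modulus in a real deployment must be large.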
Since the secret key is changed to a new one, the group $P_i$ can no longer obtain the secret key of its descendant group through the public information. On the other hand, the secret key of the group $P_i$ also can no longer be extracted along the connecting path by an ancestor of the group $P_i$. Without correcting the public information of the connecting branches, the property of access control in a hierarchy would be lost. Therefore, the TA modifies the public information of the branches connected to the group $P_i$. With the new secret key $(g_i')^{K_i} \bmod P_{TA}$ of the group $P_i$, the TA changes each branch $ij$ as follows:

$r_{ij}' = (Z^{SG_i'} \bmod P_{TA}) \; (g_j^{K_j\, SG_i'^{-1}} \bmod P_{TA})$  (15)

where

$SG_i' = \mathrm{hash}((g_i')^{K_i}\, ID_j)\, (g_i')^{K_i} \bmod \phi(P_{TA})$  (16)
Therefore, compared to the scheme in Subsection 4.1, where the regeneration and redistribution of the shadows of each participant in the group $P_i$ are carried out by the TA, these operations can here be done by the participants themselves with the new generator.

5. Security Analyses
In the unconditional secret sharing scheme, the security relies on two points: the distributed shadows and the branch information. The shadows are generated and distributed by the TA. The TA is assumed to be an honest participant, so the distribution process is secure. The branch information is generated and derived by the TA, and its security is based on solving the discrete logarithm. Therefore, the unconditional secret sharing scheme is secure. In the conditional situation, the shadows are required to be reused. The TA generates the shadows and delivers them to the participants. If a participant needs to share the shadow, he/she releases $g^{s_{ij}}$, not $s_{ij}$. Here, $g$ is the primitive element of $GF(P_{TA})$. The next time he/she needs to share the shadow, he/she releases $(g')^{s_{ij}}$, not $s_{ij}$, where $g'$ is another generator. If a hacker wants to access the data, he/she needs to extract the shadow from $g^{s_{ij}}$ and $(g')^{s_{ij}}$. This is infeasible since he/she has to solve the discrete logarithm. From the above discussion, we can believe that our shadow derivation and branch public information are secure.

6. Conclusions
In this paper, we proposed two secret sharing schemes with the properties of hierarchical access structures and access controls. Our scheme is practical in many applications, and it indeed solves the problem of secret sharing with hierarchical access structures efficiently.

Acknowledgement: This research is supported in part by the National Science Council of Taiwan, under contract number NSC 92-2213-E-029-017.

References
[1] G. PremKumer and P. Venkateram, "Security Management Architecture for Access Control to Network Resources," IEE Proceedings – Computers and Digital Techniques, Vol. 144, No. 6, pp. 362-370, 1997.
[2] J. Benaloh and J. Leichter, "Generalized Secret Sharing and Monotone Functions," Proceedings of CRYPTO '88, Springer-Verlag, pp. 27-35, 1990.
[3] C. Charnes, K. Martin, J. Pieprzyk, and R. Safavi-Naini, "Secret Sharing in Hierarchical Groups," Proceedings of the First International Conference, ICICS '97, pp. 81-85, 1997.
[4] B. Schneier, Applied Cryptography: Protocols, Algorithms, and Source Code in C, New York, Wiley, pp. 59-61, 1994.
[5] W. Diffie and M. E. Hellman, "New Directions in Cryptography," IEEE Transactions on Information Theory, Vol. IT-22, pp. 644-654, 1976.
[6] D. R. Stinson, "An Explication of Secret Sharing Schemes," Designs, Codes and Cryptography, pp. 357-390, 1992.
[7] C. H. Lin, "Dynamic Key Management Schemes for Access Control in a Hierarchy," Computer Communications, No. 20, pp. 1381-1385, 1997.
[8] H. H. Cho, Y. H. Park, J. S. Lee, H. S. Jang, and K. H. Rhee, "A Proposal of Secure Efficient Dynamic Hierarchical Key Management Structure," The Second Workshop on Information Security Application, Korea, pp. 357-362, 2001.
[9] H. Y. Lin and L. Harn, "A Generalized Secret Sharing Scheme with Cheater Detection," Proceedings of ASIACRYPT '91, Springer-Verlag, pp. 149-158, November 1991.
[10] S. Pohlig and M. E. Hellman, "An Improved Algorithm for Computing Logarithms over GF(p) and Its Cryptographic Significance," IEEE Transactions on Information Theory, Vol. IT-24, pp. 106-110, 1978.