Efficient Secret Sharing with Access Structures in a Hierarchy

Chu-Hsing Lin and Wei Lee
Department of Computer Sciences and Information Tunghai Taichung-kang Rd., 3, Taichung, 407 Taiwan, E-mail: thu.edu.

Abstract

In 2004, Chang et al. suggested an approach that solves the problem of secret sharing with access structures in a hierarchy. They used the concept of discrete logarithm to reuse shadows, and adopted Cho’s [4] mechanism to achieve the properties of hierarchical key management. However, Chang’s scheme requires a lot of time for computation. In this paper, we adopt a one-way hash function to allow the shadows to be reused and achieve the properties of hierarchical access control. The proposed scheme is more efficient than Chang’s scheme.

Keywords: secret sharing, access structure, hierarchical key management, discrete logarithm algorithm, one-way hash function.

1. Introduction

In 2004, Chang et al. proposed a secret sharing scheme with the property of hierarchical access control. The groups are divided into several levels, and higher-leveled groups can compute the secret keys of lower-leveled groups. Besides, each group has its own access structures to share the group’s secret key. Assume there is a group which is partitioned into a set of disjoint groups Here, is the number of subgroups. Then, we repartition these groups into several levels The access right of is greater than Here, is the number of levels. For example, The relationship of each group is shown in Figure 1.

Fig. 1: The relationship of groups and levels

There is an additional participant in Chang’s scheme, called Trust Authority (TA), which helps each group to generate its secret key and assigns the related parameters of each branch to Afterward the parent group can use the related parameter to calculate its child group secret key. Figure 1 also shows the related parameters among the groups. Each group (for i ) has a corresponding access structure, and the authorized subset of the access structure of group can get the secret key if members of the authorized subset cooperate with each other. Assume there is only one authorized subset in each access structure. Figure 2 shows the participants who stayed in the authorized subset (gray background) and the group key of each group.

Fig. structure and key distribution of each

Another responsibility of TA is to generate and distribute the shadows to all participants. Next, TA also helps the authorized subset to collect the shadows and recover the group key. If the parent group wants to calculate its child group’s secret key, the authorized subset of the parent group needs to cooperate with each other to recover the group key. Then, based upon the concept of hierarchical key management, the parent group can use its group key and the related parameter to calculate its child group’s secret key. In general, if the participants in an authorized subset share their shadows to generate the group key, the shadows are no longer secure the next time. It means that after the participants cooperate with each other to recover the group key, TA needs to reconstruct the participants’ new shadows and recompute the new group key. From the schemes proposed in [2] and Chang the discrete logarithm algorithm to achieve the property of reusing shadows, and adopted Cho’s [4] scheme to approach the hierarchical key management. Chang solves the problems of secret sharing based upon access structures in a hierarchy, but it needs a lot of time in computation. We use a one-way hash function to make the shadows reusable and fit all of the hierarchical key management requirements. We show that the proposed scheme is secure and more efficient than Chang’s.

Proceedings of the 19th International Conference on Advanced Information Networking and Applications (AINA’05) 1550-445X/05 $20.00 © 2005 IEEE Authorized licensed use limited to: TUNG HAI UNIVERSITY. Downloaded on March 18, 2009 at 09:24 from IEEE Xplore. Restrictions apply.

2. Chang’s Scheme

The scheme used two related technologies to solve the problems of secret sharing with access structures in a hierarchy: one is the secret sharing based upon access structures, and the other is the hierarchical key management.

2.1 Secret Sharing based upon Access Structures

TA generates shadows and distributes these shadows to each corresponding participant through a secret channel. Then, TA generates a generator of group and broadcasts it. If the authorized subset wants to compute their group key the corresponding participants in can use their shadows and the generator to calculate their group key Suppose that in the group Pi, the participants belong to the authorized subset and denotes the ID value of the participant w (for ). At first, TA publishes shadows to the corresponding participants ...,A through a secret channel. Then, TA generates a generator and broadcasts it. The group Pi’s secret key can be calculated as:

where is a large prime number chosen by TA, satisfy 1. Here, based upon the discrete logarithm, each participant w shares mod (for 1 w A instead of sharing their Before knowing the secret key of the group Pi, the participants at the authorized subset need to share their secrets first. Then, the secret of each corresponding participant and the group key of the group are not secure anymore. Hence, TA produces a new generator and broadcasts it. Then, each participant of the authorized subset changes old secret into a new one (for 1 ). If the group wants to calculate the new secret key , each participant of the authorized subset should share instead of . In Chang’s scheme, TA broadcasts a new generator instead of redistributing new shadows every time. The new secret key will be calculated as follows: and

(2)

Chang used the discrete logarithm algorithm to achieve the property of reusing shadows. Based upon the discrete logarithm, the shadows are not revealed and are held by each participant.

2.2 Hierarchical Key Management

In Chang’s scheme, groups who stayed at higher level can calculate the lower-leveled groups’ secret keys. That is, lower-level groups can’t calculate the higher-leveled groups’ secret keys. Chang adopted Cho’s [4] hierarchical key management scheme to approach these concepts. In Cho’s scheme, we assume the group is at a higher level than the group and a related parameter helps the group to calculate the group secret key. In the Group Key Derivation Algorithm, we will consider the related parameter of each branch Then, in the Group Key Modification Algorithm, we will introduce how to modify the related parameter if group wants to change its group key to

Group Key Derivation Algorithm

In Cho’s [4] hierarchical key management scheme, the related parameter will be computed as follows:

where is a primitive element and is the multiplicative inverse of modulo . If the parent group wants to compute the secret key of its child group it can use its group key and the related parameter to compute secret key as follows: After generating the secret key the group can transfer secret documents to enciphered by

Group Key Modification Algorithm

If the secret key is modified to be a new one the group can not compute the secret key of its child group through the original related parameter On the other hand, the new secret key of the group can also not be extracted from the connected path by its parent group Without the related parameter of the connected branches, the property of hierarchical access control would get lost. Therefore, TA will change each branch hi and which are connected from the parent group to the group and from the group to its child group (Eq.6) as follows: (5) where =

where After these updates, the parent group can calculate new key through the new related parameter, and the group can use its new secret key to calculate its child secret key through the new related parameter, too.

3. Proposed Scheme

The proposed scheme is suitable for secret sharing with access structures in a hierarchy and solves the problems of the secret sharing with access structures and the hierarchical key management by using a one-way hash function.

3.1 Efficient Secret Sharing Scheme based upon Access Structures

We adopt the one-way hash function instead of the discrete logarithm algorithm in Chang’s scheme to approach the property of reusing shadows. The same as Chang’s scheme, we assume that in the group the participants 1, 2, ..., A belong to the authorized subset, and denotes the ID value of the participant (for ). At first, TA publishes shadows to the corresponding participants ...,A through a secret channel. Then, TA generates a random number for group and broadcasts it. Based upon the hash function, the group secret key can be calculated by the following equation.

where denotes an operation, and ) denotes a one-way hash function.

Before knowing the secret key of the group the corresponding participants at the access structure need to share their secrets. Then, the secret of each corresponding participant and the group key of the group are not secure anymore. Hence, TA produces a new random number and broadcasts it, and each participant of the access structure changes old secret into a new Next time, each participant can use new secret to generate the new secret key Ki’. Now, based upon the property of one-way hash function, not only are the shadows (for ) not revealed, but also the shadows can be changed freely by each participant.

3.2 Efficient Hierarchical Key Management

Afterwards, we will adopt the one-way hash function for hierarchical key management. Similar to Cho’s scheme, we divide the proposed scheme into two algorithms: the first is the Group Key Derivation Algorithm, and the other is the Group Key Modification Algorithm.

Group Key Derivation Algorithm

At first, we will consider the related parameter which is connected from the parent group to the child group The related parameter will be computed as follows: where is the random number of the child group which is generated and broadcasted by TA, and ) denotes a one-way hash function. If the parent group wants to compute the secret key of its child group it can compute the following equation

K, =

After generating the secret key the group can transfer secret documents to enciphered by

Group Key Modification Algorithm

If the group secret key is modified to be a new the group can not compute the secret key of its child group through the old related parameter On the other hand, the new secret key of the group can also not be extracted from its parent group through the old related parameter Therefore, TA needs to modify the related parameters which are connected with the group Pi. With the new secret key of the group Pi, TA will change each branch hi and which are connected from the parent group to the group and from the group to its child group as follows: = =

where is a new random number of the group which is generated and broadcasted by TA, and Ki’ is the new secret key of the group After these updates, the parent group can calculate new secret key , and the group can use its new secret key to calculate its child group secret key, too.
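An added sketch, not the paper's code, of the shadow-reuse and key-derivation flow described in Sections 3.1 and 3.2. The paper's equations did not survive extraction, so the XOR combiner for the group key, the form h_ij = K_j XOR H(K_i, r_j), the use of SHA-256 and every function name are assumptions chosen to match the prose.

```python
import hashlib
import secrets

def H(*parts: bytes) -> bytes:
    """One-way hash over length-prefixed fields (SHA-256 is an assumed choice)."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def release(shadow: bytes, r: bytes) -> bytes:
    """What a participant reveals: a hash bound to the broadcast r, never the shadow."""
    return H(shadow, r)

def group_key(released: list[bytes]) -> bytes:
    """Assumed combiner: XOR of the values released by the whole authorized subset."""
    key = bytes(32)
    for value in released:
        key = xor(key, value)
    return key

def related_parameter(k_parent: bytes, k_child: bytes, r_child: bytes) -> bytes:
    """Assumed form: TA publishes h_ij = K_j XOR H(K_i, r_j) for branch parent -> child."""
    return xor(k_child, H(k_parent, r_child))

def derive_child_key(k_parent: bytes, h_ij: bytes, r_child: bytes) -> bytes:
    """Parent recovers K_j = h_ij XOR H(K_i, r_j); the child would have to invert H."""
    return xor(h_ij, H(k_parent, r_child))

def demo() -> dict:
    # Constructed sample: parent group P1 (3 participants), child group P2 (2).
    shadows = {"P1": [secrets.token_bytes(32) for _ in range(3)],
               "P2": [secrets.token_bytes(32) for _ in range(2)]}
    r = {g: secrets.token_bytes(16) for g in shadows}
    def key(g: str) -> bytes:
        return group_key([release(s, r[g]) for s in shadows[g]])
    k1, k2 = key("P1"), key("P2")
    h12 = related_parameter(k1, k2, r["P2"])
    derived = derive_child_key(k1, h12, r["P2"])
    # Key modification: TA broadcasts a fresh r for P1; the shadows are reused.
    r["P1"] = secrets.token_bytes(16)
    k1_new = key("P1")
    stale = derive_child_key(k1_new, h12, r["P2"])    # old branch value no longer works
    h12_new = related_parameter(k1_new, k2, r["P2"])  # TA republishes the branch
    return {"derive_ok": derived == k2, "key_rotated": k1_new != k1,
            "stale_fails": stale != k2,
            "rederive_ok": derive_child_key(k1_new, h12_new, r["P2"]) == k2}

if __name__ == "__main__":
    print(demo())
```
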

4. Security Analysis

In the proposed scheme, shadows are generated and distributed by TA. Assume TA is an honest participant and the shadows distribution process is secure. The shadows are asked to be reused in the proposed scheme. If the participants need to share their secrets to reconstruct the secret key releases instead of releasing shadow Next time, when needs to share the secret, releases instead of releasing , where is another random number generated and derived by TA. If a hacker wants to impersonate a legal participant, the hacker needs to extract the shadow from or But we know that it is hard to reverse the one-way hash function process in order to get the original message from the hash value. Without a legal and pair, it is hard for a hacker to impersonate a legal participant. The related parameter = is generated and derived by TA. A hacker can’t get any key information from the related parameter and the child group can’t calculate its parent group Pi’s secret key through the related parameter In the proposed scheme, we change the related parameter every time, and we don’t use any participant’s ID information in the related parameter, so Lee and Hwang’s security comments [5] [6] are infeasible in the proposed scheme. Therefore, the proposed scheme is secure.

5. Comparison

First, we give the definition for some notations as follows: is the time needed for exponentiation operation. denotes the time needed for a one-way hash function. denotes the time needed for modular multiplication, and denotes the time needed for inverse operation.

Assumptions: There are disjointed groups in our system, and each group has corresponding participants in its access structure. There are x relations in our system. The computation amount of operation and addition are negligible, therefore the operation time of and are not computed.

We divide the scheme into three phases: Setup Phase, Key Derivation Phase, and Key Modification Phase.

Setup Phase: TA needs to send the shadow (for A to each corresponding participant of group Pi. Then, TA will generate each group’s secret key, and calculate the related parameters of each branch ij.

Key Derivation Phase: TA helps the access structure of group to recover the secret key After that, can use its secret key and the related parameter to calculate its child group secret key

Key Modification Phase: TA needs to help the group to change its secret key. The time complexity of the key modification phase is like the setup phase, but it only needs to broadcast a new generator or random number. After modifying Pi’s secret key, TA will compute the new secret key and change the related parameters which are connected to the group We assume there are three related parameters connected to the group

The comparison result is shown in Table 1. Since an exponentiation operation needs more time than the one-way hash function. If we use [7] to implement 1024 bit exponentiation operation and SHA-1, 214 Further, if we use hardware processor to implement 1024 bit exponentiation operation and SHA-1, 3000000 From above discussion, we can easily know that the proposed scheme is more efficient than Chang’s scheme.

Table 1: The comparison of the two schemes

6. Conclusion

There are two drawbacks of Chang’s method: one is that the discrete logarithm spends a lot of time on computation, and the other is that Cho’s hierarchical key management scheme needs complex calculations, too. In the proposed scheme, we use a one-way hash function to allow the shadows to be reused and approach the hierarchical key management. Finally, we analyze the security level of the proposed scheme, and prove that the proposed scheme is more efficient than Chang’s scheme. The proposed scheme approaches the properties of secret sharing based upon access structures in a hierarchy efficiently.

Acknowledgements

This research was partially supported by the National Science Council, Taiwan, under grant -2622-E-029-005.

References

[1] C. C. Chang, C. H. Lin, W. Lee, and P. C. Hwang, “Secret Sharing with Access Structures in a Hierarchy,” International Conference on Advanced Information Networking and Applications 2004 (AINA), Japan, Mar 2004, Vol. 2, pp. 31-34.
[2] C. Charnes, J. and R. Safavi-Naini, “Conditionally Secure Secret Sharing Schemes with Disenrollment Capability,” Proceedings of the 2nd ACM Conference on Computer and Communication Security, Virginia, Nov 89-95.
[3] H. Y. Lin and L. Harn, “A Generalized Secret Sharing Scheme with Cheater Detection,” Proceedings of ASIACRYPTO ‘91, Verlag, Nov 1991, pp. 149-158.
[4] H. H. Cho, Y. H. Park, J. S. Lee, H. S. Jang, and K. Rhee, “A Proposal of Secure Dynamic Hierarchical Key Management Structure,” The Second Workshop on Information Security Application, Korea, 2001, pp. 357-362.
[5] N. Y. Lee and T. Hwang, “Research Note Comments on Dynamic Key Management Schemes for Access Control in a Hierarchy,” Computer Communications, 22, 1999, pp. 87-89.
[6] C. H. Lin, “Dynamic Key Management Schemes for Access Control in a Hierarchy,” Computer 20, 1997, pp. 1381-1385.
[7] Library 5.1 from
[8] D. Carlson, D. A. Jain, T. Kiszely, P. Kodandapani, A. Vardharajan, T. Xanthopoulous, V. Yalala, “A High Performance SSL IPSEC Protocol Aware Security IEEE International Solid-state Circuits Conference 2003 (ISSCC), 1, 142-483. 2003,
[9] Draft FIPS Secure Hash Standard (SHS), U.S. May 30, 2001.
