1
An Efficient Key-Management Scheme for Hierarchical Access Control Based on Elliptic Curve Cryptosystem
Author: F.G. Jeng and C.M. Wang
Citation: Journal of Systems and Software
2
Outline
Introduction
Elliptic Curve Cryptosystem
Proposed Scheme
Analysis of Security
Analysis of Time Complexity
Analysis of Storage Complexity
Conclusion
Idea
3
Introduction
Hierarchical access control
Problems: access rights among a group of users in an organization
  A higher-level user can access a lower-level user's data.
  A lower-level user cannot access a higher-level user's data.
[Figure: example organization chart with President; Office of Student Affairs, Office of Academic Affairs, Office of General Affairs; Students, Teachers, Library]
4
Introduction
Two Types of Hierarchies
Tree hierarchy
  Each class (except the root class) has only one parent class.
Partially ordered hierarchy
  Each class (except the root class) could have more than one parent class.
5
Introduction
Tree hierarchy
  The users are divided into a set of disjoint security classes C = {C1, C2, …, Cn}.
  Each class has its own cryptographic key.
  Each class (except the root class) has only one parent class.
  Cj ≤ Ci: Ci can read or store information in Cj, but the opposite is not allowed.
  Ci can derive the key of Cj.
[Figure: A tree hierarchy of classes C1 to C8, with Ci above Cj]
6
Introduction
Partially ordered hierarchy
  The users are divided into a set of disjoint security classes C = {C1, C2, …, Cn}.
  Each class has its own cryptographic key.
  Each class (except the root class) could have more than one parent class.
  Cj ≤ Ci: Ci can read or store information in Cj, but the opposite is not allowed.
  Ci can derive the key of Cj.
[Figure: A partially ordered hierarchy of classes C1 to C7]
7
Introduction
Types of public-key cryptosystem
Integer Factorization System
  n = pq, where p and q are two primes.
  It's hard to factorize n.
Discrete Logarithm System
  $r^x \equiv h \pmod p$
  It's hard to find x.
Elliptic Curve Cryptosystem
  Q = aP, where P and Q are two points over an elliptic curve.
  It's hard to find a.
8
Introduction
Goals of a Key-Management Scheme
  The scheme should be secure.
  The key-derivation process should be efficient.
  The scheme should have the dynamic access property.
  The scheme should require low-cost computation overhead and less storage.
  The scheme should be flexible on selection of user's own secret key.
9
Elliptic Curve Cryptosystem
Advantages of ECC (Elliptic Curve Cryptosystem)
  ECC is roughly 10 times more efficient than either integer factorization systems or discrete logarithm systems in terms of computational overhead, key size and bandwidth.
  A key size of 4096 bits for RSA gives the same level of security as 313 bits in ECC.
10
Elliptic Curve Cryptosystem
Mathematics Background on the ECC
Elliptic curve equation E over Zp
  Zp = {0, 1, 2, …, p-1}
  $E_p(a, b): y^2 = x^3 + ax + b \pmod p$, where $a, b \in Z_p$ and $4a^3 + 27b^2 \neq 0$
  A finite abelian group is defined over Ep(a, b).
[Figure: the curve $y^2 = x^3 + x + 1$]
11
Elliptic Curve Cryptosystem
Mathematics Background of ECC
Operations on points in the ECC
  If P = (xp, yp), then P + (xp, –yp) = O. The point (xp, –yp) is the negative of P, denoted as –P.
Example
  Let P = (6, 4); then –P = (6, –4). Since –4 mod 23 = 19, –P = (6, 19) over E23(1, 1).
Points over E23(1, 1)
  (0, 1)    (6, 4)    (12, 19)
  (0, 22)   (6, 19)   (13, 7)
  (1, 7)    (7, 11)   (13, 16)
  (1, 16)   (7, 12)   (17, 3)
  (3, 10)   (9, 7)    (17, 20)
  (3, 13)   (9, 16)   (18, 3)
  (4, 0)    (11, 3)   (18, 20)
  (5, 4)    (11, 20)  (19, 5)
  (5, 19)   (12, 4)   (19, 18)
12
Elliptic Curve Cryptosystem
Mathematics Background of ECC
Multiplication by an integer is defined by repeated addition; for example, 2P = P + P.
  $x_r = (\lambda^2 - x_p - x_q) \bmod p$
  $y_r = (\lambda(x_p - x_r) - y_p) \bmod p$
Example
  P = (6, 4); λ = 5, xr = 13, yr = 7, 2P = (13, 7) over E23(1, 1)
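$$\lambda = \begin{cases} \dfrac{y_q - y_p}{x_q - x_p} \bmod p, & \text{if } P \neq Q \\ \dfrac{3x_p^2 + a}{2y_p} \bmod p, & \text{if } P = Q \end{cases}$$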
13
Elliptic Curve Cryptosystem
Mathematics Background on ECC
Addition operation of two different points over Ep(a, b)
  If P = (xp, yp) and Q = (xq, yq) in which P ≠ Q, then R = P + Q = (xr, yr).
  $x_r = (\lambda^2 - x_p - x_q) \bmod p$
  $y_r = (\lambda(x_p - x_r) - y_p) \bmod p$
Example
  P = (6, 4), Q = (7, 11), λ = 7, xr = 13, yr = 16, R = P + Q = (13, 16) over E23(1, 1).
14
Elliptic Curve Cryptosystem
Comparison: ECC vs. RSA

Elliptic curve logarithms using     Integer factorization using the
the Pollard rho method              general number field sieve
Key size    MIPS-Years              Key size    MIPS-Years
150         3.8 x 10^10             512         3 x 10^4
205         7.1 x 10^18             768         2 x 10^8
234         1.6 x 10^28             1024        3 x 10^11
                                    1280        1 x 10^14
                                    1536        3 x 10^16
                                    2048        3 x 10^20
160
15
Proposed Scheme
Key-management Scheme for Tree Hierarchy
Mathematics background
  A function H: A → B is a one-way hash function; it is a one-to-one function, which implies that:
    For every x in A, H(x) can be computed easily;
    For every y = H(x) in B, it is infeasible to compute x.
16
Proposed Scheme
Key Generation Algorithm
Step 1
  CA determines $E_p(a, b): y^2 = x^3 + ax + b \pmod p$
    p is a large prime number
    $4a^3 + 27b^2 \neq 0 \bmod p$.
  CA picks a base point G = (x, y) with the order n such that nG = O.
  CA publishes Ep(a, b), G and n.
17
Proposed Scheme
Key Generation Algorithm
Step 2
  CA selects a function Ã: (x, y) → v, where v is an integer.
  The CA makes Ã public.
  CA chooses a secret parameter nca and makes Pca public, where Pca = ncaG.
  Private parameter of the CA: nca
  Public parameter of the CA: point Pca
18
Proposed Scheme
Key Generation Algorithm
Step 3
  Class Ci chooses secret key Ki, 1 ≤ Ki ≤ p-1
  Class Ci chooses secret parameter ni, ni ≤ n
  Pi = niG is public
  Ci sends (Ki, ni) to CA secretly
  Private parameters of Ci: Ki, ni
  Public parameter of Ci: point Pi = niG
19
Proposed Scheme
Key Generation Algorithm
Step 4
  CA constructs a polynomial Hi(x) for Ci.
  For the root class, H(x) = nil.
    H1(x) = nil
  For a non-root class,
    $H_i(x) = \prod_{C_i \le C_t} (x - \tilde{A}(n_i P_t)) + K_i$, where Ci ≤ Ct.
[Figure: the partially ordered hierarchy of C1 to C7]
20
Proposed Scheme
Key Generation Algorithm
Example
  H3(x) = (x - Ã(n3P1)) + K3
  H2(x) = (x - Ã(n2P1)) + K2
[Figures: the hierarchy of C1 to C7, shown once for each polynomial]
21
Proposed Scheme
Key Generation Algorithm
Example
  H4(x) = (x - Ã(n4P1)) + K4
  H5(x) = (x - Ã(n5P1)) (x - Ã(n5P2)) + K5
[Figures: the hierarchy of C1 to C7, shown once for each polynomial]
22
Proposed Scheme
Key Generation Algorithm
Example
  H6(x) = (x - Ã(n6P1)) (x - Ã(n6P2)) (x - Ã(n6P3)) (x - Ã(n6P4)) + K6
  H7(x) = (x - Ã(n7P1)) (x - Ã(n7P4)) + K7
[Figures: the hierarchy of C1 to C7, shown once for each polynomial]
23
Proposed Scheme
Key Derivation Algorithm
Step 1.
  Ci derives the key of Cj.
  Ci gets the public polynomial Hj(x) and Pj.
Example
  C1 derives the key of C6.
  C1 knows: P6 and H6(x)
[Figure: the hierarchy of C1 to C7]
24
Proposed Scheme
Key Derivation Algorithm
Step 2.
  Ci computes Hj(Ã(niPj))
  Ci obtains Kj
Example
  H6(x) = (x - Ã(n6P1)) (x - Ã(n6P2)) (x - Ã(n6P3)) (x - Ã(n6P4)) + K6
  H6(Ã(n1P6))
  = (Ã(n1P6) - Ã(n6P1)) (Ã(n1P6) - Ã(n6P2)) (Ã(n1P6) - Ã(n6P3)) (Ã(n1P6) - Ã(n6P4)) + K6
  = (Ã(n1n6G) - Ã(n6 × n1G)) (……) + K6    [the first factor equals 0]
  = K6
[Figure: the hierarchy of C1 to C7]
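Added example (not from the slides or the paper): key generation and key derivation for C6 in the slides' partially ordered hierarchy, run on the toy curve E23(1, 1). The base point G = (0, 1), the choice of Ã as the x-coordinate, reducing the coefficients of Hj modulo p, and all secret values are assumptions constructed for illustration.

```python
P_MOD, A = 23, 1          # the slides' curve E23(1, 1): y^2 = x^3 + x + 1
G = (0, 1)                # assumed base point; it has order 28 on this curve

def add(P, Q):
    """Point addition; None stands for the point at infinity O."""
    if P is None or Q is None:
        return Q if P is None else P
    (xp, yp), (xq, yq) = P, Q
    if xp == xq and (yp + yq) % P_MOD == 0:
        return None                                   # P + (-P) = O
    if P == Q:
        lam = (3 * xp * xp + A) * pow(2 * yp, -1, P_MOD)
    else:
        lam = (yq - yp) * pow((xq - xp) % P_MOD, -1, P_MOD)
    xr = (lam * lam - xp - xq) % P_MOD
    return xr, (lam * (xp - xr) - yp) % P_MOD

def mul(k, P):
    """Scalar multiple kP by double-and-add."""
    R = None
    while k:
        R = add(R, P) if k & 1 else R
        P, k = add(P, P), k >> 1
    return R

def a_tilde(P):
    return P[0]           # assumed choice of Ã: the x-coordinate

def build_H(n_i, K_i, ancestor_pubs):
    """CA side: expand prod_t (x - Ã(n_i P_t)) + K_i mod p, low degree first."""
    coeffs = [1]
    for P_t in ancestor_pubs:
        r = a_tilde(mul(n_i, P_t))
        # multiply the running polynomial by (x - r)
        coeffs = [(s - r * c) % P_MOD for s, c in zip([0] + coeffs, coeffs + [0])]
    coeffs[0] = (coeffs[0] + K_i) % P_MOD
    return coeffs

def derive(n_i, P_j, H_j):
    """Class side: evaluate H_j at Ã(n_i P_j) with Horner's rule."""
    x, acc = a_tilde(mul(n_i, P_j)), 0
    for c in reversed(H_j):
        acc = (acc * x + c) % P_MOD
    return acc

# Constructed secrets n_i for C1..C6 and a constructed key K6.
secret_n, K6 = {1: 3, 2: 5, 3: 9, 4: 11, 5: 13, 6: 15}, 17
pub = {i: mul(k, G) for i, k in secret_n.items()}             # public P_i = n_i G
H6 = build_H(secret_n[6], K6, [pub[i] for i in (1, 2, 3, 4)])  # C6 <= C1..C4
```

With these values C1 to C4 each recover K6 = 17 from the public (P6, H6), while C5, which is not above C6, evaluates H6 to 8. A 23-element field is only large enough to check the algebra by hand.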
25
Proposed Scheme
Problems of Dynamic Access Control
  Addition of a new security class
  Deletion of a security class
26
Proposed Scheme
Addition of a new security class
  Class C8 is added to the hierarchy. C8 has private parameters (n8, K8) and public parameter P8 = n8G.
  The CA constructs H8(x) for C8: H8(x) = (x - Ã(n8P1)) (x - Ã(n8P4)) + K8
[Figures: the hierarchy before and after C8 is added]
27
Proposed Scheme
Deletion of a Security Class
  Class C3 is removed from the hierarchy.
  The CA only deletes K3, n3, P3 and H3(x).
[Figures: the hierarchy before and after C3 is removed]
28
Analysis of Security: Conspiracy
C5
  public parameters (P5, H5(x))
  private parameters (n5, K5)
C6
  public parameters (P6, H6(x))
  private parameters (n6, K6)
C5 and C6 know P2 and H2(x).
  Finding n2 from P2 = n2G: hard
  H2(x) = (x - Ã(n2P1)) + K2
  H2(Ã(n2P1)) = (Ã(n2P1) - Ã(n2P1)) + K2
[Figures: the hierarchy of C1 to C7, shown twice]
29
Analysis of Time Complexity
  Constructing Hi(x): O(m. log2m), degree m
  Updating Hi(x): O(nm. log2m), n classes
30
Analysis of Storage Complexity
  ni: 300 bits
  Ki: 300 bits
  Point Pi = (xi, yi): 600 bits
  RSA – 4096 bits, ECC – 313 bits
Hi(x) m prime p : 300 bits
degree m 1log p
31
Conclusions
The problem of hierarchical access control is discussed and solved.
ECC is more efficient than other cryptosystems.
Our key generation and key derivation based on ECC are efficient.
The proposed scheme achieves the dynamic access property.
  Addition of a new class
  Deletion of an old class
The proposed scheme has low computational overhead and less storage based on ECC.
The proposed scheme is flexible on selection of user's own secret key.
32
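Non-expansible progressive visual cryptography with a priority concept
A progressive, non-expansible visual secret sharing method with different privilege levels: (n, n)-PPSM
(n, n)-priority and progressive sharing model
Under current progressive visual cryptography sharing mechanisms, participants cannot be assigned appropriate privilege levels according to their importance.
The n secret-sharing participants each hold a different privilege.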
33
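Experimental results and discussion
Figure 5: Stacking results of the share images in Figure 4
Left: stacking five share images → (NC = 0.74); only then is the outline of the secret image faintly visible
Right: stacking three share images → (NC = 0.72), the outline of the secret image is already faintly visible; stacking four share images → (NC = 0.78), the content of the secret image is clearly visible
The study's secret sharing matrices do give participants different secret-recovery capabilities.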
34
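Experimental results and discussion
Figure 7: Color share images generated from Figure 6
High privilege → stacking share images → fewer shares → outline
Low privilege → stacking share images → more shares → outline
The experimental results in Figures 5 and 7 show that the recovery result of the secret image depends on the participants' privilege levels.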
35
Reflections
[Figure: hierarchy of nodes A to F with labels a to f]
36
Instructor's supplementary remarks
Idea: could keys be handled with a group concept as the approach to sharing images?