
Efficient Time-Bound Hierarchical Key Assignment Scheme

Hung-Yu Chien, Member, IEEE Computer Society

Abstract—The access privileges in distributed systems can be effectively organized as a hierarchical tree that consists of distinct classes. A hierarchical time-bound key assignment scheme is to assign distinct cryptographic keys to distinct classes according to their privileges so that users from a higher class can use their class key to derive the keys of lower classes, and the keys are different for each time period; therefore, key derivation is constrained by both the class relation and the time period. This paper shall propose, based on a tamper-resistant device, a new time-bound key assignment scheme that greatly improves the computational performance and reduces the implementation cost.

Index Terms—Cryptography, hierarchical key assignment.

1 INTRODUCTION

THERE are many distinct entities in a distributed system, and these entities usually have distinct privileges of accessing different parts or depths of the resources in the system. In most cases, the access privileges can be effectively organized as a hierarchical tree, where the entities are classified into $n$ disjoint classes, $S = \{C_1, C_2, \ldots, C_n\}$. Here, $S$ is a partially ordered set under the binary relation “$\le$.” For example, the expression “$C_j \le C_i$” means that the entities belonging to $C_i$ are entitled to access the resources belonging to $C_j$. Application examples include the unequal relations in the military or in a governmental or privately owned organization. Assigning distinct cryptographic keys to distinct classes so that a higher class can derive the keys of lower classes is a good solution to the above problem [1], [2], [3], [4], [5], [6].

However, in some situations (for example, electronic paper subscription and digital TV broadcasting [8], [11]), a user may be assigned to a certain class for only a period of time. For such environments, the conventional key assignment schemes [1], [2], [3], [4], [5], [6] have to renew the keys periodically and redistribute these keys to the users accordingly. To allow a user to access all the authorized data over some periods of time, this straightforward implementation requires him/her to keep a lot of keys, which is obviously not efficient. In contrast to the conventional schemes, a time-bound hierarchical key assignment scheme [8] updates the keys periodically according to the class hierarchy, and an entity keeps only a small quantity of information for deriving all his entitled keys. Such a scheme is useful for those environments where the keys need to be refreshed periodically for security and the storage and communication of keys should be minimized. One example is the electronic newspaper subscription or a Pay-TV system [8], [11], where the newspaper of each day is partitioned into $n$ parts, $C_i$, $1 \le i \le n$, which form a partial-order hierarchy. The $i$th partial subscription of the newspaper consists of the data assigned to $C_i$ and those assigned to its lower classes $C_j$, $C_j \le C_i$. The data assigned to $C_i$ at time period $t$ would be encrypted using key $K_{i,t}$. So, when a user wants to use the backlog newspapers of the $i$th part from time period $t_1$ to $t_2$, the company just releases the information $I(i, t_1, t_2)$ to the user and allows him to access the backlog database. Another is a cryptographic key backup system that allows employees to encrypt their files, but does not allow them to hold encrypted files as hostages [8]. Readers are referred to Tzeng’s work [8] for detail.

Even though Tzeng’s scheme is efficient in terms of storage and communication, it is computationally inefficient. In this paper, we shall present a new time-bound hierarchical key assignment scheme. The scheme employs a low-cost tamper-resistant device that performs only simple arithmetic operations. To derive all the keys a user is entitled to, he/she keeps only one key and two hash values. Compared to Tzeng’s scheme, our scheme greatly improves the computational performance and reduces the implementation cost. The rest of this paper is organized as follows: Section 2 discusses the related works. Section 3 introduces our new time-bound hierarchical key assignment scheme, and then Section 4 examines the security and evaluates the performance of the new scheme. Finally, Section 5 will be the conclusion.

2 RELATED WORKS

Since Akl and Taylor proposed their hierarchical key assignment protocols [1], many works [1], [2], [3], [4], [5], [6] have been published in the literature. These schemes allow an entity from a higher class to derive the cryptographic keys of lower classes. But, the schemes [1], [2], [3], [4], [5] are not computationally efficient because of the costly public-key computations; furthermore, the schemes [1], [2], [3], [4], [5], [6] are not time bound. That is, for the situations where the cryptographic keys need to be updated periodically, these conventional key assignment schemes have to renew the class keys periodically and redistribute these keys to the users accordingly. It consumes lots of storage and communication.

In 2002, Tzeng [8] proposed the time-bound key assignment scheme, in which each class $C_i$ has many class keys $K_{i,t}$, where $K_{i,t}$ is the key of class $C_i$ during time period $t$. A user in $C_i$ from time $t_1$ to $t_2$ is given the information $I(i, t_1, t_2)$, such that with the information $I(i, t_1, t_2)$, the user can compute the key $K_{j,t}$ of $C_j$ at time $t$ if and only if $C_j \le C_i$ and $t_1 \le t \le t_2$. Tzeng’s scheme is very efficient in terms of space requirement because, to derive all the keys a user is entitled to, he/she keeps only the information $I(i, t_1, t_2)$ that is independent of the number of total classes and the time period from $t_1$ to $t_2$. The cryptographic key $K_{i,t}$ is defined to be

$$h\left(K_i^{h_1^{t} h_2^{z-1}} \bmod n_1,\; V_{f_1^{z-1} f_2^{t}}(b)\right),$$

where $h()$ is a one-way function and $V$ is the Lucas function. However, the computation of $K_{i,t}$ involves lots of costly public-key computations and costly Lucas computations [10] that incur high computational loads and implementation costs and therefore limit its deployments.

Another work related to our topic is the group multicast problem [12], where messages shared among the group members are encrypted using the group keys, and the group keys are updated whenever users join or leave the group. So, a group member who is offline during $t$ key updates should receive and process the $t$ key update messages in order to access the content belonging to the offline period. Pinkas improved the update overhead to a message of $O(\log t)$ keys. Pinkas’s scheme is efficient; however, it is different from our scenario in several respects. 1) There is only one class in the multicast problem; on the contrary, our topic focuses on the situation where there exist many classes and these classes can be organized as a hierarchical tree according to their privileges. 2) The key update is triggered by membership change in the group multicast problem. A group communication in the group multicast problem usually lasts for a limited period of time and the number of key updates, $t$, for one offline member is also very limited. So, a message of $O(\log t)$ keys is efficient. On the contrary, in our topic (electronic newspaper subscription or Pay-TV system), the keys are updated continuously and very frequently, based on a predefined time interval. For a subscription of one year with a time slot of 20 seconds, a user needs 1,576,800 keys, which consumes lots of storage and communication. So, we need a more efficient mechanism.

IEEE TRANSACTIONS ON KNOWLEDGE AND DATA ENGINEERING, VOL. 16, NO. 10, OCTOBER 2004

The author is with the Department of Information Management, Chaoyang University of Technology, Taichung, Taiwan, R.O.C. E-mail: [email protected].

Manuscript received 27 Nov. 2002; revised 31 July 2003; accepted 28 Aug. 2003. For information on obtaining reprints of this article, please send e-mail to: [email protected], and reference IEEECS Log Number 117841.

1041-4347/04/$20.00 © 2004 IEEE. Published by the IEEE Computer Society.

3 NEW TIME-BOUND HIERARCHICAL KEY ASSIGNMENT SCHEME

The new scheme assigns distinct cryptographic keys to the nodes in the hierarchical tree, which consists of $n$ disjoint classes $S = \{C_1, C_2, \ldots, C_n\}$, such that a user of a class $C_i$ from time $t_1$ to $t_2$ can derive the secret keys $K_{j,t}$ of other classes $C_j$ if and only if $C_j \le C_i$ and $t_1 \le t \le t_2$. The scheme is built upon the following assumptions:

1. There is a secure one-way hash function $h()$;
2. Tamper-resistant devices are available [7], where even the owner cannot access the protected data in the device. This assumption is practical and is widely adopted in Pay-TV systems [11];
3. There is a Trusted Agent (TA).

Assume the system can allow as many as $z$ time periods; that is, the system starts at time period 0 and ends at time period $z$. For example, if each time period represents a month, then $z = 1{,}200$ represents 100 years. Our scheme is composed of four phases: initialization, user registration, encrypting key generation, and decrypting key derivation.

Initialization. TA randomly selects $n$ secret keys $k_i$, $1 \le i \le n$, and two random secret values $a$ and $b$. Of course, these parameters could be updated to enhance security, and the interval to update the parameters depends on the system requirements. The key $k_i$ is for class $C_i$. For each directed edge “$C_j \le C_i$,” TA publishes a public value $r_{ij} = h(X \| ID_i \| ID_j \| k_i) \oplus k_j$ on an authenticated public board, where $X$ is TA’s secret key, $ID_i$/$ID_j$ is the identity of class $C_i$/$C_j$, respectively, $\|$ denotes string concatenation, and $\oplus$ denotes the bit-wise XOR operation. Everyone can read the data on the board, but only TA can update the data.

User Registration. When a user is assigned to class $C_i$ for time periods $t_1$ through $t_2$, TA distributes $k_i$ to the user through a secure channel. TA also issues the user a tamper-resistant device in which TA’s secret key $X$, the identity $ID_i$ of $C_i$, $h^{t_1}(a)$, and $h^{z-t_2}(b)$ are stored. The expression $h^m(x) = h(h(\ldots(h(x))\ldots))$ denotes the result of applying $m$ hashing operations to $x$. It is assumed that even the owner of such a tamper-resistant device cannot access the values $X$, $h^{t_1}(a)$, and $h^{z-t_2}(b)$, nor can she/he alter the value $ID_i$.

Encrypting Key Generation. The data belonging to class $C_i$ for time period $t$ would be encrypted by the key $K_{i,t}$. The key $K_{i,t}$ is defined to be $h(k_i \oplus h^{t}(a) \oplus h^{z-t}(b))$.

Decrypting Key Derivation. Assume a user $U$ is assigned to class $C_i$ for time periods $t_1$ through $t_2$, and $U$ wants to decrypt the encrypted data in class $C_j$ at time period $t$, where $t_1 \le t \le t_2$, and $C_i$ is the parent node of $C_j$ in the hierarchical tree. The following steps are to be executed to decrypt the data:

1. $U$ inputs the public value $r_{ij}$, the identity $ID_j$, and her/his secret key $k_i$.

2. Then, the tamper-resistant device derives the secret key $k_j$ by computing $k_j = r_{ij} \oplus h(X \| ID_i \| ID_j \| k_i)$.

3. The tamper-resistant device computes $h^{t}(a) = h^{t-t_1}(h^{t_1}(a))$, $h^{z-t}(b) = h^{t_2-t}(h^{z-t_2}(b))$, and $K_{j,t} = h(k_j \oplus h^{t}(a) \oplus h^{z-t}(b))$, where the values $h^{t_1}(a)$ and $h^{z-t_2}(b)$ are stored in the device. With the derived secret key $K_{j,t}$, now the device can decrypt the data that are protected by the secret key $K_{j,t}$.

The above process applies when the user wishes to derive any key $K_{l,t}$ if and only if $C_l \le C_i$ and $t_1 \le t \le t_2$. $U$ just inputs his secret key $k_i$, the public values, and the identities along the path from $C_i$ to $C_l$ in the hierarchical tree. The device then derives the key $k_l$, $h^{t}(a)$, $h^{z-t}(b)$, and $K_{l,t}$ by performing calculations similar to Steps 2 and 3. The derivation of $k_l$ is by iteratively calculating the keys along the path from $C_i$ to $C_l$ using computations similar to Step 2.
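The four phases above as a runnable sketch, added here as an illustration and not the author's code. Assumptions of the example: SHA-256 stands in for $h()$, class identities are length-prefixed before concatenation, a Python object stands in for the tamper-resistant device, and the names `TrustedAgent`, `Device`, `edge_mask` and the `hash_calls` counter are hypothetical.

```python
import hashlib
import secrets

HLEN = 32  # SHA-256 stands in for the paper's unspecified one-way hash h()

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def h_iter(x: bytes, m: int) -> bytes:
    """h^m(x). A negative m would mean inverting h, which is infeasible."""
    if m < 0:
        raise ValueError("cannot walk a hash chain backwards")
    for _ in range(m):
        x = h(x)
    return x

def xor(*parts: bytes) -> bytes:
    out = bytearray(HLEN)
    for p in parts:
        for n, byte in enumerate(p):
            out[n] ^= byte
    return bytes(out)

def edge_mask(X: bytes, id_i: str, id_j: str, k_i: bytes) -> bytes:
    """h(X || ID_i || ID_j || k_i); IDs are length-prefixed (assumed encoding)."""
    ids = b"".join(len(s).to_bytes(2, "big") + s.encode() for s in (id_i, id_j))
    return h(X + ids + k_i)

class Device:
    """Stand-in for the tamper-resistant device: X, h^t1(a), h^(z-t2)(b) stay inside."""

    def __init__(self, X, class_id, t1, t2, ha_t1, hb_z_t2):
        self._X, self._ha, self._hb = X, ha_t1, hb_z_t2
        self.class_id, self.t1, self.t2 = class_id, t1, t2
        self.hash_calls = 0  # instrumentation only, not part of the scheme

    def derive(self, k_i: bytes, path: list, board: dict, t: int) -> bytes:
        """Return K_{l,t} for the class at the end of path (path[0] is C_i)."""
        if path[0] != self.class_id or not self.t1 <= t <= self.t2:
            raise PermissionError("class or time period not authorized")
        k = k_i
        for parent, child in zip(path, path[1:]):  # Step 2, once per edge
            k = xor(board[(parent, child)], edge_mask(self._X, parent, child, k))
            self.hash_calls += 1
        ha_t = h_iter(self._ha, t - self.t1)   # h^t(a) from the stored h^t1(a)
        hb_zt = h_iter(self._hb, self.t2 - t)  # h^(z-t)(b) from the stored h^(z-t2)(b)
        self.hash_calls += (t - self.t1) + (self.t2 - t) + 1
        return h(xor(k, ha_t, hb_zt))          # Step 3

class TrustedAgent:
    def __init__(self, edges, z: int):
        self.z = z
        self._X, self._a, self._b = (secrets.token_bytes(HLEN) for _ in range(3))
        self._k = {c: secrets.token_bytes(HLEN) for e in edges for c in e}
        # Public board: r_ij = h(X || ID_i || ID_j || k_i) XOR k_j for each edge.
        self.board = {(i, j): xor(edge_mask(self._X, i, j, self._k[i]), self._k[j])
                      for i, j in edges}

    def register(self, class_id: str, t1: int, t2: int):
        dev = Device(self._X, class_id, t1, t2,
                     h_iter(self._a, t1), h_iter(self._b, self.z - t2))
        return self._k[class_id], dev

    def encrypting_key(self, class_id: str, t: int) -> bytes:
        return h(xor(self._k[class_id], h_iter(self._a, t),
                     h_iter(self._b, self.z - t)))

def demo():
    # Constructed hierarchy: C1 -> C2 -> C4 and C1 -> C3; z = 1200 periods.
    ta = TrustedAgent([("C1", "C2"), ("C2", "C4"), ("C1", "C3")], z=1200)
    k1, dev = ta.register("C1", t1=10, t2=20)
    key = dev.derive(k1, ["C1", "C2", "C4"], ta.board, t=15)
    return key == ta.encrypting_key("C4", 15), dev.hash_calls

if __name__ == "__main__":
    print(demo())
```

The counter shows the derivation cost for a class two edges below the user's own: two edge hashes, $t_2 - t_1$ chain hashes, and one final hash.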

4 SECURITY ANALYSIS AND PERFORMANCE EVALUATION

Possible attacks launched by either outsiders or insiders will be discussed in Section 4.1. The performance will be evaluated in Section 4.2 from several perspectives: storage space requirement, implementation cost, and computation load.

4.1 Security Analysis

The security property and the time-bound property are now examined.

Attack by an outsider. An outsider who has no TA-issued device might try to derive the secret key from the public value $r_{ij} = h(X \| ID_i \| ID_j \| k_i) \oplus k_j$. However, it is infeasible for the attacker to derive the secret keys $k_i$ and $k_j$, since he cannot access TA’s secret key $X$ or $C_i$’s secret key $k_i$, and $h()$ is one-way.

Attack by a subordinate/Collusive attack by subordinates. Assume “$C_j \le C_i$” is one directed edge. Some inside attacker from class $C_j$ might try to derive the secret key of $C_i$ from the public value $r_{ij} = h(X \| ID_i \| ID_j \| k_i) \oplus k_j$. However, even though the attacker can derive the value $h(X \| ID_i \| ID_j \| k_i)$, it is infeasible for him to derive $k_i$ due to the one-way property of $h()$. Even though some subordinates of a class $C_i$ may collude and try to break the system, they can only derive more hashed values as above. They are incapable of inverting the one-way hash values.

The time-bound property of the encrypting key. Assume a user $U$, who is assigned to class $C_i$ from time period $t_1$ to $t_2$, tries to derive the encrypting keys for some time period $t$ beyond the authorized time periods. To derive the key $K_{i,t}$, $U$ has to compute both $h^{t}(a) = h^{t-t_1}(h^{t_1}(a))$ and $h^{z-t}(b) = h^{t_2-t}(h^{z-t_2}(b))$; however, it is infeasible to compute the $h^{t}(a)$ value because $t - t_1$ is negative for $t < t_1$, and it is impossible to compute the value $h^{z-t}(b)$ because $t_2 - t$ is negative for $t > t_2$. As a result, $U$ cannot derive any encrypting keys beyond the authorized time periods. Now, consider collusions of some users. Assume some users with distinct authorized time periods try to derive the keys beyond the authorized time periods. They fail because they can only share their secret class keys and the public data, and the secret data $h^{t_1}(a)$, $h^{z-t_2}(b)$, and $X$ are well protected in the tamper-resistant device.

4.2 Performance Evaluation

Now, we examine the space requirement, the implementation cost, and the computational complexity. Our scheme publishes one public value $r_{ij}$ for each edge in the hierarchical tree; therefore, the total number of public values is equal to the number of edges, which is smaller than the number of classes by 1. In Tzeng’s scheme, there are $6 + n$ public values to publish, where $n$ is the number of classes. In our scheme, on the user’s side, each authorized user needs to keep just one key and one low-cost smart card that stores only $(X, ID_i, h^{t_1}(a), h^{z-t_2}(b), h())$.

Regarding the implementation cost, our scheme assumes the use of a low-cost smart card that stores simple data and performs simple hashing operations, while Tzeng’s scheme requires the deployment of a public key cryptosystem and performs computation-intensive public key operations and Lucas functions [10].

Next, we evaluate the computational complexity. Suppose $T_h$ stands for the time complexity of one hashing operation, $T_e$ for that of one modular exponentiation, $T_m$ for that of a modular multiplication, and $T_L$ for that of a Lucas function operation. To compare the performance, we adopt the same assumptions as in [9]. Suppose $|m|$ denotes the bit length of $m$. With a modulus $m$, the computation of a modular exponentiation operation generally takes $\log|m|$ modular multiplications (and can be reduced to $0.3381|m|$ for a fixed base and precomputation, which is around 346 for $|m| = 1{,}024$). Each Lucas operation with a fixed sequence is roughly equivalent to a modular exponentiation operation [10]. The modular exponentiation and the Lucas function in Tzeng’s scheme do not use a fixed base or a fixed sequence, so the computation cost would be larger. However, to simplify the comparison without losing the computational superiority of our scheme, we assume the modular exponentiation is with a fixed base and the Lucas function applies to a fixed sequence. A hashing operation requires no more time than a modular multiplication operation.

Assume the user $U$, who is assigned to class $C_i$ for time period $[t_1, t_2]$, wants to derive the encrypting key $K_{j,t}$. There are several cases:

1. For $j = i$, our scheme requires $(t_2 - t_1 + 1)T_h$, where $t_2 - t_1$ is for calculating $h^{t}(a) = h^{t-t_1}(h^{t_1}(a))$ and $h^{z-t}(b) = h^{t_2-t}(h^{z-t_2}(b))$, and one for calculating $h(k_i \oplus h^{t}(a) \oplus h^{z-t}(b))$. Tzeng’s scheme requires $(t_2 - t_1)T_e + (t_2 - t_1)T_L + 1T_h$.

2. To derive the encrypting key $K_{j,t}$ of a one-edge-distance child class $C_j$, our scheme requires $(t_2 - t_1 + 2)T_h$, where the extra hashing operation is for calculating the secret key of the child class. Tzeng’s scheme requires $(t_2 - t_1 + r)T_e + (t_2 - t_1)T_L + 1T_h$, where $r$ is the number of child classes $C_k$ that satisfy $C_k \le C_i$ and $C_k \not\le C_j$.

3. To derive the encrypting key of an $l$-edge-away child class $C_j$, our scheme requires $(t_2 - t_1 + 1 + l)T_h$, while Tzeng’s scheme requires $(t_2 - t_1 + r)T_e + (t_2 - t_1)T_L + 1T_h$, where $r$ is the total number of child classes $C_k$ that satisfy $C_k \le C_i$ and $C_k \not\le C_j$. The maximum value of $l$ or $r$ is $n - 1$ when $C_i$ is the root and $C_j$ is the leaf in a skewed tree.

Table 1 summarizes the performance evaluations. The client side of our scheme can be easily implemented by using a low-cost tamper-resistant device that supports only simple operations and little storage space. Without public key cryptography, our scheme greatly reduces the computational load and implementation cost. With a modulus of 1,024 bits, the computational complexity of our scheme is roughly 1/692 that of Tzeng’s scheme under the simplified assumption. This property is extremely important when the client side is low-powered and computing-capacity-limited (for example, PDAs and mobile phones). Each user holds only one key, the size of which is independent of the number of classes and of the authorized time periods.

5 CONCLUSION

This paper has proposed a new time-bound key assignment scheme based on a low-cost tamper-resistant device. Without public key cryptography, our scheme greatly reduces the computational load and the implementation cost.

ACKNOWLEDGMENTS

The author would like to thank the anonymous reviewers for their helpful comments. This research is partially supported with project number NSC92-2213-E-324-036.

TABLE 1. Comparisons between Two Time-Bound Key Assignment Schemes

* $n$: the number of classes; $r$ is the number of the child classes $C_k$ that satisfy $C_k \le C_i$ and $C_k \not\le C_j$, where $C_i$ is the user’s class and $C_j$ is the target class.
* $T_h$: the time complexity for one hashing operation; $T_e$: that for one modular exponentiation; $T_m$: one modular multiplication; $T_L$: one Lucas function operation.

REFERENCES

[1] S.G. Akl and P.D. Taylor, “Cryptographic Solution to a Problem of Access Control in a Hierarchical,” ACM Trans. Computer System, vol. 1, no. 3, pp. 239-247, 1983.

[2] L. Harn and H.Y. Lin, “A Cryptographic Keys Generation Scheme for Multilevel Data Security,” Computer Security, vol. 9, pp. 539-546, 1990.

[3] R.S. Sandhu, “Cryptographic Implementation of a Tree Hierarchy for Access Control,” Information Processing Letters, vol. 27, pp. 95-98, 1988.

[4] C.H. Lin, C.C. Chang, and R.C.T. Lee, “Hierarchy Representation Based on Arithmetic Coding for Dynamic Information Protection Systems,” Information Sciences, vol. 64, nos. 1-2, pp. 35-48, Oct. 1992.

[5] H.M. Tsai and C.C. Chang, “A Cryptographic Implementation for Dynamic Access Control in a User Hierarchy,” Computers & Security, vol. 14, pp. 159-166, 1995.

[6] C.H. Lin, “Hierarchical Key Assignment without Public-Key Cryptography,” Computers & Security, vol. 20, no. 7, pp. 612-619, 2001.

[7] M.L. Gemplus, “Smart-Cards: A Cost-Effective Solution against Electronic Fraud,” Proc. European Conf. Security and Detection, no. 437, pp. 81-85, Apr. 1997.

[8] W.G. Tzeng, “A Time-Bound Cryptographic Key Assignment Scheme for Access Control in a Hierarchy,” IEEE Trans. Knowledge and Data Eng., vol. 14, no. 1, pp. 182-188, Jan./Feb. 2002.

[9] V. Dimitrov and T. Cooklev, “Two Algorithms for Modular Exponentiation Using Nonstandard Arithmetic,” IEICE Trans. Fundamentals, vol. E78-A, no. 1, pp. 82-87, 1995.

[10] S.M. Yen and C.S. Laih, “Fast Algorithms for LUC Digital Signature Computation,” Proc. IEEE Computers and Digital Technology, vol. 142, no. 2, pp. 165-169, 1995.

[11] B.M. Macq and J.-J. Quisquater, “Cryptology for Digital TV Broadcasting,” Proc. IEEE, vol. 83, no. 6, pp. 944-957, 1995.

[12] B. Pinkas, “Efficient State Updates for Key Management,” Proc. ACM Workshop on Security and Privacy in Digital Rights Management, Nov. 2001.