![ACEEE International Journal on Network Security, Vol 1, No. 2, July 2010
HACBPS: A Hierarchical Access Control-
Based Proxy Signature
Debasis Giri1,*, Jiban Dalal1, P. D. Srivastava2 and Sanasam Ranbir Singh3
1
Department of Computer science & Engineering
Haldia Institute of Technology, Haldia -721657, India
2
Department of Mathematics
Indian Institute of Technology, Kharagpur-721302, India
3
Department of Computer science & Engineering
Indian Institute of Technology, Madras, Chennai-600036, India
Email: debasis_giri@hotmail.com, jiban.dalal@gmail.com, pds@maths.iitkgp.ernet.in and san.ranbir@gmail.com
Abstract— In this paper, we propose a new security tree structural access control scheme [7]. Wu-Wei
protocol which is styled hierarchical access control-based proposed a scheme [2] which satisfies the indirect
proxy signature (HACBPS). In hierarchical access access control mechanism. Harn-Lin proposed a
control, upper security level users can access some secret
scheme [3] which satisfies the direct access control
information hold by lower security level users, but reverse
is not allowed. Whereas in proxy signature, on behalf of
mechanism and is based on the RSA cryptosystem. Giri
the original signer, proxy signer can generate the and Srivastava proposed two schemes: one is access
signature on an arbitrary message. In our protocol, an control in tree structural hierarchy [8] and other is
upper security level user (considered as original signer) poset ordered hierarchy [9] in 2007 and 2008
can delegate his signing right for signature generation on respectively. Sheng Zhong proposed a scheme [4]
an arbitrary message to a lower security level user which satisfies the indirect access control mechanism.
(considered as proxy signer) and the proxy signer can The direct access control schemes achieve smaller
generate proxy signature on behalf of the original signer. storage spaces for storing public information and better
In HACBPS, each user in a hierarchy holds two secret
dynamics. The access control is motivated by the
keys: one key can be accessed by upper security level
users and other one is not accessible to any other user. scenario. A CEO (Chief Executive Officer) of a
company can access to some important documents of
Index Terms— cryptography, security, access control, his General Manager. But General Manager cannot be
proxy signature, Poset permitted to access the CEO’s documents. In the same
manner, General Manager can access the documents of
I. INTRODUCTION his/her lower level employees, but opposite is strictly
1 prohibited. Whereas, in a proxy signature, proxy
In an access control of a hierarchical structure, a user signature generation is allowed by a designated person,
has access some secrets to another if and only if the called a proxy signer, to sign an arbitrary message on
former is superior of the later. The access control for a behalf of an original signer. An original signer delegates
hierarchy can be represented by a partially ordered set his/her signing capability to a proxy signer (by issuing a
(Poset). A hierarchy is constructed by dividing users proxy key) and then proxy signer signs a message on
into number disjointed users, say behalf of the original signer using the proxy key. A
U 1 ,U 2 ,U 3 , .. . ,U n which are partially ordered verifier can check the validity of that signature and also
with a binary relation <= ` . In a hierarchy, know the signature which is signed by the proxy signer
U i ≤U j means that the security level of U i is rather than that by the original signer. More precisely,
the original signer sends a specific message with its
lower than that of. In other words, U j can access signature to the proxy signer who then uses this
some secret information held by user U i , while the information to construct a proxy signing key. Using the
opposite is not allowed. Figure 1 shows a three level proxy signing key, the proxy signer can generate proxy
hierarchical structure. The top level user (that is, U 1 ) signatures. From a proxy signature, anyone can verify
both the original signer’s delegation and the proxy
poses the highest security and security decreases with signer’s digital signature. The concept of the proxy
increase in level. Hence, users (that is, U 4 ,U 5 ,U 6 ) signature introduces first by Mambo et al. [5, 6]. After
in bottom level have least security. In 1983, Akl and that many authors propose many schemes on proxy
Taylor first propose hierarchical access-based key signatures. In 2008, Giri and Srivastava proposed a
assignment scheme [1]. In 1998, Sandhu proposed a proxy signature scheme [10] after removing te
weaknesses of Das el al.’s proxy signature scheme
1
*Corresponding author [11]. The real life example of proxy signature is as
Dr. Debasis Giri is at present an Assistant Professor in the Department of
follows: Let CEO of a company wants to ask his
Computer Science and Engineering of Haldia Institute of Technology, Haldia-721657, India.
29
© 2010 ACEEE
DOI: 01.ijns.01.02.06](https://image.slidesharecdn.com/06-120925225140-phpapp01/85/HACBPS-A-Hierarchical-Access-Control-Based-Proxy-Signature-1-320.jpg)
![ACEEE International Journal on Network Security, Vol 1, No. 2, July 2010
General Manager to sign some important documents on B. Key assignment by CA
his behalf. In this paper, we propose a new security Suppose there exists n users in a hierarchy, say
protocol which is combination of hierarchical access U 1 ,U 2 , .. . ,U n . The CA can assign keys for each
control and proxy signature is called access control
based proxy signature. But if we simply2 combine two user in a hierarchy is as follows.
existing schemes (one is hierarchical access control and 1. CA first choose the root node, that is U 1 (in
other proxy signature) without any change (or new the rest of the paper, we consider “node”
design) then the combined scheme can not be no longer means a user in a hierarchy) and chooses an
secure, because of fact that secrete key of the lower arbitrary key x 1 . CA computes
level security users must be derived (or accessed) by x1
their upper level security users. And so for the proxy u 1 =g mod p .
signature scheme, if we use the secrete key for the 2. Next, CA chooses a node using the technique
proxy signature generation then the upper level security of breadth first traversal (BFT) of the
user can generate the proxy signature because he/she hierarchical structure. Let U i be the node
also able to derive (or access) the secrete keys’ of its
chosen by the CA according to BFT.
lower level security users. Therefore, the scheme is not
proxy protected. But proposed scheme solves that 3. If node U j is only one direct parent node of
weakness. In our proposed scheme, each user in a Ui Uj xi ,
, the secret key of is where
hierarchy holds two secret keys: one key can be
x i =H x j ,ID i ,
accessed by upper security level users and other one is
not accessible to any other user. (1) where ID i is the identity of the user
The remainder of this paper is organized as Ui .
follows. In Section II, we introduce our proposed
HACBPS scheme. In Section III, we analyze the 4. If the node U j has more than one direct
security of our proposed scheme. Section IV shows the parent nodes, say U j1 ,U j2 ,U j3 , . .. ,U jt
time complexity required for our scheme. Finally,
where keys of U j1 ,U j2 ,U j3 , . .. ,U jt are
Section V concludes the paper.
x j1 ,x j2 ,x j3 ,. . . ,x jt respectively, then CA first
U chooses the secret key x j for the user U j . CA
1
then generates the Newton's interpolating
polynomial [12] over modulo p containing the
U U x
points H ID j∣∣ x ji , x j g ji mod p for
2 3
i= 1,2,. . . ,t . We denote this polynomial as
U U U
P j x . CA publishes the P j x in a public
4 5 6
directory.
xi
Figure 1: An Example of a Hierarchical Structure u i =g mod p .
5. CA computes
6. Go to step 2 until all users are not taken consideration in the hierarchy.
II. PROPOSED HACBPS SCHEME xi
u i =g mod p Ui
The HACBPS is the combination of two schemes: Note: CA publishes each corresponding to the user
first, hierarchical access control scheme; second, a x U
and sends the secret key i to the user i (for
proxy signature scheme. There exists a trusted CA i=1,2,….) in secure manner.
(central authority) in the system that can generate and Example. CA assigns the secret keys for the users
assign keys for each user in a hierarchy. The scheme corresponding to Figure 1 shown below. CA assigns
consists of eight phases namely, setup, Key assignment
x1 for the user U 1 . CA then computes
by CA, Key derivation by an upper level user, Key
generation by a user, Proxy key generation, Proxy key x 2 =H ID 2∣∣ x1 , x 3 =H ID 3∣∣x 1 for the
verification, Proxy signature generation, Proxy users U 2 ,U 3 respectively. CA also computes
signature verification.
x 4 =H ID 4∣∣ x 2 , x 6 =H ID6 ∣∣ x 3 for the
A. Setup
users U 4 ,U 6 respectively. Finally, CA constructs a
Let H be a cryptographic one-way hash
Newton’s interpolating polynomial containing the
function and g a generator of Z p (where is a large x
points H ID 5∣∣ x 2 , x 5 g 2 mod p
prime of length at least 1024-bit for security x
consideration). and H ID 5∣∣ x 3 , x 5 g 3 mod p after choosing
2 the secret key x 5 for the user U 5 .
30
© 2010 ACEEE
DOI: 01.ijns.01.02.06](https://image.slidesharecdn.com/06-120925225140-phpapp01/85/HACBPS-A-Hierarchical-Access-Control-Based-Proxy-Signature-2-320.jpg)
![ACEEE International Journal on Network Security, Vol 1, No. 2, July 2010
V. CONCLUSION [4] Sheng Zhong, “A Practical Key Management Scheme
for Access Control in a User Hierarchy,” Computers &
In this paper, we have proposed a new security Security, vol. 21, no. 8, pp. 750-759, 2002.
protocol which is called hierarchical access control- [5] M. Mambo, K. Usuda, and E. Okamoto, “Proxy
based proxy signature. The concept behind the scheme Signatures Delegation of the Power to Sign
is that anybody in a hierarchy should have two different Messages,” IEICE Trans. Fundamentals, vol. E79-A, no
private keys, where one key can be derived by an upper 9, pp. 1339-1353, 1996.
level user, using key derivation, but other key is only [6] M. Mambo, K. Usuda, and E. Okamoto, “Proxy
known by the user. The upper level user, after deriving Signatures for Delegating Signing Operation,” in
one secrete key from his/her lower level, cannot Proceeding of the 3rd ACM Conference on Computer
generate the valid proxy signature because of the fact and Communications Security, pp. 48-57, 1996.
that other secret key is unknown to the user. We have [7] R. S. Sandhu, ”Cryptographic Implementation of a Tree
Hierarchy for Access Control”, Information Processing
already discussed the security analysis as well as
Letters, no. 27, pp. 95-98, 1988.
computational cost of the proposed scheme.
[8] D. Giri and P. D. Srivastava, “An Asymmetric
Furthermore in our scheme, we can easily adopt Cryptographic Key Assignment Scheme for Access
dynamicity, that is, some users can be added (or Control in Tree Structural Hierarchies,” International
deleted) in (from) a hierarchy. Journal of Network Security, Vol.4, No.3, pp.348–354,
2007.
REFERENCES [9] D. Giri and P. D. Srivastava, “A Cryptographic Key
Assignment Scheme for Access Control in Poset
[1] S. G. Akl, and P. D. Taylor, “Cryptographic Solution to Ordered Hierarchies with Enhanced Security,”
a Problem of Access Control in a Hierarchy,” ACM International Journal of Network Security, Vol.7, No.2,
Transactions on Computer Systems vol. 1, no. 2, pp. pp. 223–234, 2008.
239-248, 1983. [10] D. Giri and P. D. Srivastava, “Cryptanalysis and
[2] J. Wu and R. Wei, “An Access Control Scheme for Improvement of Das et al.’s Proxy Signature Scheme,”
Partially Ordered Set Hierarchy with Provable in the 10th International Conference on Information
Security,” Selected Areas in Cryptography 2005, LNCS Technology (ICIT 2007), Rourkela, India, IEEE
3897, pp. 221-232, 2005. Computer Society, pp. 151-154, 2007.
[3] L. Harn, and H.-Y. Lin, “A Cryptographic Key [11] M. L. Das, A. Saxena1, and D. B. Phatak, “Proxy
Generation Scheme for Multilevel Data Security,” Signature Scheme with Effective Revocation using
Computers and Security, vol. 9, no. 6, pp. 539-546, Oct. Bilinear Pairings,” International Journal of Network
1990. Security, vol. 4, no. 3, pp. 312-317, 2007.
[12] M. K. Jain, S. R. K. Iyengar, and R. K. Jain, “Numerical
Methods for Scientific and Engineering Computation,”
New Age International Pvt. Ltd. Publisher, 5th Ed., 2007.
33
© 2010 ACEEE
DOI: 01.ijns.01.02.06](https://image.slidesharecdn.com/06-120925225140-phpapp01/85/HACBPS-A-Hierarchical-Access-Control-Based-Proxy-Signature-5-320.jpg)
HACBPS: A Hierarchical Access Control- Based Proxy Signature
- 1. ACEEE International Journal on Network Security, Vol 1, No. 2, July 2010 HACBPS: A Hierarchical Access Control- Based Proxy Signature Debasis Giri1,*, Jiban Dalal1, P. D. Srivastava2 and Sanasam Ranbir Singh3 1 Department of Computer science & Engineering Haldia Institute of Technology, Haldia -721657, India 2 Department of Mathematics Indian Institute of Technology, Kharagpur-721302, India 3 Department of Computer science & Engineering Indian Institute of Technology, Madras, Chennai-600036, India Email: [email protected], [email protected], [email protected] and [email protected] Abstract— In this paper, we propose a new security tree structural access control scheme [7]. Wu-Wei protocol which is styled hierarchical access control-based proposed a scheme [2] which satisfies the indirect proxy signature (HACBPS). In hierarchical access access control mechanism. Harn-Lin proposed a control, upper security level users can access some secret scheme [3] which satisfies the direct access control information hold by lower security level users, but reverse is not allowed. Whereas in proxy signature, on behalf of mechanism and is based on the RSA cryptosystem. Giri the original signer, proxy signer can generate the and Srivastava proposed two schemes: one is access signature on an arbitrary message. In our protocol, an control in tree structural hierarchy [8] and other is upper security level user (considered as original signer) poset ordered hierarchy [9] in 2007 and 2008 can delegate his signing right for signature generation on respectively. Sheng Zhong proposed a scheme [4] an arbitrary message to a lower security level user which satisfies the indirect access control mechanism. (considered as proxy signer) and the proxy signer can The direct access control schemes achieve smaller generate proxy signature on behalf of the original signer. storage spaces for storing public information and better In HACBPS, each user in a hierarchy holds two secret dynamics. The access control is motivated by the keys: one key can be accessed by upper security level users and other one is not accessible to any other user. scenario. A CEO (Chief Executive Officer) of a company can access to some important documents of Index Terms— cryptography, security, access control, his General Manager. But General Manager cannot be proxy signature, Poset permitted to access the CEO’s documents. In the same manner, General Manager can access the documents of I. INTRODUCTION his/her lower level employees, but opposite is strictly 1 prohibited. Whereas, in a proxy signature, proxy In an access control of a hierarchical structure, a user signature generation is allowed by a designated person, has access some secrets to another if and only if the called a proxy signer, to sign an arbitrary message on former is superior of the later. The access control for a behalf of an original signer. An original signer delegates hierarchy can be represented by a partially ordered set his/her signing capability to a proxy signer (by issuing a (Poset). A hierarchy is constructed by dividing users proxy key) and then proxy signer signs a message on into number disjointed users, say behalf of the original signer using the proxy key. A U 1 ,U 2 ,U 3 , .. . ,U n which are partially ordered verifier can check the validity of that signature and also with a binary relation <= ` . In a hierarchy, know the signature which is signed by the proxy signer U i ≤U j means that the security level of U i is rather than that by the original signer. More precisely, the original signer sends a specific message with its lower than that of. In other words, U j can access signature to the proxy signer who then uses this some secret information held by user U i , while the information to construct a proxy signing key. Using the opposite is not allowed. Figure 1 shows a three level proxy signing key, the proxy signer can generate proxy hierarchical structure. The top level user (that is, U 1 ) signatures. From a proxy signature, anyone can verify both the original signer’s delegation and the proxy poses the highest security and security decreases with signer’s digital signature. The concept of the proxy increase in level. Hence, users (that is, U 4 ,U 5 ,U 6 ) signature introduces first by Mambo et al. [5, 6]. After in bottom level have least security. In 1983, Akl and that many authors propose many schemes on proxy Taylor first propose hierarchical access-based key signatures. In 2008, Giri and Srivastava proposed a assignment scheme [1]. In 1998, Sandhu proposed a proxy signature scheme [10] after removing te weaknesses of Das el al.’s proxy signature scheme 1 *Corresponding author [11]. The real life example of proxy signature is as Dr. Debasis Giri is at present an Assistant Professor in the Department of follows: Let CEO of a company wants to ask his Computer Science and Engineering of Haldia Institute of Technology, Haldia-721657, India. 29 © 2010 ACEEE DOI: 01.ijns.01.02.06
- 2. ACEEE International Journal on Network Security, Vol 1, No. 2, July 2010 General Manager to sign some important documents on B. Key assignment by CA his behalf. In this paper, we propose a new security Suppose there exists n users in a hierarchy, say protocol which is combination of hierarchical access U 1 ,U 2 , .. . ,U n . The CA can assign keys for each control and proxy signature is called access control based proxy signature. But if we simply2 combine two user in a hierarchy is as follows. existing schemes (one is hierarchical access control and 1. CA first choose the root node, that is U 1 (in other proxy signature) without any change (or new the rest of the paper, we consider “node” design) then the combined scheme can not be no longer means a user in a hierarchy) and chooses an secure, because of fact that secrete key of the lower arbitrary key x 1 . CA computes level security users must be derived (or accessed) by x1 their upper level security users. And so for the proxy u 1 =g mod p . signature scheme, if we use the secrete key for the 2. Next, CA chooses a node using the technique proxy signature generation then the upper level security of breadth first traversal (BFT) of the user can generate the proxy signature because he/she hierarchical structure. Let U i be the node also able to derive (or access) the secrete keys’ of its chosen by the CA according to BFT. lower level security users. Therefore, the scheme is not proxy protected. But proposed scheme solves that 3. If node U j is only one direct parent node of weakness. In our proposed scheme, each user in a Ui Uj xi , , the secret key of is where hierarchy holds two secret keys: one key can be x i =H x j ,ID i , accessed by upper security level users and other one is not accessible to any other user. (1) where ID i is the identity of the user The remainder of this paper is organized as Ui . follows. In Section II, we introduce our proposed HACBPS scheme. In Section III, we analyze the 4. If the node U j has more than one direct security of our proposed scheme. Section IV shows the parent nodes, say U j1 ,U j2 ,U j3 , . .. ,U jt time complexity required for our scheme. Finally, where keys of U j1 ,U j2 ,U j3 , . .. ,U jt are Section V concludes the paper. x j1 ,x j2 ,x j3 ,. . . ,x jt respectively, then CA first U chooses the secret key x j for the user U j . CA 1 then generates the Newton's interpolating polynomial [12] over modulo p containing the U U x points H ID j∣∣ x ji , x j g ji mod p for 2 3 i= 1,2,. . . ,t . We denote this polynomial as U U U P j x . CA publishes the P j x in a public 4 5 6 directory. xi Figure 1: An Example of a Hierarchical Structure u i =g mod p . 5. CA computes 6. Go to step 2 until all users are not taken consideration in the hierarchy. II. PROPOSED HACBPS SCHEME xi u i =g mod p Ui The HACBPS is the combination of two schemes: Note: CA publishes each corresponding to the user first, hierarchical access control scheme; second, a x U and sends the secret key i to the user i (for proxy signature scheme. There exists a trusted CA i=1,2,….) in secure manner. (central authority) in the system that can generate and Example. CA assigns the secret keys for the users assign keys for each user in a hierarchy. The scheme corresponding to Figure 1 shown below. CA assigns consists of eight phases namely, setup, Key assignment x1 for the user U 1 . CA then computes by CA, Key derivation by an upper level user, Key generation by a user, Proxy key generation, Proxy key x 2 =H ID 2∣∣ x1 , x 3 =H ID 3∣∣x 1 for the verification, Proxy signature generation, Proxy users U 2 ,U 3 respectively. CA also computes signature verification. x 4 =H ID 4∣∣ x 2 , x 6 =H ID6 ∣∣ x 3 for the A. Setup users U 4 ,U 6 respectively. Finally, CA constructs a Let H be a cryptographic one-way hash Newton’s interpolating polynomial containing the function and g a generator of Z p (where is a large x points H ID 5∣∣ x 2 , x 5 g 2 mod p prime of length at least 1024-bit for security x consideration). and H ID 5∣∣ x 3 , x 5 g 3 mod p after choosing 2 the secret key x 5 for the user U 5 . 30 © 2010 ACEEE DOI: 01.ijns.01.02.06
- 3. ACEEE International Journal on Network Security, Vol 1, No. 2, July 2010 C. Key derivation by an upper level user σ'=σ+y i H m,m w ,v i ,v j ,L i ,w +z mod p−1 . (4) Suppose U i ≤U j with a chain He then sends the proxy signature U i ≤U k ≤⋯≤U k U k U j . Let C j want to m,m w ,w,σ ', Li ,K> l 2 1 over a public channel to a compute the secret key x i of the user U i . U j first verifier. computes the secret key x k1 of the user U k 1 using Note: mw is a warrant message and w is public (1), if U j is the immediate parent of U k 1 ; information. otherwise if there are many immediate parents of H. Proxy signature verification U k 1 , then U j computes hashed value of m,m w ,w,σ ', Li ,K> h ID k ∣∣x j and put the hashed value as x - 1 After receiving the coordinate in the polynomial P k x . Hence, U j 1 verifier checks whether the condition xj H m,mw ,v ,v ,L ,w can get x k1 g mod p and then using his secret key g σ' Km =u j v j w v i i j i Li w mod p (5) x j, Uj recover the secret key x k1 of the user holds or not. If it holds good, the verifier accepts it as a U k . In the similar fashion, using the secret key x k valid proxy signature; otherwise it is rejected. 1 1 (which is computed earlier), U j computes the secret III. SECURITY ANALYSIS key x k 2 of the uses U k and so on until computes 2 In this section, we describe the security analysis of the the secret key x i of the user U i . proposed scheme. D. Key generation by a user A. Security for the access control In our scheme, the key assignment and key Each user U j randomly chooses as other secret derivation by upper level users in a hierarchy are key and computes the corresponding public key. U j obtained by a cryptographic one-way hash function. If keeps y j as a secret key and publishes v j as public Ui U j then a user has only one direct parent node parameter. the key of Ui x =H x j ,ID i will be i , where xj E. Proxy key generation is the secret key of U j . Therefore it is difficult for Let U j be an original signer and U i a proxy U x the user i to derive the key j of its parent node signer. Uj chooses a random number k k 1 <k<p−1 and computes K=g mod p . He U j from H x j ,ID i , because of the fact that it is computationally infeasible to invert H . also computes σ=x j +kx i +Ky j m w mod p−1, U i has many immediate (2) Analogously even a user where m w is a warrant message which consists of the parents nodes, it is also difficult to compute the secret key of any immediate parent node due to the infeasible identities of the original as well as proxy signer, to invert of a cryptographic one-way hash function. expiration date. The original signer U j delivers the Ui B. Security analysis for proxy signature proxy key σ,mw ,K to the proxy signer over a public channel. There are six main security properties to be needed for proxy signature such as unforgeability; secret-key’s F. Proxy key verification dependency, verifiability, distinguishability, The proxy signer checks the condition whether identifiability and unreliability. Kmw xi Ui g σ =u j v j K mod p In our proposed scheme, each user has a pair of (3) x ,y secret keys, i i where U j (with U i ≤U j ) can is true . If the condition is true, the proxy signer x x Ui accepts it as a valid proxy; otherwise it is rejected. derive i using his/her secret key j . But cannot compute the secret key y i from v i due to G. Proxy signature generation Ui U discrete logarithm problem (DLP). Further, The proxy signer i first chooses xj yj z 1 <z<p−1 and then computes w=g z mod p cannot compute or of the upper level security user U j . x Ui and L i =K mod p . i then computes 31 © 2010 ACEEE DOI: 01.ijns.01.02.06
- 4. ACEEE International Journal on Network Security, Vol 1, No. 2, July 2010 i) Unforgeability σ' mw H m,mw ,v ,v ,L ,w i j i g =u j v j v i L i w mod p is Suppose an original signer is an adversary А. Now let us check whether А can forge a proxy signature on necessary, where σ' is generated by the proxy signer an arbitrary message, say m . using the equation Suppose А chooses m ', m' w ,L' i ,w ', K' and try σ'=σ+y i H m,mw ,v i ,v j ,L i ,w +z mod p−1 to find σ '' such that (where σ is computed by the original signer using the K'm' H m', m' w ,v ,v ,L' ,w' equation σ=x j +kx i +Ky j m w mod p−1 ). Hence g σ '' =u j v j w v i i j i L' i w 'mod p (6) anyone can verify the proxy signature after receiving holds. Now А knows all values of the parameters of m,m w ,w,σ ', Li ,K> right hand side (RHS) of (6). Therefore, А can compute . That is to say that a verifier RHS of the equation (6). To compute σ '' such that σ '', m ', m' w ,L' i ,w ', K' satisfies the condition in can distinguish a proxy signature rather than the signature generated by the original signer. (6), А has to solve the DLP (discrete logarithm problem) which is computationally infeasible. Hence, v) Identifiability after choosing m ', m' w ,L' i ,w ', K' it is The verifier can determine the relationship of σ delegation between an original signer and a proxy signer, because in the verification condition of the computationally infeasible to compute ¿{} such that proxy signature needs the warrant message m w which ¿ ¿¿ consists of the identity of the original signer as well as condition in (6) holds good. Analogously, after proxy signer with expiration date. Hence the verifier choosing any five of can determine that the signature is generated by a size10σ, m',m' size8w ,L' size4i ,w , K' , it is also hard proxy signer on behalf of original signer. to compute the value of the rest such that the condition in (6) holds. vi) Undeniability In our proxy signature phase, σ' is computed as ii) Secret-Key’s dependence σ'=σ+y i H m,mw ,v i ,v j ,L i ,w +z mod p−1 , In our protocol, original signer derives σ=x j +kx i +Ky j m w mod p−1 and proxy where y i is one of the private keys and z a session signerderives secret generated by the proxy signer or a lower level σ'=σ+y i H m,m w ,v i ,v j ,L i ,w +z mod p−1 user. Involvement of the private key of a proxy signer . implies that the proxy signer cannot deny that he has From the above equations, it is clear that σ' is not sign the message. Hence the scheme is undeniable. computed using σ,y i with some other public IV. COMPUTATIONAL COST information. σ is derived from x j ,y j ,x i where x j ,y j is the secrete key pair of the original signer Following are the computation cost needed for the different operation in our scheme. and x i is one of the secrete key of the proxy signer. t exp : Time taken for a modular exponentiation So, original signer using his private key can generate a operation. proxy key. It implies that proxy signature key is t h : Time taken for a hashing operation. computed from the secrete key of the original signer. So proxy signature key is secret-key dependent. t mul : Time taken for modular multiplication of two iii) Verifiability numbers. t add : Time taken for modular addition of two From HACBPS scheme, it is clear that proxy signer σ Kmw xi numbers. checks the condition g =u j v j K L i w mod p , where u j ,v j are the public information corresponding • Computational cost for proxy key to U j and K,m w are the public information. So by generation: t exp 3t mul2t add these public key, public information and σ , only • Computational cost for proxy key proxy signer can verify the condition. On the other verification: 2t exp 3t mul hands, one can verify the verification condition in (5). • Computational cost for proxy signature Hence the proposed scheme is verifiable. generation: 2t exp +t h +t mul2t add iv) Distinguisablity • Computational cost for proxy signature In the verification of the proxy signature the verification: 3t exp +t h 5t mul condition, 32 © 2010 ACEEE DOI: 01.ijns.01.02.06
- 5. ACEEE International Journal on Network Security, Vol 1, No. 2, July 2010 V. CONCLUSION [4] Sheng Zhong, “A Practical Key Management Scheme for Access Control in a User Hierarchy,” Computers & In this paper, we have proposed a new security Security, vol. 21, no. 8, pp. 750-759, 2002. protocol which is called hierarchical access control- [5] M. Mambo, K. Usuda, and E. Okamoto, “Proxy based proxy signature. The concept behind the scheme Signatures Delegation of the Power to Sign is that anybody in a hierarchy should have two different Messages,” IEICE Trans. Fundamentals, vol. E79-A, no private keys, where one key can be derived by an upper 9, pp. 1339-1353, 1996. level user, using key derivation, but other key is only [6] M. Mambo, K. Usuda, and E. Okamoto, “Proxy known by the user. The upper level user, after deriving Signatures for Delegating Signing Operation,” in one secrete key from his/her lower level, cannot Proceeding of the 3rd ACM Conference on Computer generate the valid proxy signature because of the fact and Communications Security, pp. 48-57, 1996. that other secret key is unknown to the user. We have [7] R. S. Sandhu, ”Cryptographic Implementation of a Tree Hierarchy for Access Control”, Information Processing already discussed the security analysis as well as Letters, no. 27, pp. 95-98, 1988. computational cost of the proposed scheme. [8] D. Giri and P. D. Srivastava, “An Asymmetric Furthermore in our scheme, we can easily adopt Cryptographic Key Assignment Scheme for Access dynamicity, that is, some users can be added (or Control in Tree Structural Hierarchies,” International deleted) in (from) a hierarchy. Journal of Network Security, Vol.4, No.3, pp.348–354, 2007. REFERENCES [9] D. Giri and P. D. Srivastava, “A Cryptographic Key Assignment Scheme for Access Control in Poset [1] S. G. Akl, and P. D. Taylor, “Cryptographic Solution to Ordered Hierarchies with Enhanced Security,” a Problem of Access Control in a Hierarchy,” ACM International Journal of Network Security, Vol.7, No.2, Transactions on Computer Systems vol. 1, no. 2, pp. pp. 223–234, 2008. 239-248, 1983. [10] D. Giri and P. D. Srivastava, “Cryptanalysis and [2] J. Wu and R. Wei, “An Access Control Scheme for Improvement of Das et al.’s Proxy Signature Scheme,” Partially Ordered Set Hierarchy with Provable in the 10th International Conference on Information Security,” Selected Areas in Cryptography 2005, LNCS Technology (ICIT 2007), Rourkela, India, IEEE 3897, pp. 221-232, 2005. Computer Society, pp. 151-154, 2007. [3] L. Harn, and H.-Y. Lin, “A Cryptographic Key [11] M. L. Das, A. Saxena1, and D. B. Phatak, “Proxy Generation Scheme for Multilevel Data Security,” Signature Scheme with Effective Revocation using Computers and Security, vol. 9, no. 6, pp. 539-546, Oct. Bilinear Pairings,” International Journal of Network 1990. Security, vol. 4, no. 3, pp. 312-317, 2007. [12] M. K. Jain, S. R. K. Iyengar, and R. K. Jain, “Numerical Methods for Scientific and Engineering Computation,” New Age International Pvt. Ltd. Publisher, 5th Ed., 2007. 33 © 2010 ACEEE DOI: 01.ijns.01.02.06