An RSA-Based Time-Bound Hierarchical Key Assignment
Scheme for Electronic Article Subscription
Jyh-haw Yeh
Department of Computer Science, Boise State University
1910 University Drive, Boise, ID 83642, USA
jhyeh@cs.boisestate.edu
ABSTRACT
The time-bound hierarchical key assignment problem is to
assign time sensitive keys to security classes in a partially
ordered hierarchy so that legal data accesses among classes
can be enforced. Two time-bound hierarchical key assign-
ment schemes have been proposed in the literature, but both
of them were proved insecure against collusive attacks. In
this paper, we will propose an RSA-based time-bound hier-
archical key assignment scheme and describe its possible ap-
plication. The security analysis shows that the new scheme
is safe against the collusive attacks.
Categories and Subject Descriptors: E.3 [Data]: Data
Encryption
General Terms: Security
Keywords: Access Control, Key Assignment
1. INTRODUCTION
Depending on the security clearance, users in an organi-
zation can be divided into a set of disjointed user classes
C = {C1 , C2 , . . . , Cm }. The set of classes usually can be
organized as a hierarchical tree if they are partially ordered
by a binary relation “”. Cj  Ci denotes that the class
Ci has a higher or equal security clearance than the class
Cj . Thus, users in Ci is allowed to access the data items
owned by users in Cj , but the access in the opposite direc-
tion is prohibited. Many key assignment schemes have been
proposed in the literature to enforce the hierarchical access
control problem [1, 3, 4, 5, 8].
In 2002, Tzeng [7] proposed a time-bound hierarchical key
assignment scheme. He claimed that his scheme not only
provides a solution for the hierarchical access control prob-
lem, but also has an additional feature that each class has
different data encryption keys for different time periods. To
describe the feature more specifically, time is divided into a
sequence of z periods, from period 1 to period z. In each
time period t, each class Cj will be assigned a data encryp-
tion key Kj,t to encrypt its data to prevent illegal accesses.
Copyright is held by the author/owner.
CIKM’05, October 31–November 5, 2005, Bremen, Germany.
ACM 1-59593-140-6/05/0010.
285
Also, each user in the system has an assigned valid time in-
terval [t1 , t2 ], where 1 ≤ t1 ≤ t2 ≤ z. If the user is in a
class Ci , he is able to derive the encryption key Kj,t to de-
crypt the encrypted data in class Cj if, and only if, Cj  Ci
and t1 ≤ t ≤ t2 . This feature enhances the applicability of
the key assignment approach for some online applications
such as digital TV broadcasting and electronic news broad-
casting [7]. However, Yi and Ye [9] pointed out that Tzeng’s
scheme is not secure against collusive attacks. After Tzeng’s
scheme was proved insecure, Chien proposed another time-
bound hierarchical key assignment scheme [2] in 2004, based
on tamper-resistant devices. Unfortunately, Santis, Ferrara,
and Masucci [6] showed that three malicious users can collu-
sively misuse the tamper-resistant devices to compute some
secret keys that they should not know.
In this paper, we will propose a new scheme which is based
on the RSA algorithm. The remainder of this paper is or-
ganized as follows. Section 2 presents the new time-bound
cryptographic key assignment scheme, which is followed by a
security analysis in Section 3. Section 4 describes a possible
application - online electronic article subscription system.
2. NEW KEY ASSIGNMENT SCHEME
The new scheme is based on the RSA algorithm. Sup-
pose the hierarchy has m classes {C1 , C2 , . . . , Cm } and the
time is divided into z periods, starting at period 1. Similar
to Tzeng’s and Chien’s schemes, there is a trusted Central
Authority (CA) responsible for generating and distributing
keys. The CA performs the following:
1. The CA chooses two distinct large primes p and q, and
computes n = p · q and φ(n) = (p − 1)(q − 1).
2. For each Ci , the CA chooses a distinct integer ei , which
is relatively prime to φ(n), and then determines the di
for each ei , where ei di = 1 mod φ(n).
3. For each period y, the CA chooses a distinct integer gy ,
which is relatively prime to φ(n), and then determines
the hy for each gy , where gy hy = 1 mod φ(n).
4. The CA chooses a Q number a, 1 < a < n, and computes
d
a class key Ki = a Ck Ci k mod n for each Ci .
5. The CA publishes the parameters e1 , e2 , . . . , em , g1 , g2 ,
. . . , gz , n and keeps the other parameters secret.
User Registration: When a user is assigned to Ci for a
time interval [t1 , t2 ], the CA assigns
Q
a user key Ki,(t1 ,t2 ) to
the user, where Ki,(t1 ,t2 ) = (Ki ) t1 ≤y≤t2 hy mod n.
Encryption Key Generation: The CA assigns a data
encryption key Ki,t for each Ci in each time period t, 1 ≤
t ≤ z, where Ki,t = (Ki )ht mod n.

Decryption Key Derivation: A user who is in Ci for
the time interval [t1 , t2 ] can use the user key Ki,(t1 ,t2 ) along
with some public parameters to derive the data encryption
key Kj,t of Cj for the time period t if, and only if, Cj  Ci
and t1 ≤ t ≤ t2 . The key derivation is as follows.
Q Q
Ck Ci & Ck 6Cj ek t1 ≤y≤t2 & y6=t gy
(Ki,(tQ1 ,t2 ) )
d B can compute (K5,(1,5) )e5 g1 g2 g3 g4 = ah5 mod n. Based on
= (a Ck Cj k )ht = (Kj )ht mod n = Kj,t
An Example: Figure 1 shows a six-class hierarchy. As-
sume that the time is divided into five periods 1, 2, . . ., 5.

C1


R
@
@ This section uses ACM as an example to describe a possi-
C2 C3
 

R
@
@ R
@
@ more subscription options for subscribers, ACM may pro-
C4 C5 C6
  
Fig.1. An example of a hierarchical policy with six classes
A user in C2 from time period 2 to 4 has the user key
K2,(2,4) . This user can derive the following data encryption
keys {K2,2 , K2,3 , K2,4 , K4,2 , K4,3 , K4,4 , K5,2 , K5,3 , K5,4 }.
For example, to derive K5,3 , the user computes
Q
e
Q
g riod for subscription. The subscribers normally subscribe a
(K2,(2,4) ) Ck C2 & Ck 6C5 k 2≤y≤4 & y6=3 y
= (ad2 d4 d5 h2 h3 h4 )e2 e4 g2 g4 = ad5 h3 mod n = K5,3
Performance: Given Ki,(t1 ,t2 ) and public parameters
with which to derive Kj,t , the user needs to compute
Q Q
e gy
(Ki,(t1 ,t2 ) ) Ck Ci & Ck 6Cj k t1 ≤y≤t2 & y6=t mod n
The above computation requires r + t2 − t1 modular expo-
nentiations, where r is the number of classes Ck that satisfy
Ck  Ci and Ck 6 Cj . The key derivation complexity is the
same as that of Tzeng’s scheme.
3. SECURITY ANALYSIS
Attack by an Outsider: An outsider, with only knowl-
edge of public parameters ei ’s and gy ’s, may try to derive a
key in the system such as Ki , Ki,(t1 ,t2 ) , or Ki,t . Since all
the keys are generated based on secret parameters a, di ’s,
or hy ’s, the outsider has no way to know any of them.
Attack by an Insider: Using the same example shown
in Figure 1, a user in C2 , with a key K2,(2,4) , is unable to
derive the data encryption keys not in the set {K2,2 , K2,3 ,
K2,4 , K4,2 , K4,3 , K4,4 , K5,2 , K5,3 , K5,4 }. For example, the
user is unable to derive the key K6,3 .
Q Q
e g
(K2,(2,4) ) Ck C2 & Ck 6C6 k 2≤y≤4 & y6=3 y
= (ad2 d4 d5 h2 h3 h4 )e2 e4 e5 g2 g4 = ah3 mod n 6= K6,3
By adding one more step above, the number a can be de-
rived. Knowing a provides no help in deriving data encryp-
tion keys, since it is necessary to compute modular expo-
nentiations with unknown exponents. Again, the security of
the scheme relies on the same computational difficulty that
the RSA algorithm is based upon: given a message a, it is
not feasible to forge someone’s signature, ad mod n, on the
message a without knowing the private key d.
Attack by a group of insiders: Given a data en-
0
cryption key Ki,t = ad ht mod n, where d0 = Ck Ci dk ,
Q
0 key assignment scheme for access control in a hierarchy. IEEE
even if both ad and aht (modn) are separately derived by
a group of malicious users, they are still unable to compute
286
0
ad ht mod n. Using the example in Figure 1 once more, sup-
pose that a user A in C2 , with the key K2,(1,3) , conspires
with another user B in C5 , with the key K5,(1,5) . They
try to collusively derive the data encryption key K2,5 =
ad2 d4 d5 h5 mod n, which both A and B are not eligible to ac-
cess. A can compute (K2,(1,3) )g1 g2 g3 = ad2 d4 d5 mod n and
the RSA algorithm, with knowledge of a, ad2 d4 d5 mod n and
ah5 mod n, the value ad2 d4 d5 h5 mod n cannot be computed
within a reasonable amount of time.
4. APPLICATION
ble application - electronic article subscription system. ACM
periodically publishes different journals. In order to have
vide different subscription packages. These packages form a
hierarchical structure as follows. The hierarchy has n leaf
nodes if ACM has n different journals. A leaf node in the
hierarchy corresponds to one, and only one, journal, whereas
an internal node in the hierarchy represents a package hav-
ing multiple journals. All journals listed in a package Cj
are also listed in its predecessors Ci in the hierarchy, where
Cj  Ci . Assume that each fiscal year is a unit time pe-
package for multiple years, from time period t1 to t2 .
The proposed new scheme can provide an access control
solution to such electronic article subscription system. Each
leaf node Cj in the hierarchy will be assigned a data encryp-
tion key Kj,t during each time period t. Each journal (cor-
responds to a leaf node) published in each time period t will
be encrypted by the leaf node’s data encryption key to pre-
vent unauthorized accesses. When a subscriber subscribes a
package Ci from time period t1 to t2 , he/she will be assigned
a user key Ki,(t1 ,t2 ) . Suppose that a journal is listed in the
subscribed package Ci and its corresponding leaf node is Cj .
With the user key Ki,(t1 ,t2 ) , the subscriber is able to access
the journal published in the time period t by first deriving
the data encryption key Kj,t , where t1 ≤ t ≤ t2 .
5. REFERENCES
[1] S. Akl and P. Taylor. Cryptographic solution to a problem of
access control in a hierarchy. ACM Trans. on Computer
Systems, 1:239–248, 1983.
[2] H. Chien. Efficient time-bound hierarchical key assignment
scheme. IEEE Trans. of Knowledge & Data Engineering,
16(10):1301–1304, 2004.
[3] H. Chien and J. Jan. New hierarchical assignment without
public key cryptography. Computers & Security, 22:523–526,
2003.
[4] L. Harn and H. Lin. A cryptographic key generation scheme
for multilevel data security. Computers & Security, 9:539–546,
1990.
[5] R. Sandhu. Cryptographic implementation of a tree hierarchy
for access control. Info. Processing Letters, 27:95–98, 1988.
[6] A. Santis, A. Ferrara, and B. Masucci. On the insecurity of a
time-bound hierarchical key assignment scheme. Tech. Report,
Dept. of Math., University of Waterloo, cacr2005-07.ps, 2005.
[7] W. Tzeng. A time-bound cryptographic key assignment scheme
for access control in a hierarchy. IEEE Trans. on Knowledge
& Data Engineering, 14:182–188, 2002.
[8] J. Yeh, R. Chow, and R. Newman. A key assignment for
enforcing access control policy exceptions. In International
Sympo. on Internet Technology, pages 54–59, 1998.
[9] X. Yi and Y. Ye. Security of tzeng’s time-bound cryptographic
Trans. on Knowledge & Data Engineering, 15:1054–1055,
2003.