Optimal Constructions for Chain-Based Cryptographic Enforcement of Information Flow Policies

The simple security property in an information flow policy can be enforced by encrypting data objects and distributing an appropriate secret to each user. A user derives a suitable decryption key from the secret and publicly available information. A chain-based enforcement scheme provides an alternative method of cryptographic enforcement that does not require any public information, the trade-off being that a user may require more than one secret. For a given information flow policy, there will be many different possible chain-based enforcement schemes. In this paper, we provide a polynomial-time algorithm for selecting a chain-based scheme which uses the minimum possible number of secrets. We also compute the number of secrets that will be required and establish an upper bound on the number of secrets required by any user.

[1]  Ravindra K. Ahuja,et al.  Network Flows: Theory, Algorithms, and Applications , 1993 .

[2]  Jason Crampton,et al.  Constructing Key Assignment Schemes from Chain Partitions , 2010, DBSec.

[3]  Rafail Ostrovsky,et al.  Attribute-based encryption with non-monotonic access structures , 2007, CCS '07.

[4]  Mikhail J. Atallah,et al.  Incorporating Temporal Capabilities in Existing Key Management Schemes , 2007, ESORICS.

[5]  Gregory Gutin,et al.  Digraphs - theory, algorithms and applications , 2002 .

[6]  Alfredo De Santis,et al.  Security and Tradeoffs of the Akl-Taylor Scheme and Its Variants , 2009, MFCS.

[7]  Gregory Gutin,et al.  Cryptographic Enforcement of Information Flow Policies Without Public Information , 2014, ACNS.

[8]  Kenneth G. Paterson,et al.  Simple, Efficient and Strongly KI-Secure Hierarchical Key Assignment Schemes , 2013, CT-RSA.

[9]  Selim G. Akl,et al.  Cryptographic solution to a problem of access control in a hierarchy , 1983, TOCS.

[10]  Duminda Wijesekera,et al.  Status-Based Access Control , 2008, TSEC.

[11]  Jason Crampton,et al.  On key assignment for hierarchical access control , 2006, 19th IEEE Computer Security Foundations Workshop (CSFW'06).

[12]  Sushil Jajodia,et al.  Combining fragmentation and encryption to protect privacy in data storage , 2010, TSEC.

[13]  Kenneth G. Paterson,et al.  Provably Secure Key Assignment Schemes from Factoring , 2011, ACISP.

[14]  Jason Crampton,et al.  Practical and efficient cryptographic enforcement of interval-based access control policies , 2011, TSEC.

[15]  Marina Blanton,et al.  Dynamic and Efficient Key Management for Access Hierarchies , 2009, TSEC.

[16]  R. P. Dilworth,et al.  A DECOMPOSITION THEOREM FOR PARTIALLY ORDERED SETS , 1950 .

[17]  John Adrian Bondy,et al.  A short proof of the Chen-Manalastas theorem , 1995, Discret. Math..

[18]  Brent Waters,et al.  Ciphertext-Policy Attribute-Based Encryption , 2007, 2007 IEEE Symposium on Security and Privacy (SP '07).