
On the Security Proof of Wu-Wei Hierarchical Key Assignment Scheme

Murali Medisetty, Yagna Srinath, and Anish Mathuria

Dhirubhai Ambani Institute of Information and Communication Technology
Gandhinagar, Gujarat, India
{murali krishna 2006, srinath battula, anish mathuria}@daiict.ac.in

Abstract. This paper examines the security proof given by Wu and Wei for the hierarchical key assignment scheme proposed by them. Some errors in their proof and in their proof model are identified, and a new proof model and a rigorous proof based on standard security notions are proposed.

1 Introduction
In the real world, we often find people, resources, etc. arranged hierarchically, so that some have higher access privileges than others. These are examples of hierarchical access control. In hierarchical access control, the users are divided into a set of security classes based on their access privileges. Each security class has some data which should be accessible only to the users of the same class or of another security class with higher privilege than the present class. Let $P = \{p_1, p_2, \dots, p_n\}$ be the set of security classes. The access relationships between the classes can be represented by a partial order relation $\le$ on the set $P$. If $p_j \le p_i$, then $p_i$ is said to have a higher security clearance than $p_j$. A partially ordered set is usually represented by a Hasse diagram, in which a node represents a security class and the edges represent the access relationships between the classes. If $p_j \le p_i$, then $p_i$ is called a predecessor of $p_j$ and $p_j$ is called a successor of $p_i$. If there is no node $p_k$ (other than $p_i$ and $p_j$) in the hierarchy such that $p_j \le p_k \le p_i$, then $p_j$ is called an immediate successor of $p_i$ and $p_i$ is called an immediate predecessor of $p_j$. A node with no predecessors is called a root node. The problem is to ensure that any user in a certain class can access all the information belonging to the successors of the user's own class, while the reverse is not possible. This is sometimes referred to as the access control problem in a hierarchy.

In 1983, Akl and Taylor [1] proposed a cryptographic solution to the hierarchical access control problem. Since then, cryptographic access control for a hierarchy has been an active area of research and numerous hierarchical key assignment schemes (HKAS) have been proposed. In order to provide a better handle on these numerous schemes, Crampton et al. [6] surveyed the existing hierarchical key assignment schemes and classified them into generic classes in such a way that the actual schemes are instantiations of these generic classes. Their classification depends on attributes of the scheme such as the use of dependent or independent keys and direct or indirect key derivation. Intuitively, a scheme is said to have indirect key derivation if the key of a non-immediate successor cannot be found without explicitly computing the keys of the other nodes on some path from the deriving node to the target node; for schemes with direct key derivation, the key of any successor can be found directly. A scheme is said to use dependent keys if the key of any node depends on its immediate predecessors' keys; if the keys of nodes can be assigned independently, the scheme is said to use independent keys. Despite the existence of a large number of HKAS, very few are provably secure. In the class of schemes with direct key derivation, the Akl-Taylor scheme [1] was recently proved secure by D'Arco et al. in [7]. In the class of schemes with indirect key derivation and independent keys, the scheme of Atallah et al. [3] is provably secure.

1.1 Our contributions

Finally, in the class of dependent-key based and indirect schemes, Wu-Wei [9] have proposed a provably secure scheme. In this article we show that Wu-Wei's proof is erroneous: it does not consider all the information available to the adversary and is thus incomplete and incorrect. We present the problems we identified in Wu-Wei's proof and provide a more robust proof.

The rest of the paper is organized as follows. Section 2 introduces security notions in key hierarchies and some assumptions used in Wu-Wei's proof [9]. Sections 3 and 4 review Wu-Wei's scheme and provide a sketch of Wu-Wei's proof respectively. Section 5 explains the errors we have found in the Wu-Wei proof. Section 6 proposes a rigorous proof for the scheme. Section 7 concludes the article.

2 Security Notions

Wu-Wei [9] used the following informal definition to capture the required security property for key hierarchies.

A hierarchical access control scheme for a poset hierarchy is secure if for any group of classes in the poset, it is computationally infeasible to derive the key of any class that is not a member of that group, nor a successor of any member of that group.

Atallah et al. [2], [3] formalized a notion of security for key hierarchies called security w.r.t Key Recovery. They also introduced a stronger level of security called security w.r.t Key Indistinguishability. We review these notions below.

Before we present the formal definitions of the security notions, let us introduce a few notations. $\mathrm{Desc}(p_i)$ and $\mathrm{Anc}(p_i)$, where $p_i$ is a node in the hierarchy, represent the sets of descendants and ancestors of $p_i$ (including $p_i$) respectively. Similarly, $\mathrm{ImmPred}(p_i)$ and $\mathrm{ImmDesc}(p_i)$ represent the sets of immediate predecessors and immediate descendants of $p_i$ (excluding $p_i$) respectively. It is assumed that $S_i$ is the secret information given to the users of $p_i$; using this and the public information, the users in that class are able to derive the encryption key $K_i$ of that class (the key used for encrypting the data in the class). $\Pr[E]$ denotes the probability that the event $E$ occurs. $|\cdot|$ denotes the modulus (absolute value) function.

In the definitions below, the security notions are modeled using a game played
by the adversary with a challenger. A special query called Corrupt(pi ) can be
issued by the adversary to the challenger, in which case, the challenger has to
answer the query by providing the adversary with (Si , Ki ). However, note that
there are some restrictions on the nodes on which the adversary can issue the
corrupt query.

Definition 2.1 (Key Recovery) [3]. A Key Assignment Scheme is secure w.r.t key recovery if no polynomial time adversary has a non-negligible advantage (in the security parameter $\tau$) against the challenger in the following game:

– Setup: The challenger sets up the hierarchy, assigns all the keys and gives the public information to the adversary $A$.
– Attack: The adversary issues a polynomial number of $\mathrm{Corrupt}(p_i)$ queries, which the challenger answers by retrieving $(S_i, K_i)$ and giving $S_i$ to $A$.
– Break: The adversary chooses a node $p^*$ with $p^* \notin \mathrm{Desc}(p_i)$ for any $p_i$ for which a corrupt query was issued in the previous step. The adversary now outputs its choice $p^*$ along with its best guess $K'_{p^*}$ for the key $K_{p^*}$ of node $p^*$.

The adversary's advantage is defined as $\mathrm{Adv}^{KR}_A = \Pr[K'_{p^*} = K_{p^*}]$.

Another notion of security is Key Indistinguishability. In this notion, the adversary is allowed to corrupt all the nodes except the attacking node and its predecessors, and at the end of the game the challenger asks the attacker to distinguish between the actual key and a random string (of the same length as the key). If this is not possible for a polynomial time adversary with non-negligible advantage, then the scheme is said to be key indistinguishable. The formal definition follows.

Definition 2.2 (Key Indistinguishability [3]) A Key Assignment Scheme is key indistinguishable if no polynomial time adversary $A$ has a non-negligible advantage (in the security parameter $\tau$) against the challenger in the game below:

– Setup: The challenger sets up the hierarchy, assigns all the keys and gives the public information to the adversary $A$.
– Phase 1: The adversary issues a polynomial number of $\mathrm{Corrupt}(p_i)$ queries, which the challenger answers by retrieving $(S_i, K_i)$ and giving $S_i$ to $A$.
– Challenge: After Phase 1, the adversary chooses $p^*$ with $p^* \notin \mathrm{Desc}(p_i)$ for any $p_i$ asked in Phase 1. Now the challenger picks a random bit $b^* \in \{0, 1\}$: if $b^* = 1$, it returns to $A$ the actual key $K_{p^*}$ of $p^*$; otherwise it returns to $A$ a random key $\bar{K}_{p^*}$ of the same length as $K_{p^*}$.
– Phase 2: The adversary can issue more $\mathrm{Corrupt}(p_i)$ queries, for any $p_i \notin \mathrm{Anc}(p^*)$, and obtain the corresponding $S_i$'s.
– The adversary outputs a bit $b \in \{0, 1\}$ as its best guess as to whether it was given the actual key $K_{p^*}$ or a random key. $A$ wins the game if $b = b^*$.

We define the adversary's advantage as $\mathrm{Adv}^{KI}_A = |\Pr[b = b^*] - 1/2|$.

As mentioned before, security w.r.t key indistinguishability is a stronger form of security than security w.r.t key recovery: security w.r.t key indistinguishability implies security w.r.t key recovery, whereas the converse does not hold. To see this more clearly, suppose by contradiction that there exists a scheme which is secure w.r.t key indistinguishability and not secure w.r.t key recovery. In this case, when the adversary is playing the indistinguishability game (Def 2.2), with all the information obtained by corrupt queries, it can invoke a key recovery adversary on the same hierarchy (1). As we assumed that the scheme at hand is insecure w.r.t key recovery, the key recovery adversary returns the correct key of the target node with non-negligible advantage. Now the indistinguishability adversary can compare the value provided by the challenger (in the challenge phase of the game) to the value output by the key recovery adversary and win the game described in Def 2.2 with non-negligible advantage (2). This contradicts our assumption that the scheme is secure w.r.t key indistinguishability. Hence a key indistinguishability secure scheme is also secure w.r.t key recovery.

To see that security w.r.t key recovery doesn’t necessarily imply security w.r.t
indistinguishability, we can consider the example of Wu-Wei scheme itself, which
is secure w.r.t key recovery and not secure w.r.t key indistinguishability. We will
see why in the later part of this article.

1. Here, we assume that this key recovery adversary chooses the same target node as the key indistinguishability adversary, which happens with probability 1/n, where n is the number of nodes in the hierarchy.
2. The advantage here would be 1/n of the advantage with which the key recovery adversary wins the game in Def 2.1. However, note that even this would be non-negligible.
Fig. 1. Example Hierarchy

3 Review of Wu-Wei Scheme

Wu-Wei's scheme uses dependent keys and indirect key derivation. They claim that the security of the scheme depends on three assumptions, namely the discrete logarithm assumption (DL assumption), the decisional Diffie-Hellman assumption (DDH assumption) and the group decisional Diffie-Hellman assumption (GDDH assumption).

Preliminaries The central authority (CA) chooses two odd primes $p, q$ such that $p = 2q + 1$. For a subgroup $G$ of $Z_p^*$, an auxiliary function $f : G \to [1, q]$ is defined as
$$f(x) = \begin{cases} x & \text{if } x \le q \\ p - x & \text{otherwise} \end{cases}$$

Key Assignment The key assignment to the nodes is done by the CA as follows. Each node $p_i \in P$ is assigned $g_i$, a unique generator of the group $G$. The corresponding key $K_i$ is computed by the CA as defined below and securely distributed to the users in $p_i$:
$$K_i = \begin{cases} \text{randomly chosen from } G & \text{if } p_i \text{ is a root node} \\ f\!\left(g_i^{\prod(\mathrm{keys}(\mathrm{ImmPred}(p_i)))}\right) & \text{otherwise} \end{cases}$$
where $\mathrm{keys}(S) = \{K_s : s \in S\}$. The set of values
$$\{g_i^{\prod(\mathrm{keys}(S))} : S \subset \mathrm{ImmPred}(p_i) \text{ and } |S| = |\mathrm{ImmPred}(p_i)| - 1\}$$
is made public information. Note that $\prod(X) = \prod_{x \in X} x$, the product of the elements in the set $X$, and if $X = \emptyset$ then $\prod(X) = 1$.

Key Derivation For any non-root node $p_i$, an immediate predecessor $p_j$ of $p_i$ can derive the key as
$$K_i = f\!\left(h_{i,j}^{K_j}\right) \quad \text{where } h_{i,j} = g_i^{\prod(\mathrm{keys}(\mathrm{ImmPred}(p_i)) - \{K_j\})} \text{ is a public value.}$$
If the key of a non-immediate successor $p_i$ of a node $p_j$ needs to be derived, we need to find a path from $p_j$ to $p_i$ and derive the keys of all the intermediate nodes on the path using the above method. Hence one can see that the key derivation is indirect.

Example Consider the hierarchy in Fig. 1. Initially, unique generators $g_a$ to $g_f$ are assigned to all nodes and made public. $K_a$ is chosen randomly from $G$ as $a$ is the root node. $K_b$ is computed as $K_b = f(g_b^{K_a})$. For node $e$, $K_e = f(g_e^{K_b \cdot K_c})$, as it has $b$ and $c$ as its immediate predecessors. Also note that $h_{e,b} = g_e^{K_c}$ and $h_{e,c} = g_e^{K_b}$ are made public.

It should be noted that the Wu-Wei scheme is not secure w.r.t key indistinguishability. To see why, consider the hierarchy in Fig. 1 and let $b$ be the target node. According to the game defined in Def 2.2, an adversary is allowed to corrupt node $d$ and thus obtain its key. Now, when the challenger gives it $x$ (either $K_b$ or $\bar{K}_b$), the adversary checks whether $K_d = f(g_d^x)$ or not and can thus correctly output the bit $b$ in the last phase of the game. In this way the adversary has a non-negligible advantage in winning the game, and we conclude that the scheme is insecure w.r.t key indistinguishability.

4 Wu-Wei's security proof revisited

Wu-Wei provided a proof of security w.r.t key recovery for their scheme [9]. We present a sketch of their proof in this section. The security of the scheme, as Wu-Wei claim, depends on the three assumptions discussed below.

4.1 Assumptions
The security proof of the scheme according to Wu-Wei relies on three standard assumptions, namely the discrete logarithm (DL) assumption, the decisional Diffie-Hellman (DDH) assumption and the group decisional Diffie-Hellman (GDDH) assumption over the group $G$ (of prime order $q$) [4], [8], [5]. Let $g$ be a generator of $G$, let $a, b, c$ be random variables uniform on $[1, q]$, let $\chi$ be a set of random variables uniform on $[1, q]$, and let $l$ be the binary length of $q$, with $|\chi|$ polynomially bounded by $l$. For any probabilistic polynomial time (in $l$) algorithm $A$, any polynomial $Q$, and $l$ large enough, the three assumptions can be formally expressed as follows:

DL assumption. The DL assumption states that no polynomial time algorithm can obtain $a$ given $g, g^a$ as inputs. Mathematically:
$$\Pr[A(g, g^a) = a] < 1/Q(l)$$

DDH assumption. Consider an algorithm $A$ which outputs 1 when it guesses that the input given to it is of the form $(g, g^a, g^b, g^{ab})$ and 0 for $(g, g^a, g^b, g^c)$, where $c \neq ab$. Then the DDH assumption can be expressed as:
$$\left|\Pr[A(g, g^a, g^b, g^{ab}) = 1] - \Pr[A(g, g^a, g^b, g^c) = 1]\right| < 1/Q(l)$$

When the above assumption holds we say that the distributions $(g, g^a, g^b, g^{ab})$ and $(g, g^a, g^b, g^c)$ are polynomially indistinguishable. For convenience we write the above assumption as:
$$(g, g^a, g^b, g^{ab}) \approx_{poly} (g, g^a, g^b, g^c)$$

GDDH assumption. Let $\prod(\chi)$ represent the product of the elements in $\chi$, i.e. $\prod(\chi) = \prod_{x \in \chi} x$. According to this assumption, no polynomial time algorithm (say $A$) is able to distinguish between $g^{\prod(\chi)}$ and $g^c$, where $c \neq \prod(\chi)$, even if it is given $g^{\prod(S)}$ for all proper subsets $S$ of $\chi$ as inputs. Consider an algorithm $A$ that outputs 1 when it guesses that the input given to it was of the form $(g, g^a, g^b, g^{\prod(\chi)})$ and 0 for $(g, g^a, g^b, g^c)$. Then the GDDH assumption can be expressed as:
$$\left|\Pr[A(g, g^{\prod(\chi)}, g^{\prod(S)} \mid S \subset \chi) = 1] - \Pr[A(g, g^c, g^{\prod(S)} \mid S \subset \chi) = 1]\right| < 1/Q(l)$$

Again, for notational convenience we write the above assumption as
$$(g, g^{\prod(\chi)}, g^{\prod(S)} \mid S \subset \chi) \approx_{poly} (g, g^c, g^{\prod(S)} \mid S \subset \chi)$$

4.2 Proof

Let $P$ be the set of all nodes in the hierarchy. Assume $|P|$ is polynomially bounded by $l$. Also, let $p_t$ be the target node, $K_t$ its secret key and $A$ the set of predecessors of $p_t$, i.e. $A = \mathrm{Anc}(p_t) - \{p_t\}$. Now, we need to show that even if all the users of $P - A - \{p_t\}$ collude, it is intractable for them to compute $K_t$.

We divide the set $P - (A \cup \{p_t\})$ into three subsets as follows.

– $B$ is the set of nodes in $P - A$ which have no predecessors in $P - A$ and which are not $p_t$.
– $D$ is the set of immediate successors of $p_t$, i.e. $D = \mathrm{ImmDesc}(p_t)$.
– $R$ is the set of remaining nodes, i.e. $R = P - (A \cup \{p_t\} \cup B \cup D)$.

It should be noted that $R \cap B = R \cap D = \emptyset$, which is obvious from how $R$ is defined. Also, $B \cap D = \emptyset$, because if a node is in $D$ then one of its predecessors is $p_t$, which means it has a predecessor not in $P - A$ and is thus not eligible to be in $B$ by definition.

For example, consider the hierarchy in Fig. 1 and let node $b$ be the target node. Then $A = \{a\}$, $B = \{c\}$ as node $c$ does not have any predecessors in $P - A$, $D = \{d, e\}$ and $R = \{f\}$.

The proof proceeds by establishing the following claims.

Claim 1. Even if all the users in B collude, finding Kt is intractable.

Claim 2. Even if all the users in B ∪ D collude, finding Kt is intractable.

Claim 3. Even if all the users in B ∪ D ∪ R collude, finding Kt is intractable.

Let $g_t$ be the generator assigned to $p_t$ and $\chi$ the set of keys of the immediate predecessors of $p_t$. Also, let $x = \prod(\chi)$, so that $K_t = g_t^x$. The public information related to $p_t$ is
$$\{g_t\} \cup \{g_t^{\prod(S)} \mid S \subset \chi, |S| = |\chi| - 1\}$$

First we consider the case where all the users in $B$ collude. If nodes in $B$ share common immediate predecessor(s) with $p_t$, then a subset of the set $\{g_{b_i} \mid b_i \in B\} \cup \{g_{b_i}^{\prod(S)} \mid S \subseteq \chi, b_i \in B\}$, where $g_{b_i}$ is the generator of node $b_i \in B$, might be held by $B$. It is important to note that this is the maximal information that might be held by $B$ through common immediate predecessors; the exact information that $B$ possesses depends on the number of immediate predecessors shared by the target node and each node in $B$. So, the information that users in $B$ might have in the worst case is
$$\{g_{b_i} \mid b_i \in B\} \cup \{g_{b_i}^{\prod(S)} \mid S \subseteq \chi, b_i \in B\}$$

Overall, the information held by users of $B$ is:
$$\upsilon = \{g_t\} \cup \{g_t^{\prod(S)} \mid S \subset \chi, |S| = |\chi| - 1\} \cup \{g_{b_i} \mid b_i \in B\} \cup \{g_{b_i}^{\prod(S)} \mid S \subseteq \chi, b_i \in B\}$$

The following theorem is proved in Wu-Wei [9]. It shows that, given the information described above, it is intractable for a polynomial time adversary to distinguish $g_t^x = g_t^{\prod(\chi)}$ from $g_t^c$ for random $c$.

Theorem 1. Suppose the DDH and GDDH assumptions hold on the group $G$. Let $c$ be a random variable uniform on $[1, q]$. Then the two distributions
$$V_{bn} = \left( g_t^{\prod(\chi)},\ \{g_t\},\ \{g_t, g_t^{\prod(S)} \mid S \subset \chi\},\ \{g_{b_i} \mid b_i \in B\},\ \{g_{b_i}^{\prod(S)} \mid S \subseteq \chi, b_i \in B\} \right)$$
and
$$V'_{bn} = \left( g_t^{c},\ \{g_t\},\ \{g_t, g_t^{\prod(S)} \mid S \subset \chi\},\ \{g_{b_i} \mid b_i \in B\},\ \{g_{b_i}^{\prod(S)} \mid S \subseteq \chi, b_i \in B\} \right)$$
are polynomially indistinguishable.

Now, if we consider the case where $B$ and $D$ collude, the set $\{g_{d_i}, g_{d_i}^{K_t} \mid d_i \in D\}$ would be accessible to the colluding nodes. Note that the $g_{d_i}$ are the generators assigned to the nodes $d_i \in D$. The following example shows how this information can be generated by users in $B$ and $D$.

Example. If $d_i$ has only one immediate predecessor, then $g_{d_i}^{K_t}$ is the secret key held by it. Even if $d_i$ has more than one immediate predecessor, the above information can be calculated by collusion. In Fig. 2, the node $f$ has three immediate predecessors. Let $b$ be the target node; then $D = \{f\}$ and $B = \{c, d\}$. So, the information available as public values is $\{g_f^{K_b \cdot K_e}, g_f^{K_e \cdot K_d}, g_f^{K_d \cdot K_b}\}$. Now $c$ can derive the key $K_e$ of $e$ and thus calculate $g_f^{K_b} = (g_f^{K_b \cdot K_e})^{(K_e)^{-1}}$.

Fig. 2.

The following theorem is proved in Wu-Wei [9] using the DL assumption and the result of Theorem 1.

Theorem 2. It is intractable for any polynomial time (in $l$) algorithm to derive $g_t^x$, i.e. $K_t$, from
$$I = \{g_t, g_t^{\prod(S)} \mid S \subset \chi, |S| = |\chi| - 1\} \cup \{g_{b_i}, g_{b_i}^{\prod(S)} \mid S \subseteq \chi, b_i \in B\} \cup \{g_{d_i}, g_{d_i}^{f(g_t^x)} \mid d_i \in D\}$$
i.e. for any polynomial time (in $l$) algorithm $A$ and any polynomial $Q$, if $l$ is sufficiently large, then
$$\Pr[A(I) = f(g_t^x)] < 1/Q(l).$$

Now consider the third case, where $B \cup D \cup R$ collude. Note that all the nodes in $R$ are successors of nodes in $B$ or $D$, so potentially no extra information is added to the information set $I$. Hence, as we have shown that $B \cup D$ cannot collude to recover the key $K_t$, it is also intractable for $B \cup D \cup R$ to collude and compute $K_t$. This completes the proof.

5 Problems with the proof


5.1 Incomplete information
In the proof above, the main idea is to partition the nodes which could potentially be corrupted by an adversary into three different sets. Each set contains nodes that hold similar information about $K_t$, which is considered critical to the security. When we consider the information relevant to the target node's key that is held by nodes in $B$, such information might be present due to common predecessors or common successors shared by the target node and the nodes in $B$. But the set of values $\{g_{b_i} \mid b_i \in B\} \cup \{g_{b_i}^{\prod(S)} \mid S \subseteq \chi, b_i \in B\}$, which Wu-Wei [9] claim to be the whole of the information possibly held by users in $B$, is an underestimate. The information that $B$ holds due to common non-immediate predecessors (3) is not accounted for. Hence, the information that would be held by nodes in $B$, either as public or private information, due to common predecessors is not completely covered. This makes the proof of Claim 1 incomplete, as not all the possible information is considered. Note that the proof also neglects the information available to $B$ due to common successors, but in Claim 2 it is covered exhaustively. Even in this case the authors state that the information available would be a subset of $\{g_{d_i}, g_{d_i}^{K_t} \mid d_i \in D\}$, but it is not a subset that would be available but the whole set, in all possible cases.

We now model the information which was missed in Wu-Wei's proof, i.e. the information that is known to the users in $B$ which share non-immediate predecessors with the target node. Let us say $p_t$, the target node, and $b \in B$ share a non-immediate predecessor $p$. Since $p$ is a predecessor of both $p_t$ and $b$, there exist one or more paths from $p$ to $p_t$ and from $p$ to $b$. For every possible pair of paths from $p$ to $p_t$ and from $p$ to $b$, the relevant information held by the users in $b$ is as described below.

3. The common predecessor, which might be an immediate predecessor of only one or of none of the nodes under consideration.

Let $p_t^r (= p), p_t^{r-1}, \dots, p_t^1, p_t^0 (= p_t)$ and $p_b^s (= p), p_b^{s-1}, \dots, p_b^1, p_b^0 (= b)$ be a pair of such paths, and let $k_t^i$ and $k_b^j$ denote the keys of $p_t^i$ and $p_b^j$. Also let $K_t^{i+1}$ and $K_b^{j+1}$ be the sets of keys of all immediate predecessors of $p_t^i$ and $p_b^j$ respectively, where $0 \le i < r$ and $0 \le j < s$. Now the key of the target node can be expressed as
$$k_t = g_{p_t^0}^{\,\prod(K_t^1 - \{k_t^1\}) \cdot g_{p_t^1}^{\,\prod(K_t^2 - \{k_t^2\}) \cdots g_{p_t^{r-1}}^{\,\prod(K_t^r - \{k_t^r\}) \cdot k_t^r}}}$$
and also
$$k_b = g_{p_b^0}^{\,\prod(K_b^1 - \{k_b^1\}) \cdot g_{p_b^1}^{\,\prod(K_b^2 - \{k_b^2\}) \cdots g_{p_b^{s-1}}^{\,\prod(K_b^s - \{k_b^s\}) \cdot k_b^s}}}$$

Notice that the information common to both these expressions is $k_b^s$ and $k_t^r$, which are nothing but the key of the common predecessor $p$. Though this exact information is missing from Wu-Wei's proof, information of a similar sort is considered there and it is proven that the key cannot be recovered from it. So, it is easy to see that the information obtained by the users in $B$ due to a non-immediate common predecessor also cannot be used to generate the key of the target node.

5.2 Improper B-Definition

We have discussed earlier that Wu-Wei's proof [9] tries to consider only the information available to $B$ due to common immediate predecessors. But we have noticed that their proof fails to achieve even this in some cases. The definition of $B$ as given by Wu-Wei leaves out some nodes which hold information (due to common immediate predecessors) relevant to $K_t$. So, in these cases, though information similar to that in Theorem 1 is available in the hierarchy, it is neglected due to the bad definition of $B$. We demonstrate the problem with Wu-Wei's definition of the set $B$ using the example below.

Example. Consider the hierarchy shown in Fig. 3. Let $e$ be the target node; then the set of ancestors $A$ is $\{a, b, c\}$. Node $d$ doesn't have any predecessors in $P - A$, so $d$ is in $B$. But $f$ has $d$ as a predecessor, which is in $P - A$, so $f$ is not in $B$. Therefore, according to Wu-Wei's definition, $B = \{d\}$. But one can note that no node in $B$ holds any critical information similar to that in the set $\upsilon$ (4), as no node in $B$ shares a common immediate predecessor with $e$ (the target node). So the whole argument of Theorem 1 is not required in this case. But if we observe the node $f$, it shares a common immediate predecessor with $p_t$ and holds critical information similar to that in the set $\upsilon$, yet $f$ is not included in $B$. In order to fix the above problem, we need to provide a more generic definition for $B$.

4. $\upsilon = \{g_t\} \cup \{g_t^{\prod(S)} \mid S \subset \chi, |S| = |\chi| - 1\} \cup \{g_{b_i} \mid b_i \in B\} \cup \{g_{b_i}^{\prod(S)} \mid S \subseteq \chi, b_i \in B\}$

Fig. 3.

The basic idea behind the definition of $B$ is to include all nodes which might be in possession of critical information about the target node's key through its predecessors, i.e. the nodes which might have predecessors of $p_t$ as their immediate predecessors. Observe that the siblings of the nodes on a path from the root to the target node may have common children with the target node $p_t$ and thus hold some sensitive information regarding the key of the target node. The siblings of the target node itself are also included, because they hold related information, as some or all of the immediate predecessors of the target node are also their immediate predecessors. We propose the following definition for the set $B$.

Definition 5.1 The set $B$ for a given hierarchy is constructed as below

– $B$ is defined as the set of all the siblings (not in $A \cup \{p_t\}$) of the nodes that are encountered on all possible paths from the root node to the target node.

In the hierarchy in Fig. 3, according to the new definition, one can see that $B = \{d, f\}$. Note that there are two paths from $a$ (root node) to $e$ (target node), namely $a, b, e$ (path 1) and $a, c, e$ (path 2). Consider all the nodes along path 1, which are $a$, $b$ and $e$. The node $f$ (sibling of $e$), which is not in $A \cup \{p_t\}$, is added to $B$. Considering path 2 similarly, node $d$ is a sibling of $c$ and is not in $A \cup \{p_t\}$, so it is added to $B$ as well.

However, the above definition does not work for multi-rooted hierarchies, as which root is to be considered becomes ambiguous in that case. Hence Definition 5.1 needs to be changed for hierarchies with more than one root node. So, the definition below is proposed for the set $B$.

Definition 5.2 The set $B$ for a given hierarchy is constructed as below

– If the hierarchy has more than one root, then add an imaginary node (say node $-1$) such that all the existing root nodes are children of node $-1$.
– Now, using the new hierarchy, $B$ is defined as the set of all the siblings (not in $A \cup \{p_t\}$) of the nodes that are encountered on all possible paths from the root node to the target node.

As an example of a multi-rooted hierarchy, consider Fig. 4. Since it is multi-rooted, we need to add a dummy root as shown in Fig. 5, where node $-1$ represents the dummy root. Let the target node be $p_t = f$. First, consider the path $-1, b, d, f$: clearly $e$ is a sibling of $d$ and $g$ a sibling of $f$. After considering all the other paths, the set $B$ remains $\{e, f\}$ in this case.
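The two constructions above, Wu-Wei's partition of $P - (A \cup \{p_t\})$ into $B$, $D$ and $R$ from Section 4.2 and the sibling-based set $B$ of Definition 5.2 (including the dummy root for multi-rooted hierarchies), as an added Python example that is not part of the paper. The hierarchies FIG1 and FIG3 are reconstructed from what the text states about Fig. 1 and Fig. 3 (placing $f$ under $e$ in Fig. 1 is an assumption, since the figures are not on the page); TWO_ROOTS is constructed here; all function names are the example's own.

```python
"""Added example: the A/B/D/R partition of Section 4.2 (Wu-Wei's definition
of B) next to the sibling-based B of Definition 5.2.  A hierarchy is a dict
mapping each node to the list of its immediate predecessors."""
from collections import deque

# Constructed hierarchies, reconstructed from what the text states about
# Fig. 1 and Fig. 3 (the figures are not on the page; f under e in Fig. 1 is
# an assumption).  TWO_ROOTS is constructed here to exercise the dummy root.
FIG1 = {"a": [], "b": ["a"], "c": ["a"], "d": ["b"], "e": ["b", "c"], "f": ["e"]}
FIG3 = {"a": [], "b": ["a"], "c": ["a"], "d": ["a"], "e": ["b", "c"], "f": ["b", "d"]}
TWO_ROOTS = {"r1": [], "r2": [], "x": ["r1"], "y": ["r2"]}


def ancestors(h, v):
    """Strict predecessors of v, i.e. Anc(v) - {v}."""
    seen, todo = set(), deque(h[v])
    while todo:
        u = todo.popleft()
        if u not in seen:
            seen.add(u)
            todo.extend(h[u])
    return seen


def children(h, v):
    """ImmDesc(v): nodes having v as an immediate predecessor."""
    return {w for w, preds in h.items() if v in preds}


def wu_wei_partition(h, t):
    """A, B, D, R for target t exactly as Section 4.2 defines them."""
    A = ancestors(h, t)
    rest = set(h) - A                      # P - A
    B = {v for v in rest if v != t and not (ancestors(h, v) & rest)}
    D = children(h, t)
    R = set(h) - (A | {t} | B | D)
    return A, B, D, R


def siblings(h, v):
    """Nodes that share at least one immediate predecessor with v."""
    out = set()
    for p in h[v]:
        out |= children(h, p)
    out.discard(v)
    return out


def definition_52_B(h, t):
    """B per Definition 5.2: every sibling, outside A ∪ {t}, of a node lying on
    some root-to-target path.  With a single root those nodes are exactly
    Anc(t) ∪ {t}; a multi-rooted hierarchy first gets the dummy root -1."""
    h = {v: list(p) for v, p in h.items()}
    roots = [v for v, p in h.items() if not p]
    if len(roots) > 1:
        h["-1"] = []
        for r in roots:
            h[r] = ["-1"]
    on_path = ancestors(h, t) | {t}        # also the set excluded from B
    B = set()
    for v in on_path:
        B |= siblings(h, v) - on_path
    return B


if __name__ == "__main__":
    print("Fig. 1, target b, Wu-Wei A/B/D/R:", wu_wei_partition(FIG1, "b"))
    print("Fig. 3, target e, Wu-Wei B:", wu_wei_partition(FIG3, "e")[1])
    print("Fig. 3, target e, Definition 5.2 B:", definition_52_B(FIG3, "e"))
    print("two roots, target x, Definition 5.2 B:", definition_52_B(TWO_ROOTS, "x"))
```

On FIG3 with target $e$ the two definitions disagree exactly as the text describes: Wu-Wei's rule yields $\{d\}$, while Definition 5.2 also picks up $f$, which shares the immediate predecessor $b$ with the target. On FIG1 with target $b$ both give $\{c\}$, and the partition returns $A = \{a\}$, $D = \{d, e\}$, $R = \{f\}$ as in Section 4.2.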

Fig. 4.

5.3 Incorrect inference


Another anomaly exists in Wu-Wei's proof. In [9], it is stated that:

Theorem 1 formally shows that even if all the nodes in B (according to Wu-Wei's definition) conspire, with the information I (5), they cannot distinguish Kt from a random number on [1, q].

To be precise, it states that, given the information below, which consists of the public values and the information relevant to $K_t$ derived from the keys of nodes in $B$, it is impossible for any polynomial time adversary to distinguish between $K_t$ and a random number:
$$\{g_t, g_t^{\prod(S)} \mid S \subset \chi, |S| = |\chi| - 1\} \cup \{g_{b_i}, g_{b_i}^{\prod(S)} \mid S \subseteq \chi, b_i \in B\}$$
But this claim can be disproved with the example that follows.

5. $I = \{g_t\} \cup \{g_t^{\prod(S)} \mid S \subset \chi, |S| = |\chi| - 1\} \cup \{g_{b_i} \mid b_i \in B\} \cup \{g_{b_i}^{\prod(S)} \mid S \subseteq \chi, b_i \in B\}$

Fig. 5.

Consider the hierarchy in Fig. 1. Let $b$ be the target node; as already discussed, $B = \{c\}$. Now, the information available to the adversary through collusion with all the users of nodes in set $B$ includes $\{g_b\} \cup \{g_c, g_c^{K_a}\}$. Note that $f(g_c^{K_a}) = K_c$ is known to the adversary. So, the adversary can compute $K_e = f(h_{e,c}^{K_c})$ using $h_{e,c}$, which is publicly available. Hence the adversary has the secret key $K_e$ of node $e$. Now, if the adversary is given $x$ (which can be $K_b$ or a random value in $[1, q]$), it checks whether or not $f(h_{e,b}^x) = K_e$. If $f(h_{e,b}^x) = K_e$, then it can be inferred that the given $x$ was $K_b$, and if $f(h_{e,b}^x) \neq K_e$, the given $x$ was a random number. Thus, the adversary is able to distinguish between $K_t$ and a random value. This negates the authors' claim in [9].

Also, since the indistinguishability claim in Wu-Wei's proof for the case where the whole of $B$ colludes is shown to be wrong, one needs to prove that all users of $B$ colluding does not pose a threat to key recovery security in order to complete the proof of Claim 1.
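The scheme of Section 3 together with the two key-indistinguishability distinguishers the paper describes for it, the one in Section 3 that corrupts the child $d$ and the one just above that colludes with $B = \{c\}$, as an added Python example that is not the authors' code. It assumes a constructed toy safe prime $p = 2039$, $q = 1019$ with $G$ the quadratic residues mod $p$ (so that $f$ is a bijection from $G$ onto $[1, q]$), the Fig. 1 hierarchy as reconstructed from the text (placing $f$ under $e$ is an assumption), and root keys drawn as $f$ of a random element of $G$ so that every key lies in $[1, q]$; the class and function names are the example's own.

```python
"""Added example: toy Wu-Wei key assignment (Section 3) plus the two
key-indistinguishability distinguishers the text describes.  Not the
authors' code; the parameters are small constructed values, not secure ones."""
import random
from functools import reduce

P, Q = 2039, 1019     # constructed safe prime p = 2q + 1 (checked below)


def is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))


assert is_prime(P) and is_prime(Q) and P == 2 * Q + 1

# G is the subgroup of quadratic residues mod p; it has prime order q, so every
# element other than 1 generates it.  Because -1 is a non-residue for p = 3 mod 4,
# x and p - x are never both in G, so f below maps G bijectively onto [1, q].
G_ELEMENTS = sorted({pow(x, 2, P) for x in range(2, P - 1)} - {1})


def f(x):
    """The scheme's auxiliary map G -> [1, q]."""
    return x if x <= Q else P - x


def prod_mod_q(keys):
    """Product of keys reduced mod q = |G| (exponents only matter mod q)."""
    return reduce(lambda acc, k: acc * k % Q, keys, 1)


class WuWeiScheme:
    """CA side: assigns generators and keys and publishes the h_{i,j} values.
    `preds` maps each node to the list of its immediate predecessors."""

    def __init__(self, preds, seed=1):
        self.preds = preds
        rng = random.Random(seed)
        self.gen = dict(zip(preds, rng.sample(G_ELEMENTS, len(preds))))
        self.key, self.pub = {}, {}
        for node in self._topological():
            ps = preds[node]
            if not ps:
                # Root: random element of G, pushed through f into the key space.
                self.key[node] = f(rng.choice(G_ELEMENTS))
                continue
            exp = prod_mod_q(self.key[p] for p in ps)
            self.key[node] = f(pow(self.gen[node], exp, P))
            for j in ps:  # h_{i,j} = g_i ^ (product of the other predecessors' keys)
                others = prod_mod_q(self.key[p] for p in ps if p != j)
                self.pub[(node, j)] = pow(self.gen[node], others, P)

    def _topological(self):
        done, order = set(), []
        while len(order) < len(self.preds):
            for v, ps in self.preds.items():
                if v not in done and all(p in done for p in ps):
                    done.add(v)
                    order.append(v)
        return order


def derive(scheme, i, j, key_j):
    """Key derivation by immediate predecessor j of i: K_i = f(h_{i,j}^{K_j})."""
    return f(pow(scheme.pub[(i, j)], key_j, P))


def ki_check_via_corrupted_child(scheme, child, x):
    """Section 3 distinguisher: `child` has the target as its only immediate
    predecessor and was corrupted, so x is the real key iff f(g_child^x) = K_child."""
    return f(pow(scheme.gen[child], x, P)) == scheme.key[child]


def ki_check_via_collusion(scheme, target, b_node, common_child, x):
    """Section 5.3 distinguisher: the key of b_node (in B) yields K_child through
    the public h_{child,b_node}; x is then tested against the public h_{child,target}."""
    k_child = derive(scheme, common_child, b_node, scheme.key[b_node])
    return derive(scheme, common_child, target, x) == k_child


def demo():
    """Runs derivation and both distinguishers on the Fig. 1 hierarchy as
    reconstructed from the text (f under e is an assumption)."""
    fig1 = {"a": [], "b": ["a"], "c": ["a"], "d": ["b"], "e": ["b", "c"], "f": ["e"]}
    s = WuWeiScheme(fig1)
    rng = random.Random(7)
    fake = rng.randint(1, Q)              # the challenger's random key \bar{K}_b
    while fake == s.key["b"]:
        fake = rng.randint(1, Q)
    return {
        "derive_e_from_b": derive(s, "e", "b", s.key["b"]) == s.key["e"],
        "derive_e_from_c": derive(s, "e", "c", s.key["c"]) == s.key["e"],
        "corrupt_d_real": ki_check_via_corrupted_child(s, "d", s.key["b"]),
        "corrupt_d_random": ki_check_via_corrupted_child(s, "d", fake),
        "collude_c_real": ki_check_via_collusion(s, "b", "c", "e", s.key["b"]),
        "collude_c_random": ki_check_via_collusion(s, "b", "c", "e", fake),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Both checks answer correctly for the real key and for the random one, which is exactly the non-negligible advantage in the Def 2.2 game that the text uses to conclude the scheme is not key indistinguishable; neither check recovers $K_b$ itself, which is consistent with the key recovery claim being the one still worth proving.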

6 Our proof
As we have seen, the proof given by Wu-Wei [9] is not acceptable due to the problems pointed out in the previous section. In this section, we provide another proof for Wu-Wei's scheme using modern notions of security, which would be the first provable-security style proof for any dependent-key based scheme in the literature.
6.1 Outline
In this section, we briefly outline the proof, which is discussed in detail in the next section. To prove the key recovery security of Wu-Wei's scheme, we first model all the information available to the adversary consistently and completely, unlike the previous proof; this is the first game the adversary plays. Then we remove the dependency between the values (both private and public information) of the predecessors of the target node by constructing a series of similar games, each differing from the previous one only in some of the information provided to the key recovery adversary. We use an argument called twining, and a lemma described later, to construct the games in such a way that the adversary cannot perceive the change in information from the former game; otherwise we could construct a polynomial time adversary with a non-negligible advantage in breaking the DDH assumption. Having concluded that the adversary's behaviour does not differ significantly between the first and the last game of the series, we then argue that the probability of any adversary succeeding in producing the key of the target node in the last game, using the available information, is the same as that of a polynomial time adversary guessing the key. Thus, we conclude that the scheme is secure w.r.t key recovery.

6.2 Proof in detail


Theorem 1. Wu-Wei's scheme is secure w.r.t key recovery provided the DDH and DL assumptions hold on the group $G$.

Let $\Gamma$ be a family of graphs corresponding to partially ordered hierarchies and let $G = (V, E)$ be some graph in $\Gamma$. Let $u \in V$ be a class in the hierarchy and let $STAT_u$ be a static polynomial time adversary attacking the class $u$. Based on the constraints of Def 2.1, $STAT_u$ is allowed to corrupt only the nodes which do not have access to the target node $u$. If we let $A$ be the set of predecessors of $u$ (including $u$), then the set of nodes which $STAT_u$ can corrupt is $V - A$.

Twining. This argument is used to rename the product of the keys of two
ancestors, which appears in the exponent of the key of their common successor
node, as a single value. In the next game that value is replaced by a random
one, every other occurrence of the product is replaced in the same way, and the
decisional Diffie-Hellman problem is modelled on the two successive games to
show that the key recovery adversary cannot perceive the change in the
ancestors' information. The argument is needed only when a node has two or more
immediate predecessors, so it is not used in the first case. It is necessary
when the target node lies at a level below the immediate successors of the root,
or when the target node is an immediate successor in a hierarchy with multiple
roots and also has a sibling, as in hierarchy 2 of case 2.
To prove the theorem, we define a sequence of indistinguishable games G_0, G_1,
..., where G_0 is the actual adversarial game and the adversary's advantage in
the last game is negligible. In each game G_j the goal of the adversary is to
output k'_u, her best guess for the key k_u chosen by the challenger in the
attack game. Let SUCC_j be the event that k'_u = k_u in game G_j.
For clarity of exposition, we first discuss two special cases, which exemplify
the most technical aspects of the proof; we then describe how to tackle the
general case.

First case: u is one of the root nodes in G.

We typically have three types of hierarchies for this case; any other hierarchy
can be reduced to one of them.

Fig. 6.

As shown in Fig. 6, the target root node is named 1 in all three hierarchies.
The first hierarchy has a single root and a single child, the second a single
root and multiple children, and the third multiple roots and multiple children.
We assume that there exists an adversary A_KR-ST which breaks the scheme with
non-negligible probability in polynomial time, and we use it to build an
algorithm for the discrete logarithm problem as follows:

Algorithm A_DL(g, g^α)
  k_1 := α
    comment: α is implicitly taken to be the key of node 1 and is not known to
    A_DL. Other root nodes such as 5 are corruptible, so they are assigned
    arbitrary values from the set of valid keys and are given to the KR-ST
    adversary.
  g_2 := g
  x := product of the keys of the immediate predecessors of 2 other than 1
    comment: if a node has a single immediate predecessor, as in hierarchy 2,
    then x = 1.
  k_2 := (g^α)^x
    comment: a node may have any number of siblings; they are modelled as
    follows.
  for each sibling a of node 2:
    g_a := g^r, where r is a random value
    y := product of the keys of the immediate predecessors of a other than 1
    k_a := (g^α)^(r·y)
    comment: all remaining public and private values given to the adversary
    can be computed as usual from the values above.
  k'_1 := A_KR-ST(1^τ, G, pub, corr)
  return k'_1
End A_DL

Notice that in the above algorithm α is not available, so to model the
information consistently we exploit the values g and g^α that are available.
Since we cannot compute the keys of the siblings of node 2 without α, we assign
them generators g^r with r random; according to the scheme (if the sibling has a
single parent) its key should be (g^r)^α = (g^α)^r, which can be computed because
g^α is available (if the sibling has multiple parents, the remaining parents are
corruptible and their keys are known, so the value g^(r·α) is further raised to
the product of those keys). Likewise, root nodes other than the target, such as
node 5, are corruptible, so they can be assigned any valid value and are given
to the KR-ST adversary in corr.
So if the adversary outputs k_1 correctly, we have a polynomial time algorithm
for the DL problem modelled here in the keys of nodes 1 and 2. But the DL problem
is assumed to be hard, which contradicts our assumption that such a KR-ST
adversary exists. Hence any KR-ST adversary has the same advantage as a
polynomial time adversary attacking the DL problem.
We now give the proof for nodes immediately below a root node.

Second case: u is an immediate successor of one of the root nodes in G.

Again three typical hierarchies are possible; in all of them node 2 is the
target node.

Case 2a: As shown in the first hierarchy of Fig. 7, node 2 is the target node.
This case is similar to the first case, except that the target node has a
predecessor, which is the only root node in the hierarchy.
Fig. 7.

If the target node has descendants, we assume that there exists an adversary
A_KR-ST which breaks the scheme with non-negligible probability in polynomial
time, and we use it to build an algorithm for the DL problem as follows:

Algorithm A_DL(g, g^α)
  k_2 := α
    comment: α is implicitly taken to be the key of node 2 and is not known to
    A_DL. Node 1 is assigned a random key from the set of valid keys.
  g_3 := g
  k_3 := g^α
    comment: any other descendant of 2, like node 3, is given the generator g^r
    with r random and the key (g^α)^r. All remaining public and private values
    given to the adversary can be computed as usual.
  k'_2 := A_KR-ST(1^τ, G, pub, corr)
  return k'_2
End A_DL

So if the adversary outputs k_2, we have a polynomial time algorithm for the
DL problem. But the DL problem is assumed to be hard, which contradicts our
assumption that such a KR-ST adversary exists. Hence any KR-ST adversary has
the same advantage as a polynomial time adversary attacking the DL problem.
Next we consider the case where the target node has a sibling. This case differs
from the previous one because the adversary against the scheme must be given
the keys of the siblings. In the algorithm the key of the root node is again
implicitly taken to be α, and the keys of the target node and its siblings are
constructed from the values input to the DDH algorithm.

Case 2b: As shown in the second hierarchy of Fig. 7, node 2 is the target node.
In this case we construct a series of two games G_0, G_1, in each of which we
modify the view of the KR-ST adversary; in the final game the KR-ST adversary
holds no real key values and so has the same advantage as a polynomial time
adversary trying to guess the key.

Algorithm A_DDH(g, g^α, g^β, z)
  k_1 := α
    comment: α is implicitly taken to be the key of node 1 and is not known to
    A_DDH.
  g_2 := g^β
  k_2 := f(z)
  for each sibling a of node 2:
    g_a := g^r, where r is a random value
    k_a := (g^α)^r
    comment: all remaining public and private values given to the adversary
    can be computed as usual from the values above.
  k'_2 := A_KR-ST(1^τ, G, pub, corr)
  return 1 if k'_2 = k_2, else 0
    comment: A_DDH answers "real" exactly when the KR-ST adversary returns the
    key that was computed from z.
End A_DDH

Game_0: This is the normal KR-ST adversarial game without any modification,
i.e., the adversary is given the correct keys and the values of all corruptible
nodes, derived from the real key values (z = g^(αβ)).

Game_1: In this game the value z input to the DDH algorithm is random, and all
remaining values of the descendants are computed as in the algorithm above.

$$
\mathrm{Adv}_{KR\text{-}ST} = \Pr[SUCC_0]
\le \big|\Pr[SUCC_0 \mid z = \text{real}] - \Pr[SUCC_1 \mid z = \text{random}]\big|
+ \Pr[SUCC_1 \mid z = \text{random}]
$$

Despite its knowledge of all public and private information derived from the
random key, it is information theoretically impossible for any polynomial time
adversary to tell that the values are random unless it already knows the actual
k_2. It follows that the probability of the adversary KR-ST succeeding in game
G_1 is just 1/2^τ, where τ is the security parameter:

$$
\Pr[SUCC_1] = \frac{1}{2^{\tau}}
$$

$$
\mathrm{Adv}_{KR\text{-}ST} = \Pr[SUCC_0] \le \epsilon_{DDH} + \frac{1}{2^{\tau}}
$$

where ε_DDH denotes the advantage of a polynomial time algorithm in solving
DDH in G, which is negligible under the DDH assumption.

Lemma 1. |Pr[SUCC_0 | z = real] − Pr[SUCC_1 | z = random]| is at most ε_DDH.

Proof: By the construction of the games through the algorithm above, a KR-ST
adversary that outputs the key of node 2 correctly can be used to break the DDH
assumption. In game G_0 the target node's key is derived from the DH tuple
(g, g^α, g^β, g^(αβ)); in game G_1 the value g^(αβ) is replaced by a random
group element. A_DDH compares the key output by KR-ST with the key it computed
from z, so it outputs 1 with probability Pr[SUCC_0] when z is real and with
probability Pr[SUCC_1] when z is random; the difference of these two
probabilities is exactly the DDH advantage of A_DDH. If the KR-ST adversary
succeeds with non-negligible probability, as assumed, this advantage is
non-negligible and the DDH problem in G can be broken, contradicting the
assumption that it is hard. Hence the KR-ST adversary has only negligible
advantage in noticing the change of environment.

Having given the proof for a single root with a target node that has siblings,
we now consider the more general case in which the target node has multiple
parents, all of which are root nodes.

Case 2c: As shown in the third hierarchy of Fig. 7, node 2 is the target node,
and there are two or more root nodes in the hierarchy.

NOTE: There can be more than two root nodes. The following argument still
applies, but it must be repeated until the exponent of the target node's key has
been twined into a single value.

In this case we use the twining argument discussed earlier. We modify the
adversary's view in each successive game and show that the adversary has
negligible advantage in detecting the change between successive games.
Algorithm A_DDH(g, g^α, g^β, z)
  k_1 := α
  k_3 := β
    comment: α and β are implicitly taken to be the keys of the immediate
    predecessors 1 and 3 of node 2 and are not known to A_DDH. If there are
    more than two root nodes, the remaining ones are assigned valid values
    from the set of keys; in the next game c_1 takes the role of α and the key
    of a further root node the role of β, and the argument is repeated until a
    random value is reached and no root node is left unconsidered.
  g_2 := g
  c_1 ← αβ
    comment: the product αβ is renamed c_1.
  x := product of the keys of the immediate predecessors of node 2 other than
       1 and 3
  k_2 := f(z^x)
    comment: z is implicitly taken to be g^(αβ) or a random value, depending on
    the game. All remaining public and private values given to the KR-ST
    adversary can be computed from g^α, g^β and the keys of the remaining root
    nodes, which are available to A_DDH.
  k'_2 := A_KR-ST(1^τ, G, pub, corr)
  return 1 if k'_2 = k_2, else 0
End A_DDH

Game_0: This is the normal KR-ST adversarial game without any modification,
i.e., the adversary is given the correct keys and the public values of all
corruptible nodes. In this game the value z input to the algorithm is g^(αβ).
Game_{i−1}: In this game the value z input to the DDH algorithm is real, and
all remaining values of the descendants are computed as in case 2b.
Game_i: In this game the value z input to the DDH algorithm is random, and all
remaining values of the descendants are computed as in case 2b. Ultimately we
replace every occurrence of αβ (that is, c_i) with a random value.
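The two simulators on this page, the DL reduction of the first case and the DDH reduction of case 2c, as an added worked example that is not part of the paper. It is a toy Python model of the scheme in the form the reductions above rely on: root keys are exponents, a non-root node v holds k_v = g_v^(product of its immediate predecessors' keys), and f maps a group-element key back to an exponent. The group parameters (a small, insecure prime-order subgroup), the concrete hierarchy, the choice of f and all function names are assumptions made here. The example checks the property the proof depends on: the view built from (g, g^α) alone in case 1, and from (g, g^α, g^β, z) with z = g^(αβ) in case 2c, is identical to the real adversary's view on every corruptible node, while a random z changes only the target's key and whatever is derived from it.

```python
# Constructed toy parameters (insecure, for illustration only): P = 2Q + 1 with
# P, Q prime, and G = 4 generates the subgroup of order Q in Z_P^*.
P, Q, G = 1019, 509, 4


def f(h):
    """Assumed key-to-exponent map (the paper's f is not specified here):
    turns a group-element key into a non-zero exponent in Z_Q."""
    return 1 + h % (Q - 1)


def simulate(pred, s, hidden, root_keys):
    """Build (generators, keys) for every node except the hidden roots.

    pred       maps each node to the list of its immediate predecessors.
    s          maps each node v to s_v; the public generator is g_v = G^s_v.
    hidden     maps a frozenset H of hidden root(s) to the group element that
               stands in for G^(product of their keys): {1}: g^alpha in case 1;
               {1}: g^alpha, {3}: g^beta, {1,3}: z in case 2c (z = g^(alpha*beta)
               in G0, a random element in G1).
    root_keys  keys (exponents) of the corruptible roots.
    A child v whose hidden parents are H gets k_v = hidden[H]^(s_v * x_v), x_v
    being the product of the exponents of its remaining, corruptible parents;
    every other node is computed exactly as the scheme prescribes.  With
    hidden == {} this is the real scheme itself."""
    gens = {v: pow(G, s[v], P) for v in pred}
    hidden_roots = set().union(*hidden)
    keys, exps = {}, {}
    todo = {v: ps for v, ps in pred.items() if v not in hidden_roots}
    while todo:                                     # topological evaluation
        ready = [v for v, ps in todo.items()
                 if all(p in exps or p in hidden_roots for p in ps)]
        for v in ready:
            h = frozenset(p for p in pred[v] if p in hidden_roots)
            x = 1
            for p in pred[v]:
                if p not in hidden_roots:
                    x = x * exps[p] % Q
            if not pred[v]:
                keys[v] = root_keys[v]              # corruptible root: any valid key
            elif h:
                keys[v] = pow(hidden[h], s[v] * x % Q, P)
            else:
                keys[v] = pow(gens[v], x, P)        # k_v = g_v^(product of parent keys)
            exps[v] = keys[v] if not pred[v] else f(keys[v])
            del todo[v]
    return gens, keys


def real_keys(pred, s, root_keys):
    """The real scheme: nothing hidden, every root key known."""
    return simulate(pred, s, {}, root_keys)


# Constructed hierarchy in the shape of the third hierarchy of Fig. 7: roots 1
# and 3, node 2 with immediate predecessors {1, 3}, node 4 a child of 1 only,
# node 5 a child of 2, node 6 a child of 3 only.
PRED = {1: [], 3: [], 2: [1, 3], 4: [1], 5: [2], 6: [3]}
S = {1: 5, 3: 9, 2: 1, 4: 17, 5: 3, 6: 11}      # constructed: g_2 = g, g_4 = g^17, ...
ALPHA, BETA = 123, 456                          # hidden root keys, known only to the checks


def case1_view_is_perfect():
    """Case 1 (target is root 1): the view built from (g, g^alpha) alone equals
    the real view on every corruptible node, so the DL reduction is faithful."""
    _, real = real_keys(PRED, S, {1: ALPHA, 3: BETA})
    _, sim = simulate(PRED, S, {frozenset({1}): pow(G, ALPHA, P)}, {3: BETA})
    return all(sim[v] == real[v] for v in PRED if v != 1)


def case2c_view(z):
    """Case 2c (target is node 2 with root parents 1 and 3): the view built from
    (g, g^alpha, g^beta, z); z = g^(alpha*beta) gives G0, a random z gives G1."""
    hidden = {frozenset({1}): pow(G, ALPHA, P), frozenset({3}): pow(G, BETA, P),
              frozenset({1, 3}): z}
    return simulate(PRED, S, hidden, {})[1]


def case2c_real_z_is_perfect():
    _, real = real_keys(PRED, S, {1: ALPHA, 3: BETA})
    sim = case2c_view(pow(G, ALPHA * BETA, P))
    return all(sim[v] == real[v] for v in PRED if v not in (1, 3))


def case2c_random_z_touches_only_target_subtree(r=777):
    """G1: replacing alpha*beta by a random exponent r changes the target's key
    (and can only propagate to its descendants); siblings 4 and 6 are untouched."""
    _, real = real_keys(PRED, S, {1: ALPHA, 3: BETA})
    sim = case2c_view(pow(G, r, P))
    changed = {v for v in sim if sim[v] != real[v]}
    return 2 in changed and changed <= {2, 5}


if __name__ == "__main__":
    print(case1_view_is_perfect(), case2c_real_z_is_perfect(),
          case2c_random_z_touches_only_target_subtree())
```

The point of the perfect-simulation checks is the one the reductions need: A_DL and A_DDH never learn α or β, yet the adversary's input is distributed exactly as in the real game, so any success of A_KR-ST transfers unchanged to the underlying problem. Passing r = αβ mod Q to the last function reproduces G_0 and it returns False, which is what distinguishes a real from a random z.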

Let SUCC_i be the event that the adversary KR-ST guesses k_2 correctly in game
G_i. Then

$$
\mathrm{Adv}_{KR\text{-}ST} = \Pr[SUCC_0]
\le \big|\Pr[SUCC_0] - \Pr[SUCC_1]\big| + \big|\Pr[SUCC_1] - \Pr[SUCC_2]\big|
+ \cdots + \big|\Pr[SUCC_{n-1}] - \Pr[SUCC_n]\big| + \Pr[SUCC_n]
$$

The number of games simulated depends on the number of root nodes. In each
successive game, the product of the keys of two immediate predecessors, denoted
c_j, or the product of c_j and the key of an immediate predecessor not yet
considered, denoted c_{j+1}, is assigned a random value, until all immediate
predecessors are exhausted.
So in the final game G_n the information related to the key is entirely random;
despite its knowledge of all public and private information derived from the
random keys of the immediate predecessors, it is information theoretically
impossible for any polynomial time adversary to tell that the values are random
unless it already knows the actual k_2. It follows that the probability of the
adversary KR-ST succeeding in game G_n is just 1/2^τ:

$$
\Pr[SUCC_n] = \frac{1}{2^{\tau}}
$$

$$
\mathrm{Adv}_{KR\text{-}ST} = \Pr[SUCC_0] \le n \cdot \epsilon_{DDH} + \frac{1}{2^{\tau}}
$$

Here n is the number of times the twining argument is applied, renaming a
product and then replacing it with a random value, to break the dependency
between all the values available to the adversary, and ε_DDH is the advantage
of a polynomial time algorithm in solving DDH in G.

Lemma 2. |Pr[SUCC_{i−1} | z = real] − Pr[SUCC_i | z = random]| is at most ε_DDH.

Proof: Suppose the KR-ST adversary outputs the correct key in both games. Then
the DDH algorithm can use it to answer the DDH problem with non-negligible
probability, equal to the success probability of the adversary KR-ST. In game
G_{i−1} the key of the target node involves the product of c_j and the key of an
immediate predecessor not yet considered; in game G_i that product is replaced
by a random value c_{j+1}. This is precisely the target node's key g^(αβ) being
replaced by a random value, with c_j playing the role of α and the immediate
predecessor's key the role of β. Since the DDH problem cannot be broken in
polynomial time, this is a contradiction. Hence the adversary has negligible
advantage in outputting the correct key and therefore in noticing the change in
the environment.

Using the arguments of case 2b and case 2c, we now construct the proof for the
general case.

General case: In general there can be any number of roots and the target node
can be at any depth in the hierarchy. If the hierarchy has a single root, the
first two hierarchies of each of the two special cases show how to start
simulating the scheme, even though the special cases place the target node only
at depth 0 and depth 1. Starting at the level below the root node and moving
towards the target node (which is at depth 2 or more), we use the twining
argument of case 2c to remove the dependency between the values of a node and
its predecessors in a way the adversary cannot detect. In the final game the
dependency is completely removed; the adversary still holds the public and
private values, but they are random, so it has to guess the key, which succeeds
with probability 1/2^τ.

To remove the dependency in the information given to the adversary in the form
of the corruptible nodes' keys and public values, we first sort the
predecessors of the target node, other than the root nodes, topologically
(this does not apply when redundancy is present, which is discussed under the
special cases). We then apply the twining argument, replacing the product of
the keys of two immediate predecessors with a random value, whenever the node
under consideration has more than one root above it; if there is only one root
node we use an argument similar to case 2b, unless the hierarchy is purely
vertical. The twining argument is applied until the value of the node under
consideration is purely random, as in case 2c, and these arguments are applied
recursively to the nodes in the order fixed earlier until the target node is
reached. In the final game the target node's immediate predecessors hold random
values, so the adversary obtains no real information from the siblings of the
common predecessors of the target node, as those values have been replaced by
random ones. The adversary therefore cannot detect the change unless it already
has the original key of the target node.
Game_0: This is the normal KR-ST adversarial game without any modification,
i.e., the adversary is given the correct keys and the public values of all
corruptible nodes. In this game the value z input to the algorithm is g^(αβ).
Game_{i−1}: In this game the value z input to the DDH algorithm is real, and
all remaining values of the descendants are computed as in case 2b.
Game_i: In this game the value z input to the DDH algorithm is random, and all
remaining values of the descendants are computed as in case 2b. Ultimately we
replace every occurrence of αβ (that is, c_i) with a random value.

Let SUCC_i be the event that the adversary KR-ST guesses the key of the node
under consideration correctly in game G_i. Then

$$
\mathrm{Adv}_{KR\text{-}ST} = \Pr[SUCC_0]
\le \big|\Pr[SUCC_0] - \Pr[SUCC_1]\big| + \big|\Pr[SUCC_1] - \Pr[SUCC_2]\big|
+ \cdots + \big|\Pr[SUCC_{n-1}] - \Pr[SUCC_n]\big| + \Pr[SUCC_n]
$$

The number of games simulated depends on the number of ancestral nodes. In each
successive game, the product of the keys of two immediate predecessors, denoted
c_j, or the product of c_j and the key of an immediate predecessor not yet
considered, denoted c_{j+1}, is assigned a random value, until all immediate
predecessors are exhausted.
So in the final game G_n the information related to the key is entirely random;
despite its knowledge of all public and private information derived from the
random keys of the immediate predecessors, it is information theoretically
impossible for any polynomial time adversary to tell that the values are random
unless it already knows the actual key of the node under consideration. It
follows that the probability of the adversary KR-ST succeeding in game G_n is
just 1/2^τ:

$$
\Pr[SUCC_n] = \frac{1}{2^{\tau}}
$$

$$
\mathrm{Adv}_{KR\text{-}ST} = \Pr[SUCC_0] \le m \cdot \epsilon_{DDH} + \frac{1}{2^{\tau}}
$$

Here m is the number of times the twining argument is applied, renaming a
product and then replacing it with a random value, to break the dependency
between all the values available to the adversary. Finally, the proof for the
scheme uses Lemma 2 of case 2c to bound the advantage of the KR-ST adversary in
noticing the change in the game setup.

We now look at some special cases not covered by the general case, namely the
steepest hierarchy and hierarchies with redundancy.
Other special cases: The hierarchies not covered in the usual context are
listed here.

Fig. 8.

Case 1: The first case is the steepest possible hierarchy. The target node is
at some depth and each internal node has exactly one child. In the following
game all predecessors of the target node are assigned valid random keys. This
is legitimate because the adversary cannot be given any information about the
ancestors of the target node except their public information, which in this
case consists of their generators, and these are of no use to the adversary
here.

Suppose node i is the target, all its ancestors are assigned random keys, and
the remaining values are computed. We can then construct a DL algorithm from
the adversary A_KR-ST:

Algorithm A_DL(g, g^α)
  k_i := α
  k_{i+1} := g^α
    comment: all predecessors of the target node are assigned random valid
    keys.
  g_{i+1} := g
  k'_i := A_KR-ST(1^τ, G, pub, corr)
  return k'_i
End A_DL

NOTE: If the target node has no children, the argument is that the adversary
has no information about the target node at all, so it is information
theoretically impossible for the KR-ST adversary to output the correct key with
any advantage beyond that of a polynomial time adversary guessing it.
Node i+1 is a descendant of the target node i, and the DL problem is modelled
on its key: if the adversary outputs k_i (that is, α), we have a polynomial
time algorithm for the DL problem. But the DL problem is assumed to be hard, so
our assumption is false, and the adversary has the same advantage as a
polynomial time adversary attacking the DL problem.
Case 2: This case occurs in the many hierarchies in which redundancy is present.
As shown in the second hierarchy of Fig. 8, the edge between node 3 and node 2
is redundant, because node 2 can derive the key of node 3 through the key of
node 4. Such cases arise when hierarchies are optimized for fast key
derivation.

NOTE: In this case the target node lies somewhere below the level of the root
and its immediate successors. We use the hierarchy of Fig. 8 to illustrate that,
when redundancy is present, the arguments (assigning random keys to the
ancestors of the target node, and the adversary being unable to perceive the
change) cannot be applied in topological order but must proceed as follows.
We have to break the dependency between the values of the ancestors of the
target node. We show a series of games G_0, G_1, G_2 and so on. Game G_0 is the
original adversarial game; in game G_1 node 3 is assigned random values, and
still the adversary cannot perceive the change. We prove this claim by
modelling a DDH problem.

Algorithm A_DDH(g, g^α, g^β, z)
  g_3 := g^α
  k_4 := β
    comment: β is implicitly taken to be the key of node 4, one of the immediate
    predecessors of 3, and is not known to A_DDH. In the next game node 3 is
    assigned a random key. We then continue to apply the twining argument,
    replacing the values of all immediate predecessors of the target node with
    random values, and in the final game we argue information theoretically
    that the KR-ST adversary has no non-negligible advantage.
    comment: z is implicitly taken to be g^(αβ) or a random value, depending on
    the game. All remaining public and private values given to the KR-ST
    adversary can be computed from g^α, g^β and the keys of the remaining root
    nodes, which are available to A_DDH.
  k'_3 := A_KR-ST(1^τ, G, pub, corr)
  return 1 if k'_3 = k_3, else 0
End A_DDH

Game_0: This is the normal KR-ST adversarial game without any modification,
i.e., the adversary is given the correct keys and the public values of all
corruptible nodes.
Game_1: In this game the value z input to the DDH algorithm is random, and all
remaining values of the descendants are computed as in case 2b.
Let SUCC_i be the event that the adversary KR-ST succeeds in game G_i. Then

$$
\mathrm{Adv}_{KR\text{-}ST} = \Pr[SUCC_0]
\le \big|\Pr[SUCC_0] - \Pr[SUCC_1]\big| + \cdots + \Pr[SUCC_n]
$$

Despite its knowledge of the public information of the siblings of all nodes on
the path from the root to the target node, which is derived from the random
keys of the target's ancestors, it is information theoretically impossible for
any polynomial time adversary to tell that the values are random unless it
already knows the actual key of the target node. It follows that the
probability of the adversary KR-ST succeeding in the final game G_n is just
1/2^τ:

$$
\Pr[SUCC_n] = \frac{1}{2^{\tau}}
$$

$$
\mathrm{Adv}_{KR\text{-}ST} = \Pr[SUCC_0] \le n \cdot \epsilon_{DDH} + \frac{1}{2^{\tau}}
$$

We use Lemma 1 of case 2b to show that the adversary's advantage in noticing
the change in the game setup is negligible; otherwise a polynomial time
algorithm for breaking the DDH assumption could be constructed from this
adversary.

7 Conclusions
We have shown that Wu-Wei's proof in [9] suffers from a couple of errors. We
have also changed their proof model to avoid the error in the definition of B,
by redefining that set. However, the problem with the proof regarding
indistinguishability still needs to be addressed by providing a key recovery
proof for the case in which the users in B collude.
Our proof makes use of modern security notions and makes the assumptions on
which the security of the scheme rests more explicit. Moreover, by simulating a
polynomial time algorithm that breaks a well-known hard problem using an
adversary that breaks the security of the scheme, we make our proof more
rigorous and acceptable than the previous one.
The proof discussed in this article is limited to a static scheme, meaning that
no changes to the hierarchy or to the users in the security classes are
allowed. Many existing schemes support such changes and also treat the cost of
these updates as a measure of their efficiency. Considering this, it is
surprising that no scheme in the literature has so far been proved secure
together with the dynamic properties it supports. This remains an open problem
in the area of provable security for key hierarchies.

References
1. Akl, S., Taylor, P.: Cryptographic solution to a problem of access control in a
hierarchy. ACM Trans. Comput. Syst. 1(3), 239–248 (1983)
2. Atallah, M., Frikken, K., Blanton, M.: Dynamic and efficient key management for
access hierarchies. In: ACM Conference on Computer and Communications Security
(CCS 2005), pp. 190–202 (2005)
3. Atallah, M.J., Blanton, M., Fazio, N., Frikken, K.B.: Dynamic and efficient key
management for access hierarchies. ACM Trans. Inf. Syst. Secur. 12(3) (2009)
4. Boneh, D.: The decision Diffie-Hellman problem. In: ANTS-III: Proceedings of the
Third International Symposium on Algorithmic Number Theory, pp. 48–63 (1998)
5. Bresson, E., Chevassut, O., Pointcheval, D.: The group Diffie-Hellman problems.
In: Selected Areas in Cryptography (SAC 2002), pp. 325–338 (2002)
6. Crampton, J., Martin, K.M., Wild, P.R.: On key assignment for hierarchical access
control. In: CSFW 2006, pp. 98–111 (2006)
7. D'Arco, P., De Santis, A., Ferrara, A.L., Masucci, B.: Variations on a theme by
Akl and Taylor: Security and tradeoffs. Theor. Comput. Sci. 411(1), 213–227 (2010)
8. Steiner, M., Tsudik, G., Waidner, M.: Diffie-Hellman key distribution extended to
group communication. In: ACM Conference on Computer and Communications Security
(CCS 1996), pp. 31–37 (1996)
9. Wu, J., Wei, R.: An access control scheme for partial ordered set hierarchy with
provable security. In: Selected Areas in Cryptography (SAC 2005), LNCS 3897,
pp. 221–232 (2006)
