Cryptographic enforcement of information flow policies without public information via tree partitions 1

Abstract

We may enforce an information flow policy by encrypting a protected resource and ensuring that only users authorized by the policy are able to decrypt the resource. In most schemes in the literature that use symmetric cryptographic primitives, each user is assigned a single secret and derives decryption keys using this secret and publicly available information. Recent work has challenged this approach by developing schemes, based on a chain partition of the information flow policy, that do not require public information for key derivation, the trade-off being that a user may need to be assigned more than one secret. In general, many different chain partitions exist for the same policy and, until now, it was not known how to compute an appropriate one.

In this paper, we introduce the notion of a tree partition, of which chain partitions are a special case. We show how a tree partition may be used to define a cryptographic enforcement scheme and prove that such schemes can be instantiated in such a way as to preserve the strongest security properties known for cryptographic enforcement schemes. We establish a number of results linking the amount of secret material that needs to be distributed to users with a weighted acyclic graph derived from the tree partition. These results enable us to develop efficient algorithms for deriving tree and chain partitions that minimize the total amount of secret material that needs to be distributed.

Keywords

Access control information flow policies cryptographic enforcement chains forests trees

1. Introduction

Access control is a fundamental security service in modern computing systems and seeks to restrict the interactions between users of the system and the resources provided by the system. Traditionally, access control is policy-based, in the sense that a policy is defined by the resource owner(s) specifying those interactions that are authorized. An attempt by a user to interact with a protected resource, typically called an access request, is evaluated by a trusted software component, the policy decision point (or authorization decision function), to determine whether the request should be permitted (if authorized) or denied (otherwise). The use of a policy decision point is entirely appropriate when we can assume the policy will be enforced by the same organization that defined it. However, use of third-party storage, privacy policies controlling access to personal data, and digital rights management all give rise to scenarios where this assumption does not hold.

Cryptographic access control provides an alternative way of regulating access to data objects and has attracted considerable attention in recent years. In this setting, data objects are encrypted and appropriate decryption keys are issued to authorized users. Research into cryptographic access control began with the seminal work of Akl and Taylor [1], and has seen a resurgence of interest in recent years. For instance, there has been a considerable amount of research into attribute-based encryption [8,24], which is regularly used to support access control (see [28], for example). Attribute-based encryption is based on asymmetric cryptographic primitives, which means that any user is able to control read access to data (by encrypting), while only authorized users may decrypt. However, access control policies can also be enforced using symmetric cryptographic primitives (often a cheaper alternative to their asymmetric counterparts). Typically, in this scenario, a specific user – the data owner – encrypts all data objects before transmitting them to a storage provider that is only trusted to store data correctly. Users are able to retrieve data objects from the storage provider (in encrypted form) and only authorized users should be able to decrypt them.

In the symmetric setting, the focus of research has been on enforcing information flow policies [7], not least because many access control requirements may be articulated as information flow policies. An information flow policy is defined by a partially ordered set of security labels and a function mapping each user and data object to a security label. A user is authorized to read any data object associated with a security label that is less than or equal to that of the user.

Generally, it is undesirable to explicitly provide a user with all the keys she requires to decrypt protected objects. Instead, a user is given a small number of secrets from which she is able to derive all keys required.2

²
We could, of course, simply view a set of secrets as a single secret and consider the amount of storage required by that secret. However, it is more convenient for the analysis later in the paper to consider a set of secrets and the number of elements in that set.

Hence, a common feature of cryptographic enforcement schemes for information flow policies is the derivation of decryption keys (since possession of the decryption key for label ℓ implies authorization for the decryption key for any label

ℓ^{'}

less than ℓ). Informally, each security label is associated with a secret (which is issued to every user assigned to that security label) from which decryption keys for all subordinate security labels may be derived. The scheme may also publish additional information in order to support key derivation.

Therefore, the challenge is to compute efficiently the secrets and decryption keys associated with each security label, subject to constraints on the size of relevant parameters. Thus a cryptographic enforcement scheme may be characterized by (i) the number of secrets each user is given, (ii) the total number of secrets issued to users, (iii) the amount of auxiliary (public) information required for key derivation, and (iv) the computational effort required for key derivation.

Many schemes in the literature are space-efficient (on the user side) by providing each user with a single secret (see, for example, [2]), the trade-off being that the amount of public information and derivation time may be substantial. Moreover, the public information must either be transmitted to each user or made available on some publicly accessible server, both possibilities giving rise to concerns either about costs of transmission and local storage, or availability and authenticity of the information.

Crampton, Daud and Martin [14] introduced the concept of a chain-based cryptographic enforcement scheme, which requires no public information but may require users to store more than one secret. Subsequent work has established that secure instantiations of chain-based schemes exist [20,21]. Chain-based schemes are based on a decomposition of the poset of security labels into disjoint chains (that are, in some appropriate sense, compatible with the poset). Informally, the secrets associated with the labels in each chain may be derived in a top-down manner and each user is issued with a number of secrets, at most one from each chain. Thus the number of secrets required by a user is no greater than the number of chains in the decomposition, which is significantly better, generally, than the naive solution of supplying each user with every secret for which she is authorized.

The motivation for the work in this paper can be summarized in two observations. First, there are, in general, many different ways to instantiate a chain-based scheme for a given information flow policy, each instantiation being defined by a particular chain partition of the partially ordered set used to specify the policy. The number of secrets and the amount of computation required to derive decryption keys in a given instantiation crucially depends on the chain partition chosen. However, existing work in the literature assumes that the chain partition is given as part of the input to the algorithm that outputs the secrets and decryption keys. One of the questions we address (in Section 5), therefore, is how to compute the “best” chain partition (with respect to some suitable metric) with which to instantiate a chain-based scheme. Our second observation is that each security label has at most one parent in the chain decomposition. The question we address (in Section 3) is whether it is possible to generalize chain-based schemes to tree-based schemes, given that each element in a tree also has at most one parent.

Our first set of contributions is associated with the novel concept of a tree partition of an information flow policy, from which we define the notion of a forest-based cryptographic enforcement scheme for information flow policies. We prove results establishing how the total number of secrets to be issued to users varies with the structure of the forest and demonstrate that an instantiation of our scheme retains the security property of strong key indistinguishability introduced by Freire, Paterson and Poettering [21]. We design and analyze an efficient algorithm for computing a forest that minimizes the total number of issued secrets. This work generalizes our previous work on tree-based enforcement schemes [16]. In addition, the more general framework enables us to simplify the techniques and formal exposition.

Our second set of contributions is based on specializing our generic scheme to chain-based schemes.3

One disadvantage with forest-based schemes is that one cannot, in general, simultaneously minimize the number of secrets issued on a per-user basis and the total number of secrets issued to users. Thus, chain-based schemes are still relevant, even though, in general, a forest-based scheme for the same policy will require fewer secrets in total to be issued.

We prove that the total number of secrets issued is determined by the number of bottom elements of the chains in the chain partition (Lemma 3). This, in turn, allows us to prove (Theorem 3) there exists a chain partition that simultaneously minimizes the number of secrets that need to be issued and the number of chains in the partition (and thus the number of keys each user is required to store). The last result is of practical importance, since the number of chains provides a tight upper bound on the number of secrets required by any user. Moreover, the result is somewhat unexpected, as it is not usually possible to simultaneously minimize two different parameters. Our main contribution (Theorem 4 and Section 5.1) is to develop an efficient algorithm that enables us to find a chain partition such that the total number of distributed secrets and the number of chains are minimized (with respect to all chain partitions). Our algorithm is based on finding a minimum cost flow in a network whose construction is based on the technical results in Sections 3–5.

Overall, then, the contributions of this paper generalize and unify existing work on tree- and chain-based schemes using the novel concept of a tree partition and a forest-based enforcement scheme. Central to our work are the results in Section 4, which enable us to link two different characterizations of the additional secrets required, thereby allowing us to describe existing schemes using trees and chains within a single framework and to generalize tree-based enforcement schemes to forest-based schemes. An important consequence of our results is that there now exist efficient methods for instantiating cryptographic enforcement schemes that require no public information. We thereby provide rigorous foundations for the development of efficient chain-based enforcement schemes.

The remainder of the paper is organized as follows. In Section 2, we provide the relevant background on cryptographic enforcement schemes, and formally identify the problem. We also discuss related work, including preliminary versions of the ideas presented in this paper [15,16]. Then, in Section 3, we formally define a tree partition and a forest-based cryptographic enforcement scheme for an information flow policy. We establish some important results connecting the structure of a given forest and the total number of secrets required by the associated cryptographic enforcement scheme. We also establish that there exist secure instantiations of our scheme and briefly discuss cryptographic primitives that would be suitable for such an instantiation. In Section 4, we use the theoretical results of Section 3 to develop an efficient algorithm for computing the best tree partition, in terms of the total amount of secret material required. In Section 5, we prove that there exists a chain-based enforcement scheme in which no user requires more than w keys, where w is the width of the information flow policy; and that the total number of issued secrets in a chain-based enforcement scheme is determined entirely by the number of bottom elements of the chain partition. These results, however, are not constructive per se. Accordingly, we also develop an efficient algorithm to derive the best chain partition. We conclude the paper in Section 6 with a summary of our contributions and some ideas for future work.

2. Information flow policies

We first recall some basic definitions from discrete mathematics and establish some notation. We then define what is meant by an information flow policy [7] and discuss how such policies may be enforced using cryptographic mechanisms.

A partially ordered set (or poset) is a pair $P = (X, ⩽)$ , where ⩽ is a reflexive, anti-symmetric, transitive binary relation on a finite set X.

We write $x < y$ to indicate $x ⩽ y$ and $x \neq y$ , and we may write $x ⩾ y$ whenever $y ⩽ x$ .

We say x covers y, or x is a parent of y, denoted $y ⋖ x$ , if $y < x$ and there does not exist $z \in X$ such that $y < z < x$ . An element $x \in X$ is maximal if it has no parents.

The Hasse diagram of $P$ is the directed acyclic graph $H (P) = (X, E_{min})$ , where the (directed) edge $x y \in E_{min}$ if and only if $y ⋖ x$ . We will also make use of the directed acyclic graph $H^{*} (P) = (X, E_{max})$ , where $x y \in E_{max}$ if and only if $y < x$ . Representing the covering relation as an acyclic digraph the Hasse diagram provides a minimal amount of information required to reconstruct the full order relation.4

⁴
The Hasse diagram $H (P) = (X, ⋖) = (X, E_{min})$ is a unique representation of the poset $P = (X, ⩽)$ . Conversely, as the Hasse diagram $H (P)$ of a poset $P$ uniquely represents $P$ , we may consider $H (P)$ as a “shorthand” for $P$ and even loosely say that $H (P)$ is a poset.

The in-degree (out-degree, respectively) of node u of a directed graph $D = (V, E)$ is the number of nodes v such that $v u \in E$ ( $u v \in E$ , respectively). A directed graph D is an out-forest if every node of D has in-degree less than or equal to 1.

We say $P$ is a forest if $H (P)$ is an out-forest. We say $P$ is a tree if it is a forest and has a unique maximal element. That is, there is a single node in its Hasse diagram of in-degree 0.

Note that every forest is a disjoint union of trees. Hasse diagrams of a poset, forest and tree are shown in Fig. 1. The edges in these Hasse diagrams (and all others in the paper) are assumed to be directed from top to bottom.

A set $Y \subseteq X$ is a chain if for all distinct pairs of elements $x, y \in Y$ , $x < y$ or $y < x$ . A chain corresponds to a directed path in $H^{*} (P)$ .

A chain partition of poset $P$ is a disjoint union of chains such that every element of $P$ belongs to one of the chains. Figure 1(d) depicts a chain partition of the poset in Fig. 1(a).

Let $x, y \in X$ with $y < x$ . Then ${z_{0}, \dots, z_{l}} \subseteq X$ , where $x = z_{0} ⋗ z_{1} ⋗ \dots ⋗ z_{l} = y$ is a derivation chain (from x to y) in $P$ of length l. A derivation chain from x to y corresponds to a directed path from x to y in $H (P)$ .

We write $x ∥ y$ to indicate that $x, y$ are incomparable, i.e. $x ⩽̸ y$ and $x ⩾̸ y$ . A set $Y \subseteq X$ is an antichain if for all distinct $x, y \in Y$ , $x ∥ y$ . The width of a poset is the cardinality of an antichain of maximum size.

We write $↓_{} (x)$ to denote ${y \in X : y ⩽ x}$ and $↑_{} (x)$ to denote ${y \in X : y ⩾ x}$ . Note that $↓_{} (x) \subseteq ↓_{} (y)$ if and only if $x ⩽ y$ .

A linear extension of $P$ is a chain $(X, ≼)$ such that if $x ⩽ y$ then $x ≼ y$ . Every (finite) partial order has at least one linear extension, which may be computed, in linear time, by representing the partial order as a directed acyclic graph and using a topological sort [12, §22.3].

Fig. 1.

Hasse diagrams of a poset, a forest, a tree, and a chain partition.

In many cases we will use subscripts to denote a function or relation relative to a poset $T$ . Thus, for example, we write $T = (X, ⩽_{T})$ , we write $x ⋗_{T} y$ if $x >_{T} y$ and there is no $z \in X$ such that $x >_{T} z >_{T} y$ , and we write $↓_{T} (x)$ to denote the set ${y \in X : y ⩽_{T} x}$ .

Definition 1.

An information flow policy is a tuple $(X, ⩽, U, O, λ)$ , where:

$(X, ⩽)$ is a (finite) partially ordered set of security labels;

U is a set of users and O is a set of objects;

$λ : U \cup O \to X$ is a security function that associates users and objects with security labels.

A user

u \in U

is authorized to read an object

o \in O

if and only if

λ (u) ⩾ λ (o)

Given an information flow policy $(X, ⩽, U, O, λ)$ , we may define an equivalence relation ∼ on U, where, for any $u, v \in U$ , $u \sim v$ if and only if $λ (u) = λ (v)$ . We write $U_{x}$ to denote ${u \in U : λ (u) = x}$ . Similarly, $O_{x} \subseteq O$ denotes the set of objects having security label $x \in X$ . In other words, user $u \in U_{y}$ is authorized to read $o \in O_{x}$ whenever $y ⩾ x$ . Henceforth, we will represent an information flow policy $(X, ⩽, U, O, λ)$ as a poset $P = (X, ⩽)$ with the tacit understanding that U, O and λ are given.

2.1. Cryptographic enforcement

The intuition behind the cryptographic enforcement of information flow policies is to encrypt data objects (using a symmetric encryption algorithm) and distribute appropriate secrets to authorized users (from which encryption keys are derived). Hence, there are two high-level algorithms that every cryptographic enforcement scheme (CES) provides: the first, $SetUp$ , is run by the data owner and generates secrets, keys and any public information that is required for deriving decryption keys; the second, $Derive$ , is used to derive decryption keys from secrets and public information. That is, in principle, $SetUp$ and $Derive$ have the following functionality.

$SetUp$ takes as input an information flow policy $(X, ⩽)$ .

$SetUp$ outputs ${(x, σ (x), κ (x)) : x \in X}$ and $Pub$ , where $σ (x)$ and $κ (x)$ respectively determine the secret and encryption key associated with x, and the public information $Pub$ is used as part of the input to the $Derive$ algorithm.

$Derive$ takes as input the information flow policy, $Pub$ , $x, y \in X$ and $σ (x)$ .

$Derive$ outputs $κ (y)$ if $y ⩽ x$ (and some distinguished failure symbol ⊥ otherwise); in particular, $κ (x)$ can be derived from $σ (x)$ .

Prior CES schemes follow the above syntactical framework more or less closely. In particular, different representations of the information flow policy have been used as input to the $SetUp$ and $Derive$ algorithms, and some preprocessing may be required in order to produce those representations. Some schemes, for example, simply use the Hasse diagram of the poset [2] as the input to $SetUp$ and (part of) the input to $Derive$ , while others use a directed, acyclic graph whose edge set is a superset of $E_{min}$ and a subset of $E_{max}$ (and thus contains the same paths as the Hasse diagram) [4,13]. In this work, we transform the information flow policy into a partition of trees.

Part of the specification of $Derive$ ensures the correctness of a scheme. That is, an authorized user belonging to $U_{x}$ must be able to derive $κ (y)$ if $x ⩾ y$ . In contrast, the security of a CES requires that users cannot derive keys for which they are not authorized, even if they collude by pooling secret information. In particular, a user in $U_{z}$ where $z ⩾̸ y$ cannot derive $κ (y)$ . Research in the last 10 years, pioneered by Atallah, Blanton, Frikken and Fazio [2] and Ateniese, de Santis, Ferrara and Masucci [5], has formalized security notions for CESs. Informally, the adversary learns the secrets and keys associated with some set of elements $A \subseteq X$ (modeling a group of colluding users) and selects a “target” x in X such that $x ⩽̸ a$ for any $a \in A$ (to avoid trivial cases). The adversary may be asked to determine $κ (x)$ or to determine, given a candidate key r, whether r is $κ (x)$ or a random element of the key space. These informal scenarios lead to formal concepts of and definitions for key recovery and key indistinguishability [2].5

⁵
Note that a scheme in which $Derive$ may be used to compute $κ (y)$ from $κ (x)$ whenever $y < x$ (rather than from $σ (x)$ ) does not possess the key indistinguishability property: the adversary may select x and A such that $x ⋗ a$ for some $a \in A$ , use x, a, $Pub$ and r (that is, assume $r = κ (x)$ ) as inputs to the $Derive$ algorithm, and test the output for equality with $κ (a)$ . Concerns about key indistinguishability in CESs led to the separation between secrets and keys [2].

We consider the security properties of CESs in more detail in Section 3.2.

2.2. Related work

Essentially, designing a cryptographic enforcement scheme comes down to defining (i) what secrets each user will receive, (ii) how users will generate any keys they require to decrypt data objects, and (iii) how secrets and keys are related. Broadly speaking, there are two standard ways of designing a cryptographic enforcement scheme for information flow policies. These methods assume each user is given a single key from which all other relevant secrets and key may be derived, and are distinguished by the information used to derive secrets and keys. The first method, which we will call “node-based”, relies only on secret information known to the user, while the second, which we will call “edge-based”, assumes that some additional information must be made known to all users.6

⁶
There are some other types of schemes but each of them suffer from a number of disadvantages (see [17], for example) so research has tended to focus on node- and edge-based schemes.

Informally, a node-based scheme uses one-way functions: for $y < x$ the secret associated with y is some (one-way) function of $σ (x)$ , the secret $σ (x)$ associated with x, and $κ (y)$ , the key associated with y, is some (one-way) function of $σ (y)$ . Some of the earliest work on cryptographic enforcement of information flow policies used these kinds of techniques [27]. However, in this setting, it is unclear how to distribute secrets such that $σ (y)$ can be derived from $σ (x_{i})$ for each of the parents $x_{1}, \dots, x_{n}$ that node y might have, without simultaneously exposing the scheme to collusion attacks.

In an edge-based scheme, public information is associated with each pair $(x, y)$ where $x > y$ from which $σ (y)$ can be extracted with knowledge of $σ (x)$ . Thus, informally, we might define $Pub (x, y)$ to be ${enc}_{k} (σ (y))$ , where ${enc}_{k}$ is some symmetric encryption algorithm with key k contained in $σ (x)$ . An edge-based scheme can be used for arbitrary posets but requires public information [2].

Research into schemes that allocate a single secret to each user investigated what trade-offs were possible between the number of items of public data and the number of key derivation operations (in the worst case) [3,13]. Some of this work focused on posets with a particular structure (such as chains [3]). Such research was able to define specific data structures and algorithms, and perform exact complexity analyses [3,4,13]. Other work considered arbitrary posets and used results from graph and poset theory to develop analyses that were generic but arguably less useful in specific cases [5]. In all this work, the amount of public information required for key derivation necessarily increases.

A representation of the policy is required as input to the $Derive$ algorithm. Hence, the data owner must publish the policy (or distribute it with the appropriate secrets to every user). The size of the policy is proportional to the number of edges (each representing a piece of public information) used for secret derivation; that is $O (n^{2})$ , where n is the cardinality of X (the set of security labels). However, compact representations, using an $n \times n$ binary matrix, exist. In the case of edge-based schemes, the data owner must also publish (or otherwise distribute) $Pub$ , which is also proportional in size to the number of edges. However, the size of $Pub$ will be several orders of magnitude bigger than the policy representation (due to the relative sizes of each datum of information). An alternative is to store $Pub$ on a public server. In this case, the server must be on-line and accessible to any user that wishes to run the $Derive$ algorithm. Thus, it may be advantageous to devise schemes that require no public information.

Crampton et al. [14] introduced the idea of cryptographic enforcement schemes, based on chain partitions of the information flow policy, that require no public information. The trade-off with such schemes is that some users may require more than one secret in order to be able to derive all the required encryption keys. Subsequent work established that secure instantiations of such schemes are possible [20,21].

To summarize, informally, the core trade-off made when designing a CES is the amount of public information that is required to assist in the derivation of secrets against the number of additional secrets that are associated with nodes. Broadly speaking, on the one hand one assumes each node is associated with a single secret and defines a “secret-derivation digraph” $G = (X, E)$ , where $E_{min} \subseteq E \subseteq E_{max}$ . (In other words, if $x > z$ in $(X, ⩽)$ there is a derivation path in G, since $E \supseteq E_{min}$ ; and if $x ≯ z$ there is no derivation path in G, since $E \subseteq E_{max}$ .) On the other hand, one selects a secret-derivation digraph $G = (X, E)$ such that $E \subset E_{min}$ , G is an out-forest, and each node is associated with at least one secret. Then, if $x > z$ , there is some node y such that every user in $U_{x}$ is given the secret associated with node y and there is a directed path from y to z in G. Table 1 provides a crude comparison of the generic schemes in the literature: E is the set of edges used to derive secrets; d is the length of the longest directed path in $G = (X, E)$ ; w is the width of X; n is the cardinality of X.

Table 1

A high-level comparison of generic cryptographic enforcement schemes

Generic scheme	Edge set	Public information	Derivation time	Secrets per node
Single-step secret derivation	$E = E_{max}$	$O (\| E \|)$	$O (1)$	$k = 1$
Multi-step secret derivation	$E_{min} \subseteq E \subset E_{max}$	$O (\| E \|)$	$O (d)$	$k = 1$
Chain-based secret derivation	$E \subset E_{min}$	None	$O (d)$	$k \in [1, w]$
All secrets distributed	$E = \emptyset$	None	0	$k \in [1, n]$

The significant open problem with prior work on chain-based schemes is the assumption that the chain partition is part of the input to the $SetUp$ algorithm: there may be many such partitions and it is not immediately obvious how one should select a specific partition in order to optimize characteristics of the corresponding enforcement scheme (an example being to minimize the number of secrets issued). Hence, it seems very natural to ask how difficult it is to compute a “good” chain partition, given that (i) schemes based on chain partitions do not require public information, and (ii) the number of secrets that need to be distributed to users is determined by the choice of chain partition. Our recent work [15] shows that it is possible to compute a minimal chain partition in polynomial time using a minimum cost network flow algorithm.

Crampton et al. [16] made use of the fact that derivation paths are uniquely defined in trees (as well as in chains) to develop the idea of a tree-based cryptographic enforcement scheme. Their work established that it was possible to compute (in polynomial time) an optimal tree for the information flow policy.

2.3. Problem overview

While chain-based enforcement schemes require no public information, some users may be required to store more than one secret, unlike the majority of schemes in the literature. The number of secrets required by an instantiation of such a scheme depends on the chain partition chosen. Moreover, a natural extension of the chain-based approach, explored in the current work, is to use a forest related to the poset defining the information flow policy. In this paper, therefore, we explore three questions:

What is the optimal choice of chain partition and can we compute such a partition efficiently?

How do we implement a cryptographic enforcement scheme based on a partition of the information flow policy into trees rather than chains?

What is the optimal choice of tree partition and can we compute such a partition efficiently?

In the next section, we consider the second of these questions, the results of which enable us to answer the other two questions.

3. Enforcement schemes from tree partitions

In this section, we generalize the approach taken by Crampton et al. [14] for chain-based enforcement schemes, and Crampton et al. [16] for tree-based enforcement schemes. In particular, we introduce the concept of a tree partition of a poset $(X, ⩽)$ and show how such a partition may be used to construct a cryptographic enforcement scheme for an information flow policy defined by $(X, ⩽)$ .

Definition 2.
Let $P = (X, ⩽)$ be a poset, with Hasse diagram $H (P) = (X, E)$ . A tree partition of $P$ is a poset $T = (X, ⩽_{T})$ such that $H (T) = (X, E_{T})$ is an out-forest and $E_{T} \subseteq E$ .

If $P = (X, ⩽)$ is a poset, $T = (X, ⩽_{T})$ is a tree partition of $P$ and $y ≮ x$ , then $y ≮_{T} x$ . However, we may have $y < x$ but $y ≮_{T} x$ . Thus, the problem with a tree partition, in the context of cryptographic enforcement schemes (CESs), is that some authorized labels that were “reachable” by a derivation chain in $P$ will no longer be reachable in $T$ . Accordingly, we define the notion of forest-based enforcement scheme for a tree partition of $P = (X, ⩽)$ .
Definition 3.
Given an information flow policy $P = (X, ⩽)$ and a tree partition $T = (X, ⩽_{T})$ , a forest-based enforcement scheme is a pair $(T, ψ)$ , where $ψ : X \to 2^{X}$ and:
if $u ⩽ x$ then there exists $z \in ψ (x)$ such that $u ⩽_{T} z$ ;

if $u ⩽̸ x$ then for all $z \in ψ (x)$ , $u {⩽̸}_{T} z$ .

Informally, conditions 1 and 2 correspond to the correctness and security requirements of CESs, respectively. Note that $x \in ψ (x)$ . To see this, suppose, in order to obtain a contradiction, that $x \notin ψ (x)$ . Then, by the first property, there exists $z \in ψ (x)$ such that $x <_{T} z$ . This implies $x < z$ and thus $z ⩽̸ x$ . By the second property for all $z^{} \in ψ (x)$ we then have $z {⩽̸}_{T} z^{}$ . This holds in particular for $z^{} = z$ and we obtain $z {⩽̸}_{T} z$ , a contradiction.
Definition 4.
Let $P$ be a poset and $T$ a tree partition of $P$ . Then, given $x, z \in X$ , the maximum element (if it exists) in $↓_{P} (x) \cap ↑_{T} (z)$ , is the anchor* between x and z and denoted by $α (x z)$ .

Consider the poset and tree partition in Fig. 2. Then we have, for example, $α (x_{14} x_{4}) = x_{12}$ and $α (x_{10} x_{4})$ does not exist. If $λ (u) = x_{14}$ then an enforcement scheme based on this tree partition must ensure the secret for $x_{12}$ is assigned to u.

Fig. 2.
Illustration of anchors.

We note the following facts, which we state without proof:

$α (x z)$ exists iff $x ⩾ z$ ;

$α (x z)$ is a unique maximal element (that is, a maximum element) since $↑_{T} (z)$ is a chain;

if $x ⩾ z$ and $x >_{T} z$ then there exists a derivation chain in $T$ from x to z and $α (x z) = x$ (since x is the maximum element in $↓_{P} (x)$ ); and

if $x ⩾ z$ and $x ≯_{T} z$ then there exists a derivation chain in $T$ from $α (x z)$ to z and $x > α (x z)$ .

Given $P$ and a tree partition $T$ , we define $ϕ_{T} : X \to 2^{X}$ , where $ϕ_{T} (x) = {α (x z) : x ⩾ z}$ . In Fig. 2, we have, for example, $ϕ_{T} (x_{13}) = {x_{13}, x_{11}, x_{8}, x_{4}}$ .
Proposition 1.
For any poset $P$ and any tree partition $T$ of $P$ , $(T, ϕ_{T})$ is a forest-based enforcement scheme.
Proof.
If $u ⩽ x$ , then $z = α (x u)$ belongs to $ϕ_{T} (x)$ and $u ⩽_{T} z$ . And if $u ⩽̸ x$ then for every $z \in ϕ_{T} (x)$ we have $z {⩾̸}_{T} u$ . □

In other words, given the secrets corresponding to the elements in $ϕ_{T} (x)$ , a user in $U_{x}$ can derive the secret for all elements $z ⩽ x$ using a derivation chain starting at $α (x z)$ .
Lemma 1.
Let $P = (X, ⩽)$ be a poset, $T$ be a tree partition of $P$ , and $(T, ψ)$ be a forest-based enforcement scheme. Then $ϕ_{T} (x) \subseteq ψ (x)$ for all $x \in X$ .
Proof.
Suppose, in order to obtain a contradiction, that $y \in ϕ_{T} (x)$ and $y \notin ψ (x)$ . By definition, $y ⩽ x$ ; therefore, there must exist $y^{'} \in ψ (x)$ such that $y^{'} >_{T} y$ , and thus $x ⩾ y^{'}$ . Moreover, $y ⩾_{T} z$ so we have $x ⩾ y^{'} >_{T} y >_{T} z$ ; that is, $y^{'} \in ↓_{P} (x) \cap ↑_{T} (z)$ . Thus y is not the maximal element in $↓_{P} (x) \cap ↑_{T} (z)$ , the desired contradiction. □

The following simple lemma characterizes the elements of $ϕ_{T}$ and will be used to prove Proposition 2 and Theorem 2.
Lemma 2.
Let $T = (X, ⩽_{T})$ be a tree partition of poset $P = (X, ⩽)$ . Then for every x in X and every z in X, $z \in ϕ_{T} (x)$ if and only if exactly one of the following conditions holds: (i) $z = x$ ; (ii) $z < x$ , z has a parent in $T$ and $x ⩾̸ {par}_{T} (z)$ ; (iii) $z < x$ and z has no parent in* $T$ .*
Proof.
Suppose $x ⩾ z$ and $x ⩾̸ {par}_{T} (z)$ . Since $x ⩾̸ {par}_{T} (z) ⋗_{T} z$ , z is the maximal element in $↓_{P} (x) \cap ↑_{T} (z)$ . Similarly, if z has no parent or $z = x$ , then z is the maximal element in $↓_{P} (x) \cap ↑_{T} (z)$ . In either case, $z = α (x z)$ and $z \in ϕ_{T} (x)$ .

Conversely, if $z \in ϕ_{T} (x)$ , then $x ⩾ z$ , by definition, and $α (x z) = z$ . Thus, $x ⩾̸ {par}_{T} (z)$ if z has a parent (otherwise, ${par}_{T} (z) \in ↓_{P} (x) \cap ↑_{T} (z)$ and $z \neq α (x z)$ ). □
Proposition 2.
Let $P = (X, ⩽)$ be an information flow policy and let $T = (X, ⩽_{T})$ be a tree partition. Then $ϕ_{T}$ can be computed in time $O (n^{2})$ , where $n = | X |$ .
Proof.
By Lemma 2, for all $x \in X$ , besides x itself, we add all those elements $z \in X$ , $z < x$ , to $ϕ_{T} (x)$ that are either maximal in $T$ or, if not, satisfy $x ⩾̸ {par}_{T} (z)$ . In both cases, we must determine whether $x > z$ for some $z \in X$ .

After $O (n^{2})$ time preprocessing, we may assume that we have data structures allowing us to check whether $x > z$ in $O (1)$ time, and test whether z is a maximal element in $T$ (and compute ${par}_{T} (z)$ otherwise) in $O (1)$ time. Hence, we can compute $ϕ_{T}$ in $O (n^{2})$ time. □
3.1. Generic instantiation

The above results enable us to specify the algorithms of a cryptographic enforcement scheme. The construction can be considered a generalization of the one using chains (rather than trees) defined by Freire et al. [21]. When defining $SetUp$ and $Derive$ we assume that the information flow policy $P = (X, ⩽)$ is presented in the form of a tree partition $T = (X, ⩽_{T})$ , and that for the latter a specific forest-based enforcement scheme $(T, ψ)$ has been selected (such as $(T, ϕ_{T})$ ). Further, for the $n = | X |$ labels of X we assume a numbering convention that follows a (reverse) linear extension ≺ of ⩽; more precisely, we assume that $X = {x_{1}, \dots, x_{n}}$ where $x_{n} ≺ x_{n - 1} ≺ \dots ≺ x_{2} ≺ x_{1}$ (in particular, $x_{n}$ is a minimal element in X and $x_{1}$ is a maximal element).

Following Freire et al. [21], the cryptographic building block of our construction is a pseudorandom function (PRF), where the key space and the output space are the same set $K$ , which we denote by $F$ .7

⁷
Some communities conceptually identify ‘pseudorandom functions’ with ‘keyed hash functions’, others identify ‘pseudorandom functions’ with (unkeyed) ‘collision-resistant hash functions’, others identify ‘keyed hash functions’ with ‘message authentication codes’ (MACs). When we refer to a PRF we mean a keyed function that behaves like a random function as long as the key remains hidden, following the standard provable security naming convention (e.g., used in [21]).

Following Atallah et al. [2], we use a labeling function $ℓ : X \to {0, 1}^{*}$ to associate each node x in the poset with a unique binary string $ℓ (x)$ . We write $x \leftarrow_{$} X$ to denote sampling an element from set X uniformly at random and assigning the result to variable x.

Then, given $F : K \times {0, 1}^{*} \to K$ and $ℓ : X \to {0, 1}^{*}$ , we define the following $SetUp$ and $Derive$ algorithms for our enforcement scheme.

Algorithm $SetUp$ , on input an information flow policy in the format described above:
For $i = 1$ to n do (i.e., count from a maximal label down to a minimal label):

if $x_{i}$ is maximal in $(X, ⩽_{T})$ pick a fresh random key $s (x_{i}) \leftarrow_{$} K$ ;

otherwise, identify the (unique) parent y of $x_{i}$ in $T$ and assign $s (x_{i}) \leftarrow F (s (y), ℓ (x_{i}))$ (where $s (y)$ is the PRF key and $ℓ (x_{i})$ is the PRF input);

For each $x \in X$ output $σ (x) = {(v, s (v)) : v \in ψ (x)}$ and $κ (x) = F (s (x), ℓ (x))$ ; no public information is needed, i.e., $Pub = \emptyset$ .
The general principle of this CES is to derive secrets in a top-down fashion: top nodes (according to $⩽_{T}$ ) are assigned random keys, and the keys of all other nodes are deterministically derived from their parent using the PRF. Observe that, as we arranged ≺ to be a linear extension of ⩽ (and thus $⩽_{T}$ ), step (1.) of $SetUp$ is actually well-defined.

Algorithm $Derive$ , on input the information flow policy, labels $x, y \in X$ , and secret $σ (x)$ :

Return ⊥ if $x ⩾̸ y$ ;

Identify the (unique) $z \in ψ (x)$ such that $y ⩽_{T} z$ and recover $s (z)$ from $σ (x)$ ;

Let $z = z_{0} ⋗ z_{1} ⋗ \dots ⋗ z_{m} = y$ be the complete derivation chain in $T$ between z and y;

For $i = 1$ to m do: $s (z_{i}) \leftarrow F (s (z_{i - 1}), ℓ (z_{i}))$ ;

Output $κ (y) = F (s (y), ℓ (y))$ .

In this instantiation, the same pseudorandom function $F$ is used as a secret- and key-generation function; secret values, and values derived from secret values, serve as PRF keys, and fixed strings that uniquely identify the corresponding node are its inputs.
3.2. Security analysis
We assess the security of our enforcement scheme using the principles of provable security. We start by formalizing the properties of the cryptographic building block, the pseudorandom function $F$ . Our definition is not the most general possible: rather, it is tailored to the requirements of our construction; specifically, we require that the keyspace and the range of the PRF are the same set.

Definition 5.
A pseudorandom function (PRF) with keyspace and range $K$ is any efficient function $F : K \times {0, 1}^{*} \to K$ . We also write $F_{K} (x)$ to denote $F (K, x)$ . We define the advantage of an adversary $D$ in distinguishing $F$ from a random function as $\begin{matrix} {Adv}^{F} (D) = | Pr [K \leftarrow_{$} K; D^{F_{K}} \Rightarrow 1] - Pr [φ \leftarrow_{$} ⟨ {0, 1}^{*} \to K ⟩; D^{φ} \Rightarrow 1] | . \end{matrix}$ We say that PRF $F$ is $(ϵ, τ)$ -indistinguishable from a random function if ϵ upper-bounds the advantage of all distinguishers $D$ that run in time at most τ.

In the above definition, $⟨ {0, 1}^{*} \to K ⟩$ denotes the universe of all functions mapping ${0, 1}^{*}$ to $K$ . Further, writing “ $D^{F} \Rightarrow 1$ ” for a function F means that (randomized) algorithm $D$ has oracle access to F and terminates outputting value 1. Finally, in Definition 5, F either implements access to a keyed PRF instance $F_{K}$ , or it implements a completely random function.8
⁸
Strictly speaking, as uniformly picking a function from the (infinite) universe $⟨ {0, 1}^{*} \to K ⟩$ is impossible, the right-hand probability of the advantage specification is not well-defined. Rather, we use this notation short-hand for expressing that $D$ is executed with access to an oracle that maps inputs to keys, where the latter are sampled uniformly at random in an on-the-fly manner (‘lazy sampling’).

That is, the smaller we can choose ϵ, the closer a particular PRF $F$ is to a random function. We discuss some practical candidate functions in Section 3.3.

We next make precise the level of security that we target for our enforcement scheme. Many different cryptographic models for CES with security guarantees of various strengths have been proposed (see [11] for a comparative overview). The notion we target and reproduce below, strong key indistinguishability [21], was not only proven to imply all other notions (i.e., to define the highest level of security),9
⁹
[11] show that not all of these implications are strict; in particular strong key indistinguishability is polynomially equivalent to the notion of (plain) key indistinguishability of [2], with tightness loss $n = | X |$ . Note also our model considers a static setup where the challenge label is fixed a priori. A variant of Definition 6 would consider dynamic adversaries: such an adversary is able to choose the challenge label x during the experiment, rather than having it fixed as one of the experiment’s parameters. However, it has been shown that static and dynamic definitions of strong key indistinguishability are polynomially equivalent [21]; corresponding results for (plain) key indistinguishability have also been obtained [5]. To simplify the exposition, therefore, we restrict our attention to the static case.

but is also, we believe, the most natural and versatile one. It is based on the security experiment ${Expt}_{X, x}^{kist, b}$ defined in Fig. 3, where we use the following notation: $\begin{array}{l} \bar{σ} = {(v, σ (v)) : v \in X}, \\ \bar{κ} = {(v, κ (v)) : v \in X}, \\ {Corrupt}_{X, x} = {(v, σ (v)) : v \in X, x ⩽̸ v}, \\ {Keys}_{X, x} = {(v, κ (v)) : v \in X ∖ {x}} . \end{array}$ In the experiment we assume that the adversary receives the information flow policy $(X, ⩽)$ in the same format as the $SetUp$ algorithm does.

Fig. 3.
Security experiment for strong key indistinguishability.
Definition 6.
Let $(X, ⩽)$ be an arbitrary poset. A CES for $(X, ⩽)$ is $(ϵ, τ)$ -strongly key indistinguishable with respect to static adversaries [21] if, for all $x \in X$ , the advantage of all adversaries $A$ that interact in experiment ${Expt}_{X, x}^{kist, b} (A)$ and run in time at most τ is bounded by ϵ, where we define $\begin{matrix} {Adv}_{X, x}^{kist} (A) = | Pr [{Expt}_{X, x}^{kist, 1} (A) \Rightarrow 1] - Pr [{Expt}_{X, x}^{kist, 0} (A) \Rightarrow 1] | . \end{matrix}$

Observe that in this definition the adversary obtains, in principle, all secrets embedded in the system (that is, all $σ (x)$ and $κ (x)$ values), excluding only those that would allow distinguishing the challenge key by trivial means (e.g., by invoking the $Derive$ algorithm).

The final step of our analysis is to prove that our forest-based enforcement scheme from the preceding section is strongly key indistinguishable in the sense of Definition 6. More precisely, we have the following result.
Theorem 1.
For any poset $(X, ⩽)$ , $x \in X$ , and adversary $A$ that runs in time at most τ, there exists a constant $0 ⩽ c ⩽ | X |$ and distinguishers $D_{1}^{0}, \dots, D_{c}^{0}$ , $D_{1}^{1}, \dots, D_{c}^{1}$ against the underlying PRF such that $\begin{matrix} {Adv}_{X, x}^{kist} (A) ⩽ {Adv}^{F} (D_{1}^{0}) + \dots + {Adv}^{F} (D_{c}^{0}) + {Adv}^{F} (D_{1}^{1}) + \dots + {Adv}^{F} (D_{c}^{1}) \end{matrix}$ and the respective running times are at most $τ_{i}^{b} = τ + O (| X |)$ . That is, if the PRF is $(ϵ^{'}, τ + O (| X |))$ -indistinguishable then our CES construction is $(ϵ, τ)$ -strongly key indistinguishable with $ϵ = 2 | X | ϵ^{'}$ .
Proof.
The argument proceeds using a sequence of $| X | = n$ hybrid games that interpolate between experiments ${Expt}_{X, x}^{kist, 0}$ and ${Expt}_{X, x}^{kist, 1}$ . In each hybrid step, if specific conditions are met, we replace one PRF instance by a random function; from the point of view of the adversary, the distance between each two consecutive hybrids is not greater than ${Adv}^{F} (D)$ for a specific PRF distinguisher $D$ .

Fix a poset $(X, ⩽)$ together with a (reverse) linear extension $x_{n} ≺ x_{n - 1} ≺ \dots ≺ x_{2} ≺ x_{1}$ of X, a label $x \in X$ , and a CES adversary $A$ that runs in time at most τ. We use sequence $x_{n} ≺ \dots ≺ x_{1}$ to define our hybrid experiments: For $b \in {0, 1}$ , we set $G_{0}^{b} = {Expt}_{X, x}^{kist, b}$ and define games $G_{1}^{b}, \dots, G_{n}^{b}$ (in that order) such that if $1 ⩽ k ⩽ n$ and $x_{k} ⩾ x$ then the difference between games $G_{k}^{b}$ and $G_{k - 1}^{b}$ is precisely that all PRF invocations with key $s (x_{k})$ are replaced by assignments with values drawn uniformly at random from $K$ (correspondingly, also the keys considered in lines 2. and 4. are changed). For the remaining indices k, i.e., in case $x_{k} ⩾̸ x$ , games $G_{k}^{b}$ and $G_{k - 1}^{b}$ are identical. Let $S_{k}^{b}$ denote $Pr [G_{k}^{b} (A) \Rightarrow 1]$ for all $b, k$ .

Observe that we replace PRF invocations by random assignments for precisely those labels $x \in X$ that do not have a corresponding entry in ${Corrupt}_{X, x}$ . Observe also that, as we consider the labels in a suitable order, for all switchings from a PRF to a random function we have that the corresponding PRF key $s (x)$ was replaced with a uniform random value before. Thus, the difference between any two consecutive games is bounded by a PRF advantage: by a standard reductionist argument, in the cases $x ⩽ x_{k}$ , we have $\begin{matrix} (1) & | S_{k}^{b} - S_{k - 1}^{b} | = | Pr [G_{k}^{b} (A) \Rightarrow 1] - Pr [G_{k - 1}^{b} (A) \Rightarrow 1] | = {Adv}^{F} (D), \end{matrix}$ for a specific distinguisher $D$ with running time approximately $τ + | X | \cdot T_{prf} \in τ + O (| X |)$ , where $T_{prf}$ is the time required for one PRF evaluation; in addition, whenever $x ⩽̸ x_{k}$ we have $G_{k}^{b} = G_{k - 1}^{b}$ and hence $| S_{k}^{b} - S_{k - 1}^{b} | = 0$ . Now, by repeated application of the triangle inequality and (1), we have $\begin{matrix} | S_{0}^{b} - S_{n}^{b} | ⩽ \sum_{k = 1}^{n} | S_{k - 1}^{b} - S_{k}^{b} | ⩽ \sum_{k = 1}^{c} {Adv}^{F} (D_{k}^{b}), \end{matrix}$ where $c = | {x^{'} \in X : x ⩽ x^{'}} |$ and distinguishers $D_{k}^{b}$ are constructed as specified. We now consider games $G_{n}^{0}$ and $G_{n}^{1}$ . In both cases $κ (x)$ is picked uniformly at random, thus lines 3. and 4. in the experiment implement the same operation. Hence $G_{n}^{0}$ is identical to $G_{n}^{1}$ and $| S_{n}^{0} - S_{n}^{1} | = 0$ . Thus, we obtain $\begin{array}{rcl} {Adv}_{X, x}^{kist} (A) & = & | S_{0}^{1} - S_{0}^{0} | ⩽ | S_{0}^{1} - S_{n}^{1} | + | S_{n}^{1} - S_{n}^{0} | + | S_{n}^{0} - S_{0}^{0} | \\ ⩽ & {Adv}^{F} (D_{1}^{1}) + \dots + {Adv}^{F} (D_{c}^{1}) + 0 + {Adv}^{F} (D_{1}^{0}) + \dots + {Adv}^{F} (D_{c}^{0}) \end{array}$ as required. □

Note that by results of [11] it would have sufficed to prove (plain) key indistinguishability of our scheme, as the latter would imply the notion of strong key indistinguishability that we target. Observe however that going this way introduces a tightness loss of $n = | X |$ . Besides saving this factor, we believe our direct approach is also more intuitive.
3.3. On practical instantiations of the PRF component

We now briefly consider how one might instantiate our CES in practice. Although pseudorandom functions are a standard building block in the domain of provable security, corresponding constructions do not explicitly appear in most international cryptographic standards documents (e.g., by ANSI, IEEE, NIST, IETF, etc.). However, certain standardized MACs and block ciphers can be used as a PRF replacement, as we discuss next.

The primary aim of message authentication codes (MACs) is integrity protection and data authentication. A standard result says that any PRF may also be used as a MAC. The converse is in general not true: a good MAC is not automatically a good PRF. Fortunately, however, essentially all standardized MAC constructions are in fact good PRFs, including the popular HMAC [26], CMAC [18], GMAC [19], and PMAC [10] schemes.

In our application, the data input of the PRF and hence of the MAC is the name $ℓ (x)$ of a node $x \in X$ . For the sake of generality we did not impose any constraints on the format of these names (in particular, strings of arbitrary length are allowed). We note that all of the MAC schemes mentioned above are designed to process arbitrary-length strings, of any format. By consequence, all of them are suitable to securely instantiate our enforcement scheme. However, we point out that if we imposed a constant-length restriction on $ℓ (x)$ , then a much simpler PRF than the MACs mentioned above can be used: by the PRF/PRP switching lemma [9], any block cipher (a.k.a. pseudorandom permutation, PRP) also constitutes a PRF, where the input length is equal to the output length and coincides with the cipher’s block size. In particular, if one is satisfied with using 128 bit keys and may require 128-bit labels for elements in X then the AES block cipher can be used without modification as the pseudorandom function of our CES construction. Further, if the target is a security level of 256 bit and one uses 127-bit labels, then the following function would be a suitable PRF: $\begin{matrix} F : {0, 1}^{256} \times {0, 1}^{127} \to {0, 1}^{256}, where (K, s) \mapsto {AES}_{K} (0 ∥ s) ∥ {AES}_{K} (1 ∥ s) . \end{matrix}$

4. Selecting a good tree partition

Each poset admits many possible tree partitions and each tree partition gives rise to many possible enforcement schemes. In this section, we investigate which enforcement scheme to select for a given tree partition and which tree partition to select for a given poset. Our analysis is based on the assumption that we wish to minimize the total number of secrets that need to be distributed to users. Thus, given a tree partition $T = (X, ⩽_{T})$ and a forest-based enforcement scheme $(T, ψ)$ , we define $\begin{matrix} S (T, ψ) = \sum_{x \in X} | ψ (x) | \cdot | U_{x} | . \end{matrix}$ Note that $| ψ (x) |$ denotes the number of secrets issued to each $u \in U_{x}$ for the enforcement scheme $(T, ψ)$ . Thus, $S (T, ψ)$ is the total number of secrets that need to be distributed to users when we apply scheme $(T, ψ)$ . By Lemma 1, for a given tree partition $T = (X, ⩽_{T})$ , any forest-based enforcement scheme $(T, ψ)$ and any $x \in X$ , we have $ϕ_{T} (x) \subseteq ψ (x)$ ; thus $| ϕ_{T} (x) | ⩽ | ψ (x) |$ and $S (T, ϕ_{T}) ⩽ S (T, ψ)$ . Hence, for a given tree partition $T$ , we will assume the use of the forest-based enforcement scheme $(T, ϕ_{T})$ .

Let $P = (X, ⩽)$ be an information flow policy and let $T = (X, ⩽_{T})$ be a tree partition of $P$ . Then we say that $T$ is a minimal tree partition of $P$ if, for any tree partition $T^{'}$ of $P$ , we have $S (T, ϕ_{T}) ⩽ S (T^{'}, ϕ_{T^{'}})$ . (In other words, $T$ is a tree partition that minimizes the total number of distributed secrets.)

For any tree partition $T = (X, ⩽_{T})$ and for all $x \in X$ , x must have at most one parent in $(X, ⩽_{T})$ . Informally, then, to construct a tree partition $T$ from $P = (X, ⩽)$ , for all $x \in X$ we must discard all but (at most) one parent of x in $P$ . Hence, if we can associate the choice of parent y for z with an appropriate cost of the edge $y z$ in $H^{*} = (X, E_{max})$ , then computing a minimal tree partition can be translated into a problem of selecting a suitable weighted forest.

We now describe how to compute such a cost function. Given an information flow policy $P = (X, ⩽)$ , for each pair $y z$ such that $y > z$ , we define $γ_{P} (y z) = {x \in X : x ⩾ z, x ⩾̸ y}$ . An illustration of the values taken by $γ_{P}$ is given in Fig. 4(a).

Fig. 4.
A minimal tree partition of $(I (5), \subseteq)$ .
Proposition 3.
For all $x > y > z$ , $γ_{P} (x z) \supset γ_{P} (y z)$ .
Proof.
Let $t \in γ_{P} (y z)$ . Then $t ⩾ z$ and $t ⩾̸ y$ . Now if $t ⩾ x$ , we would have $t ⩾ y$ , by transitivity. Thus $t ⩾̸ x$ and hence $t \in γ_{P} (x z)$ . Moreover, $y \in γ_{P} (x z)$ , since $y > z$ and $y ⩾̸ x$ , and $y \notin γ_{P} (y z)$ , so the inclusion is strict. □

Define a weight function $ω_{P} : X \times X \to N$ , where $\begin{matrix} ω_{P} (y z) = \{\begin{matrix} \sum_{x \in γ_{P} (y z)} | U_{x} | & if y > z, \\ 0 & otherwise . \end{matrix} \end{matrix}$

Note that for any tree partition $T$ , z has at most one parent in $T$ , so we may write $γ_{T} (z)$ for $γ_{P} ({par}_{T} (z) z)$ without ambiguity. Given a tree partition $T$ of X, we define the weight function $Ω_{T} : X \to N$ , where $\begin{matrix} Ω_{T} (z) = \{\begin{matrix} \sum_{x ⩾ z} | U_{x} | & if z is maximal in T, \\ \sum_{x \in γ_{T} (z)} | U_{x} | & otherwise . \end{matrix} \end{matrix}$

Informally, $Ω_{T} (z)$ represents the number of users that will require the secret associated with z, on the one hand if z is maximal in $T$ and on the other if edge ${par}_{T} (z) z$ is used in $T$ . We can now prove the main result of this section, which establishes a relationship between $S (T, ϕ_{T})$ and $Ω_{T}$ , and thus enables us to define an (efficient) algorithm for computing a minimal tree partition.
Theorem 2.
Let $P = (X, ⩽)$ be a poset with Hasse diagram $H (P) = (X, E_{min})$ and let $T$ be a tree partition $T$ of $P$ . Then $\begin{matrix} (2) & S (T, ϕ_{T}) = \sum_{z \in X} Ω_{T} (z) . \end{matrix}$ Moreover, we can compute a minimal tree partition $\hat{T}$ of $P$ in time $O (| E_{min} | + | X |^{2})$ .
Proof.
We first prove (2). Let $X^{″}$ denote the set of maximal elements in $T$ and $X^{'}$ denote the set of non-maximal elements. By definition, $\begin{matrix} S (T, ϕ_{T}) = \sum_{x \in X} | ϕ_{T} (x) | | U_{x} | \end{matrix}$ and we have $\begin{matrix} | ϕ_{T} (x) | = | {z \in X^{'} ∖ {x} : x \in γ_{T} (z)} | + | {z \in X^{″} : x > z} | + 1, \end{matrix}$ where the first summand is due to case (ii) of Lemma 2, the second due to (iii) and the third due to (i). Hence $\begin{array}{l} S (T, ϕ_{T}) & = \sum_{x \in X} (| {z \in X^{'} ∖ {x} : x \in γ_{T} (z)} | + | {z \in X^{″} : x > z} | + 1) | U_{x} | \\ = (\sum_{x \in X} | {z \in X^{'} : x \in γ_{T} (z)} | | U_{x} | - \sum_{x \in X^{'}} | U_{x} |) \\ + \sum_{x \in X} | {z \in X^{″} : x > z} | | U_{x} | + \sum_{x \in X} | U_{x} | \\ = \sum_{x \in X} | {z \in X^{'} : x \in γ_{T} (z)} | | U_{x} | + (\sum_{x \in X} | {z \in X^{″} : x > z} | | U_{x} | + \sum_{x \in X^{″}} | U_{x} |) \\ = \sum_{z \in X^{'}} \sum_{x \in γ_{T} (z)} | U_{x} | + \sum_{z \in X^{″}} \sum_{x ⩾ z} | U_{x} | \\ = \sum_{z \in X} Ω_{T} (z) \end{array}$

We next establish the choice of $T$ that minimizes $S (T, ϕ_{T})$ . Observe that if z is not a maximal element of X, a minimal tree partition $\hat{T}$ will not have z as a maximal element either. Indeed, suppose z is a maximal element in a tree partition $T$ and let y be a parent of z in X. Then $Ω_{T} (z) > Ω_{T^{'}} (z)$ , where $T^{'}$ is obtained from $T$ by adding edge $y z$ to the Hasse diagram of $T$ , since ${x \in X : x \in γ_{T^{'}} (z)} \subset {x \in X : x ⩾ z}$ ; the inclusion is strict since y is in the first set but not the second. Thus, z is a maximal in $\hat{T}$ if and only if z is maximal in X. It remains to decide on parents in $\hat{T}$ for non-maximal elements in X.

Let $T$ be a tree partition and z is not maximal in $T$ . Note that $Ω_{T} (z) = ω_{P} ({par}_{T} (z) z)$ . By Proposition 3, we have $γ_{P} (y z) \subset γ_{P} (x z)$ for $x > y > z$ . It follows that $ω_{P} (y z) ⩽ ω_{P} (x z)$ , the inequality being strict if we assume that at least one user is assigned to each node in X. Thus it suffices to consider only parents of z in X when constructing a minimum tree partition. Moreover, to build $\hat{T}$ , for each non-maximal $z \in X$ , we select a parent y of z in X such that $ω_{P} (y z) ⩽ ω_{P} (y^{'} z)$ for all other parents $y^{'}$ of z.

Finally, we describe an algorithm for computing a minimum tree partition and analyze its running time. In the first step, compute $ω_{P} (y z)$ for each non-maximal z and each parent y of z in $P$ . This can be done in time $O (| X |^{2})$ , as in the proof of Proposition 2. In the second step, for every non-maximal z choose, as its parent in a minimal tree partition, a node y such that $ω_{P} (y z) ⩽ ω_{P} (x z)$ for all $x \in X$ with $x > z$ . The second step will require time $O (| E_{min} |)$ . Thus, the total time required is $O (| E_{min} | + | X |^{2})$ .10
¹⁰
Since $| E_{min} | ⩽ | X |^{2}$ we can simplify the total time to $O (| X |^{2})$ . However, we decided to keep $| E_{min} |$ to stress that only parents of elements need to be considered to compute a minimum tree partition.

□

We have shown that we can compute a minimal tree partition efficiently. Recall that $| ϕ_{T} (x) |$ measures the number of secrets a user in $U_{x}$ will require to derive all authorized secrets (and keys). We now consider whether it is possible to compute a minimal tree partition that simultaneously bounds ${max}_{x \in X} {| ϕ_{T} (x) |}$ . Let $T$ be a minimal tree partition of $P = (X, ⩽)$ . We will say that $T$ is an optimal tree partition of $P$ if $T$ has the minimum number of minimal elements among all minimal tree partitions. An optimal tree partition with ℓ leaves has the property that no user will require more than ℓ secrets.

For each non-maximal $z \in P = (X, ⩽)$ , let $Y (z)$ be the set of $y \in X$ such that $y > z$ and $ω_{P} (y z)$ is minimum. Construct a directed acyclic graph H with vertex set X; for every non-maximal $y \in X$ , the in-neighborhood of y is $Y (y)$ , and each maximal $y \in X$ has no in-neighbors. Add to H a new vertex r which is an in-neighbor of every $x \in X$ . Now apply the polynomial-time algorithm MinLeaf [25], that allows us to find an out-tree rooted at r with minimum number of leaves, i.e., vertices with no out-neighbors. As a result, we obtain, among all tree partitions with minimum number of secrets, one with minimum number of minimal elements. Let $X^{'}$ denote the set of non-maximal elements in $P$ . Then MinLeaf’s runtime is $O (s + | X |^{3 / 2} s^{1 / 2})$ , where $s = \sum_{z \in X^{'}} | Y (z) |$ . Observe that $s ⩽ | E_{max} |$ and $| E_{max} | ⩽ | X |^{2}$ . This implies that $O (s + | X |^{3 / 2} s^{1 / 2}) = O (| X |^{3 / 2} | E_{max} |^{1 / 2})$ . Thus, we have the following result.
Corollary 1.
Given an information flow policy $P = (X, ⩽)$ , we can find an optimal tree partition $T = (X, ⩽_{T})$ of $P$ in time $O (| X |^{3 / 2} | E_{max} |^{1 / 2})$ .

We conclude this section with an example illustrating our results. Let $[n] = {1, 2, \dots, n}$ and let $[i, j] = {i, i + 1, \dots, j - 1, j}$ for $i ⩽ j$ . Then define the poset $\begin{matrix} I (n) = {[i, j] : 1 ⩽ i ⩽ j ⩽ n}, \end{matrix}$ where $[i, j] ⩽ [i^{'}, j^{'}]$ if and only if $i^{'} ⩽ i$ and $j^{'} ⩾ j$ . The Hasse diagram for $I (5)$ is illustrated in Fig. 1(a). The poset $I (n)$ has attracted considerable interest because of its application to “time-bound” access control (see [4,13], for example). In particular, the numbers $1, \dots, n$ represent time points or time intervals, and elements in $I (n)$ represent contiguous intervals of time (either consecutive points or a sequence of consecutive intervals). A user u assigned the interval $[i, j]$ is authorized to access any object assigned an interval $[i^{'}, j^{'}] \subseteq [i, j]$ .

The cardinality of $γ_{P} (y z)$ , $y, z \in I (5)$ , $y ⋗ z$ , is shown in Fig. 4(a). A tree of minimum weight is shown in Fig. 4(b) and the corresponding values of $Ω_{T} (z)$ are shown in Fig. 4(c). It is possible to show that the minimum number of secrets required in total, assuming $| U_{x} | = 1$ for each $x \in I (n)$ , is $\frac{1}{6} m (m + 1) (4 m - 1)$ if $n = 2 m - 1$ , and $\frac{1}{6} m (m + 1) (4 m + 5)$ if $n = 2 m$ .
5. Selecting a good chain partition
In this section, we consider chain-based schemes. Recall that a chain partition of a poset $P$ is a disjoint union of chains such that every element of $P$ belongs to one of the chains. An element z of a chain C is called top (bottom, respectively) if the in-degree (out-degree, respectively) of z in $H (C)$ is zero.

We first show that the total number of secrets to be issued in a chain-based enforcement scheme is determined by the bottom elements of the chains in the corresponding chain partition. This in turn implies that there exists a chain partition with a minimum number of secrets issued for which the number of chains is exactly the width of the poset.

Lemma 3.
For any poset $P = (X, ⩽)$ and any chain partition $C = (X, ⩽_{C})$ of $(X, ⩽)$ with chains ${C_{1}, \dots, C_{ℓ}}$ , let chain $C_{i}$ have bottom element $b_{i}$ , $1 ⩽ i ⩽ ℓ$ . Then $\begin{matrix} (3) & S (C, ϕ_{C}) = \sum_{i = 1}^{ℓ} \sum_{x \in ↑_{P} (b_{i})} | U_{x} | . \end{matrix}$
Proof.
Let $C_{i}$ comprise elements $z_{1}, z_{2}, \dots, z_{c}$ such that $z_{1} > z_{2} > \dots > z_{c}$ (i.e., $b_{i} = z_{c}$ ) and observe that $↑_{P} (b_{i})$ is the disjoint union of sets $X_{i}$ , $1 ⩽ i ⩽ c$ , where $X_{1} = {x : x ⩾ z_{1}}$ and $X_{j} = {x : x ⩾̸ z_{j - 1}, x ⩾ z_{j}}$ , $2 ⩽ j ⩽ c$ . Observe that $X_{j} = {x : x \in γ_{C} (z)}$ , $2 ⩽ j ⩽ c$ . This decomposition of $↑_{P} (b_{i})$ into sets $X_{i}$ , $1 ⩽ i ⩽ c$ , will be used in the following derivation.

By (2) and the definition of $Ω_{C} (z)$ , $\begin{array}{l} S (C, ϕ_{C}) & = \sum_{z \in X} Ω_{C} (z) \\ = \sum_{i = 1}^{ℓ} \sum_{x \in X_{1}} | U_{x} | + \sum_{i = 1}^{ℓ} \sum_{j = 2}^{ℓ} \sum_{x \in X_{j}} | U_{x} | \\ = \sum_{i = 1}^{ℓ} \sum_{x \in ↑_{P} (b_{i})} | U_{x} | \end{array}$ □

By Dilworth’s Theorem, a poset $(X, ⩽)$ of width w of has a chain partition with w chains. Such a chain partition can be obtained in time $O (| X |^{2.5})$ [23]. Thus, in particular, we can compute w in time $O (| X |^{2.5})$ . The next theorem can be viewed as a strengthening of Dilworth’s Theorem. In Section 5.1, we will show how to compute a minimal chain partition of width w in polynomial time.
Theorem 3.
Let $P = (X, ⩽)$ be an information flow policy of width w. Then there exists a minimal chain partition of width w.
Proof.
Let $C = (X, ⩽_{C})$ be a minimal chain partition of X into $t ⩾ w$ chains and let B be the set of bottom elements in the chains of $C$ . A theorem of Gallai and Milgram asserts that if a chain partition $C$ of a poset $P$ contains t chains, where $t > w$ , then there exists a chain partition $C^{'} = (X, ⩽_{C^{'}})$ into $t - 1$ chains such that the set of bottom elements in $C^{'}$ is a subset of B [22].11
¹¹
The result is phrased in the language of digraphs, but every poset may be represented by an equivalent transitive acyclic digraph.

Hence, by iterated applications of the Gallai–Milgram theorem, there exists a chain partition $C^{*} = (X, ⩽_{C^{*}})$ of width w such that the set of bottom elements $B^{*}$ in $C^{*}$ is a subset of B. Moreover, by Lemma 3, $\begin{matrix} S (C^{*}, ϕ_{C^{*}}) = \sum_{b \in B^{*}} \sum_{x \in ↑_{P} (b)} | U_{x} | ⩽ \sum_{b \in B} \sum_{x \in ↑_{P} (b)} | U_{x} | = S (C, ϕ_{C}) \end{matrix}$ As $C$ is a minimal chain partition, we conclude that $C^{*}$ is also a minimal chain partition. □
Corollary 2.
Let $P = (X, ⩽)$ be an information flow policy. There exists a chain partition $C = (X, ⩽_{C})$ such that $S (C, ϕ_{C})$ is minimized and $max {| ϕ_{C} (x) | : x \in X} ⩽ w$ .
Proof.
The result follows immediately from Theorem 3 and the fact that $| ϕ_{C} (x) |$ is bounded above by the number of chains in $C$ for all $x \in X$ . □

The above corollary shows that no user requires more than w secrets in a chain-based enforcement scheme.

Returning to our example of $I (n)$ , note that the width of $I (n)$ is n as the minimal elements form the largest antichain. Thus, any chain partition with n chains requires the same number of secrets. It is not hard to show that this number is $\frac{1}{6} n (n + 1) (n + 2)$ , which is minimum possible. Thus the minimal tree partition of $I (n)$ (discussed in Section 4) requires approximately half the number of secrets required by the minimal chain partition.
5.1. Computing a minimal chain partition

A chain partition imposes stronger constraints than a tree partition. Specifically, each element in a chain partition has at most one parent and one child, whereas a tree partition only requires that each element has at most one parent. Thus, the straightforward algorithm for computing a minimal tree partition cannot be used to compute a minimal chain partition.

Suppose $P = (X, ⩽)$ is a poset of width w. In general, a chain partition of $P$ has $ℓ ⩾ w$ chains. Theorem 3 asserts that there exists a minimal chain partition comprising w chains. We now show how such a chain partition may be constructed. In particular, we show how to transform the problem of finding a minimal chain partition $C = (X, ⩽_{C})$ into a problem of finding a minimum cost flow in a network.

Informally, a network is a directed graph in which each edge is associated with a capacity. A network flow associates each edge in a given network with a flow, which must not exceed the capacity of the edge. Networks are widely used to model systems in which some quantity passes through channels (edges in the network) that meet at junctions (vertices); examples include traffic in a road system, fluids in pipes, or electrical current in circuits. Our definitions for networks and network flows follow the presentation of Bang-Jensen and Gutin [6].

Definition 7.
A network is a tuple $N = (D, l, u, c, β)$ , where:
$D = (V, A)$ is a directed graph with vertex set V and edge set A;

$l : V \times V \to N$ such that $l (v v^{'}) = 0$ if $v v^{'} \notin A$ and $l (v v^{'}) ⩾ 0$ otherwise;

$u : V \times V \to N$ such that $u (v v^{'}) = 0$ if $v v^{'} \notin A$ and $u (v v^{'}) ⩾ l (v v^{'}) ⩾ 0$ otherwise;

$c : V \times V \to R$ ;

$β : V \to R$ such that $\sum_{v \in V} β (v) = 0$ .

Intuitively, l and u represent lower and upper bounds, respectively, on how much flow can pass through each edge, and c represents the cost associated with each unit of flow in each edge. The function β represents how much flow should enter or leave the network at a given vertex. If $β (x) = 0$ , then the flow going into x should be equal to the flow going out of x. If $β (x) > 0$ , then there should be $β (x)$ more flow coming out of x than going into x. If $β (x) < 0$ , there should be $| β (x) |$ more flow going into x than coming out of x.
Definition 8.
Given a network $N = (D, l, u, c, β)$ , a function $f : V \times V \to N$ is a feasible flow for $N$ if the following conditions are satisfied:
$u (v v^{'}) ⩾ f (v v^{'}) ⩾ l (v v^{'})$ for every $v v^{'} \in V \times V$ ;

$\sum_{v^{'} \in V} (f (v v^{'}) - f (v^{'} v)) = β (v)$ for every $v \in V$ .
The cost of f is defined to be $\begin{matrix} \sum_{v v^{'} \in A} c (v v^{'}) f (v v^{'}) . \end{matrix}$

Our aim is to find a tree $C = (X, ⩽_{C})$ such that $C$ is a chain partition of X with precisely w chains that minimizes $S (C, ϕ_{C})$ . To do this, we will construct a network $N$ such that the minimum cost flow of $N$ corresponds to the desired chain partition. We can then find the minimum cost flow of $N$ in polynomial time.

Every top vertex in $C$ must have one child and no parent in C, every bottom vertex in C must have one parent and no child in C, and every other vertex in C must have one parent and one child. We cannot represent this requirement directly in a network. However, we can use the vertex splitting procedure [6] to simulate it. Specifically, given poset $P = (X, ⩽)$ , define first a directed graph $D = (V, A)$ . Let $X_{in} = {x_{in} : x \in X}$ and $X_{out} = {x_{out} : x \in X}$ , and define the vertex set $V = X_{in} \cup X_{out} \cup {s, t}$ , where ${s, t} \cap (X_{in} \cup X_{out}) = \emptyset$ . Define the edge set A as follows: for $v, v^{'} \in X_{in} \cup X_{out}$ , $v v^{'} \in A$ if and only if either $v = x_{in}$ and $v^{'} = x_{out}$ for some $x \in X$ , or $v = x_{out}$ and $v^{'} = y_{in}$ for some $x, y \in X$ such that $y ⩽ x$ ; for every $v \in X_{in}$ we have $s v \in A$ ; and for every $v \in X_{out}$ we have $v t \in A$ .

Then define a network $N = (D, l, u, c, β)$ , where $\begin{array}{l} l (v v^{'}) = \{\begin{matrix} 1 & if v = x_{in}, v^{'} = x_{out}, where x \in X \\ 0 & otherwise; \end{matrix} \\ u (v v^{'}) = \{\begin{matrix} 1 & if v v^{'} \in A \\ 0 & otherwise; \end{matrix} \\ c (v v^{'}) = \{\begin{matrix} \sum_{x \in ↑_{P} (v)} | U_{x} | & if v^{'} = t, v = x_{out}, where x \in X \\ 0 & otherwise; \end{matrix} \\ β (v) = \{\begin{matrix} w & if v = s \\ - w & if v = t \\ 0 & otherwise. \end{matrix} \end{array}$ We call this network the network chain-representation of $(X, ⩽)$ . Note that any feasible flow f for this network must have $0 ⩽ f (x y) ⩽ 1$ for all $x y \in A$ .
Lemma 4.
Let $N$ be the network chain-representation of an information flow policy $P = (X, ⩽)$ . Then the minimum number of secrets issued by a chain-based enforcement scheme for $(X, ⩽)$ with w chains is $\hat{f}$ , where $\hat{f}$ is the minimum cost of a feasible flow in $N$ .
Proof.
Suppose we are given a chain partition $C = (X, ⩽_{C})$ .Consider the following flow: $\begin{array}{l} f (x_{in} x_{out}) = 1 for all x \in X; \\ f (x_{out} y_{in}) = 1 if x = {par}_{C} (y); \\ f (s x_{in}) = 1 if x is the top element in a chain in C; \\ f (x_{out} t) = 1 if x is the bottom element in a chain in C; \\ f = 0 otherwise . \end{array}$ Observe that f is a feasible flow. Indeed, by construction all edges $x y$ satisfy $u (x y) ⩾ f (x y) ⩾ l (x y)$ . In the graph formed by edges $x y$ with $f (x y) = 1$ , it is clear that every vertex x has in-degree and out-degree 1, except for s and t. Also, s has in-degree 0 and out-degree w in this graph, and t has in-degree w and out-degree 0. As all edges $x y$ have $f (x y) = 1$ or $f (x y) = 0$ , we have that $\begin{matrix} \sum_{v \in V (D)} (f (x v) - f (v x)) = β (x) \end{matrix}$ for all x, as required. Moreover, the cost of f equals $\sum_{b \in B} \sum_{x \in ↑_{P} (b)} | U_{x} |$ , where B is the set of bottom elements of chains in $C$ , which by (3) equals $S (C, ϕ_{C})$ .

Conversely, suppose f is a feasible flow for $N$ . Then we define $y ⋖_{C} x$ if and only if $x, y \in X$ and $f (x_{out} y_{in}) = 1$ . By the construction of $N$ and definition of f, it is not hard to see that $C$ is a chain partition of X with w chains. By construction of $N$ , the cost of f equals $\sum_{b \in B} \sum_{x \in ↑_{P} (b)} | U_{x} |$ , where B is the set of bottom elements of chains in $C$ , which by (3) equals $S (C, ϕ_{C})$ . □
Lemma 5.
We can find a minimum cost flow for $N$ in $O (| X |^{4} w)$ time.
Proof.
Recall that computing w can be done in time $O (| X |^{2.5})$ . To compute $\sum_{x \in ↑_{P} (y)} | U_{x} |$ for each $y \in X$ requires time $O (| E_{max} | + | X |)$ using depth-first search from y in the digraph obtained from $H^{*} (X)$ by changing orientation of every edge. Thus, to compute $\sum_{x \in ↑_{P} (y)} | U_{x} |$ for all $y \in X$ requires time $O (| X | (| E_{max} | + | X |))$ .

The well-known buildup algorithm (see [6, §4.10.5], for example) finds a minimum cost flow for a network with n vertices and m edges in time $O (n^{2} m M)$ , where M denotes the maximum of all absolute values of balance demands on vertices. By construction of $N$ , we have that $n = 2 | X | + 2 = O (| X |)$ , $m = O (n^{2}) = O (| X |^{2})$ , and $M = w$ . Thus we get the desired running time. □
Remark 1.
Strictly speaking, the buildup algorithm assumes that all lower bounds on edges are 0. In its current form, our network does not satisfy this condition. However, we can satisfy this condition, given $N = (D, l, u, c, β)$ , by defining the network $N^{'} = (D, l^{'}, u^{'}, c, β^{'})$ , where $\begin{array}{l} l^{'} (x y) = 0 β^{'} (x) = β (x) - l (x y) \\ u^{'} (x y) = u (x y) - l (x y) β^{'} (y) = β (y) + l (x y) \end{array}$ Then the minimum cost flow $f^{'}$ for $N^{'}$ will have cost exactly $\sum_{x y} l (x y) c (x y)$ less than the minimum cost flow for $N$ , and $f^{'}$ can be transformed into a minimum cost feasible flow f for $N$ by setting $f (x y) = f^{'} (x y) + l (x y)$ .

We are now able to prove our main result, for this section which is, essentially, a corollary of Theorem 3 and Lemmas 4 and 5. Theorem 4.
Let $P = (X, ⩽)$ be an information flow policy of width w. Then we can find a minimal chain partition comprising w chains in time $O (| X |^{4} w)$ . In such a chain partition no user requires more than w secrets.
Proof.
Let $S$ denote the minimum number of secrets issued by a chain-based enforcement scheme for X. By Theorem 3, there exists a chain partition that has exactly w chains, for which the corresponding chain-based enforcement scheme only requires $S$ secrets. Then by Lemma 4, $S$ is equal to the minimum cost of a feasible flow in $N$ , the network chain-representation of $P$ . By Lemma 5, such a flow can be found in $O (| X |^{4} w)$ time, and this flow can be easily transformed into the corresponding chain partition $C = (X, ⩽_{C})$ . Finally, by definition of $ϕ_{C} (x)$ , $| ϕ_{C} (x) | ⩽ w$ for each $x \in X$ and therefore no user requires more than w secrets. □

6. Concluding remarks

In this paper, we introduced the concept of a tree partition, generalizing prior work on chain partitions and tree-based enforcement schemes. We have proved that it is possible to compute optimal chain and tree partitions for an arbitrary information flow policy in polynomial time. And we have proved that there exist secure instantiations of enforcement schemes based on tree partitions. In short, we have shown that it is possible to construct forest-based cryptographic enforcement schemes for information flow policies efficiently.

Perhaps the most important contribution of our work on cryptographic enforcement schemes based on tree and chain partitions is to provide alternative trade-offs between the parameters of such enforcement schemes. These additional trade-offs provide data owners with a greater range of potential enforcement schemes, enabling them to select the most appropriate for their particular information flow policy and deployment constraints (such as storage and connectivity capabilities of end-user devices). We might, for example, wish to use an existing scheme that requires each device to store a single secret when storage is limited. Alternatively, we might wish to use a chain-based scheme when the distribution of public information is difficult and we wish to impose a small upper bound on the number of secrets that any device needs to store. We might use a tree-based scheme if distribution of public information is difficult and we wish to minimize the amount of data we wish to transmit to the user population.

Another difference between minimal tree-based and chain-based schemes is that computing the former is significantly faster than the latter as the former can essentially be computed by a simple greedy algorithm, while the latter requires a more sophisticated and much slower minimum cost flow algorithm. While still polynomial-time, minimum cost flow algorithms may be too slow when $| X |$ is large.

In future work, we hope to investigate the difficulty of finding a tree partition in which the worst-case derivation time is as similar as possible for all users (whilst still minimizing the number of secrets issued).

References

1.
S. Akl and P. Taylor, Cryptographic solution to a problem of access control in a hierarchy, ACM Trans. Comput. Syst. 1(3) (1983), 239–248. doi:10.1145/357369.357372.

2.
M.J. Atallah, M. Blanton, N. Fazio and K.B. Frikken, Dynamic and efficient key management for access hierarchies, ACM Trans. Inf. Syst. Secur. 12(3) (2009), Article No. 18. doi:10.1145/1455526.1455531.

3.
M.J. Atallah, M. Blanton and K.B. Frikken, Key management for non-tree access hierarchies, in: SACMAT 2006, 11th ACM Symposium on Access Control Models and Technologies, Proceedings, Lake Tahoe, California, USA, June 7–9, 2006, D.F. Ferraiolo and I. Ray, eds, ACM, 2006, pp. 11–18.

4.
M.J. Atallah, M. Blanton and K.B. Frikken, Incorporating temporal capabilities in existing key management schemes, in: ESORICS, J. Biskup and J. Lopez, eds, Lecture Notes in Computer Science, Vol. 4734, Springer, 2007, pp. 515–530.

5.
G. Ateniese, A.D. Santis, A.L. Ferrara and B. Masucci, Provably-secure time-bound hierarchical key assignment schemes, J. Cryptology 25(2) (2012), 243–270. doi:10.1007/s00145-010-9094-6.

6.
J. Bang-Jensen and G. Gutin, Digraphs: Theory, Algorithms and Applications, 2nd edn, Springer, 2009.

7.
D. Bell and L. LaPadula, Secure computer systems: Unified exposition and Multics interpretation, Technical Report MTR-2997, Mitre Corporation, Bedford, Massachusetts, 1976.

8.
J. Bethencourt, A. Sahai and B. Waters, Ciphertext-policy attribute-based encryption, in: IEEE Symposium on Security and Privacy, IEEE Computer Society, 2007, pp. 321–334.

9.
J. Black and P. Rogaway, CBC MACs for arbitrary-length messages: The three-key constructions, in: Advances in Cryptology – CRYPTO 2000, 20th Annual International Cryptology Conference, Proceedings, Santa Barbara, California, USA, August 20–24, 2000, M. Bellare, ed., Lecture Notes in Computer Science, Vol. 1880, Springer, 2000, pp. 197–215.

10.
J. Black and P. Rogaway, A block-cipher mode of operation for parallelizable message authentication, in: Advances in Cryptology – EUROCRYPT 2002, International Conference on the Theory and Applications of Cryptographic Techniques, Proceedings, Amsterdam, The Netherlands, April 28–May 2, 2002, L.R. Knudsen, ed., Lecture Notes in Computer Science, Vol. 2332, Springer, Amsterdam, The Netherlands, 2002, pp. 384–397.

11.
A. Castiglione, A.D. Santis and B. Masucci, Key indistinguishability vs. strong key indistinguishability for hierarchical key assignment schemes. IACR Cryptology ePrint Archive, 2014:752, 2014.

12.
T.H. Cormen, C.E. Leiserson, R.L. Rivest and C. Stein, Introduction to Algorithms, 3rd edn, MIT Press, 2009.

13.
J. Crampton, Practical and efficient cryptographic enforcement of interval-based access control policies, ACM Trans. Inf. Syst. Secur. 14(1) (2011), 14.

14.
J. Crampton, R. Daud and K.M. Martin, Constructing key assignment schemes from chain partitions, in: Data and Applications Security and Privacy XXIV, 24th Annual IFIP WG 11.3 Working Conference, Proceedings, Rome, Italy, June 21–23, 2010, S. Foresti and S. Jajodia, eds, Lecture Notes in Computer Science, Vol. 6166, Springer, 2010, pp. 130–145. doi:10.1007/978-3-642-13739-6_9.

15.
J. Crampton, N. Farley, G. Gutin and M. Jones, Optimal constructions for chain-based cryptographic enforcement of information flow policies, in: Data and Applications Security and Privacy XXIX – 29th Annual IFIP WG 11.3 Working Conference, DBSec 2015, Proceedings, Fairfax, VA, USA, July 13–15, 2015, P. Samarati, ed., Lecture Notes in Computer Science, Vol. 9149, Springer, 2015, pp. 330–345. doi:10.1007/978-3-319-20810-7_23.

16.
J. Crampton, N. Farley, G. Gutin, M. Jones and B. Poettering, Cryptographic enforcement of information flow policies without public information, in: Applied Cryptography and Network Security – 13th International Conference, ACNS 2015, Revised Selected Papers, New York, NY, USA, June 2–5, 2015, T. Malkin, V. Kolesnikov, A.B. Lewko and M. Polychronakis, eds, Lecture Notes in Computer Science, Vol. 9092, Springer, 2015, pp. 389–408.

17.
J. Crampton, K.M. Martin and P.R. Wild, On key assignment for hierarchical access control, in: CSFW, IEEE Computer Society, 2006, pp. 98–111.

18.
M.J. Dworkin, SP 800-38B: Recommendation for block cipher modes of operation: The CMAC mode for authentication. Technical report, National Institute of Standards & Technology, Gaithersburg, MD, United States, 2005. http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf.

19.
M.J. Dworkin, SP 800-38D: Recommendation for block cipher modes of operation: Galois/Counter Mode (GCM) and GMAC. Technical report, National Institute of Standards & Technology, Gaithersburg, MD, United States, 2007. http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf.

20.
E.S.V. Freire and K.G. Paterson, Provably secure key assignment schemes from factoring, in: Information Security and Privacy – 16th Australasian Conference, ACISP 2011. Proceedings, Melbourne, Australia, July 11–13, 2011, U. Parampalli and P. Hawkes, eds, Lecture Notes in Computer Science, Vol. 6812, Springer, 2011, pp. 292–309.

21.
E.S.V. Freire, K.G. Paterson and B. Poettering, Simple, efficient and strongly KI-secure hierarchical key assignment schemes, in: Topics in Cryptology – CT-RSA 2013 – The Cryptographers’ Track at the RSA Conference 2013. Proceedings, San Francisco, CA, USA, February 25–March 1, 2013, E. Dawson, ed., Lecture Notes in Computer Science, Vol. 7779, Springer, 2013, pp. 101–114.

22.
T. Gallai and A.N. Milgram, Verallgemeinerung eines Graphentheoretischen Satzes von Rédei, Acta Sci. Math. 21 (1960), 181–186.

23.
V.K. Garg, Introduction to Lattice Theory with Computer Science Applications, Wiley, 2015.

24.
V. Goyal, O. Pandey, A. Sahai and B. Waters, Attribute-based encryption for fine-grained access control of encrypted data, in: ACM Conference on Computer and Communications Security, A. Juels, R.N. Wright and S.D.C. di Vimercati, eds, ACM, 2006, pp. 89–98.

25.
G. Gutin, I. Razgon and E.J. Kim, Minimum leaf out-branching and related problems, Theor. Comput. Sci. 410(45) (2009), 4571–4579. doi:10.1016/j.tcs.2009.03.036.

26.
National Institute of Standards and Technology. FIPS 198-1, The Keyed-Hash Message Authentication Code, Federal Information Processing Standard (FIPS), Publication 198-1. Technical report, Department of Commerce, 2008.

27.
R.S. Sandhu, Cryptographic implementation of a tree hierarchy for access control, Inf. Process. Lett. 27(2) (1988), 95–98. doi:10.1016/0020-0190(88)90099-3.

28.
S. Yu, C. Wang, K. Ren and W. Lou, Achieving secure, scalable, and fine-grained data access control in cloud computing, in: INFOCOM 2010. 29th IEEE International Conference on Computer Communications, Joint Conference of the IEEE Computer and Communications Societies, San Diego, CA, USA, 15–19 March 2010, IEEE, 2010, pp. 534–542.

Cryptographic enforcement of information flow policies without public information via tree partitions 1

Abstract

Keywords

1. Introduction

2 We could, of course, simply view a set of secrets as a single secret and consider the amount of storage required by that secret. However, it is more convenient for the analysis later in the paper to consider a set of secrets and the number of elements in that set.

4 The Hasse diagram H ( P ) = ( X , ⋖ ) = ( X , E min ) is a unique representation of the poset P = ( X , ⩽ ) . Conversely, as the Hasse diagram H ( P ) of a poset P uniquely represents P , we may consider H ( P ) as a “shorthand” for P and even loosely say that H ( P ) is a poset.

6 There are some other types of schemes but each of them suffer from a number of disadvantages (see [17], for example) so research has tended to focus on node- and edge-based schemes.

3. Enforcement schemes from tree partitions

4. Selecting a good tree partition

References

²
We could, of course, simply view a set of secrets as a single secret and consider the amount of storage required by that secret. However, it is more convenient for the analysis later in the paper to consider a set of secrets and the number of elements in that set.

⁴
The Hasse diagram $H (P) = (X, ⋖) = (X, E_{min})$ is a unique representation of the poset $P = (X, ⩽)$ . Conversely, as the Hasse diagram $H (P)$ of a poset $P$ uniquely represents $P$ , we may consider $H (P)$ as a “shorthand” for $P$ and even loosely say that $H (P)$ is a poset.

⁶
There are some other types of schemes but each of them suffer from a number of disadvantages (see [17], for example) so research has tended to focus on node- and edge-based schemes.