Key Assignment Scheme with Authenticated Encryption

Abstract. The Key Assignment Scheme (KAS) is a well-studied cryptographic primitive used for hierarchical access control (HAC) in a multilevel organisation where the classes of people with higher privileges can access files of those with lower ones. Our first contribution is the formalization of a new cryptographic primitive, namely, KAS-AE that supports the aforementioned HAC solution with an additional authenticated encryption property. Next, we present three efficient KAS-AE schemes that solve the HAC and the associated authenticated encryption problem more efficiently – both with respect to time and memory – than the existing solutions that achieve it by executing KAS and AE separately. Our first KAS-AE construction is built by using the cryptographic primitive MLE (EUROCRYPT 2013) as a black box; the other two constructions (which are the most efficient ones) have been derived by cleverly tweaking the hash function FP (Indocrypt 2012) and the authenticated encryption scheme APE (FSE 2014). This high efficiency of our constructions is critically achieved by using two techniques: design of a mechanism for reverse decryption used for reduction of time complexity, and a novel key management scheme for optimizing storage requirements when organizational hierarchy forms an arbitrary access graph (instead of a linear graph). We observe that constructing a highly efficient KAS-AE scheme using primitives other than MLE, FP and APE is a non-trivial task. We leave it as an open problem. Finally, we provide a detailed comparison of all the KAS-AE schemes.


Introduction
Hierarchical Access Control (HAC) and the Key Assignment Scheme (KAS). Hierarchical access control is a mechanism that allows the classes of people in an organisation with varying levels of privileges to access data based on their positions. Nowadays, since most of the organisations have hierarchical structures, and since their data is stored in public servers or on the cloud, secure and efficient HAC solutions have gained importance.
From a high level, so far, the HAC problem has been solved using the following two-step methodology: distribute the secret keys to various classes of people in the organization such that the people in the higher class can derive the secret keys owned by the classes below it; after the distribution of keys, all the data are encrypted using symmetric encryption (data authentication may also be incorporated in some way). Loosely speaking, the secure generation of these secret keys, as done in the first step of the above HAC methodology, is known as Key Assignment Scheme. The idea of KAS and its practical construction was introduced by Akl and Taylor in 1983 [AT83]. Since then, for over three decades, a large number of KAS constructions have been proposed in the literature with extensive study of their security properties [ABFF09, AFB05, CC02, CCM15, CDM10, CMW06, CSM16a, CSM+16b, DSFM10, FP11, FPP13, HL90, SC02, SFM07a, WC01, YCN03].
A new cryptographic primitive KAS-AE: A Motivation. In all the above cases, hierarchical access control with authenticated encryption is achieved by following the same design paradigm: execute KAS first, and then execute AE. So far research in solving HAC mainly revolves around designing various types of KAS constructions. To the best of our knowledge, no attempt has been made so far to explore the possibility of building efficient HAC solutions by combining KAS and AE in some non-trivial ways. Our main motivation in this paper is to combine KAS and AE into a single primitive, and solve the HAC problem. It is very important to note at this point that a new cryptographic primitive combining KAS and AE, such as KAS-AE of this paper, makes little sense if it does not permit constructions that are significantly more efficient than the trivial combination of KAS and AE. Therefore, we summarize our main challenge below: Can we construct a secure KAS-AE scheme that solves HAC problem more efficiently than the simple combination of KAS and AE executed in that order?
In the remainder of the paper, we search for answers to the above question, and analyze them.
Our Contribution. Our first contribution is defining and formalizing a new cryptographic notion, namely, key assignment scheme with authenticated encryption (or KAS-AE for short). To develop, motivate, analyze and easily understand this new idea, we propose a total of nine KAS-AE constructions - except one all are proven secure - with varying degrees of efficiencies and construction subtleties: (1) in the first construction, we show that the most natural combination of KAS and AE to generate KAS-AE is prone to attack; (2) in the second construction, we obviate this attack, and show a secure way of combining KAS and AE to build a KAS-AE scheme; (3-6) our next four KAS-AE constructions are based on first building KAS-AE schemes for linear graphs (or totally ordered sets) and then combining them to support arbitrary access graphs (i.e. partially ordered sets); (7-9) these last three constructions are the most efficient KAS-AE constructions, they are based on a novel use of Message-Locked Encryption (MLE) [BKR13], of a hash function mode FP [PHG12] and of an authenticated encryption mode APE [ABB+14], respectively.
Our best three constructions (see Table 3) outperform all other conventional HAC solutions (based on KAS and AE individually, as opposed to on the single primitive KAS-AE) with respect to running time by a factor of at least 2 (or 3) for any reasonable parameter choices; also, the private storage of our best performing constructions is linear, whereas they are quadratic (or cubic) in the simple combination of KAS and AE. A detailed comparison will be given in Table 1, Table 2 and Table 3.
In order to obtain this improvement in performance, our constructions exploit, among others, a very unique feature - what we call reverse decryption - supported by the hash function FP and the authenticated encryption APE. It turns out that the reverse decryption property can also be obtained by a clever use of MLE schemes. Besides this, our constructions also benefit from a novel key management technique to optimize the storage requirements in the very challenging scenarios where organizational access structure is non-linear (i.e., a poset, rather than a totally ordered set).
Note that the very unique reverse decryption property - which, to the best of our knowledge, only exists inherently in the FP hash mode and the APE authenticated encryption scheme - has also been used in [KP18] to construct efficient file-updatable message-locked encryption (FMLE) schemes. However, our focus in this paper is an efficient solution for the very different and fairly old Hierarchical Access Control problem that, unlike the FMLE solution, involves a significant amount of intricate graph theoretic algorithms and tools (e.g. root-finding algorithm, shortest path algorithm, etc.) to overcome crucial

Preliminaries

Notation
M := x denotes that the value of x is assigned to M, and M := D(x) denotes that the value returned by function D() for input x is assigned to M. M = x denotes the equality comparison of the two variables M and x, and M = D(x) denotes the equality comparison of the variable M with the output of D() on input x. The XOR or ⊕ denotes the bit-by-bit exclusive-or operation on two binary strings of same length. The concatenation operation of p ≥ 2 strings $s_1, s_2, \cdots, s_p$ is denoted as $s_1 || s_2 || \cdots || s_p$. The length of string M is denoted by |M|. The set of all binary strings of length is denoted by {0, 1} . The set of all binary strings of any length is denoted by $\{0,1\}^*$. The set of all natural numbers is denoted by N. We denote that M is assigned a string of length k chosen randomly and uniformly by $M \xleftarrow{\$} \{0,1\}^k$. To mark any invalid string (may be input string or output string), the symbol ⊥ is used. In a vector of strings f, the string corresponding to user i is denoted by $f_i$. The number of strings in f is denoted by f . $(f_u)_{u \in V}$ denotes the sequence of strings $f_u$, where u ∈ V. The symbols $f_u$, $S_u$ and $k_u$ denote the file, private information and decryption key held by user u; $c_u$ denotes the ciphertext corresponding to $f_u$. $f = (f_u)_{u \in V}$, $S = (S_u)_{u \in V}$ and $k = (k_u)_{u \in V}$ denote the sequence of files, private information and keys for all the nodes in the graph G = (V, E). The operation for some value of p, denotes the sequence of strings $f_1, f_2, \cdots, f_p$. $(M_0, M_1, Z) \xleftarrow{\$} S(1^\lambda)$ denotes the assignment of outputs given randomly and uniformly by S to $M_0$ and $M_1$ and supplying some auxiliary information Z. Here, $M_0$ and $M_1$ are vectors of strings and the i-th string in M is denoted as $M^{(i)}$. The encryption function E of authenticated encryption, as defined in Subsubsection 2.2.6, that performs encryption as well as authentication, is denoted as aencrypt. In a graph G = (V, E): if there is an edge from u to v, we say v is a child of u, or u is a parent of v; for any node u, we denote the number of children of u by deg(u); the children of u from left to right are denoted $u_1, u_2, \cdots, u_{\deg(u)}$; the level[u] of node u is the length of path from root node to u; and the maximum-depth of the tree is the maximum value of level[ ] among all the nodes of the tree. The node $u^i_j$ means in the chain $C_i$ the j-th node from root. We denote an empty set by ∅ and $[s] = \{1, 2, \cdots, s\}$.

Posets, Chains and Access Graphs
Suppose the users in an organisation are grouped into a set of pairwise disjoint classes $V = \{u_1, u_2, \cdots, u_n\}$; in our case, the $u_i$'s are various security classes. Suppose u, v ∈ V; let v ≤ u imply that u can access all the data which can be accessed by v (this forms the hierarchical access rule for the security classes). Therefore, (V, ≤) is a partially ordered set (poset), since '≤' can be easily shown to be reflexive, anti-symmetric and transitive. We say: (1) v < u, if u and v are two distinct classes and v ≤ u; (2) v u, if v < u and c ∈ V such that v < c < u; (3) (V, ≤) is a totally ordered set or a chain if ∀u, v ∈ V, either v ≤ u or u ≤ v; and (4) A ⊆ V is an anti-chain in V if for all u, v ∈ A such that u = v, we have v u and u v. The cardinality of the largest anti-chain in V is called the width of V, denoted w.
An access graph is a representation of a poset (V, ≤) by a directed acyclic graph G = (V, E), where the vertices represent the security classes, and, if v u, then there is an edge from u to v. So, for all u, v ∈ V, where v < u, there is either a directed edge or a directed path from According to Dilworth's Theorem, every poset (V, ≤) can be partitioned into w chains, where w is the width of V [Dil50]. The partition may not be unique. Let the set of chains We say that v is a successor of u, if v ≤ u, and v is an ancestor of u, if u ≤ v. For all u ∈ V, the set of all ancestors (and successors) of u is denoted ↑u := {v ∈ V : u ≤ v} (and ↓u := {v ∈ V : v ≤ u}). Note that ↓u has a non-empty intersection with one or more

Random Function
Let $rf : \{0,1\}^n \to \{0,1\}^n$. Then rf is called a random function if the following property is satisfied. Suppose $x_k$ is the k-th query (k ≥ 1) submitted to the rf, and $y \in \{0,1\}^n$. Then, for the current query $x_i$:

Source of message S
We are modelling the security based on an unpredictable message source which is a PT algorithm, denoted S(·), that returns (M, Z) or $(M_0, M_1, Z)$ on input $1^\lambda$, where each vector of messages $M \in \{0,1\}^{**}$ (or $M_0, M_1 \in \{0,1\}^{**}$) and auxiliary information $Z \in \{0,1\}^*$. We consider that S(·) is a public source, that is, it is known to all the parties including the adversary. Here, each vector of messages M has $m(1^\lambda)$ number of strings, i.e., M = $m(1^\lambda)$ and the length of each string Here, m and l are two functions. We require that the two strings . Associated with the source S(·) is a real number $GP_S$, namely, the Guessing Probability of source, which is the maximum of all the probabilities of guessing a single string in M, given the auxiliary information. The The source S(·) is said to be unpredictable if the value of $GP_S$ is negligible. We now define the min-entropy $\mu_S(\cdot)$ of the source S(·) as $\mu_S(1^\lambda) = -\log(GP_S(1^\lambda))$. The source S(·) is said to be a valid source for an MLE scheme Π if

Message-locked Encryption (MLE)
The definition of message-locked encryption (MLE) has already been described in [BKR13]. We briefly re-discuss it below, with a few suitable changes in the notation to suit the present context.
Syntax. Suppose λ ∈ N is the security parameter. An MLE scheme Π = (Π.E, Π.D) is a pair of algorithms over a setup algorithm Π.Setup. Π satisfies the following conditions.
4. We restrict |C| to be a linear function of |M|.
For an MLE scheme, here, we define four security games PRV-CDA, STC, TC and KR-CDA. The game PRV-CDA is designed for the privacy security, STC and TC for the tag consistency security, and KR-CDA for the key recovery security in Figure 1. The first three games have already been described in [BKR13]; we define a new security notion of key recovery useful for our purpose. It is easy to show that an MLE scheme secure against PRV-CDA attack is also secure against KR-CDA attack. Below, we discuss the PRV-CDA, STC, TC and KR-CDA security games in detail.
Privacy. Let Π = (Π.E, Π.D) be an MLE scheme. Since no MLE scheme can provide privacy security for predictable messages (even if the scheme is randomized), we use an unpredictable message source S, as defined in Subsubsection 2.2.4, to design our security notion. For an MLE scheme, we design the privacy against chosen distribution attack PRV-CDA security game in Figure 1. Here, the challenger generates two vectors of messages ), and some auxiliary information Z using the source $S(1^\lambda)$, encrypts the string $M^{(i)}_b$, where $i \in [m(1^\lambda)]$ and the value of b depends upon the input, using Π.E to obtain $(K^{(i)}, C^{(i)}, T^{(i)})$, and sends (C, T, Z) to the adversary. The adversary has to return a bit b' indicating whether the ciphertext C and tag T correspond to message $M_0$ or message $M_1$. If the values of b and b' coincide, then the adversary wins the game. Now, we define the advantage of a PRV-CDA adversary A against Π as: An MLE scheme Π is said to be PRV-CDA secure over a set of valid PT sources for MLE scheme Π, $S = \{S_1, S_2, \cdots\}$, for all PT adversaries A and for all $S_i \in S$, if $\mathrm{Adv}^{\text{PRV-CDA}}_{\Pi,S_i,A}(\cdot)$ is negligible. An MLE scheme Π is said to be PRV-CDA secure, for all PT adversaries A, if $\mathrm{Adv}^{\text{PRV-CDA}}_{\Pi,S,A}(\cdot)$ is negligible, for all valid PT sources S for Π.
Tag Consistency. Let Π = (Π.E, Π.D) be an MLE scheme. For an MLE scheme, we design the STC and TC security games in Figure 1, which aim to provide security against duplicate faking attacks. In a duplicate faking attack, two unidentical messages - one fake message produced by an adversary and a legitimate one produced by an honest client - produce the same tag, thereby causing loss of message and hampering the integrity. In an erasure attack, the adversary replaces the ciphertext with a fake message that decrypts successfully.
The adversary returns a message M, a ciphertext C and a tag T. If the message or ciphertext is invalid, the adversary loses the game. Otherwise, the challenger computes encryption key K, ciphertext C and tag T corresponding to message M using Π.E, and computes the message M corresponding to key K, ciphertext C and tag T using Π.D. If the two tags are equal, i.e. T = T, the message M is valid, i.e. M =⊥, and the two messages are unequal, i.e. M = M, then the adversary wins the TC game. Now, we define the advantage of a TC adversary A against Π as: Now, we define the advantage of an STC adversary A against Π as: An MLE scheme Π is said to be TC (or STC) secure, for all PT adversaries A, if
Key Recovery. Let Π = (Π.E, Π.D) be an MLE scheme. Since no MLE scheme can provide key recovery security (even if it is randomized) for predictable messages, we use an unpredictable message source S, as defined in Subsubsection 2.2.4, to design our key recovery against chosen distribution attack KR-CDA security game in Figure 1. Here, the challenger generates a message M and some auxiliary information Z using the source $S(1^\lambda)$, encrypts M using $\Pi.E(params^{(\Pi)}, \cdot)$ and sends (C, T, Z) to the adversary. The adversary has to return a key K' corresponding to ciphertext C and tag T. If the keys K and K' match, then the adversary wins the game. Now, we define the advantage of a KR-CDA adversary A against Π as: An MLE scheme Π is said to be KR-CDA secure, if $\mathrm{Adv}^{\text{KR-CDA}}_{\Pi,S,A}(\cdot)$ is negligible, for all valid PT sources S and all PT adversaries A.
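The tag consistency game described above, run against a constructed toy scheme (an added example, not code from the paper or from [BKR13]). The hash-derived key, the SHA-256 keystream and the `bind` switch are assumptions made here; the game follows the page in decrypting the adversary's ciphertext under the honest key, and contrasts a tag that commits only to the key with one that commits to the ciphertext.

```python
import hashlib
import hmac


def h(label: bytes, data: bytes) -> bytes:
    return hashlib.sha256(label + b"|" + data).digest()


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy SHA-256 counter-mode keystream (constructed stand-in for a real cipher)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = h(b"ks", key + off.to_bytes(8, "big"))
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)


def tag_of(key: bytes, ct: bytes, bind: str) -> bytes:
    # bind == "ciphertext": the tag commits to the stored ciphertext.
    # bind == "key":        the tag commits only to the message-derived key.
    return h(b"tag", ct if bind == "ciphertext" else key)


def encrypt(msg: bytes, bind: str):
    """Message-locked encryption: the key is derived from the message itself."""
    key = h(b"key", msg)
    ct = stream_xor(key, msg)
    return key, ct, tag_of(key, ct, bind)


def decrypt(key: bytes, ct: bytes, tag: bytes, bind: str):
    """Return the plaintext, or None (the page's invalid symbol) on a tag mismatch."""
    if not hmac.compare_digest(tag, tag_of(key, ct, bind)):
        return None
    return stream_xor(key, ct)


def tc_game(msg: bytes, adv_ct: bytes, adv_tag: bytes, bind: str) -> bool:
    """True when the submission (msg, adv_ct, adv_tag) wins the TC game."""
    key, _, tag = encrypt(msg, bind)              # honest encryption of msg
    recovered = decrypt(key, adv_ct, adv_tag, bind)
    return bool(tag == adv_tag and recovered is not None and recovered != msg)


def duplicate_fake(msg: bytes, decoy: bytes, bind: str):
    """Game input: the decoy encrypted under msg's key, paired with msg's honest tag."""
    key, _, tag = encrypt(msg, bind)
    return stream_xor(key, decoy), tag


if __name__ == "__main__":
    m, d = b"quarterly payroll file", b"unrelated decoy bytes"  # constructed inputs
    for bind in ("key", "ciphertext"):
        print(bind, tc_game(m, *duplicate_fake(m, d, bind), bind))
```

With the tag bound to the ciphertext, the fake is rejected at decryption, so a store that deduplicates on the tag cannot be made to return the decoy for the honest file.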

Authenticated Encryption (AE)
Syntax. Suppose λ ∈ N is the security parameter. An authenticated encryption (AE) scheme Π = (Π.KGEN, Π.E, Π.D) is a three-tuple of algorithms over a setup algorithm Π.Setup. Π satisfies the following conditions.
3. The PPT encryption algorithm Π.E : ) takes as inputs the parameter $params^{(\Pi)}$, $K \in \mathcal{K}^{(\Pi)}$ and $M \in \mathcal{M}^{(\Pi)}$, and outputs a pair $(C, T) := \Pi.E(params^{(\Pi)}, K, M)$, where $C \in \mathcal{C}^{(\Pi)}$ and $T \in \mathcal{T}^{(\Pi)}$. It is possible that the tag is incorporated in the ciphertext itself; in this case, T is an empty string.
Here, we make a note that, when the tag is incorporated in the ciphertext itself, we observe an obvious and intuitive expansion of the ciphertext, therefore, we restrict |C| to be a linear function of |M|.
Decryption Correctness. Let $M \in \mathcal{M}^{(\Pi)}$. Suppose: • $K := \Pi.KGEN(params^{(\Pi)})$, and Then decryption correctness of Π requires that $\Pi.D(params^{(\Pi)}, K, C, T) = M$, for all λ ∈ N, all $M \in \mathcal{M}^{(\Pi)}$ and all $K \in \mathcal{K}^{(\Pi)}$.
For an AE scheme, here, we define two security games, namely, IND-PRV and INT for the privacy and tag consistency security in Figure 2. Below, we discuss the IND-PRV and INT security games in detail.
Privacy. Let Π = (Π.KGEN, Π.E, Π.D) be an AE scheme. For an AE scheme, we design the indistinguishability privacy IND-PRV security game in Figure 2. Here, the challenger generates the encryption key using $\Pi.KGEN(params^{(\Pi)})$ and receives two messages $M_0$ and $M_1$ from the adversary, such that $|M_0| = |M_1|$. The challenger encrypts $M_0$ or $M_1$ according to the value of b, the input parameter, to obtain (C, T) and sends (C, T) to the adversary. The adversary has to return a bit b' indicating whether the ciphertext C corresponds to message 0 or message 1. If the values of b and b' coincide, then the adversary wins the game.
An AE scheme Π is said to be IND-PRV secure, for all PT adversaries A, if
Tag Consistency. Let Π = (Π.KGEN, Π.E, Π.D) be an AE scheme. For an AE scheme, we design the integrity INT security game in Figure 2. Here, the challenger generates the encryption key using $\Pi.KGEN(params^{(\Pi)})$ and receives two ciphertexts $C_0$ and $C_1$, and one tag T from the adversary. The challenger declares the defeat of adversary if the two ciphertexts are identical, otherwise, the challenger decrypts $(C_0, T)$ and $(C_1, T)$ using $\Pi.D(params^{(\Pi)}, K, \cdot, \cdot)$. The adversary wins if both the messages are valid, i.e., $M_0 \neq \bot$ and $M_1 \neq \bot$. Now, we define the advantage of an INT adversary A against Π as: An AE scheme Π is said to be INT secure, for all PT adversaries A, if $\mathrm{Adv}^{\text{INT}}_{\Pi,A}(\cdot)$ is negligible.

Key Assignment Scheme (KAS)
The definition of key assignment scheme (KAS) has already been described in [FPP13]. We briefly re-discuss it below, with a few suitable changes in the notation to suit the present context.
Syntax. Suppose λ ∈ N is the security parameter. A KAS scheme Π = (Π.GEN, Π.DER) is a pair of algorithms over a setup algorithm Π.Setup. Π satisfies the following conditions.
2. The PPT key generation algorithm Π.GEN takes as inputs the parameter $params^{(\Pi)}$ and graph G, and returns a three-tuple $(S, k, pub) := \Pi.GEN(params^{(\Pi)}, G)$, where $S = (S_u)_{u \in V}$ and $k = (k_u)_{u \in V}$. The variables S, k and pub are called private information, key and public information vectors, respectively.
3. The key derivation algorithm Π.DER is a deterministic PT algorithm such that $k_v := \Pi.DER(params^{(\Pi)}, G, u, v, S_u, pub)$, where v ≤ u are two nodes of the access graph G, $S_u$ is u's private information, pub is the public information, and $k_v$ is v's decryption key.
Correctness. The correctness of Π requires that for all λ ∈ N, all $G \in \Gamma^{(\Pi)}$, all (S, k, pub) output by $\Pi.GEN(params^{(\Pi)}, G)$, and all nodes v ≤ u, we have:
For a KAS scheme, here, we define three security games KI-ST, S-KI-ST and KR-ST. The games KI-ST and S-KI-ST are designed for the key indistinguishability security, and KR-ST for the key recovery security in Figure 3. These notions have already been described in [ABFF09, ASFM06, SFM07a, FPP13, DSFM10].
Key Indistinguishability. Let $\Gamma^{(\Pi)}$ be a set of access graphs and Π = (Π.GEN, Π.DER) be the KAS for $\Gamma^{(\Pi)}$. For a KAS we have designed a key indistinguishability with respect to static adversary KI-ST (and strong key indistinguishability with respect to static adversary S-KI-ST) security game in Figure 3. The static adversary A, when given access to the graph G = (V, E), returns a security class u ∈ V to the challenger, that A chooses to attack. The challenger then performs the following operations: calculates (S, k, pub) using $\Pi.GEN(params^{(\Pi)}, G)$; computes $P_u$ as the set of private information $S_v$ for the classes v ∈ V such that v < u; (computes $K_u$ as the set of keys $k_v$ for the classes v ∈ V such that u < v;) if the value of b is 1, then the value T is the value of $k_u$, otherwise, the value of T is chosen to be a random string of same length as $k_u$; and sends $(pub, P_u, T)$ (and $K_u$) to the adversary. The adversary has to return a bit b' indicating whether T corresponds to the key or is a random string. If the values of b and b' coincide, then the adversary wins the game. Now, we define the advantage of a KI-ST adversary A against Π on a graph $G \in \Gamma^{(\Pi)}$ as: Now, we define the advantage of an S-KI-ST adversary A against Π on a graph $G \in \Gamma^{(\Pi)}$ as: A KAS scheme Π is said to be KI-ST (or S-KI-ST) secure, for all PT static adversaries
Key Recovery. Let $\Gamma^{(\Pi)}$ be a set of access graphs and Π = (Π.GEN, Π.DER) be the KAS for $\Gamma^{(\Pi)}$. For a KAS scheme we have designed a key recovery with respect to static adversary KR-ST security game in Figure 3. The static adversary A, when given access to the graph G = (V, E), returns a security class u ∈ V to the challenger, that A chooses to attack. The challenger then performs the following operations: calculates (S, k, pub) using $\Pi.GEN(params^{(\Pi)}, G)$; computes $P_u$ as the set of private information $S_v$ for the classes v ∈ V such that v < u; and sends $(pub, P_u)$ to the adversary. The adversary has to return a key $k'_u$. If the values of $k_u$ and $k'_u$ coincide, then the adversary wins the game. Now, we define the advantage of a KR-ST adversary A against Π on a graph $G \in \Gamma^{(\Pi)}$ as: A KAS scheme Π is said to be KR-ST secure, for all PT static adversaries A, if
Remark. Note that a KAS-chain is a special type of KAS where the access graph is a totally ordered set.

Graph Algorithms used in the Paper
In this paper, we frequently use some graph-based algorithms that we describe below. Their algorithmic description is given in

ch_seq(u, G):
Given the node u and graph G as input, this function outputs a sequence of nodes $\tilde{u} = (u_{j_1}, u_{j_2}, \cdots, u_{j_d})$ - that are children of node u in G - in the ascending order of their indices. Therefore, $u_{j_1}$ has the lowest index, $u_{j_2}$ the second lowest, and so on. We say that $\tilde{u}$ is NULL, if u is a leaf node. The algorithm works in the following way: the children of node u are extracted from the set of edges E; a sorting algorithm is run on this set; and, finally, the sorted sequence is returned. The running time of

ext_cipher(pub, u):
Given the public information pub and node u as input, this outputs the extracted ciphertext $c_u$ corresponding to u from pub.

ext_secret($S_u$, v):
Given the private information $S_u$ of node u and a node v ≤ u as input, this function outputs the extracted secret value corresponding to v from $S_u$.

ext_tag($S_u$, v):
Given the private information $S_u$ of node u and a node v ≤ u as input, this function outputs the extracted tag $t_v$ corresponding to v from $S_u$.

height(G):
Given a (directed acyclic) graph G as input, this function first assigns to level[u] the maximum level of node u for all u ∈ V, and then returns level[ ] and $h = \max_{u \in V} level[u]$. We, first, find the root node u of the graph and assign the level[u] = 1. Note that there is exactly one root in a connected DAG. Now, we execute BFS traversal on the graph G with u as the root node, with a slight modification that whenever we encounter a previously discovered node, we update its level[ ] value with the current value. Since the graph is acyclic, the value of level[v], for all v ∈ V, can be at most n. We calculate the height of the graph

max_isect(u, C):
Given a node u and a chain C as input, this function outputs the maximum element of ↓u ∩ C. This can be implemented by first calculating the set ↓u using all_succ(u, G) function (as defined above), and then performing the set intersection between ↓u and C, and finally finding the maximum element in the resulting set. The

max_isect_chs(u, G):
Given a node u and the graph G as input, this outputs a sequence of nodes (û

path(G, u, v):
This function takes as input a graph G, the source and the destination nodes u and v, and outputs a sequence of nodes (u, In order to do this, we invoke Dijkstra's Algorithm on graph G with u as source node, and get the array dist[ ], defining the distance of any node from u, and array parent[ ], defining the parent of any node in the graph [Dij59]. Then, we start to find the parent of v as u i , then the parent of u i as u i −1 , and so on, until we find the parent of u i1 as u. So, the path from

vertex_in_order(G):
This function takes as input the access graph G = (V, E) corresponding to a totally ordered set, and outputs a sequence of nodes (u We, first, find the root node $u_1$ of the graph. Since, in a totally ordered set there is only one child of each node, we find the edges $(u_1, u_2)$, then $(u_2, u_3)$, and so on up to $(u_{n-1}, u_n)$, and compute the sequence of nodes

Existing MLE schemes
We refer the reader to [ABM+13, BKR13, CMYG15, DAB+02] to know about the various existing MLE constructions in detail.

Existing KAS schemes
Since our work mainly focuses on KAS-AE, we briefly revisit various KAS schemes below. KAS is usually built in the following two ways:
1. Constructing KAS from scratch: We refer the reader to [ABFF09, AFB05, AT83, CC02, CH05, CHW92, Gud80, HL90, SC02, SFM07a, TC95, YL04, ZRM01] to know about the various existing KAS constructions in detail. Crampton, Martin and Wild have classified the KAS constructions into five generic schemes [CMW06]. These schemes differ in: (1) the way encryption key $k_u$ (for file $f_u$) corresponding to node u ∈ V is selected; (2) the method for generation and distribution of the secret and public information $S = (S_u)_{u \in V}$ and pub respectively; and (3) the working of key derivation algorithm where the node u recomputes the key corresponding to the node v ≤ u. These schemes are as follows:
Scheme 1: TKAS. A trivial key assignment scheme (TKAS) has the following properties:
Scheme 2: TKEKAS. A trivial key-encrypting-key assignment scheme (TKEKAS) has the following properties:
• For all u ∈ V, $k_u$'s and $K_u$'s are chosen independently, where $K_u$ is a key used to encrypt
Scheme 3: DKEKAS. A direct key-encrypting-key assignment scheme (DKEKAS) has the following properties:
Scheme 4: IKEKAS. An iterative key-encrypting-key assignment scheme (IKEKAS) has the following properties:
Scheme 5: NBKAS. A node-based key assignment scheme (NBKAS) has the following properties:
$e_v$) can be calculated using $e_u$, $e_v$ ∈ pub and $k_u \in S_u$.

2. Constructing KAS from KAS-chain:
This paradigm has two phases: (1) building KAS-chain from scratch, and (2) combining KAS-chains to build KAS using chain partition algorithm. We refer the reader to [CDM10, FP11, FPP13] to know about the various existing KAS constructions built from KAS-chain in detail.
(1) Building KAS-chain from scratch: Crampton et al. described two KAS-chains, one based on iterated hashing and the other based on RSA [CDM10]. Freire and Paterson also gave a KAS-chain based on the Factoring problem in [FP11]. Freire et al. described two KAS-chain schemes, one based on pseudorandom functions and the other based on forward-secure pseudorandom generators [FPP13].
(2) Chain Partition: This paradigm builds a KAS from KAS-chains for an arbitrary access graph. Crampton, Daud and Martin have discussed procedures for designing efficient KAS schemes, from KAS-chains, using an innovative chain partition algorithm in [CDM10]. The main idea behind their chain partition algorithm is the following: partition the access graph into disjoint chains, and design KAS-chains corresponding to these chains; finally, securely join these KAS-chains to form the KAS for the full access graph. The detailed description of chain partition algorithm is given below: Let (V, ≤) be a poset represented by the access graph G = (V, E); suppose the set of chains $\{C_1, C_2, \cdots, C_w\}$ is a partition of G; let λ ∈ N be the security parameter, and π = (π.GEN, π.DER) be the KAS-chain for a totally ordered set of length at most $l_{max}$.
The chain partition algorithm Π = (Π.GEN, Π.DER) is a pair of algorithms over a setup algorithm Π.Setup. Π satisfies the following conditions.
2. The PPT key generation algorithm Π.GEN takes as inputs the parameter $params^{(\Pi)}$, the access graph $G = (V, E) \in \Gamma^{(\Pi)}$, and the KAS-chain π, and returns a three-tuple (S, k, pub), where $S = (S_u)_{u \in V}$, $k = (k_u)_{u \in V}$ and pub are the sequence of private information, keys and public values respectively.
3. The key derivation algorithm Π.DER is a deterministic PT algorithm such that $k_{u^g_h} := \Pi.DER(params^{(\Pi)}, G, u^i_j, u^g_h, S_{u^i_j}, pub_g, \pi)$. Here: $u^g_h \le u^i_j$ are two nodes of the access graph G; $S_{u^i_j}$ is $u^i_j$'s private information; $pub_g$ is the public information; π is the KAS-chain; and $k_{u^g_h}$ is $u^g_h$'s decryption key. Note that $S_{u^i_j} \in \{0,1\}^*$, $pub_g \in \{0,1\}^*$ and $k_{u^g_h} \in \mathcal{K}^{(\Pi)} \cup \bot$. The pseudo-code for the chain partition algorithm Π is described in Figure 5. The subroutines used by the algorithm are described in Subsubsection 2.2.8. These subroutines are identical to the subroutines used in [FPP13], but we reproduce them for the sake of completeness.
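A sketch of the chain partition idea together with the ch_seq, height and max_isect subroutines described above, as an added example (it is not the paper's Figure 5, nor the [CDM10] construction itself). The KAS-chain here is an assumed stand-in that iterates SHA-256 down each chain, and the graph, chain partition and seeds are constructed.

```python
import hashlib
import os
from collections import deque

# Constructed access graph: an edge (u, v) means v is a child of u (v <= u).
EDGES = [("a", "b"), ("a", "c"), ("b", "d"), ("d", "e"), ("c", "e")]
# Constructed chain partition (width w = 2); each chain is listed top-down.
CHAINS = [["a", "b", "d", "e"], ["c"]]


def h(label, data):
    return hashlib.sha256(label + b"|" + data).digest()


def ch_seq(u, edges):
    """Children of u in ascending order."""
    return sorted(v for (p, v) in edges if p == u)


def all_succ(u, edges):
    """Down-set of u: every v with v <= u, u included."""
    seen, stack = {u}, [u]
    while stack:
        for v in ch_seq(stack.pop(), edges):
            if v not in seen:
                seen.add(v)
                stack.append(v)
    return seen


def height(edges):
    """BFS from the root that raises level[v] whenever a longer path reaches v."""
    nodes = {n for edge in edges for n in edge}
    roots = sorted(nodes - {v for (_, v) in edges})
    if len(roots) != 1:
        raise ValueError("expected exactly one root")
    level = {roots[0]: 1}
    queue = deque(roots)
    while queue:
        u = queue.popleft()
        for v in ch_seq(u, edges):
            if level.get(v, 0) < level[u] + 1:
                level[v] = level[u] + 1
                queue.append(v)  # revisit so the new level reaches v's descendants
    return level, max(level.values())


def max_isect(u, chain, edges):
    """Maximum element of (down-set of u) intersected with chain, or None if empty."""
    down = all_succ(u, edges)
    return next((node for node in chain if node in down), None)


def gen(edges, chains, seeds):
    """Return (private, keys); private[u][i] = (top node, chain secret) for chain i."""
    secret = {}
    for chain, seed in zip(chains, seeds):
        s = seed
        for node in chain:  # the secret of the next node down is a hash of this one
            secret[node] = s
            s = h(b"next", s)
    keys = {u: h(b"key", s) for u, s in secret.items()}
    private = {}
    for u in secret:
        private[u] = {}
        for i, chain in enumerate(chains):
            top = max_isect(u, chain, edges)
            if top is not None:
                private[u][i] = (top, secret[top])
    return private, keys


def derive(u_private, chains, v):
    """Key of v from u's private information; None when u holds nothing at or above v."""
    for i, chain in enumerate(chains):
        if v in chain and i in u_private:
            top, s = u_private[i]
            steps = chain.index(v) - chain.index(top)
            if steps < 0:
                return None
            for _ in range(steps):
                s = h(b"next", s)
            return h(b"key", s)
    return None


if __name__ == "__main__":
    private, keys = gen(EDGES, CHAINS, [os.urandom(32) for _ in CHAINS])
    print(height(EDGES))
    print({u: sorted(top for top, _ in held.values()) for u, held in private.items()})
    print(derive(private["c"], CHAINS, "e") == keys["e"], derive(private["c"], CHAINS, "d"))
```

In this sketch each class stores at most w secrets, one per chain that its down-set meets, and derivation only ever hashes downward along a single chain.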

A New Cryptographic Primitive: KAS-AE
We have already discussed the key assignment scheme (KAS) in Subsubsection 2.2.7. This new primitive KAS-AE can, loosely, be viewed as a KAS plugged with an additional functionality, namely, authenticated encryption. We observe that KAS consists of two algorithms, namely, key generation and key derivation. The keys generated by KAS are later used to encrypt messages in various use-cases. The motivation for KAS-AE is to combine the KAS and (authenticated) encryption together, and view them as a single cryptographic primitive. Therefore, in KAS-AE, we target three goals: a combined key generation and authenticated encryption algorithm; a key derivation algorithm, which is identical to the one in KAS; and a decryption algorithm, which is necessitated by the authenticated encryption already included in the scheme. This new cryptographic primitive allows us to construct schemes that are more efficient than trivial execution of KAS followed by AE. In Section 1, we have discussed it in great detail. The full technical description of KAS-AE is as follows.
Syntax. Suppose λ ∈ N is the security parameter. A KAS-AE scheme Π = (Π.E, Π.DER, Π.D) is a three-tuple of algorithms over a setup algorithm Π.Setup. Π satisfies the following conditions.
2. The PPT encryption algorithm Π.E takes as inputs the parameter $params^{(\Pi)}$, a graph $G \in \Gamma^{(\Pi)}$ and a vector of files $f = (f_u)_{u \in V}$, and returns a three-tuple $(S, k, pub) := \Pi.E(params^{(\Pi)}, G, f)$, where $S = (S_u)_{u \in V}$ and $k = (k_u)_{u \in V}$. The variables S, k and pub are called private information, key and public information vectors respectively.
Note that is, ciphertext is not generated by encrypting a valid message.
Remark. In principle, KAS-AE should also have an update function, allowing the users to encrypt modified plaintext efficiently. Note that such a function is absent in the definition. In fact, an update function, rather a trivial one, is implicitly present, and works in the following way: any update to the original file is considered a new file requiring a fresh encryption.
Design and analysis of non-trivial update functions is a deeper issue in its own right, and would shift the focus of the work of this paper. Therefore, this requires a separate discussion.
Correctness. The correctness of Π requires that for all $\lambda \in \mathbb{N}$, all $G = (V, E) \in \Gamma^{(\Pi)}$, all $f \in (M^{(\Pi)})^{|V|}$, all $(S, k, \mathrm{pub})$ output by $\Pi.E(\mathrm{params}^{(\Pi)}, G, f)$, and all nodes $v \le u$, we have:
• $\Pi.\mathrm{DER}(\mathrm{params}^{(\Pi)}, G, u, v, S_u, \mathrm{pub}) = k_v$, and

Security. The security notions of KAS-AE are influenced by those of KAS [FPP13] and AE [Rog02, BRW03, BN08]. So, we should have four security notions, namely, key indistinguishability, key recovery, privacy and tag consistency using the KI-ST & S-KI-ST, KR-ST, IND-PRV and INT games. However, the notion of key indistinguishability, as described in [FPP13], is not relevant for KAS-AE since the key used for decryption is the private information itself, and the pub value contains the ciphertext. Taking into consideration the scenarios, we target the three security goals: key recovery, privacy and integrity. All the games are written in a challenger-adversary framework.

Key Recovery. Let $\Gamma^{(\Pi)}$ be a set of access graphs and $\Pi = (\Pi.E, \Pi.\mathrm{DER}, \Pi.D)$ be the KAS-AE for $\Gamma^{(\Pi)}$. For a KAS-AE scheme we have designed a key recovery security game with respect to a static adversary, KR-ST, in Figure 6. The static adversary A, when given access to the graph $G = (V, E)$, returns a security class $u \in V$, that A chooses to attack, and a sequence of files $f$ to the challenger. The challenger then performs the following operations: computes $(S, k, \mathrm{pub})$ using $\Pi.E(\mathrm{params}^{(\Pi)}, G, f)$; computes $P_u$ as the set of private information $S_v$ for the classes $v \in V$ such that $v < u$; and sends $(\mathrm{pub}, P_u)$ to the adversary. The adversary has to return a key $k'_u$ corresponding to the ciphertext for node $u$. If the keys $k_u$ and $k'_u$ match, then the adversary wins the game. Now, we define the advantage of a KR-ST adversary A against Π on a graph $G \in \Gamma^{(\Pi)}$ as:

Privacy. Let $\Gamma^{(\Pi)}$ be a set of access graphs and $\Pi = (\Pi.E, \Pi.\mathrm{DER}, \Pi.D)$ be the KAS-AE for $\Gamma^{(\Pi)}$. For a KAS-AE scheme we have designed an indistinguishability privacy IND-PRV security game in Figure 6. The adversary A, when given access to the graph $G = (V, E)$, returns two sequences of files $f^0$ and $f^1$, such that $\forall u \in V$, $|f^0_u| = |f^1_u|$. The challenger encrypts $f^0$ or $f^1$ according to the value of the input parameter $b$ to obtain $(S, k, \mathrm{pub})$ and sends $(\mathrm{pub})$ to the adversary. The adversary has to return a bit $b'$ indicating whether the ciphertext corresponds to file sequence $f^0$ or $f^1$. If the values of $b$ and $b'$ match, then the adversary wins the game. Now, we define the advantage of an IND-PRV adversary A against Π on a graph $G \in \Gamma^{(\Pi)}$ as:

Tag Consistency. Let $\Gamma^{(\Pi)}$ be a set of access graphs and $\Pi = (\Pi.E, \Pi.\mathrm{DER}, \Pi.D)$ be the KAS-AE for $\Gamma^{(\Pi)}$. For a KAS-AE scheme we have designed the tag consistency INT security game in Figure 6. Here, the challenger receives the target security class $u$, two public information vectors $\mathrm{pub}^0$ and $\mathrm{pub}^1$, secret information vector $S$ and key vector $k$ from the adversary. The challenger computes files $f^0_u := \Pi.D(\mathrm{params}^{(\Pi)}, G, u, u, S_u, \mathrm{pub}^0)$ and $f^1_u := \Pi.D(\mathrm{params}^{(\Pi)}, G, u, u, S_u, \mathrm{pub}^1)$. The adversary wins if both the files are valid, i.e., $f^0_u \ne \bot$ and $f^1_u \ne \bot$, and the two files are not identical, i.e., $f^0_u \ne f^1_u$. Now, we define the advantage of an INT adversary A against Π on a graph $G \in \Gamma^{(\Pi)}$ as:

Remark. Note that a KAS-AE-chain is a special type of KAS-AE where the access graph is a totally ordered set.

KAS-AE from KAS and AE
In this section, we design KAS-AE schemes from KAS and AE schemes.

A natural construction, and an attack
We now attempt to build a KAS-AE construction from KAS in the most intuitive way. Later we show how this natural KAS-AE construction is vulnerable to an attack.
A KAS-AE scheme guarantees authentication of encrypted messages, in addition to the security properties of a KAS (note that KAS security properties alone do not guarantee authenticated encryption). A natural way to include this property in KAS could have been to use an authenticated encryption (AE) scheme to encrypt the messages of the nodes using the keys distributed to them by the KAS. Such a natural KAS-AE scheme Π = (Π.E, Π.DER, Π.D) is constructed below using the KAS Ψ = (Ψ.GEN, Ψ.DER) and the AE scheme Ω = (Ω.KGEN, Ω.E, Ω.D).

A secure (yet inefficient) scheme
We have shown an attack on the most intuitive construction of KAS-AE built from KAS and AE. In this section, we design a generic KAS-AE scheme by combining a generic KAS scheme and an AE scheme in a different way than done in Subsection 4.1, so that the attack of Subsection 4.1 is avoided. Although it generates a secure KAS-AE scheme, the high memory requirements make it unsuitable for any practical applications. Let Π = (Π.E, Π.DER, Π.D) be the KAS-AE scheme, Ψ = (Ψ.GEN, Ψ.DER) be the KAS and Ω = (Ω.KGEN, Ω.E, Ω.D) denote the AE scheme. As opposed to considering the authentication tag being a part of the ciphertext, here, we assume that tag and ciphertext are distinct. The core idea behind this construction is that the tag is a secret value, and that every node stores the tags of itself and its successors. The full construction of Π is shown in Figure 8. Here, it is important to note that $\Gamma^{(\Pi)} = \Gamma^{(\Psi)}$ and $\mathrm{params}^{(\Pi)} = (\mathrm{params}^{(\Psi)}, \mathrm{params}^{(\Omega)})$.
A framework for building a KAS-AE scheme from KAS and AE schemes, used separately.
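The substitution attack on the natural composition (Figure 7) and the secret-tag repair described in this subsection, side by side, as an added Python sketch that is not code from the paper. The hash-chain KAS for a three-node chain and the SHAKE/HMAC encrypt-then-MAC AE are stand-ins assumed here, not the schemes the paper analyses, and the file contents are constructed.

```python
import hashlib
import hmac
import os

LAM = 32  # key and tag length in bytes (stands in for the security parameter)


def ae_encrypt(key, msg):
    """Toy AE (assumption): SHAKE-256 keystream, then HMAC-SHA256 over the ciphertext."""
    nonce = os.urandom(16)
    stream = hashlib.shake_256(b"enc" + key + nonce).digest(len(msg))
    ct = nonce + bytes(a ^ b for a, b in zip(msg, stream))
    tag = hmac.new(key, b"mac" + ct, hashlib.sha256).digest()
    return ct, tag


def ae_decrypt(key, ct, tag):
    """Return the plaintext, or None (the paper's ⊥) if the tag does not verify."""
    expected = hmac.new(key, b"mac" + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    nonce, body = ct[:16], ct[16:]
    stream = hashlib.shake_256(b"enc" + key + nonce).digest(len(body))
    return bytes(a ^ b for a, b in zip(body, stream))


def kas_gen(n):
    """Stand-in chain KAS: node 0 is the most senior, k_{i+1} = H(k_i)."""
    keys = [os.urandom(LAM)]
    for _ in range(n - 1):
        keys.append(hashlib.sha256(b"kas" + keys[-1]).digest())
    return keys


def kas_derive(k_u, u, v):
    """Derive k_v from k_u when v <= u in the hierarchy (index v >= index u)."""
    if v < u:
        return None
    for _ in range(v - u):
        k_u = hashlib.sha256(b"kas" + k_u).digest()
    return k_u


def natural_encrypt(files):
    """Natural scheme: pub holds c_v || t_v, private information is just k_v."""
    keys = kas_gen(len(files))
    return keys, [ae_encrypt(k, f) for k, f in zip(keys, files)]


def natural_decrypt(k_u, u, v, pub):
    k_v = kas_derive(k_u, u, v)
    return None if k_v is None else ae_decrypt(k_v, *pub[v])


def secret_tag_encrypt(files):
    """Secret-tag scheme: pub holds only c_v; S_u = (k_u, tags of u and its successors)."""
    keys = kas_gen(len(files))
    sealed = [ae_encrypt(k, f) for k, f in zip(keys, files)]
    pub = [ct for ct, _ in sealed]
    priv = [(keys[u], {v: sealed[v][1] for v in range(u, len(files))})
            for u in range(len(files))]
    return priv, pub


def secret_tag_decrypt(s_u, u, v, pub):
    k_u, tags = s_u
    k_v = kas_derive(k_u, u, v)
    if k_v is None or v not in tags:
        return None
    return ae_decrypt(k_v, pub[v], tags[v])  # tag comes from u's own storage


def substitution_demo():
    files = [b"board minutes", b"team budget", b"intern notes"]  # constructed
    forged = b"altered notes"

    # Natural scheme: node 2 re-encrypts a different file under its own key k_2.
    keys, pub = natural_encrypt(files)
    pub[2] = ae_encrypt(keys[2], forged)
    natural = natural_decrypt(keys[0], 0, 2, pub)

    # Secret-tag scheme: the same substitution, but node 0 checks its stored tag.
    priv, pub2 = secret_tag_encrypt(files)
    honest = secret_tag_decrypt(priv[0], 0, 2, pub2)
    pub2[2] = ae_encrypt(priv[2][0], forged)[0]
    hardened = secret_tag_decrypt(priv[0], 0, 2, pub2)

    return {"natural": natural, "honest": honest, "hardened": hardened,
            "tags_stored": sum(len(tags) for _, tags in priv)}


if __name__ == "__main__":
    print(substitution_demo())
```

The `tags_stored` count grows with the number of successors each node has, which is the memory cost the text attributes to this construction.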

Theorem 1. If the underlying KAS (or AE) is KR-ST (or IND-PRV or INT) secure, then the KAS-AE construction is also KR-ST (or IND-PRV or INT) secure.
Proof sketch. We can prove the KR-ST (or IND-PRV or INT) security of this construction by using reduction. So, we can show that if the adversary A can break the KR-ST (or IND-PRV or INT) security of KAS-AE, then an adversary B, using A, can break the KR-ST (or IND-PRV or INT) security of KAS (or AE) scheme. By using the contrapositive argument, this would show that if the underlying KAS (or AE) scheme is secure, so is the KAS-AE scheme.

Building KAS-AE using Modified Chain Partition
In this section, we design KAS-AE schemes by using KAS-AE-chain schemes in the modified chain partition algorithm. KAS-AE-chain has already been described in Section 3. The modified chain partition algorithm will be described in detail shortly.

Security of A Chain
Theorem 2. If the underlying KAS-chain scheme is KR-ST secure, then the Construction A Chain is also KR-ST secure.
Proof. The proof is by using reduction. So, we can show that if an adversary A can break the KR-ST security of Construction A Chain, then an adversary B, using A, can break the KR-ST security of the underlying KAS-chain Ψ. By using the contrapositive argument, this would show that if the underlying KAS is secure, so is the Construction A Chain.

Theorem 3. If the underlying AE scheme is IND-PRV secure, then the Construction
Proof. The proof is by using reduction. So, we can show that if an adversary A can break the IND-PRV security of Construction A Chain, then an adversary B, using A, can break the IND-PRV security of the underlying AE Ω. By using the contrapositive argument, this would show that if the underlying AE is secure, so is the Construction A Chain.

Theorem 4. If the underlying AE scheme is INT secure, then the Construction A
Proof. The proof is by using reduction. So, we can show that if an adversary A can break the INT security of Construction A Chain, then an adversary B, using A, can break the INT security of the underlying AE Ω. By using the contrapositive argument, this would show that if the underlying AE is secure, so is the Construction A Chain.
(a) Algorithmic description of building B Chain Π using the MLE scheme Ψ. For the pictorial description with an example, see 10(b)-10(e).
(b) The access graph $G$ with 3 nodes $u_1, u_2, u_3$ and their corresponding files $f_1, f_2, f_3$.

Proof. The proof is by using reduction as shown in Figure 11. So, we show that if an adversary A can break the KR-ST security of Construction B Chain, then an adversary B, using A, can break the KR-CDA security of the underlying MLE scheme Ψ. By using the contrapositive argument, this would show that if the underlying MLE scheme is secure, so is the Construction B Chain.
Our message source $S_{u,m}$ works in the following way: for $i = m, m-1, \ldots, 1$, generate a message $f_i$ and a λ-bit random number $R_i$, and computes and returns $(M, Z)$. Here, $u$ is the security class that A chooses to attack and $m$ is the number of nodes (or security classes) in the graph $G$.

Proof. The proof is by using reduction as shown in Figure 12. So, we show that if an adversary A can break the IND-PRV security of Construction B Chain, then an adversary B, using A, can break the PRV-CDA security of the underlying MLE scheme Ψ. By using the contrapositive argument, this would show that if the underlying MLE scheme is secure, so is the Construction B Chain.
Our message source $S_{f^0,f^1}$ mimics the functioning of the KAS-AE-chain scheme but instead of giving $(S, k, \mathrm{pub})$ as output, it performs the following operations: for

and computes
) along with auxiliary information $Z$. Here, $m$ is the number of nodes (or security classes) in the graph $G$ and the adversary A generates two sequences of files $f^0$ and $f^1$ such that

Proof. The proof is by using reduction as shown in Figure 13. So, we show that if an adversary A can break the INT security of Construction B Chain, then an adversary B, using A, can break the TC security of the underlying MLE scheme Ψ. By using the contrapositive argument, this would show that if the underlying MLE scheme is secure, so is the Construction B Chain.

Functionalities based on APE
In this section, we design two functionalities, $F^{\pi}_1$ and $F^{\pi}_2$, that are motivated by the encryption and decryption of the authenticated encryption algorithm APE [ABB+14]. Let us first be very clear that the APE variant used by us is marginally different from the original APE construction by Andreeva et al. The main difference is: in the original APE, the encryption and decryption keys are identical, because of the XOR operation on the lower-half bits with the encryption key $K$, in the last round; whereas, in our variant, we remove this XOR. In the entire paper, by APE we refer to the variant used by us. The algorithmic and diagrammatic descriptions of $F^{\pi}_1$ and $F^{\pi}_2$ are shown in Figure 14. $F^{\pi}_2$ takes as inputs parameter $1^{\lambda}$, the decryption key $K$ and the ciphertext $C$, and outputs the message $M$ and value $IV_2$. For the sake of simplicity, we assume that $|M|$ is a multiple of security parameter λ.

KAS-AE-chain scheme based on functionalities
1 and F π 2 following the framework described in Figure 15.

Security of Construction C Chain
Theorem 8. If π is the ideal permutation in Construction C Chain, then
Proof. We prove security by constructing successive games (or hybrids) and finding adversarial advantages between them.
Game 0: This game is identical to the KR-ST game where Construction C Chain is used (see Figure 15).
Game 1: This game is identical to Game 0 except that we replace the 2λ-bit permutation π with a 2λ-bit random function rf.
Using the PRP/PRF Switching Lemma [BR06], for an adversary limited by σ queries to the permutation (or random function), the following equation can be obtained.
(a) Algorithmic description of building C Chain Π using the functionalities $F^{\pi}_1$ and $F^{\pi}_2$. For the pictorial description with an example, see 15(b)-15(e).
The access graph $G$ with 3 nodes $u_1, u_2, u_3$ and their corresponding files
Game 2: This game is identical to Game 1 except that here we replace the 2λ-bit permutation $\pi^{-1}$ by a 2λ-bit random function rf′. Using the PRP/PRF Switching Lemma [BR06], for an adversary limited by σ queries to the permutation (or random function), the following equation can be obtained.
(2)
Game 3: This game is identical to Game 2 except that the game aborts whenever there is a collision in the lower λ bits of rf or of rf′. The event of collision in the lower λ bits of rf or rf′ is called a bad event.
Using the Code-Based Game Playing Technique [BR06], for an adversary limited by σ queries to the random functions, the following equation can be obtained.
(3)
Using the Triangle Inequality [BR06] and Equation 1, Equation 2 and Equation 3, the following equation can be obtained.
Because the output of Game 3 is releasing no non-trivial information to the adversary.
Proof.We prove security by constructing successive games (or hybrids) and finding adversarial advantages between them.
Game 0: This game is identical to the IND-PRV game where Construction C Chain is used (see Figure 15).
Game 1: This game is identical to Game 0 except that we replace the 2λ-bit permutation π with a 2λ-bit random function rf.
Using the PRP/PRF Switching Lemma [BR06], for an adversary limited by σ queries to the permutation (or random function), the following equation can be obtained.
Game 2: This game is identical to Game 1 except that here we replace the 2λ-bit permutation $\pi^{-1}$ by a 2λ-bit random function rf′.
Using the PRP/PRF Switching Lemma [BR06], for an adversary limited by σ queries to the permutation (or random function), the following equation can be obtained.
Game 3: This game is identical to Game 2 except that the game aborts whenever there is a collision in the lower λ bits of rf or of rf′. The event of collision in the lower λ bits of rf or rf′ is called a bad event.
Using Code-Based Game Playing Technique [BR06], for an adversary limited by σ queries to the random functions, the following equation can be obtained.
Using Triangle Inequality [BR06] and the Equation 4, Equation 5 and Equation 6, the following equation can be obtained.
Because the output of Game 3 is releasing no non-trivial information to the adversary.
Theorem 10. If π is the ideal permutation in Construction C Chain, then
Proof. We replace the random permutation π used in the Construction C Chain by the random function rf, to obtain the Construction C Chain shown in Figure 16.
The variables $L_0, L_1, \ldots, L_\sigma$ represent the lower λ-bit input in the permutation π or random function rf and are generated during the generation of C (see Figure 16). Here, σ is the maximum block-length of the ciphertext C.
The variables $L_0, L_1, \ldots, L_\sigma$ represent the lower λ-bit input in the permutation π or random function rf and are generated during the generation of C (see Figure 16). Here, σ is the maximum block-length of the ciphertext C.
Suppose that we are using the construction C Chain, we define the following events: A is the event that at least one collision occurs in the values of
So, we calculate the probability of event A as follows:
Suppose that we are using the construction C Chain, we define the following events:

Functionalities based on FP
In this section, we design two functionalities, namely $G^{\pi}_1$ and $G^{\pi}_2$, that are motivated by the mode of operation of the hash function FP [PHG12] (note that they are not identical). The algorithmic and diagrammatic descriptions of $G^{\pi}_1$ and $G^{\pi}_2$ are shown in Figure 17.

KAS-AE-chain scheme based on functionalities
1 and G π 2 following the framework described in Figure 18.

Security of Construction D Chain
Theorem 11. If π is the ideal permutation in Construction D Chain, then
Proof. This proof is similar to the proof of Construction C Chain (see Theorem 8).
Theorem 12. If π is the ideal permutation in Construction D Chain, then
r j := m j , (r j , s j ) := π(r j , s j ); t j+1 := r j , s j+1 := s j ⊕ t j ; r j := t j+1 , s j := s j+1 ⊕ t j ; (r j , s j ) := π −1 (r j , s j );
$G^{\pi}_2$ takes as inputs parameter $1^{\lambda}$, decryption key $K$, the ciphertext $C$ and value $IV_1$, and outputs the message $M$ and value $IV_2$. For the sake of simplicity, we assume that $|M|$ is a multiple of security parameter λ.
(c) Pictorial description of $\Pi.E(\mathrm{params}^{(\Pi)}, G, f)$, where $f = (f_1, f_2, f_3)$ and $G$ is shown in 18(b).
Proof. This proof is similar to the proof of Construction C Chain (see Theorem 9).
Theorem 13. If π is the ideal permutation in Construction D Chain, then
Proof. This proof is similar to the proof of Construction C Chain (see Theorem 10).

Modified Chain Partition using KAS-AE-chains
The modified chain partition algorithm can be viewed as an adaptation of the chain partition algorithm which is used for constructing KAS schemes as described in Subsubsection 2.3.3.
Let $(V, \le)$ and $G = (V, E)$ be, respectively, a poset and the access graph corresponding to it. Let λ be the security A chain partition of We set $l_{\max} = \max_{i \in [w]} l_i$. Let $\pi = (\pi.E, \pi.\mathrm{DER}, \pi.D)$ be a KAS-AE-chain scheme of length at most $l_{\max}$.
Suppose $\lambda \in \mathbb{N}$ is the security parameter. A modified chain partition algorithm $\Pi = (\Pi.E, \Pi.\mathrm{DER}, \Pi.D)$ is a three-tuple of algorithms over a setup algorithm $\Pi.\mathrm{Setup}$. Π satisfies the following conditions.
2. The PPT encryption algorithm $\Pi.E$ takes as inputs the parameter $\mathrm{params}^{(\Pi)}$, the access graph $G = (V, E) \in \Gamma^{(\Pi)}$, the sequence of files $f = (f_u)_{u \in V}$ and the KAS-AE-chain scheme π, and returns a three-tuple $(S, k, \mathrm{pub}) := \Pi.E(\mathrm{params}^{(\Pi)}, G, f, \pi)$, where $S = (S_u)_{u \in V}$, $k = (k_u)_{u \in V}$ and $\mathrm{pub}$ are the sequence of private information, keys and public values respectively.
3. The key-derive algorithm $\Pi.\mathrm{DER}$ is a deterministic PT algorithm such that $k_{u^g_h} := \Pi.\mathrm{DER}(\mathrm{params}^{(\Pi)}, G, u^i_j, u^g_h, S_{u^i_j}, \mathrm{pub}_g, \pi)$. Here: $u^g_h \le u^i_j$ are two nodes of the access graph $G$; $S_{u^i_j}$ is $u^i_j$'s private information; $\mathrm{pub}_g$ is the public information; π is the KAS-AE-chain scheme; and $k_{u^g_h}$ is $u^g_h$'s decryption key. Note that $S_{u^i_j} \in \{0,1\}^*$, $\mathrm{pub}_g \in \{0,1\}^*$ and $k_{u^g_h} \in K^{(\Pi)} \cup \bot$.
4. The decryption algorithm $\Pi.D$ is a deterministic PT algorithm such that $f_{u^g_h} := \Pi.D(\mathrm{params}^{(\Pi)}, G, u^i_j, u^g_h, S_{u^i_j}, \mathrm{pub}_g, \pi)$. Here: $u^g_h \le u^i_j$ are two nodes of the access graph $G$; $S_{u^i_j}$ is $u^i_j$'s private information; $\mathrm{pub}_g$ is the public information; π is the KAS-AE-chain scheme; and $f_{u^g_h}$ is $u^g_h$'s decrypted file. Note that $S_{u^i_j} \in \{0,1\}^*$, $\mathrm{pub}_g \in \{0,1\}^*$ and $f_{u^g_h} \in M^{(\Pi)} \cup \bot$.
Detailed internal workings of the modified chain partition algorithm are given in Figure 19. The subroutines used by the algorithm are described in Subsubsection 2.2.8. These subroutines are identical to the subroutines used in [FPP13], but we reproduce them for the sake of completeness.
By instantiating π with the KAS-AE-chain schemes A Chain, B Chain, C Chain and D Chain in the modified chain partition algorithm, we construct the KAS-AE schemes Construction A, B, C and D respectively (see Figure 19).

Security of KAS-AE built using KAS-AE-chain and modified chain partition algorithm
Proof sketch. We can prove the KR-ST, IND-PRV and INT security of this construction by using reduction as used by Freire et al. [FPP13]. So, we can show that if the adversary A can break the KR-ST (or IND-PRV or INT) security of the KAS-AE scheme built using KAS-AE-chain and modified chain partition, then an adversary B, using A, can break the KR-ST (or IND-PRV or INT) security of the KAS-AE-chain scheme. By using the contrapositive argument, this would show that if the underlying KAS-AE-chain scheme is secure, so is the KAS-AE scheme.

Building KAS-AE from MLE
In this section, we describe a KAS-AE scheme built using an MLE scheme, referred to as Construction 1. This scheme is more efficient than the KAS-AE constructions described in Section 4 and Section 5. This scheme exploits the self-sufficiency of MLE schemes to provide integrity along with confidentiality. This results in a huge reduction in memory for the private information that has to be stored securely by the members of each security class, especially in the cases when the width of the access graph (as described in Subsubsection 2.2.1) is huge.

Construction 1: A KAS-AE scheme based on MLE
The pseudo-code for building a KAS-AE scheme Π = (Π.E, Π.DER, Π.D) from the functionalities Ψ.E and Ψ.D of an MLE scheme Ψ = (Ψ.E, Ψ.D) (described in Subsubsection 2.2.5) is given in Figure 20, which also contains the diagrammatic representation of the pseudo-code. Below we give the full description of the KAS-AE scheme Π.
• $\Pi.E(\mathrm{params}^{(\Pi)}, G, f)$ is a randomised algorithm. This encryption function is designed in such a way that any node $u$ is able to decrypt the files of its successors. In order to do that, for each node $u$, we encrypt the file $f_u$ as well as the decryption keys of the children of $u$. Therefore, the algorithm: assigns a level to each node as level[ ] and calculates the maximum depth of the tree $h$, which are returned by the function height(G); and starts by encrypting the files at level $h$, followed by the encryption of the files at level $h-1$, and so on, until the root node is reached.
For each node $u$, the following operations are executed: the function ch_seq(u, G)
• $\Pi.D(\mathrm{params}^{(\Pi)}, G, u, v, S_u, \mathrm{pub})$ is a deterministic algorithm that allows $u$ to decrypt the file stored by its successor $v$. Like before, $u$ uses the private information $S_u$ and the public information of the system $\mathrm{pub}$. In the first step, the decryption key $k_v := \Pi.\mathrm{DER}(\mathrm{params}^{(\Pi)}, G, u, v, S_u, \mathrm{pub})$ is computed. Then, the ciphertext $c_v$ and tag $t_v$ are extracted from $\mathrm{pub}$ using the function ext_cipher. After that, the file $f'_v := \Psi.D(\mathrm{params}^{(\Psi)}, k_v, c_v, t_v)$ is computed, and the random number and the keys of the children of $v$ are removed from the head of file $f'_v$ to get the original file $f_v$. Pictorial description of this algorithm on an access graph $G$ is given in 20(e).
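The bottom-up encryption, path-walking key derivation (Π.DER) and decryption of Construction 1, as an added Python sketch that is not the paper's pseudo-code. The MLE here is a hash-based stand-in assumed for illustration (key derived from the message, tag derived from the ciphertext), the seven-node tree and file contents are constructed, and a post-order walk replaces the level-by-level loop.

```python
import hashlib
import os

LAM = 32  # bytes per key and per random prefix R

# Constructed 7-node access tree (children in ascending order) and files.
TREE = {"u1": ["u2", "u3"], "u2": ["u4", "u5"], "u3": ["u6", "u7"],
        "u4": [], "u5": [], "u6": [], "u7": []}
FILES = {u: ("file of " + u).encode() for u in TREE}


def xor_stream(key, data):
    return bytes(a ^ b for a, b in zip(data, hashlib.shake_256(key).digest(len(data))))


def mle_encrypt(msg):
    """Stand-in MLE (assumption): k = H(msg), c = msg XOR stream(k), t = H(c)."""
    k = hashlib.sha256(b"key" + msg).digest()
    c = xor_stream(k, msg)
    return k, c, hashlib.sha256(b"tag" + c).digest()


def mle_decrypt(k, c, t):
    """Return the message, or None (the paper's ⊥) if tag or key check fails."""
    if hashlib.sha256(b"tag" + c).digest() != t:
        return None
    msg = xor_stream(k, c)
    return msg if hashlib.sha256(b"key" + msg).digest() == k else None


def kasae_encrypt(tree, root, files):
    """Encrypt children before parents; each padded file is R || child keys || f_u."""
    keys, pub = {}, {}

    def visit(u):
        for child in tree[u]:
            visit(child)
        padded = os.urandom(LAM) + b"".join(keys[c] for c in tree[u]) + files[u]
        k_u, c_u, t_u = mle_encrypt(padded)
        keys[u], pub[u] = k_u, (c_u, t_u)

    visit(root)
    return keys, pub  # S := k, so each node stores exactly one key


def open_node(tree, w, k_w, pub):
    """Decrypt node w; return ({child: key}, original file) or None."""
    padded = mle_decrypt(k_w, *pub[w])
    if padded is None:
        return None
    kids = tree[w]
    child_keys = {c: padded[LAM * (i + 1):LAM * (i + 2)] for i, c in enumerate(kids)}
    return child_keys, padded[LAM * (len(kids) + 1):]


def path(tree, u, v):
    """Nodes from u down to v, or None if v is not a successor of u."""
    if u == v:
        return [u]
    for child in tree[u]:
        rest = path(tree, child, v)
        if rest:
            return [u] + rest
    return None


def kasae_derive(tree, u, v, s_u, pub):
    """Walk the path from u to v, decrypting each node to read the next key."""
    nodes = path(tree, u, v)
    if nodes is None:
        return None
    k = s_u
    for w, nxt in zip(nodes, nodes[1:]):
        opened = open_node(tree, w, k, pub)
        if opened is None:
            return None
        k = opened[0][nxt]
    return k


def kasae_decrypt(tree, u, v, s_u, pub):
    k_v = kasae_derive(tree, u, v, s_u, pub)
    if k_v is None:
        return None
    opened = open_node(tree, v, k_v, pub)
    return None if opened is None else opened[1]


if __name__ == "__main__":
    keys, pub = kasae_encrypt(TREE, "u1", FILES)
    print(kasae_decrypt(TREE, "u1", "u5", keys["u1"], pub))
```

Because a parent's padded file embeds each child's message-derived key, overwriting a child's public entry with a re-encryption of different content changes that key and the parent's decryption returns `None`.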

Building KAS-AE by Tweaking APE and FP
So far we have constructed the KAS-AE schemes using the existing schemes as black boxes. Here we take a focused look at generating the KAS-AE schemes from scratch and we describe two KAS-AE schemes, namely, Construction 2 and Construction 3. These two schemes are much more efficient than all the KAS-AE constructions described in the paper. They exploit the unique property of reverse decryption of the APE authenticated encryption and the FP hash mode of operation to integrate the key and message, and provide authenticated encryption. This trick has been used earlier by Kandele and Paul to come up with FMLE schemes [KP18]. This results in a huge reduction in the memory requirement for the private information, which has to be stored securely by the members of each security class, and in the ciphertext expansion that is stored in the public storage, especially in the cases when the width of the access graph (as described in Subsubsection 2.2.1) is huge.
(a) Algorithmic description of building Construction 1 Π using the MLE scheme Ψ. For the pictorial description with an example, see 20(b)-20(e).
The access graph $G$ with 7 nodes $u_1, u_2, \ldots, u_7$ and their corresponding files
$IV_2$; the values of $k_{u_{j_2}}, k_{u_{j_3}}, \ldots, k_{u_{j_d}}$ and $f_w$ are extracted from $f'_w$; and the next node in the path is searched in the sequence w, and the key corresponding to it is extracted, before the next iteration begins. Pictorial description of this algorithm on an access graph $G$ is given in 22(d).
• $\Pi.D(\mathrm{params}^{(\Pi)}, G, u, v, S_u, \mathrm{pub})$ is a deterministic algorithm that enables the node $u$ to decrypt the file of its successor $v$. As earlier, the node $u$ uses the private information $S_u$ and the public information of the system $\mathrm{pub}$. In the first step, the decryption key $k_v = \Pi.\mathrm{DER}(\mathrm{params}^{(\Pi)}, G, u, v, S_u, \mathrm{pub})$ is computed. Then, the ciphertext $c_v$ is extracted from $\mathrm{pub}$ using the function ext_cipher, and the function ch_seq(v, G) returns the sequence of children $(u_{j_1}, u_{j_2}, \ldots, u_{j_d})$ of $v$ (in ascending order); the value of $IV_1$ is computed as the last λ-bit block of ciphertext $c_{u_{j_1}}$. After that, the file $f'_v$ and value $IV_2$ are computed as $(f'_v, IV_2) = G^{\pi}_2(1^{\lambda}, k_v, c_v, IV_1)$ and the keys of the children of $v$ are removed from the head of file $f'_v$ to obtain the original file $f_v$. To verify the authentication of the file, the first child $w$ of each node starting from $v$ performs the following operations: the key $k_w = IV_2$ is computed, ciphertext $c_w$ is extracted, the function ch_seq(w, G) returns the sequence of children $(u_{j_1}, u_{j_2}, \ldots, u_{j_d})$ of $w$ (in ascending order); the value of $IV_1$ is computed as the last λ-bit block of ciphertext $c_{u_{j_1}}$; and $(f'_w, IV_2) = G^{\pi}_2(1^{\lambda}, k_w, c_w, IV_1)$, where $IV_2$ acts as the key of the first child for the execution of the next iteration. The value of $IV_2$ should be $0^{\lambda}$ for the leaf node whose ciphertext is decrypted in the last iteration. If this condition is satisfied, the file $f_v$ is returned, otherwise ⊥ is returned.

Comparison of various KAS-AE schemes
For the access graph G = (V, E) and the sequence of files f = ( and λ is the security parameter.Also, we consider the key and tag sizes to be λ bits each.Based on the definitions of the key derivation algorithm Π. DER and decryption algorithm Π. D of the KAS-AE scheme (defined in Section 3), the chain C g , and vertices u g h and ûg (discussed in Subsubsection 2.2.1 and Section 5), we define the sets U 1 := {v ∈ C g |u g h ≤ v ≤ ûg }; U 2 := {v ∈ C g |v ≤ ûg }, so U 1 ⊆ U 2 ; U 3 := {u, u i1 , u i2 , • • • , u i , v} such that u i1 u, u i2 u i1 , • • • , v u i ; and U 4 := U 3 ∪ {v, u j1 , u j2 , • • • , u j d } such that u j1 is the first child of v, u j2 is the first child of u j1 , and so on, u j d is the first child of u j d−1 .
Here, $C_g$ is a partition of $V$ forming a chain that contains the nodes ûg and $u^g_h$, such that ûg ≤ $u^g_h$ (see Subsubsection 2.2.1). For the KAS schemes Π = (Π.GEN, Π.DER):
• $c_{GEN}$ is the running time of generating a λ-bit key by algorithm Π.GEN;
• $c_K$ denotes the cost of generating a single λ-bit key, for the schemes X-AE, where X ∈ {TKAS, TKEKAS, DKEKAS, IKEKAS}; and
• $c_e$ and $c_{Kg}$ denote the cost of generating one public value $e$ and generating one λ-bit key from a given $e$ value in NBKAS-AE.

Computation
Secure MLE Ideal Permutation Ideal Permutation Assumption

Figure 4 .
In the access graph $G = (V, E) \in \Gamma^{(\Pi)}$ for the poset $(V, \le)$, we represent the security classes by nodes $u_1, u_2, \ldots, u_n \in V$, where $n = |V|$.
all_succ(u, G): Given the node $u$ and graph $G$ as input, this outputs the set of all successor nodes $\downarrow u = \{v \in V \mid v \le u\}$. This can be implemented by using Breadth First Search (BFS) (or Depth First Search (DFS)) traversal on the graph $G$ with $u$ as the source/root node. The running time of all_succ(u, G) is $O(|V| + |E|)$.
This can be implemented in the same way as max_isect(u, C) with different chains in different iterations and some trivial running time optimization. The running time of max_isect_chs(u, G) is $O(|V| + |E|)$.
nodes_at_level(V, level[ ], x): This function takes a graph $G$, the array level[ ] storing the levels of nodes, and a level $x$ as input, and outputs the set of nodes in $G$ that are at level $x$. We have already assigned the values of levels of the nodes to the array level[ ], during the execution of the height(G) function. Now, we need to compare the levels of all the nodes, and build the set of those elements whose levels are $x$. Finally, we return this set. The running time of nodes_at_level(V, level[ ], x) is $O(|V|)$.
partition(G): This function takes as input a graph $G$, and outputs the number of partitions $w$ and the set of chains $C_1, C_2, \ldots, C_w$ (as used by Freire et al. [FPP13]). The running time of partition(G) is poly(n).

Figure 4: Graph algorithms used in the paper. Here: the ENQUEUE(Q, u) operation appends the element u to the queue data structure Q; the DEQUEUE(Q) operation removes the first element from the queue Q, and returns the element; the FIND_ROOT(G) function takes the graph G, and finds its root node (this node has no incoming edges); the SORT(U) operation takes a list of elements, and returns a sorted list of elements based on their index values; and DIJKSTRA(G, u) is the Single-Source Shortest Path algorithm that takes the graph G and source u as input, and gives the lengths of shortest paths (as dist[ ]) from u to all the nodes, and the parents of all nodes (as parent[ ]) [Dij59].

Figure 5: Chain partition algorithm for building KAS.The functions partition, max_isect_chs and max_isect are described in Subsubsection 2.2.8.

Figure 7: Algorithmic description of the KAS-AE scheme of Subsection 4.1: simple combination of KAS and AE. A simple attack on the Tag Consistency security of Π. The attack works as follows: a node $v$ replaces the original ciphertext $c_v \| t_v$ with a different ciphertext $c'_v \| t'_v$ computed under the original key $k_v$ and file $f'_v \ne f_v$; now, a senior node $u$ (i.e., $v \le u$) decrypts $c'_v$ without any error message.

Figure 11: The reduction used in Theorem 5: MLE adversary is constructed using KAS-AE-chain adversary.

Theorem 7. If the underlying MLE scheme is TC secure, then the Construction B Chain is also INT secure.

Figure 12: The reduction used in Theorem 6: MLE adversary is constructed using KAS-AE-chain adversary.

Figure 13: The reduction used in Theorem 7: MLE adversary is constructed using KAS-AE-chain adversary.

Figure 14: Algorithmic and diagrammatic descriptions of the functionalities $F^{\pi}_1$ and $F^{\pi}_2$ are shown in (a), (b) and (c); here, π is a 2λ-bit easy-to-invert permutation. Each wire in (b) and (c) represents λ bits. The function $F^{\pi}_1$ takes as inputs parameter $1^{\lambda}$, message $M$ and two other values $IV_1$ and $IV_2$, and returns the decryption key $K$ and the ciphertext $C$. Similarly, $F^{\pi}_2$ takes as inputs parameter $1^{\lambda}$, the decryption key $K$ and the ciphertext $C$, and outputs the message $M$ and value $IV_2$. For the sake of simplicity, we assume that $|M|$ is a multiple of security parameter λ.

Figure 16: Construction C Chain obtained by replacing the random permutation π used in the Construction C Chain by the random function rf.
(c) Diagrammatic description of functionality $G^{\pi}_2$.

Figure 17: Algorithmic and diagrammatic descriptions of the functionalities $G^{\pi}_1$ and $G^{\pi}_2$ are shown in (a), (b) and (c); here, π is a 2λ-bit easy-to-invert permutation. Each wire in (b) and (c) represents λ bits. The function $G^{\pi}_1$ takes as inputs parameter $1^{\lambda}$, message $M$ and two other values $IV_1$ and $IV_2$, and returns the decryption key $K$ and the ciphertext $C$. Similarly, $G^{\pi}_2$ takes as inputs parameter $1^{\lambda}$, decryption key $K$, the ciphertext $C$ and value $IV_1$, and outputs the message $M$ and value $IV_2$. For the sake of simplicity, we assume that $|M|$ is a multiple of security parameter λ.
then return $f_v$; Else return ⊥;
(a) Algorithmic description of building D Chain Π using the functionalities $G^{\pi}_1$ and $G^{\pi}_2$. For the pictorial description with an example, see 18(b)-18(e).
The access graph G with 3 nodes u 1 , u 2 , u 3 and their corresponding files

Construction 3
Theorem 16. If the underlying FP is KR-ST (or IND-PRV or INT) secure, then the KAS-AE scheme Construction 3 is also KR-ST (or IND-PRV or INT) secure against static adversaries.
Proof. The proof of this is identical to the KR-ST (or IND-PRV or INT) security proof of the KAS-AE-chain construction D Chain in Subsubsection 5.1.4.
1}* and $\mathrm{pub} \in \{0,1\}^*$, for all $u \in V$.
3. The key derivation algorithm $\Pi.\mathrm{DER}$ is a deterministic PT algorithm such that $k_v := \Pi.\mathrm{DER}(\mathrm{params}^{(\Pi)}, G, u, v, S_u, \mathrm{pub})$. Here: $v \le u$ are two nodes of the access graph $G$; $S_u$ is $u$'s private information; $\mathrm{pub}$ is the public information; and $k_v$ is $v$'s decryption key.
Note that $S_u \in \{0,1\}^*$, $\mathrm{pub} \in \{0,1\}^*$ and $k_v \in K^{(\Pi)} \cup \{\bot\}$.
4. The decryption algorithm $\Pi.D$ is a deterministic PT algorithm such that $f_v := \Pi.D(\mathrm{params}^{(\Pi)}, G, u, v, S_u, \mathrm{pub})$. Here: node $u$ decrypts the ciphertext corresponding to node $v$ such that $v \le u$ in the access graph $G$; $S_u$ is $u$'s private information; $\mathrm{pub}$ is the public information; and
returns the sequence of children $(u_{j_1}, u_{j_2}, \ldots, u_{j_d})$ of $u$ (in ascending order); then a λ-bit random number $R$ is generated; then $f'_u$ is obtained by prepending $R$ and the decryption keys $k_{u_{j_1}}, k_{u_{j_2}}, \ldots, k_{u_{j_d}}$, which have been already generated in the previous iterations, to the file $f_u$; and finally, $(k_u, c_u, t_u) := \Psi.E(\mathrm{params}^{(\Psi)}, f'_u)$ is computed, where $k_u$, $c_u$ and $t_u$ are the decryption key, ciphertext and tag. The vectors $S$, $k$ and $\mathrm{pub}$ are computed as $\mathrm{pub} := (c_u \| t_u)_{u \in V}$, and $S := k := (k_u)_{u \in V}$. Pictorial description of this algorithm on an access graph $G$ is given in 20(c).
• $\Pi.\mathrm{DER}(\mathrm{params}^{(\Pi)}, G, u, v, S_u, \mathrm{pub})$ is a deterministic algorithm in which a node $u$ computes the decryption key of a successor node $v$. The node $u$ uses its private information $S_u$ and the public information of the system $\mathrm{pub}$. First, the function path(G, u, v) returns a sequence of nodes $(u, u_{i_1}, u_{i_2}, \ldots, u_{i_\ell}, u_{i_{\ell+1}} = v)$ representing the path from $u$ to $v$. $S_u$ contains the decryption key $k_u$, and therefore can be used to start the decryption procedure. For all the successive nodes $w = u, u_{i_1}, u_{i_2}, \ldots, u_{i_\ell}, v$ the following operations are executed: the ciphertext $c_w$ and the tag $t_w$ are extracted; $f'_w := \Psi.D(\mathrm{params}^{(\Psi)}, k_w, c_w, t_w)$ is computed; the function ch_seq(w, G) returns the sequence of children $(u_{j_1}, u_{j_2}, \ldots, u_{j_d})$ of $w$ (in ascending order); the values of $R, k_{u_{j_1}}, k_{u_{j_2}}, \ldots, k_{u_{j_d}}$ and $f_w$ are extracted from $f'_w$, where $R$ is the random number used during the encryption; and the next node in the path is searched in the sequence w, and the key corresponding to it is extracted, before the next iteration begins. Pictorial description of this algorithm on an access graph $G$ is given in 20(d).

Table 2: Comparison table for different KAS-AE schemes built using KAS-AE-chain constructions (described in Subsection 5.1) embedded into modified chain partition algorithm (described in Subsection 5.2).

Table 3: Comparison table for KAS-AE schemes built in Section 6 and Section 7.