An Inner Product Space-Based Hierarchical Key Assignment Scheme for Access Control

—An inner product space-based hierarchical access control scheme is presented in this work. The proposed scheme can be utilized in any cloud delivery model where the data owner implements a hierarchical access control policy. In other words, the scheme adjusts any hierarchical access control policy to a digital medium. The scheme is based on inner product spaces and the method of orthogonal projection. While distributing a basis for each class by the data owner, left-to-right and bottom-up (LRBU) policy can ensure much more ﬂexibility and efﬁciency, especially during any change in the structure. For each class, the secret keys can be derived only when a predetermined subspace is available. Our scheme is resistant to collusion attacks and privilege creep problems, as well as providing key recovery and key indistinguishability security. The performance analysis also shows us that the data storage overhead is much more tolerable than other schemes in the literature. In addition, the other advantage of our key access scheme over many others in the literature is that it requires only one operation to derive the secret key of child classes securely and efﬁciently.


INTRODUCTION
T HE confidentiality of data in the digital medium is provided by employed cryptographic primitives such as a symmetric-key algorithm. An encrypted data in any place is converted to its original form with a predetermined secret key. The access control policy to that predetermined key is supposed to reflect the data owner's policy which might be complicated in certain institutions. The extracting process in most cases involves the approval of more than one user and an efficient application of any secret sharing algorithm [1] handles the desired key access control in some cases. On the other hand, a key access control policy that requires approvals from various users where each one has a distinct clearance level determined by the data owner might not be adapted from a secret sharing algorithm. Since Akl and Taylor's proposed hierarchical access control scheme in 1983 [2], many studies have appeared on hierarchical key assignment schemes. However, there are still open spaces to be completed towards a practical access mechanism for hierarchical structures which motivate us to conduct this research.
The recent trend of moving various services to a digital medium is welcomed by many institutions that process mission-critical data. Such institutions might prefer to use public or private cloud services for data flow and apply their data access policy to the data in such a digital environment. There are many concerns about using the public cloud, especially for military, health, and banking, where confidentiality and privacy are crucial. Besides the general concerns of confidentiality, availability, integrity, reliability, data lock-in, and regulatory compliance, integration of the data owner's access policy to a digital medium stands as a challenging topic in the research community [3], [4]. •  Due to the concerns mentioned above, many organizations are slowing down their digitalization adaption plans even though the public cloud deployment model provides many advantages, especially in total cost [5].
This work eliminates the hesitation to utilize the public cloud. It alleviates concerns about moving mission-critical data to the public cloud. A secure and flexible hierarchical inner product space-based key access scheme utilizing a mathematical tool of orthogonal projection on an inner product space is designed. The scheme is specially designed for organizations that use storage as a service cloud delivery model from the public cloud.
This work considers Bell-LaPadula's (BLP) hierarchical multilevel lattice-based model that addresses confidentiality in a hierarchical organizational structure similar to government or military institutions. One of the main properties that should address is simple security, which means any class with lower classification privileges cannot read or access an object of a higher classification. Thus, we follow only the read-down model for hierarchical access control. Figure 1 illustrates a multilevel hierarchical organizational structure. The number of levels indicates the number of classification levels defined by the data owner.
Various institutions have hierarchical management mechanisms in their organizational structure. The hierarchical mechanism can be designed by dividing the organization into functional areas, that is, by dividing it into smaller organization units which we denote by OU . Some of the advantages of this mechanism are that user groups in each OU have different security classification levels to access the data, the members of lower classification level have to get approvals from the members of higher classification level, and the data owner can dynamically adjust all these. The scheme is presented to adapt such a hierarchical organizational structure to the digital environment. In addition, a cloud storage entity as a service provider should not be able to obtain any information about the user's mission-critical data. Thus, a scheme should facilitate the adoption of the public cloud and be employed safely for various purposes. The first stage of such a scheme that deals with the users' key access/assignment mechanism is presented in this work.
In the following parts, we employ directed acyclic graphs (DAG), called access graph and denoted by G(V, E) where V is a finite set of classes (vertices) and E is a set of paired vertices (edges). A partition of set V is a collection of sets {V 1 , V 2 , . . . , V n }. For example, the graph G (9,8) in Figure  1 is a DAG with nine vertices and eight directed edges. ≤ is a partial order (transitive, reflexive, and antisymmetric binary relation) on V , so (V , ≤ ) is a partially ordered set (poset). Note that any two security classes V i or groups G i are disjoint. Let u, v ∈ V denote two distinct classes such that u ≤ v. This relation means the users in class u can access all the data to which the users in class v have access. In other words, G i ≤ G j means that any user in G i can access the data belongs to G j , and the security clearance level of G i is equal to or higher than that of G j . Note that G i has to be one of the parent classes of G j . Figure 1 and Figure 2 illustrate the key access structure via the proposed algorithm.
The root parent G 1 has two children (G 2 , G 3 ). Each of these children is a parent to other children. Parent G 2 has three children (G 4 , G 5 , G 6 ), parent G 3 has three children (G 7 , G 8 , G 9 ). Each child has only one immediate parent, all parents except the root parent G 1 also have an immediate parent and children. The secret key of each child class can be obtained only by the parent classes in addition to its own class, but the other way around is not allowed. Although they have the same clearance level (as shown in Figure 2), if they are not in the parent-child relationship in Figure 1, the key cannot be obtained since the relationship conditions are not met.
The remaining paper is structured as follows; Section 2 provides related works regarding hierarchical key assignment schemes in literature chronologically. Section 3 presents the preliminaries on which our work is based, such as the inner product space, the Gram-Schmidt method, and the orthogonal projection. Section 4 is devoted to the detailed presentation of the proposed scheme. Section 5 shows the implementation results, security and performance analysis of the proposed fully hierarchical key assignment scheme. Section 6 provides a summary of the proposed scheme.

Top Secret
Secret Confidential

RELATED WORK
This section will present the studies related to the hierarchical access control scheme in the literature chronologically.
To provide a key assignment scheme obeying a hierarchical structure, various schemes have been presented, and almost all hierarchical access control schemes [2], [6] - [13] are based on a partially ordered set (poset) hierarchy. These schemes are not designed to give access to users for a certain period of time only. The other ignored point in these schemes is that updating keys are based on poset hierarchy. In other words, the key derivation might be so costly that these schemes become non-practical for large hierarchies. We should note here that Akl and Taylor-based schemes are only secure under the assumption of the security of the Rivest-Shamir-Adleman (RSA) public key algorithm [14].
In the work [15], the time-bound property based on the Lucas function is utilized to provide better performance and time efficiency and solve key update problems. The timebound access control schemes are divided into two categories: the first one is based on tamper-proofed devices [16] and the second one [15], [17] is based on public values. Note that tamper-proof devices, which are collusion resistant but costly and unsuitable for the cloud, limit user convenience. Still, public values can be used efficiently in the cloud due to broad network access. Both public values and the user's own key are used to derive the secret key of lower classification levels. Thus, the numbers of the public values are critical to measuring the efficiency of the key assignment scheme.
In all other schemes proposed later, the main goal is to provide secure, dynamic, and efficient hierarchical key access control. The parameters that measure the efficiency and security of the hierarchical key assignment schemes in literature are as follows: 1) The amount of private and public information: The amount of information assigned to each class to derive the secret key. The data owner distributes private information to classes so that only users of desired classes have access. On the other hand, the data owner publishes all public information to all classes following the predetermined hierarchy. 2) Complexity of key derivation: The number of operations or computational requirements/cost needed for key derivation must be minimal and tolerable.
3) Complexity of key updates due to dynamic changes in the hierarchy structure: The scheme allows the deletion and insertion of classes in the hierarchy without the need for redistribution of any private information. In addition, the computational requirements needed for key updates have to be minimal and tolerable. 4) Resistance to collusion attacks known as collaborative attacks or key recovery (KR) attacks: The derivation of the secret key of each class has to be protected against any coalition of users belonging to the lower classification levels, and KR s denotes such a secure scheme. 5) The state of key indistinguishability secure denoted by KI s : The attacker should not distinguish between the secret key and a random string of the same length.
If the scheme is KI s , it means that it also provides key recovery security KR s , but not vice versa [17]. 6) Resistance to privilege creep problem: When the clearance level of any member U of the class is downgraded, or the membership is changed, the member should not be able to use former privileges during a period of transition. In other words, the scheme must guarantee both forward and backward secrecy.
In 1983, Akl and Taylor proposed a hierarchical access control scheme in a system to manage the key and to solve the hierarchical multi-group management and data sharing problem [2]. According to the proposed scheme, the computer (or communication) system users are divided into some disjoint sets U 1 , U 2 , U 3 .....U n . Note that the relationship between classes is just a poset hierarchy. A security level is used to define each of the U n and users in U n can access data held by users in the same U n or lower security level, while the vice versa is not allowed. The proposed scheme presents a solution to a hierarchical access control problem. The scheme can be useful in a secure distributed system. On the other hand, the approach does not completely solve more general multi-level security issues. This scheme can't be adapted flexibly and dynamically to the security policy determined by the data owner. The other problem with this method is that users can use the key permanently at a higher security level. A substantial amount of storage and communication is consumed due to the need to renew the keys periodically and redistribute them to the users. According to [17], the scheme expensively performs key derivation and only provides security regarding the KR. Due to the large number of keys held by each user, the scheme becomes inefficient as the number of users increases [6]. In addition to this, a large amount of storage for each security class to store public information is required [8], [13].
To control access to the data within a group of users ordered in a hierarchical structure, the improved scheme of [2], called a canonical assignment, is proposed to mitigate the amount of storage needed for public information, especially when the number of classes in the hierarchy is large [15]. However, the need for a large amount of storage is not eliminated [13]. Any member of a group can access the data of lower-class group users because they can generate lowerlevel group users' keys using their own key and the scheme also provides security against collusion attacks.
In 1988, the work [7] proposed a tree hierarchical scheme based on symmetric-key cryptography in which security classes are organized as rooted-tree, which is a special instance of poset hierarchy. Using the iterative method of one-way function, which provides an efficient method to compute images while making computational hard to compute pre-images, the key belonging to the lower security class in the sub-tree can be generated. The most important innovation in this work is that new security classes can be inserted without changing keys for existing classes. For example, once a new security class is inserted in [2] and [6], all keys not associated with this class also have to be changed, and this brings a substantial burden, especially for distributed and large infrastructures. In addition, there is also no need for extra public parameters for the key derivation. The main drawback of [7] is the computational overhead during deriving keys, especially when the key of the lowest class needs to be created by the root of the tree. The scheme is only implemented in a tree hierarchy, and it is not practical in trees greater than ten security levels.
In 1990, Harn and Lin proposed a similar approach to [2] but followed a bottom-top key derivation policy [8]. Unlike the works [2], [6], new security classes can be inserted without changing all keys. The storage need for public parameters for security classes is much less than [2], [6]. In addition, the scheme is more efficient in memory utilization in comparison with [2].
In 1993, Chang et al. [9] and Liaw et al. [10] proposed schemes based on Newton's implementation and one-way function. However, the computation time needed for key generation and derivation is massive, which makes them time-consuming. In addition, their schemes are insecure against collaboration attacks [11].
In 1993, Liaw and Lei [12] proposed an optimal heuristic algorithm for assigning cryptographic keys applying a topdown design approach in a tree structure for multilevel data security. The generation and derivation of keys can be done efficiently, as well as the method reduces the storage requirement for general parameters. However, similar to [7], the algorithm can only be used in a tree structure.
In 1997, the work [13] modified the algorithm [12] to be used in poset hierarchy. Thus a user at a higher level can obtain the keys of other users at lower levels from his own cryptographic key. This is a one-way function, and the opposite direction is not allowed. The users collaborating at a lower level of the hierarchy would not obtain a higher level key for which they are not entitled. Thus the collusion, namely collaborated attacks are also prevented.
In 2002, Tzeng [15] proposed a time-bound cryptographic key assignment scheme inspired by [2] to prevent the key from being used continuously by members of higher level class C. According to the scheme, any user of a class C can only be a member of C for a certain period of time. A user in C i can only compute from secret K i to K j at that time t if and only if C j ≤ C i and t 1 ≤ t ≤ t 2 . Note that t 1 is the beginning, t 2 is the end of time period. There are broadcasting data to authorized users in a hierarchy with optimal bandwidth, and a user can only obtain data that he is granted access to. On the other hand, unauthorized users cannot obtain any data by listening to the broadcasting. In addition, a user can hold encrypted data for only a period of time. A higher classified user can grant a privilege to another user to disclose the encrypted data, which ensures flexibility. The scheme is independent of the number of classes in the hierarchy, and this property did not exist in the previously proposed key assignment schemes based on poset hierarchy. However, the scheme is not efficient as expected since the users must always keep the keys in their hands to access the authorized data for a certain period of time. While the scheme requires less communication and storage cost, it is computationally inefficient due to the need for costly public key computation in addition to costly computations which occur overload during the implementation [16]. In addition, the scheme has been proven to be insecure against a feasible and efficient collusion attack if three users conspire to gain access to the keys [19].
In 2004, Chien [16] proposed an efficient time-bound hierarchical key assignment scheme inspired especially by [2] and [15]. The paper proposes to improve the time-slotbased key assignment scheme [15] by assigning distinct cryptographic keys to all to solve both implementation cost and performance issues in hierarchical key infrastructures. The scheme is based on a tamper-proof device that only performs simple arithmetic operations and is inaccessible even by its owner. There is a Trusted Agent (T A) and also a secure one-way hash function h(). It is economically infeasible to derive the secret key from the public value. Users at lower security levels cannot obtain the key of higher security levels, so the scheme is resistant to collusion. No user can derive any key beyond the authorized time slots. In comparison with [15], the scheme appears much more efficient based on performance analysis. It needs a low-cost tamper-proof device that supports little storage space and simple operations without public-key cryptography and has little computational complexity. However, the scheme has been proven to be insecure against a feasible and efficient collusion attack if three users conspire to gain access to the keys [19], [18].
In 2006, the work [20] categorized nearly all key assignment schemes in literature as a trivial key assignment scheme (TKAS), a trivial key encrypting key assignment scheme (TKEKAS), a direct key encrypting key assignment scheme (DKEKAS), a node-based key assignment scheme (NBKAS), and an iterative key encrypting key assignment scheme (IKEKAS). In TKAS, key generation is effortless, but it is a poor scheme since the key update/change is arduous. In TKEKAS, the key update process is easier and useful, especially if the key is compromised. In DKEKAS, private storage requirements are minimal, and key updates are easier, but public data is quite high. In NBKAS, whose security relies on the difficulty of computing integral roots modulo n, storing a single secret value is only required for each user. It has an advantage over both TKEKAS and DKEKAS. The keys are originally dependent but can easily be converted to independent keys. Keys can be derived in a single step for the schemes above. In IKEKAS, key generation and updates are relatively easy, less public storage is needed, but the key generation is iterative, not direct. It is stated that the changes in the information flow policy are included in a key assignment scheme, but there is a need for studies that solve the problem of key updates/changes. In addition, best practices for any key assignment scheme are described as follows: requiring a small amount of private and public storage, providing a computationally efficient method for both derivation and update keys, and being collusion-free which means that no combination of users can derive keys where they do not have authorization.
In 2009, Atallah et al. [21] proposed dynamic and efficient key management for hierarchical key access control. The scheme's main goal is to find a solution for the access control and key management problem in hierarchical infrastructures. The scheme works with random access graphs. Only hash functions are used for a node to derive the descendant's key from its own key. The number of linear bit processes limits key derivation by a node of the descendant's key, and the class consists of a single key associated with that class. Similar to [21], the scheme in the work [22] is also suitable to the dynamic changes of classes in the hierarchy, such as deletion and insertion of classes. The formal security analysis of the schemes so far has been made, and KI s and KR s notions first came up with [21]. The scheme is secure against chosen-plaintext attacks, and security is based on pseudo-random functions and an additional symmetric key encryption scheme. In the worst case, the key derivation step can require the implementation of O(n) hash functions, where n is the number of nodes in the graph. It is more efficient than predecessors because of its dependency on interpolating polynomial, costly modular exponentiation operations, additional encryption. However, according to work [17], each user has to store a maximum of three private secrets, and the amount of public data inversely affects the complexity of key derivation. According to the study, [23], the number of public information increases with the number of edges on the graph and with the number of classes. In addition, as the number of levels between classes increases, the cost of key derivation increases linearly.
To solve the access control problem in the hierarchy, elliptic-curve cryptography-based hierarchic key assignment schemes were proposed [24] - [26]. In [24], the number of access control policies depends on the number of encryption keys, and tamper-proof devices play a key role in this scheme which is slower than [15], [16]. It has been proven that the scheme [24] is not secure against collusion attack [27]. In addition, Das et al. [28] have proven that the scheme described in the work [25] is vulnerable to exterior rootfinding attack. Furthermore, the method presented in [26] is insecure against collusion attacks [29].
In 2011, De Santis et al. [30], and in 2012, Hassen et al. [31] proposed their schemes with better performance than the previous ones. The schemes in [30] (TBEBF:timebound encryption-based family and TBBEBF:time-bound broadcast encryption-based family) support dynamic updates in the hierarchy without the need of redistribution of private information but at the expense of an increase in the amount of public information. The schemes achieve KI s and also improve the method of [21] computational requirements needed for key derivation and key updates remarkably. Key derivation (TBEBF) requires symmetric decryption approximately as many as the number of levels in the hierarchy, and TBBEBF requires complex symmetric decryption. The scheme's private key storage requirement is small as it needs only one key per class, but the amount of public storage need grows linearly with the number of classes and edges in the graph. On the other hand, the scheme in [31] has very competitive storage, bandwidth, and computation overheads in comparison with previous ones.
In 2012, Ateniese et al. [17] designed two different timebound hierarchical key assignment schemes. The TLEBC (two-level encryption-based construction) is based on symmetric encryption schemes, and the TLPBC (two-level pairing-based construction) is based on bilinear maps. They consider the security of schemes regarding both KI and KR by attackers. These schemes are provable-secure and can compute the keys of all lower classes more efficiently in the hierarchy. In other words, the key derivation procedures are very efficient as only one decryption, or one pairing evaluation is sufficient regardless of the number of levels in the hierarchy. In addition, without any private information that needs to be changed, only local changes to the public information are enough to update the hierarchy. According to the work [23], private information can be as large as the number of periods (public information is already large) as the schemes are based not only on the number of classes but also on the number of time periods.
In 2013, Freire et al. [23] designed schemes based on pseudo-random functions P RF and forward secure pseudorandom generators F SP RG for arbitrary posets. The schemes also show a trade-off between key derivation efficiency and storage requirements of private information. The ultimate efficiency of key derivation depends on the longest depth of poset. In contrast, the amount of private information depends on the width of a poset, but the key derivation efficiency is relatively better than others. The schemes do not need public storage. In addition, the updated KI s notion of [21] provides stronger security SKI s than all schemes so far.
In 2016 [32], hierarchical key access scheme based on linear-geometry organizes the sets of a user in a hierarchical order and divides the users into different disjoint groups called security classes to ensure different access privileges for each class. To derive the key at the descendant security level, the public vector of the user's level and the private vector at the ancestor security level can be used together. Without the need for iterative computation, the key of the descendant security level can be directly derived by the ancestor security level. The scheme only needs to compute the vector multiplication and values of the pseudorandom function, which causes very little computational overhead. The scheme also achieves SKI s . Although the size of the public information in this scheme is slightly larger than the others, there is a balance between computation cost and storage space. The scheme provides an efficient key management solution that can serve as flexible and finegrained hierarchical access control in cloud computing to address potential changes in the hierarchy with light computations in the finite field. However, the main drawback is the amount of public information compared to others, and there is a trade-off between computation cost and storage space. The ultimate overhead of every class might not be tolerable and efficient eventually. In addition, if there is a change in the hierarchy, the data owner must compute and publish a new public matrix. The other disadvantage is that the matrix should satisfy certain properties to establish the relationship between the number of classes in the hierarchy and the public information, especially for rekeying.
There are two types of hierarchical key assignment schemes; indirect access schemes and direct access schemes. In indirect access schemes such as [23], [30], [31], the secret key of the child class can be derived from it by calculating all keys on the path to the child class. In direct access schemes such as [22], [25], [29], [32], it only requires one computational task to derive the secret key of the child class. However, their disadvantages are that they are not secure enough [28], [35], [36] and a high overhead task [29]. Therefore, there is still plenty of room for the research toward a practical and secure key access mechanism. This motivates us to build a secure and efficient inner product space-based cloud-independent hierarchical key assignment scheme.

Inner Product Space
Various applications of linear algebra have been presented for the last century [33]. Matrices, eigenvalues, linear systems are indispensable tools in computational science, especially in artificial intelligence and machine learning-related research [34]. The majority of vector spaces come with a welldefined inner product which is basically a tool to measure the distance between two vectors in the space. Once the distance is defined in space, locating the closest vectors to certain subspaces will only require computational tasks. The proposed algorithm in this work uses this fundamental notion of distance, in other words, the inner product. An inner product and its properties on a vector space V are briefly described below. Then, the procedure of finding the closest vector to a defined subspace is presented. As the procedure requires utilizing an orthonormal basis for the given subspace, constructing an orthonormal basis for a vector space called the Gram-Schmidt orthogonalization process is briefly demonstrated. Finally, we explain the last step to find orthogonal projection (OP) of a vector to the defined subspace of V .
The vector space V with an inner product is called an inner product space. Utilizing an inner product space for our purposes might first require creating an orthonormal basis in it. Now assume B = {v 1 , v 2 , . . . , v n } is a basis for the vector space V . The Gram-Schmidt (GS) method can be utilized to make it an orthogonal basis for V , and the new set S = {w 1 / w 1 , w 1 , . . . , w n / w n , w n } after applying GS method to the set B forms an orthonormal basis for V .
The inner product has been presented to create an analogue of the orthogonal projection for a vector subspace. An orthogonal projection can be rephrased as follows. Let g be a vector and W be a subspace of V such that it is generated by g. Assume that the vector f ∈ V doesn't lie in W . The formula that gives the orthogonal projection of f on W is f, g g, g g. Interestingly, the projection of f on W remains the same for any basis of W , and this fact is independent of the dimension of W , which will be exploited in the proposed key access scheme.

Orthogonal Projection (OP)
In In fact, if S = {g 1 , g 2 , . . . , g n } is an orthonormal basis for W then the projection vector of f on W can be written as a linear combination of elements in S. Let h be the closest vector of f then h = c 1 g 1 + c 2 g 2 + · · · + c n g n for some integers c i ∈ F (1) As f − h must be perpendicular to each one of g 1 , g 2 , . . . , g n , the inner product of f − h with g 1 , g 2 , . . . , g n must all be zero. In other words, f − h, g i = 0 for i = 1, . . . , n and this implies We should note here that for any orthonormal basis S of W , the orthogonal projection of f on W will be the same. As long as a basis of W is known, the unique orthogonal projection can easily be computed via the Gram-Schmidt orthogonalization process. Figure 3 depicts the idea of OP on an inner product space. A projection of a vector f onto W is unique and will be a crucial observation that the proposed scheme is used for its purpose. In other words, for a subspace of W , each user has a distinct basis, but each user can construct the same orthogonal projection of a vector f in V .

THE PROPOSED SCHEME
Our proposed scheme is based on the following rules. Rule 1. G 1 is the root class and the most privileged group, and c ≥ 0 is the number of classes in the hierarchy.

Rule 2.
For any two classes G i , G j ∈ V , G i ≤ G j means that any user in G i can access its own secret key K i and also K j belonging to G j whose security clearance level is equal to or lower than that of G i . This is the simple security property (no read-up access control policy) based on BLP hierarchical lattice-based model. Note that G i has to be one of the parent classes of G j and if they are not in the parentchild relationship like in Figure 1, then K j should not be obtained by the members of G i . Rule 3. All basis sets S distributed for each class to design a poset in the hierarchy have to be in compliance with the LRBU policy to provide much more flexibility and efficiency especially for any change in the hierarchy. For example, in this respect the children G 4 , G 5 and G 6 of the parent G 2 as depicted in Figure 1 are given the basis sets for subspaces W 4 , W 5 and W 6 respectively.
Rule 4. All vectors v i that make up the elements of each S i must be linearly independent. Note that all v i for i = 1, 2, · · · , 9 are distinct and the set v 1 , . . . , v 9 is linearly independent which means that each W 4 , W 5 and W 6 are disjoint three-dimensional subspaces, and W 2 is tendimensional subspace generated by linearly independent set S 2 containing v 1 , v 2 , · · · , v 9 and additionally a 1 .
Notice that except v 1 , v 2 , · · · , v 9 , the remaining vector of S 2 , which is a 1 , is kept secret and it is assumed to be private information of G 2 which prevents the G 2 's key from being accessible by children G 4 , G 5 , and G 6 . In other words, even if all the children come together and combine the information they have, they can not generate the subspace W 2 and derive the secret key of the G 2 . On the other hand, G 2 has all required information (namely all basis elements) to derive its children's keys separately to access their data.
Similarly, now consider that G 7 , G 8 ,and G 9 are children of parent G 3 . Assume that they are given the basis sets for the distinct four-dimensional subspaces W 7 , W 8 ,and W 9 respectively. Hence, the higher clearance level group G 3 (the parent of these three class) has the set S 3 containing v 10 , v 11 , · · · , v 21 and other vector a 2 in its basis which generates the subspace W 3 . As mentioned above, except v 10 , . . . , v 21 the other element a 2 of the basis for W 3 is kept secret of the G 3 . Thus any user in G 3 can access the corresponding keys K 3 , K 7 , K 8 , and K 9 but any member of G 4 , G 5 , G 6 , G 7 , G 8 , and G 9 which are lower clearance level than G 3 groups does not access the K 3 , they can only access their own secret keys.
Finally, in this scheme, the root class G 1 has the basis S 1 of the vector space W 1 . The basis S 1 consists of the basis elements of G 2 and G 3 as well as its private vector b 1 . The above illustration can also be adapted efficiently to an N-class hierarchy by applying an LRBU policy.

Preparation phase
The data owner: Step 1. Determines all hierarchical classes G i for i = 1, 2, · · · , c of the organization instantiated by Figure 1 and 2 based on the Rule 2.
Step 2. Determines a vector space V which is preferably infinite dimension over a finite field F q and decides an inner product defined on V .
Step 3. Identifies subspaces W 1 , W 2 , · · · , W c . Notice that the selected V structure allows the data owner to change the number of W i as the number of classes in the hierarchy c changes.
Step 4. Determines the corresponding basis sets S i (according to clearance level) for predetermined subspaces W i to distribute each class/group G i for i = 1, 2, · · · , c in organization.
Step 5. Generates the basis sets S i obtained by multiplying the first component of the assigned basis set S i with arbitrary constants in the selected field F q to distribute to users U i in the group G i .

Key distribution phase
At this stage, the data owner shares the public and private information with the relevant groups G i that enable each member U i to derive the corresponding key K Gi .
Step 1. Selects a vector f in V which does not lie in any W i for i = 1, 2, · · · , c and makes it known by all the members.
Step 2. Determines all corresponding basis sets S i for each W i assigned to the class G i in the hierarchy.
Step 3. Distributes basis sets S i derived from the base set S i to each member of the group G i .

Key derivation phase
Note that once the users receive their own basis (public and private information), they can form an orthonormal basis for W i by applying the Gram-Schmidt method to their basis and then apply orthogonal projection (OP) of f onto W i to extract the secret K Gi . (Figure 4).
To derive the corresponding secret key K Gi , any user in the hierarchical structure: Step 1. Applies Gram-Schmidt orthogonalization operation to the given basis, namely computes corresponding orthonormal basis. (See 3.1) Step 2. Runs OP in order to obtain the corresponding key K Gi . (See Figure 3) To derive the key for the class G i , each user computes: Notice that the K Gi for each group G i requires having a basis for the corresponding subspace W i . On the other hand, for a child to have its parent's key, it also needs the parent's private information, which will be a vector and is not feasible for the children to guess from its own basis. For example, if W 1 is a three dimensional subspace of R n (n ≥ 4) and W 1 ⊃ W 2 of dimension 2, it is not feasible to obtain W 1 from W 2 . In fact, there are many subspaces of R n of threedimension, and if one knows only two basis elements of it, it is impossible to obtain the third one. The general framework of extracting a K Gi from a known S i for the W is described in Figure 3, and it is the point on which the security and performance of our scheme are based.

Dynamic update phase
The scheme allows the insertion and deletion of classes in the hierarchy without the need to redistribute and change any public information f used by any G j for both cases below. The insertion and deletion of any class G j have to be following security and LRBU policy.
Insertion. If a new group G j is inserted into the hierarchy, a new basis set S j is given to this new group as private information concerning its clearance level by the data owner. Then, all related parents with G j will have the updated basis set, including the basis elements of the S j . Note that there is no need to update any child's basis set.
Deletion. If any G j which is a parent of some children, is removed from the hierarchy, all children of the removed parent will be linked to one higher parent class and the new related parents' basis sets. However, if the deleted group is at the bottom of the hierarchy, there will be no change in linkage. In addition, if the data owner removes or deletes any G j in the hierarchy, the basis set of G j will also be removed from the higher parent classes to ensure efficiency and reduce disk space requirement.

AND SECURITY ANALYSIS, AND COMPARISON
We implemented the proposed hierarchical key access mechanism on a computer with Windows 10 operating system running on Intel Core i5-6200 CPU 2.30 GHZ X-64 bit processor. It has 16 GB of memory, and we use JAVA programming language, and Eclipse integrated development environment (IDE).
The extracting process of a secret key K i requires first finding an orthonormal basis described in Algorithm 2 (Gram-Schmidt orthogonalization process). Upon constructing an orthonormal basis, the method employs orthogonal projection, which outputs the K i where Algorithm 1 stands for the key extracting process. The vector space V can be selected as an inner product space, and in fact, V being a polynomial space over any field offers suitable choices for inner product and subspaces. On the other hand, for simplicity, we employed the well-known space R n and the inner product, which is called dot product, in the implementations.

Performance Analysis
In this section, we will discuss the performance and security analysis of the proposed scheme.
Public and private storage needs, key derivation, and key update overhead are critical metrics to gauge the efficiency of our scheme. Note that the number of classes G in the hierarchy is c. The maximum dimensions of a subspace associated with any class at the bottom in the hierarchy are denoted by b.
Forward Inclusion: Public information storage need: The f vector which does not lie in the subspace W i for all i = 1, 2, · · · , c where c is the total number of classes in the hierarchy but lies in the vector space V is the only public information for each class to derive the corresponding secret key K Gi .
Private information storage need. Each member of the class needs its own basis S Ui to derive the K Gi . The S Gi , which belongs to the bottom classes, is the private information of the corresponding class. Therefore, the maximum private storage need per class in the hierarchy is b. All elements of the basis sets of the children are also the member of relevant parent classes' basis sets. Thus, all parents have one additional private vector, which is not on the basis of any of its children. In summary, all classes except the lowest

Return:
Orthonormal vector set V = {w 1 , w 2 , . . . , w n } child classes at the bottom have only one private information, whereas the classes at the bottom have a maximum private information need of b. Key derivation cost. Let K be the secret key of a class. The K is extracted from users' private information and requires access to data. The extraction process involves Gram-Schmidt orthogonalization operation and projection of the public vector f on the subspace generated by the users' private basis elements. The actual cost depends on the size of the basis and the defined inner product on the universal set V . To compute the cost of these steps, we fixed the group G and the corresponding subspace, which W denotes. Let n be the dimension of the subspace W , which is assigned to the group G. We will address the cost of extracting the key for a user in three categories: the required number of inner product I, multiplication M , and division D operations.
The number of I: n 2 + n.
2) Normalization process: The orthogonal basis should be normalized, requiring n additional I for n vectors.
3) The final operation for the projection is the determination of the coefficients in the equation 2 which requires n more I for the n dimensional vector space.
1) Gram-Schmidt orthogonalization process: 2) Equation 1: n additional M must be performed to obtain the projection vector h.
1) Gram-Schmidt orthogonalization process: 2) Normalization process: n additional D is required to normalize the orthogonal set consisting of n vectors.
In summary, the cost of deriving the secret key K for a user is O(n 2 ) where the ultimate cost is Key update. The scheme allows the insertion and deletion of classes in the hierarchy without the need to redistribution any public information. In addition, computational requirements redistribution of any private information needed for key updates (if there is an insertion) is minimal.
Change in the hierarchy. In case of a change (insertion or deletion) in the number of users and classes, there is no need for extra private or public information, so the key derivation cost will be constant when any class is deleted. As seen in Figures (5-7), key derivation for relevant parent classes will increase linearly only with the insertion of a new child class as the dimension of the subspaces increases. Note that the change in the hierarchy might also cause to privilege creep problem, and our scheme brings a solution for this with a little extra storage need and key derivation cost. (see 5.2).
We implement Algorithm 1 and Algorithm 2 while selecting real vector space R n over real numbers to observe the real-time cost of the key derivation process. The inner product then is chosen to be the dot product. The dimension of vector subspaces vs. maximum total key derivation cost (milliseconds) is depicted in Figures (5-7) below. The key derivation cost increases linearly as the dimension of vector subspaces increases. When calculating the key derivation cost for any user U in the group G, only for the 11 th and 12 th steps of Algorithm 1 have been considered. Namely, these steps are directly related to the actual key derivation cost after the startup phase (up to 10 th step) of the algorithm is completed.

Security Analysis
KR s . Because each class in the hierarchy has a distinct basis S, any child class, and any same level class cannot derive any private keys that do not belong to their own class. Our scheme is collusion resistant to coalition attacks of the child classes and the same level classes. Hence we can easily say that it provides at least KR s . KI s . Our scheme's security is based on the assertion of chosen linearly independence vectors. For any child class, finding a unique linearly independent vector of the parent class is negligible. In other words, any element in the universal not belonging to the subspace associated with the child is equally likely to be the one that the child class is looking for. That makes finding an upper-class basis computationally infeasible. Thus the security of our scheme has provided KI s .
Resistance to privilege creep problem. If there is a change in the hierarchy, which means that the clearance level of any U of the class is downgraded or the membership is changed (e.g., if a U member of G 7 later becomes a member of G 8 , or leaves the organization), the user U should no longer be able to access other classes for which they previously had privileges. When any of the above situations occur, the basis S owned by the user's group gets extra basis element v i distributed to all users in this group and relevant parents (inserting only one element into the basis of the relevant classes). In this way, the maximum private storage will increase by one as relevant space's dimension increases by one, and the key derivation cost will increase accordingly. The left user can not guess the extra basis elements, so the user can not derive the key anymore at the expense of a little extra storage cost. Table 1 reveals a comparison between our scheme and some other well-known key access schemes. The comparison takes into account several parameters, and the notation can be seen at the bottom of Table 1.

Comparison with Other Schemes
In Akl and Taylor based schemes [2], [6] - [13], [15], [16], the key update and the key derivation are costly that these schemes might not be practical for large distinct classes in a hierarchical structure. Some are insecure against collusion attacks and only satisfy KR s and KI s under the RSA assumption or random exponent. KR s and KI s notions, in other words, a provably secure scheme first came up with [21].
In Atallah et al. [21] and De Santis et al. [30], the number of public information increases with the number of security classes. Private storage is only a single symmetric key for each class. However, the key derivation cost is directly related to the path length between classes. Namely, the cost grows if the path length between classes increases. From the security perspective, these schemes are KI s and CP A s .
In D'Arco et al. [14], it has proven that Akl and Taylorbased schemes [6] - [13], [15], [16] (KR s by default) can only be KI s under RSA assumptions RSA s . But, to achieve KI s property, the additional public storage need and key derivation cost must be met, which will be a quite multiple of the bit length l of the key.
In Ateniese et al. [17], the key derivation is very efficient regardless of path length between classes. The main drawbacks are related to storage needs. For the first proposed scheme, both the number of classes and the number of time periods are parameters to define the need for public information. For the second proposed scheme, the number of time periods is the critical parameter to define the need for private information.
In Freire et al. [23], there is a trade-off between private information storage requirement and efficiency of key derivation. The ultimate efficiency of key derivation is limited by path length between the classes in hierarchy h. On the other hand, the amount of private information depends on the poset width w. The most important contribution to the literature is that it does not need public storage.
In Tang et al. [32], the direct access scheme without the need for iterative computation addresses the potential changes in the hierarchy with light computations as well as achieves SKI s . But, the main drawback is the amount of public information compared to others, and there is a trade-off between computation cost and storage space. Each class needs to compute two times M (computational time of modular multiplication), and one time A (computational time of modular addition) over F q to derive its K. On the other hand, each class needs to compute twice the value of F , four times M , and two times A over F q . Thus, the ultimate overhead of each class might not be tolerable, which makes the scheme inefficient. In addition, if there is a change in the hierarchy, the data owner needs to compute and publish a new public matrix.
On the other hand, our scheme is a flexible and finegrained hierarchical direct access control scheme and does not need other classes to derive the secret key. Key derivation cost n 2 . Our scheme's public and private storage needs are tolerable and guarantee SKI s based on the security of the linearly independent chosen vectors LICV . The other advantage over [32] is that there is no need to publish new public information if there is a change in the hierarchy.

CONCLUSION
In this work, the inner product spaces have been applied to construct a hierarchical key assignment scheme employed in various situations, especially for any cloud infrastructures.
Public and private storage requirement, key derivation, and key update overhead, resistance to collusion attacks and privilege creep problem, the state of KR s and KI s , and whether creating an information-theoretic secure system or not are critical parameters to compare our schemes with other hierarchical assignment schemes in the literature. For instance, public and private storage needs are among the main burdens for the data owner who processes the missioncritical data in hierarchical infrastructures. Our scheme has reduced these to certain low levels.
The other best practice for key assignment schemes ensuring a computationally efficient method for derivation and updating keys is also provided in our scheme.
From the security perspective, the collusion problem in other words collaborated attack, which is one of the main problems for key access assignment schemes in literature is prevented by our scheme. Our scheme guarantees the resistance to collusion attacks and privilege creep problem, ensuring forward and backward security. This proposal also provides KR s and KI s .