The identity based cryptosystems discussed later in this thesis are based on the hardness of the Bilinear Diffie Hellman Problem (BDHP).
Definition 3.11 (Bilinear Diffie Hellman Problem). Given $P, aP, bP, cP \in E(GF(2^m))$ it is computationally infeasible to calculate $e_l(P, P)^{abc} \in GF(2^{mk})$.
This implies that the Diffie Hellman Problem (DHP) is also a hard problem in $E(GF(2^m))$ and $GF(2^{mk})$. The DHP in $E(GF(2^m))$ is that given $P$, $aP$ and $bP$ it is hard to calculate $abP$. If this was not the case then $abP$ and $cP$ could be input to the Tate pairing to calculate $e_l(P, P)^{abc} = e_l(abP, cP)$, and so the BDHP is solved.
The DHP in $GF(2^{mk})$ is that, given three elements $\alpha$, $\alpha^x$ and $\alpha^y \in GF(2^{mk})$, it is computationally infeasible to calculate $\alpha^{xy} \in GF(2^{mk})$ if the field is large enough. Also, if the DHP is easy in $GF(2^{mk})$ then the BDHP can be solved. For given $e_l(aP, bP) = e_l(P, P)^{ab}$ and e
Mathematical Background
3.9 Summary
The cryptographic protocol outlined in Chapter 4 makes use of the Tate pairing, which is a bilinear map defined over an elliptic curve. It takes two points on an elliptic curve, that have coordinates in $GF(2^m)$, and maps them to an element of the $l$ roots of unity in $GF(2^{mk})$. The underlying field $GF(2^m)$ on which the elliptic curve is defined should be large enough so that the ECDLP is computationally infeasible; this means that it should be of the order of at least $2^{160}$ – see Chapter 4. The DHP is posed in the field to which the Tate pairing maps these points, and in order for the problem to be secure the size of the field has to be at least $2^{1000}$. As the security multiplier, $k$, is four for the curve considered in this thesis, $m$ has to be at least 250. In fact, the curve that is being used is $E(GF(2^{283}))$ – see Equation (3.44).
The Tate pairing was originally calculated using Miller’s algorithm [64]. Improvements have recently been proposed to Miller’s algorithm to reduce its cost in terms of its execution time [33, 8, 59, 6]. Of particular interest in this thesis is the η algorithm proposed in [59, 6], which is the most amenable to a low energy hardware implementation, as it has the least number of multiplications in the subfield, is defined over a field of characteristic two and has a regular structure which maps well to hardware (see Algorithm 3).
Security Considerations in a WSN
4.1 Introduction
There is a clear need for security in a wireless sensor network. The main requirements, known as confidentiality and authentication respectively, are that the data exchanged in the network should not be read by an unauthorised third party and also that this third party cannot join the network.
Confidentiality can be assured by data encryption, either with an asymmetric or symmetric cipher. In practice, an asymmetric system is considered too costly in terms of its computational complexity to perform any task other than the distribution of symmetric keys, or sending one-off messages of the order of a symmetric key. In order to perform network access control the wireless sensor nodes should be able to generate digital signatures.
4.2 Symmetric Systems
In symmetric key cryptosystems security is dependent on keeping the key that is shared between the communicating wireless sensor nodes a secret. This means that an adversary should not be able to obtain the key, and that if it does then the security of the system is compromised.
Figure 4.1 shows Alice encrypting a message, m, with the encryption algorithm, E, and the secret key, k. The adversary, Eve, can only see the ciphertext, c. Bob uses the publicly available decryption algorithm, D, together with the secret key to extract the message.
Figure 4.1: Symmetric Cryptosystem
The feasibility of a symmetric scheme for wireless sensor networks has been proved [51]. In this scheme a software approach has been shown to only add a 10% overhead of energy, though it should be noted that the key distribution problem is not addressed in this scheme.
4.3 Key Distribution
Of the many challenges facing real deployments of WSNs, the distribution of symmetric keys in the network is one of the most difficult to address. As there is no in-situ infrastructure for the wireless sensor nodes to interact with in order to obtain keys on the fly, like in a traditional Public Key Infrastructure (PKI) approach, novel techniques have to be employed. This section discusses different approaches to the key distribution problem.
4.3.1 System-Wide Key
The simplest approach to deploying a symmetric system would be for all the wireless sensor nodes to share the same key. As the wireless sensor nodes could be placed in a region where an adversary can capture them, it is likely that the adversary could extract the secret key, and therefore would be able to monitor all communication in the network. For this reason, this method of ensuring privacy is not appropriate in a hostile environment.
4.3.2 Pair-Wise Keys
Another method would be for all the wireless sensor nodes to set up pair-wise keys between them before deployment. If there are $n$ wireless sensor nodes in the network then each wireless sensor node would have to store $n - 1$ keys in its persistent memory. In a resource constrained device this would be a problem as storing the keys would use too much memory. The other main drawback to using this scheme is that it does not scale. If, after deploying the bulk of the wireless sensor nodes, it is required to add extra wireless sensor nodes then this is not possible unless the extra wireless sensor nodes’ keys are already programmed in the deployed network. Upon capture of a wireless sensor node, however, only its $n - 1$ links will be compromised, which is a slight improvement on the system that uses only one symmetric key.
4.3.3 Probabilistic Key Sharing
Yet another symmetric technique is probabilistic key sharing [29]. In this approach a large pool of keys is generated from which a smaller ring of keys is randomly selected and preloaded before deployment into each wireless sensor node. Each wireless sensor node thus has a separate ring of keys in which there may be a shared key. During the shared key discovery phase of the algorithm, the wireless sensor nodes ascertain whether or not there is a secure path between them. It has been shown [29] that in order to create a network of 10,000 wireless sensor nodes the pool of keys has to be 100,000 and the key ring only has to be 250. This system is scalable as when a new wireless sensor node is added to the network it only has to be preloaded with a random selection of 250 keys from the key pool. However, this scheme is not secure against capture by an adversary. If one wireless sensor node is captured then there is a probability of $\frac{250}{100000}$ that any of the links in the network can be deciphered, but this increases to $\frac{1}{10}$ after the capture of 40 wireless sensor nodes.
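The capture figures above can be checked numerically. The following Python sketch is an added example, not part of the thesis or of [29]; the function names are hypothetical and it assumes each link is protected by one key drawn uniformly from the pool. It computes the chance that two rings share a key and the fraction of the pool exposed after node capture, showing that the linear estimate $40 \cdot \frac{250}{100000} = \frac{1}{10}$ slightly overcounts because captured rings overlap.

```python
import math
import random

POOL_SIZE = 100_000  # key pool size quoted in the text
RING_SIZE = 250      # keys preloaded into each node, as quoted in the text


def share_probability(pool: int, ring: int) -> float:
    """Exact probability that two independently drawn rings share a key."""
    # P(no shared key) = C(pool - ring, ring) / C(pool, ring). Work in log
    # space so the enormous binomial coefficients are never built.
    def log_comb(n: int, r: int) -> float:
        return math.lgamma(n + 1) - math.lgamma(r + 1) - math.lgamma(n - r + 1)

    return 1.0 - math.exp(log_comb(pool - ring, ring) - log_comb(pool, ring))


def exposed_fraction(pool: int, ring: int, captured: int) -> float:
    """Expected fraction of the pool an adversary holds after capturing
    `captured` nodes; overlap keeps it below captured * ring / pool."""
    return 1.0 - (1.0 - ring / pool) ** captured


def simulate_exposed(pool: int, ring: int, captured: int, seed: int = 1) -> float:
    """Monte Carlo cross-check: draw the rings and count distinct keys."""
    rng = random.Random(seed)  # fixed seed for a repeatable simulation only
    known = set()
    for _ in range(captured):
        known.update(rng.sample(range(pool), ring))
    return len(known) / pool


if __name__ == "__main__":
    print(f"two rings share a key: {share_probability(POOL_SIZE, RING_SIZE):.3f}")
    for nodes in (1, 10, 40, 100):
        linear = nodes * RING_SIZE / POOL_SIZE
        exact = exposed_fraction(POOL_SIZE, RING_SIZE, nodes)
        sim = simulate_exposed(POOL_SIZE, RING_SIZE, nodes)
        print(f"{nodes:4d} captured: linear {linear:.4f}  "
              f"expected {exact:.4f}  simulated {sim:.4f}")
```

The gap between the linear and expected columns widens as more nodes are captured, so the linear figure is best read as an upper bound on exposure.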
4.3.4 Public Key Systems
Another approach to key distribution is to employ an asymmetric or public key system. In these schemes there is a private/public key pair and it is considered computationally infeasible to calculate the private key from the public one. The wireless sensor nodes can be deployed with an embedded private/public key pair. They then broadcast the public key to their neighbours, who can then use this public key to encrypt a message to them. This scheme has the added advantage that the private key can be used to generate digital signatures. Asymmetric systems are secure against individual wireless sensor node capture and they are also scalable.