In this section, we present the notation used throughout this chapter and some prelim- inary notions.
2.1.1 Notation
We use the following notation: • S: Sender
• R: Receiver • I: Intruder
• Ti: The ith time interval corresponding to the generation of the ith key of a high level key chain
• Ti,j: The time interval corresponding to the ith high level key and the jth low level key
• t0: The start time • T ime: The current Time
• Mi,j: The jth message in time interval Ti
• M0: A primed variable M0 always means the new value of M • M1.M2: Message M1 concatenated with message M2
• CDM : Commitment Distribution Message
• inv: Inverse of a key. Given a public key returns private key • M AC: Message Authentication Code
• Hash: Message authentication code function • d: The disclosure key delay
• S → R: M ; Message M sent from S to R
• Ki,j: The authenticated key of the ith low level chain in the jth time interval • Ki: The authenticated key corresponding to the high level chain in time interval Ti • Ki,0: The first key of the ith low level chain or the first key commitment of the ith
low level chain
• n1: The number of keys in the low level key chain • n0: The number of keys in the high level key chain • Iknowledge: Intruder Knowledge
• Mk: Message encrypted with key k
• Kprevc1: Set initially to the first key of the high level chain, and then it indicates the current key
• Kprev2: The value of the disclosed key in the received packet • Kpublished: The disclosed key
• Kprev: It indicates the previous key, set initially to the first key of the low level key chain
• act1 /\ act2: This operator indicates in HLPSL language that these two actions act1 and act2 are operated simultaneously
• P RF : Pseudo Random Function
• d: The disclosure key delay. It is represented on terms of number of time intervals.
2.1.2 Preliminaries
In the following, we give a brief overview of the Bloom Filter data structure, and the key chain.
Bloom Filter A Bloom filter is a space-efficient data structure for representing a set.
This structure is used in order to test membership queries. In order to represent a set
E = e1, e2, ..., en of n elements, a Bloom vector B of m bits can be used. The m bits are initially all set to 0. Moreover, this structure needs k independent hash functions h1,..., hk. These k hash functions range between 0 and m − 1, and each element is mapped to [0, ...,
m − 1]. For each element e in E, the bits hi(e) are set to 1 for 1 ≤ i ≤ k. In order to
verify if an item e is in E, we test whether all bits hi(e) are set to 1. If yes, e is assumed to be a member of E. If not, e is not a member of E. A Bloom filter may suggest that an element e is in E even though it is not [100]. Figure 2.1 illustrates an example of Bloom Filter insertion. To query the membership of an item e0 within E, the bits at indices hi(e0) (1 ≤ i ≤ k) are checked. If any of them is 0, then certainly e0 6∈ E. Otherwise, if all the bits are set to ‘1’, e0 ∈ E with high probability. There is a possibility of error which arises due to the hashing collision that makes the elements in E collectively causing indices hi(e0) being set to 1 even if e0 6∈ E. This is called a false positive. Note that there is no false negative in the Bloom Filter membership verification. The probability of a false positive [100] fprob is then approximated to:
fprob = (1 − e
−k×n
m )k
Key chain and its Application in Resource Constrained Networks One way key
chain is a cryptographic primitive. The first use of this technique was for one time passwords [101]. This primitive is used in S/KEY one time password system [102]. After that, one-way chains are also used in many other applications. Figure 2.2 illustrates the generation of a one-way chain. In order to generate this chain, we randomly pick the last element of the chain, and we generate the chain by repeatedly applying a one way function f . Finally, v0 is a commitment to the entire one-way chain, and we can verify any element of the chain through v0. For example, in order to verify that an element vi is indeed the element with index i of the hash chain, we check that fi(vi) = v0. We reveal the elements of the chain in this order v0, v1, v2, and vn. The storage of this chain could be done in two manners. The first one is to create it all at one and store each element of the chain. The second manner
e1 e2 e3 e4
h1(e1)
h2(e1) h3(e1)
h1(e2) h2(e2) h3(e2)
. . .
1 0 1 0 0 1 0 0 0 1 0 0 0 0 0 1
bit 0 bit 15
Figure 2.1. – A Bloom Filter with n = 4, m = 16 and k = 3
Generation Use/Reveal f(vn) f(vn-1) v0 f(v1) v vn-2 vn-1 vn 1 f(v2) ...
Figure 2.2. – An example of a One Way Key Chain
is to store the current key vi, and compute any other key on demand. An hybrid approach was proposed to reduce the storage with a small computation penalty. The authors in [103] devise a storage efficient mechanism for one way chains. In fact, a one way chain with N elements only requires log(N ) storage and log(N ) computation to access an element.