In this section, we explain the key concepts and preliminaries that will be used in this chapter to formulate our problem, and subsequently throughout the thesis in proposing a solution to the defined problem.
3.2.1 Key Predistribution
Key predistribution is a key distribution method. In large-scale WSNs whose physical topology is unknown prior to deployment, some keys or key materials are installed in the sensor nodes before deployment. Key predistribution alleviates the communication cost between group members and also provides secure connectivity between nodes.
3.2.2 Symmetric Key Cryptography
Symmetric key cryptography [107] concerns symmetric algorithms, also called secret key algorithms or single key algorithms: algorithms in which the encryption key can be calculated from the decryption key and vice versa. In most symmetric algorithms the encryption key and the decryption key are identical. Symmetric algorithms require that the sender and the receiver agree on a key before they can communicate securely; the security of a symmetric algorithm rests in the key. Symmetric key algorithms can be divided into stream ciphers and block ciphers. Examples of popular and well-respected symmetric algorithms include AES (Rijndael), DES, 3DES, IDEA, RC4, etc.
Encryption and decryption with a symmetric algorithm can be denoted as follows:
$$E_K(M) = C, \qquad D_K(C) = M.$$
3.2.3 Public Key Cryptography
Public key cryptography [107] concerns public key algorithms, where the key used for encryption is different from the key used for decryption. Furthermore, the decryption key cannot be calculated from the encryption key. The encryption key is public and is correspondingly called the public key. Anyone can use the encryption key to encrypt a message, while only the person with the corresponding decryption key can decrypt it. The decryption key is called the private key. RSA and ECC are two very popular public key algorithms.
Encryption and decryption with a public key algorithm are denoted in the same way as for a symmetric key algorithm, even though the public key and the private key are different.
3.2.4 Hierarchical Wireless Sensor Network (HWSN)
Unlike flat WSNs, where sensors act as routers and transfer data via multi-hop routing, in an HWSN some more powerful fixed or mobile nodes are used to collect and transfer sensing data. These more powerful nodes also work as cluster heads by performing a management function. Commonly used HWSNs include three levels: the base station at the root level, cluster heads at the second level, and normal sensor nodes at the third level.
3.2.5 Mutual Authentication
Mutual authentication, also called two-way authentication, is a process in which both entities in a communication link authenticate each other. In general network environments, especially E-commerce transactions, the client authenticates the server and vice versa. In sensor network environments, mutual authentication not only refers to authentication between the normal nodes and the base station; it can also refer to two counterparts that are assured of each other's identity.
3.2.6 Implicit Authentication
Implicit authentication is not performed as an independent process. Instead, it is the byproduct of other processes, such as key establishment. This authentication paradigm in wireless sensor networks can reduce operating complexity and minimize power consumption.
3.2.7 Self-healing Key Distribution
Self-healing key distribution can be thought of as a branch of key distribution. The objective of self-healing key distribution is to enable group users to recover session keys by themselves, without requesting additional transmissions from the group manager, even if they miss some broadcast messages. The pioneering work on self-healing key distribution was proposed by Staddon et al. in [80].
3.2.8 Mutual-healing Key Distribution
Mutual-healing key distribution can be seen as complementary to the self-healing key distribution mechanism. In self-healing key distribution schemes, if a node has missed more than a fixed number of broadcast messages or the last broadcast message, it can get assistance from its neighboring nodes. The neighboring nodes in the same session group cooperate with each other, forwarding the broadcast messages which the neighboring nodes missed. In this way, the nodes can receive the missed broadcast messages in a timely and efficient manner. Thus, the robustness of self-healing key distribution schemes is strengthened. The idea of mutual-healing was proposed by Bohio et al. in [97].
3.2.9 Session
In order to make key management convenient, the lifetime of a network can be divided into many time slots. Each time slot is called a session.
3.2.10 Access Structure
The term access structure originates in secret sharing. A secret is shared among the users in $U = \{1, \ldots, n\}$; only qualified subsets of $U$ can reconstruct the secret from their shares. The family of qualified subsets is called the access structure, denoted by $\Gamma$. The family $\Gamma \subseteq 2^U \setminus \{\emptyset\}$ must be monotone increasing, that is, $A_1 \in \Gamma$ and $A_1 \subseteq A_2 \subseteq U$ imply $A_2 \in \Gamma$. The family of authorized subsets $\Gamma$ is the closure of the family of minimal authorized subsets $\Gamma_0$, called the basis of the structure. The family of non-authorized subsets $\bar{\Gamma} = 2^U \setminus \Gamma$ is monotone decreasing, that is, $A_1 \in \bar{\Gamma}$ and $A_2 \subseteq A_1$ imply $A_2 \in \bar{\Gamma}$. The family of non-authorized subsets $\bar{\Gamma}$ is determined by the set of maximal non-authorized subsets $\bar{\Gamma}_0$.
3.2.11 Shamir’s Secret Sharing
Shamir's secret sharing [108] is based on a polynomial interpolation technique. It allows a dealer $D$ to distribute a secret $s$ to $n$ players $P_1, \ldots, P_n$, such that any set of at least $k \le n$ players can reconstruct the secret, while any fewer than $k$ players cannot obtain any information about the secret.
A $(k, n)$ secret sharing protocol is as follows:
1. Share computation algorithm:
• Dealer $D$ creates a random polynomial of degree $k-1$, $f(x) = a_0 + a_1 x + a_2 x^2 + \cdots + a_{k-1} x^{k-1}$, which satisfies $a_0 = s$. Without loss of generality, we suppose $f(x)$ is constructed over a finite field.
• Dealer $D$ randomly chooses $n$ distinct points $x_j \neq 0$ ($j = 1, \ldots, n$), and secretly distributes each share $(x_j, f(x_j))$ to the corresponding player $P_j$.
2. Share reconstruction algorithm: Given $k$ distinct pairs $(x_{t_i}, f(x_{t_i}))$ ($1 \le i \le k$), there is a unique polynomial $f(x)$ of degree $k-1$ passing through all the points. The polynomial can be reconstructed with Lagrange interpolation:
$$f(x) = \sum_{i=1}^{k} f(x_{t_i})\, L_i(x),$$
where $L_i(x)$ is the Lagrange basis polynomial
$$L_i(x) = \prod_{1 \le j \le k,\; j \neq i} \frac{x - x_{t_j}}{x_{t_i} - x_{t_j}}.$$
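The $(k, n)$ protocol above, worked through in code as an added example (this is not code from the thesis). Arithmetic is done over the prime field $GF(p)$ with a constructed modulus; the evaluation points are fixed to $x_j = 1, \ldots, n$ rather than drawn at random, which the scheme permits as long as they are distinct and nonzero. The last function illustrates the information-theoretic claim of the section: $k-1$ shares together with any guessed secret still determine a polynomial of degree $k-1$, so every candidate secret is equally consistent with what $k-1$ players hold.

```python
import secrets

# Constructed field modulus for this example (a Mersenne prime); the thesis leaves
# the finite field unspecified. Secrets are integers in [0, PRIME).
PRIME = 2**61 - 1


def eval_poly(coeffs, x, p):
    """Evaluate f(x) = a_0 + a_1 x + ... + a_{k-1} x^{k-1} modulo p (Horner's rule)."""
    acc = 0
    for a in reversed(coeffs):
        acc = (acc * x + a) % p
    return acc


def make_shares(secret, k, n, p=PRIME):
    """Share computation: a random polynomial of degree k-1 with a_0 = secret,
    evaluated at the distinct nonzero points x_j = 1..n (one share per player P_j)."""
    if not (0 <= secret < p and 1 <= k <= n < p):
        raise ValueError("need 0 <= secret < p and 1 <= k <= n < p")
    coeffs = [secret] + [secrets.randbelow(p) for _ in range(k - 1)]
    return [(x, eval_poly(coeffs, x, p)) for x in range(1, n + 1)]


def interpolate_at(points, x, p=PRIME):
    """Lagrange interpolation: value at x of the unique polynomial of degree
    < len(points) through the given (x_i, y_i) pairs, all arithmetic mod p."""
    xs = [xi for xi, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("evaluation points must be distinct")
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, xj in enumerate(xs):
            if j != i:
                num = num * (x - xj) % p
                den = den * (xi - xj) % p
        # L_i(x) = num / den; division is multiplication by the modular inverse
        total = (total + yi * num * pow(den, -1, p)) % p
    return total


def reconstruct(shares, p=PRIME):
    """Share reconstruction: the secret is f(0) = a_0."""
    return interpolate_at(shares, 0, p)


def share_consistent_with(partial_shares, candidate_secret, x_target, p=PRIME):
    """Given k-1 shares and ANY candidate secret (taken as the point (0, candidate)),
    return the share value at x_target that the resulting degree-(k-1) polynomial
    would produce. Every candidate yields a valid polynomial, which is why k-1
    shares reveal nothing about the secret."""
    return interpolate_at([(0, candidate_secret)] + list(partial_shares), x_target, p)


if __name__ == "__main__":
    s = 123456789
    shares = make_shares(s, k=3, n=5)
    print("recovered from 3 of 5:", reconstruct(shares[1:4]) == s)
    print("2 shares fit the true secret:",
          share_consistent_with(shares[:2], s, shares[2][0]) == shares[2][1])
    print("2 shares fit a wrong secret just as well (a different third share):",
          share_consistent_with(shares[:2], 42, shares[2][0]) != shares[2][1])
```

Any $k$ of the $n$ shares reconstruct the secret, and supplying more than $k$ shares still interpolates the same polynomial. The third-share value computed under a wrong candidate secret differs from the real one, but the $k-1$ holders cannot tell which candidate is right without that extra share.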
3.2.12 Vector Space Secret Sharing
Vector space secret sharing was introduced by Brickell [109]. Suppose $D$ wants to share a secret with the members of a set $U$. It picks a function
$$\psi : U \cup \{D\} \to GF(q)^l \qquad (3.2)$$
where $q$ is a prime power and $l \ge 2$ is an integer. This function satisfies the property: $A \in \Gamma$ if and only if the vector $\psi(D)$ can be expressed as a linear combination of the vectors in the set $\psi(A) = \{\psi(i) \mid i \in A\}$. An access structure $\Gamma$ is said to be a vector space access structure if it can be defined in the above way.
A vector space secret sharing scheme for $\Gamma$ with set of secrets $GF(q)$ is constructed as follows (please refer to [109] for a proof):
1. Share Distribution. To distribute a secret value $k \in GF(q)$, $D$ takes at random an element $v \in GF(q)^l$ such that $k = v \cdot \psi(D)$. For $1 \le i \le n$, $D$ sends the share $s_i = v \cdot \psi(i)$ to $i \in U$ over a secure channel. Here the operation "$\cdot$" is the inner product modulo $q$.
2. Key Recovery. Let $A \in \Gamma$ be an authorized subset; then
$$\psi(D) = \sum_{i \in A} \lambda_i \, \psi(i) \qquad (3.3)$$
for some $\lambda_i \in GF(q)$. In order to recover the secret $k$, the members of $A$ compute
$$\sum_{i \in A} \lambda_i s_i = \sum_{i \in A} \lambda_i \, v \cdot \psi(i) = v \cdot \sum_{i \in A} \lambda_i \psi(i) = v \cdot \psi(D) = k. \qquad (3.4)$$
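The scheme of (3.2)-(3.4) in code, as an added example that is not part of the thesis. It goes slightly beyond the text by using a constructed access structure that is not a threshold one: with $q = 97$, $l = 3$, $\psi(D) = (0,1,0)$ and the four participant vectors below, the basis is $\Gamma_0 = \{\{1,2\},\{3,4\}\}$. The coefficients $\lambda_i$ of (3.3) are found by Gauss-Jordan elimination over $GF(q)$, which also decides membership in $\Gamma$: a subset is authorized exactly when the system has a solution. The choice of $q$, $\psi$ and the participant set is an assumption of this example.

```python
import secrets

# Constructed example: q = 97 (prime, so GF(q) is Z_97), l = 3, U = {1, 2, 3, 4}.
# The vectors are chosen so that the access structure is not a threshold one:
# its basis is Gamma_0 = {{1, 2}, {3, 4}}.
Q = 97
PSI_D = (0, 1, 0)
PSI = {
    1: (1, 0, 0),
    2: (1, 1, 0),   # psi(2) - psi(1) = psi(D)
    3: (0, 1, 1),
    4: (0, 0, 1),   # psi(3) - psi(4) = psi(D)
}


def inner(u, v, q=Q):
    """Inner product modulo q (the "." operation of the scheme)."""
    return sum(a * b for a, b in zip(u, v)) % q


def combination(vectors, target, q=Q):
    """Solve sum_j lam[j] * vectors[j] == target over GF(q) by Gauss-Jordan
    elimination. Returns the coefficient list lam, or None if target is not in the span."""
    m, l = len(vectors), len(target)
    # one row per coordinate: [v_1[r] ... v_m[r] | target[r]]
    rows = [[vectors[j][r] % q for j in range(m)] + [target[r] % q] for r in range(l)]
    pivots, r = [], 0
    for col in range(m):
        piv = next((i for i in range(r, l) if rows[i][col]), None)
        if piv is None:
            continue
        rows[r], rows[piv] = rows[piv], rows[r]
        inv = pow(rows[r][col], -1, q)
        rows[r] = [x * inv % q for x in rows[r]]
        for i in range(l):
            if i != r and rows[i][col]:
                f = rows[i][col]
                rows[i] = [(a - f * b) % q for a, b in zip(rows[i], rows[r])]
        pivots.append(col)
        r += 1
        if r == l:
            break
    if any(rows[i][m] for i in range(r, l)):   # a row reading 0 = nonzero: inconsistent
        return None
    lam = [0] * m                               # free unknowns are set to 0
    for i, col in enumerate(pivots):
        lam[col] = rows[i][m]
    return lam


def is_qualified(subset, psi=PSI, psi_d=PSI_D, q=Q):
    """A in Gamma iff psi(D) is a linear combination of {psi(i) : i in A}."""
    return combination([psi[i] for i in subset], psi_d, q) is not None


def distribute(secret, psi=PSI, psi_d=PSI_D, q=Q):
    """Share distribution: random v in GF(q)^l with v . psi(D) = secret; share s_i = v . psi(i)."""
    v = [secrets.randbelow(q) for _ in psi_d]
    # adjust one coordinate where psi(D) is nonzero so that v . psi(D) = secret
    j = next(i for i, c in enumerate(psi_d) if c % q)
    v[j] = (v[j] + (secret - inner(v, psi_d, q)) * pow(psi_d[j], -1, q)) % q
    return {i: inner(v, psi[i], q) for i in psi}


def recover(subset, shares, psi=PSI, psi_d=PSI_D, q=Q):
    """Key recovery (3.3)/(3.4): lambda_i with sum lambda_i psi(i) = psi(D),
    then secret = sum lambda_i s_i."""
    subset = list(subset)
    lam = combination([psi[i] for i in subset], psi_d, q)
    if lam is None:
        raise ValueError(f"{subset} is not an authorized subset")
    return sum(li * shares[i] for li, i in zip(lam, subset)) % q


if __name__ == "__main__":
    shares = distribute(42)
    for A in ({1, 2}, {3, 4}, {1, 3}, {2, 4}, {2, 3, 4}):
        print(sorted(A), "qualified" if is_qualified(A) else "not qualified")
    print("recovered by {1, 2}:", recover({1, 2}, shares))
```

Shamir's $(k, n)$ scheme is the special case $\psi(D) = (1, 0, \ldots, 0)$ and $\psi(i) = (1, x_i, x_i^2, \ldots, x_i^{k-1})$; the same `combination` routine then returns the Lagrange coefficients evaluated at $0$.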
3.2.13 Pseudo-random Number Generator (PRNG)
A Pseudo-random Number Generator (PRNG) takes a seed of a certain length as input and outputs a string, which is of a greater length than that of the seed.
3.2.14 Cryptographically Secure Pseudo-random Number Generator (CSPRNG)
A CSPRNG [110] is a PRNG whose output string cannot be computationally distinguished from a truly random distribution. CSPRNG requirements fall into two groups:
1. Every CSPRNG should satisfy the next-bit test. The next-bit test is as follows: Given the first k bits of a random sequence, there is no polynomial-time algorithm that can predict the (k + 1)-th bit with probability of success higher than 50%.
2. Every CSPRNG should withstand “state compromise extensions”. In the event that part or all of its state has been revealed (or guessed correctly), it should be impossible to reconstruct the stream of random numbers prior to the revelation. Additionally, if there is an entropy input while running, it should be impossible to use knowledge of the input’s state to predict future conditions of the CSPRNG state.
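An added illustration of the two definitions above (not code from the thesis): a seed-stretching generator in the sense of 3.2.13 whose state is replaced by a hash of itself after every output block. The one-way ratchet is what gives the backtracking half of requirement 2 (a captured state does not let the earlier output be recomputed), and `reseed` shows the prediction-resistance half (mixing in fresh entropy makes a previously captured state useless for predicting further output). The construction, the domain-separation labels and SHA-256 as the hash are assumptions of this example; it is a teaching construction, not a standardized DRBG, and production code should draw from the operating system generator (`secrets` / `os.urandom`).

```python
import hashlib
import os


class RatchetGenerator:
    """Stretches a short seed into an arbitrarily long output string.
    Teaching construction only: shows the shape of the CSPRNG requirements,
    it is not a standardized DRBG."""

    def __init__(self, seed: bytes):
        self.state = hashlib.sha256(b"seed|" + seed).digest()
        self.counter = 0

    def next_block(self) -> bytes:
        """One 32-byte output block, then a one-way step on the state."""
        out = hashlib.sha256(b"out|" + self.state + self.counter.to_bytes(8, "big")).digest()
        self.state = hashlib.sha256(b"ratchet|" + self.state).digest()  # cannot be run backwards
        self.counter += 1
        return out

    def generate(self, nbytes: int) -> bytes:
        buf = b""
        while len(buf) < nbytes:
            buf += self.next_block()
        return buf[:nbytes]

    def reseed(self, entropy: bytes) -> None:
        """Mix fresh entropy into the state; after this, knowledge of the old
        state alone no longer determines future output."""
        self.state = hashlib.sha256(b"reseed|" + self.state + entropy).digest()

    def snapshot(self) -> "RatchetGenerator":
        """Copy of the current internal state: models a party who has captured it."""
        clone = RatchetGenerator.__new__(RatchetGenerator)
        clone.state, clone.counter = self.state, self.counter
        return clone


def stretch(seed: bytes, nbytes: int) -> bytes:
    """PRNG in the sense of 3.2.13: seed in, longer deterministic string out."""
    return RatchetGenerator(seed).generate(nbytes)


if __name__ == "__main__":
    g = RatchetGenerator(os.urandom(32))
    earlier = [g.next_block() for _ in range(3)]
    captured = g.snapshot()          # state captured after the third block
    print("captured state predicts the next block:", captured.next_block() == g.next_block())
    g.reseed(os.urandom(32))
    print("after a reseed it still predicts:", captured.next_block() == g.next_block())
```

What a captured state does reveal is every block generated from it onward until a reseed; what the ratchet is designed to withhold is the blocks generated before the capture, which would require inverting SHA-256.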
3.2.15 One-way Hash Function
A hash function is the foundation of a hash chain. A hash function $H$ takes a binary string $M$ of arbitrary length as input and outputs a binary string of fixed length, called the hash value $h$: $h = H(M)$. A one-way hash function $H$ satisfies the following three properties [107]:
1. Computable property: Given an input $M$, it is easy to compute $h$ such that $h = H(M)$;
2. One-way property: Given a hash value $h$, it is computationally infeasible to
3. Collision-free property: Given a hash value $h$, it is computationally infeasible to find a second input $M'$ such that $H(M') = h$, where $M' \neq M$.
3.2.16 One-way Hash Chain
The forward hash chain of length m can be derived based on a hash function as follows:
1. generate a random key seed $K_0^F$ for the forward hash chain;
2. iteratively apply the hash function $H$ to the seed to produce a forward hash key chain of length $m$; the forward hash chain is generated as:
$$\{H(K_0^F), \ldots, H^i(K_0^F), \ldots, H^m(K_0^F)\} \qquad (3.5)$$
The backward hash chain can be derived based on a hash function as follows:
1. generate a random key seed $K_0^B$ for the backward hash chain;
2. iteratively apply the hash function $H$ to the seed to produce a backward hash chain of length $m$. The backward hash chain is generated as:
$$\{H(K_0^B), \ldots, H^i(K_0^B), \ldots, H^m(K_0^B)\} \qquad (3.6)$$
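The chain construction of (3.5)/(3.6) in code, as an added example that is not part of the thesis. $H$ is instantiated with SHA-256 (an assumption; the thesis leaves $H$ abstract) and the seed is a constructed value. Besides generating the chain, the example adds the check a verifier performs with it: holding only the chain end $H^m(K_0)$, it accepts a later-revealed element $H^i(K_0)$ by hashing it $m - i$ times, which relies on the one-way property of 3.2.15 to keep the seed and the unrevealed elements hidden.

```python
import hashlib
import os


def H(data: bytes) -> bytes:
    """The one-way hash function H of 3.2.15, instantiated here with SHA-256."""
    return hashlib.sha256(data).digest()


def hash_chain(seed: bytes, m: int) -> list:
    """Return [H(K0), H^2(K0), ..., H^m(K0)] as in (3.5)/(3.6): the element at
    index i-1 is H^i(K0). The seed itself is not part of the list."""
    chain, cur = [], seed
    for _ in range(m):
        cur = H(cur)
        chain.append(cur)
    return chain


def verify_link(anchor: bytes, candidate: bytes, steps: int) -> bool:
    """True iff applying H exactly `steps` times to `candidate` yields `anchor`.
    A verifier holding the committed chain end H^m(K0) accepts a revealed
    H^i(K0), i < m, with steps = m - i, without ever learning the seed."""
    cur = candidate
    for _ in range(steps):
        cur = H(cur)
    return cur == anchor


if __name__ == "__main__":
    K0 = os.urandom(32)                 # random key seed
    chain = hash_chain(K0, 10)
    anchor = chain[-1]                  # H^10(K0), the value handed to the verifier
    print("H^4(K0) accepted with 6 steps:", verify_link(anchor, chain[3], 6))
    print("H^4(K0) rejected with 5 steps:", verify_link(anchor, chain[3], 5))
```

The step count must be exact: a wrong count, a value from another chain, or a tampered element all fail the comparison against the anchor.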
3.2.17 Bilinear Pairings
Let $G_1$ and $G_2$ be two cyclic groups of order $q$ for a large prime $q$. $G_1$ is a cyclic additive group and $G_2$ is a cyclic multiplicative group. We assume that the discrete logarithm problems in both $G_1$ and $G_2$ are difficult. Let $e : G_1 \times G_1 \to G_2$ be a pairing which satisfies the following conditions:
• Bilinearity: $e(aP, bQ) = e(P, Q)^{ab}$ for all $P, Q \in G_1$ and all $a, b \in \mathbb{Z}_q^*$;
• Non-degeneracy: there exist $P \in G_1$ and $Q \in G_1$ such that $e(P, Q) \neq 1$. That is, for any points $P, Q \in G_1$, $e(P, Q) = 1$ iff $P = O$.
• Computability: there exists an efficient algorithm to compute $e(P, Q)$ for any $P, Q \in G_1$.
3.2.18 Bilinear Diffie-Hellman (BDH) Assumption
BDH Parameter Generator: A BDH parameter generator $\mathcal{IG}$ is a probabilistic algorithm that takes a security parameter $0 < k \in \mathbb{Z}$, runs in polynomial time, and outputs the description of two groups $G_1$ and $G_2$ of the same order $q$ and the description of an admissible bilinear map $e : G_1 \times G_1 \to G_2$.
BDH Problem: Given $\langle P, aP, bP, cP \rangle$ for some $a, b, c \in \mathbb{Z}_q^*$, compute $e(P, P)^{abc} \in G_2$.
BDH Assumption: There is no polynomial time algorithm to solve the BDH problem.
3.2.19 Discrete Logarithm Problem (DLP)
Given two group elements $P$ and $Q$, find an integer $n \in \mathbb{Z}_q^*$ such that $Q = nP$, when such an integer exists.
3.2.20 ID-based PKI
ID-based PKI involves a trusted KGC and nodes. Nodes' private keys are calculated by the KGC and sent to the node via a secure channel. The basic operations consist of Setup and Private Key Extraction. When we use bilinear pairings to construct ID-based private/public keys, the operations can be implemented as follows. The KGC runs a BDH parameter generator to generate two groups $G_1$, $G_2$ and a bilinear pairing $e : G_1 \times G_1 \to G_2$. It chooses an arbitrary generator $P \in G_1$ and defines two cryptographic hash functions $H_1 : \{0,1\}^* \to G_1$ and $H_2 : G_2 \to \{0,1\}^*$.
• Setup: The KGC chooses a random number $s \in \mathbb{Z}_q^*$ and sets $P_{pub} = sP$. Then the KGC publishes the system parameters $params = \{G_1, G_2, q, P, P_{pub}, H_1, H_2\}$ and keeps $s$ as the master key, which is known only to the KGC.
• Private Key Extraction: A node submits its identity $ID$ to the KGC. The KGC computes the node's public key $Q_{ID} = H_1(ID)$ and private key $S_{ID} = sQ_{ID}$, then privately returns $S_{ID}$ to the node.
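Setup and Private Key Extraction worked through in code, as an added example that is not part of the thesis, together with the check a node can make on the key it receives: by bilinearity (3.2.17), $e(S_{ID}, P) = e(sQ_{ID}, P) = e(Q_{ID}, P)^s = e(Q_{ID}, sP) = e(Q_{ID}, P_{pub})$, so a node can confirm that $S_{ID}$ really is $s$ times its own $Q_{ID}$ using public parameters only. No pairing library is assumed; instead a constructed toy pairing is used in which $G_1$ is the additive group $\mathbb{Z}_q$ (so $aP$ is simply the integer $a$, with $P = 1$ and $O = 0$) and $G_2$ is the order-$q$ subgroup of $\mathbb{Z}_p^*$, with $e(X, Y) = g^{XY}$. This map is bilinear and non-degenerate, which suffices to exercise the algebra, but it is deliberately insecure: the discrete logarithm in this $G_1$ is trivial and the BDH problem is therefore trivially solvable, so it must never be used as a real parameter generator. The group sizes, hash functions and identity strings are assumptions of the example.

```python
import hashlib
import secrets

# Constructed toy parameters (insecure; only for checking the algebra).
Q = 1019                 # group order q, a prime
P_MOD = 2 * Q + 1        # 2039, also prime, so Z_p^* has a subgroup of order q
G = pow(2, 2, P_MOD)     # a square in Z_p^*, hence an element of order q
P = 1                    # generator of G1 = Z_q (additive); aP is a mod Q, O is 0


def e(x: int, y: int) -> int:
    """Toy pairing G1 x G1 -> G2: e(X, Y) = g^(X*Y). Bilinear and non-degenerate."""
    return pow(G, (x * y) % Q, P_MOD)


def h1(identity: bytes) -> int:
    """H1 : {0,1}* -> G1 \\ {O}: hash an identity to a nonzero element of G1."""
    return int.from_bytes(hashlib.sha256(identity).digest(), "big") % (Q - 1) + 1


def setup():
    """Setup: the KGC picks the master key s in Z_q^* and publishes Ppub = sP."""
    s = secrets.randbelow(Q - 1) + 1
    params = {"q": Q, "P": P, "Ppub": (s * P) % Q}
    return params, s          # s is kept by the KGC only


def extract(identity: bytes, s: int):
    """Private Key Extraction: Q_ID = H1(ID), S_ID = s * Q_ID."""
    q_id = h1(identity)
    return q_id, (s * q_id) % Q


def verify_private_key(identity: bytes, s_id: int, params) -> bool:
    """A node's check of its extracted key using only public parameters:
    e(S_ID, P) == e(Q_ID, Ppub) holds iff S_ID = s * Q_ID, by bilinearity."""
    q_id = h1(identity)
    return e(s_id, params["P"]) == e(q_id, params["Ppub"])


def bilinearity_holds(a: int, b: int, x: int, y: int) -> bool:
    """e(aX, bY) == e(X, Y)^(ab), the bilinearity property of 3.2.17."""
    return e(a * x % Q, b * y % Q) == pow(e(x, y), (a * b) % Q, P_MOD)


if __name__ == "__main__":
    params, s = setup()
    q_id, s_id = extract(b"sensor-node-17", s)
    print("key verifies:", verify_private_key(b"sensor-node-17", s_id, params))
    print("tampered key verifies:",
          verify_private_key(b"sensor-node-17", (s_id + 1) % Q, params))
```

The verification step is the practical point for a sensor node: a corrupted or substituted $S_{ID}$ is caught at key installation rather than at the first failed session, and the node needs nothing secret to run the check.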