Pair-wise Network Topology Authenticated Hybrid Cryptographic Keys for Wireless Sensor Networks using Vector Algebra

Marco Pugliese, Fortunato Santucci
Center of Excellence DEWS - University of L'Aquila - L'Aquila, ITALY
marco.pugliese@ieee.org, santucci@ing.univaq.it

1-4244-2575-4/08/$20.00 © 2008 IEEE

Abstract

This paper proposes a novel hybrid cryptographic key scheme for the generation of pair-wise network topology authenticated keys (TAK) in a Wireless Sensor Network (WSN) using vector algebra in GF(q). The proposed scheme is deterministic; pair-wise keys are not pre-distributed but generated starting from partial key components; key management exploits benefits from both symmetric and asymmetric schemes (hybrid cryptography); and each key in a node pair can be generated only if the nodes have been authenticated (key authentication). Network topology authentication and hybrid key cryptography are the building blocks of this proposal: the former means that a cryptographic key can be generated if and only if the current network topology is compliant with the "planned network topology", which acts as the authenticated reference; the latter means that the proposed scheme is a combination of features from symmetric cryptography (for the ciphering and authentication model) and asymmetric cryptography (for the key generation model). The proposal fits the security requirements of a cryptographic scheme for WSN with limited computing resources. A deep quantitative security analysis has been carried out. Moreover, the cost analysis of the scheme in terms of computational time and memory usage for each node has been carried out and is reported for the case of a 128-bit key.

1. Introduction

This paper deals with the cryptographic aspect of security. In particular, we propose a novel cryptographic scheme compliant with realistic security requirements for WSN under limited resource availability. The proposed scheme exploits benefits from both symmetric and asymmetric schemes (Hybrid Cryptography) and each key in a node pair can be generated only if the nodes have been authenticated (topology key authentication, TAK). We want to highlight that network topology authentication, hybrid cryptography and the properties of vector algebra in GF(q) are the building blocks of this proposal. The remainder of this paper is organized as follows. In Section 2 a synthetic state of the art about cryptography applied to WSN, current pending issues and the rationale for this proposal are reported. In Section 3 the cryptographic scheme is described and its main features are compared with the corresponding ones of symmetric and asymmetric schemes. In Section 4 the scheme is formally defined and each component is rigorously shown. In Section 5 the scheme is formally defined and each mechanism and component rigorously shown. In Section 6 the cost analysis of the scheme in terms of computational time and memory usage is reported for the case of a 128-bit key. In Section 7 some conclusive comments and future works are reported as well.

2. Background and Motivations

Widely accepted traditional cryptographic key generation and management techniques can be either not practicable on WSN or not effective, or too few advantages are gained with respect to the disadvantages, and usually only symmetric schemes are considered feasible: random key pre-distribution schemes [2] are light to implement but randomness implies low resilience; several key reinforcement proposals to strengthen the security of the established link keys and improve resilience can be found, at the price of increased complexity in key management protocols, e.g. [3], [4], or by adding constraints on admissible communication patterns, e.g. [5]. The proposed scheme is deterministic and pair-wise; keys are not pre-distributed but generated starting from partial key components in a node pair; key management exploits benefits from both symmetric and asymmetric schemes (Hybrid Cryptography); moreover each key in a node pair can
be generated only if the nodes have been authenticated (key authentication); key authentication is based on the concept of "planned network topology" (Topology Authenticated Key, TAK). We now give the reasons for the introduction of the Hybrid Cryptography and Topology Authenticated Key concepts in our proposal. By Hybrid Cryptography it is meant that benefits featuring both symmetric and asymmetric cryptography [1] are exploited. It will be quantitatively shown in Sec. 5 that this approach is compliant with realistic security requirements for WSN: qualitatively speaking, limited resources (in terms of computational power, available memory and short life cycle) would suggest the adoption of symmetric cryptography, but the high exposure of sensor nodes to external attacks implies higher security requirements than in ad-hoc or traditional networks, and this would suggest the adoption of asymmetric cryptography. Moreover our approach does not require any centralised certification authority, as normal asymmetric schemes do. By Topology Authenticated Key it is meant that cryptographic keys can be generated if and only if the current network topology is compliant with a "planned network topology" or, using graphs, if and only if the graph representing the current network (the current net graph; a spanning tree is assumed for a WSN) can be found in the graph representing the "planned network topology" (the planned topology graph). We qualitatively define as "planned network topology" (details in Sec. 4.2) the topology of a network that has been planned by a service manager / network designer (the "planner") in order to fulfil specific service requirements. According to this definition, the planned network automatically gets the attribute of "certified network topology", where the certification authority is the planner. As an example, assume a new node is requesting to join the WSN at a certain attachment node: if this request were accepted, the resulting network topology would change; so, prior to accepting any attachment request and starting key generation, the topology compliance test (topology authentication) has to be performed first. The rationale for this approach comes from the consideration that WSN nodes are highly exposed to physical capture (more than nodes in traditional networks) by external attackers, to be used as probes to intercept and eventually inject malicious traffic into the network. Authentication at network topology level eliminates this dangerous occurrence. Moreover, in Sec. 4.2 it will be shown that the "predefined topology" implied by the "planned topology" mechanism is not actually a real constraint on the flexibility and scalability of the scheme.

The adoption of vector algebra in extended Galois fields GF(q) [1] as the driving mathematical mechanism in a cryptographic scheme to be applied to WSN nodes is motivated by the following properties. First, vector algebra offers more operators than ordinary scalar algebra (two kinds of products between vectors) and useful properties (for example the property exploited in the proof of the TAK Generation Theorem in Sec. 4). Second, the classical geometrical interpretations of vector algebra over the field of real numbers do not apply over finite fields; this makes any reverse engineering harder because no geometrical deductions can be exploited. Moreover the scalar product between vectors is a low complexity function with hashing properties, because it returns one scalar in GF(q) from two vectors, i.e. 6 scalars, in GF(q); this is important because TAK is definitively a scalar product (see Sec. 4, eq. (4-4) and (4-5)), as is the verification function $g(\cdot)$ defined in Sec. 3 and Sec. 4.2.

3. Description of the cryptographic scheme

According to the specific service requirements, the planner first identifies the appropriate network topology and then, with the support of a suitable processing unit (server), generates a set of parameters, which we call Local Configuration Data (LCD), that will be assigned to each node (Fig. 1). LCD includes:
• Private Key Component (Priv.Key.Comp.)
• Public Key Component (Pub.Key.Comp.)
• Local Planned Topology (Loc.Pld.Top.)
Information is classified according to the following definitions:
• Public: any information anyone can access (attackers included).
• Restricted: any information any node in the network can access.
• Private: any information only a single node in the network can access.
• Secret: any information only the planner can access.
It is important to highlight that the share of information capable of generating each pair-wise cryptographic key is classified as restricted / private, and the remaining information capable of generating all possible pair-wise cryptographic keys as secret: this approach to information management yields maximisation of the entropy associated with the cryptographic scheme, as will be shown in Sec. 5. The scheme exploits the impracticability of solving the Discrete Logarithm Problem (DLP) [1], which is a well-
known reverse engineering problem in GF(q). We put $q = 2^k$, where $k$ is an integer for which $q = 2^k \gg N$ holds and $N$ is the total number of nodes in the network. Let $V$ be a vector space over GF(q) where the generic vector $\mathbf{u} \in V$ is represented by a triple $(u_x, u_y, u_z)$ of vector components, elements of GF(q). Let $f(\cdot)$ be a function satisfying the following requirements:
1. It must be a one-way function.
2. $f(\mathbf{u}) * f(\mathbf{u}') = f(\mathbf{u}') * f(\mathbf{u}) \neq 0$ must hold for $\forall \mathbf{u}, \mathbf{u}' \in V$, where $*$ is an arbitrary commutative operator.
Let $g(\cdot)$ be a function satisfying the following requirements:
3. It must be a one-way function.
4. $g(\mathbf{u}, \mathbf{u}') = 0$ must hold only for $\forall \mathbf{u}, \mathbf{u}' \in U \subset V$, with $U$ a sub-space of $V$.
According to Kerckhoffs' Principle, the explicit expressions for both $f(\cdot)$ and $g(\cdot)$ are public. Fig. 1 reports the conceptual representation of the proposed scheme. Node $n_j$ broadcasts Pub.Key.Comp$_j$. Node $n_i$ receives it, starts the authentication procedure and applies the verification function $g(\cdot)$ to Loc.Pld.Top$_i$ and Pub.Key.Comp$_j$: if the result is zero, then node $n_j$ has been successfully authenticated by node $n_i$ and Key$_i$ can be generated. The same steps are performed by node $n_j$ and, in case of successful authentication, Key$_j$ is generated. If $f(\cdot)$ is compliant with the specified requirements (Sec. 3 n.1 and n.2), then Key$_i$ and Key$_j$ coincide (the key is symmetric) and define TAK. If the authentication fails, an indication of a possible threat is passed to the implemented Intrusion Detection System.

3.1 TAK vs. Asymmetric Key Schemes

The TAK mechanism differs from asymmetric schemes because:
1. The computational complexity to generate TAK from the key components is very low: just a few products and sums in GF(q) (Sec. 4.1).
2. The proposed scheme does not need any centralised certification authority: each node acts as a certification authority for its neighbour nodes, leading to a mutual certification authority (Sec. 4.2).
3. The algorithmic complexity to crack (reverse engineer) the TAK scheme is even greater with respect to a typical asymmetric scheme (Sec. 5).

3.2 TAK vs. Symmetric Key Schemes

Comparing the TAK mechanism to symmetric schemes, we will show that:
1. The scheme is perfectly secure at single node level and at network level (Sec. 5.2 and Sec. 5.3);
2. The cryptographic complexity to crack (reverse engineer) the TAK scheme is comparable to that of asymmetric schemes, which is well greater with respect to symmetric schemes (Sec. 5.2);
3. Key management is simple and comparable to symmetric schemes.

Fig. 1 Conceptual representation of the proposed cryptographic scheme (figure: Priv.Key.Comp$_i$ and Pub.Key.Comp$_i$ at node $n_i$, Priv.Key.Comp$_j$ and Pub.Key.Comp$_j$ at node $n_j$)

Fig. 2 Detailed representation of the proposed cryptographic scheme (figure: on the YES branch of the authentication test, $TAK_i = TAK_j = TAK$)
4. Formal Apparatus

Building blocks of the proposed scheme are:
1. Hybrid key cryptography
2. Network topology authentication.

4.1 Hybrid Key Cryptography

Let nodes $n_i$ and $n_j$ be a pair. The following definitions are assumed:
a. Let $A \subset V$, $M \subset V$. Elements in $A$ are defined as follows: $\forall \mathbf{a}_i, \mathbf{a}_j \in A$ if $\mathbf{m} \cdot (\mathbf{a}_i \times \mathbf{a}_j) \neq 0$, with $\mathbf{m} \in M$ an arbitrary fixed vector over GF(q);
b. Let $b \in B \subset GF(q)$ be an arbitrary fixed (not a generator) scalar in $B$: this information is secret;
c. Let $\mathbf{s} \in C \subset V$ be an arbitrary fixed vector over GF(q): this information is secret;
d. Let $f(\cdot) = k\, b^{\mathbf{m} \cdot (\cdot)}$, where $\mathbf{m} \in M$ satisfies (a) and $k \in GF(q)$ is an arbitrary constant. This definition of $f(\cdot)$ is compliant with the specified requirements (Sec. 3 n.1 and n.2) because for $\forall \mathbf{u}, \mathbf{u}' \in V$ and $\forall k \in GF(q)$:
$$k\, b^{\mathbf{m} \cdot \mathbf{u}} * k\, b^{\mathbf{m} \cdot \mathbf{u}'} = k\, b^{\mathbf{m} \cdot \mathbf{u}'} * k\, b^{\mathbf{m} \cdot \mathbf{u}} = |k|^2\, b^{\mathbf{m} \cdot (\mathbf{u} + \mathbf{u}')} = |k|^2\, b^{\mathbf{m} \cdot (\mathbf{u}' + \mathbf{u})},$$
where $*$ is the mod $q$ product (commutative) operator. Hereinafter the symbol $*$ will be omitted;
e. Let $\mathbf{k}_{li}, \mathbf{k}_{lj} \in KL \subset V$ (this information is private) and $\mathbf{k}_{ti}, \mathbf{k}_{tj} \in KT \subset V$ (this information is public) be defined as:
$$\text{(4-1)}\quad \mathbf{k}_{li} = \mathbf{a}_i f(\mathbf{a}_i) = \mathbf{a}_i\, k\, b^{\mathbf{m} \cdot \mathbf{a}_i} \ \text{with}\ k = b^{\mathbf{m} \cdot \mathbf{s}}, \qquad \mathbf{k}_{ti} = \mathbf{s}_i \times \mathbf{a}_i$$
$$\text{(4-2)}\quad \mathbf{k}_{lj} = \mathbf{a}_j f(\mathbf{a}_j) = \mathbf{a}_j\, k\, b^{\mathbf{m} \cdot \mathbf{a}_j} \ \text{with}\ k = b^{\mathbf{m} \cdot \mathbf{s}}, \qquad \mathbf{k}_{tj} = \mathbf{s}_j \times \mathbf{a}_j$$
$$\text{(4-3)}\quad \mathbf{s}_i = \mathbf{m} f(\mathbf{a}_i) = \mathbf{m}\, b^{\mathbf{m} \cdot \mathbf{a}_i}, \qquad \mathbf{s}_j = \mathbf{m} f(\mathbf{a}_j) = \mathbf{m}\, b^{\mathbf{m} \cdot \mathbf{a}_j} \ \text{with}\ k = 1.$$
According to Kerckhoffs' Principle, the explicit expressions for $\mathbf{k}_l$ and $\mathbf{k}_t$ are public.

Fixed $\mathbf{m}$, $\mathbf{s}$, $b$ and for $\forall \mathbf{a}_i, \mathbf{a}_j \in A$, the following properties hold:
1. Always $TAK \neq 0$. This follows from the condition $\mathbf{m} \cdot (\mathbf{a}_i \times \mathbf{a}_j) \neq 0$ assumed in (a);
2. Elements in $KL$ are always distinct, i.e. for $\forall \mathbf{k}_{li}, \mathbf{k}_{lj} \in KL$ then $\mathbf{k}_{li} \times \mathbf{k}_{lj} \neq 0$. This follows from $\mathbf{m} \cdot (\mathbf{a}_i \times \mathbf{a}_j) \neq 0$ assumed in (a);
3. Elements in $KT$ are always distinct, i.e. for $\forall \mathbf{k}_{ti}, \mathbf{k}_{tj} \in KT$ then $\mathbf{k}_{ti} \times \mathbf{k}_{tj} \neq 0$. This proposition follows from $\mathbf{k}_{li} \times \mathbf{k}_{lj} \neq 0$ and $\mathbf{k}_{ti} \parallel \mathbf{m} \times \mathbf{k}_{li}$, $\mathbf{k}_{tj} \parallel \mathbf{m} \times \mathbf{k}_{lj}$ (compare (4-1), (4-2) and (4-3));
4. For each node $\mathbf{k}_l \cdot \mathbf{k}_t = 0$. The condition $\mathbf{a} \cdot (\mathbf{m} \times \mathbf{a}) = 0$ holds for $\forall \mathbf{a}$. This implies that always $\mathbf{k}_l \neq \mathbf{k}_t$.

Theorem (TAK Generation). In a node pair $n_i$ and $n_j$, for $\mathbf{m} \in M$ and $\mathbf{a}_i, \mathbf{a}_j \in A$ as defined in (a), fixed $b \in B$ as defined in (b) and $\mathbf{s} \in C$ as defined in (c), and $\mathbf{k}_{li}, \mathbf{k}_{ti}$ and $\mathbf{k}_{lj}, \mathbf{k}_{tj}$ as defined in (e), if $TAK_i$, $TAK_j$ are defined as follows:
$$\text{(4-4)}\quad TAK_i = |\mathbf{k}_{li} \cdot \mathbf{k}_{tj}|^2$$
$$\text{(4-5)}\quad TAK_j = |\mathbf{k}_{lj} \cdot \mathbf{k}_{ti}|^2$$
then TAK is (4-6):
$$TAK = TAK_i = TAK_j = b^{2\mathbf{m} \cdot (\mathbf{a}_i + \mathbf{a}_j)}\, |k\, \mathbf{m} \cdot (\mathbf{a}_i \times \mathbf{a}_j)|^2$$

Proof. The proof is straightforward: putting (4-1) into (4-4) and exploiting the vector algebra property $\mathbf{a} \cdot (\mathbf{a}' \times \mathbf{a}'') = \mathbf{a}' \cdot (\mathbf{a}'' \times \mathbf{a})$, then:
$$\text{(4-7)}\quad TAK_i = |\mathbf{k}_{li} \cdot \mathbf{k}_{tj}|^2 = |\mathbf{a}_i\, k\, b^{\mathbf{m} \cdot \mathbf{a}_i} \cdot (\mathbf{s}_j \times \mathbf{a}_j)|^2 = b^{2\mathbf{m} \cdot \mathbf{a}_i}\, |k\, \mathbf{s}_j \cdot (\mathbf{a}_i \times \mathbf{a}_j)|^2$$
Putting (4-2) into (4-5) and exploiting the property $\mathbf{a}_j \cdot (\mathbf{s}_i \times \mathbf{a}_i) = \mathbf{s}_i \cdot (\mathbf{a}_i \times \mathbf{a}_j)$, then:
$$\text{(4-8)}\quad TAK_j = |\mathbf{k}_{lj} \cdot \mathbf{k}_{ti}|^2 = |\mathbf{a}_j\, k\, b^{\mathbf{m} \cdot \mathbf{a}_j} \cdot (\mathbf{s}_i \times \mathbf{a}_i)|^2 = b^{2\mathbf{m} \cdot \mathbf{a}_j}\, |k\, \mathbf{s}_i \cdot (\mathbf{a}_i \times \mathbf{a}_j)|^2$$
Putting (4-3) into (4-7) and (4-8), the result (4-6) is found and the thesis is shown. Q.E.D.

4.2 Network Topology Authentication

The concept of "predefined topology" implied by a "planned topology" is not actually a real constraint on the flexibility and scalability of the scheme. This question is equivalent to counting how many spanning trees can be found in a given graph: if $N$ is the number of nodes in the network and $\sigma$ the average number of neighbours per node, Kirchhoff's (Matrix Tree) Theorem returns $\approx \sigma^N$ compliant topologies. Using the planned topology graph, we identify the $i$-th node with its public key component ($\mathbf{k}_{ti}$) and the branch between the $i$-th node and the neighbouring $j$-th node with a vector $\mathbf{t}_i$ over GF(q) such that $\mathbf{t}_i \cdot \mathbf{k}_{tj} = 0$. We denote $\mathbf{t}_i$ as a Topology Vector for the $i$-th node. The compliance test between current and planned topology (authentication) is carried out through the verification function $g(\cdot)$, defined as the scalar product between $\mathbf{t}_i$ and $\mathbf{k}_{tj}$: this choice for $g(\cdot)$ is compliant with requirements n.3 and n.4 defined in Sec. 3. The condition $g(\mathbf{t}_i, \mathbf{k}_{tj}) = \mathbf{t}_i \cdot \mathbf{k}_{tj} = 0$ holds only if the link between nodes $i$ and $j$ is compliant with the planned topology. The $i$-th node can have as many different Topology Vectors $\sigma(i) = \{\mathbf{t}_i\}$ as neighbour nodes are planned. The set $\sigma(i)$ defines the Local Planned Topology (Loc.Pld.Top. in Fig. 1) for the LCD.

Theorem (Network Topology Authentication). In a node pair $n_i$ and $n_j$, if $\exists\, \mathbf{t}_i \in \sigma(i)$ such that $\mathbf{t}_i \cdot \mathbf{k}_{tj} = 0$ exists, then $n_j$ belongs to the authentic net graph, i.e. $n_j$ is authenticated by $n_i$.

Proof. If nodes $n_i$ and $n_j$ are planned to be neighbours, it is enough to define $\mathbf{t}_i$ co-planar with $\mathbf{m}$ and $\mathbf{a}_j$, so that $\mathbf{t}_i \cdot (\mathbf{m} \times \mathbf{a}_j) = 0$, thus $\mathbf{t}_i \cdot \mathbf{k}_{tj} = 0$. Q.E.D.

The network topology authentication procedure follows:
1. Node $n_i$ receives $\mathbf{k}_{tj}$ and verifies if $\exists\, \mathbf{t}_i \in \sigma(i)$ exists such that $\mathbf{t}_i \cdot \mathbf{k}_{tj} = 0$; if yes, then node $n_j$ has been successfully authenticated by node $n_i$.
2. Node $n_j$, on reception of $\mathbf{k}_{ti}$, verifies if $\exists\, \mathbf{t}_j \in \sigma(j)$ exists such that $\mathbf{t}_j \cdot \mathbf{k}_{ti} = 0$; if yes, then node $n_i$ has been successfully authenticated by node $n_j$.
Fig. 2 reports the detailed representation of the scheme.

5. Security Analysis

The following question is crucial: how secure is the proposed scheme, i.e. how difficult is it to crack the scheme? This question is split into the following sub-questions:
1. Is TAK a real cryptographic key? I.e. what is the entropy per binit associated with TAK?
2. How secure is a single node? I.e. how complex is the inverse problem of breaking TAK (security level in a single node)?
3. How secure is the network? I.e. how many nodes should an attacker compromise to break TAK (security level in the network)?
The following sections answer these questions.

5.1 TAK Entropy

This section deals with the quantitative evaluation of TAK entropy. The following three positions are shown:
1. $H(\mathbf{k}_{tj}) = 0$, $H(\mathbf{k}_{ti}) = 0$. This is straightforward to show because $\mathbf{k}_{tj}$ and $\mathbf{k}_{ti}$ are public information and thus the related entropy is null by definition.
2. $H(\mathbf{k}_{li} \,|\, \mathbf{k}_{tj}) = H(\mathbf{k}_{li})$, $H(\mathbf{k}_{lj} \,|\, \mathbf{k}_{ti}) = H(\mathbf{k}_{lj})$. The proof for this position starts from the equation system (5-1) resulting from (4-1), (4-2) and (4-3): it can be shown that the values of $\mathbf{k}_{lj}$ and $\mathbf{k}_{ti}$ (the same holds for $\mathbf{k}_{li}$ and $\mathbf{k}_{tj}$) are decoupled: once the values for $b$, $\mathbf{s}$ and $\mathbf{m}$ are fixed, the values of $\mathbf{k}_{lj}$ and $\mathbf{k}_{ti}$ are one-to-one dependent on $\mathbf{a}_j$ and $\mathbf{a}_i$ respectively, but the relationship between $\mathbf{a}_j$ and $\mathbf{a}_i$ is one-to-many, as $\mathbf{m} \cdot (\mathbf{a}_i \times \mathbf{a}_j) \neq 0$ from Sec. 4 (a).
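The following is an added example, not code from the paper or its authors: a toy instance of the scheme of Sec. 3, Sec. 4.1 and the authentication procedure of Sec. 4.2, over GF(2^8) with the AES polynomial in place of GF(2^128), with constructed parameters $\mathbf{m}$, $\mathbf{s}$, $b$ and $\mathbf{a}_i$. The planner computes each node's LCD from (4-1), (4-2) and (4-3), a node applies $g(\cdot)$ to its Topology Vectors and the received public component, and both nodes of a planned pair obtain the same $TAK$ from (4-4) and (4-5); it also shows that a provisioned node that is not a planned neighbour fails the topology test. All function names (`plan_lcd`, `authenticate`, `tak`, `demo`) are mine; taking the exponent $\mathbf{m} \cdot \mathbf{a}$ as the integer value of the field element and the "square module" as squaring in GF(q) are assumptions about the paper's notation.

```python
# Added example (not from the paper): toy TAK scheme over GF(2^8).
# Assumptions: exponents are the integer value of a field element; |x|^2 is x*x in GF(q).

POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1 (the AES field; any irreducible degree-8 polynomial would do)


def gf_mul(x, y):
    """Multiply two elements of GF(2^8): carry-less product reduced modulo POLY."""
    r = 0
    while y:
        if y & 1:
            r ^= x
        y >>= 1
        x <<= 1
        if x & 0x100:
            x ^= POLY
    return r


def gf_pow(base, exp):
    """base^exp in GF(2^8) by square-and-multiply; exp is a non-negative integer."""
    r = 1
    while exp:
        if exp & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        exp >>= 1
    return r


def dot(u, v):
    """Scalar product: XOR-sum of component products (6 scalars in, 1 scalar out)."""
    return gf_mul(u[0], v[0]) ^ gf_mul(u[1], v[1]) ^ gf_mul(u[2], v[2])


def cross(u, v):
    """Vector product; in characteristic 2 the minus signs of the usual formula become XOR."""
    return (gf_mul(u[1], v[2]) ^ gf_mul(u[2], v[1]),
            gf_mul(u[2], v[0]) ^ gf_mul(u[0], v[2]),
            gf_mul(u[0], v[1]) ^ gf_mul(u[1], v[0]))


def scale(c, v):
    return tuple(gf_mul(c, x) for x in v)


def vadd(u, v):
    return tuple(x ^ y for x, y in zip(u, v))


def plan_lcd(m, s, b, a, planned_links):
    """Planner (server) side: build each node's Local Configuration Data.

    m, s are the secret vectors and b the secret scalar of Sec. 4.1 (a)-(c);
    a maps node id -> a_i; planned_links is the set of planned neighbour pairs.
    Returns {node: {"priv": k_li, "pub": k_ti, "top": [topology vectors]}}.
    """
    k = gf_pow(b, dot(m, s))                      # k = b^(m.s) as in (4-1)
    lcd = {}
    for i, a_i in a.items():
        for j, a_j in a.items():                  # constraint (a): m.(a_i x a_j) != 0
            if i != j and dot(m, cross(a_i, a_j)) == 0:
                raise ValueError(f"a_{i}, a_{j} violate constraint (a)")
        f_ai = gf_pow(b, dot(m, a_i))             # b^(m.a_i), i.e. f(a_i) with k = 1
        k_li = scale(gf_mul(k, f_ai), a_i)        # (4-1): k_li = a_i k b^(m.a_i)   (private)
        s_i = scale(f_ai, m)                      # (4-3): s_i = m b^(m.a_i)
        k_ti = cross(s_i, a_i)                    # (4-1): k_ti = s_i x a_i          (public)
        lcd[i] = {"priv": k_li, "pub": k_ti, "top": []}
    for i, j in planned_links:
        # Sec. 4.2: t_i co-planar with m and a_j (here m + a_j), so t_i.(m x a_j) = 0
        lcd[i]["top"].append(vadd(m, a[j]))
        lcd[j]["top"].append(vadd(m, a[i]))
    return lcd


def authenticate(loc_pld_top, k_t_peer):
    """Node side, verification function g(.): some t in sigma(i) with t.k_tj == 0."""
    return any(dot(t, k_t_peer) == 0 for t in loc_pld_top)


def tak(k_l_own, k_t_peer):
    """(4-4)/(4-5): TAK = |k_l . k_t'|^2, the square taken in GF(q)."""
    d = dot(k_l_own, k_t_peer)
    return gf_mul(d, d)


def demo():
    """Constructed network: i and j are planned neighbours; x is provisioned but not planned next to i."""
    m, s, b = (1, 2, 0), (1, 1, 1), 2             # constructed secret parameters
    a = {"i": (1, 1, 0), "j": (1, 0, 1), "x": (0, 1, 1)}
    lcd = plan_lcd(m, s, b, a, {("i", "j"), ("j", "x")})
    i, j, x = lcd["i"], lcd["j"], lcd["x"]
    return {
        "j_auth_by_i": authenticate(i["top"], j["pub"]),   # planned link: accepted
        "x_auth_by_i": authenticate(i["top"], x["pub"]),   # unplanned link: rejected
        "tak_i": tak(i["priv"], j["pub"]),                 # TAK_i from (4-4)
        "tak_j": tak(j["priv"], i["pub"]),                 # TAK_j from (4-5), equal to TAK_i
        "kl_dot_kt": dot(i["priv"], i["pub"]),             # property 4: k_l . k_t = 0
    }


if __name__ == "__main__":
    print(demo())
```

The rejected node x holds a valid private/public pair from the same planner, so what fails is only the topology test: its public component is not orthogonal to any Topology Vector in σ(i). That is the behaviour the paper expects on an attachment request from a node that is not in the planned topology graph, and the point at which an indication would go to the Intrusion Detection System.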
(5-1)
Same considerations can be applied to $\mathbf{k}_{li}$ and $\mathbf{k}_{tj}$.
3. $H(\mathbf{k}_{li}) = H(\mathbf{k}_{lj}) = \log_2 q^3 = 3 \log_2 q$. It will be shown that, solving (5-1) for any possible node pair in a network of $N$ nodes, there are $\approx q^3$ free solutions for $\mathbf{k}_{li}$ (the same holds for $\mathbf{k}_{lj}$) if $N \ll q$.
Suppose a node pair with node $i$ and node $j$. The equation system (5-1) is made of 6 equations ($= 3 + 3$) for node $i$ in 10 variables ($\mathbf{a}$, $\mathbf{m}$, $\mathbf{s}$, $b$), and similarly for node $j$. The proof is given by an inductive procedure: solving (5-1) for node $i$, $\approx q^4$ free solutions for ($\mathbf{a}$, $\mathbf{m}$, $\mathbf{s}$, $b$) are obtained, and equivalently $\approx q^3$ free solutions for $\mathbf{k}_{li}$; solving (5-1) for any pair between node $i$ and any other node $j$ with $j = 1, 2, \ldots, N$, $\approx q^3 - Nq$ free solutions for $\mathbf{k}_{li}$ are obtained: note that the constraint $\mathbf{a}_i \times \mathbf{a}_j \neq 0$ with $j = 1, 2, \ldots, N$ implies that solutions with $\mathbf{a}_i$ parallel to $\mathbf{a}_j$ must be eliminated, that is $\approx Nq$ solutions for $\mathbf{k}_{li}$ are eliminated. As $N \ll q$, there are still $q^3 - Nq \approx q^3$ free choices for $\mathbf{k}_{li}$. Applying the definition of entropy, the thesis is proved. Same considerations can be applied to $\mathbf{k}_{lj}$. Q.E.D.

Theorem (TAK Entropy). TAK entropy is $H_{TAK} = \log_2 q$ and TAK entropy per binit is $= 1$ bit.

Proof. From the previous positions (1), (2) and (3), the following relationship is derived:
$$\text{(5-2)}\quad H(\mathbf{k}_{li}, \mathbf{k}_{tj}) = H(\mathbf{k}_{tj}) + H(\mathbf{k}_{li} \,|\, \mathbf{k}_{tj}) = H(\mathbf{k}_{li}) = 3 \log_2 q$$
TAK is obtained from the scalar product between the vectors $\mathbf{k}_{li}$ and $\mathbf{k}_{tj}$ (the same for $\mathbf{k}_{lj}$ and $\mathbf{k}_{ti}$). As stated in Sec. 2, this operation is a one-way function from 6 scalars to 1 scalar. As $\mathbf{k}_{tj}$ is publicly known (it has been shown that $H(\mathbf{k}_{tj}) = 0$), the information on TAK is reduced to one third of the information associated with $\mathbf{k}_{li}, \mathbf{k}_{tj}$. Thus $H(\mathbf{k}_{li} \cdot \mathbf{k}_{tj}) = \frac{1}{3} H(\mathbf{k}_{li}, \mathbf{k}_{tj})$:
$$\text{(5-3)}\quad H_{TAK} = H(\mathbf{k}_{li} \cdot \mathbf{k}_{tj}) = \frac{1}{3} H(\mathbf{k}_{li}, \mathbf{k}_{tj}) = \frac{1}{3} H(\mathbf{k}_{li}) = \log_2 q \ \text{bit}$$
where (5-2) has been considered. Q.E.D.

5.2 Security level in a single node

This security level is calculated by evaluating the complexity of breaking the cryptographic key with a single node available. In this case it is the complexity of reverse engineering $\mathbf{m}$, $\mathbf{s}$, $\mathbf{a}$ and $b$ from $\mathbf{k}_l$, $\mathbf{k}_t$ and the (public) expression of $f(\cdot)$. Equations (5-4) show that the relationship between $\mathbf{k}_l$, $\mathbf{k}_t$ and $\mathbf{m}$, $\mathbf{s}$, $\mathbf{a}$ and $b$ is not simply a discrete logarithm, which is one of the most difficult problems in GF(q) algebra [1], but becomes more complex because $\mathbf{m}$ and $\mathbf{a}$ appear both as multiplying factors of the exponentiation and in the exponent.

5.3 Security level in the network

This security level is calculated by evaluating the complexity of breaking the cryptographic key with all nodes in the network available. The T-Security concept is introduced.

Definition (T-Security). Given a network with $N$ nodes, a cryptographic key is T-Secure if an attacker should capture $T + 1 < N$ nodes in the network to gain enough information to crack the key.

The best case is when $T = N$, because in this case the cryptographic key can never be violated, as there is not enough information shared in the network to do that. This result can be achieved if a share of the information needed to generate the cryptographic keys is
external to the network (i.e. residing in an external server).

Theorem (N-Security). The TAK generation scheme is N-secure (i.e. $T = N$).

Proof. The equation system (5-1) should be solved for $\mathbf{a}$, $\mathbf{m}$, $\mathbf{s}$ and $b$ to break TAK. According to the definition of T-Security, a cryptographic scheme is N-secure if it cannot be broken even by capturing all nodes in the network. A proof similar to the one given in Sec. 5.1 can be applied here. In case node $i$ has been captured, solving (5-1) gives $\approx q^4$ free solutions for ($\mathbf{a}$, $\mathbf{m}$, $\mathbf{s}$, $b$). In case a further node, say node $j$ with $j = 2$, has been captured, the equation system (5-1) gives $\approx q^4 - q$ free solutions for ($\mathbf{a}$, $\mathbf{m}$, $\mathbf{s}$, $b$): note that the constraint $\mathbf{a}_i \times \mathbf{a}_j \neq 0$ implies that $\mathbf{a}_i$ cannot be parallel to $\mathbf{a}_j$, eliminating $\approx q$ solutions for ($\mathbf{a}$, $\mathbf{m}$, $\mathbf{s}$, $b$). In case a further node, say node $j$ with $j = 3$, has been captured, solving (5-1) gives $\approx q^4 - 2q$ free solutions for ($\mathbf{a}$, $\mathbf{m}$, $\mathbf{s}$, $b$): note that the constraint $\mathbf{a}_i \times \mathbf{a}_j \neq 0$ shall be applied twice (for nodes $j$ with $j = 2$ and $j = 3$) and $\approx 2q$ solutions for ($\mathbf{a}$, $\mathbf{m}$, $\mathbf{s}$, $b$) shall be eliminated. When the last, $N$-th, node has been captured, (5-1) gives $\approx q^4 - Nq$ free solutions for ($\mathbf{a}$, $\mathbf{m}$, $\mathbf{s}$, $b$). As $N \ll q$, there are still $\approx q^4$ free choices. Q.E.D.

6. Cost Analysis

The cost is measured in terms of computational time and memory usage. The implementation of the proposed cryptographic scheme relies on the following processing facilities: an external server (supposed to be resource unlimited), which computes the set of LCD parameters assigned to and loaded into the deployed nodes, and the processing capability of each node (supposed to be resource limited), needed to authenticate the neighbouring (local) network topology and to calculate TAK: actually its computational complexity is that of the square modulus of a scalar product between two vectors in GF(q), as can be evaluated from expression (4-4).

Suppose we apply the case $q = 2^{128}$ (i.e. 128-bit keys): it can be shown that (4-4) can be computed through ~300 16-bit operations (additions and products). If MicaZ motes are employed (8-bit processor MPR2400 @ 7.4 MHz), and assuming 10 clock cycles / operation, the cost in terms of computation time for the calculation of a 128-bit TAK is estimated to be about ~400 μs. Supposing $\sigma \approx 4$ neighbours per node (thus 4 Topology Vectors, 48 bytes each), plus the private and public TAK components (48 bytes each), the cost in terms of memory usage is estimated to be less than 300 bytes per node.

7. Conclusions and Future Works

A novel hybrid cryptographic scheme based on pair-wise keys authenticated by compliance with the planned network topology has been proposed and its effectiveness has been proved. According to the results of the cost analysis reported in Sec. 6, the near-term plan consists in its implementation on a MicaZ cluster-based sensor network.

Future works foresee a cross-layer integration of the cryptographic security with the Intrusion Detection System proposed in [6] by the same authors jointly with the University of Berkeley. An appealing application scenario is bio-medics, where WSN are deployed as body area networks and a sink node is integrated into a PDA: this is the case where security and reliability are the absolute qualifying indicators for the effectiveness of the monitoring system.

8. References

[1] A. J. Menezes, P. Van Oorschot, S. A. Vanstone, "Handbook of Applied Cryptography," CRC Press, 1996.
[2] L. Eschenauer, V. D. Gligor, "A key management scheme for distributed sensor networks," 9th ACM Conf. on Computer and Communications Security, 2002.
[3] H. Chan, A. Perrig, D. Song, "Random key pre-distribution schemes for sensor networks," IEEE Symposium on Security and Privacy, pages 197-213, Berkeley, California, 2003.
[4] S. Zhu, S. Xu, S. Setia, S. Jajodia, "Establishing pair-wise keys for secure communication in ad hoc networks: a probabilistic approach," 11th IEEE International Conference on Network Protocols (ICNP'03), 2003.
[5] A. Perrig, R. Szewczyk, V. Wen, D. Culler, J. Tygar, "SPINS: Security protocols for sensor networks," MobiCom 2001, pp. 189-199, 2001.
[6] M. Pugliese, A. Giani, and F. Santucci, "A Weak Process Approach to Anomaly Detection in Wireless Sensor Networks," in First International Workshop on Sensor Networks (SN2008), 2008.