Matrix Based Key Agreement Algorithms for Sensor Networks

Abhishek Parakh
Nebraska University Center for Information Assurance, School of Interdisciplinary Informatics, University of Nebraska, Omaha, NE 68182
Email: [email protected]

Subhash Kak
Computer Science Department, Oklahoma State University, Stillwater, OK 74078
Email: [email protected]
Abstract—Communication between nodes in a sensor network is often secured by the use of symmetric keys installed on them before deployment. A more efficient method is to install sensors with a small amount of secret information that can be used to generate a pairwise common key when required. We propose new key agreement algorithms based on matrix factorization that require at most $m$ multiplications to generate a key, where $m \le N$ is a system parameter and $N$ is the total number of nodes in the network.
I. INTRODUCTION

When sensor networks are used to collect sensitive information, communication between the nodes needs to be protected using encryption. Symmetric encryption algorithms are computationally efficient and are commonly used to encrypt data in such resource-constrained environments. Since sensors are deployed randomly and have limited communication range, a node's neighbors are not known prior to deployment. Therefore pairwise distribution of symmetric keys becomes a challenge. Approaches that model sensor networks as random graphs have been discussed before [1], [2], [3], [4], [5]; however, due to the lack of a priori knowledge of the neighborhood, the number of keys installed per node in order to keep the network connected far exceeds the actual number of nodes in the neighborhood. Due to memory constraints on sensor nodes it is desirable to minimize the number of keys per node. Solutions using Elliptic Curve Cryptography [6], [7], [8], although efficient compared to other public key systems, are generally more computationally expensive than their symmetric counterparts [9].

In this paper we propose algorithms to perform key agreement between nodes after deployment. Before deployment each sensor is installed with certain secret information that can then be used to generate a common encryption key with any other node within communication range. The first proposed protocol factors a symmetric matrix to achieve this, and the second protocol factors a non-symmetric matrix in a commutative way. The advantage of the second protocol over the first is that the final key that is agreed upon is a function of two input variables and hence the key itself provides higher security. In general the algorithms may be used in any network consisting of nodes that wish to agree on symmetric keys; the nodes may be static or mobile and may join or leave the network as they wish.

Eschenauer and Gligor [4] modeled the sensor network as a random graph and pre-installed keys (called a key ring) drawn from a large pool of keys. Other schemes that leverage the random graph model have been proposed [1], [2], [3], [4]. Du et al. [2] assume deployment knowledge based on a Gaussian probability distribution function. However, such a scheme is not applicable to mobile nodes, and other methods of deployment [10] may be used. Chan et al. [1] proposed a $q$-composite scheme that requires the nodes to share $q$ keys from the key ring instead of just one key; the final key used for encryption is then computed as a function of these $q$ keys. Blom [11], [12] proposed a scheme based on matrix factorization which is a special case (or specific implementation) of the general scheme proposed here. Du et al. [3] use Blom's scheme for key distribution in sensor networks and strengthen it by using multiple key spaces, which essentially requires every node to implement Blom's scheme multiple times. In contrast, the proposed scheme is not only more general but also provides stronger security than Blom's implementation by randomly distributing rows and columns among nodes. In related work, the use of bivariate polynomials [12], [13] has been extended by Liu and Ning [14] for key agreement in sensor networks. Bivariate polynomials are again a special case of Blom's scheme.

II. PROPOSED ALGORITHM

All computations are performed modulo a large prime $p$. The proposed algorithm works as follows.

Pre-deployment:
1) Choose a random symmetric matrix $K$ with elements in $Z_p$.
2) Find two matrices $X$ and $Y$ such that $XY = K$.
3) Randomly assign row-column pairs from $X$ and $Y$ to nodes. For example, if node $i$ receives the $r$-th row of $X$ then it also receives the $r$-th column of $Y$.
Key Agreement: Two nodes $i$ and $j$ agree on an encryption key by exchanging their columns of $Y$ and computing the key

$$K_{ij} = \mathrm{row}_{node(i)}(X) \cdot \mathrm{col}_{node(j)}(Y) = \mathrm{row}_{node(j)}(X) \cdot \mathrm{col}_{node(i)}(Y) = K_{ji}.$$

Since matrix $K$ is symmetric, $K_{ij} = K_{ji}$. Here $\mathrm{row}_{node(i)}(X)$ denotes the row of $X$ that was assigned to node $i$, and so on.

III. USING COMMUTING MATRICES

If one were to use commuting matrices, the requirement that matrix $K$ be symmetric can be eliminated. The algorithm works as follows.

Pre-deployment:
1) Choose two $q \times q$ matrices $X$ and $Y$ such that $XY = YX$ and $Y$ is symmetric.
2) Randomly pick $r$ from a uniform distribution over $[1, q]$.
3) Assign to node $i$ the randomly chosen $r$-th row and column of $X$ and the $r$-th column of $Y$.

Two nodes $i$ and $j$ agree on a key as follows:
1) Node $i$ sends its column of $Y$ to node $j$.
2) Node $j$ sends its column of $Y$ to node $i$.
3) Node $i$ computes $K_{ij} = \mathrm{row}_{node(i)}(X) \cdot \mathrm{col}_{node(j)}(Y)$ and node $j$ computes $K_{ij} = \mathrm{col}'_{node(i)}(Y) \cdot \mathrm{col}_{node(j)}(X)$.
4) Node $i$ computes $K_{ji} = \mathrm{col}'_{node(j)}(Y) \cdot \mathrm{col}_{node(i)}(X)$ and node $j$ computes $K_{ji} = \mathrm{row}_{node(j)}(X) \cdot \mathrm{col}_{node(i)}(Y)$.
5) The key used is computed as $K = \mathrm{Hash}(K_{ij} \,\|\, K_{ji})$.

Here $\mathrm{col}'_{node(i)}(Y)$ is the transpose of the column of $Y$ assigned to node $i$. This provides stronger security than Blom's scheme because if the prime $p$ is of 1024 bits then the final key is a function of 2048 bits.

If in a network of $N$ nodes every node pair were to share a unique key, there would be $N(N-1)/2$ unique keys in the network and matrix $K$ would be of size $N \times N$. Correspondingly, $X$ and $Y$ would be of size $N \times N$ and every node in the network could receive a unique row-column pair from $X$ and $Y$. However, if reuse of keys is allowed then $q \le N$, and matrices $X$ and $Y$ are of size $q \times q$. In this case, step 3 of the algorithm randomly assigns rows and columns, where a row-column pair may go to more than one node.

Finding Commuting Matrices $X$ and $Y$: Among other methods, matrix diagonalization may be used to find two commuting matrices:
1) Choose a diagonalizable symmetric matrix $Y$ at random.
2) Diagonalize $Y$ such that $Y = M^{-1} D_y M$, where $D_y$ is a diagonal matrix with the eigenvalues of $Y$.
3) Randomly pick a diagonal matrix $D_x$ and compute $X = M^{-1} D_x M$.

The above algorithm generates two matrices that commute with each other:

$$XY = M^{-1} D_x M M^{-1} D_y M = M^{-1} D_x D_y M$$

and

$$YX = M^{-1} D_y M M^{-1} D_x M = M^{-1} D_y D_x M.$$

Since $D_x$ and $D_y$ are diagonal matrices, $D_x D_y = D_y D_x$.
IV. SECURITY OF THE PROPOSED SCHEME

First proposed scheme: Assume that matrix $K$ is of size $q \times q$ and therefore $X$ and $Y$ are of sizes $q \times m$ and $m \times q$ respectively. The upper triangle (including the diagonal) of matrix $K$ has $q(q+1)/2$ elements, all of which are generated from the $2qm$ elements of $X$ and $Y$. For each key there are $p$ possibilities, and it is clear that in the absence of any knowledge of the elements of $X$ and $Y$, all $p$ possibilities for every key remain equally likely. However, if an eavesdropper is able to intercept $q$ distinct columns of matrix $Y$ being exchanged between nodes in plain text, there still remain $q!$ ways to arrange these columns. This is because we randomly distribute row-column pairs and hence their specific arrangement in $Y$ is not known. If $q \cdot m < q(q+1)/2$ it is easier for the eavesdropper to guess matrix $X$ than to guess matrix $K$; however, if $q \cdot m > q(q+1)/2$ then guessing $K$ is easier. In a strict sense we need $q \cdot m > q(q-1)/2$, since the diagonal of $K$ consists of self keys $K_{ii}$.

Compromise of Nodes: Compromise of a node happens when an adversary captures a node and can access all its information, enabling it to manipulate the node. Assuming $K$ is of size $q \times q$ with $q = N$, every node receives a unique row-column pair. Upon compromise of $l$ nodes, an attacker will be able to construct $2l^2$ elements of $K$. However, if $q < N$ then a row-column pair will go to more than one node. Since we randomly and uniformly assign row-column pairs to nodes, every pair has a probability of $1/q$ of being assigned to a node. Consequently, the probability that the compromise of $q$ nodes will reveal all the keys in the network is $q!/q^q$. In general, if $L$ nodes are compromised then the probability that all the keys are revealed can be computed as follows. Assume an adversary stops compromising nodes once it has acquired $q$ distinct row-column pairs. Also assume that the adversary sees the $q$-th unique row-column pair at the $(L+1)$-th node compromise. This means that he would have seen $q-1$ unique pairs at the compromise of the $L$-th node, where $L \ge q-1$. Assuming that the row-column pairs appear $n_i$ times, the probability that an adversary will see the $q$-th distinct pair at the $(L+1)$-th node compromise is computed as follows:

$$P(q\text{-th unique pair is obtained at the }(L+1)\text{-th node compromise}) = \sum_{i=1}^{t} \Pr_i$$

where

$$\Pr_i = \sum_{n_1=1}^{c_1} \sum_{n_2=1}^{c_2} \cdots \sum_{n_{q-1}=1}^{c_{q-1}} \frac{L!}{n_1!\, n_2! \cdots n_{q-1}!} \prod_{i=1}^{q-1} p_i^{n_i} \qquad (1)$$

where $c_1 + c_2 + \cdots + c_{q-1} = L$ and there are $t$ ways to partition $L$ such that the $c_i$ add to $L$.

Second proposed scheme: If an eavesdropper is able to listen to $q$ distinct columns of $Y$ being transmitted and also determine which of the $q!$ arrangements is the correct one, then he can diagonalize $Y$ and retrieve $M$. In order to reconstruct all the keys in the network he then has to guess the values in
the diagonal matrix $D_x$, which can be done with probability $1/p^q$ since there are $p$ possible values for every eigenvalue in $D_x$. Unlike the previous algorithm, using commuting matrices requires $X$ and $Y$ to be square matrices. However, the size of the matrices may be $q \times q$ where $q \le N$. $K = \mathrm{Hash}(K_{ij} \,\|\, K_{ji})$ is the common key between nodes $i$ and $j$, where the keys are hashed in a pre-decided order. This increases network resilience, as the attacker would need to determine the entire $K$ matrix to compromise the whole network, rather than only half of it as is the case when $K$ is symmetric. Recall that by using commutativity we have eliminated the requirement of $K$ being symmetric. This is in contrast with other methods that either implement Blom's scheme multiple times to increase the number of keys shared (for example, to share two keys, implement Blom's scheme twice) [3], or Chan et al.'s scheme [1], called the $q$-composite scheme, which shares at least $q$ keys between nodes by decreasing the key pool size.

V. METHODS TO DETERMINE X AND Y

In the first proposed algorithm, although in general $X$ and $Y$ may be chosen by trial and error, their determination becomes easier if one of the following methods is used. The following are some of the different methods to construct $X$ and $Y$. Although not all of them provide equal security, it is not necessary to disclose which method was used to factor $K$.

∙ A straightforward method is to choose matrix $Y$ as square and nonsingular and compute $X = K \cdot Y^{-1}$.

∙ Another example of the construction of $X$ and $Y$, using a bivariate polynomial, where they are smaller than the size of $K$, is as follows. Let

$$X = \begin{bmatrix} 1 & 3 & 1 \\ 3 & 4 & 1 \\ 9 & 9 & 1 \\ 4 & 6 & 1 \\ 5 & 1 & 1 \end{bmatrix} \quad \text{and} \quad Y = \begin{bmatrix} 5 & 8 & 8 & 0 & 7 \\ 1 & 1 & 1 & 1 & 1 \\ 1 & 5 & 3 & 2 & 4 \end{bmatrix};$$

then

$$K = \begin{bmatrix} 8 & 4 & 2 & 4 & 2 \\ 8 & 2 & 1 & 9 & 6 \\ 0 & 4 & 9 & 9 & 0 \\ 1 & 3 & 9 & 4 & 5 \\ 7 & 2 & 6 & 0 & 3 \end{bmatrix}.$$

∙ LU factorization may be used.

∙ Computing powers of matrices. Assume that matrix $K$ is diagonalizable; then $K = M^{-1} A M$, where $M$ is a matrix whose columns are the eigenvectors of $K$ and $A$ is a diagonal matrix of the eigenvalues of $K$. With such a factorization the algebra on $K$ reduces to the algebra on the elements of the diagonal matrix $A$. For example $K^r = M^{-1} A^r M$, and since $A$ is a diagonal matrix, $A^r = (a_1^r, a_2^r, \ldots, a_q^r)$ where the $a_i$ are the diagonal elements of $A$. Then we may factor $K$ as follows: 1) Randomly choose a diagonalizable symmetric matrix $K$ with elements from the finite field $Z_p$. 2) Randomly choose an element $r$ from the field and compute $X = K^{1/r}$ and $Y = K^{1 - 1/r}$.

∙ Finding a diagonalizable matrix in finite fields may not be straightforward. Therefore the following constructive method may be used: 1) Use Hadamard matrices $H$ as eigenvector matrices. 2) Randomly choose diagonal matrices $A$ and $B$. 3) Compute $X = HAH'$ and $Y = HBH'$. Note that since Hadamard matrices are square matrices whose sizes are powers of 2, $X$ and $Y$ follow suit.
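As an added example that is not from the paper, the following Python code implements the first method listed above, $X = K \cdot Y^{-1}$ over $Z_p$ with a Gauss-Jordan inverse, and then runs the first scheme's key agreement of Section II between two nodes so that the derived key can be checked against the corresponding entry of $K$. The toy prime and the random seed are assumptions made here.

```python
import random

p = 1000003  # constructed toy prime; the paper assumes a large prime

def matmul(A, B):
    """Matrix product over Z_p."""
    return [[sum(a * b for a, b in zip(row, col)) % p for col in zip(*B)] for row in A]

def inverse_mod_p(A):
    """Gauss-Jordan inverse of a square matrix over Z_p; raises ValueError if A is singular."""
    n = len(A)
    M = [[x % p for x in row] + [int(i == j) for j in range(n)] for i, row in enumerate(A)]
    for c in range(n):
        pivot = next((r for r in range(c, n) if M[r][c]), None)
        if pivot is None:
            raise ValueError("matrix is singular mod p")
        M[c], M[pivot] = M[pivot], M[c]
        M[c] = [x * pow(M[c][c], -1, p) % p for x in M[c]]
        for r in range(n):
            if r != c and M[r][c]:
                M[r] = [(x - M[r][c] * y) % p for x, y in zip(M[r], M[c])]
    return [row[n:] for row in M]

def factor(K, rng):
    """First method of Section V: draw a nonsingular Y at random and set X = K * Y^-1, so X Y = K."""
    q = len(K)
    while True:
        Y = [[rng.randrange(p) for _ in range(q)] for _ in range(q)]
        try:
            return matmul(K, inverse_mod_p(Y)), Y
        except ValueError:
            continue  # a singular Y was drawn (rare for large p); draw again

def agree(X, Y, ri, rj):
    """First scheme: nodes holding row-column pairs ri and rj exchange their columns of Y and
    each computes row_self(X) . col_other(Y) mod p. Returns (key at node i, key at node j)."""
    cols = [list(c) for c in zip(*Y)]
    dot = lambda u, v: sum(a * b for a, b in zip(u, v)) % p
    return dot(X[ri], cols[rj]), dot(X[rj], cols[ri])

def run(q=6, seed=7):
    rng = random.Random(seed)
    K = [[0] * q for _ in range(q)]
    for i in range(q):
        for j in range(i, q):
            K[i][j] = K[j][i] = rng.randrange(p)  # random symmetric K (pre-deployment step 1)
    X, Y = factor(K, rng)  # pre-deployment step 2
    return K, X, Y, agree(X, Y, 1, 4)
```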
VI. CONCLUSIONS

We have proposed two algorithms for key agreement between nodes in a (sensor) network. The first algorithm factors a symmetric matrix $K$ into two factors $X$ and $Y$, and the second algorithm chooses matrices $X$ and $Y$ such that they commute and $Y$ is symmetric. In the latter method, matrix $K$ need not be symmetric. The latter method provides two keys per node pair that can be hashed together to compute a common key, which provides better security. Both methods have linear complexity and require scalar multiplications of vectors of size $m$, $m \le q \le N$.

REFERENCES

[1] H. Chan, A. Perrig, and D. Song, "Random key predistribution schemes for sensor networks," in Proceedings of the 2003 IEEE Symposium on Security and Privacy, May 2003, pp. 197–213.
[2] W. Du, J. Deng, Y. Han, S. Chen, and P. Varshney, in INFOCOM 2004, vol. 1, March 2004.
[3] W. Du, J. Deng, Y. S. Han, P. K. Varshney, J. Katz, and A. Khalili, "A pairwise key predistribution scheme for wireless sensor networks," ACM Transactions on Information and System Security, vol. 8, pp. 228–258, May 2005.
[4] L. Eschenauer and V. D. Gligor, "A key-management scheme for distributed sensor networks," in Proceedings of CCS '02. New York, NY, USA: ACM, 2002, pp. 41–47.
[5] A. Parakh and S. Kak, "Efficient key management in sensor networks," in IEEE GLOBECOM Workshops, December 2010, pp. 1539–1544.
[6] Z. Liu, J. Ma, Q. Huang, and S. Moon, "Asymmetric key pre-distribution scheme for sensor networks," IEEE Transactions on Wireless Communications, vol. 8, no. 3, pp. 1366–1372, 2009.
[7] L. Zhang, Q. Wu, and B. Qin, "Authenticated asymmetric group key agreement protocol and its application," in IEEE ICC '10, May 2010, pp. 1–5.
[8] S. Jarecki, J. Kim, and G. Tsudik, "Flexible robust group key agreement," IEEE Transactions on Parallel and Distributed Systems, vol. 22, no. 5, pp. 879–886, May 2011.
[9] A. Perrig, R. Szewczyk, J. D. Tygar, V. Wen, and D. E. Culler, "SPINS: security protocols for sensor networks," Wireless Networks, vol. 8, pp. 521–534, September 2002.
[10] K. Guruprasad and D. Ghose, "Automated multi-agent search using centroidal Voronoi configuration," IEEE Transactions on Automation Science and Engineering, vol. 8, no. 2, pp. 420–423, April 2011.
[11] R. Blom, "An optimal class of symmetric key generation systems," in Proceedings of the EUROCRYPT 84 Workshop on Advances in Cryptology: Theory and Application of Cryptographic Techniques. Springer-Verlag New York, Inc., 1985, pp. 335–338.
[12] R. Blom, "Non-public key distribution," in CRYPTO, 1982, pp. 231–236.
[13] C. Blundo, A. D. Santis, A. Herzberg, S. Kutten, U. Vaccaro, and M. Yung, "Perfectly-secure key distribution for dynamic conferences," in Proceedings of the 12th Annual International Cryptology Conference on Advances in Cryptology, ser. CRYPTO '92. London, UK: Springer-Verlag, 1993, pp. 471–486.
[14] D. Liu and P. Ning, "Establishing pairwise keys in distributed sensor networks," in Proceedings of the 10th ACM Conference on Computer and Communications Security, ser. CCS '03, 2003, pp. 52–61.