TREA

Key establishment method and system using commutative linear function

Follow

Information

  • Patent Grant
  • 7715556
  • Patent Number
    7,715,556
  • Date Filed
    Thursday, June 8, 2006
    18 years ago
  • Date Issued
    Tuesday, May 11, 2010
    14 years ago
Information
Abstract
Provided are a key establishment method and system using commutative linear functions. In the method, a server defines a set of linear functions that use elements of a first finite field as coefficients and satisfy a commutative rule, selects a first linear function from the set, and selects a predetermined element from a second finite field. Next, the server selects a second linear function corresponding to each of nodes from the set, generates a predetermined combination function based on the first and second linear functions, generates a value of the second linear function using the selected element as a factor, and transmits the combination function and the value of the second linear function to a corresponding node. Each node receives the value of the second linear function from a server, exchanges the received values with the other nodes, computes a value using the exchanged value as a factor of the combination function, and establishes the computed value as a shared key between the nodes. Therefore, each node can perform key establishment with a small amount of computation and low memory consumption, while guaranteeing end-to-end security.
Description
CROSS-REFERENCE TO RELATED PATENT APPLICATIONS

This application claims the benefit of Korean Patent Application No. 10-2005-0113850, filed on Nov. 26, 2005, in the Korean Intellectual Property Office, the disclosure of which is incorporated herein in its entirety by reference.


BACKGROUND OF THE INVENTION

1. Field of the Invention


The present invention relates to a method and system for securely establishing a key for a security service such as a cryptographic service, and more particularly, to a key establishment method and system using commutative linear functions.


2. Description of the Related Art


In the field of information technologies, various types of cryptographic mechanisms are used to protect data to be transmitted or individual privacy. The safety and reliability of a cryptographic mechanism depend on the safety and management of a cryptographic algorithm to be used, and the management and protection of keys to be used.


Insecure key management leads to a fatal threat to the safety of a cryptographic mechanism regardless of the type of a cryptographic algorithm, and therefore, key management is the most basic factor of the cryptographic mechanism. In key management, it is most important to securely distribute keys to the other party concerned in cryptographic communications without disclosing the keys to a third party.


It is the most simple key establishment method in which all of nodes share one key. However, this method is disadvantageous in that when one of the nodes is damaged, the shared key is exposed, thus allowing a person who has no authority for overall network traffic to perform a decoding operation.


Also, there is another key establishment method in which each node stores a pairwise key to be shared with each of the other nodes. If the number of all of nodes belonging to a network is n, each node stores n−1 pairwise keys for the other nodes. However, this method is disadvantageous in that the greater n is, the greater the number of pairwise keys to be stored, and further, it is difficult to add a node to a network.


Conventionally, a public key-based key establishment method is very often used in a general network. This method requires each node to store only its public key and secret key, thus solving problems related to key storing. However, this method requires a lot of amount of computation. Therefore, this method is difficult to be applied to an Ad-hoc environment that undergoes a limitation to resources, and in particular, a sensor network environment.


Recently, many researches have been conducted into key establishment in the sensor network environment that is very limited to resources available. In particular, most of key establishment methods are designed based on the Blom (EUROCRYPT 84) method and the Blundo (CRYPTO 92) method. Such key establishment methods are performed in a hop-by-hop fashion without using an end-to-end method.


Meanwhile, the key establishment methods in the hop-by-hop fashion in the sensor network are confronting many problems more and more. In particular, the Blom method and the Blundo method require finite field multiplication to be performed several tens times, thereby increasing the load on a sensor node that is limited to resources.


SUMMARY OF THE INVENTION

The present invention provides a key establishment method and system for guaranteeing end-to-end security that allows each node to establish a key while reducing memory consumption and computational complexity.


The present invention also provides a computer readable medium in which a program for executing the key establishment method in a computer is stored.


According to an aspect of the present invention, there is provided a key establishment method comprising a server defining a set of linear functions which use elements of a first finite field as coefficients and satisfy a commutative rule, selecting a first linear function from the set, and selecting a predetermined element from a second finite field; the server selecting a second linear function corresponding to each node from the set; generating combination function based on the first linear function and the second linear function; generating a value of the second linear function using the selected element as a factor; and transmitting the combination function and the value of the second linear function to a corresponding node; and each node exchanging the value of the second linear function received from the server with the other nodes, computing a value of the combination function using the exchanged value as a factor, and establishing the computed value as a shared key among the nodes.


According to another aspect of the present invention, there is provided a key establishment system comprising a key generating unit defining a set of linear functions which use elements of a first finite field as coefficients and satisfy a commutative rule, selecting a first linear function from the set, and selecting a predetermined element from a second finite field; and a key allocating unit selecting a second linear function corresponding to each node from the set, generating a combination function based on the first and second linear functions, generating a value of the second linear function using the selected element as a factor, and transmitting the combination function and the value of the second linear function to a corresponding node.


Accordingly, each node is capable of establishing a key while reducing computational complexity and memory consumption.





BRIEF DESCRIPTION OF THE DRAWINGS

The above and other aspects and advantages of the present invention will become more apparent by describing in detail exemplary embodiments thereof with reference to the attached drawings in which:



FIG. 1 is a flowchart of a key establishment method according to an embodiment of the present invention;



FIG. 2 is a diagram illustrating a key establishment method performed from a server to node according to an embodiment of the present invention;



FIG. 3 is a method of establishing a key to be shared between nodes according to an embodiment of the present invention; and



FIG. 4 is a block diagram of a key establishment system according to an embodiment of the present invention.





DETAILED DESCRIPTION OF THE INVENTION

Hereinafter, a key establishment method and system using commutative linear functions, according to embodiments of the present invention, will be described in greater detail with reference to the accompanying drawings.


First, a set F to be used in the present invention is as follows:










F
=

{





i
=
0


m
-
1





α
i



x

2
i




|


α
i



G






F


(
2
)





}


,




(
1
)








wherein elements






f
=





i
=
0


m
-
1





α
i



x

2
i





F






and s,tεGF(2m) satisfy an equation ƒ(s+t)=ƒ(s)+ƒ(t). That is, an arbitrary element of the set F is comprised of a linear function GF(2m)→GF(2m). Also, two functions ƒ,gεF satisfy ƒ∘g(x)=g∘ƒ(x), i.e., ƒ(g(x))=g(ƒ(x)).



FIG. 1 is a flowchart of a key establishment method according to an embodiment of the present invention. Referring to FIG. 1, a server 200 of FIG. 2 randomly selects elements ƒεF and αεGF(2m), and maintains them as secret information (S100). The secret information must be protected not to be exposed to an attacker or nodes that are not concerned.


The server 200 selects hiεF as a secret value of each node i, and allocates ƒ∘hi(x) mod(x2m−x) and hi(α) to each of first through nth nodes i 210, 220, . . . , 230, using the secret information ƒεF and αεGF(2m) which are selected in operation S100 (S110). FIG. 2 illustrates an example of a key assignment method.


After receiving ƒ∘hi(x)mod(x2m−x) and hi(α), each node i discloses hi(α), and maintains ƒ∘hi(x)mod(x2m−x) as a secret value so that an attacker or the other nodes cannot recognize it.


Given predetermined values from the server 200, each node i establishes a shared key among the other nodes (S120). A method of establishing a key to be shared between nodes will now be described in greater detail with reference to FIG. 3.


The first node 210 stores ƒ∘h1(x)mod(x2m−x) and h1(α), which are given from the server 200 in operation S110, in its memory, and the second node 220 stores ƒ∘h2(x)mod(x2m−x) and h2(α) in its memory.


The first node 210 transmits h1(α) to the second node 220, and the second node 220 transmits h2(α) to the first node 210. The first node 210 computes ƒ∘h1(h2(α)) using received h2(α). ƒ∘h1(h2 (α))=ƒ∘h1∘h2(α)=ƒ∘h2(h1(α)) is drawn from the commutative characteristics of the above linear functions. Thus, the first and second nodes 210 and 220 set ƒ∘h1∘h2(α) as a shared key between them.


A key establishment method according to the present invention has many advantages compared to the prior art.


Since hi(α) of a node i is an element of GF(2m) and ƒ∘hi(x)mod(x2m−x) is a polynomial having coefficients of m GF(2), each node i stores 2m bits.


Next, the computational complexity of a key establishment method according to the present invention will now be described.


As described above, the first node 210 computes ƒ∘h1(h2(α)) to obtain a shared key to be shared with the second node 220.


Since may be ƒ∘h1(x)mod(x2m−x)εF, h2(α)εGF(2m), ƒ∘h1(h2(α)) may be computed by computing








p


(
γ
)


=





i
=
0


m
-
1





α
i



γ

2
i







when





p


=





i
=
0


m
-
1





α
i



x

2
i





F



,

γ



GF


(

2
m

)


.







Here, γ,γ2, . . . , γ2m-1, which is a square of γ, needs to be computed.


A normal basis is introduced to effectively express a square operation in GF(2m) which is a finite field. When expressing an element in GF(2m) using the normal basis, a square of the element may be expressed by simply using a shift operation.


Based on the characteristics of the normal basis and that a coefficient αi of P is 0 or 1, P(γ) can easily be computed by performing the shift operation m−1 times and performing an addition operation on GF(2m) having m elements. In this case, computational complexity is very lower than in a conventional key establishment method, and the present invention can be embodied as hardware that is much smaller than a conventional scheme.


Also, in the case of the conventional key establishment method, when direct key sharing is not allowed in the sensor network, a key is transmitted in the hop-by-hop fashion, and thus, the key is disclosed to an intermediate node. However, in the key establishment method according to the present invention, only a public value hi(α) is transmitted to a destination node, and therefore, a shared key is not disclosed to an intermediate node or an attacker even if the public value hi(α) is exposed. That is, the key establishment method according to the present invention provides end-to-end security.


In addition, according to the present invention, it is easy to add or delete a node. When a new node j is added, a server randomly generates hjεF, and allocates hj(α) and ƒ∘hj(x)mod(x2m−x) to the node j. In this case, the other nodes are not influenced by deletion of a node.



FIG. 4 is a block diagram of a key establishment system according to an embodiment of the present invention. Referring to FIG. 4, the key establishment system includes a server 400 comprised of a key generating unit 410 and a key allocating unit 420, and more than one node given a key from the server 400, i.e., first through nth nodes 430, 440, . . . , 450.


The key generating unit 410 defines a set







F
=

{





i
=
0


m
-
1





α
i



x

2
i




|


α
i



G






F


(
2
)





}


,





that is a set of linear functions that use elements of a first finite field GF(2) as coefficients and satisfy commutative rules, selects a first linear function ƒεF from the set F, and selects a predetermined element αεGF(2m) from a second finite field.


The key allocating unit 420 selects a second linear function hiεF indicating each node from the set F of the linear functions, defined by the key generating unit 410; generates a combination function ƒ∘hi(x)mod(x2m−x) based on the selected second linear function hiεF and the first linear function ƒεF selected by the key generating unit 410; generates the values hi(α) of the second linear functions, each using as a factor a predetermined element selected by the key generating unit 410, and transmits the combination function ƒ∘hi(x)mod(x2m−x) and the value hi(α) to each of the nodes 430, 440, . . . , 450.


A key setting unit 432 of the first node 430, a key setting unit 442 of the second node 440, and a key setting unit 452 of the nth node 450 respectively receive the value hi(α) of the second linear function, exchange the received value hi(α) with those of the other nodes, compute ƒ∘hi(hj(α))=ƒ∘hi∘hj(α)=ƒ∘hj(hi(α)) using the exchanged value hi(α) as a factor of the combination function ƒ∘hi(x)mod(x2m−x) and set ƒ∘hi(hj(α))=ƒ∘hi∘hj(α)=ƒ∘hj(hi(α)) as a shared key between them.


The present invention can be embodied as computer readable code in a computer readable medium. Here, the computer readable medium may be any recording apparatus capable of storing data that is read by a computer system, e.g., a read-only memory (ROM), a random access memory (RAM), a compact disc (CD)-ROM, a magnetic tape, a floppy disk, an optical data storage device, and so on. Also, the computer readable medium may be a carrier wave that transmits data via the Internet, for example. The computer readable medium can be distributed among computer systems that are interconnected through a network, and the present invention may be stored and implemented as a computer readable code in the distributed system.


As compared to the prior art, a key establishment method according to the present invention has the following advantages.


1. It is possible to establish a shared key between nodes with low memory consumption.


2. It is possible to establish a shared key between nodes with a very small amount of computation. In particular, the key establishment method according to the present invention is accomplished by performing only a shift operation and an addition operation on GF(2m). Therefore, this method can be realized as hardware that is far smaller than in the prior art.


3. It is possible to effectively add a node to or delete a node from a network, and further support a network with a large number of elements.


4. It is possible to provide end-to-end security that a conventional sensor network does not support.


As described above, a key establishment method according to the present invention can be used for key establishment for cryptographic mechanisms, and security services, such as a certification service, in various environments. In particular, the present invention provides a key establishment method optimized for an Ad-hoc network environment that is limited to resources.


While this invention has been particularly shown and described with reference to exemplary embodiments thereof, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims.

Claims
  • 1. A key establishment method comprising: (a) a server defining a set of linear functions which use elements of a first finite field as coefficients and satisfy a commutative rule, selecting a first linear function from the set, and selecting a predetermined element from a second finite field;(b) the server, for each of a plurality of nodes, selecting a second linear function from the set; generating a combination function based on the first linear function and the second linear function of the corresponding node; generating a value of the second linear function of the corresponding node using the selected element as a factor; and transmitting the combination function and the value of the second linear function to the corresponding node; and(c) each node exchanging the value of the second linear function received from the server with the other nodes, computing a value of the combination function using the exchanged value as a factor, and establishing the computed value as a shared key among the nodes wherein (b) comprises generating the combination function ƒ∘hi(x)mod(x2m−x) based on the first linear function ƒεF and the second linear function hiεF which are selected from the set
  • 2. The method of claim 1, wherein the first finite field is GF(2), and the second finite field is GF(2m).
  • 3. The method of claim 1, wherein during (a), the set of the linear functions is defined as
  • 4. The method of claim 1, wherein during (c), a first node i and a second node j respectively receive the combination function ƒ∘hi(x)mod(x2m−x) and the value hi(α) of the second linear function, and the combination function ƒ∘hj(x)mod(x2m−x) and the value hj(α) of the second linear function from the server, exchange the values hi(α) and hj(α) with each other, and set ƒ∘hi(hj(α))=ƒ∘hi∘hj(α)=ƒ∘hj(hi(α)) as a shared key.
  • 5. A key establishment system comprising: a key generating unit of a server, the key generating unit defining a set of linear functions which use elements of a first finite field as coefficients and satisfy a commutative rule, selecting a first linear function from the set, and selecting a predetermined element from a second finite field; anda key allocating unit of a server, wherein for each of a plurality of nodes the key allocating unit selecting a second linear function from the set, generating a combination function based on the first linear function and the second linear function of the corresponding node, generating a value of the second linear function of the corresponding node using the selected element as a factor, and transmitting the combination function and the value of the second linear function to the corresponding node wherein the key generating unit defines the set of the linear functions as
  • 6. The system of claim 5, wherein the first finite field is GF(2), and the second finite field is GF(2m).
  • 7. The system of claim 5, wherein a first node i and a second node j respectively receive the combination function ƒ∘hi(x)mod(x2m−x) and the value hi(α) of the second linear function, and the combination function ƒ∘hj(x)mod(x2m−x) and the value hj(α) of the second linear function from the server, exchange the values hi(α) and hj(α) with each other, and set ƒ∘hi(hj(α))=ƒ∘hi∘hj(α)=ƒ∘hj(hi(α)) as a shared key.
Priority Claims (1)
Number Date Country Kind
10-2005-0113850 Nov 2005 KR national
US Referenced Citations (6)
Number Name Date Kind
5854759 Kaliski et al. Dec 1998 A
20020015493 Rose Feb 2002 A1
20030026433 Matt Feb 2003 A1
20040109564 Cerf et al. Jun 2004 A1
20040170280 Fekri Sep 2004 A1
20060143453 Imamoto et al. Jun 2006 A1
Foreign Referenced Citations (1)
Number Date Country
10-20040098962 Nov 2004 KR
Related Publications (1)
Number Date Country
20070121948 A1 May 2007 US