Group Rekeying for Filtering False Data in Sensor Networks: A Predistribution and Local
Collaboration-Based Approach
Wensheng Zhang and Guohong Cao
Outline
• Research problem – Group key updating• Previous work• Proposed solution
– B-PCGR– C-PCGR– RV-PCGR
• Performance evaluation• Conclusion
Research Problem• Sensor Network
– Hostile environment– Adversary may use compromised nodes
• Inject false sensing report• Modify the reports sent by other nodes
• Symmetric cryptographic techniques– Sensor nodes are randomly divided into multiple groups– Nodes in the same group share a symmetric group key– Each message is attached with multiple MACs, each is generated using
one group key
• Problem– Node compromises– Innocent nodes should update their group keys
Previous Work
• Centralized solution– SKDC: Use central controller to distribute new keys (Hugh, et al.)
– Logic tree-based schemes (Wallner et al., Wong et al. Balenson et al.)
• High communication cost • Rekeying delay
• Distributed Solution– Blundo’s scheme: Allows a set of nodes to set up a group key in
distributed way (C. Blundo et al.)
• Not scalable: storage cost / each node must know other trusted group members
Motivation
• Preload future keys to individual nodes before deployment– Avoid high communication overhead
• Neighbors collaborate with each other to effectively protect and appropriately use the preloaded keys.– Security– Relieves high cost of centralized management
System Model• Large scale wireless sensor network
• Deployed in a hostile environment
• Each node is innocent – Before deployment– Cannot be compromised during the first several minutes
• Each pair of neighboring nodes can establish a pairwise key
• Compromised nodes can be detected within a certain time period
• Nodes are loosely synchronized
• Group rekeying is started periodically
Basic Predistribution and Local Collaboration-Based Group Rekeying (B-PCGR)
• Group Key Predistribution– The setup sever decides the total number of groups. For each
group i, it constructs a t-degree univariate g-polynomial gi(x). • gi(0) is the initial group key, • gi(j) (j >= 1) is the group key of version j.
– A node is randomly assigned to a group before deployment.
– A group key polynomial (g-polynomial) gi(x) is preloaded in each node based on the group it belongs to.
– New group keys are generated and distributed using g-polynomial at key updating times.
B-PCGR (2)
• Local Collaboration-Based Key Protection– Each node Nu randomly pick a bivariate encryption polynomial
(e-polynomial)
– Nu Encrypts its g-polynomial g(x) using its e-polynomial eu(x,y) to get its g’-polynomial g’(x) = g(x) + eu(x,u)
– Nu distributes the share of eu(x,y) to its n neighbors Nvi (i = 0,…,n-1). Each neighbor Nvi receives share eu(x,vi)
– Nu removes eu(x,y) and g(x) , but keeps g’(x) and uses g(0) as its current group key.
jti
jijiu yxAyxe
0,0
,),(
B-PCGR (3)
• Local Collaboration-Based Group Key Updating– Each node maintains a rekeying timer
• Periodically notify the node to update its group key and the current version of the group key c
– To update keys• Each innocent node Nu increases its c by one
• Nu returns share evi(c,u) to each trusted neighbor Nvi
• Nu receives a share eu(c,vi) from each trusted neighbor Nvi. Having received μ + 1 shares, Nu can reconstruct a unique μ-degree polynomial eu(c,y)
B-PCGR (4)
Nu
Nv1 Nv2
Nv3
Nv4
Nv5
Nv0
g(x)
g’(x) = g(x) + eu(x,u)
eu(x,v1)
eu(x,v0)
eu(x,v2)
eu(x,v3)
eu(x,v4)eu(x,v5)
eu(x,v1)eu(x,v2)
eu(x,v3)
eu(x,v4)eu(x,v5)
eu(x,v0)
eu(c,v1)eu(c,v2)
eu(c,v3)
eu(c,v4)
eu(c,v5)
eu(c,v0)
Compute eu(c,y)
g(c) = g’(c) - eu(c,u)
B-PCGR (5)
• Security Analysis– For a certain group, its g-polynomial g(x) is
compromised if and only if• A node Nu of the group is compromised, and
• At least μ + 1 neighbors of Nu are compromised; or
• At least t + 1 past keys of the group are compromised
Enhancements to B-PCGR
• Limitations of B-PCGR– No more than μ neighbors can be compromised – No more than t keys from the same group can be
compromised
• Improve B-PCGR– Cascading PCGR (C-PCGR)
• First limitation
– Random Variance-Based PCGR (RV-PCGR)• Second limitation
C-PCGR (1)
• Difference from B-PCGR– The e-polynomial shares of Nu are distributed to its
multi-hop neighbors– e-polynomial shares are distributed/collected in a
cascading way– Differs from B-PCGR in the second and third steps
• Polynomial encryption and share distribution• Key updating
– The paper describes the case that e-polynomial shares are distributed to its 1- and 2-hop neighbors
C-PCGR (2)• Polynomial Encryption and Share Distribution
– Each node Nu picks two e-polynomials (degree of x is t, degree of y is μ)• 0-level e-polynomial eu,0(x,y)• 1-level e-polynomial eu,1(x,y)
– Nu encrypts its g(x) using eu,0(x,y) to get its g’(x) = g(x) + eu,0(x,u)
– Nu keeps g(0) and g’(x), removes g(x) and eu,0(x,y) , distributes the shares of eu,0(x,y) to its neighbors. Neighbor Nv is given eu,0(x,v)
– Having received 0-level e-polynomial shares from its neighbors, each node Nv uses its 1-level e-polynomial ev,1(x,y) to encrypt each received 0-level polynomial eu,0(x,v) to obtain e’u,0(x,v) = eu,0(x,v) + ev,1(x-1,v)
– Nv keeps eu,0’(x,v) and eu,0(c+1,v) , which will be returned to Nu at the next key updating time
– Nv removes eu,0(x,v) and distribute shares of its 1-level polynomial ev,1(x,y) to neighbors
C-PCGR (3)
Nu
Nv0
Nv1
Nv2
Nv3
Nv5
Nv4
g(0) & g’(x) = g(x) + eu,0(x,u)
eu,0(x,v2)
eu,0(x,v1)
eu,0(x,v0)
eu,0(1,v1)e’u,0(x,v1) =
eu,0(x,v1) + ev1,1(x-1,v1)
ev1,1(x,v3)
ev1,1(x,v4)ev1,1(x,v5)
ev1,1(x,v5) ev1,1(x,v4
)
ev1,1(x,v3)
C-PCGR (4)• Key updating
– Each innocent node Nu increases its c by one, and returns shares ev,0(c,u) and ev,1(c,u) to each trusted neighbor Nv (We assume that Nu has received these shares from Nv)
– Nu receives its own 0-level and 1-level polynomial shares from its neighbors (eu,0(c,v) and eu,1(c,v) from each trusted neighbor Nv)
– Having received µ + 1 0-level e-polynomial shares, Nu reconstructs a unique polynomial eu,0(c,x) which is used to compute its new group key g(c) = g’(c) – eu,0(c,u)
– Having received µ + 1 1-level e-polynomial shares, Nv computes a unique polynomial ev,1(c,x) and then generates a share eu,0(c+1,v) = e’u,0(c+1,v) – ev,1(c,v), which will be returned to neighbor Nu at the next key updating time.
C-PCGR (5)
Nu
Nv0
Nv1
Nv2
Nv3
Nv5
Nv4
g(0) g’(x)
eu,0(1,v1)e’u,0(x,v1)
eu,0(1,v2)
eu,0(1,v1)eu,0(1,v0)
ev1,1(1,v5) ev1,1(1,v4)
ev1,1(1,v3)
g(1) = g’(1) – eu,0(1,u)
g’(x)
eu,0(2,v1) = e’u,0(2,v1) + ev1,1(1,v1)e’u,0(x,v1)
C-PCGR (6)
• Security Analysis– For a certain group, its g-polynomial g(x) is
compromised if and only if• A node Nu of the group is compromised, and
• The adversary has compromised at least μ + 1 neighbors of Nu , each of which also has μ + 1 neighbors compromised; or
• At least t + 1 past keys of the group are compromised
RV-PCGR(1)
• Aims to address another limitation of B-PCGR– If the adversary has obtained t + 1 keys of a certain group
(g(0),g(1),…,g(t)), the adversary can break the g-polynomial of the group (g(x)).
• Basic Idea– Let the length of g(j) be 2L bits.
– Add a L bit random number σj to each g(j) to obtain gr(j)
– The highest L bit of g(j) and gr(j) are same, but the lowest L bits are different
– Even the adversary compromises t + 1 keys (gr(0),gr(1),…,gr(t)), it cannot break the future keys of the group
RV-PCGR(2)
• Predistribution of g-polynomial– Each g(x) is constructed over an extended finite field F(22L)
– The group key of any version j is defined as the highest L bits of g(j)
• Encrypting g-polynomial and distributing components– Nu randomly picks a t-degree e-polynomial eu(x) to encrypt its g-
polynomial g(x) to get its g’-polynomial g’(x) = g(x) XOR eu(x)
– Nu randomly decomposes eu(x) into μ + 1 components, denoted as eu,i(x) (i = 0,…, μ)
– Components are evenly distributed to the neighbors, each neighbor gets only one components.
RV-PCGR(3)
• Key Updating– To update keys, each innocent node Nu increases its
key version c by one, and returns erv,j(c) = ev,j(c) XOR
σ’c,v to each trusted neighbor Nv
• σ’c,v is randomly picked from {0,…,2L-1}
– Having received μ + 1 distinct shares <vi,eru,i(c)>, Nu
computes eru(c). Knowing er
u(c), Nu can compute gr(c) = g’(c) XOR er
u(c)
RV-PCGR(4)
• Security Analysis– The adversary can only obtain gr(i), while the
calculated by node Nu has already included a random variance.
– The adversary needs to guess all the σj to figure out the original g(x)
• Complexity o(2(t+1)L)
Performance Evaluation
Conclusion
• The paper proposed a family of predistribution and local collaboration-based group rekeying schemes– Address the node compromise problem
– Improve the effectiveness of filtering false data in sensor networks
• The schemes are based on the idea:– Future group keys can be preloaded before deployment
– Neighbors can collaborate to protect and appropriately use the preloaded keys